TechSpot

KeePass vs LastPass

By dms96960
Apr 10, 2014
Post New Reply
  1. In response to the recent security concerns, I decided to look at password managers. I cannot decide between KeePass and LastPass. Even when I review the comparisons, they seem to be equally popular. I have a PC laptop for work and an iMac at home and a Samsung smartphone. I was hoping our incredible techspot crowd could weigh in here with opinions on which is best for me and why.

    One thing I still do not understand is, whichever one I have, what happens when I visit my mother -- how do I use HER computer to access my bank account?

    Thank you.
     
  2. learninmypc

    learninmypc TS Evangelist Posts: 5,245   +232

    Pardon my ignorance, but as far as your bank goes, I've heard/read you should/could just ask them if they've taken care of it . More here
     
  3. dms96960

    dms96960 TS Enthusiast Topic Starter Posts: 223   +20

    No. That is not what I meant. Whichever password manager I decide to use (and I am disappointed nobody has weighed in with which one of these two are the best), how do I access my bank account when I visit my mother and use her computer since I will not be able to remember the generated password, whatever it is.

    Hope that makes more sense.
     
  4. learninmypc

    learninmypc TS Evangelist Posts: 5,245   +232

    If I'm understanding this correctly, you're saying the password changes everytime you log in? If I'm mis understanding something, I'll let the others reply.
     
  5. dms96960

    dms96960 TS Enthusiast Topic Starter Posts: 223   +20

    No. What I am saying (or trying to say) is:

    Whether I decide on KeePass or LastPass, I understand that I will have downloaded something on my computer so that I do not have to remember all the generated passwords for various sites. I am asking what happens if I do not have my computer, but am at my mother's house and need to conduct a banking transaction -- how do I log in to my bank's account from my mother's computer when I do not know the password that was assigned to the account by either KeePass or LastPass?
     
  6. digitaltoast

    digitaltoast TS Rookie

    Well, you CAN always look inside the Lastpass vault and manually note the password.
    However, the smarter thing to do would be to use Google Chrome, sign in, install LastPass extensions. When you get to another computer, open Chrome, make a new user profile, login, and your bookmarks AND EXTENSIONS will load up. Then just login to Lastpass et voila! Everything there. When you leave, delete the profile, and all is gone.

    But if that sounds a bit tricky, then just actually writing down the entry from the vault might be easier.
     
  7. learninmypc

    learninmypc TS Evangelist Posts: 5,245   +232

    Why can't you simply write down the password for it on a piece of paper & use it on hers? Heck, memorize your usernames/passwords.
     
  8. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,372   +167

    I use LastPass. There's one feature in particular that I like (don't know if it's available from KeePass).

    LastPass supports 2-step authentication. You buy a USB security device with your LastPass subscription (look for the option to buy Yubikeys)n).

    Then, you need BOTH your LastPass pasword AND a physical Yubikey to login to your LastPass account.
    > My home desktop computer is the only computer authorized to skip Yubikey authentication
    > If I use any other computer I a) start a private browsing window (so nothing is remembered on the other computer) and b) have a Yubikey with me to so I can login. So even if someone learned my password they still can't login to my password vault

    I bought 2 Yubikeys. I to take with when I need one, other for safe keeping should I ever need it.

    p.s. You can access your vault from any computer.
     
    learninmypc likes this.
  9. Relic

    Relic TechSpot Chancellor Posts: 1,392   +16

    Hi dms,

    Both options you listed are excellent choices as I'm sure you found out through reviews. KeePass is known for being very in-depth accompanied by a great knowledge base online, however, it can be less user friendly for first time users, and you are responsible for all syncing between systems (e.g. pairing with dropbox)

    LastPass on the other hand is known for being one of the most convenient options available, easily being able to sync with the cloud and other systems and having a good mobile option. Since it is browser based, you won't have any problems working between operating systems. However, the mobile version is not free and requires a premium subscription; fortunately, it's only a buck a month ($12 annually). And even though you do sync with their servers, everything is done locally on your machine and encrypted.

    At the end of the day it'll come down to what you find to be the most appropriate for your daily needs. I personally find LastPass to be the better option as it allows for more flexibility in terms of convenience (synchronization, easy auto-fill, easy organization, cross-platform, etc). I also use two-factor authentication which I would recommend everyone turn on if they use LastPass as @LookinAround points out. So I have a password (something I know) and an authentication key (something I have).

    Here are some more in-depth links that will give you a better idea about LastPass.

    Which Password Manager is Most Secure?
    Security Now – LastPass Security - (LastPass discussion starts around 52:45)

    Also note that whatever choice you make, you MUST choose a strong master password. The whole point of having a password manager is so you only have ONE master password to remember. If you work with a lot of sensitive information, it might not be smart to store everything under one account as well.

    The below link should give you a good idea on how to craft a strong master password.

    Schneier on Security - Choosing Secure Passwords

    I would recommend against using anyone else's computer to access your accounts unless you explicitly know it to be secure. As much as I love my friends and family, their computers may not be secure.

    But if you must, you can simply access your LastPass vault online, or install the LastPass extension/program for KeyPass and sync up your account and delete it when done. Even better, use the mobile versions of the password manager on your phone, and grab the password you need, just don’t save it on their PC. You're still vulnerable as pointed out above, but at least only one account is and not everything if you don't use two-factor authentication.

    Hope this gives you a better idea on what to choose.
     
    LookinAround and SNGX1275 like this.
  10. dms96960

    dms96960 TS Enthusiast Topic Starter Posts: 223   +20

    Great replies. THANKS to all for the assistance!
     
  11. Docus

    Docus TS Rookie

    I use KeePass, and haven't tried LastPass. However it's possible to specify a keyfile with KeePass, which could be stored on a USB drive, which sounds like the same thing described by LookinAround. There are also several user-contributed browser extensions to make KeePass more convenient for users. Personally I'm happy to just leave the program running on my desktop; it locks after a specific period of inactivity but can be easily re-opened by entering your password. There is also an "auto-type" feature that can be used for most websites--when you reach the login page, just click in the username box and then hit Ctrl+V while selecting the relevant entry in your KeePass database and it will enter your username in the browser window, followed by a tab, followed by your password, followed by enter. Voila. Finally, there are a couple of different Android-based apps for accessing KeePass. In terms of accessing your accounts from other computers (or even storing non-internet important information like account numbers, license info, addresses, whatever), if you have a smartphone you can just pull up the KeePass database and look up the information. I recommend KeePass2Android Password Safe because it offers a 'QuickUnlock' feature that only requires you to enter the final 3 characters of your password to re-open the file, once it has been unlocked before. This allows you to continue to use a long, secure, but difficult to enter on a smartphone keyboard sort of password.
    Either way you decide to go, it's good that you're looking into password managers. I really can't imagine any other way to avoid repeating the same passwords at multiple sites, which is a terrible practice.
     
    Relic likes this.
     
  12. SNGX1275

    SNGX1275 TS Forces Special Posts: 12,552   +301

    I got KeePass, but didn't go through with it yet. It seems like it is going to be a major hassle to get initially set up. I realize I need to do something sooner than later since this Heartbleed mess. I was using a base password that was pretty strong and easy for me to remember, then I would change/modify it based on each website. That works great if only one site gets hacked and your password gets out. Unfortunately, I don't have a good grasp or maybe even remember all the sites I've used this on, it would take a lucky guess to make the connection if you saw my password for 2 sites. But, by the 3rd or 4th you'd instantly know my password on almost every site :(
    I have various devices that access my accounts including: Macs, PCs, Android phone, iPod Touch, AppleTV. It seems like I'm literally going to have to dedicate hours to getting this crap set up, and then what...? I could store the master file on dropbox for access anywhere and keep the key file separate, but where would I keep it? A usb stick? what if that stick dies or I lose it? Suppose I could store it in Google Drive..

    Perhaps I'm making it into a much bigger deal than it really is...
     
  13. Docus

    Docus TS Rookie

    The approach I used was to open the program and start browsing to all the sites I use regularly that require logging in-- gmail, banks, etc.-- and then I went through the hassle of creating a new password, and using one that was auto-generated by keepass. It took the better part of an afternoon, but it would be the same as updating my contact info after a move, and certainly less trouble than it would be to clear up fraudulent charges, you know? Plus, that way I got into the habit of using the program when I browse my regular sites. I didn't worry too much about the sites I rarely use unless they were connected to a billing method, like a credit card stored on file. Whenever I found myself returning to a site that my browser stored the login info for, I'd create a new entry in keepass and change the password. It really wasn't much of a hassle in the long run, and four years later I've created a database with over a thousand entries. You can also set keepass to remind you to change your password for any given site after a certain interval. Honestly I still let Firefox remember some login info, but only on my desktop and only for sites that can't access my money or really affect my reputation.
     
    SNGX1275 likes this.
  14. SNGX1275

    SNGX1275 TS Forces Special Posts: 12,552   +301

    Yeah. Ugh. Maybe tomorrow :D What do you think about my comments on what do I do with the master file and key. Seems like it probably isn't a good idea to have them in the same spot online, but losing a USB stick or having it die is probably not a very good idea either. Just seems like I go through a lot of trouble to get this set up and for convenience, you'd want to have them in the same place, otherwise why not just think up a new password scheme because the hassle is still there.
     
  15. Docus

    Docus TS Rookie

    Yeah, I'd be nervous about losing the USB stick... I'm also not sure whether KeePass would be usable via Android if the file isn't available. On the other hand, it could be a file hidden in plain sight -- just some random .ini file that is never modified or deleted. I don't use key files myself, so perhaps someone with more experience can add their perspective.
     
  16. Relic

    Relic TechSpot Chancellor Posts: 1,392   +16

    @Docus Agree 100% and good overview of KeePass, the basic experience is similar to LastPass.

    @SNGX1275 I used a similar password method to yours for a long time before realizing it just wasn't safe anymore and moved to a password manager. I highly recommend you switch as well, especially any place that contains billing or PII you want to keep safe. This Ars Technica article from last year paints a scary picture of how easy it is today for crackers. Passwords like 'qeadzcwrsfxv1331' and 'Sh1a-labe0uf,' may have been good passwords a decade ago, but they are easily broken now. Keyboard walking, leet-speak, dictionary combo's aren't as safe as they used to be. The best approach is long randomly generated passwords that have no pattern to crack. Unfortunately websites that have lax security can still expose you as the last few years have made pretty clear. And some websites still to this day have low character count limits and refuse special characters altogether, making it easier for crackers.

    It may take a bit too completely transition to a password manager, but it's worth the effort imo. Docus's point of starting with the most important and daily used sites first and working your way down is a good approach to ease you in and get you used everything.

    Regarding storage for your database, using the cloud is the most convenient option as you'll always have a backup. Dropbox is usually the go-to place for easy syncing across multiple devices. You can also put something like Boxcryptor (Classic or Normal) on top as another layer of protection.

    Key files take a 'something you have' approach sort of like two-factor authentication, but potentially weaker. It's a static file that you can use to replace your master password or preferably pair with your master password requiring two 'things'. However, it's still a static digital file that you need to safeguard, but it is definitely better than just a master password and I would recommend it. Though it's not an authenticator generating a one-time password on a separate device used for two-factor authentication, something I prefer in LastPass. Here is KeyPass's page on the subject for more information.
     
  17. raeaa

    raeaa TS Rookie

    LastPass is stored online in the cloud, so you will have access to your passwords wherever you have internet connection (at home, at Mom's, when traveling, etc.). KeePass is stored locally on your computer meaning it can only be used when on your computer. There is an alternative to put KeePass on a USB stick drive, that you can use on any computer, but you risk getting viruses when putting your stick drive in other computers, and you really should encrypt the stick drive for safety, which adds another layer of complexity. The easiest most user friendly solution is LastPass, which at $12 per year is a pretty good deal.
     
  18. Bruce Fraser

    Bruce Fraser TS Rookie

    Back to the original question: "One thing I still do not understand is, whichever one I have, what happens when I visit my mother -- how do I use HER computer to access my bank account?"

    Others give complicated answers, but for me it's very simple: On the internet, go to www.LastPass.com. Log in. The "vault" will have all your passwords. Go down the list to the name of your bank. Click on the "pencil" icon, and it will show you your password and username for that account. Close that, then click on the bank name, and it will take you to that website.
    You can do the same thing with Dashlane, by the way, which I prefer.
     


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.