No, I didn't mean for this to be a debate on the merits of each, and you've answered some concerns. I have just two thoughts that came to mind upon reading your post:tlu wrote: As you've said yourself, this is going a bit OT. Nevertheless I want to clarify some things as you don't seem to be familiar with the Lastpass approach:
1. There is only encrypted data on the Lastpass servers. Encryption/decryption is done only on your computer.
2. Your data is also stored on your computer in encrypted form and can be copied to a USB stick or whatever.
Consequences:
1. If there is a data theft from their servers the thieves cannot use it unless you're master password is very weak and prone to a dictionary attack.
2. If the servers are offline or Lastpass is bankrupt you can still access the data on your harddisk via the plugin (but you can't change/add new data) - and you can still export it to, e.g. the Firefox password manager or to a csv file.
This is not meant to convince you. But I think it's obvious that most of the attacks/incidents you mentioned would come to nothing.
1) If the encrypt/decrypt is done only on your own computer, then why involve a third-party website at all, when a free, 3-MB tool does the same thing for you without anyone else's involvement, and the corresponding saving in bandwidth and time-to-process? In other words, what is *better* about using LastPass versus Password Safe?
2) Not being able to edit, delete, or add entries whenever the server is not available for any of a million reasons still seems a major disadvantage, even if it happens only rarely.
And one that came to mind since:
You are correct that I haven't investigated LP deeply, seeing no need, and seeing some disadvantages. But if the decryption is done on "your" computer, what about when you take your USB stick and log in on some other machine? (Friend, relative, Internet cafe, if they allow USB at all). When Password Safe is placed directly on your flash drive (and it can be an exact dupe of the one on your hard drive, synched regularly by copying a single, small file, example below), it can be run on any Windows machine *without leaving traces on the host computer*. So if someone bad later gets access to the machine, they can find nothing from your use of PWS on it. This is a question, not a statement: What does LastPass leave on the host machine under these circumstances?
Here is one line in a simple batch script that both backs up your HD password file to your flash drive, and also synchs it to your copy of PWS on the flash, since you can set this location as the default pw file to open:
Code: Select all
xcopy "c:\program files\password safe\pwsafe.psafe3" g:\backups /d /q /k /yOf course, power users can shorten that and universalize it (if perhaps you use one machine with root drive C: and another with root D:, for example) with environment variables: %programfiles% for c:\ programfiles, which on my own machine, I shortened to %prog%. Cheers.
(and no need to be online, either you or an external server). There is also an automatic backup feature that can be configured to save a backup every time anything changes, to whatever location you direct -- flash, external drive, Shared folder on your home network, etc. 
by adding various such things. Every time you happen to see, or be directed to, a forum, perhaps in searching for an answer to a question, you may be required to create yet another user/pass. Also, enterprises often have policies requiring pw changes every X days, and that advice is often given to home users, too, although its value is much less than popularly thought. 
![[IMG]http://img855.imageshack.us/img855/7666/capture32.png[/img]](http://img855.imageshack.us/i/capture32.png/){kind=link}