Thanks for the input. In the spirit, not of "debate", but of a "comparative discussion" of pros/cons of each, just a couple of comments.
tlu wrote:
I see 2 advantages:
1. You have an additional (encrypted) copy of your login data on the Lastpass servers which adds security. Say, if your harddisk crashes and you don't have a backup available (or it's not up-to-date), just setup your system anew and install the Lastpass plugin in your browser, login with it in your Lastpass account - and a new encrypted local copy is immediately saved on your harddisk. It couldn't be easier.
Always an advantage to *anything* to have an off-site backup, agreed. Since backing up Password Safe is as easy as plugging in a flash drive and two-clicking the batch script mentioned -- or just copying *one single file* of a few k directly from the HD to the flash -- I back it up every time there's a significant change. It couldn't be easier.
(and no need to be online, either you or an external server). There is also an automatic backup feature that can be configured to save a backup every time anything changes, to whatever location you direct -- flash, external drive, shared folder on your home network, etc.
I did have a HD die on me, got a new one, restored a full-disk-image backup, and got the latest backup of password file off my flash drive, just in case the FDI-backup wasn't of the latest PWS file. No sweat, and no need to go online.
2. If you use different browsers, operating systems and/or a mobile phone there is no need to synchronize them manually. Just install the suitable plugin - ready!
I'm very leery of doing any sensitive operations over a mobile phone, given the even-weaker security, but supporting different OSes is indeed an advantage for some users -- PWS is Win-only ATM. AFAIK, though, one single copy (say, on a flash drive) does support any browser.
2) Not being able to edit, delete, or add entries whenever the server is not available for any of a million reasons still seems a major disadvantage, even if it happens only rarely.
Yes, it happens very rarely in my experience. And do you really edit, delete or add login entries that often?
Surprisingly, more than one might think. For example, with the wave of bank mergers in the US, one's online banking creds might change, or the new site might add challenge questions, or have different ones. And existing sites often "upgrade" security by adding various such things. Every time you happen to see, or be directed to, a forum, perhaps in searching for an answer to a question, you may be required to create yet another user/pass. Also, enterprises often have policies requiring pw changes every X days, and that advice is often given to home users, too, although its value is much less than popularly thought.
In total, I'd guess I do at least two dozen or more edits or additions a year, so without hunting through a year of backups to count the PWS files with different "modified" dates, let's say an average of once every week or two. Agreed that the chances of that happening at the moment of one of those very rare server failures is slim, and I *could* write it down, change the local plugin (?), etc. until the server is up, but with PWS, the chance is zero. I prefer zero to very rare, but agree that there are advantages to the multi-OS support.
Another advantage that comes to my mind: The automatic fill-in of login fields works better on several sites with Lastpass compared to the FF password manager (I don't know about other alternatives like PasswordMaker).
I don't know PasswordMaker, and I would never trust *any* browser pw-manager. PWS auto-type works perfectly on all sites for me, except for those in which the user and password inputs are on different pages, in which case a convenient copy-to-clipboard and paste still saves the trouble of typing. Try it - it's free, no "installation", delete it if you don't like it.
<snip> what about when you take your USB stick and log in on some other machine? (Friend, relative, Internet cafe, if they allow USB at all). When Password Safe is placed directly on your flash drive ... it can be run on any Windows machine *without leaving traces on the host computer*. So if someone bad later gets access to the machine, they can find nothing from your use of PWS on it. This is a question, not a statement: What does LastPass leave on the host machine under these circumstances?
I went there.
With PWS, no need to d/l a portable browser, although I have a couple anyway. It will work with whatever browser is on the host, AFAIK.
The same version of PWS that you put on your HD works fine on your flash drive, since it's completely self-contained. No multiple versions to d/l and install.
3. Use IE Anywhere to hook into Internet Explorer or IE Tab for Firefox and Chrome (this is a Premium....)
Costs money? I wouldn't use IE (whole point of Fx is safety, esp. with NoScript), but while I haven't looked into it, intuitively, whatever browser is running on the host, PWS enters your info. Or you can click-paste, as mentioned. No charge.
If you frequently use Internet cafes or untrusted computers, the Portable option is an ideal way to securely access your LastPass Vault.
This *implies* that no traces are left on the host, though I couldn't see where they said so explicitly. Of course, any untrusted machine could be compromised in ways that would hurt us with either tool, but not having to browse the Internet to get to your pw manager is one less possible attack vector. (Machine/LAN has phony SSL cert installed, MITMs your transmissions, then sends them on to the server. With PWS, your stuff is already encrypted before it hits even the LAN of the Internet cafe or whatever.)
Overall, it does seem as though the LP people have tried hard to provide a good and secure cloud-based solution, but on general principles IMHO, the fewer parties involved in *anything*, the better. After all, what was this thread *originally* about? (before we took it O/T, lol) An XSS vuln in LastPass.
And *that* is why whenever there's a choice between the cloud and home, I'm with Dorothy: "There's no place like home."
Thanks for the interesting discussion and exploration.