A Great Interview on Last Pass

Postby James » Tue 23 Mar, 2010 9:04 am

In my opinion (and the opinion of many techies, I might add), LP is the best password manager there is, bar none. Take a few moments and read the following article:

http://blogs.techrepublic.com.com/security/?p=3291

Postby Antony » Tue 23 Mar, 2010 5:26 pm

there's an interesting part:
TechRepublic: You mention that LastPass is superior to password managers used by browsers. Why is that?

Siegrist: The biggest risk with built-in password managers is how malware is able to steal passwords directly from your password manager. For those who don’t believe this is possible, try our windows installer and see if it finds stored passwords. If LastPass can find passwords, so can malicious applications. During installation, LastPass imports all found passwords, then cleans all traces off your computer.

Another advantage is if you have multiple computers. With LastPass, you do not have to worry about reentering the password data on every computer. You simply install the add-on on the other computer and log in.


I have to say, that's new to me.

So far, I have only used two password managers: 1) Mac OS X's built-in Keychain, 2) Yojimbo.

Yojimbo encrypts not just the passwords, but also any text, pictures, PDF or any information I wish to encrypt. Yojimbo syncs very well between computers.

Postby Don_HH2K » Tue 23 Mar, 2010 6:39 pm

Antony wrote: there's an interesting part:
TechRepublic: You mention that LastPass is superior to password managers used by browsers. Why is that?

Siegrist: The biggest risk with built-in password managers is how malware is able to steal passwords directly from your password manager. For those who don’t believe this is possible, try our windows installer and see if it finds stored passwords. If LastPass can find passwords, so can malicious applications. During installation, LastPass imports all found passwords, then cleans all traces off your computer.

Another advantage is if you have multiple computers. With LastPass, you do not have to worry about reentering the password data on every computer. You simply install the add-on on the other computer and log in.


This sounds like a hybrid of fearmongering and half-truths to me.

I keep my Firefox password list encrypted. It's been encrypted ever since I started using the password list - way back with Netscape 7.1. Password encryption has been included in the Mozilla (and therefore Firefox) codebase for ages now, I could even do that with Netscape 6 if I wanted to. And it's not hard to encrypt it; I believe that Netscape actually asked me way in the beginning whether I wanted to set a master password to encrypt the other passwords with.

Their advantage of having your passwords follow you seems like a security hazard in itself, specifically in that LastPass would have access to those. It's similar to how Verizon and others store their customers' phones' data so that they can advertise the portability of that data, even if it only creeped a friend of mine out when Verizon migrated all his data from his Treo to a Motorola Q without physical access to either phone.

Postby Antony » Tue 23 Mar, 2010 8:20 pm

Don_HH2K wrote: I keep my Firefox password list encrypted. It's been encrypted ever since I started using the password list - way back with Netscape 7.1.

Was that the browser's built-in encryption, or additional encryption you applied (e.g. disk or folder encryption)?

Are you saying that Firefox's (or Netscape's) password manager can be used without encryption?

Postby Don_HH2K » Tue 23 Mar, 2010 8:34 pm

That was with the encryption built into Netscape. Same with Netscape 6. I also add folder encryption on my own, but that's only helping if somebody steals the laptop; it'll still be accessible to any apps running as me.

I guess some people don't want to use a master password to encrypt their passwords, so they give you the option of not. I personally think it's a terrible idea to save passwords as plaintext but that is allowed.

Postby James » Tue 23 Mar, 2010 9:34 pm

Don_HH2K wrote: This sounds like a hybrid of fearmongering and half-truths to me.

I keep my Firefox password list encrypted. It's been encrypted ever since I started using the password list - way back with Netscape 7.1. Password encryption has been included in the Mozilla (and therefore Firefox) codebase for ages now, I could even do that with Netscape 6 if I wanted to. And it's not hard to encrypt it; I believe that Netscape actually asked me way in the beginning whether I wanted to set a master password to encrypt the other passwords with.

Their advantage of having your passwords follow you seems like a security hazard in itself, specifically in that LastPass would have access to those. It's similar to how Verizon and others store their customers' phones' data so that they can advertise the portability of that data, even if it only creeped a friend of mine out when Verizon migrated all his data from his Treo to a Motorola Q without physical access to either phone.


I wondered about their servers being hacked (they had a lengthy explanation at their site explaining why this is unlikely and even if it were so one's passwords would still be safe since they're stored on their servers in encrypted form). The other advantage is that we are able to change our passwords by having them generated in strong form by the program and then memorized by LP.

BUT... let me back up just a bit. Firefox asks two things under Security and Passwords.

1. Remember password sites
2. Use a Master password

Are you saying, Don, that if I check both boxes, FF will log me automatically into all my sites AND do so under the encryption of my master password? I've never used a master password with Netscape or FF so I'm not sure if I entirely understand that operation.

Postby Don_HH2K » Tue 23 Mar, 2010 10:14 pm

I'm not a big fan of "cloud" services to begin with. Moving things like text and spreadsheet editing to the cloud made no sense to me in the first place, but having the cloud remember my credentials for me seems like a massive problem waiting to happen.

The way that master passwords in the Firefox PSM work is that, once applied, the passwords in the password file get encrypted using the master password as a key. When Firefox first requires the master password to autofill your login credentials on some site, it will ask for the master password, then will continue to autofill credentials for the remainder of the browsing session. It does leave open the possibility of an in-memory attack, though I believe those are mostly theoretical at this point.

For the few weeks I was using Konqueror and KDE Wallet, the behavior was pretty much the same, so I suspect this is a common way of doing things.
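Added example, not part of the original post and not Firefox's code: a Python sketch of the master-password behaviour described above, where stored entries are ciphertext until the master password is supplied once, after which the derived key stays in memory for the session. The HMAC-SHA256 keystream is a standard-library stand-in for a real cipher, and `PasswordStore`, its method names and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch

def derive_key(master_password: str, salt: bytes) -> bytes:
    # Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:  # HMAC in counter mode
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag  # encrypt-then-MAC

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered store")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class PasswordStore:
    def __init__(self, master_password: str, entries: dict):
        self.salt = os.urandom(16)
        key = derive_key(master_password, self.salt)
        self.on_disk = {site: seal(key, pw.encode()) for site, pw in entries.items()}
        self._session_key = None  # nothing is cached until the first unlock

    def unlock(self, master_password: str) -> None:
        key = derive_key(master_password, self.salt)
        unseal(key, next(iter(self.on_disk.values())))  # raises on a wrong password
        self._session_key = key  # held in process memory for the rest of the session

    def autofill(self, site: str) -> str:
        if self._session_key is None:
            raise PermissionError("master password required")
        return unseal(self._session_key, self.on_disk[site]).decode()

    def lock(self) -> None:
        self._session_key = None  # drops the reference; Python cannot guarantee a wipe
```

The window between `unlock()` and `lock()` is the in-memory exposure the post mentions: the file contents stay encrypted, but the key is resident in the running process.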

Postby Antony » Wed 24 Mar, 2010 7:05 am

Don_HH2K wrote: That was with the encryption built into Netscape. Same with Netscape 6. I also add folder encryption on my own, but that's only helping if somebody steals the laptop; it'll still be accessible to any apps running as me.


Please understand that not everybody is using double encryption like you. And I hope you do realise that each additional encryption would make the data recovery a whole lot harder.

Postby James » Wed 24 Mar, 2010 10:37 am

Don_HH2K wrote:
The way that master passwords in the Firefox PSM work is that, once applied, the passwords in the password file get encrypted using the master password as a key. When Firefox first requires the master password to autofill your login credentials on some site, it will ask for the master password, then will continue to autofill credentials for the remainder of the browsing session. It does leave open the possibility of an in-memory attack, though I believe those are mostly theoretical at this point.


I'm still not seeing the advantage of using the FF master password over the LastPass system. Last Pass not only generates strong passwords for each site (and different ones that I could never remember) but it also autofills forms for me.

Take a look at some of the sites endorsing LP: https://lastpass.com/whylastpass_reviews.php

You might also want to check out some of the videos that LP editors have made addressing some of your concerns. Found here:

https://lastpass.com/

Postby Antony » Thu 25 Mar, 2010 3:58 am

Don_HH2K wrote: I'm not a big fan of "cloud" services to begin with. Moving things like text and spreadsheet editing to the cloud made no sense to me in the first place,

I can see the benefit of the ability of being able to access your documents everywhere you are, regardless if you carried your computer with you or not.

Postby Don_HH2K » Thu 25 Mar, 2010 6:54 am

Antony wrote: I can see the benefit of the ability of being able to access your documents everywhere you are, regardless if you carried your computer with you or not.


If it worked that way it'd be nice, but cloud computing goes one step further and turns whatever app environment into a Web-based application. Therefore by getting things done in the cloud, I would need to have a persistent Internet connection to do things such as write papers, read my e-mail (as in already downloaded / not new mail), read up on notes I took, or similar. There's also the fact that I have to trust the cloud to keep whatever I put in it both safe and backed up, which it isn't always capable of doing (the recent Gmail breach and T-Mobile Sidekick incident for instance).

If cloud computing were the equivalent of syncing my files among several devices, I wouldn't have a problem with it. The problem is when providers create their platform such that they keep your files on your behalf, then require the work on those files to also be done in the cloud.

Postby richard mitnick » Sun 18 Apr, 2010 3:35 pm

Does anyone know of a password manager that will work with SeaMonkey?

>>RSM

Postby James » Sun 18 Apr, 2010 9:55 pm

Last Pass, Richard. Follow this link:

https://addons.mozilla.org/en-US/seamonkey/addon/8542

Postby richard mitnick » Mon 19 Apr, 2010 6:52 am

Thanks.

>>RSM

Postby Vanny » Thu 03 Jun, 2010 9:03 am

I have tried LoginTrap and just want to say thank you)
It is what I need!