by john_b 3904 days ago
> "They however do control access to the account. This means there's a point where they get all sorts of data on me, and while I personally don't mind, I must admit I felt a bit safer when I thought it was a smaller, purpose-built company managing things."

I've never really understood the appeal of account-based password managers. It was a startup and it needed a business model, sure, so from the company's perspective it makes sense. But from a customer's perspective you're accepting a new type of risk that you don't have to worry about if you use a glorified encrypted list (e.g. KeePass) to manage passwords. The payoff is convenience, but personally no amount of convenience is enough to make me comfortable with storing all of my encrypted passwords on a single server somewhere and hoping that there are no exploitable security vulnerabilities (or malicious insiders who might seek to profit from finding or introducing them). Having an offline password manager that never uploads data to a server provides defense in depth, though it's less convenient.

3 comments

Agreed. Logically, something like KeepassX (https://www.keepassx.org/) is the most logical, secure choice. I think a lot of people pick Lastpass and such for the convenience of browser integration, but I don't think that's necessarily impossible with keepassx - just so happens that nobody is really working on it (which is a shame).
There's actually rather good browser integration for KeePass now, I just switched a few weeks ago from LastPass.

Check out http://keepass.info/plugins.html (I use PassIFox and ChromeIPass via KeePassHttp)

Another reason to use LastPass is if you need to share sensitive data with a team.

Group credentials and secure keys for production environments, among other things, can be shared using LastPass.

This one in particular -- I use KeePass for my personal stuff, still; but at work, there seem to be a ton of logins we need to share.

Never mind sensitive stuff -- we get lots of use out of LastPass for managing the list of test and demo users on our site. We set up sandbox accounts (with various types of users) for potential customers. Each time the main logins go into LastPass, so if they run into problems, anyone on the dev team can help them out (with no other coordination required).

I've not been terribly impressed by LP's usability, honestly; but for quite a while they've seemed to be the only mature product in this space.

I've noticed Dashlane seems to be catching up here; I'm keeping an eye on them.

Dashlane is pretty OK. I'm playing with Sticky Password now.
Beware, KeePass uses a weird custom key derivation function. LastPass uses PBKDF2 with a configurable number of iterations, a pretty widely accepted standard.

Maybe this has changed since I last checked but this and many other things seemed highly questionable on KeePass.

An important thing is that LastPass works on mobile.
So does KeePassX, quite well actually, at least on iOS but there are Android apps as well.

iOS (MiniKeePass): https://itunes.apple.com/us/app/minikeepass-secure-password/...

Source: https://github.com/MiniKeePass/MiniKeePass

How is trusting your data to several corporate entities better than to just one?
Huh? The data is only on my devices and nowhere else. I transfer the password database to the app via iTunes file sharing.
Back when I first signed up for LastPass, the killer feature for me was that it worked on my BlackBerry Curve. The fact that they made versions of LP for damn near every platform is what sold it for me.

I don't have a BlackBerry anymore, though. Now might be the time to jump ship.

Keepass has apps on Android, I've seen an implementation for WP, I'm not sure about iOS.
I wouldn't consider Keepass the most secure choice. One of the most common attacks in practice is phishing, and browser integration discourages carelessly pasting your password into something that looks like your bank's site. The Chrome password manager and LastPass can help there, but Keepass does not.
But if an attacker steals your Keepass file and acquires your password you won't notice.

Lastpass can detect logins from new IP addresses and throttle requests, send warning mails etc.

But sure, once their servers are cracked and their plugin is infected with master-password-stealing code it's all game over.
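The kind of server-side monitoring this comment attributes to LastPass, sketched as an added example that is not LastPass's code: a small monitor over constructed login events that flags a successful login from an address the user has never used before (the "warning mail" case) and throttles repeated attempts from one address inside a time window. Event format, thresholds and action names are assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp_seconds, username, source_ip, auth_succeeded)
EVENTS = [
    (0,   "alice", "203.0.113.10", True),   # alice's first ever login
    (60,  "alice", "203.0.113.10", True),   # same address, nothing to flag
    (120, "alice", "198.51.100.7", True),   # first login from a new address
    (130, "bob",   "192.0.2.5",    False),  # three failures in quick succession ...
    (131, "bob",   "192.0.2.5",    False),
    (132, "bob",   "192.0.2.5",    False),
    (133, "bob",   "192.0.2.5",    True),   # ... so the fourth attempt is throttled
    (300, "bob",   "192.0.2.5",    True),   # window has passed; bob's first real login
]


class LoginMonitor:
    """Tracks per-user known addresses and per-(user, ip) attempt rate."""

    def __init__(self, window=60, limit=3):
        self.window = window          # seconds over which attempts are counted
        self.limit = limit            # attempts allowed per (user, ip) per window
        self.known_ips = defaultdict(set)     # user -> addresses seen on success
        self.recent = defaultdict(deque)      # (user, ip) -> timestamps of attempts

    def process(self, ts, user, ip, ok):
        """Return the actions for one event: 'throttle', 'warn_new_ip', or none."""
        actions = []
        q = self.recent[(user, ip)]
        while q and ts - q[0] > self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            actions.append("throttle")         # reject before even checking the password
            return actions
        q.append(ts)
        if ok and ip not in self.known_ips[user]:
            if self.known_ips[user]:           # skip the user's very first login
                actions.append("warn_new_ip")  # e.g. send the warning mail
            self.known_ips[user].add(ip)
        return actions


def audit(events, window=60, limit=3):
    """Run the monitor over a list of events; returns one action list per event."""
    monitor = LoginMonitor(window, limit)
    return [monitor.process(*event) for event in events]


if __name__ == "__main__":
    for event, actions in zip(EVENTS, audit(EVENTS)):
        print(event, actions)
```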

> Lastpass can detect logins from new IP addresses and throttle requests, send warning mails etc.

This, Duo integration and Linux support are the features that are making finding an alternative to LastPass difficult for me.

> The payoff is convenience

It's true for any level of password management. KeePass is less secure but more convenient than simply memorizing each of your long, secure passwords. Choosing less secure passwords or repeating passwords is more convenient than memorizing long, unique passwords.

Finding the right balance of convenience & security is critical for securing the myriad accounts of the "masses." We know that the average person isn't going to bother memorizing long unique passwords - even the most security-conscious person won't do that (except for maybe a handful of super-critical passwords).