If you're using a *nix system: https://www.passwordstore.org/ I switched over from LastPass a few months ago. It uses gpg for encryption and supports git for password syncing between systems. Pretty simple to set up and use. There are quite a few third party apps for it already (both desktop and mobile)
`pass` is based on well-established cryptography implementations: GnuPG. GnuPG is recommended by many security experts and used widely by journalists dealing with sensitive disclosures, e.g. the Edward Snowden documents.
It also doesn't try to NIH some complicated database format or syncing technology but instead uses well-established software (git, plain directory structure and gpg-encrypted text files) which makes it robust, flexible and future-proof, and also responsive to changes in cryptography as it benefits from upstream GnuPG updates. You can use any PGP key structure you want, or even hardware PGP devices like the YubiKey.
KeePass on the other hand seems to be based on mostly homegrown techniques written by people with no or limited understanding of cryptography. (see e.g. [0]) That said, I don't know how much KeePassX continues this trend - but it's based on the same file format so it presumably has to reimplement at least some of KeePass's homegrown crypto.
I don't know how much more convincing you need, but personally I wouldn't even dare consider using anything other than `pass`.
I tried LastPass, but didn't trust them, so I found https://www.passwordstore.org/ about a year ago. I can't emphasize enough how good it is, mainly because it is so dead simple and transparent in how it works, and also because it has great bash integration, and uses git which makes it easy to sync between your machines. There is also a Firefox plugin that integrates with it, but I don't really see that you need it: it is so easy to use at a prompt.
Don't use anything that runs in the DMZ (browser), if you care about your secrets.
I use keepassx, which requires manual search, copy, paste but it can store its vault on a cloud drive, mobile etc. and can have a key file or password.
Autotype is a bit risky because it assumes you've got the correct window/element focused. All it takes to expose your passwords is for a pop-up (e.g. instant message) to appear at the right moment.
Even if you don't hit the enter key/submit the form it is still possible for that incorrect window/app to grab your keystrokes.
I switched to 1Password after Lastpass got acquired. I obviously have no special knowledge how secure it is but it's serving me well. OSX browser integration excellent, iOS integration mediocre.
How easy is it to migrate from LastPass to 1Password? I've had the worst experience with their tech support (reported 2 bugs that have both been scrapped as WONTFIX) and really don't want to support them as a premium subscriber anymore.
If you encounter any trouble please write into support at agilebits dot com and mention "Kyle" somewhere in the body of the email and I'll get notified. You should be fine though, but every once in a while we have someone encounter trouble with the import from LastPass.
I checked out the pricing model and didn't see anything that made sense to me as an individual user. Is there any plan for an affordable individual plan (in the range of $10-20/year)?
As a Mac/iOS user, I don't see myself shelling out $60 for a desktop license and then another $10 for an iOS license on top of it. I'm sure your profit margin is great, don't get me wrong, but as a buyer that is just overkill.
I put my elderly parents onto 1Password and they "got" it.
The hardest parts of the migration for my parents were 1) demystifying the spaghetti mishmash my Dad had in place to manage his passwords, 2) getting Dropbox set up correctly between Mom & Dad for vault sharing, 3) training my Mom how to use it, and 4) educating Dad on how to manage website edge cases.
I would hope that 1PW has a LP migration tool, but if they don't, Dad was able to clean up his historical garbage one by one. The password capturing process in 1PW is good enough that this worked nearly seamlessly.
Finally, I've had nothing but positive results from posting questions in the 1PW forum.
Disclaimer: I work for AgileBits, makers of 1Password
Yeah, we hear you there. I (and others on the team) wish we could make this happen, but priorities are a tough one. Linux in general didn't fit all that great in our standalone license model before, along with being closed source. Now with the subscription option for individuals (new today), families and teams we have made the payment side a little less of a concern but we still have the closed source nature of things making Linux a harder target to hit.
We're probably in a better position now than before though. Every time I asked a Linux user who wasn't asking for this they said they had no interest in paying for closed source software. I wanted all the positive response I could get to show to the decision makers but I fell short in getting it.
This is all to say it's simply a complicated situation. It has to either make money to pay for its development, or the others have to offset it enough that it's a win for us so we can keep the lights on.
Hope that helps a little anyway. I know it's not the answer you wanted but I hate leaving people like yourself wondering why it feels like we aren't listening.
Is there a feature comparison or reasoning you may have about why 1Password may be better than KeePass? I have been using KeePass as I use Linux, Windows, and Phone for accessing my passwords. I am wondering if 1Password has some neat helpful features that KeePass doesn't. I am considering switching to a new password manager.
Coincidentally, a bunch of Dropboxers are working on a version of 1Password for Linux written in Rust (it's Dropbox's "Hack Week" right now). Hopefully we can open source it soon. Looking good so far!
If you have any questions that we might be able to answer, please shoot me an email. kyle at agilebits.com, or support at agilebits.com. I work on our Mac/iOS teams and security teams. I can probably answer most of your questions and at least get them in front of people who can answer them.
I really hope you're not making this work with AgileKeychain, we've put that one out to pasture. :)
I have been using 1Password since version 3 and highly recommend it. I personally am quite happy with the iOS support, synchronization, and mobile Safari extension.
I just read the whitepaper (I am a long time Dashlane user) and they have a section on security of their JavaScript/browser extensions. They say that their extensions all use C++ so execute entirely outside of the JavaScript context. This would not have prevented the LastPass exploit since all that was required was a malformed URL, but it is nice to see that Dashlane is thinking about this stuff. Also, had LastPass not used JS this exploit would've been harder to find (though not impossible).
Hello Julsimon, this is Simon from Dashlane's Support team. Thank you for your feedback. We have indeed run multiple checks on our end and can confirm that we are not vulnerable to this type of issue. The code used for our auto-fill functions is shared on all our platforms and has been audited multiple times.
I don't know about best practice but it integrates closely with Git. I store the encrypted passwords in a remote git repository. That means if someone else had the same GPG key and the password for that key, they could simply clone the repo and obtain the passwords. Equally they could add passwords and push them to the repo.
So that seems like a reasonable way for people to share them. However, I only use it for myself so I may not have thought of all the gotchas.
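The posts above describe `pass` as a plain directory of gpg-encrypted text files plus git, and the sharing question comes down to who the gpg recipients are. The following added example (my own illustration, not code from `pass`, which is a bash script) models that storage layout in Python: entry names map to `<store>/<name>.gpg`, the nearest `.gpg-id` file on the way up to the store root decides the recipients (so a `shared/` subtree can have its own `.gpg-id` listing several keys, which is how you share a subset of the store with someone without giving them your key), and names containing `..` are rejected the way `pass` does before touching the filesystem. The store contents, key IDs and the `gpg`/`git` argument lists are constructed here for illustration; nothing is actually encrypted or committed.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

PASS_EXT = ".gpg"        # every entry is a gpg-encrypted text file
GPG_ID_FILE = ".gpg-id"  # one recipient per line; a subdirectory may override the root's


class SneakyPathError(ValueError):
    """Raised for entry names that would escape the store (pass rejects '..' the same way)."""


def check_sneaky_path(name: str) -> None:
    # Reject absolute names and any '..' component, before any path is built.
    if not name or name.startswith("/") or ".." in name.split("/"):
        raise SneakyPathError(name)


def entry_path(store: Path, name: str) -> Path:
    """Where an entry lives on disk: <store>/<name>.gpg."""
    check_sneaky_path(name)
    return store / (name + PASS_EXT)


def recipients_for(store: Path, name: str) -> list[str]:
    """Walk from the entry's directory up to the store root and return the
    recipients from the first .gpg-id found (per-subdirectory override)."""
    check_sneaky_path(name)
    directory = (store / name).parent
    while True:
        gpg_id = directory / GPG_ID_FILE
        if gpg_id.is_file():
            lines = gpg_id.read_text().splitlines()
            return [ln.strip() for ln in lines if ln.strip() and not ln.startswith("#")]
        if directory == store:
            raise FileNotFoundError("password store is not initialized (no .gpg-id)")
        directory = directory.parent


def gpg_encrypt_argv(store: Path, name: str) -> list[str]:
    """Approximate gpg invocation for inserting an entry: one --recipient per key,
    output written to the entry's .gpg path (plaintext arrives on stdin)."""
    argv = ["gpg", "--encrypt", "--quiet", "--yes", "--batch",
            "--output", str(entry_path(store, name))]
    for recipient in recipients_for(store, name):
        argv += ["--recipient", recipient]
    return argv


def git_sync_argv(store: Path, name: str) -> list[list[str]]:
    """The git steps that follow a write: stage only the ciphertext file and commit.
    Because the repository only ever holds .gpg files, pushing it to a remote
    leaks nothing without the recipients' private keys."""
    rel = str(entry_path(store, name).relative_to(store))
    return [
        ["git", "-C", str(store), "add", rel],
        ["git", "-C", str(store), "commit", "-m", f"Add password for {name}."],
    ]


def build_demo_store() -> Path:
    """Constructed sample store (hypothetical key IDs): the root .gpg-id holds one
    personal key, while shared/.gpg-id lists two keys so that subtree is readable
    by both people, as in the sharing scenario discussed above."""
    store = Path(tempfile.mkdtemp(prefix="pass-demo-"))
    (store / GPG_ID_FILE).write_text("alice@example.org\n")
    (store / "shared").mkdir()
    (store / "shared" / GPG_ID_FILE).write_text("# team entries\nalice@example.org\nbob@example.org\n")
    return store


if __name__ == "__main__":
    demo = build_demo_store()
    for entry in ("sites/news.ycombinator.com", "shared/wifi"):
        print(entry, "->", recipients_for(demo, entry))
        print("  ", " ".join(gpg_encrypt_argv(demo, entry)))
```

The practical consequence for sharing: adding a colleague's key ID to `shared/.gpg-id` only affects new writes; existing entries under that tree must be re-encrypted (`pass init -p shared <ids>` does this for you in the real tool) before the colleague can decrypt them.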
I found this alternative when LastPass was acquired by LogMeIn. I was not happy with this. This app doesn't have a hacking or vulnerability history like LastPass.
Why not? I've been using it for about a year now (switched from LastPass) and haven't had any issues. Kind of miss the in-browser features of LastPass, but seeing as how those are what's being exploited, maybe not so much!
There are browser extensions that work with KeePass. This LastPass vulnerability makes me wonder, too. I wish the KeePass site would be 100% HTTPS, though, but the maintainer is a jerk in that regard.
My team and I have been using 1Password Teams (https://1password.com/teams/) for this. They also have a Families service if for some reason you want to do the same thing with family and friends.
That's a very bad recommendation. Very few people are capable of remembering unique 10-character passwords for each site. I have like 100 passwords and accounts for various systems and I'm certainly not able to remember each of them. So either I start reusing passwords or I use a password manager.