This looks like, at the very least, it is embarrassing for a computer security firm, although it seems that users are not at significant risk.
Why in God's name would ANYONE use such a service?
KeepassX and other solutions work well and remain under user control (KeepassX is also open source for the truly paranoid who may want to recompile the code themselves).
One advantage of a web based service is that your passwords are available on all your devices. However, I am having second thoughts about storing my passwords in Chrome.
In article , Tim Watts wrote:
My thought too. Eggs and baskets come to mind.
Others may view things differently, but my passwords don't change very often, and it's a simple matter to email my KeePass database to my mobile devices from time to time.
The answer to that is only to have one device.
You could use BitSync or SyncThing to distribute (via internet) the database across your machines. Both work on Windows, Linux + Android. SyncThing is open source.
which means you are now already past the point many users will want to/be able to get to grips with.
It's really all about balance of risk. It's probably better that someone use Lastpass with one strong password, which means they can have good unique passwords for their various services, than not use anything and rely on remembering weak passwords and reusing them too often etc.
In article , Chris French wrote:
Password, n: the funny word on a Post-it note stuck to the monitor.
for a long time my password was tatung
Owain
My password is 'incorrect'. The awfully clever Windows prompts me with it if I spell it wrong.
I simply copy my encrypted file of passwords to laptop etc. whenever they are at home (done automatically by a cron job). So any changes are available anywhere.
I *never* save passwords in my web browser. I either use easy (for me) to remember ones on things that don't matter (like mailing lists and forums) or I keep properly secure ones in *my* encrypted file.
Or have only one password ;-)
Many people use the same password for a crappy webforum as they use for Gmail (other email suppliers are available). As soon as the scammers lift the password from the crappy webforum, they can log in to Gmail, and proceed to take over the account. At the *very* least you should have a password for accounts you don't care about, and another one for ones you do. Ideally though, you want different passwords for each account (for many people, eBay will be an important account and it was hacked a few years ago). That's where something like LastPass comes in.
Sadly, there is no generically good solution which my sister can use on her home computer and her smartphone. (An example of a bright, but not particularly computer or security savvy person).
There is, actually: a decent standalone password manager, with the encrypted database automatically synced across the devices by any one of a number of auto sync systems that only have to be set up once, and can even be set up by someone like that effortlessly, just by keeping the encrypted password database in a particular folder etc.
Personally I prefer to go even further and have a combined password manager and form filler that avoids having to enter your basic details like addresses and card numbers etc more than once as well, like Roboform.
Note that I don't use their central storage of the encrypted database, I just sync that using something else like Dropbox.
Makes a lot more sense to have more than one device and either manually move the encrypted database between them when anything changes or have that done automatically.