LessPass vs traditional password manager

Let’s talk LessPass!

I really like the whole idea of not storing passwords (storing only passwordless profiles) but I am thinking, is it really any more secure than just having securely stored passwords? Like if someone somehow cracks your master passwords they get all of your passwords on one plate the same way they would have if they had cracked master password which they would then use to decrypt the encrypted password vault. Is there really any benefit of having the passwords directly generated instead of stored within an encrypted DB?

I am not trying to create a claim that the LessPass way of password managing is neither more nor less secure than the traditional way I am simply just curious if there is any benefit or downside to it or if it is just a design decision.

I hate password managers and even against all the opinons out there I think it’s not secure. What app is secure nowadays?, and if that app is hacked all your passwords will be. No, thanks.

LessPass doesn’t have your database anywhere, your database is just a algorithm.

Well, unless you have mastered memorizing techniques and are able to remember dozens of passwords for dozens of websites and services there is not much of an option. Yes, it is a certain risk to have all passwords stored together but I think most of the password managers offer a very solid security to prevent such thing happening (MFA or 2FA for example). I think it is still better to remember one fairly complex password and then having all of the others generated. And if you do not trust providers storing your passwords encrypted you may go for something that is open source and reputable or does not leaves your device.

1 Like

The disadvantages of this approach are:

unlike KeePass or LastPass, Less Pass isn’t able to store notes, links, credit card details or anything else. It’s just a password calculator.

It does not support 2-factor authentication, which means that all the security rests on the strength of your master password. In some situations, you could have a keylogger program on a computer (e.g. a compromised public computer) steal that password.

If you had to change your master password, it would innevitably mean that all your passwords, for all your websites, would have to change. That could be quite tedious to sort out.

If you need to change a password just for one website (e.g. your login for Diaspora), it becomes inconvenient to remember. Less Pass won’t automatically remember that the old password is no longer good. You have to remember to increase a counter from ‘1’ to ‘2’ when generating the Diaspora password.

Password managers like KeePass and LastPass have either good browser integration or well-developed autofill capabilities. (KeePass uses the excellent KeeFox plugin for Firefox.) Less Pass has neither, which means that once your password is generated, you have to copy it to your clipboard and paste it into the login page’s password field. That leaves your password in the clipboard, and a hacker will know to look there if your computer is compromised (or you’re using compromised public computer).

https://alternativeto.net/software/less-pass/reviews/

5 Likes

Try hacking 256 bits AES, I wish you luck.

6 Likes

I even prefer to hide a piece of paper in a good place :wink::grin:

Maybe the computer is compromised even before the encryption, or maybe the app is compromised in some way that the cracker could see what you’re doing. It’s not the first time that a password manager is cracked.

if my understanding is correct, they offer an option to store some kind of passwordless profiles that contains meta information about the passwords that are later used when computing the passwords

Agreed, that is quite limiting.

Agreed, that would be very annoying.

I think that what the passwordless database and or file is for. So you do not have to remember the meta information of the passwords.

1 Like

At the moment the attacker has access your device its game over anyway.

2 Likes

Everything could be cracked into, the thing is how easily and how many people can actually pull it off and will they? I think for the vast majority of the population, there is no need for extreme measurements, and if you value information you possess on such a high level that you would not store it on a computer because it could be compromised, I suggest learning memory techniques and store everything within your mind because that is the best-encrypted vault that is far from being cracked into in the near future… if you exclude some sophisticated torture :smiley:

1 Like

That’s true, but if the app has a severe vulnerability then it’s something different, and you are risking ALL your passwords.

Yes, everything within my mind.

Thats the thing, it doesn’t matter at all how secure the app itself is, as long as the crypto has been done well, which is the case with keepass.

1 Like

Then it could be something less complicated (and maybe more secure because it’s not an app) as a text file with your passwords and you encrypt it with AES256, like I do with my files before uploading to some cloud or save them in external hard disks and usb pendrives.
The point is that I don’t trust in only 1 app with ALL my passwords. And maybe you only need to crack the password of the app. You crack 1 password and you have them all.

Encrypting is exactly what it is, a password manager just makes an encrypted file in which you store your passwords, and because you need to remember only one secure password, means you can use way stronger passwords for everything. Sure a keylogger can intercept the encryption, but at that point intercepting your passwords normally is possible too.

1 Like

I mean that a text file and a command in Terminal is simpler and I’m sure that less vulnerabilities.
Anyway, another thread should be: can we trust in passwords only?

Kee Pass has embedded protection against keyloggers.

When typing the master password : Tools / Options / Security / Enter Master Key on Secure Desktop = Yes. (Incredibly, this option is not enabled by default – and buried deep. At least it wasn’t last time I checked.)

When Auto-Typing username and password : Edit Entry / Auto-Type / Two-Channel Auto-Type Obfuscation = Yes. (Needs to be enabled for each entry separately. Not enabled by default, because some sites won’t accept it. Very few of them, in my experience.)

1 Like

Even if you have, a memorable password is not a good password, even if you have the best system ever :wink:

Deal breaker. I had not understood that. It makes Less Pass impossible to use, in practice. Unless you envision never to change your master password, but that would be a stupid assumption to make.

In fact, Less Pass-type programs have always looked to me as challenging intellectual games for crypto-minded people. It’s fun science. Practical tools ? Not so much.

2 Likes