LessPass vs traditional password manager

Privacy Tools Providers & Services
#5

The disadvantages of this approach are:

unlike KeePass or LastPass, Less Pass isn’t able to store notes, links, credit card details or anything else. It’s just a password calculator.

It does not support 2-factor authentication, which means that all the security rests on the strength of your master password. In some situations, you could have a keylogger program on a computer (e.g. a compromised public computer) steal that password.

If you had to change your master password, it would innevitably mean that all your passwords, for all your websites, would have to change. That could be quite tedious to sort out.

If you need to change a password just for one website (e.g. your login for Diaspora), it becomes inconvenient to remember. Less Pass won’t automatically remember that the old password is no longer good. You have to remember to increase a counter from ‘1’ to ‘2’ when generating the Diaspora password.

Password managers like KeePass and LastPass have either good browser integration or well-developed autofill capabilities. (KeePass uses the excellent KeeFox plugin for Firefox.) Less Pass has neither, which means that once your password is generated, you have to copy it to your clipboard and paste it into the login page’s password field. That leaves your password in the clipboard, and a hacker will know to look there if your computer is compromised (or you’re using compromised public computer).

https://alternativeto.net/software/less-pass/reviews/

6 Likes
#6

Try hacking 256 bits AES, I wish you luck.

7 Likes
#7

I even prefer to hide a piece of paper in a good place :wink::grin:

#8

Maybe the computer is compromised even before the encryption, or maybe the app is compromised in some way that the cracker could see what you’re doing. It’s not the first time that a password manager is cracked.

#9

if my understanding is correct, they offer an option to store some kind of passwordless profiles that contains meta information about the passwords that are later used when computing the passwords

Agreed, that is quite limiting.

Agreed, that would be very annoying.

I think that what the passwordless database and or file is for. So you do not have to remember the meta information of the passwords.

1 Like
#10

At the moment the attacker has access your device its game over anyway.

3 Likes
#11

Everything could be cracked into, the thing is how easily and how many people can actually pull it off and will they? I think for the vast majority of the population, there is no need for extreme measurements, and if you value information you possess on such a high level that you would not store it on a computer because it could be compromised, I suggest learning memory techniques and store everything within your mind because that is the best-encrypted vault that is far from being cracked into in the near future… if you exclude some sophisticated torture :smiley:

1 Like
#12

That’s true, but if the app has a severe vulnerability then it’s something different, and you are risking ALL your passwords.

#13

Yes, everything within my mind.

#14

Thats the thing, it doesn’t matter at all how secure the app itself is, as long as the crypto has been done well, which is the case with keepass.

1 Like
#15

Then it could be something less complicated (and maybe more secure because it’s not an app) as a text file with your passwords and you encrypt it with AES256, like I do with my files before uploading to some cloud or save them in external hard disks and usb pendrives.
The point is that I don’t trust in only 1 app with ALL my passwords. And maybe you only need to crack the password of the app. You crack 1 password and you have them all.

#16

Encrypting is exactly what it is, a password manager just makes an encrypted file in which you store your passwords, and because you need to remember only one secure password, means you can use way stronger passwords for everything. Sure a keylogger can intercept the encryption, but at that point intercepting your passwords normally is possible too.

1 Like
#17

I mean that a text file and a command in Terminal is simpler and I’m sure that less vulnerabilities.
Anyway, another thread should be: can we trust in passwords only?

#18

Kee Pass has embedded protection against keyloggers.

When typing the master password : Tools / Options / Security / Enter Master Key on Secure Desktop = Yes. (Incredibly, this option is not enabled by default – and buried deep. At least it wasn’t last time I checked.)

When Auto-Typing username and password : Edit Entry / Auto-Type / Two-Channel Auto-Type Obfuscation = Yes. (Needs to be enabled for each entry separately. Not enabled by default, because some sites won’t accept it. Very few of them, in my experience.)

2 Likes
Clipboard Password Attack
#19

Even if you have, a memorable password is not a good password, even if you have the best system ever :wink:

#20

Deal breaker. I had not understood that. It makes Less Pass impossible to use, in practice. Unless you envision never to change your master password, but that would be a stupid assumption to make.

In fact, Less Pass-type programs have always looked to me as challenging intellectual games for crypto-minded people. It’s fun science. Practical tools ? Not so much.

2 Likes
#21

I can see a system where you would be able to remember passwords that are not rememberable on first sight, the same way you are able to learn to remember dozens of numbers via the techniques.

Like for example “kloning-FLOWN~&88–namaste” would be in my opinion very strong password and I can imagine having a memorizing technique for remembering such passwords.

#22

When Lastpass got purchased by Logmein for $125M I switched to Bitwarden instead…figuring it’s open source and how are Logmein going to make that $125M back + profit on a free password manager? (Probably by selling info).

As it stands I use a somewhat complicated password, I don’t use 2FA because it requires a smartphone - I use a phone that could have been made in the early 90’s, because I think smartphones are already compromised when they are sold - people are paying $1000 for a tracking device. I might get a dongle of some kind for 2FA though.

However 0day is always a worry no matter what you do and then we found out about how access to computers is enabled through Ring bus regardless of your OS… I figure everything you do is vuln now and I just try not to be low hanging fruit for “l3370 scr1ptk11d13s” or whatever they call themselves these days.

As for site passwords they are all like 30 char’s with a load of symbols…if I ever lost access to my BW account I would be screwed.

#23

About the 2fa thing, if you have a spear computer laying around, you can use TOTP based 2FA with KeepassXC on a computer.

Also, welcome to our forum!

1 Like
#24

Looks like Master Password

Great alternative (imho): Diceware password generator