With all of the recent security breaches I’ve been trying to improve my password practices, especially on all of those sites where I used simple “throwaway account passwords”.
For about a year now I’ve been using KeePass for managing my passwords and generating stronger passwords. It’s very nice for that purpose and allows me to also keep track of those pesky security questions, etc. The problem is, it’s not very well integrated with the browser, etc. Sure, you can install a bunch of plugins, but it’s a pain and still leaves you either running various clients on various platforms of varying quality (often in Mono, which is barely a solution, to say the least), or with poor usability.
1Password looks beautiful and looks very powerful, but it doesn’t support enough platforms and is very expensive, so I haven’t even really given it much attention.
That leaves me considering LastPass. It has great integration on almost all platforms, browser plugins, widely supported, etc. I really like it, but can’t bring myself to use it because of a few fatal (IMO) flaws. If they’d just address these flaws I’d be willing to make the jump and pay for their service:
- They use the same password for your vault as for the normal account maintenance login. That feels like a major weak point.
- They require you to re-enter your password to “change identities”, but don’t allow different passwords for different identities (or, better, completely separate vaults). I want to be able to set it up to have my more secure passwords protected behind a much stronger password that is harder to type, but an easier-to-type password for my less important identities.
- They don’t allow you to store your vaults off-site. While they’re theoretically safe if somebody gets ahold of it, they’re still a major target. Being able to store my vaults somewhere else gives me at least a (possibly false) sense of security by the fact that the location is known only to me.
Given how cheap their service is and how nicely their stuff integrates into all of my browsers (even mobile w/ Touch ID integration!) I’m considering using them for my less important “everyday” passwords, but continuing to use KeePass for my more secure passwords that I don’t access nearly as often.
What are your thoughts?