Passwords. Login credentials. Those things which seem to continue to add up – no matter how many accounts you close you always end up with more login credentials at the end of the day.
I have been a user of LastPass for years. It’s become a tool which I simply cannot do without. LastPass works everywhere I want and need it to – Firefox, Chrome, Windows, Linux, Android … the downside is, well, it’s been hacked a couple of times – not that any of those hackings ever affected me.
LastPass is an online service which means it’s subject to constant attempts to be hacked, but this also means it’s an absolute breeze to use (did I mention it’s also FREE!!). Are there alternatives? – Some shout “Yes” without a moment’s hesitation. But the real question is “Are there alternatives which are as easy to use/setup/maintain and free?” – To this there is a resounding “NOOOOO”.
So what’s the next best thing we could try out? – Why not KeePass!?
KeePass is completely different to LastPass in that it stores your credentials in a .kdbx database file which you can move around as you like. KeePass is simply a password manager. To make real-life use of all those credentials in the browser (which is where most creds are used these days) you have to look to your browser addons and extensions in the hopes that someone has developed something.
Firefox users are lucky to have KeeFox as a pretty well working solution. KeeFox still has some quirks though which have been around for some time, but generally it’s very usable. KeeFox connects directly to KeePass running on your local device.
Chrome users, on the other hand, have a tough time of it. There exist just two extensions which you can try. CKP has a nice UI and responds well to filling in the credentials fields etc … but things become very tricky when you have a KeePass database which you want to use like LastPass – which means having an up-to-date version of your database on every device where you will need those credentials – which for me is every device I browse the web from – my home PC, work PC and phone, to begin with.
My setup involves an OwnCloud instance hosted on my personal hosting. I have my KeePass database file stored to the cloud. If I am on my home PC and I make a change to the KeePass database the OwnCloud client immediately syncs the changed file up to the cloud. When I then use the KeePass database from my work PC it’s using the latest version of the database with the changes I made earlier at home, and so on. I have been using this for a while now and it works very well (with KeeFox that is).
Unlike KeeFox the CKP Chrome extension does not connect with KeePass but instead has its own three options for connecting your KeePass database to the extension. You can connect your KeePass database from Google Drive, from Dropbox or from a local location. Here are the problems I found with all three of these options:
Google Drive – No native client for Linux (Ubuntu 14.04). I tried a few workarounds and also a third-party client but nothing was cutting it. When changes were made to the KeePass database, syncing to the cloud was not immediate.
Dropbox – Has a nice native client for Linux, but as was the case with Google Drive the changes to the database were not immediately synced to the cloud.
Local Database – Opens database as read-only and whenever a change is made to the KeePass database you have to re-connect the database manually.
The chromeIPass extension has a hard time filling in credentials into login fields – so that’s useless!
So my choices came down to:
1. Continue using LastPass, or
2. Switch back to Firefox as my browser of choice
Considering the very noticeable performance boost on Chrome vs Firefox’s sluggishness, option 2 is almost certainly not going to happen.
Here’s the thing about KeePass – you can use it in different ways, but none of the ways you use it is going to outdo LastPass.
1. Use KeePass completely off the cloud.
In this use case you have the KeePass database on your local PC. If you want access to those credentials on another PC you have to copy them over to that PC. You could also put the database on a USB flash drive and only access it from the flash drive – this of course means that whenever and wherever you don’t have that USB drive you also don’t have your credentials.
This is the most secure use case but is much more hassle than LastPass.
2. Use KeePass on the cloud
Let’s say I was to switch back to using Firefox, I would still have to host this KeePass database somewhere. Is it safe on Google Drive? Is it safe on Dropbox? Is it safe on my personal hosting? Are any of these and other cloud services any more secure than storing these credentials on LastPass? – I don’t know.
So what this comes down to is not how secure KeePass is vs LastPass – it’s actually a question of whether LastPass is any less secure than any other (free) cloud storage service.
KeePass has the option of using keys in tandem with your master password to secure your KeePass database, but LastPass also has multifactor authentication options, which again are much easier to use and set up, requiring very little geek in the user.
LastPass also sports some very useful security tools such as its Security Challenge, which gives you up-to-date information on how secure your stored login credentials are and notifies you of the vulnerabilities.
Sometimes making things more complex leads to people getting weary and then making critical mistakes. I get that feeling with KeePass – it appears to be more secure because it’s not an online service, but then it being an offline service also makes it less secure and more prone to user mishaps.