Rich Freeman on 9 Jan 2017 05:04:47 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Lastpass - friend of foe

On Mon, Jan 9, 2017 at 7:53 AM, Rich Kulawiec <> wrote:
> Given that approach, how will LastPass know?

Presumably they have security monitoring.  A hacker would need to
compromise the client side, since the vaults are encrypted on the
server side.  A modified client being pushed out should be fairly
detectable.  Heck, somebody other than Lastpass could probably spot
that, not that anybody is necessarily looking.

And if you assume that somebody is able to push out modified clients
then I don't know why you'd trust something like Keepass more since
the same risk exists on your distro or Android Play.  Maybe you might
trust that if it were detected it would be more likely to be
announced, but so far Lastpass has been up-front about past security
issues and has taken conservative reactions even when it was not clear
that anything serious was compromised.

> This is the point where you should be sweating, getting off LastPass,
> and changing all your passwords as fast as you possibly can.

The problem is a general lack of alternatives.  I need something that
can handle form-filling passwords on:
1.  Chromium on Gentoo.
2.  Chrome on Windows, ChromeOS, and Android
3.  Ugh, IE/Edge on Windows which rarely is needed.
4.  Lots of random applications on Android.

I've yet to find a suitable substitute that covers all of these
options.  On android in particular I want the fields to be filled in,
not to switch to some application, copy a username, switch back,
paste, switch back, copy a password, switch back, paste.  Granted,
that is sometimes needed in lastpass as well but it is pretty rare.

If somebody could offer a comparable FOSS implementation I'd be more
than happy to use it.  I can take another look at Keepass but the last
time I checked they were still not a great option on Android or

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --