I use keepass with  Key and Master password combination. I store the password database on the dropbox/SFTP  and carry my key with myself on my cell phone, laptop etc. and then the master password is in my mind :) . So with this , even if my password database gets compromised or dropbox gets hacked, My password database is still encrypted and the keys/password is not with the password database file.

Amit K Nepal
(CISSP, RHCE, CCENT, C|EH, C|HFI, GIAC ISO 27000 Specialist)

On 7/28/2016 1:25 AM, Joseph Sinclair wrote:
I do use Lastpass, fortunately I do not use the Firefox client affected by the latest issue, which has already been patched (One thing Lastpass has done well is security response and patching).
I don't store everything there, but I do store some things there for various reasons (mostly needing to use them on idiotic sites that actively block copy/paste).

I store absolutely everything in encrypted databases (multiple small files for performance and separation) (not keepass, mono is too much of a pig to run on my desktops).
The encrypted files (never decrypted to anything but RAM, and that's overwritten with 0's in the program as quickly as possible) are stored in a DVCS (e.g. git, mercurial, DARCS, Bazaar, etc...) that I sync via it's normal repo synchronization.  I gain the advantage of "oops" recovery as well with the version history.
The repo is NEVER online, however, just filesystem-to-filesystem "remote" sync.

Nothing's perfect, but the amount of work needed to get past the encryption should vastly exceed the rather low value of what's stored there (in my case).


On 07/27/2016 03:34 PM, Stephen Partington wrote:
I know several of you here are using keepass. of those users who is working
with the various browser integrations and the various android apps. and the
usual or unusual means of keeping the db across multiple locations.

I have been wondering about keepass and its use for some time, but now with
the recent security hold found in Lastpass i am taking a second look at it.

https://nakedsecurity.sophos.com/2016/07/27/lastpass-password-manager-zero-day-bug-hits-the-news/

​PS i know this is not a real 0 day bug, so does the author. not sure why
he decided to do that sort of weird headline.​




---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss


      

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss