LastPass Makes Password Management Free Across All Of Your PCs, Tablets and Smartphones

LastPass on Wednesday announced that its popular password manager will now be free for all to use. LastPass previously charged a fee of $12 per year to sync passwords across multiple devices, such as a computer, tablet or phone. From a report on CNET: To entice newcomers, the service allowed you to access select features for free on either the web or on a mobile device, but syncing between the two required a premium membership. Not anymore -- that service is now free. LastPass is one of the best known and most trusted password managers. Its main purpose is to store all of your passwords in an encrypted vault in the cloud. The vault can only be opened using a master password that only you know. LastPass doesn't store the master password or have access to it, which means even if its servers were to be breached, your precious passwords would remain encrypted and protected.

No news at 11

[TimothyHollins]

I don't see anything newsworthy here at all. Did some sneaky little marketer pay for someone's lunchy-lunch yesterday?

Bad Slashdot, bad!

Re:

[Anonymous Coward]

Yep. KeePass is open source and stores your password database locally (or remotely via something like WebDAV). Another alternative is to use a password hasher that regenerates all of your passwords based on a master password so that there is no stored database to be potentially compromised at all.

There is no reason to trust LastPass or any other proprietary, third party solution with your most valuable data. Also, didn't LastPass recently get hacked?

Re:Fuck you!

[MrNiceguy_KS]

Yep. KeePass is open source and stores your password database locally (or remotely via something like WebDAV). Another alternative is to use a password hasher that regenerates all of your passwords based on a master password so that there is no stored database to be potentially compromised at all.

There is no reason to trust LastPass or any other proprietary, third party solution with your most valuable data. Also, didn't LastPass recently get hacked?

And if you want to sync passwords across devices, just keep the KeePass database in a cloud storage account. In the event that your cloud account is breached, the database is still encrypted

Re:

[account_deleted]

Comment removed based on user account deletion

Biometrics?

[Overzeetop]

You mean like requiring that you log into your device (laptop, phone) with a fingerprint, an iris scan, or facial recognition in order to even open the Lastpass program - at which point you then have to put in your master password? Yeah, I think modern hardware can accommodate your request. It's not set up to be used that way, but the effective result is the same.

Re:

[tepples]

If your biometrics are compromised, how can they be revoked and reissued without harming you?

Re:

[Lopton]

Lastpass Premium integrates with the Yubikey.

Re:

[nicolaiplum]

Laspass Premium supports Yubikey.

(I have no connection with lastpass other than being a customer)

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Nemyst]

Biometrics can be insecure if you're being specifically targeted. The most common security breaches for regular users come from phishing, hacks or vulnerabilities in software, and those are non-targeted most of the time and would be significantly hampered by biometrics, since the hackers don't know you and don't specifically care about you.

Also, you're seemingly assuming that today's biometrics are as good as it gets, which is rather myopic. Fingerprinting will move on to finger vein matching, face recogn

Re:

[Stormy Dragon]

The other big problem with biometrics is that once a breach does occur, you can't change to a new set of fingerprints, eyes, etc.

Conversely, if you're in some sort of accident, you now have no way to access any of your accounts.

Still charging for two factor support

[Froze]

Which is why I still don't use it. If they really wanted to bolster security then MFA should really be standard, IMHO.

I will just leave this here...
http://keepass.info/help/kb/yu... [keepass.info]

Re:

[portnoy]

According to their website, a number of forms of 2FA are available free. The free options largely involve either one-time verification codes like Google Authenticator or push notifications to your smart phone. Premium is required for Yubico, Sesame, and windows fingerprint recognition.

This service is brought to you by NSA

[ugen]

Because someone's got to pay for it.

Why?

[AmiMoJo]

Can someone explain why I would want to have Lastpass hold the keys to my kingdom when I could just use a trusted, open source option like Keepass with a private server or free account on any number of cloud storage services? Browser plug-ins aren't exactly known for their great security.

Re:

[ljw1004]

Can someone explain why I would want to have Lastpass hold the keys to my kingdom when I could just use a trusted, open source option like Keepass with a private server or free account on any number of cloud storage services? Browser plug-ins aren't exactly known for their great security.

Lastpass (the company) doesn't hold the keys to your kingdom. Their servers only store an encrypted blob that they (the company) can't decrypt. It only ever gets decrypted locally on your machine at the moment you type in your master password.

Why would you want Lastpass? Because (1) it's really convenient - 99% of the time you want to enter a password it's the password to a web-page, and LastPass is already there; (2) you've heard from lots of security professionals that lastpass security is adequate.

Re:Why?

[ljw1004]

"Their servers only store an encrypted blob that they (the company) can't decrypt". You don't know that. Unless you can see the source you don't know anything about it.

Technically true. But let's look at the equivalent Keepass steps:

1. Download source code for desktop version
2. Audit it
3. Compile it locally
4. Optional: encrypt the binary and store it somewhere in (say) dropbox if you want to avoid steps 1-3 each time in future
5. Download source code for iOS version (say)
6. Audit it
7. Purchase $100/year Apple developer license
8. Compile it locally
9. Deploy the binary to your iOS device

Unless you've gone through steps 1-9 yourself, then the difference between "trusting Keepass" and "trusting Lastpass" are immaterial.

No longer need developer license to run own builds

[tepples]

Purchase $100/year Apple developer license

That's no longer required since Xcode 7 if you're not distributing your apps, but a $150/year* sufficiently recent Mac is required, unless the computer that you already use for other things happens to be a sufficiently recent Mac.

* Estimate based on dividing the price of a Mac mini by its expected four-year update life.

Re:

[AmiMoJo]

You don't have to do it yourself. Lots of people have looked at Keepass. Given the choice, I'll take open source over closed. All other things being equal, it's much harder for the NSA/GCHQ to screw with open source software, but Lastpass is vulnerable to legal attacks.

Re:

[ljw1004]

You don't have to do it yourself. Lots of people have looked at Keepass

Okay, you (1) trust those people to have audited the code, (2) trust the website is offering you a download binary built from the code that was audited by those people, (3) trust that no one malicious has snuck in a modified binary.

I trust the Lastpass employees to have audited their code, and the security professionals who recommend Lastpass. I *know* that I'm getting an authentic lastpass binary because of the way the Google and Apple store works.

It's all down to a personal question of trust. I respect th

Re:

[ljw1004]

No it isn't. I trust open source developers a hell of a lot more than I do any closed source company trying to make a buck. Ridiculous.

Ah, now you're shifting goalposts. Your first was "you can't *know* it's secure". Now it's down to a personal trust preference. My personal trust preference is that I trust the Lastpass developers more than the Keepass developers.

Re:

[110010001000]

I'm not shifting anything. You can't know Lastpass is secure. You don't have the source. You have no idea what they are doing. They might be storing your password in plaintext. I also trust open source developers rather than some closed source company. It really isn't that complex to understand.

Re:

[ljw1004]

You also can't know that your installation of Keepass is secure unless you've done steps 1-9. Have you? If the answer is no for you or anyone you're advising, then you should remove "know it is secure" from your list of arguments.

Re:

[110010001000]

Yes I have. It is 100% secure. I have audited the code. So how do you know Lastpass is secure? I await your response.

Re:

[ljw1004]

I haven't audited the code for Keepass. So my knowledge of the security of Lastpass and Keepass is equal (as it is for almost everyone else). So any advice you give to me or anyone else in my position shouldn't be based on your "knowledge" argument. And anytime you trot out your knowledge argument you should accompany it with the big caveat that it only applies to people who did steps 1-9.

PS. You said you audited the code. I assume you meant "and I also compiled it locally and I also paid $100/year apple ta

Re:

[Fnord666]

Yes I have. It is 100% secure. I have audited the code. So how do you know Lastpass is secure? I await your response.

Did you build the version that you are using from the source that you audited, or are you trusting that what you installed has anything to do with the source that you saw?

Re:

[110010001000]

Correct. I have audited the code and I know it is secure. So basically you have no idea if Lastpass is secure, BUT you COULD find out if Keepass is secure if you audited the publicly available code. With Lastpass you don't have that option. You are basically trusting some company to do the right thing. Good luck with that.

Re:

[RandomSurfer314]

False dichotomy. Security is not a simple Yes/No matter. There is no absolute security but you can increase it, e.g. by auditing source code.

Re:

[RandomSurfer314]

And you're absolutely right in doing so. It's way easier to sweep issues under the carpet when you're closed-source, and every private company that wants to make money will do so if a problem arises and can be fixed silently.

And who should I trust?

[Overzeetop]

Even I I could view the source, I still wouldn't know that. I don't do cryptography or programming for a living at the level which would allow me to review the code for vulnerabilities, which puts me in with about 99.999%* of the general population. I can't verify keepass either. So I can either trust that their business model and livelihoods are based on some level of security, or I can base my trust of, say, keepass on some random set of internet users I've never met, have never seen the credientials of,

Re:

[110010001000]

So you could trust a corporation, who employs people you have never met, or seen the credentials of, who wants to make money somehow off of storing your passwords, or you could trust some open source developers, or yourself if you learned enough to take a look at the source. The point is with open source you at least have the OPTION of the latter. Whether you take that option or not is up to you, but I don't trust companies. They have proven to be untrustworthy.

Free software means freedom to hire someone

[tepples]

The point is that with free software, anybody interested in evaluating a particular application can hire one of those 70,000 to perform and publish an audit.

Re:

[tepples]

How do you know you can trust your own eyes? You think that's air you're breathing now? [youtube.com]

Re:

[RandomSurfer314]

The auditor has a vital business interest in finding bugs and making them public to you, whereas the maker of the proprietary software has a vital interest in keeping any bugs secret from you and fixing them silently whenever it pleases him or he has the time.

Re:

[Cro Magnon]

Open Source doesn't guarantee that the source will be audited. However, closed source does guarantee that the source WON'T be audited by anyone outside the company. Open is no silver bullet, but it's better than closed.

Re:

[110010001000]

Bound by their own policy? Comical. Is that like "Do no evil"?

Re:

[110010001000]

I guess I never realized that breaking a company policy was illegal. Thanks for the tip!

Re:

[tepples]

Look up "tort of deceit" and "non-disclosure agreement" and "false advertising". Even if it isn't a crime, it can still be grounds for a civil suit.

Puhleaze

[s.petry]

We all know the legal game of plausible deniability. "We didn't know Bob and Mary were skimming keys." ends any legal challenge you pose for violating their policy. Hell, that works for breaking actual laws nowadays.

Re:

[mrlinux11]

They could encrypt it and send it up. The question is how good is the encryption and the password you used to generate the key. If they use a combination of symmetric key for the bulk encryption and asymmetric key (generated from Password) to encrypt the symmetric key. Then they could encrypt everyone's data with the same symmetric key and encrypt it with the asymmetric key to make it look secure. So now the NSA can get access to everyone's userid and password

Re:

[110010001000]

Thanks! Where is the server side code? That is just the interface to LastPass.com.

Re:

[110010001000]

You have no idea if they are running that code in their closed source clients, and you have no idea what is being transmitted to the server. You do have to trust someone, but Internet companies have proven to be untrustworthy.

Re:

[tepples]

If you can verify that the vault always leaves your machine encrypted

How is that possible when the GUI half of the LastPass client is not part of the lastpass-cli repository or any other repository owned by the LastPass organization?

Re:

[idji]

Keepass users are more tech-savvy than Lastpass users. Different customers.

Re:

[whodunit]

I'd use FreePAVE [pave.software] instead; nicer UI (no damn trees) a search feature that actually works, SQLite database, XSalsa20 instead of AES, yadda yadda. But mainly the search thing.

Re:

[irrational_design]

Because LastPass just works on Macs and iPhones, while KeePass is a major pain to set up (I tried following a number of tutorials when I tried it, but was never successful, YMMV).

Okay, what's the business model then?

[Dr. Crash]

Which leaves us with the interesting question of LastPass's business model.

1) Advertising? Knowing every site you visit - AND YOUR PASSWORD?

2) "We have a benefactor". Yeah. Except that maybe that benefactor is the NSA. Or is it the GRU? Or is it the MSS (China's NSA)?

No matter how I slice it, I can't figure out an angle that isn't kinda creepy.

Re:Okay, what's the business model then?

[Githaron]

There are still features exclusive to premium and enterprise users: https://lastpass.com/features/ [lastpass.com]

Re:

[Nemyst]

1) They don't know your password. You should read more before commenting

2) Their benefactor is LogMeIn. To them, LastPass is another tool in their arsenal to court corporations, and corporate LastPass usage is not free.

Re:

[Overzeetop]

This, more than anything else, may prompt me to switch. Not that handing my money over is any kind of guarantee of privacy, but if you're giving away nearly your entire product then it means you're making money some other way. And I'm not so sure I trust that "other way" not to be in conflict with my privacy.

Re:

[nine-times]

It's advertising. Though to be fair, they don't know your passwords.

Re:

[Last_Available_Usern]

My assessment is their goal is two-pronged. The first is to amass the majority of this market and get even more people to embrace cloud password storage. Secondly, at some point in the future they will roll out a paid "premium" service that will help offset the costs they've been absorbing and move them into profitability. Given the expected low per-user cost I suspect it would have to be a *very* enticing service as to lure enough subscribers to move them into the black. Not sure what they could offer

Re:

[110010001000]

"What would they sell? They don't have any information about you, except your login and a collection of encrypted bits that might as well be random."

How do you know that? You don't. There sure are a lot of people here claiming they know how LastPass works. Without the source being open, I wonder how they know that.

Re: Okay, what's the business model then?

[cyber-vandal]

Which you can do with Keepass easily enough without having to hand over anything to a third party.

Re:

[Anonymous Coward]

Remember These,

June 15, 2015 - LastPass Reporting a Security Breach, Including Authentication Hashes and Salts https://it.slashdot.org/story/15/06/15/2143222/lastpass-reporting-a-security-breach-including-authentication-hashes-and-salts

January 17, 2016 - LastPass Vulnerable To Extremely Simple Phishing Attack https://it.slashdot.org/story/16/01/17/1936211/lastpass-vulnerable-to-extremely-simple-phishing-attack

July 27, 2016 - LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites https://it

Is it sad that my first thought was...

[PortHaven]

Oh, so the NSA is paying them to make it free in exchange for a backdoor. So that the NSA can access the passwords of anyone who uses LastPass.

Re:

[110010001000]

The thing is: you never know. They could be doing the right thing now, but maybe they aren't. Or maybe the company changes ownership or gets threatened by some agency or needs some "alternative" revenue stream. You would never know because you can't know exactly what they are doing.

Time to become suspicous

[stikves]

When LastPass was bought out by LogMeIn, I was worried that they would discontinue the service, however this seems even worse. Because in general if you're not the customer, you're the product. And in this case you're the product with all passwords stored on the cloud.

It might be time to move on to KeePass. Then again the mobile versions are not 100% from the source. So even that is a tough decision.

This is a solved problem

[Dasher42]

For me, KeepassX compiled with Qt 4 or 5 does the job. I store its encrypted wallets on the cloud. Linux, Android, Windows, and Mac all work with it. What's LastPass got that I should be interested in?

Re:

[Sneftel]

Not a ton. LastPass has better 2FA support, and you might prefer one UI to the other, but ultimately the two solutions are pretty similar in approach.

Free? It cost $8 on the Humble Bundle

[Nyder]

https://www.humblebundle.com/l... [humblebundle.com]

Last Pass is part of the "LifeHackers" Humble Bundle. Cost just under $8 for it (and others).

Guess that's okay because it's charity right?

But the $1 for Directory Opus is a great deal.

Why CNET?

[alexru]

Why is this going to fking CNET instead of the LastPass blog? Here is the actual article https://blog.lastpass.com/2016... [lastpass.com]

Re:A Master Password....

[Jawnn]

...that only you transmit up to 'the cloud' anytime you want to use any of your passwords, anywhere.

I know it isn't quite that simple or risky, but it's rather close.

Password Managers, by design, serve the function of reducing your security.

That's not how it works.

Re:

[silas_moeckel]

Or ya could use keepass across all your devices without using somebody shared hosting.

Re:

[mlts]

As a compromise, I have started using an app (mSecure) that offers a different encryption key for what is syncs with Dropbox or iClouyd, as it does for the local device. The nice thing about this is that one can use a very long password (32+ characters) for the file that is stashed on the cloud, while having a much shorter key for the app that is sitting on an already encrypted device.

I don't trust a service that is dedicated to storing passwords. It is an obvious target. Yes, one has an encryption passw

Re:

[irrational_design]

Unless you are on the Apple ecosystem, then keepass is a nightmare to set up (YMMV, but that has been my experience). LastPass on the other hand just works.

Re:A Master Password....

[hsmith]

If you have a keylogger installed then none of your passwords you'd be storing are safe anyway. A useless fucking point.

Re:

[bigfinger76]

But you will be typing in your master password, which makes everything else moot.

Re:

[Lopton]

This is also not true with default settings from LastPass, by default last pass won't let you login from an unknown device or unknown location, it will send an e-mail to a account you specify and require you to click the link to allow access from the remote location. Also you can secure access like I do with a physical token (Yubikey).

Re:

[Anonymous Coward]

They can't get stolen because they're encrypted. They could as well be public, because they're of no use to anyone who doesn't know the master password.

Re:

[mlts]

If I need one password, I'd like to use some form of 2FA with it, be it a key residing on a device + a PIN, a password + keyfile, or similar. Something to ward off a brute force attack.

I do this with my TrueCrypt/VeraCrypt volumes when storing those offsite. They get encrypted with a password and a keyfile, with the keyfile stashed in a secure location. This way, if the offsite account is compromised, an attacker has to deal with the entire 256-bit keyspace, as brute-forcing passwords is not an option.

Re: WHo cares how it works.

[dnorman]

each site has a unique, computer-generated password. which is stored in encrypted form and only decrypted by you when you need to retrieve that single password. if one of the 20 sites doesn't store their password properly in their database, only that password will be compromised and the other 19 are safe. This is much better than using a single super-secure-nobody-could-possibly-guess-it password for all sites.

Re:

[dnorman]

wait. people agree with each other on the internet? what the hell just happened? ;-)

Re:A Master Password....

[suutar]

from How It Works [lastpass.com]:
Local-Only Encryption
User data is encrypted and decrypted at the device level. Data stored in the vault is kept secret, even from LastPass.

Now, you don't have to believe that if you don't want to, but unless you have evidence I'm gonna say you appear to be mistaken in your understanding of how it works.

Re:

These kind of "promises" by closed-source software security companies are rather worthless. If they want to, they'll have all your passwords, since they provide the software. Another question is whether they can be legally subpoenaed or forced by a national security letter to get your passwords by somehow modifying the way their software works. Probably not, but this may be a grey zone in the US.

But the real problem with closed-source software security solutions is that the company can do whatever they wan

Re:

[suutar]

yep, that's why I said you can believe it or not, as you choose.

Re:

[RandomSurfer314]

I'm saying that you shouldn't believe them, based on experience and a vast history of failures of private security companies. That's not "as you choose".

Re:

[Anubis IV]

These kind of "promises" by closed-source software security companies are rather worthless. If they want to, they'll have all your passwords

1) They're open source: https://github.com/LastPass/la... [github.com]

2) The only way they "have all your passwords" is as an encrypted blob. See #1 if you want to confirm it for yourself.

3) Your master password that could decrypt that blob never leaves your system [slashdot.org].

And then there's this discussion [ycombinator.com] about the quality of code in KeyPass, which seems to call into question some of what you said. While your ideas about open source probably work fine as generalizations, they should not be stated as absolutes, since they oftent

Re:

[account_deleted]

Comment removed based on user account deletion

Re: A Master Password....

[TuballoyThunder]

Unless you are making your own CPU, firmware, compilers, personally audit every line of code, etc, I guarantee you that you hit the "I believe" button somewhere along the way.

Going for absolute security is a great navel-gazing exercise. Pick the security boundary you are comfortable with and realize that you have no control outside the boundary. Hopefully you pick a boundary that fails gracefully.

I personally do not believe open source is any more secure than closed source in any practical sense.

Re:

[Rick Schumann]

Personally I'd rather not take any chances about who is and is not telling the truth about what they're doing and just keep my own passwords.

Re:A Master Password....

[EmeraldBot]

Oh look at that, a shill posting a boilerplate explanation from his company's own website.

Unless you have "evidence" to the contrary, I'm gonna say that your opinion is irrelevant because it isn't your own, your corporate pimps handed it down to you and you sucked it up like the good little whore you are.

This is where we thank the wonders of open-source, so you can freely read the code and see for yourself how it works. [github.com]

Not that I suspect, of course, that you ever have done that, ever wanted to do that, or ever will do that. At least I'm the honest whore.

Re:

[110010001000]

That is only one side of the code (that they are presumably using in their closed source client). Where is the rest?

Re:A Master Password....

[EmeraldBot]

That is only one side of the code (that they are presumably using in their closed source client). Where is the rest?

Ermm... This is pretty much a full blown client, which it says right on the giant README. On phones you have a point, but on the desktop you can use this and be guaranteed it's the same client. As for the rest, what does it matter? You see your password is being encrypted, and you can check it's not backdoored. If you trust modern encryption at all, then you know your secrets are safe because there's no way to crack your passwords unless your master password is literally "1234". If you don't trust encryption, well, I'm afraid you're a little out of luck for security then. :)

Re:A Master Password....

[kevmeister]

Calling anyone who disagrees, especially when they point out that you are wrong, a "shill" is just the same as any unsupported BS from a presidential candidate. Null content.

Several years ago I had the job of evaluating LastPass for $DAY_JOB. I tested it by capturing the data uploaded to the network and confirmed that it was AES encrypted using my password on my system and the data was all encrypted before leaving my system. the master password was never transmitted in any form that I could find. No traffic was generated to/from any other port or location.

While it is true that things might have changed since then, the server remains open source and you can confirm that it does not ever touch the master password in any form. More importantly, the system is heavily examined on a continuing basis by security researchers and, while vulnerabilities have been found, reported, and fixed, there has never been any question of the master password leaving the client.

With well over 100 unique, random, long passwords, some only used once or twice a year, I really lack other options than a password vault in a world where accounts might need to be accessed from a desktop, two laptops, and two phones running six OSes (2 VMs and one dual boot).

Re:

[suutar]

nope, I don't work for them or even use their product. I just read the website. (Though not completely - I did overlook the more applicable quote "Private Master Password: The user’s master password, and the keys used to encrypt and decrypt user data, are never sent to LastPass’ servers, and are never accessible by LastPass.")

Re:A Master Password....

[Anubis IV]

I don't use LastPass, but they make it abundantly clear [lastpass.com] that all encryption and decryption is local-only, done on-device, not in the cloud, so that they never have access to the information in your vault. From what I can gather, their cloud is little more than a sync engine between devices, rather than the place from which you access your data.

Re:

[boskone]

what were the results when you popped it in the debugger on the last update? Anything interesting? I'm trying to decide on a pass manager because i'm not going to let FB take over, and sites are idiotic with their various rules/etc.

could sites at least tell you what the password rules are ON THE LOGIN SCREEN so that I can determine which password I likely used?

Re:

[Chelloveck]

The nice thing about KeePass is that the database format is documented and the encryption can be done with gnupg. There are other clients available, or write your own. I use my own command-line Python script to read/write the DB on my computers and a third-party client on my phone, with Google Drive to keep them in sync.

Re:

[LiENUS]

Since LastPass is open source whats your complaint?
https://github.com/lastpass/la... [github.com]

Re:

[110010001000]

That is only half of the side of the conversation. Where is the other half?

Re:

[fph il quozientatore]

That's only the command-line client. Is the source for the browser extensions available?

Re:

[Anubis IV]

Before I answer that, answer this to yourself: if it's available, do you have any plans to review the code yourself or check to see if others have, or is this just a case where you'll feel safer knowing the code is available, even though you have no intention of verifying that the feeling has a basis in reality?

I feel compelled to ask that up front, because if you were actually concerned about whether your password manager's code was trustworthy or whatnot, you'd already know that browser extensions are jus

Re:

[unixisc]

Except that it is

Re:

[Anubis IV]

As long as LastPass' software is not open-source, you can only hope they are telling the truth. I can put keepass in a debugger and see what it does.

1) It is open source. The command-line underpinnings are available here on github [github.com], and you can easily look at the source for any extension by just navigating to it in your file system and opening the various files. Admittedly, the desktop GUI and cloud backend aren't available, but neither is necessary for verifying that the cloud never receives data it can decrypt, and neither is necessary to use the app.

2) Given that you said "I can put keepass in a debugger", rather than "I have put keepass in a debugger

Re:

[DRJlaw]

That's not the complete corresponding source code to everything in the executable.

If you were as awesome as your paranoia suggests than you wouldn't need source code in addition to the debugger, now would you?

Step through the program and capture the traffic like a real security researcher. If the obfuscated C contest hasn't already proven that the things that you haven't actually bothered to do with the keepass source code can't save you, nothing will.

Re:

[Anubis IV]

While it would be incredibly naive for me to share my info with you, an AC, given that I'd have no recourse against you if you abused it, the same is not true for established companies. If I share my credit card number with a retailer or reputable online company in exchange for goods and services, I have recourse against them if they abuse that number or fail to live up to their end of the contract. As such, it's perfectly reasonable for me to do so.

In this case, LastPass has said that their service include

Re:

[MightyYar]

Password Managers, by design, serve the function of reducing your security.

That's too simplistic. They can both increase your security and decrease other aspects at the same time. If they make it feasible to have different login credentials for every site, that will increase your security. Since they also create a single point of failure to your entire kingdom, that will decrease your security.

Here's my analysis - please point out any logical flaw: if I use the same credentials on many web sites, an attack on a single web site is just as damaging as someone installing a keylogger

Re:

[tepples]

Provided the device's operating system can even mount a flash drive in a manner that KeePass can see. PCs can, but a lot of "mobile" devices* cannot. The Android operating system on Nexus 7 devices, for example, can use many USB devices through an OTG cable but not a flash drive.

* Defined as devices running a smartphone-derived operating environment, namely stock Android and iOS.

Re:

[IRGlover]

I particularly like them because the comments then provide information about better, usually open source alternatives. So they are essentially paying to have their competitors promoted instead of their products.