How do you remember passwords? (https://www.flyertalk.com/forum/travel-technology/1752644-how-do-you-remember-passwords.html)

gfunkdave Mar 20, 2016 8:16 am

Originally Posted by chx1975 (Post 26358898)
Actually, https://masterpasswordapp.com/ is superior in many ways to Lastpass.

So superiorly secure, in fact, that Chrome couldn't even connect to its site. :)

Dodge DeBoulet Mar 20, 2016 9:24 am


Originally Posted by gfunkdave (Post 26358924)
So superiorly secure, in fact, that Chrome couldn't even connect to its site. :)

It's not just a Chrome problem :)

I guess it's fair to say that the app can't be cracked if you can't even install it :D

chx1975 Mar 20, 2016 9:38 am

Eh, it was up when I posted. It is a password generator app so once you install it you do not need any connection ... which is actually one of its advantages. For example, you can use it to generate a PIN code for your credit card from your master password.

Dodge DeBoulet Mar 20, 2016 11:17 am


Originally Posted by chx1975 (Post 26359188)
Eh, it was up when I posted. It is a password generator app so once you install it you do not need any connection ... which is actually one of its advantages. For example, you can use it to generate a PIN code for your credit card from your master password.

Well, the site's back up and I can see that it's a bit unique in that it doesn't actually store passwords, but generates them via an algorithm that uses your name, the site name, and your master password. What's unclear is how it manages multiple logins to the same site using different IDs, something that LastPass handles very well.

I'm not sure how much that actually improves security; it would seem that cracking/sleuthing the master password on whatever device it's installed would still provide the keys to all of the castles.

It also concerns me that they simply blow off 2FA, claiming that some number of organizations that implement it do so insecurely. Although that may be true in some rare instances, I have not seen it personally.

I very much like the fact that LastPass syncs my site URLs, IDs, passwords, notes, etc. across all my devices and also maintains a local cache for those occasional instances I'm off-line. I use a Windows PC, an Android phone and an Apple tablet and it works seamlessly across all three.

wco81 Mar 20, 2016 11:23 am

Speaking of 2FA, looks like eTrade is offering it now, in the form of an app. to generate pin codes or one of those fobs they will send you.

I'd like to use it but their iPhone app. supports TouchID so if I turn on 2FA, it kind of defeats the purpose of TouchID authentication.

There's no way to turn on 2FA for website access only.

Convenience or security?

LtKernelPanic Mar 20, 2016 11:35 am

I've been using 1Password for years. When I finally upgraded to the latest version I paid the extra $10 or so to get the Mac and Windows bundle. The ability to sync between OS X, Windows, iOS, and Android via Dropbox is quite handy.

chx1975 Mar 20, 2016 7:12 pm


Originally Posted by Dodge DeBoulet (Post 26359617)
Well, the site's back up and I can see that it's a bit unique in that it doesn't actually store passwords, but generates them via an algorithm that uses your name, the site name, and your master password. What's unclear is how it manages multiple logins to the same site using different IDs, something that LastPass handles very well.

I'm not sure how much that actually improves security; it would seem that cracking/sleuthing the master password on whatever device it's installed would still provide the keys to all of the castles.

You can't crack the master password because it's not stored. Anywhere. That's the point of the whole thing. As for multiple logins, the "What is it? How do I use it?" covers this: prefix the name with a user name and an @: [email protected], [email protected].

The problem with LastPass is that you trust someone with all your passwords. That's a problem.

gfunkdave Mar 20, 2016 7:50 pm


Originally Posted by chx1975 (Post 26361650)
You can't crack the master password because it's not stored. Anywhere. That's the point of the whole thing. As for multiple logins, the "What is it? How do I use it?" covers this: prefix the name with a user name and an @: [email protected], [email protected].

The problem with LastPass is that you trust someone with all your passwords. That's a problem.

The entire LastPass database is encrypted locally. Only the encrypted blob is uploaded to LP or downloaded from LP. They can't access it.

Calliopeflyer Mar 20, 2016 8:46 pm


Originally Posted by chx1975 (Post 26361650)
You can't crack the master password because it's not stored. Anywhere. That's the point of the whole thing.

Passwords that aren't stored can still be cracked. There are all sorts of computer programs intended to do just that.

onlysuites Mar 21, 2016 5:00 am


Originally Posted by Calliopeflyer (Post 26361938)
Passwords that aren't stored can still be cracked. There are all sorts of computer programs intended to do just that.

Not that it has anything to do with passwords but is it easy enough to crack a word password?

Dodge DeBoulet Mar 21, 2016 6:03 am


Originally Posted by chx1975 (Post 26361650)
You can't crack the master password because it's not stored. Anywhere. That's the point of the whole thing. As for multiple logins, the "What is it? How do I use it?" covers this: prefix the name with a user name and an @: [email protected], [email protected].

The problem with LastPass is that you trust someone with all your passwords. That's a problem.

As others have stated, cracking it has nothing to do with whether it's physically stored or not. Unless it's changed very regularly, it's static. And unless it has a suitable level of entropy, it's crackable.

2FA at least provides a mechanism where a non-static value is required for authentication.
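Added example, not part of any post in this thread and not the Master Password app's actual algorithm: a minimal stateless generator in Python illustrating the points argued above (passwords recomputed from name, site and master password; a `user@site` prefix separating multiple logins; and a weak master password being guessable even though nothing is stored). The scrypt parameters, the HMAC-SHA256 step, the alphabet, and all names and sites are assumptions constructed for illustration.

```python
import hashlib
import hmac
import string

# 64 symbols, so each digest byte maps onto the alphabet without modulo bias.
ALPHABET = string.ascii_letters + string.digits + "-_"


def master_key(full_name, master_password):
    """Stretch the master password with scrypt; the user's name is the salt."""
    return hashlib.scrypt(master_password.encode(), salt=full_name.encode(),
                          n=2**14, r=8, p=1, dklen=32)


def site_password(key, site, length=16):
    """Recompute a site's password on demand; no vault is read or written."""
    digest = hmac.new(key, site.encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % 64] for b in digest[:length])


def find_master(full_name, site, known_password, candidates):
    """Return the candidate that reproduces known_password, else None.

    Only the name, the site and one generated password are needed, so
    "not stored" does not by itself mean "not guessable": the protection
    is the master password's entropy and the cost of each scrypt call.
    """
    for guess in candidates:
        derived = site_password(master_key(full_name, guess), site)
        if hmac.compare_digest(derived, known_password):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample values.
    key = master_key("Pat Example", "sunshine1")
    alice = site_password(key, "alice@example.com")
    bob = site_password(key, "bob@example.com")
    print(alice, bob)  # two different logins on the same site
    print(find_master("Pat Example", "alice@example.com", alice,
                      ["password", "letmein", "sunshine1"]))
```

A long random master password never appears in a candidate list, so the same check returns `None`; the per-guess scrypt cost only slows the search, it does not replace entropy.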

Dodge DeBoulet Mar 21, 2016 6:11 am


Originally Posted by onlysuites (Post 26363099)
Not that it has anything to do with passwords but is it easy enough to crack a word password?

If you're referring to MS Word, it's just as difficult to crack as any other application that uses a static, single token for encryption and authentication. Make the password as long and random as you can stand and it's unlikely that someone will be able to crack it through conventional means. See this post earlier in this thread for caveats.

onlysuites Mar 21, 2016 11:38 am


Originally Posted by Dodge DeBoulet (Post 26363304)
If you're referring to MS Word, it's just as difficult to crack as any other application that uses a static, single token for encryption and authentication. Make the password as long and random as you can stand and it's unlikely that someone will be able to crack it through conventional means. See this post earlier in this thread for caveats.

^

Finkface Mar 22, 2016 2:50 pm

I've learned a lot from this thread and downloaded both 1Password and LastPass. I like LastPass and would upgrade to get it across all my devices but I do have one question.

If I use their crazy generated passwords (or even different, complex ones of my own) how do I log in when I'm not on my own device/computer? It seems you have to use either the LastPass app or browser extension but I wouldn't have access to either on a random device or computer. Like if I'm with a friend and I want to use their iPad or phone to show them something, or check a credit card or something, how do I log in to any of my accounts? I definitely won't remember all the passwords. Is there an obvious answer here that I am missing or does it come back to carrying around a piece of paper (and I'd never really know which one I might need) or keeping a master file somewhere in the cloud and having to log into that, get my list of passwords, log out, then go to the site I want. Keeping a master file somewhere kind of defeats the whole purpose of using LastPass, doesn't it? And I don't carry around my iPad or even my phone all the time.

gfunkdave Mar 22, 2016 2:51 pm


Originally Posted by Finkface (Post 26371557)
I've learned a lot from this thread and downloaded both 1Password and LastPass. I like LastPass and would upgrade to get it across all my devices but I do have one question.

If I use their crazy generated passwords (or even different, complex ones of my own) how do I log in when I'm not on my own device/computer? It seems you have to use either the LastPass app or browser extension but I wouldn't have access to either on a random device or computer. Like if I'm with a friend and I want to use their iPad or phone to show them something, how do I log to any of my accounts? Is there an obvious answer here that I am missing or does it come back to carrying around a piece of paper (and I'd never really know which one I might need) or keeping a master file somewhere in the cloud and having to log into that, get my list of passwords, log out, then go to the site I want. Keeping a master file somewhere kind of defeats the whole purpose of using LastPass, doesn't it? And I don't carry around my iPad or even my phone all the time.

If you don't have your computer, iPad, or phone with you (when do you not have your phone with you?), then you could use your friend's computer to visit lastpass.com and access your passwords vault. This would be difficult if you enabled two factor auth and didn't have your phone with you, or didn't have your list of backup 2FA codes with you.

