Can't decide on a password manager (KeePass vs 1Password)

Status
Not open for further replies.

MW99

Estimable
Oct 29, 2015
3
0
4,510
I heard about password managers a while back and have been thinking about getting one. I did some research on the programs out there and narrowed my options down to these four: 1Password, KeePass, Dashlane, and LastPass.

I do NOT want my database file (even if it is encrypted) being stored in the cloud, so I crossed out LastPass. It needs to have a mobile iOS application as well. 1Password, KeePass, and Dashlane all have a mobile app, but Dashlane sends the file to the app via their web servers, so I crossed out Dashlane.

Now I'm left with 1Password and KeePass. 1Password can be set to store everything locally, has a great mobile app and good browser integration. However, KeePass seems more secure being as it's open source and there is a portable version which can be put onto an encrypted thumb drive.

The only things really keeping me from using KeePass are the lack of an official mobile app and good browser integration. There is MiniKeePass on the iOS App Store, but I'm not sure if I trust it not to make off with my data. Also, syncing between my PC and the app would be a pain. (1Password has local WiFi sync) There is also KeeFox for Firefox integration, but I'm not sure if I trust that either.
In short, I trust KeePass itself, but I'm not sure if I can trust the third-party developers of the mobile app and browser extension.

I'd love to use 1Password, but I'm just not sure how secure it really is. I'm also concerned that they might shut down one day, or a disgruntled employee might decide to insert something malicious into the software, etc. I may just be being paranoid here, but I don't want to take any chances.


So, I'm trying to decide between 1Password and KeePass and can't make up my mind. Should I go with KeePass with its open-sourceness and ability to use it on a thumb drive? Or should I go with 1Password and enjoy a better, official mobile app and browser extension?

Security and long-term use are my main concerns. What do you guys suggest?
 

MW99

Estimable
Oct 29, 2015
3
0
4,510
I'm leaning towards KeePass, but I'm still not sure if I can trust third-party extensions such as MiniKeePass, KeeFox, KeeWeb, etc.
Anyone?
 

Wups

Honorable
Oct 14, 2013
13
0
10,560
Hi MW99,

1Password was found to be storing your passwords in plain text and also had a security breach, resulting in passwords being leaked.

"So what’s the problem? Well, it turns out that your metadata isn’t encrypted. I discovered this after having a sync issue with Dropbox (I use Dropbox to host my keychain). The file that had issues was 1Password.agilekeychain/data/default/contents.js. Being a curious kind of guy I opened the file to see what was in there. The answer is the name and address of every item that I have in 1Password. Every single one. In plain text."

If anything, I would write them in a notepad and use Dropbox to secure my passwords.

Regards,
Wups.
 

Jeff Mongillo

Estimable
Mar 15, 2014
19
0
4,570
I tried KeePass and had an issue with the file corrupting itself and losing nearly 200 passwords on me. I did find an alternative that works really well and I have been using now for about a year (The KeePass issue happened Summer of 2014).
Check out Dashlane. It also has mobile versions that you can use on iOS and Androids as well. They offer a free version as well as one that has a cloud storage option for keeping back-ups. Check it out at www.dashlane.com. They also build and operate digital wallet services and other secure transaction software solutions.
 

Wups

Honorable
Oct 14, 2013
13
0
10,560


I really wouldn't use KeePass at the minute.

A researcher has released a free tool that can steal your passwords.
Read here: https://thehackernews.com/2015/11/password-manager-hacked.html

Can all be done within seconds.
 

Edmond2020

Estimable
Nov 6, 2015
3
0
4,510
For those of you who don’t know, 1PasswordAnywhere is a feature of 1Password which allows you to access your data without needing their client software.

Myers, a software engineer at Microsoft, has examined his 1PasswordAnywhere's .agilekeychain file recently and found that its metadata isn't encrypted. That means the sites you use with the password aggregator and even their precise login locations are stored in plain text. 1PasswordAnywhere is the program's feature that gives you a way to access your saved passwords without having to install the software itself.
 

SpoilerDM

Estimable
Nov 24, 2015
1
0
4,510


FWIW, this only works against KeePass 2.0, a fact that was omitted from the article but evident from the source code on GitHub. For the moment, at least, the old clunky KeePass 1.1 remains "secure."

Which is fine with me since KeePassDroid support for 2.0 database files is still experimental, and I've been consequently sticking with 1.1.
 

VADemon

Estimable
Jul 6, 2014
1
0
4,510
MW99, you worry about your encrypted database syncing via cloud, but at the same time you are taking a proprietary software (1Password) into consideration. Sorry, but this sounds ridiculous.
If you are concerned about privacy and looking for a bullet-proof solution then the only way to go is open-source software. For example, there was another incident with a proprietary file "encrypter" for Android/iOS which used the simplest possible "encryption" on earth: XORing of data, which is so easy to crack that a monkey could do it. Would not happen to open-source software.

If you're worried about the mobile app not being as reliable (backdoors etc.) as the desktop app: compile it yourself from sources. https://github.com/MiniKeePass/MiniKeePass You can also compile the desktop version yourself. Honestly, I doubt most people, including you and me, will bother.

As you can see I'm recommending KeePass. Regarding the guy from above who has lost his database: who told you that you shouldn't make a backup of that as well? What if a cryptolocker hit you? Exactly, it would be still a problem, though not caused by KeePass directly.

KeePass password stealer from the link above: That's the reason KeePass automatically locks your database when you haven't used it for xx minutes. It's not a 100% safe counter-measure, but I hope you get the idea. Actually your Antivirus software must take care of those things.

As for the syncing: I think BitTorrent Sync should do it. It's p2p, meaning there are no servers in between. Maybe there are even open alternatives already.

TL;DR: KeePass <-> BitTorrent Sync for database transfer <-> MiniKeePass
And most important: No proprietary encryption software can be fully trusted
 

wahoowad

Estimable
Jan 10, 2016
2
0
4,510
I use Keepass. The file is encrypted locally and I sync with Dropbox across numerous PCs and iOS devices (iKeepass). I trust the Keepass 256 AES encryption more than I trust Dropbox, so Dropbox can and will get hacked but I feel OK with my file.

Dropbox has versioning so any concerns over a corrupted file are minimized (I've never had a corrupt file after 3+ years). And of course my Dropbox data is also captured (and encrypted yet again) by my daily PC backup.

I am comfortable with Keepass but out of boredom will be reading up on 1Password today and trying it out. I like the biometric integration as my new iPad supports that.

I realize this is an old thread, but what did you end up going with and how do you like it?
 

Frikster

Estimable
Jan 30, 2016
5
0
4,510


Heh, I've been lurking this thread for the last few weeks. I also had it narrowed down to keepass vs 1password. You've convinced me to go the keepass route ;)

 

wahoowad

Estimable
Jan 10, 2016
2
0
4,510
1Password seems pretty nice after I tried it for a few accounts. But nothing compelling enough to cause me to switch over. I think they charge for mobile too, not sure? Regardless it isn't better so not switching.
 