
I've had it on my various systems (Windows, Linux, Android) on the sidelines for a couple of months, and after initial fiddling, still haven't actually started using it.

This is mostly because I don't want to have to deal with copy-pasting my password between the KeePass app and the browser (where most of my passwords are needed). Luckily, there are autofill plugins that exist for Chrome [1], Firefox [2], and Android [3].

However:

- said plugins work with KeePass2 which on Linux the GUI theme to the point of being almost unusable (as a C# app using WinForms, it doesn't respect GTK/Qt theming well).

- getting the KeePass2 plugin needed for the browser plugins requires jumping through hoops on Linux and I haven't gotten it to work (yet?).

- I'm sharing my KeePass database on Dropbox (with its own security considerations...) to synchronise between the different systems and...

- The Android app just won't open the shared database.

So it feels like I'm 60% of the way there, but I still don't have a usable system. Hints appreciated.

[1] https://chrome.google.com/webstore/detail/chromeipass/ompiai...

[2] https://addons.mozilla.org/EN-us/firefox/addon/passifox/

[3] https://play.google.com/store/apps/details?id=com.hanhuy.and...




KeePass proper has a global Ctrl+Alt+A shortcut that automatically types your username and password into the form: I've found it works fine on the majority of sites (almost everyone uses username-tab-password-enter, but for the few that don't, you can specify a custom auto-type format in KeePass. It even has an option to obfuscate the typing to trick keyloggers).

For Android, I recommend Keepass2Android: it comes with a custom keyboard you can enable temporarily, which inputs your password without going through the Android clipboard. I use it with the Dropbox app as well; I'm not sure why it's not working for you.


KeePassDroid is another good one for Android. It does use the clipboard though by giving you two notifications to click on. One for the username, and one for the password of the chosen credentials.

I need to give KeePass2Android a try.


I would try KeePassDroid [1]. I used a similar setup in the past and didn't have issues opening.

Personally, I don't like the idea of browser plugins and I'm perfectly happy using copy and paste.

[1] https://play.google.com/store/apps/details?id=com.android.ke...


For personal use, I've been using LastPass for a few years but have been slowly migrating away from it in recent months. I'm switching to KeePassX which I already use for $work-related data. (I have intentionally avoided the Mono-based applications.)

KeePassX has similar "auto-fill" functionality as well. It's not as perfect or as seamless as LastPass but it is definitely usable (after a bit of one-time per-site tweaking in some cases). Having recently decided that using LastPass presents a non-zero risk, the extra effort I have to spend w/ KeePassX is certainly worth it, IMO.

Although I don't do it now, I have in the past kept my password databases in Dropbox. With Dropbox also installed on my iPhone, I am able to access my password databases using "MiniKeePass" on iOS without any issues.

In addition, there are Windows, Linux, and OS X versions of KeePassX and all of them can open up my .kdb files without any issues.


As others have said, why migrate away from LastPass? They definitely seem to be doing things properly in terms of security and I've been very happy with the security, as well as the ease of use when I set it up on a new machine.


The problem with in-browser password management is that the attacker does not need to escape the browser. Code injection (via XSS or a browser exploit) into a running extension is likely easier than defeating the seccomp-IPC implementation or the AppArmor/SELinux profiles which protect the system. Addons like LastPass are mainly concerned with remote server weaknesses, but nothing will protect the browser from itself.

Another opinion: It's weird loading a browser+environment for non-browser passwords (SSH, HTTP/WebDAV, etc), and it's equally weird managing the passwords separately.


I have the LastPass plugin installed in Firefox, which I use 95% of the time. I also have the mobile app installed on my iPhone.

Why the switch? Recent revelations WRT NSA & the iPhone, recent reports of other plugin developers selling their plugins to shady actors, and my general belief that the most sensitive credentials I have are safer on machines under my control instead of "in the cloud".

I work for an ISP and also manage systems and networks for schools, government organizations, health care facilities, investment firms, law offices, you name it. If someone were to gain access to all of my stored credentials, they could do a LOT of damage -- to myself as well as many, many others.

While I have no reason to believe that there's anything wrong with LastPass (from a security point of view), I am certain that the level of risk is lower with, i.e., KeePassX.


> I've been using LastPass for a few years but have been slowly migrating away from it in recent months.

LastPass user here, wondering why?


Same here, why?


(copy/pasted from a sibling reply)

I have the LastPass plugin installed in Firefox, which I use 95% of the time. I also have the mobile app installed on my iPhone.

Why the switch? Recent revelations WRT NSA & the iPhone, recent reports of other plugin developers selling their plugins to shady actors, and my general belief that the most sensitive credentials I have are safer on machines under my control instead of "in the cloud".

I work for an ISP and also manage systems and networks for schools, government organizations, health care facilities, investment firms, law offices, you name it. If someone were to gain access to all of my stored credentials, they could do a LOT of damage -- to myself as well as many, many others.

While I have no reason to believe that there's anything wrong with LastPass (from a security point of view), I am certain that the level of risk is lower with, i.e., KeePassX.


This is probably a good reason ppl stopped using it: http://www.tobtu.com/lastpass.php

Plus I wouldn't trust any browser plugin with passwords.


I looked into LastPass last week. It looked great on desktops, but on Android it's basically a separate browser. That's a no-go for me; I'd rather stick with Chrome.



