In a recent blog post about how to protect your online privacy, I got quite a bit of feedback about a free desktop app called LastPass that promises to work seamlessly with any browser, and for a 12 dollar per year fee you can even set it up on your smartphones. Having to install unofficial ports of KeePass on my smartphone and tablet is something I have always disliked about KeePass. So I decided to take LastPass for a spin and give you an honest comparison of the two password managers.
KeePass vs. LastPass – Let the fight for your internet security begin
Comparing KeePass and LastPass is like comparing apples with apple juice. One is pure but has an annoying skin that gets stuck between your teeth; the other is sweet and delicious but has a lot of added sugar. The analogy is terrible but true. Both of them are free, both will store and enter your passwords on websites, and both can optionally work with some desktop applications with the use of add-ons or a second application.
KeePass is exceptional in its functionality, but getting anything more than a basic password manager out of it requires an hour of setup for a technically inclined user. For the less technically gifted it may require hours of trial and error to get up and running. LastPass, on the other hand, sets up in minutes and then integrates with your favorite browser in seconds. All it requires is for you to approve access to your browser. So if you’re not very technical, then you really should consider going with LastPass.
With KeePass, your passwords are stored in a local database only. You will need to back it up manually, or you can install plugins that will sync the encrypted database to your favorite cloud and backup server. You can enable dual-factor authentication, use Windows certificates, RSA certificates, and token based authentication via OATH HOTP (iPhone) and TOTP (Google) one-time passwords. You can even install plugins that automatically enter passwords for PuTTY, Remote Desktop, SmartFTP and Ubuntu Desktop. Each of these plugins requires extra setup. I can tell you from personal experience that some of these plugins do not come with very good documentation. KeePass is open source, and we here at LiquidVPN like open source software. The obvious drawback is that documentation is usually hard to find.
When you are using the KeePass client you are presented with a traditional desktop application. Your passwords are held in a familiar file structure. You have complete control over the strength of generated passwords, notifications, and custom fields to store any other type of data you can possibly imagine. KeePass has more features than 99% of its users will ever use, myself included.
LastPass is freemium, proprietary software, which means no one can actually look at the source code. That could be a strike against the software for some people. The advantage is that there is much better documentation and the software remains consistent. When you click on My LastPass Vault it brings you to a web interface. All of your passwords, credit card data, bank account information and your spouse’s SSN are stored in the cloud. LastPass says they can never see your data because it is encrypted with 256-bit AES locally, before it is sent to the cloud. I happen to believe that they believe their claim, but I am not an uber-paranoid person to begin with. The thing I really like about LastPass is that you can have it synced on all your desktop devices fairly easily. With KeePass, you will first need to sync to a cloud to do this. Another neat feature is Offline Access, which basically allows you to access your passwords without internet connectivity. With KeePass this is never a problem, but because LastPass lives in the cloud it’s nice to know you can still retrieve your data while offline.
As stated above, the LastPass desktop shortcut actually brings you to a web page to manage all of your settings. There are far fewer settings here. It is a very streamlined piece of software when compared to KeePass, but it still has a lot of the great features KeePass has. The major drawback is that you have to pay $12.00 per year to get the Professional version. The Professional version allows multifactor authentication and installation on mobile devices. Another possible drawback is the fact that the desktop control panel brings you to a website and performs its spooky action at a distance, aka in the cloud. You really have to ask yourself: are you ready to keep all of your sensitive data in the cloud using proprietary software that has never been vetted by the security community?

Hackers have targeted LastPass’s 256-bit AES encryption before, but LastPass quickly disclosed all their information and overreacted to the threat. This speaks well for LastPass. Getting hacked is the risk you take when using any cloud based service. Don’t go all anti-cloud just yet. It’s not the cloud’s fault; it’s the executives’ fault. For example, Neiman Marcus’s executive VP Michael Kingston actually told Congress that its anti-virus software was virtually useless. It didn’t detect when its credit card systems were being hacked. As a result, the company did not learn of the intrusion until the beginning of January, even though the attacks occurred between July and October. With executives relying on their antivirus solution to provide network security, you can be sure that hackers will continue to target the same honey holes they are currently targeting. You can read more about that executive and the Target hack here if you like. Overall, LastPass has stood the test of time and has a good track record of being upfront about their data policies.
So is LastPass as safe as KeePass if both are set up properly? No, it’s not even close; KeePass is the winner, hands down. That does not mean LastPass does not have a stellar product, or that it is not a completely viable solution for your password and data management. I would highly recommend going Pro for 2-factor authentication to further secure your master password and for its support on smartphones and laptops. I purchased LastPass and set it up for my mom. I have also recommended it to some friends who do not have the technical knowledge to implement KeePass effectively. If you are ready to finally secure your passwords, and the thought of entering API codes and changing some settings in XML files is new jargon to you, then LastPass Pro with 2-factor authentication is the tool for you. Otherwise, go with KeePass.