@kevinohlsson KeePass generates random passwords and saves them in an encrypted vault. So you need a way to sync your vault between all your devices. LessPass recreates a unique password for every site based on unique information you know. So you don't need to sync your passwords. Learn more on https://blog.lesspass.com
How timely. I'm still using KeePass since most of my stuff is stored on there but this looks like a great time to switch. Looks simple and beautiful! @guillaume20100
@bgiesing39 Yes, except that you cannot save a password in our database. So you cannot save your credit card number, for example. And more importantly, LessPass is open source. LastPass is not.
Actually, this makes sense but I guess it requires an extra layer of security before generating the password in untrusted browsers. What do you think about adding two-step verification before generating the password? Would it make the system safer?
@guillaume20100 I mean new devices on which the user is trying to regenerate his/her password, so in case an attacker grabs the user's credentials, he/she will still need to verify before regenerating the same password.
@sekodev In the case of public computers, I would assume that the machine is compromised. I certainly wouldn't do any banking on such a machine. If I need a password for a service, I will use my phone to create my password, and visually copy it on the compromised computer. But personally I don't use services on public computers and never log in. And I recommend doing so. Hope it answers your question.
Did I get it right: you take one master password, and use that as seed to generate pseudo-random passwords for all the other sites? The idea is brilliant and deceptively simple, however, have you done formal security analysis on this approach? It seems insecure to me. Consider this: if somebody were able to steal your master password, they'd be able to generate the passwords and gain access to all your other LessPass-managed sites.
@kixpanganiban you're right, we need some security audit https://github.com/lesspass/less.... And if somebody finds your master password, yes, you're probably not good. We are making an app to encourage people to "regularly" change their master password and increase the security of the tools. There is more on GitHub if you're interested. Thank you
@guillaume20100 Ah, but then it would be self-defeating, no? Since if you change your master password, you'd be forced to change your password for all registered sites as well since they would have to be generated from a new seed. I guess that's the tradeoff -- convenience for security. This flaw notwithstanding, I still love how simple LessPass is and kudos to you guys for all your work.
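The trade-off discussed in this thread (one master password seeding every site password, so nothing to sync, but a master change rotates everything), as an added example that is not part of the thread and is not LessPass's actual algorithm. It is a simplified derivation with PBKDF2-HMAC-SHA256; the salt layout, character set, iteration count, function names and sample accounts are assumptions made for illustration.

```python
import hashlib
import string

# Assumed output alphabet for this illustration.
CHARSET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def derive_password(master, site, login, counter=1, length=16, iterations=100_000):
    """Recompute a site password from things the user knows; nothing is stored."""
    # Site, login and counter act as the salt, so each account gets its own key.
    salt = f"{site}\x00{login}\x00{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    # Render the 256-bit key as `length` characters of CHARSET.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(CHARSET))
        chars.append(CHARSET[idx])
    return "".join(chars)


def changed_after_master_rotation(old_master, new_master, accounts):
    """Return the accounts whose derived password differs after a master change."""
    return [
        (site, login)
        for site, login in accounts
        if derive_password(old_master, site, login)
        != derive_password(new_master, site, login)
    ]


# Constructed sample data, not real accounts.
ACCOUNTS = [("example.com", "alice"), ("mail.example.org", "alice@example.org")]

if __name__ == "__main__":
    master = "correct horse battery staple"
    for site, login in ACCOUNTS:
        print(site, derive_password(master, site, login))
    # Bumping the counter rotates one site without touching the master password.
    print("rotated:", derive_password(master, "example.com", "alice", counter=2))
    # Changing the master password invalidates every derived password at once.
    print(changed_after_master_rotation(master, "a new master password", ACCOUNTS))
```

Anyone holding the master password can run the same derivation for every account, which is why the iteration count and the strength of the master password are the only barriers in a scheme like this.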