LessPass - Next-gen open source password manager

genius. love the simplicity.
thank you :)
Safari? and iOS?
We plan to make a native mobile app on iOS and Android. For Safari, you can use
how to use for safari?
open with safari directly.
Yes, I have opened in Safari. But there are no extensions to my browser
The web extension is for Chrome or Firefox. See my first answer: Safari: and iOS (we are making the mobile app)
How does this compare with KeePass?
KeePass generates random passwords and saves them in an encrypted vault, so you need a way to sync your vault between all your devices. LessPass recreates a unique password for every site based on unique information you know, so you don't need to sync your passwords. Learn more on
I still think passwords shouldn't be handled in any browser context (apart from input, naturally).
Surely this means that it's easier to find the way it encrypts passwords? (sorry, noob with this stuff)
If by easier you mean easier to find out how it works, sure: explanations are on and the code is open source.
Okay, thank you for clearing that up! :)
Actually, this makes sense but I guess it requires an extra layer of security before generating the password in untrusted browsers. What do you think about adding two-step verification before generating the password? Would it make the system safer?
Untrusted browsers? What do you mean?
I mean new devices on which the user is trying to regenerate his/her password, so in case an attacker grabs the user's credentials, he/she will still need to verify before regenerating the same password.
In the case of public computers, I would assume that the machine is compromised. I certainly wouldn't do any banking on such a machine. If I need a password for a service, I will use my phone to create my password, and visually copy it on the compromised computer. But personally I don't use services on public computers and never log in. And I recommend doing the same. Hope it answers your question.
Actually, made it more clear before I did. Thank you for your answer.
How timely. I'm still using KeyPass since most of my stuff is stored on there but this looks like a great time to switch. Looks simple and beautiful!
Did I get it right: you take one master password, and use that as seed to generate pseudo-random passwords for all the other sites? The idea is brilliant and deceptively simple, however, have you done formal security analysis on this approach? It seems insecure to me. Consider this: if somebody were able to steal your master password, they'd be able to generate the passwords and gain access to all your other LessPass-managed sites.
You're right, we need a security audit. And if somebody finds your master password, yes, you're probably not good. We are making an app to encourage people to "regularly" change their master password and increase the security of the tools. There is more on GitHub if you're interested. Thank you.
Ah, but then it would be self-defeating, no? Since if you change your master password, you'd be forced to change your password for all registered sites as well since they would have to be generated from a new seed. I guess that's the tradeoff -- convenience for security. This flaw notwithstanding, I still love how simple LessPass is and kudos to you guys for all your work.
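Added example, not part of the thread and not LessPass's own code: a sketch of the stateless scheme the comments above describe, where each site password is re-derived from the master password plus site and login. It shows the tradeoff raised here (a new master password changes every site password) next to a per-site counter that rotates a single one; the function names, alphabet, salt layout, counter and PBKDF2 cost are all assumptions of this sketch.

```python
import hashlib

# Output alphabet, salt layout and PBKDF2 cost are assumptions of this sketch,
# not LessPass's actual parameters.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789" "!#$%&*+-=?@_")
ITERATIONS = 100_000


def derive_password(master, site, login, counter=1, length=16):
    """Recreate a site password from what the user knows; nothing is stored."""
    if not 1 <= length <= 32:
        raise ValueError("length must be between 1 and 32")
    # NUL separators keep ("ab", "c") and ("a", "bc") from sharing a salt.
    salt = "\x00".join((site, login, str(counter))).encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              ITERATIONS, dklen=32)
    # Read the 256-bit key as one integer and peel off base-N digits, so the
    # modulo bias stays negligible for lengths up to 32.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def changed_sites(accounts, old_master, new_master, bumped=()):
    """Sites whose password changes after a master change or a counter bump."""
    changed = []
    for site, login in accounts:
        before = derive_password(old_master, site, login, counter=1)
        after = derive_password(new_master, site, login,
                                counter=2 if site in bumped else 1)
        if before != after:
            changed.append(site)
    return changed


if __name__ == "__main__":
    # Constructed sample accounts and master passwords.
    accounts = [("example.com", "alice"), ("mail.example", "alice"),
                ("bank.example", "alice01")]
    # New master password: every site password has to be changed.
    print(changed_sites(accounts, "old master", "new master"))
    # Same master, one counter bumped: only that site rotates.
    print(changed_sites(accounts, "old master", "old master",
                        bumped={"bank.example"}))
```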
This is very nice - looking forward to the android app.
Wow, great job with the clean and simple approach, looking forward to using this.