
Quick question for all you security experts:

Which is more secure: LastPass with 2-factor, or a gpg-encrypted password safe on my home server accessed by a passphrase-locked RSA-encrypted key?

I've been trying to decide for the past few weeks. Copying and pasting passwords isn't as annoying as I thought it would be, and it seems like keeping my pwsafe locally reduces the attack vector of the LastPass servers.

Then again, it's in LastPass's absolute interest that my info never gets leaked, and they've built up a good reputation. Further, at a public terminal my usb drive would need to be connected while I unlock the key, thus possibly exposing my unencrypted key.

Any ideas?



LastPass is only one persistent XSS flaw away from having your password store completely compromised. I found a non-persistent one last year which exposed a lot of information about you, but not your password:

https://grepular.com/LastPass_Vulnerability_Exposes_Account_...

Specifically it exposed your email address, your password reminder, the list of sites you log into and the history of your logins, including which sites you logged into, the time and dates you logged into them, and the IP addresses you logged in from.

EDIT: I used to use LastPass but now I use a GPG encrypted file, which I sync between machines. I set up a simple helper script so I can just type for example "password facebook" at a terminal and it will do a gpg --decrypt on the text file, grab the facebook password, display it, and also copy it into my clipboard for ten seconds.
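The helper the commenter describes, written out as an added example (this is not the commenter's script, which was never posted). It assumes a hypothetical store layout: the GPG-encrypted file at $PW_STORE decrypts to one entry per line, "site username password", with '#' comment lines allowed. The site lookup is an exact match on the first field rather than a grep, so a short query can never silently resolve to a different entry, and the clipboard is overwritten after the timeout in a background job:

```shell
#!/bin/sh
# Added example, not the commenter's own script: a "password <site>" helper of
# the kind described above. Assumed (hypothetical) layout: the GPG-encrypted
# store at $PW_STORE decrypts to one entry per line, "<site> <username> <password>",
# and lines starting with '#' are comments.

PW_STORE="${PW_STORE:-$HOME/.passwords.gpg}"
CLEAR_AFTER="${CLEAR_AFTER:-10}"      # seconds the secret stays in the clipboard

# lookup_password SITE  (decrypted store on stdin)
# Prints the password of the first entry whose site field equals SITE exactly
# (no substring match, so "book" never resolves to "facebook"). Exits 1 when
# nothing matches, so the caller never reports success with an empty clipboard.
lookup_password() {
    awk -v site="$1" '
        /^#/ || NF < 3 { next }
        $1 == site     { print $3; found = 1; exit }
        END            { if (found) exit 0; exit 1 }
    '
}

# clipboard_cmd prints a usable clipboard-writer command line, or fails.
clipboard_cmd() {
    for c in pbcopy wl-copy xclip xsel; do
        command -v "$c" >/dev/null 2>&1 || continue
        case "$c" in
            xclip) echo "xclip -selection clipboard" ;;
            xsel)  echo "xsel --clipboard --input" ;;
            *)     echo "$c" ;;
        esac
        return 0
    done
    return 1
}

# copy_with_timeout SECRET: put SECRET on the clipboard and, in a background
# job, overwrite it with an empty string after $CLEAR_AFTER seconds.
copy_with_timeout() {
    cmd=$(clipboard_cmd) || { echo "no clipboard tool found" >&2; return 1; }
    printf '%s' "$1" | $cmd
    ( sleep "$CLEAR_AFTER"; printf '' | $cmd ) >/dev/null 2>&1 &
}

main() {
    [ $# -eq 1 ] || { echo "usage: password <site>" >&2; return 2; }
    # gpg prompts for the key passphrase itself; the decrypted store only ever
    # exists in the pipe, never as a file on disk.
    pw=$(gpg --quiet --decrypt "$PW_STORE" | lookup_password "$1") || {
        echo "no entry for '$1' (or decryption failed)" >&2; return 1; }
    printf '%s\n' "$pw"
    copy_with_timeout "$pw" && echo "(copied; clipboard clears in ${CLEAR_AFTER}s)" >&2
}

# Only run when given an argument, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Save it as "password" somewhere on $PATH and run "password facebook". The clearing job is fire-and-forget, so a second lookup inside the ten seconds is cleared by whichever timer fires first; that is the intended failure direction, since it can only shorten the window.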


Thanks for the detailed info!

Combined with two-factor ssh auth[0] for using a public connection, looks like my gpg file is the perfect solution.

[0] http://news.ycombinator.com/item?id=3029680


At the absolute best, I'd say using an app like Pocket (on Android) on a non-network connected device is probably the safest setup. Granted you'd have to type the passwords in manually, but nothing beats air-gap security, and you'd need to remember just one password.

Also, if you lose your device, you're screwed, unless you've Dropbox-synced it of course. In which case, you lose the air-gap.



