Guillaume Vincent edited this page Dec 29, 2022 · 34 revisions

How does LessPass compare with other solutions?

| Cloud-based password managers | LessPass |
| --- | --- |
| All accounts/passwords are stored on a 3rd party, often closed-source server | No passwords are ever stored anywhere |

| KeePass | LessPass |
| --- | --- |
| Store accounts/passwords in a database encrypted with your master password | Compute a unique password for every account based on your master password; your generated password is never saved |
| Need to sync databases and changes between devices | Only need to know master password, and any non-default generation settings |
| Database can be stolen and brute-forced offline, passwords are not individually encrypted so whole database is vulnerable | Would have to brute-force websites to guess master passwords, most sites log and mitigate this (reCAPTCHA, blocking multiple attempts, etc) |
| Most KeePass clients are very large, and there are many forks | A web app, a Firefox and Chrome extension, as well as a CLI tool; compact and fast |

What does the counter do?

The counter changes the generated password without changing your master password. For example, if your generated password is compromised, you can easily generate a new one by incrementing the counter without needing to change any other information.

Does LessPass use a hosted database?

By default, LessPass runs offline without any database. It is designed so that complex, high-entropy passwords can be generated from few inputs, so you can have a safe, hard-to-guess password without having to remember it.

But we all know sites with stupid password rules. For example, some banks only allow numbers. I don't want to remember those options (e.g. no letters, no symbols, length of 8, etc).

So we created LessPass Database to help users keep track of complex password profiles.

What information is saved in LessPass Database?

We save your email and account password. Do not use your master password as your Database password. To prevent users from making this mistake, we added a new feature on the login form:

Image of LessPass login form with "Encrypt my master password" link

This will replace your Database password with a LessPass-generated password that uses the default password profile.

We also save your password profiles when you click the save button. A password profile looks like this:

{
    "id": "01af05117-429f-953e-zz2f-1a1125471d179",
    "login": "contact@lesspass.com",
    "site": "example.org",
    "lowercase": false,
    "uppercase": false,
    "symbols": false,
    "numbers": true,
    "counter": 1,
    "length": 8,
    "version": 2,
    "created": "2016-11-10T10:57:25.147095Z",
    "modified": "2017-02-08T12:42:34.880316Z"
}

Even when passwords are encrypted in a database, we still see accounts and their passwords compromised. Your master password and account passwords are never saved, so even in the event of a data breach, your accounts will remain protected. The only information an attacker would have is some of the metadata used to generate your password; without your master password, this information is not very useful, and your password will likely still be difficult to guess.
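The counter and the saved password profile described above can be illustrated with a short sketch. This is an added example, not LessPass's own code or its exact algorithm; the PBKDF2 parameters, the salt layout and the names `derive_password`, `rotate` and `output_bits` are assumptions.

```python
import hashlib
import math
import string

# Character classes keyed by the profile's boolean fields.
CHARSETS = {"lowercase": string.ascii_lowercase, "uppercase": string.ascii_uppercase,
            "numbers": string.digits, "symbols": string.punctuation}
# Constructed profile with the same generation fields as the record above.
PROFILE = {"login": "contact@lesspass.com", "site": "example.org",
           "lowercase": False, "uppercase": False, "symbols": False,
           "numbers": True, "counter": 1, "length": 8}

def derive_password(master_password, profile, iterations=100_000):
    """Derive a password from the master password and public profile fields."""
    enabled = [name for name in CHARSETS if profile.get(name)]
    if not enabled or profile["length"] < len(enabled):
        raise ValueError("profile needs a character class and enough length")
    # Assumed salt layout: NUL-separated so ("ab", "c") differs from ("a", "bc").
    salt = "\x00".join(
        [profile["site"], profile["login"], format(profile["counter"], "x")]
    ).encode()
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, 32)
    entropy = int.from_bytes(key, "big")
    alphabet = "".join(CHARSETS[name] for name in enabled)
    chars = []
    for _ in range(profile["length"] - len(enabled)):
        entropy, i = divmod(entropy, len(alphabet))
        chars.append(alphabet[i])
    # Guarantee one character per enabled class, at a derived position.
    for name in enabled:
        entropy, i = divmod(entropy, len(CHARSETS[name]))
        entropy, pos = divmod(entropy, len(chars) + 1)
        chars.insert(pos, CHARSETS[name][i])
    return "".join(chars)

def rotate(profile):
    """Return a copy of the profile with the counter incremented."""
    return {**profile, "counter": profile["counter"] + 1}

def output_bits(profile):
    """Upper bound on the generated password's entropy, set by the site rules."""
    size = sum(len(CHARSETS[name]) for name in CHARSETS if profile.get(name))
    return profile["length"] * math.log2(size)

if __name__ == "__main__":
    master = "constructed master password"  # sample value, never stored
    print(derive_password(master, PROFILE), derive_password(master, rotate(PROFILE)))
    print(f"{output_bits(PROFILE):.1f} bits at most for this profile")
```

The stored profile holds no secret, yet a restrictive profile still bounds the result: the numbers-only, length-8 profile above allows at most about 26.6 bits of output however strong the master password is.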

Can I host my own database?

If you don't want to use our database, you can deploy your own Docker container. You will need to build the container yourself.

How does the local storage work?

When using the website to generate passwords, the default configuration of LessPass can be saved locally. Data stored in localStorage has no expiration time, even if you close your browser.

See "When is localStorage cleared?" on StackOverflow for how to clear local storage.

What is the keyboard shortcut to open the browser extension?

Ctrl+Shift+L.

How do I edit the keyboard shortcut to open the browser extension?

On Firefox, change the keyboard shortcut on the Add-ons page, which you can open by typing this URL: about:addons

On Chrome-based browsers, change the keyboard shortcut on the Extension Shortcuts page, which you can open by typing this URL: chrome://extensions/shortcuts

Why no desktop app?

There was a desktop application built with Electron, but due to the low number of downloads and the lack of time to maintain the code, support for it was dropped. However, you can get the old source code from the commit /desktop@495e8b3

Why is there no auto-fill feature in the browser extensions?

We removed auto-filling for generated passwords for the following reasons:

  • Auto-filling password extensions widen the potential attack surface. See LastPass breach, advertisers capturing your data
  • It is required to inject a script on every page due to WebExtension restrictions—even if you don't open or activate LastPass—to get the auto-fill to work. We don't want that.

How much does LessPass cost per year?

  • Servers and backups on Vultr: $200
  • Domain name on Gandi: $15
  • Apple Developer program: $100

To operate properly, LessPass costs us $315/year. For you, the service is free.

If you like what we do and want to support the project, consider backing us on Open Collective. More information is available here.

How do I install LessPass on the Opera web browser?

There is currently no dedicated add-on for Opera (see issue #496).

However, the add-on from the Chrome Web Store can be installed by first installing Opera's official adapter: https://addons.opera.com/en/extensions/details/install-chrome-extensions/