Saying goodbye to LastPass and finding a credible alternative

Amar Prabhu, published in Efficient Chaos, Oct 10, 2015

[Image: German Lorenz cipher machine. Source: WikiCommons]

Lastpass announced yesterday (9th October, 2015) that it has been acquired by LogMeIn, and I decided to move away from the Lastpass account that I have had for 6+ years. There were several reasons:

  1. LogMeIn as a company does not share the same values, and the pricing is likely to change. They are notorious for bad customer support.
  2. I had been thinking of moving away from Lastpass since they admitted to being breached in June, which partly compromised their user data.

My criteria for selecting an alternative are:

  1. Multiple platforms — especially Linux (Xubuntu) and Android, where I spend most of my time.
  2. Decentralized — no one company should be able to decide the product's future. The user retains control of their data, end to end. A GPL license would be great.
  3. Web autofill — fill in my passwords automatically on the websites where I already have an account.

My search led me to only one credible alternative — Keepass. I was able to set it up in a way such that it met my initial requirements.

1Password, which is a competitor to Lastpass, came close but did not have a client for Linux.

The Keepass website had some confusing options, but the simplest way to get it is to simply use apt.

sudo apt-get install keepassx

Setting it up was straightforward — you create a new database, import a CSV file from Lastpass and you are good to go.

For the autofill feature, install the Chrome app from here.

This article helped me import my Lastpass database into Keepass easily, and I was able to finish the setup on my Xubuntu machine. Now for the fun part — keeping the database in sync with Android, via SFTP.

Since I already run a DigitalOcean server for hosting some personal stuff, I set up a new SFTP instance and installed AndFTP on Android. This gave me access to the latest version of my password database on my Xiaomi Mi4i. Keepass2Android seemed like the best client on Android, so I went with that.
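Before the database file is placed on an internet-reachable SFTP server, it is worth confirming what protects it at rest: the cipher and the key-transform rounds that slow down an offline guess of the master password. The following is an added example, not code from the post or from the KeePass project: it parses the outer header of a KDBX 3.x file (the format KeePass 2.x used in 2015) and reports those values. The MIN_TRANSFORM_ROUNDS threshold is an assumed policy value, not a KeePass recommendation, and build_sample_header constructs a test header so the check runs offline.

```python
import struct

# KDBX file signature (KeePass 2.x database) and the KDBX 3.x outer-header
# field IDs this check needs; field sizes are 16-bit in KDBX 3.x.
KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67
FIELD_END, FIELD_CIPHER, FIELD_TRANSFORM_ROUNDS = 0, 2, 6
AES256_CIPHER_UUID = bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")
# Policy threshold for the AES-KDF work factor (assumption, not a KeePass value).
MIN_TRANSFORM_ROUNDS = 100_000


def parse_kdbx3_header(data: bytes) -> dict:
    """Return version, cipher and key-transform rounds from a KDBX 3.x header."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX database")
    if major != 3:
        raise ValueError(f"unsupported KDBX major version {major}")
    info = {"version": f"{major}.{minor}"}
    pos = 12
    while True:  # walk type/size/value fields until the end-of-header marker
        field_id, size = struct.unpack_from("<BH", data, pos)
        pos += 3
        value = data[pos:pos + size]
        pos += size
        if field_id == FIELD_END:
            return info
        if field_id == FIELD_CIPHER:
            info["cipher"] = "AES-256" if value == AES256_CIPHER_UUID else value.hex()
        elif field_id == FIELD_TRANSFORM_ROUNDS:
            info["transform_rounds"] = struct.unpack("<Q", value)[0]


def upload_warnings(data: bytes) -> list:
    """Findings worth fixing before the file leaves the machine."""
    info = parse_kdbx3_header(data)
    warnings = []
    if info.get("cipher") != "AES-256":
        warnings.append(f"unexpected cipher {info.get('cipher')}")
    if info.get("transform_rounds", 0) < MIN_TRANSFORM_ROUNDS:
        warnings.append(f"only {info.get('transform_rounds', 0)} transform rounds")
    return warnings


def build_sample_header(rounds: int) -> bytes:
    """Constructed KDBX 3.1 outer header (no payload) for offline testing."""
    hdr = struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3)
    hdr += struct.pack("<BH", FIELD_CIPHER, 16) + AES256_CIPHER_UUID
    hdr += struct.pack("<BH", FIELD_TRANSFORM_ROUNDS, 8) + struct.pack("<Q", rounds)
    return hdr + struct.pack("<BH", FIELD_END, 4) + b"\r\n\r\n"
```

To run it on a real database, read the first kilobyte of the .kdbx file and pass the bytes to upload_warnings; an empty list means nothing flagged.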

I was able to set up this entire chain in less than 4 hours. A few quick thoughts:

  1. Lastpass had a zero knowledge proof implementation and their tech was impressive. As a company they have had a giant target painted on their back for so long and yet managed to keep going. But with the recent breach and acquisition, I felt it is finally time to move on. All the best Lastpass team, you did a great job so far!
  2. My Keepass setup is not perfect. Clunky interfaces and the hassle of having to maintain these moving parts are something I have to deal with. If someone has a better solution that does not involve Dropbox or Google Drive, please let me know.
  3. A lot is happening in the security space. TrueCrypt abruptly announced last year that they are shutting shop. The good thing is that an independent audit found it is still safe to use.

Governments are trying to intrude into the digital data of users more than ever. Those who read the draft of the Encryption Policy in India would have had a few laughs when the Government of India asked companies to maintain plain-text logs of user data. What's the point of encryption then? Hope lies in the fact that there are products like Telegram, Bleep, etc., and a lot of alternatives out there. A little bit of work is required, but reasonable countermeasures can be taken.

I will update this post on how my setup holds up in terms of usability. It has been less than a day, so I am holding off on passing judgement. If anyone has suggestions to improve the setup, please comment. As for security, I am confident that it is more than good enough for what a single user requires.
