author | luxagraf <sng@luxagraf.net> | 2015-10-27 20:30:47 -0400 |
---|---|---|
committer | luxagraf <sng@luxagraf.net> | 2015-10-27 20:30:47 -0400 |
commit | 77d38858c2caca9f8f62e33e507c4f0aeef92a34 | |
tree | 55282a718043b4493b3921046839ba5185ce0ba8 | |
parent | be1749b1dea8a59d186bcfb3c5ea70319c745328 | |
first draft of password-managers article
-rw-r--r-- | password-managers.txt | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/password-managers.txt b/password-managers.txt index e69de29..a86194d 100644 --- a/password-managers.txt +++ b/password-managers.txt 
@@ -0,0 +1,35 @@ +News that LogMeIn will purchase the LastPass password manager service was not well received by LastPass users. In fact that outrage was sufficient that LastPass quickly shutdown comments on their blog. Why the outrage and who is LogMeIn? + +LogMeIn may be best known as the company that shutdown its free service with a mere week's warning. Even in a web filled with capricious, disappearing services LogMeIn's mere week stands out as almost spiteful. Combine that with LastPass's less than stellar history of customer service and its not hard to see why users were unhappy about the deal. + +For its part LastPass says its business model is not changing and that the service will remain essentially as-is under its new owners. Unfortunately for LastPass fans, if you dig around the Internet Archive you can find similar statements from Delicious, Flickr, tk, tk and countless other small services that were purchased and later abandoned. LastPass may well be different, but since there's a chance you might only have a week to find something new, now might be a good time to look for alternatives. + +The best alternative to LastPass depends somewhat on how you use LastPass and what, if anything, you'd like to be different. + +There are two broad categories of password managers. The cloud-based solutions like LastPass offer automatic syncing between devices, while others like KeePass reside on your local machine and you're often on your own for syncing (which can be done via Dropbox, OwnCloud, SpiderOak, Syncthing etc). The primary difference between the two approaches comes down to control of your data. + +Cloud-based sync services store your data on their servers. The best of these offer zero-knowledge storage, which is to say that your data is encrypted and decrypted only on your devices. That means that these services, the storage system it uses and the people working for it have no access to your data. 
+ +If you're looking for a drop-in cloud based replacement for LastPass there are dozens available, but the big standout is <a href="https://www.dashlane.com/">Dashlane</a>. It has everything you're used to with LastPass -- browser plugins, autofill, password strength indicator, secure notes -- and throws in a few things LastPass doesn't offer like the ability to share a password and some digital wallet features. + +Dashlane is not free, it'll <a href="https://www.dashlane.com/premium">set you back $40/year</a>. Technically there is a free tier if you just want to try out Dashlane, but the free version doesn't sync between devices so to really replace LastPass you'll need to sign up for the premium version. Also note that there's no Linux client, but there are browser plugins that make it easy enough to use Dashlane on Linux. + +Another noteworthy possibility in the cloud-based category is <a href="https://encryptr.org/">Encryptr</a>. Encryptr is free, open source (based on the <a href="https://crypton.io/">Crypton project</a>, itself an outgrowth of SpiderOak), and reasonably cross platform. It's currently available for Android, Windows, Linux, and Mac OS X. An iOS version is in the works, but not yet available. + +The problem with Encryptr is that it currently lacks browser integration, which makes it a considerably less capable LastPass replacement. + +Other services worth investigating include the more enterprise-oriented <a href="http://thycotic.com/products/secret-server/">Secret Server</a> and <a href="http://www.scorpionsoft.com/software">AuthAnvil</a>, as well as <a href="https://www.zoho.com/vault/">ZohoVault</a> (which is offering a year of its business version for <a href="https://www.zoho.com/vault/logmein-lastpass-acquisition.html">free to LastPass users</a>). There's also the biometric-based <a href="https://www.stickypassword.com/">Sticky Password</a>. + +The problem with replacing LastPass with another, similar, cloud-based service is two-fold. 
First you may well find yourself back here again in a few years when the new service is sold and you're relying a third-party for syncing. Chances are you're already using some kind of sync service -- be it SpiderOak, Dropbox, Owncloud, SyncThing, etc -- why not sync your passwords yourself? + +If you handle the syncing yourself all you need to worry about is finding an application that can encrypt and decrypt your data on all your devices. Fortunately there are quite a few apps that can do that, most notably <a href="http://keepass.info/">KeePass</a>. + +KeePass may be slightly confusing for newcomers since there are two variants, KeePass and KeePass X. There's not much difference between them, though KeePass seems to have better plugin support if you'd like to add extra features like syncing to Amazon S3, a duplicate checker or better Ubuntu integration. + +KeePass is a database that stores encrypted versions of all your password -- just like the hosted services above -- that you can secured with a master password, key file or both. You can then sync that database file using the syncing tool of your choice and access it on any device that has a KeePass client. There are clients available for Linux, Windows and OS X, as well as unofficial clients for Android, iOS, Windows Phone, Blackberry and most web browsers. + +Depending on your platform, KeePass may not be quite a simple as LastPass, but it does place everything directly under your control, which means you won't have to worry about any web services shutting down or company being sold. + +The last possible LastPass replacement that I'll mention simply because it's the one I opted for is pass. Pass is command line tool that essentially just provides a nice wrapper around GPG. Pass stores each site or note as a single file that's then encrypted and decrypted using a GPG key. The pass community has created clients for Firefox and Android, which are the two places I need to access my passwords. 
It's not for everyone, but if you're comfortable with the command line and want to keep things ultra simple, pass fits the bill. + +In a perfect world the LastPass acquisition won't change anything, the service will continue as it always has, but if it doesn't work out that way or if you don't want to find out the hard way how it will end I suggest you try out KeePass or, if you want to stick with a remotely hosted service, Dashlane. |
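Review bot: The paragraph beginning "The problem with replacing LastPass with another, similar, cloud-based service is two-fold" only ever gives a "First"; the reliance on a third party for syncing is folded into the same sentence and should be split out as its own "Second, ..." sentence (that clause is also missing a word: "relying a third-party" should be "relying on a third party"). The third paragraph still carries unfilled placeholders in "Delicious, Flickr, tk, tk", which need real names or removal before this leaves draft. In the KeePass paragraph, the text recommends a "master password, key file or both" and then syncing the database file with a tool such as Dropbox; it is worth adding one sentence saying the key file should be kept out of the synced folder, since a key file stored beside the database adds no protection if the sync account is compromised. Small wording fixes in the same pass: "its not hard" should be "it's not hard", "shutdown" used as a verb should be "shut down", "all your password" should be "all your passwords", "you can secured" should be "you can secure", "quite a simple" should be "quite as simple", and "Pass is command line tool" is missing "a".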