Less Pass Reviews

There are advantages and disadvantates to Less Pass's unusual password management philosophy.

about Less Pass and KeePass, LastPass, Master Password · · Helpful Not helpful 4 Helpful

LessPass is an open source browser plugin. It allows you to remember - or rather recall (important distinction) passwords for various websites. It works well but differently to most password managers, and the difference is worth understanding:

LESS PASS IS DIFFERENT TO MOST PASSWORD MANAGERS

Most password managers work by creating an encrypted database. A master password you choose is used to access the contents of the database. In the database you might store website logins and passwords, credit card details, notes, bookmarks, and whatever else you want/the password manager permits. That is how LastPass (don't confuse with Less Pass), 1Password, Dashlane, EnPass and KeePass all work (and relatives of KeePass like KeePassX, MacPass, KeeWeb and others). Either by design (e.g. LastPass, 1Password, Dashlane) or by choice (KeePass, EnPass you can sync the encrypted database between computers - either because the service offers it or because you can put your encrypted database into Dropbox or similar service.

The advantage of such a system is that quite a lot of information can travel with you between computers. You only need to download your database (again, either because a service like LastPass has a browser plugin that does that for you or because you access your sync folder and download it yourself) and then LOCALLY decrypt it to get at your information. Very convenient. It's what most people go for.

The weakness of that approach is that it creates a file that contains all your valuable data. Most password managers use the encryption standard AES-256, which is considered to be uncrackable, provided you chose a strong password. (Services like LastPass and apps like KeePass additionally put in bits of code that limit the number of guesses you can make at the password.) With all that, your database should be very secure. So even if someone were to hack LastPass servers (which has happened), or hack into your Dropbox account (which has also happened), your database should be nice and safe, even in the hacker's hands: they don't know the password and AES-256 is far too good for them to break in. Nevertheless, the weakness lies in the fact that all your data is in one place. That makes it an attractive place to TRY to hack/crack, for which reason LastPass, for example, have been targeted before. Now, many people find that to be an acceptable situation, which is fine.

Less Pass has a different design. It works by not having any database or file that could be stolen or decrypted. It works by using several things you input to calculate a unique password. So you open it, specify a domain name, e.g. "protonmail.com", a login e.g. "john.fastman" and a master password - a password you ALWAYS remember (the only one you need to). With this info, Less Pass uses a hash function to calculate a unique string of numbers, letters and symbols (you can set the length and complexity). Every time with these settings and with these inputs, it will generate the same password. The same math, with the same inputs always gives the same result, allowing you to recall the same password that you can then copy/paste into your login screen for whatever website you're visiting (protonmail.com in the example above). And that's it.

The advantages of this approach are:

  • you can go anywhere in the world, download it onto your computer, type in your details and have your password generated for you.

  • You never have to trust anyone to store your information securely, or that they have guarded a server correctly, or that they are implementing encryption correctly.

  • Commercial services like LastPass, 1password and Dashlane encrypt everything in your database, but NOT the URLs (web addresses) of your accounts. These are hashed (turned into a number) but in a way that's very easy to interpret. One of the problems with this is that these services, hackers and intelligence agencies can easily tell from looking at your database which websites you have accounts with. That could be used to identify you or profile you. KeePass (and its open source relatives - see above) don't do this despite having a centralized database. Less Pass also doesn't do this because it cannot - by design.

The disadvantages of this approach are:

  • unlike KeePass or LastPass, Less Pass isn't able to store notes, links, credit card details or anything else. It's just a password calculator.

  • It does not support 2-factor authentication, which means that all the security rests on the strength of your master password. In some situations, you could have a keylogger program on a computer (e.g. a compromised public computer) steal that password.

  • If you had to change your master password, it would innevitably mean that all your passwords, for all your websites, would have to change. That could be quite tedious to sort out.

  • If you need to change a password just for one website (e.g. your login for Diaspora), it becomes inconvenient to remember. Less Pass won't automatically remember that the old password is no longer good. You have to remember to increase a counter from '1' to '2' when generating the Diaspora password.

  • Password managers like KeePass and LastPass have either good browser integration or well-developed autofill capabilities. (KeePass uses the excellent KeeFox plugin for Firefox.) Less Pass has neither, which means that once your password is generated, you have to copy it to your clipboard and paste it into the login page's password field. That leaves your password in the clipboard, and a hacker will know to look there if your computer is compromised (or you're using compromised public computer).

OTHER PASSWORD MANAGERS WITH THE SAME SOLUTION:

Less Pass is not unique in its approach. Other password managers that use this design are Master Password and SuperGenPass. They vary by how well supported they are and whether they use a browser plugin, a website or a local client installed on the computer. Master Password is the closest thing to Less Pass - if Less Pass interests you, check out Master Password to see if that's even better for your needs.

IS LESS PASS GOOD/BETTER THAN THE ALTERNATIVES?

That's a personal choice based on your usage needs. I do not use Less Pass for the hundreds of domains I have accounts with. The main reason is the inconvenience associated with changing a password just for one account, and then remembering to have to increase the counter (see above). For that, the database-reliant method is better, and I would only trust open source apps, like KeePass (Windows & Linux), KeePassX (all platforms), MacPass (Mac), KeeWeb (all platforms) and their compatible relatives.

However, a good useage case for Less Pass is this: If you have collaborators you would wish to share passwords with, you can agree with them in person to use Less Pass, and what the master password should be. All you do then is email them what website/other input you wish to generate a password for and they can do the same thing on their computers using Less Pass as you can. In this way you can share passwords without really sending them insecurely, e.g. via email. For that, Less Pass is excellent.

Reply