Hi, creator of StrongBox Password Safe (https://itunes.apple.com/us/app/strongbox-password-safe/id89...) here. I think LastPass have done a pretty good job of being upfront and honest about their techniques and have a handy little product. Comments above mention the centralised nature of storage and indeed it is an issue as it becomes a real bullseye for hackers. Ultimately it’s a tradeoff between convenience and security. For what it’s worth my app uses the standard Password Safe format (http://passwordsafe.sourceforge.net/), designed by Bruce Schneier. It can store your encrypted password databases locally on device or on Dropbox or Google Drive. This can be easily exported or imported. An added bonus is you can store other tidbits of information in there, notes of any kind, not just passwords. Might be useful for those of you with more stringent security in mind, or more general encryption requirements. It’s also free.
I like Bruce. I trust Bruce. However, as far as I can tell, this is a black box. There is no documentation on formats, protocols, and similar. I have no reason to trust the security of this system. The closest I could come would be to read the source code.
Sorry, should have mentioned a bit about that. The Password Safe format is public, open, and available here [1]. There's also plenty of code/libraries you can use to write your own clients, e.g. Javascript [2], Java [3], Python [4]. For what it's worth the core data encryption is done using the Twofish cipher. Hope that helps.
That both does and doesn't help. There is the format, which looks sensible. There are the protocols around it, key generation, salt generation, overall design, etc. which are not.
What actually scares me about the design is if my machine is compromised, an attacker can grab my Password Safe file (plus keylogs or whatever) and has access to all of my passwords. The design seems not very robust at a designs+protocols level.
(In contrast, right now, if a machine is compromised, it only compromises the passwords I've used from that machine).
