Re: Best app for keeping passwords
I have used 1Password in the past, and I believe it's fine, but I have been using Lastpass for several years now, and I prefer it. I believe that the usability of 1Password is higher, particularly for Apple devices, but I initially switched to Latspass because they had a great solution for Android at a time when I was using Android phones, and 1Password did not (and for a long time they had only a "read-only" solution - you could see what your passwords were for sites, but not change them or create new ones on Android.)
I'm on iOS now, but I still prefer Lastpass. They were recently sold to Logmein, which initially worried me a little, but they seem to be running things the same (if not better - just today they announced that previous Premium-only features are now free).
But what really makes me prefer Lastpass is their response to security issues. Here is a blog post from July:
https://blog.lastpass.com/2016/07/lastpass-security-updates.html/
Tavis Ormandy, a security researcher at Google, made them aware of a security issue and they had it patched THE SAME DAY. Normally, Ormandy starts a 90 day clock; he responsibly reports security issues to a vendor and does not publicize them until they have had 90 days to fix it. I think it's quite unusual for him to have these vulnerabilities patched so quickly.
In August, he tweeted that he was looking into 1Password; he seemed unimpressed:
https://twitter.com/taviso/status/760231214812844032
Somebody asked him about it a few days later:
https://twitter.com/schof/status/763802703793315840
@taviso Haven't heard you report anything on 1Password. Clean bill of health so far?
And he reported that he'd found some issues:
https://twitter.com/taviso/status/763830191407845376
@schof I've sent them some vulnerabilities, but it's not the worst I've looked at.
He was asked later what the issues were, but said that he couldn't comment until the issues were patched. Well, it's been almost three months now, and there is still no patch to 1Password. (He also mentioned in a later tweet that there was an issue with Dashlane that was patched a month later, because Apple would not expedite the app review. KeePass seemed fine, he said.)
Almost three months without word of a patch for this vulnerability: even though it's "not the worst [he's] looked at", this is what worries me about 1Password compared with Lastpass...