LastPass appears to be holding users' passwords hostage (alternativeto.net)
383 points by tytso on Jan 11, 2022 | 217 comments



I can say with full confidence that this at least has nothing to do with their hostage situation:

> Having no formal support channel

When I last had to deal with their so-called support, all contact details were very efficiently hidden. Once you found a page with a phone number, and the hours you could call them, there was one final surprise:

"The phone number you are trying to reach is not in use". The only contact that works reliably at LastPass is their billing department. Make of that what you will.


I usually use this website to find companies' phone numbers: https://gethuman.com/phone-number/LastPass

It tells you that it is a credit monitoring service when you call, but it is indeed the password manager service....

800-830-6680 and then press 3 (the other 2 options disconnect you)


> It tells you that it is a credit monitoring service when you call, but it is indeed the password manager service

That actually sounds like it might be a business model (at least in places where the proletariat don't get too uppity). You run a password manager service and calculate data on people's password strengths and the number of duplicated passwords they use, and then feed this data to some sort of credit check system.


Even better, they can login to your bank accounts, amazon account, etc...


If they did, Amazon etc. would email you telling you they detected new logins from various IP addresses


Unless they have a contract with Lastpass that lets them profit from the data, that is.


If they had a contract, they wouldn't need your password.


While it was harder than it should have been to reach them, the one support interaction I’ve ever needed to have with them (domain name change went badly with master password email account re-verification before I added a secondary email) was amazing. They had a thorough security checking and identification confirmation process that would make it more difficult for social engineering, and they were able to fix up the email over the course of a 45 minute phone call (I did mention it was thorough).


You guys did better than me, I gave up trying to find a phone number and used their ticket system… it was not good. Issue was eventually resolved but wow, what a mess.


I vaguely remember eventually figuring out how to lodge some kind of issue or something because the UI of their credit monitoring was completely broken. It was impossible to use the service at all.

I think I eventually figured out some methodology of opening some graphical element in a new frame or something that got it working partially but that was what made me cancel everything and switch to BitWarden. Ridiculous.


Ah, the Jagex method.


Possibly in order to prevent social engineering they have simply sought to make it impossible.


Watch out! Another "bug" of LastPass happens when you export your accounts.

I have exported all my accounts via the web interface, and the three times I've done that it exported a truncated CSV file with about 30 lines, while printing the whole file content in the web page you access. That means the CSV you downloaded probably is not complete and you have to copy some lines from the web.

I was lucky to investigate a weird warning, about some missing fields in the last row, that SQLite gave me after importing all the accounts to a database.


I did this a few months ago and didn't run into that problem. I basically did a "make before break" migration. I kept LastPass available for several months after importing the database into 1Password, while using 1Password day to day. I never needed to refer to LastPass, so I finally unsubscribed and deleted my account.

I have read some others on HN describe stories where it didn't go so well. Private Notes not exported (I saw this on HN before I cancelled, but mine all came over), incomplete exports (I got everything), etc.

But yeah... do be careful and give yourself a grace period.


When they were acquired by LogMeIn a few years ago, the thread on HN about it was recommending switching to Bitwarden. Which I did. In a few weeks, I'll have to pay $10 to renew it. Meanwhile, since December we have those kind of worrying news from LastPass which is almost 4 times more expensive than Bitwarden.


I wanted to use BW. Even had a talk with their lead engineer and CEO about switching my company over. Seems like a good product but at least two years ago their commercial offering was abysmal, basically no way to run a managed system with user accounts for their personal things and work entries that I could control or deploy.

Lastpass Enterprise has issues, but it does allow the above.


As an employee I would definitely not like to mix my personal things in my work password manager :)

However for those who are so inclined I can see the value.


No, that was the point. I want accounts for personal that I can access or reset, and I want a work account I can.

Lastpass does this and allows you to link them for your visibility, not mine. So users get a single log in the morning or whatever and they can do whatever they like. It’s a convenience that helps our less security minded users still have good habits.


2 of my colleagues lost their personal accounts (which they had linked to the corpo account) when they disabled/deleted the trial corpo account.

They were the only 2 of us who were trialling the linked account approach so I cannot say what the chance of losing your personal account is/was under this scenario.

This was a couple of years ago but understandably prompted a mass migration away from LastPass.


The way it’s worked ever since I’ve seen is the account is entirely separate. It’s just linked in. But they would have lost the features until they paid the normal rate themselves.


I understand, we've also been talking to LastPass in the past and they offered us something like this (not sure if it's a similar deal). Basically giving employees full access to the paid features personally as well.

But a single login is something I wouldn't even want. If my corporate account got blocked for some reason (e.g. the company folding), would that also lock the personal one? I don't know if we asked them this question as I wasn't directly involved in the discussion. In the end the whole deal was shelved anyway.

For me it's just a matter of account hygiene. And for personal stuff I prefer to host my password manager myself anyway. I was into mixing work/private in the past but with the increasing sophistication of attackers I avoid it now.

I can see the benefit though, promoting the use of a password manager to users who might not have thought of this in their personal life. I know many people who have never even heard of the phenomenon and still use the same password everywhere. I wonder what's in it for LastPass though.


> basically no way to run a managed system with user accounts for their personal things and work entries that I could control or deploy.

Could you elaborate on this?

I'm not an enterprise user, however, as a happy commercial Bitwarden user, I was annoyed that the company I worked for moved to LastPass relatively recently. I'd love to know what may have made them choose LP over Bitwarden.


Lastpass lets you (possibly with a large enough enterprise account?) give free personal accounts to your employees, separate to their business accounts, that the employees can link with the business accounts. This gives the employees a single interface to access their business and personal passwords, while giving the company a business account it can see stats (but not passwords) of, and terminate to cut off access to without locking a user out of their personal passwords (the personal account gets downgraded to a free account).

Personally I don't use that as I have bitwarden set up for my personal accounts and would rather trust that.


See the post above this one. Lastpass allows me to deploy enterprise, then you can link personal that I can’t access. The user gets a single sign on to work and personal. It’s nice.

There was something else that BW wasn’t interested in doing for enterprise. I think that came down to recovery. They weren’t willing to trade some security feature on commercial accounts for a required IT feature. I wish it would have worked out with them, I’d switch from LP in a second if they solved those issues.

They were very upfront to me that their focus was consumer first.


What about 1Password?


I don’t want the hate for it, but I really hated my demo with it. I wish I could remember why! All I remember is that I couldn’t do basic enterprise level things I expected. It may have come down to linking personal accounts or recovery or cloud. Sorry, don’t really remember. I think it just rubbed me the wrong way.


The only thing important about a password manager is the amount of the bug bounty. In economic theory, it should be higher than the assets you protect with the password manager.


Confirmed working 10:46am PST:

Sign in to LastPass web -> Advanced Options -> Export -> Verify export by email -> Advanced Options -> Export (again) -> List of passwords in CSV format.


Confirmed broken. CSV file contained barely a dozen entries. Real list is hundreds.

I guess Bitwarden secured itself a test-run.

edit: for clarity, the downloaded csv was defective, the csv shown seems complete. This is a problem
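The truncated-download symptom described above (an export that is complete on screen but short on disk, and the "missing fields in the last row" warning an importer produces) can be checked before the file is trusted. The following is an added example, not code from LastPass or from any commenter; it assumes the export header shown in `EXPECTED_HEADER` (compare it with your own file) and uses constructed sample rows, not real credentials:

```python
import csv
import io

# Column header of a LastPass CSV export as of early 2022 (assumption: compare with your own file).
EXPECTED_HEADER = ["url", "username", "password", "totp", "extra", "name", "grouping", "fav"]


def check_export(csv_text, expected_count=None):
    """Parse a LastPass-style CSV export and report signs of truncation.

    expected_count is the number of entries the web page displayed; pass it to
    catch a download that is syntactically valid but silently short.
    Returns {"entries": <records parsed>, "problems": [<descriptions>]}.
    """
    problems = []
    rows = []
    # strict=True makes the reader raise when the data ends inside a quoted field,
    # which is what a download cut off in the middle of a multi-line note looks like.
    reader = csv.reader(io.StringIO(csv_text), strict=True)
    try:
        for row in reader:
            rows.append(row)
    except csv.Error as exc:
        problems.append(f"parse error after line {reader.line_num}: {exc}")

    if not rows:
        problems.append("empty file: not even a header row")
        return {"entries": 0, "problems": problems}

    header, entries = rows[0], rows[1:]
    if header != EXPECTED_HEADER:
        problems.append(f"unexpected header {header}")
    # Every record must carry exactly as many fields as the header; a short final
    # record is the "missing fields in the last row" symptom an importer reports.
    for index, row in enumerate(entries, start=1):
        if len(row) != len(header):
            problems.append(f"record {index} has {len(row)} fields, expected {len(header)}")
    if not csv_text.endswith("\n"):
        problems.append("file does not end with a newline: last record may be cut off")
    if expected_count is not None and len(entries) != expected_count:
        problems.append(f"got {len(entries)} entries, the web page showed {expected_count}")
    return {"entries": len(entries), "problems": problems}


# Constructed sample exports (not real credentials).
COMPLETE_EXPORT = (
    "url,username,password,totp,extra,name,grouping,fav\n"
    "https://mail.example,alice,s3cr3t-one,,,Mail,Personal,0\n"
    'https://bank.example,alice,s3cr3t-two,,"Security question:\nfirst pet",Bank,Finance,1\n'
    'http://sn,,,,"Some note",Note,,0\n'
)
# Download stopped inside the quoted multi-line note of the second entry.
TRUNCATED_IN_NOTE = COMPLETE_EXPORT[: COMPLETE_EXPORT.index("first pet")]
# Download stopped in the middle of the first entry's fields.
TRUNCATED_MID_RECORD = COMPLETE_EXPORT[: COMPLETE_EXPORT.index("s3cr3t-one") + len("s3cr3t-one")]


if __name__ == "__main__":
    for label, text in [("complete", COMPLETE_EXPORT), ("cut in note", TRUNCATED_IN_NOTE),
                        ("cut mid-record", TRUNCATED_MID_RECORD)]:
        print(label, check_export(text, expected_count=3))
```

Run it against the real download by reading the file into `csv_text` and passing the entry count the web page showed as `expected_count`; an empty `problems` list plus a matching count is the condition to require before deleting the source vault.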


The problem is if you aren't a paying customer, and you are locked to the mobile app, it doesn't have the password CSV option. So if you can access the desktop web option, sure, it works. But that's not true for all users.


Have you checked this thing I commented? Just to know if it's just a personal problem or it is global: https://news.ycombinator.com/item?id=29896882


Same here. I pay for LastPass, and I was able to export w/o a problem.


Same, cannot reproduce. CSV export was easy and appears to be error-free. <shrug!>


I wasn't able to reproduce the error. I got a CSV that seems complete.


I don't pay for lastpass, and I was able to export, but I've also been a user for a LONG time, so perhaps grandfathered in.


I pay for LastPass Premium and it exports just fine in the latest Chrome on Windows 10 x64.


I don't understand why people should use LastPass while this robust, multiplatform and totally free "BitWarden" is available. Marketing power.


I have quite a few gripes with Bitwarden, but I've never used LastPass so don't take this as a comparison.

1. Their auditing ("Event Logs") feature is unusable. It refers to items by some magical identifier which does not correspond to the name in the vault, e.g. "Viewed password for item ebabefac".

2. Payments by anything other than Credit Card are a mess, which is a serious pain if you have a lot of users. It took us weeks and many support interactions to get something as trivial as a bank transfer sorted.

3. It's still (!) lacking a feature to actually send people passwords ... as in sysadmin creates some account for a user, presses a magical button in BW, and it ends up in the user's vault (or maybe they get a message and are asked to import it, whatever). BW recommends you use the "Send" feature, which is basically a glorified pastebin.

4. The UX is .... not great. Organization vs Personal Collection view is confusing. Every time we onboard a new user we get questions about how they should store personal passwords.

It works well enough, but I don't think the enterprise plan is worth the 60/user/year price tag.


> 1. Their auditing ("Event Logs") feature is unusable. It refers to items by some magical identifier which does not correspond to the name in the vault, e.g. "Viewed password for item ebabefac".

Names and all other identifiers can be changed freely, so Bitwarden refers to passwords by their unchangeable UUID, so you can keep track of an entry across any such changes.

What bitwarden lacks is an easy way to search for passwords by UUID, but that's a rather minor UX improvement.

> It's still (!) lacking a feature to actually send people passwords ...

Yeah, that surprised me as well. Back in 2014 or so we added magic password://uuid links to our internal password management tool, you can just send people the link, and when they clicked it, it opened that particular password, as long as they had access. I would've expected the competition to have picked up on it ages ago, but c'est la vie.

For exchanging passwords with external users, Send is reasonable enough IMO.

> The UX is .... not great.

Agreed. But given that everything else is solid and open source, I'll take it over any competitors, or continuing maintenance of our own tool, which quickly gets a whole lot more expensive...


I wonder, if you are self-hosted, have you tried the rust implementation? https://github.com/dani-garcia/vaultwarden

It may have better auditing (though I confess I just pay for hosted so I can't say for sure).


It has no auditing capability at all currently, cf. https://github.com/dani-garcia/vaultwarden/issues/246


I switched to BitWarden when they dropped the subscription requirement for mobile, continued charging for my subscription for over a year and then announced they’d start charging again.

It’s… fine, but many areas of integration with browser and on iOS are significantly less polished and pleasant to use. Things like credit cards are entirely manual on iOS. It’s definitely a worse experience on the convenience side.

That, and even though it’s relatively easy to migrate, it’s even easier to not spend the effort reworking your workflows and ways you use password tools.


> it’s even easier to not spend the effort reworking your workflows and ways you use password tools.

Yeah, this. I've been using LastPass since 2012 - four years before BitWarden even existed. BitWarden actually looks excellent and I'm tempted to switch, but the easiest thing is just to not do anything.


Although I understand your point from a psychological point of view, in my experience switching from LP to BW was an easy task. You can create a temporary CSV to export your Lastpass vault and import it in Bitwarden. It takes 2 minutes maybe. The rest is just switching which app you use to fetch your passwords.

Although that was prior to the shenanigans this post's article talks about.


I thought it would be time consuming too but it's literally just 1 minute to sign up for an account, export from Lastpass and a 2 click import into Bitwarden.

It transferred EVERYTHING -- passwords, notes, credit cards etc. It's super easy.


Yeah this was also my experience. I expected a world of hurt when migrating to Bitwarden but it just worked!


“Totally free” is not a benefit. I want a transactional relationship with a company that will compel them to help me when things go wrong.


You have the option of paying for BitWarden if you prefer :)

But everyone that I know that uses it, hosts their own anyway (I don't agree with Moxie's thing of "people don't want to host their own servers and never will" - clearly not true for some people). But that was beside the point anyway, open server design means you can choose who runs your server for you.


They have compelling premium plans fairly cheap. In my opinion it's a more trustworthy relationship because their software is open source and is fairly straight forward to host yourself if they start misbehaving. No such option on most alternatives.


I'd be ok paying for BW, the issue for me is not knowing what's going to happen if they close down or decide to pull a LastPass. So I've transferred my stuff to KeepassXC and been pretty happy with the ux. Having to deal with syncing the password database across devices is a bit of a pain but it's one of the things I absolutely need control over.


Try 1Password - Great app and I can vouch that they help you when things go wrong (because things went wrong for me and they went above and beyond to help).


Previous commenter should have said "freemium" instead



They have added custom fields at some point, because my AWS is autofilling the account ID with one: https://i.imgur.com/Ark4XH9.png


LastPass has been around for a very long time. I'm still using it because I haven't had much reason to migrate and I installed it probably a decade or more ago.


Lack of information. LastPass was also relatively decent software for a while. I only stopped using it two years ago, but also noticed at the time that they have significant marketing efforts compared to the competition.

It seems like LastPass is angling to become the AOL of password managers, and by that I mean they want a bunch of old customers who never bother to switch to something better.


At any rate there is no reason to use LastPass. There must be tens of password managers all geared towards a different kind of user and all better than LastPass.


You can also grab a raspberry pi and self host.


When LastPass was acquired a few years back, I saw the writing on the wall and changed to 1Password. Thank goodness I dodged this bullet.


I moved to Bitwarden. Solid choice, as well.


1Password is another proprietary SaaS password manager. You "dodged this bullet" but shouldn't you also be concerned that 1P will do the same thing in the future?


1password explicitly says what happens if your subscription lapses; your account will be frozen and placed in a read only state: https://support.1password.com/frozen-account/

Now, the question is “why would I trust this?” to which I answer: I trust them to safeguard my passwords.


> Now, the question is “why would I trust this?” to which I answer: I trust them to safeguard my passwords.

Isn't that tautological?

I trust 1Password more than LastPass simply because you _must_ pay for it. Freemium upsells are a dark pattern, and the temptation to monetize data on free users is much greater than paid.


> I trust 1Password more than LastPass simply because you _must_ pay for it

The ultimate problem with this whole logic is that you trust that other individuals and companies are not tempted to "double-dip" by monetizing data on paying users. A comment in the reddit thread referenced in the article summarizes the problem neatly:

> These SaaS cloud services are completely unregulated and answer to no one except their own profits. They can and will hold your data hostage the moment they think they can do so profitably on a large scale. It doesn't matter whether you're paying for the service or not.

https://old.reddit.com/r/software/comments/s053t3/lastpass_i...


> The ultimate problem with this whole logic is that you trust that other individuals and companies are not tempted to "double-dip" by monetizing data on paying users. A comment in the reddit thread referenced in the article summarizes the problem neatly:

I don't think the logic is wholly broken - there will be a lower incentive for paid companies who can generate a profit with subscription fees to "double-dip" than there is for free companies to "single-dip" (who need to dip to survive).

It's all about relative risk between those two models - if company A has a business model that can work without doing shady shit, and company B has a business model that can only work if they do shady shit, then company B will be more likely to do shady shit in reality.


True, which is why I switched from 1Password to Bitwarden about 6 months ago.

If you told me my options were between LastPass and 1Password, I would rather use a physical pen & paper than LastPass, but I would at least be able to live with 1Password.


My #1 priority is a manager that my family can easily figure out how to use it. The alternative is easily hackable passwords.


Which is easier to use: LastPass or CorrectHorseBatteryStaple?


LastPass (or password managers in general).

CorrectHorseBatteryStaple will fail for a lot of sites. It doesn't have special characters, it's too long, it doesn't have numbers, it contains dictionary words, etc.

And you still have to remember the unique phrase you chose for each site. If you have a couple dozen logins, can you remember 24 different phrases? What about when a site forces you to change your password?


A password manager. A much as I like CorrectHorseBatteryStaple, it would be impossible to use on every account I have (hundreds). I use CHBS for the few (5 at most) accounts that I log into all day, every day. Everything else gets a long, random string of garbage and stored in my password manager.


LastPass, unless you're able to memorize 200 different unique, complex passwords. Using a password "scheme" per site (like CorrectHorseBatteryStapleHN, CorrectHorseBatteryStapleReddit) is not safe.


This happened to me: I forgot a password (site was ThompsonReuters, so not a tiny company we-dont-know-better), and requested a restore via email. They mailed me the password in plain text: "Your password is CorrectHorseBatteryStaple, you can change it at url.com/change".

So imagine you use CorrectHorse, and some site stores passwords in plain text or weakly hashed, and then the DB is compromised (if they do the storage badly, chances are the DB is also weak), and boom, a cracker has your email, password, and the name of your first pet.

But if I use KeePass, I don't care if my password leaks from that site or the other, or if they store in plain text. That password is only used in one site.


LastPass

Cause most services still require arcane rules like "must have a number, an upper and lowercase letter, and 2 symbols but not on Thursdays"


I use the CorrectHorseBatteryStaple format, but with a short string of digits/symbols at the end to satisfy picky rules. This generally seems to work. But since I use a different password for every website I don't see how I could not use a password manager of some sort ... making passwords easier to type and remember doesn't mean I'm going to remember them all.
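The trade-off the last few comments circle around (a memorable passphrase versus a long random string, plus a tail to satisfy site rules) can be put in numbers. The following is an added example, written for this page rather than taken from any commenter or password manager; the word list is a constructed stand-in (a real diceware list such as EFF's has 7776 words, which is what the entropy figures assume), and `meets_policy` models a typical site rule, not any particular site's:

```python
import math
import secrets
import string

# Constructed mini word list for the demo; a real list such as EFF's long diceware list
# has 7776 words (about 12.9 bits per word), which is what the entropy figures below assume.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "cloud", "river", "lantern", "pepper",
              "orbit", "velvet", "maple", "tunnel", "falcon", "quartz", "harbor", "signal"]
SYMBOLS = "!@#$%&*_=+"


def passphrase_bits(n_words, list_size):
    """Entropy in bits of n_words words chosen uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def random_string_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random string over an alphabet of alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def generate_passphrase(n_words=4, suffix_len=3, wordlist=DEMO_WORDS):
    """Diceware-style passphrase with a short digit/symbol tail for picky password rules."""
    # Capitalising each word covers "needs an uppercase letter"; the dashes and the tail
    # cover "needs a symbol" and "needs a digit" without making the phrase harder to recall.
    words = [secrets.choice(wordlist).capitalize() for _ in range(n_words)]
    tail = secrets.choice(string.digits) + secrets.choice(SYMBOLS)
    tail += "".join(secrets.choice(string.digits + SYMBOLS) for _ in range(suffix_len - 2))
    return "-".join(words) + tail


def meets_policy(password, min_len=12, max_len=64):
    """Typical site rule: length bounds plus upper, lower, digit and symbol classes."""
    checks = [
        min_len <= len(password) <= max_len,
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return all(checks)


if __name__ == "__main__":
    print(f"4 diceware words: {passphrase_bits(4, 7776):.1f} bits")
    print(f"16 random printable chars: {random_string_bits(16, 94):.1f} bits")
    print("CorrectHorseBatteryStaple passes policy:", meets_policy("CorrectHorseBatteryStaple"))
    pw = generate_passphrase()
    print(pw, "passes policy:", meets_policy(pw), "| under a 20-char cap:", meets_policy(pw, max_len=20))
```

The numbers make the thread's point concrete: a four-word passphrase is fine for the handful of logins you type every day, a 16-character random string from a manager carries roughly twice the bits, and a site with a short maximum length rejects the passphrase outright, which is exactly why a manager-generated value is the default for everything else.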


There is nothing wrong with a proprietary SaaS password manager if: 1. You can export all of your data easily 2. They cannot see your data (E2E encryption with you holding the key)

You get the benefits of people making money off this service and thus keeping up to date clients and plugins. If it becomes bad you dump your data and go somewhere else.


I quite like the fact that 1PW has a very simple business proposition: I give them money, and they safeguard my passwords. And if I don't like their service, I can easily export my stuff and not renew my subscription. There are no growth hacks involved.


I tend to agree, but the E2EE part can only be verified if their clients are not proprietary. The SaaS part isn't a huge issue as long as there is no lock-in, as you mentioned.


1Password on desktop stores items in a standard SQLite database, in an open format: https://support.1password.com/1password-security/#transparen...

They also store regular copies of your vault in a backup folder. If Satan buys them and they try to lock you out, just decrypt your backups and move somewhere else.


> When LastPass was acquired

Maybe, if someone acquires 1Password?


The company vision can change even without acquisition.

Having an open source and self-hostable alternative (that also has a SaaS equivalent if you so choose) seems to be the more prudent choice.


I moved to 1PW after the first LastPass leak, was the best decision I ever made.


I switched after the ~thanksgiving multi-day outage a few years ago. I've been happy with that decision as well


My girlfriend has been using 1Password for years without any issue, so I think it must be a decent service, at least in her book. The built-in password management on iOS and macOS has been good enough for me, though.


1Password is moving in a direction just as bad. A few months ago they took away features for legacy single paid users and started hiding them behind the monthly paywall.


Just curious, what were some of those features?


The newest version removed the ability to use a local repo (on iCloud, etc.) and they force you to use their monthly cloud service vs. buying outright.

See here for more details: https://news.ycombinator.com/item?id=28145247.


Doing the same was on my TODO list for a long time, and I just migrated a couple of weeks ago. Very glad I finally got around to it!


Neither a bug nor an intentional ploy would surprise me. When I last used LastPass (2018) the web UI was quite buggy and difficult to use. Since then they have been acquired[1] by a PE firm and are about to be spun off again[2] as an independent company. Heaven knows who's steering the ship over there.

[1] https://www.ghacks.net/2019/12/18/logmein-lastpass-to-be-acq...

[2] https://www.theverge.com/2021/12/14/22833319/lastpass-indepe...


I don't know, maybe I'm old-fashioned, but I never used and never will use a password manager. I can't think of a reason to let a business know all my passwords while also making it my single point of failure.


Fwiw, most good password managers don’t necessarily let the business know your passwords, the passwords are encrypted before transport, and the business has no access to your data. All decryption can be client side only. You pay for storage and hosting of encrypted data, i.e., access from anywhere, and browser+mobile apps.

This means losing the master password is dangerous, so some people still choose to allow a host-side override where the business has some access, in order to enable account recovery in the case of a lost password.


How do you manage your credentials then? Before using a password manager, the best thing I could manage was variations on a similar password. But sites with arcane password requirements tend to break this.

I was _really_ disappointed when 1password dropped support for Dropbox sync and pushed everyone onto their storage. I'm uncomfortable, like you, with the truly single point of failure this way: I would much rather diffuse the storage and master credentials to separate parties.


I do like you said, small variations. Things get difficult once there are bizarre requirements, but then I just login by "forgot my password". Another commenter replied (s)he has over 400 credentials; I don't think I have even 100 let alone 400 logins.


>I don't think I have even 100 let alone 400 logins.

And the real question is: how many of these logins require max level of security?


Why is that the real question? The advantage of a password manager is you can default to max security with no more effort than poor security. Many of my accounts have changed over time, it’s not uncommon to add payment to a trial account, or for personal information to accumulate. There are plenty of good reasons to always use maximum security in order to lower your risk and prevent future accidents.


What's your alternative? If it's just memorizing a huge set of passwords plus the ability to add to that set whenever you need, that's awesome.

But if you're doing what most people do instead of a password manager, which is just re-use two or three passwords for everything, then you don't just have a single point of failure. You have dozens of points of failure. You're not letting "a business" know all your passwords, you're letting many businesses know your password, singular.

Also, password managers don't only come from "businesses". I use pass[0], which just gpg encrypts passwords in a git repo. If you're willing to set up sshd, git, and gpg on your devices, you can use pass.

That said I still recommend that people coming from the "old way" use something like 1Password or LastPass if self-hosted is not for them. I share your distaste for giving the keys to the kingdom to a single business, but it's better than the alternative. I trust LastPass more than I trust the weakest member among a random set of other businesses.

0. https://www.passwordstore.org/


> let a business know all my passwords

You don't. Password managers like Bitwarden are basically cloud storage for an encrypted blob that happens to contain your passwords wrapped up with a nice UI/UX and handle all the syncing for you between your devices. They don't "know" your passwords. They sync that blob and then all encryption and decryption is done on your device.

Not to mention with Bitwarden you can run your own server if you are comfortable doing so and don't want to rely on their servers.

> making it my single point of failure

So maintain backups of your encrypted vault. Also Bitwarden (which is what I use) doesn't require an internet connection to unlock your vault so even if you're stuck somewhere with no net access you can still access all your data. Export it, etc. It is 100% offline for use, internet connection is only needed to sync the encrypted blob.

---

IMHO the benefits of a good password manager with nicely integrated password management, history, generation, MFA, etc. far outweigh the drawbacks of your account being hacked.

I have over 300 logins in my password manager.

I only have to remember a few actually important passwords in my brain which makes life exponentially easier when logging in to so many different services each day.


The reality is that it's unreasonable to expect users to maintain passwords that are both unique and memorable. My password manager tells me I have over 400 credentials saved. There's no way I can keep track of that in my head.

To solve this, you can drop either one of the "memorability" or "uniqueness" requirements. Most people naturally drop "uniqueness" and reuse the same passwords everywhere. Or you can use a password manager and drop the "memorability" requirement. It's safer and more usable to do the latter. Even writing it down in a physical notebook is an improvement over reusing the same password.


I highly recommend keepass + syncthing. Avoid some third party having access to your password store while keeping it backed up wherever you need it to be.


I'll never use a centralized one like that. I use a password manager that keeps my vault file locally and is synchronized through any cloud storage provider of my choice. I chose OneDrive, but if I was more insistent on absolute privacy it could also synchronize to a WebDAV server I set up myself.


Interestingly, if you think about it, this is pretty much equivalent to what Bitwarden is doing. You trust the (open source) client to not leak your passwords and to encrypt them properly, and then you use an online service to sync an encrypted blob. A "custom" sync solution is less prone to a targeted attack due to the obscurity, but otherwise is largely equivalent to using Bitwarden (or any other provider with an open-source client and encrypted vault sync).


That's what I do. KeePass vault. Google drive and onedrive sync. Local. Works on all my devices. Simple


I feel that way about online password managers, but an offline open source password manager is a huge quality of life (not to mention security) improvement when all of your accounts have different passwords. I'd highly recommend giving it a shot.


It’s just terribly insecure. Humans are really bad at making unique passwords. I have around 500 unique passwords in my password manager. No way I could do that manually.


>while also making it my single point of failure

This is my concern as well. The whole idea of my passwords being in a black box that is tied to my hardware seems like a recipe for disaster if I am traveling and my hardware gets stolen, lost or destroyed.

(maybe there is something that I am failing to understand, but I've watched several videos that attempt to explain how a PW manager works and I've not found an answer)


In 1Password:

- the master key derives from 1. your password, and 2. a long, random key that you type manually on each new device (so you can’t brute-force the password just from the server’s data, and you can’t decrypt the data just from your hard drive without the master password),

- none of these keys ever leave your devices (encryption and decryption happen client-side),

- the key is deleted from RAM, locking the vault, if you’re inactive for too long.

That makes some attacks hard. It will be defeated if malware can get 1. your secret key and 2. your master password. But in that case, your login cookies and what you type in login forms are vulnerable too, so there isn’t much difference.


You don't need to let a business know anything. Run your own self-hosted instance via a dedicated server or WebDAV, or use the password database totally offline. SaaS is not the only option here (and IMO, I wouldn't even consider using a password manager unless I could do so without involving any other companies).


I'm afraid you don't understand how password managers work then. You do not reveal your passwords to LastPass, and used properly it is not a SPOF.

That said, the model is generally broken and LastPass is near the bottom of the heap.


It sounds like a cloud hosted password manager isn't a good choice for you. However not all password managers are cut from the same cloth. There are many offline/locally encrypted options.


Thank you.

If you or they are not technically inclined, write them down on a piece of paper, stored safely.

If you are, encrypt a file or volume on your computer and use that.

I've done and advised this forever and each little story like this leaves me convinced that these ways, while not perfect, definitely beat all the others.


Keepass does that, and is a password manager. Put the encrypted db in some path tracked by Dropbox or similar, and you have a fine setup.


Right, I suppose what I mean is "local software" over "centralized service."

Frankly, I'd even avoid Dropbox here. No need; and slightly reduced threat model (e.g. you happen to pick a bad encryption scheme). Syncthing, if anything.


You gotta balance. Don't use a password manager for your key accounts - use it for all the rest that you sign up for.


Use one that stores locally and never shares the data with anyone.


As a LastPass user, I'm getting a bit nervous. I've looked through various other threads on suggestions, but, since it is inevitable - what do people recommend and why? I'd prefer only answers from people that have been using their solution for at least a couple of years, and even better, people that have been using theirs for even longer and through multiple iterations of "weird things happened to password manager X" cycles :)


I've been on 1Password for many many years - looks like I bought it first in 2008, and I've bought every major version since, and then moved to subscription within weeks of it launching. I couldn't be happier with the product, or their customer support. $3 per month for bulletproof password management that integrates so well into iOS and Mac OS isn't even something I think about when renewal time comes along. I'm watching their move to Electron for their apps with caution, but they have such a long track record of shipping great product that I'm not too worried.


I don't love electron, but I do like they now have a Linux client with good platform integration (such as pop up mini window).

They previously had a cli for Linux. It was designed to provide everything you'd need to build a nice ui but since it was a little low-level it didn't have great ux.


I'm using keepassxc, synchronized over pcloud (but Box, Dropbox, gdrive etc would all work just as well). There's an excellent browser plugin, I use keepass2android on my phone and it also functions as my ssh-agent and I use it as my secret-provider for my Linux desktop (essentially a replacement for gnome keyring or kwallet). I'm not sure what reason there would be to use a SAAS.


I’ve used 1Password for around 8 years (maybe longer) and I believe them to be a pretty safe bet currently.

I wasn’t a huge fan of their move to a hosted model but I went with it and even so, I have to say that their service is good, reliable and instilling of confidence.

If I was starting from scratch I’d probably look more closely at Bitwarden (likely to use their hosted service but knowing I have the option later to self-host).

I would suggest that most people would likely be served well by either of these solutions at this point in time.


Same here. If I was starting from scratch, I'd consider Bitwarden, but 1Password has been so flawless for me over the decade and a half I've used it (off and on) that I can only lose by moving.


I've used 1PW since its inception, happily moving whichever way they went. However, the latest iteration (electron?) is an absolute mess. I blinkin hate it! Shortcuts work, then they don't. Search rarely works. Multiple overlapping modals appear. Modals position themselves over the input boxes. It's really awful after the change. Sadly I didn't find this out until I had already paid for the monthly subscription or I would have dropped it like a hot potato. I'll stick it out for a few months more, but if things don't improve I'll be in the market for something (anything) better.


I've been using pen & paper for a decade. So far it has not been affected by any CVEs, company acquisitions, bugs, quirky updates, outages, mandatory subscriptions or arbitrary account limits, leaks, or other compromises. It's airgapped and works fully offline too. Even if all my computing devices got filled with malware, they would only log the passwords that I actually type in.


I could never trust credentials to my hand writing. :D


bitwarden seems to be the favorite so far - open source, self-hostable if needed, and pretty easy to use.

There's a free reimplementation of its server which also seems to be highly recommended:

https://github.com/dani-garcia/vaultwarden


Second Bitwarden, I moved from Lastpass to it last year and the process was painless. iOS and browser support were at such parity that I just uninstalled one, installed the other, and was ready to go.


Been using bitwarden and love it! I don't think it offers 2-factor but you can replace that with Authy or Google Authenticator


I'd like to recommend Aegis Authenticator, which is FOSS. It also encrypts tokens at rest, has password protection and the ability to export tokens.

Lastpass Authenticator does not do that, so I spent an hour yesterday manually resetting all my 2FA.


Vaultwarden (the recently renamed Bitwarden-compatible implementation in Rust) supports 2FA as well. The providers mentioned are Auth/Google Auth, Yubico, Duo, WebAuthn, and email.


It does have 2-factor in the paid plan.


I am having a great experience with KeepassXC and KeepassXC-browser. I sync my password database via Seafile, which is hosted by Your Secure Cloud. And I use Strongbox on iOS.


BitWarden. Have been using for 3+ years now (Prior used LastPass).

BitWarden:

* Open-Source

* Affordable pricing

* Good, working browser extensions and desktop app


I used LastPass for a while too, but I then switched to KeePass, using Syncthing to have a single db. At first that was great, but after a few save mistakes, and a slight change in need, I've switched to a hosted bitwarden (using vaultwarden).

I've not had a single issue with it since, it's fully compatible with the official bitwarden app (which works rather well), and is much easier to use when other people in your household also need to manage their passwords.

Point of note: the Android app syncs the database locally, and can be accessed/used/exported even offline, which is very, very reassuring in case of server/network failure.


I use KeePass and then several different UIs, based on the platform. I store the KeePass in my favorite cloud drive so I can use it from wherever.


Where do you store the password for your "favorite cloud drive?"


Same, but I switched a while ago to using Syncthing for the database instead of cloud storage.


If you're going to be paying a subscription anyway, I've been using 1Password for 2.5ish years pretty successfully.

It's also recommended by Troy Hunt, who has a reputation at stake in all of this, since he runs stuff like https://haveibeenpwned.com


Former LastPass user (2+ years) and current 1Password user (2+ years).

There’s no looking back. LastPass was buggy and the UI ugly. That was fine when it was free but when they went to fee based for cross platform support we switched the whole family over to LastPass. Everything works, is pleasant to use, and no slimy tactics.


Another vote for BitWarden. I used LastPass for many years, and jumped ship when they were acquired. I've been using Bitwarden for a few years now and really like it.

Importing from LastPass was easy.


Exactly my experience as well


LastPass has become garbage since it was purchased by LogMeIn (or whatever parent garbage company owns them these days). I can't comprehend why anyone would use them.

I can only personally recommend Bitwarden instead - it's open source and can never decrypt your passwords on prem. Browser plugin, mobile app, enterprise versions, etc. It has it all, and hasn't been a cunt to its users from day 1.

Also, unlike LastPass, they haven't been hacked multiple times. I cannot comprehend why anyone trusts them with their passwords - the company I work for included I'm afraid.


I use Firefox / Safari built-in password management. I do not know how secure they are but no issues in 10+ years and I certainly have access to all passwords in my keychain/account. Not locked behind some corporate service. They are saved locally.

Both easily generate long random passwords, etc.

For me this is a solved problem (until Firefox's service is hacked, of course) to the point that my real pain point is remembering the random strings I use for "security question" answers. For that I use a KeePass database. But I wish FF/Safari would see the need and add security question fields to their management.

No way am I giving real information for those. Why yes my mother's maiden name is cd559b1085b94b2dad32bb9e458e2422 so sorry to hear it was leaked, SONY.

https://en.wikipedia.org/wiki/2011_PlayStation_Network_outag...


I use a password manager(Bitwarden) to:

1. avoid vendor lock-in (if I want to switch browsers I can, or switch from iOS to Android)

2. enable portability, with passwords not just being available locally requiring manual migration to other devices

Do you have problems/qualms with the above just using browser password managers?


Isn't this difficult to manage passwords in apps other than a browser though? Plus, I use 1Password to store other sensitive data like SSN etc.


not really, on desktop I can just go to firefox menu | passwords and search/view/copy any of my saved passwords

on android, firefox can autofill passwords in any app


I just tried exporting my LastPass database without any issue.


Keepassxc + syncthing. Password managers are too important to rely on someone else's computer.


The problem I had with LastPass is that if you have any billing problem then you're immediately kicked down to the free tier with all the problems that entails, including loss of access to regular support. Worse, they had a bug that prevented me upgrading back to premium with new payment details. The special contact form for billing support was non-obvious and they were not especially prompt or helpful. I've since migrated to BitWarden. No problem exporting, thank goodness, but it wouldn't have surprised me!


This is exactly why I switched to another password manager when they announced LogMeIn had bought them.

Same gross tactics and lock in. IIRC LogMeIn refused to let me delete my credit card details or cancel my plan and their “support contact” was completely unresponsive.

Can’t remember if I just used fake card details or blocked the transaction by locking/cancelling the credit card but it was a real nightmare.


I had ten years prepaid premium on LastPass, being an early adopter (it was a good product and a good price at the time).

After they were acquired, LogMeIn was quite happy to charge my credit card for the premium service, for several years running. Never did get a refund.


Root cause of this issue: export is only possible from the desktop browser plugin, but lastpass locks free users to either desktop or mobile. If your account is locked to mobile, you can't export your passwords.

I have another related issue: it is not possible to export your TOTP seeds from lastpass authenticator.

I contacted the lastpass/logmein DPO, which (in my case at least) got forwarded to their generic support-by-email. They were slow to respond, and eventually claimed they could not export my one time passwords because they are encrypted. This is obviously false, they can decrypt the data just fine (I actually switched to a new phone, authenticator data got synced as you would expect). And other apps such as Google Authenticator allow you to export your data.

I filed a GDPR complaint with my national Data Protection Authority, which after a long response time got accepted, and is now forwarded to the Irish DPA.

If you want to assert your rights, contact Lastpass/Logmein at privacy@logmein.com or via their support page [0] (from their privacy page [1]), and demand access to your data. If they refuse, or do not respond within 30 days, file a complaint with your DPA [2], with proof that you requested your data but got denied.

[0] https://support.logmeininc.com/contactus

[1] https://www.logmein.com/nl/legal/privacy/international#right...

[2] https://edpb.europa.eu/about-edpb/about-edpb/members_en


The complaint page for the UK's national data protection authority, ICO: https://ico.org.uk/make-a-complaint/your-personal-informatio...

The contact page for the California Privacy Protection Agency: https://cppa.ca.gov/about_us/contact.html

The contact info for the national data protection authorities in the EU, Iceland, Liechtenstein, and Norway is linked at [2] in the comment above.


I had issues exporting my LastPass database to a CSV file a couple of weeks ago from a browser (no plugin installed). They seemed to render the CSV data inside a <pre> tag in an HTML page (I have no CSV browser plugin installed). I had to copy the text manually from the HTML source and paste/import it in another password manager.


This company is so rotten. Just look at their recent track record showing pure user hostility. Why is anyone still using them?


> This company is so rotten. Just look at their recent track record showing pure user hostility. Why is anyone still using them?

Inertia. Lastpass still works, and frankly it's not high on my list of priorities to research and switch to a new password manager. Some people have time to obsess over this stuff, I don't anymore.

And frankly, data export barriers wouldn't be a difficulty for me (I wouldn't mind re-keying stuff if that's what it took, and that's what I did to get my passwords into LastPass). Deciding on a direction is way more work, and that's the real barrier.

Also, it's kind of pointless. The alternatives will almost certainty be some open source thing with major UX friction and personal maintenance burden, or some for-profit service that will eventually be corrupted in exactly the same way as LastPass has.


> Just look at their recent track record showing pure user hostility. Why is anyone still using them?

Because I've managed to miss any news damning enough to make me decide to switch.

It's possible that either:

a) I've overlooked something

b) You and I have different priorities

c) You're being hyperbolic.

I genuinely don't know which but your phrasing and tone makes me lean towards (c)

The internet is full of people shouting "God. [Company] is the worst!" - if you want to be persuasive then it's probably better to not sound like them.


You can lean towards C all you want and I admit my phrasing and tone will come across a certain way, but the track record isn't hard to dig up if you just take a cursory look.

Let me give you this site's own experiences with the company.

https://www.google.com/search?q=lastpass+site:news.ycombinat...


Probably because they make it hard enough to leave so that the majority of end-users just swallow the pill


Any subscription based password manager is holding your passwords hostage. Not sure why this is news.


I was just able to export mine.

As some have said the web export gave a truncated set. However the chrome browser plugin export function worked just fine and gave me a full export from two separate accounts.

This included one account that was seemingly locked in the web browser because I had cancelled my subscription and was locked into a re-subscribe page with no other options to proceed that I could figure out.

Just painlessly (finally) deduplicated my pwds in excel and imported to a bitwarden family plan. It's been so painless. The features I'm seeing make me fairly certain I'll be paying for a family org plan.


The export works fine, I just did it about a week ago.

Lies, on Reddit? Shocked pikachu face.


I was removed from a team account, after that I could no longer access my account until the company reinstated me temporarily. Very weird behavior because it was a private account first.


If you used the same email account I think that's expected behavior.


I've been paying for one license of LastPass to use on multiple computers and phones since 2012. Never any problems. What the heck are y'all doing with it that makes it so unreliable for you?

The only problem I have is that my iPhone 7 doesn't always detect my USB-C YubiKey NFC, but I think that's a YubiKey or iPhone problem.


One more to add: Not only do they limit switching between phone and desktop, if you request desktop site on a phone you get a css render salad.

Got mine exported during the recent scare without too much pain.

But yeah - going to move away from Lastpass. Everything about them seems to be going sour fast


I'm glad I can point to things like this after years of telling people to drop logmein jr


> If this is true, they are in major violation of Article 20 of the GDPR.

I honestly have no idea how the GDPR got implemented. A true policy that actually benefits the citizens of Europe, in a world where most policies are to screw over everyone but the rich.


Here's a hint: non-compliance is basically a finger wag, perhaps a slap on the wrist in the most extreme case.


Well, Amazon got a €750M ($850M) slap on their wrist, which while not sufficient to put them out of business surely must have hurt someone's feelings (not to mention their bonuses...)


Look at the examples yourself, to form an opinion: https://www.enforcementtracker.com/


Last time I checked (a couple years ago), the only seemingly trustworthy password managers were 1Password and pass. Has this changed?


How is 1Password more trustworthy than opensource and "audited" Bitwarden?


Members of the security community whom I trust gave their recommendation to those two products and went out of their way to suggest not using other products. I trusted that advice and picked 1Password. Also, AFAIK, even though 1Password is closed source, it has been audited.


So a company that requires users to trust them decides to be sneaky and untrustworthy.

I just got a strong incentive to check out the competition.


All it takes is for someone to write a little chrome extension to export everything and import it into competing software...


> All it takes is for someone to write a little chrome extension to export everything and import it into competing software...

Though it would be foolish to trust such an extension, given the existence of practices like extension hijacking. I'm sure someone could make a lot of money with a "secretly export LastPass passwords to attacker" extension.


So happy I jumped ship to a different password manager and got away from this dumpster fire


Maybe they should just change their name to LostPass and everything's fine again


I recently exported to Microsoft Authenticator/Edge without any trouble at all.


> If this is true, they are in major violation of Article 20 of the GDPR.

Is this reasonable, or trying to whip up resentment based on speculation? It partly feels questionable because the author is a US resident, and the company is a US company - of course that’s no reason not to discuss/comply with GDPR - but paired with the lack of specifics and the explicit speculation with words like “appears” and “likely knowingly” that have no accompanying proof, it feels like more hit piece than valid legal concerns.

There may be real, valid, and large reasons to have resentments here, I have no opinion on that. But LastPass doesn’t necessarily “have” everyone’s passwords, because many are encrypted and LastPass can’t decrypt them.

Does article 20 really apply to data encrypted such that the company has no access? That seems unlikely. Article 20 might require that LastPass export someone’s user profile and credit card information, but it was not designed as way for people to demand UI features they want or force companies to offer service for free, right?


If they're storing the encrypted data on your behalf then they should be able to provide that, plus instructions how to decrypt it.


Sure, but are they truly compelled by EU law to do this for people in the EU, to export encrypted data? GDPR applies to PII, and encrypted data the company can’t access is not personally identifiable information, and the company doesn’t necessarily “have” the unencrypted data. It seems like Article 20 does not automatically apply here. (This all aside from the question of whether GDPR applies to Americans using American services.)


That's why I never used LastPass and never will. KeePass ftw!


I just exported all of my passwords using only the extension.


The reddit post specifically mentions this

>- Only making the export function available via the desktop browser plugin, despite locking peoples accounts to either Desktop or Mobile after 3 switches between these platforms.


Oh, I misunderstood that statement. The browser extension works perfectly fine on my computer, which is not what I would call a "desktop browser plugin", especially for software that at one point actually did have a desktop browser plugin but, afaik, does not anymore.


So glad I switched to pass years ago


vi ~/.passwords.txt

... problem solved


Glad I dropped them as soon as they made the change to limit the number of connected clients behind a paywall. Changed to bitwarden. Same functionality (at least for my uses) free and with the option of you spinning up your own server for your personal use (versus the cloud option).


This is going to turn into a thread full of recommendations for PW managers before long, so here's my plug for Bitwarden.


I use Keepass + Onedrive sync (Windows + Android). It's been working well for many many years and I see no reason to switch.

If I had to recommend a pw manager to someone I'd probably suggest they just save them in-browser, and use the same browser (Chrome/FF/Edge) across all their devices. Chrome has a pretty good password suggestion feature. Other browsers are probably not far behind.


I switched. Bitwarden just seems easier to use. Every time I install Keepass on a new computer I have to spend 15 minutes remembering where all the options are to configure it. Bitwarden feels more like a vault of information while Keepass seems like you gotta fight it to be anything other than URL-username-password.

To be honest though I'm still not 100% moved over, and may never be. I doubt I'll need to transfer the login to the public library from a town I lived in 10 years ago.


Came here to say the same thing. Been using Keepass for years without any issue and won't switch. I started using it quite a while ago after someone on here recommended it and haven't looked back since.


Ditto. Keepass + drive sync and I have zero issues and feel like it's a pretty secure system.


Doesn’t chrome store passwords in plain text? Also, a proper password has the advantage of working outside of the browser on android/iOS.


As the sibling comment states, it's not stored as plain text.

You're right that external storage lets you use it elsewhere, but IMO using keepass has a lot of friction I personally don't mind but wouldn't initially recommend to most people. Browser password storage fills 99% of most people's needs.


Bitwarden is good for this. I use the browser extensions on desktop and the apps on mobile. It's my go-to recommendation.


They did at one point but not anymore. But either way any password filling is as secure as plaintext since it's pasted as plaintext, and you can just edit the DOM after it's filled.


Same, though I use Resilio Sync instead. Can also use SyncThing.


The last time I checked, Bitwarden would fill a password into an iframe even if the iframe is for a different domain than the parent. This came up in one of their security audits and changing it was argued against.

This has security implications and is what cautioned me against it.

Other password managers don't do this and look at iframe domains before filling them in.

Am I missing something?


Can you give an example of a well known site that does this? Curious to try this out for myself.


I use pass. The provided password manager in linux. passmenu provides a great workflow for inputting the passwords.


I really like how pass saves passwords as a gpg file, so when you sync with a cloud provider you can see specifically what passwords are being synced. When you store everything as a single database file, not only does sync not show you differences, but you have to resync the entire DB file each time you change something.


Pass, the piece of software that, per line of code it possesses, has improved my digital life more than any other. A true gem!


Something that I believe should be added to this thread would be utilities that can take the LastPass export and transform it into structures that other pw managers can easily recognize and import.

Here [1] is an example of migrating passwords from LastPass to KeePassXC. Does anyone have more examples like this for other pw managers?

[1] - https://blog.paranoidpenguin.net/2018/12/migrating-from-last...


When I migrated from Lastpass to Bitwarden, I was able to import the Lastpass export without any transformation needed, if I recall correctly.


KeePass and pass use fully open database formats. (I like MacPass, KeePassHTTP Connector, and Keepassium.) Enpass uses a well-documented database format based on SQLCipher/SQLite (albeit not fully open, you have to piece it together from the white paper and forum posts). They are all local-first, so you own your password information.

I have no reason to believe BitWarden would try to hold my passwords hostage. But I prefer the solution where they can't.


Gonna put a vote in for KeepassXC (and in general the Keepass family of local-first PW managers).

You get full control over how to handle multi-device synchronization because it doesn't attempt to do this at all...


Do you have experience with it working on android? It seems Lastpass is only semi reliable with how android allows autofilling fields in.


I especially recommend Vaultwarden, the community-developed self-hosted backend.


I use iCloud Keychain because Apple is not in the business of making money off a password manager. They charge me more via their hardware sales scheme but at the end of the day it’s a good experience overall


The older (and busier) I get, the more I'm willing to put up with a walled garden that just works.

Apple is not (always) a good actor; they've been caught intentionally degrading the performance of older hardware, in order to increase sales of new hardware. But, they seem very keen on maintaining the privacy and safety of their users, which is true of essentially no other tech company on the planet.

I'm still not all-in on the Apple ecosystem, but stuff like this always makes me pause.


Strange - the fact that Apple is not trying to make money from passwords seems like a good reason NOT to use it. Though I don't have much experience with keychain so I can't comment on that specifically. (I do have a lot of Apple devices I like though).

I feel more comfortable when a company is trying to earn my money by delivering a good product with good service. Of course that doesn't always work out, but I feel it's a better shot.


Well, Apple isn't directly making money from selling subscriptions to the iCloud Keychain, but it's a fairly important factor in making iOS and macOS straightforward to use for many people (including me). So the indirect business case for keeping it around and performing well is pretty sound.


Can you share passwords with iCloud Keychain? I ask because I heavily use the family vaulting in 1PW to share common passwords amongst family.


Sharing is available only via AirDrop. You can copy the password too. But no "shared password".


A solution that isn't cross-platform at all. Non-starter for me.


They have a Windows app. I only have iPhone, iPad and Mac so not sure how good it is.

https://support.apple.com/guide/icloud-windows/set-up-icloud...


I see your point, and if I were (say) a Linux user I of course wouldn't use iCloud. But as someone whose entire digital life is on iOS and macOS, it doesn't bother me that it may not work (or work as well) on other platforms.

