64 votes

LastPass users locked out due to MFA resets

53 comments

  1. [15]
    devilized

    I can't imagine why anyone would've stayed with them after their poor handling of the latest security breach. Like many others, I also switched to BitWarden and my only regret was not doing it sooner. I actually pay the $10/year for premium because I wanted Duo support and the service is absolutely worth that cost.

    61 votes
    1. [11]
      cfabbro

      Simple. Family. I pay for a family plan, which several (less tech-savvy) family members use. It was hard enough convincing them to actually use LastPass, teaching them how to use it, and use it consistently so they would finally stop reusing the same passwords over and over again on every site. And I just don't have the time or energy to convince them all to switch password managers now, and then teach them how to use those new apps.

      Is LastPass perfect? Far from it. Does it work good enough? Yes. Is it better than my family reusing passwords and constantly getting their accounts compromised, which I then had to sort out for them? Absolutely.

      20 votes
      1. [2]
        actionscripted

        I might suggest 1Password if you ever want to move. Family-friendly and super affordable.

        25 votes
        1. NaraVara

          I agree with this @cfabbro. If it was just me I’d roll KeePass, but 1Password is extremely intuitive, their family plan is pretty cheap as long as your family is fewer than 6 people, and they’re a much more trustworthy and well run company than LastPass. My only complaint is that they sunsetted their native Mac app and replaced it with an inferior Electron app (blegh). But I think only I care about such things.

          11 votes
      2. [5]
        devilized

        I think the hardest part about adopting a password manager is actually adopting the first one, teaching the benefits, and getting into the habit of using it. Your family likely now sees the value in using a password manager. The pains that you speak of seem mostly behavioral in nature, rather than about the tool itself.

        The cutover to other services is very simple - export from LastPass, import to the other service. And since you're paying for the service, and you're the resident expert in this area, you call the shots. I host an email / Google Workspace domain for my family. And when Google was going to kick everyone off of the free tier and force them onto a rather expensive paid tier, I had simply told my family "Hey, here's what's going on, we're going to move to X service. Here's what to expect."

        I think that the LastPass product itself is fine - I used it for 6 years. But I lost faith in the security company's ability to appropriately handle a major security incident.

        7 votes
        1. [4]
          cfabbro

          I think you seriously overestimate some of my family's abilities when it comes to using technology. :P Not all of them live near me either. So, even from a logistics perspective, teaching them to use any new app wouldn't be quite as easy as you're suggesting. And even should I start trying to move them over to a new password manager, I would likely have to pay for both services for several months (at least) until I manage to get them all familiar with the new apps/extensions. And, to be totally honest, I frankly just don't care enough to go through with all that. LastPass is fine. It works for them, they're using it, and I've never run into problems with it, nor has any of my family.

          9 votes
          1. JCPhoenix

            Same issue here. I got my mom to use LastPass about a year or two ago. Luckily, one of her coworkers was telling her about password managers, so she got interested in them. But it was a slog to get her using the thing properly, especially since she's mainly a mobile user (and I'm not).

            I moved over from Lastpass to BitWarden last year after all of LP's fuck ups. I work in IT, so it was an easy move for me (though there are still some things that I miss from LP; maybe I just haven't found the right settings). I advised her to move over to BW, but knew that was going to be a struggle. I live in the Midwest; my parents live in the Southwest. My dad could help her, but he won't. He works in IT, but admittedly is an idiot when it comes to end user stuff. My brother recently moved out there; he's not in IT, but he's capable enough. But I know he also won't help her.

            So I just told her to change all of her most important passwords, like financial and email passwords, and of course the LP master password. Figured that that was better than nothing.

            I've done as much as I can. And as much as I'm willing. Probably better for her to be using LP than just the same 5 passwords over and over, anyway.

            5 votes
          2. devilized

            Fair enough! As the tech support person for my family, I totally sympathize with this. And, this answers the question of why people still are still using the service :)

            2 votes
          3. jackson

            Totally empathize with that sentiment, but I don’t think I could consider LastPass “good enough” at this point. I’m typically a bit more paranoid about security than average, but I have yet to see evidence that they are competent enough to be trusted with what are essentially the keys to my identity and my life.

            I’m traveling at the moment and realized how absolutely fucked I would be if I lost my phone since 1Password has all of my information and I don’t have my secret key memorized (yet!). I don’t think a thief would be able to access my 1Password vault but I need it to access just about anything. If someone got a hold of my primary vault, it’s essentially game over–I’d be playing disaster recovery for a very long time. Fortunately some accounts of mine are only accessible with a FIDO key.

      3. [3]
        pyeri

        One of the simplest solutions for the family kinda users is to teach them how to use the built-in password managers of chrome, firefox, etc. Of course, this requires sticking to the same browser on all devices but is a neat and simple solution without needing any third party extensions.

        2 votes
        1. [2]
          BattleRats

          I honestly wouldn't rely on that. Not for any security reason either. Simply put, I don't know any of my family that could tell me the difference between Edge, Chrome, Firefox, Opera, Safari, etc. OSes have a habit of changing and/or forcing certain links to open in certain browsers. Once that happens at a moment I'd rather be sleeping, I'll be getting a call asking why their browser doesn't remember their passwords any longer.

          Teach them to use a specific app (like Bitwarden) and they will always look for that app. Also allows them to change ecosystems with ease. Don't have to worry about porting all your passwords from chrome on your android phone to safari when you switch to an iPad. You just drop the app on the device and it just works.

          Certainly, you could just use browser password storage. I just look for the path of least family tech support.

          1 vote
          1. MaoZedongers

            Man, I'm glad I don't have anyone that tech-obtuse.

            I just use Firefox for all my stuff and then write down physically anything not based in a website.

            Anyone who wants my help with their computer is going to use firefox because I absolutely hate chrome.

    2. [2]
      st3ph3n

      The combination of their security breaches and jacking up their subscription price made me jump ship to Bitwarden a year or two ago. I have no regrets.

      Everything that LogMeIn touches turns to shit.

      7 votes
      1. devilized

        Ahh, yeah I forgot about the price nonsense. When I started using that service, it was $12. Then it went to $24 and eventually $36 with no meaningful feature upgrades. The only reason I stayed with it as long as I did was because I had bought several years of subscription when they announced the first price increase.

        2 votes
    3. paddirn

      Same. I can't remember when I made the switch, probably a similar time frame and I haven't looked back, it works great. I hadn't realized they had a Premium option til I saw your comment and might go for it, just because of how useful it is and how cheap it seems, though I honestly don't even know if I would have use for all the other features that they have. I'm probably not even using the Free account to its full potential now anyways.

      1 vote
  2. [9]
    GogglesPisano

    I've been using KeePass (free and open source) for years. I keep my KeePass password database on Google Drive, synced between three PCs (one Linux, two Windows), my tablet and my phone (both iOS) and it's worked great for me.

    19 votes
    1. smiles134

      I also use KeePass, but I keep it locally on my main desktop and then use Google Remote Desktop to connect when I need it on another computer.

      6 votes
    2. TMarkos

      KeePass is where it's at. Simple, open-source security is usually the best solution.

      5 votes
    3. [3]
      dave1234

      KeePass is fantastic.

      On the Desktop, I use KeePassXC. It's a third-party, cross-platform client with additional features.

      On Android, I use Keepass2Android.

      I keep my password database synchronised across all my devices using SyncThing, which is sort of like having your own peer-to-peer Dropbox or Google Drive. This way, my passwords are never stored in the cloud.

      Sure, my password database is encrypted - but if it's never stored in the cloud, I don't have much to worry about in the event that a serious vulnerability is ever discovered.

      3 votes
      1. [2]
        Carighan

        > I keep my password database synchronised across all my devices using SyncThing, which is sort of like having your own peer-to-peer Dropbox or Google Drive. This way, my passwords are never stored in the cloud.

        Is one of your devices always away from home? Or how do you handle the case that you have a house-fire or something, which to me is the primary reason I want a cloud backup for a few files and folders?

        2 votes
        1. dave1234

          My phone is always on my person, so I'm not worried about a fire. I also have some backup copies stashed around. They aren't updated frequently, but they're up-to-date enough for me to be able to recover everything important.

          1 vote
    4. oracle

      Yep, I’ve been using KeePass for 10+ years now. I have never regretted it.

      2 votes
    5. gco

      I was using KeePass and moved to KeeWeb. It's basically the same but KeeWeb is capable of reaching out to cloud services to fetch and update the database file so I don't need to worry about syncing to multiple devices.

      2 votes
    6. Carighan

      Same. I use OneDrive but same difference.

      By far my favorite solution, on desktop I use KeepassXC for my client, on mobile I got KeepassDX.

      2 votes
  3. [5]
    julesallen

    Oof, that sucks. Have been completely happy with Bitwarden and it's been solid if you are looking to leave.

    Also a big fan of multiple MFA services for backup reasons, Bitwarden has it built in*, and something like Authy is a good fallback (and syncs between multiple devices).

    edit: * I just learned that it's not in the free version, to do MFA you have to pay some money. Given that it's $10 a year it's a worthy microsplurge.

    17 votes
    1. [4]
      Tanglebrook

      I left LastPass years ago after the first security breach and chose BitWarden as well. It's incredible. The free tier is all most people will need, so it's definitely worth checking out if you're still stuck on LP for whatever reason.

      15 votes
      1. millions

        I didn’t even know there was a paid bitwarden tier, what does it have?

        2 votes
      2. cokedragon

        Same here. Former LP user who left for BW after that first big breach. 100% solid alternative.

        1 vote
      3. julesallen

        The free tier does all I need but I like to pay for things that work well. $10 a year is a sweet deal for such a well designed piece of software!

        1 vote
  4. [13]
    UNO

    Those people should have been moving password managers and changing passwords after LastPass got hacked. The data was encrypted but still.

    Also never have the Authenticator and Password manager with the same company or/and app. But that's just my opinion anyways.

    Use Authy or the new Google one that finally doesn’t fuck you over if you change phones.

    13 votes
    1. [2]
      Minty

      Or like a KeePass + Aegis combo.

      5 votes
      1. arctanh

        Are you me? This is the exact combo I use and, minus some pains keeping passwords between phone and PC up-to-date (for which I use Syncthing), it's been working great!

        I've also learned that you can use KeePass to set up OTP/2FA. I know that defeats the purpose of having separate 2FA and password management apps, but I've found that the convenience sometimes outweighs the lessened security. I actually have all of my authenticator secrets also in Aegis. That's where they go first, in fact.

        3 votes
    2. [5]
      merry-cherry

      No online password manager is going to fare any better. Are you just going to jump around services every time there's a breach? Yes, losing the data sucks, but the data was secured. Every company that holds data is vulnerable. It's not a matter of if but when they get hacked. The most important part is that the data is encrypted at rest.

      The other solution is a self managed keystore which is all fine and dandy, but you can't easily use those as a family or on mobile. And if you say, "well put it on dropbox" then you've completely negated the security advantage you had self managing it in the first place. Dropbox is just as vulnerable to data breaches.

      5 votes
      1. actionscripted

        > No online password manager is going to fare any better.

        1Password hasn’t ever been hacked and while you can’t speak for all personal instances it’s my understanding the BitWarden hasn’t been either.

        I get the sentiment about nothing being perfect but there are options that are better than others and LastPass has a terrible track record.

        16 votes
      2. ZarK

        Alas, the data wasn’t secure. There are a ton of issues with their security.

        1. Even if you changed master passwords, they never changed the iterations. This makes it much easier to crack the leaked vaults.
        2. If you had linked your personal account to a business account, so that you always only log in with the business account, it turns out that the personal account still lived with the old master password with the old iterations from before you linked the accounts. These kinds of vaults with less security were part of the leaked data.
        3. A ton of fields were unencrypted, like the URL for each password and the account name and email address for Lastpass, which will be the same as the user name for many passwords. Regardless of how good your security was, the hacker now has your name and email and every URL you have registered an account at. This is very sensitive data in a lot of situations for a lot of persons - politically, sexually, religiously etc. There are a lot of possible attack vectors in blackmail, phishing etc. from this data.

        LastPass 100% misled in their communication about the incident and absolutely cannot be trusted with your data.

        13 votes
      3. UNO

        They haven't had the best track record and waited like a month to tell people they'd been hacked.

        People are free to pick whatever they want, but this wouldn’t be my choice.

        6 votes
      4. TurtleCracker

        I left LastPass after the latest round of breaches. I did not leave because the breaches happened - I left because of the communication about the breaches.

        Communication was slow, opaque, and consistently played down the severity of the issue. Everyone can, and probably will be, hacked. What matters is:

        1. How quickly you detect and respond to the hack.
        2. How you communicate with impacted users.

        3 votes
    3. [5]
      MartinXYZ

      Google has a new one? Or did it just update the existing one to not fuck users over?

      2 votes
      1. [5]
        Comment deleted by author
        1. [4]
          MartinXYZ

          I don't know how long ago this is supposed to have happened, but I can't remember the icon being anything but that capital G that kinda looks like a stylized safe dial. Is that the new icon or do I still have the old version?

          Edit: oh, I found an article about it: https://9to5google.com/2023/04/24/google-authenticator-sync-new-icon/

          ...I guess I still have the old version but it does say it's syncing to my Google account. I'm super confused.

          Edit2: well done for confusing myself! I forgot that I have a custom icon pack installed, so it's just the icon pack that hasn't been updated with the new icon.

          4 votes
          1. [3]
            Halio

            > Edit2: well done for confusing myself! I forgot that I have a custom icon pack installed, so it's just the icon pack that hasn't been updated with the new icon.

            I hate when I do stuff like this to myself, wonder why I have X issue and then realize it's because a setting I changed months before..

            3 votes
            1. MartinXYZ

              Oh, the perils of being a tinkerer 😉

              1 vote
            2. MartinXYZ

              Looks like my custom icon pack got updated! Google Authenticator now has a new icon 😀

              1 vote
  5. [2]
    actionscripted

    > affected customers cannot seek assistance from support since reaching out to LastPass support requires logging into their accounts which they can't do because they're locked in an infinite loop of being prompted to reset their MFA authenticator

    This has to be the second most frustrating part behind being locked out.

    It’s hard to tell from the article but it sounds like if you use a web browser you can reset and get back in? Or is the website also having issues?

    8 votes
    1. notnamed

      I won't comment on the main topic of the thread due to a conflict of interest, but the article describes both that this procedure requires logging in through the web browser in order to kick off the reauthentication process, and goes on to describe people not receiving the described location confirmation emails as well as people getting stuck in a reauthentication infinite loop. I believe it is the case that what the article is describing is entirely the website having issues for some people, as when your account is in this state you cannot access your account using any other client.

  6. mailerdaemon

    Consider this your weekly reminder to quit using LastPass. Bitwarden does everything LastPass does - but better, and it is free, and gives you the option to self-host.

    4 votes
  7. TurtleCracker

    I have zero regrets about moving my family from LastPass to 1Password. It was easy to setup.

    We've implemented new password hygiene habits as part of the LastPass issues. Sort by last modified and look at the oldest two. Evaluate if the account is needed, if it isn't - delete it. If it is, reset the password. We do this monthly now. Takes less than five minutes.

    3 votes
  8. [5]
    pedantzilla

    Everybody keeps talking up Bitwarden -- I don't have an opinion about its functionality, which by all accounts is pretty good, but the dealbreaker for me is that they require you to create an account with them even if you have no plan to use their subscription or cloud services (both of which are also dealbreakers). There's no valid reason at all that should be necessary, and that makes them inherently untrustworthy.

    I hear good things about KeePass but iirc last time I looked they didn't have a browser plugin, and their Android support was less than stellar. Years ago I settled on Enpass, which has all the functionality I'm looking for w/o all that subscription/account nonsense (or rather, it's optional instead of required), and I've been pretty happy with it.

    1 vote
    1. [3]
      Comment deleted by author
      1. [2]
        pedantzilla

        > I find it a little odd you draw the line at cloud storage but are okay with Enpass being closed source and going years between security audits.

        Basically my threat profile doesn't include "I have to worry about third parties having unlimited access to my devices in order to break some potential vulnerability in an otherwise established product." Sure there are potential scenarios where that might happen, but given other security precautions I take the probabilities of those scenarios occurring are negligible (YMMV of course). Enpass has been audited, several times and relatively recently, and after accounting for my threat profile the only real criticism I've come across re: them being closed-source is the borderline-racist accusation that being an Indian company makes them untrustworthy. I don't find them any less trustworthy than Microsoft or Apple. They don't store or transmit my data, so generally-speaking I only have to worry about what it does on my devices - and there've been no reports that I've seen of their software doing anything shady or unexpected on users' machines (which is not the case with MS or Apple).

        > I wasn't about to fork over $24/yr to be able to access my own passwords from my own device especially if I was the one responsible for keeping my password database synced.

        I am 100% on-board with you on this, and if I had no other option but to use their subscription service then I would find an alternative. But they also have the single-purchase lifetime license, which I purchased (and for less than their current price - I don't remember now if that was because of how long ago I purchased it or if I had some discount), because for me the price was worth it.

        > You can self-host Bitwarden...

        Yes -- Bitwarden has great functionality by all accounts, I don't dispute that. But you still have to sign up for an account with them just to install it, which is totally unnecessary and therefore a shady business practice in my book.

        Cloud-synced password managers are what is popular...

        True, you make a lot of good points. But my problem with cloud services is that all "cloud" means is "somebody else's computer," which, yes, has benefits, but also has many drawbacks, some of which frequently make headlines but those aren't the only ones I have issues with. Personally (again, YMMV) I don't find those benefits to be worth the potential cost.

        2 votes
        1. [2]
          Comment deleted by author
          Link Parent
          1. pedantzilla
            Link Parent
            Again you make a lot of really good points.

            Don't need unlimited access - only short enough access to copy walletx.db...

            Totally true - in my mind that's mitigated somewhat by the attacker having to know which pwd manager I'm using and where the data file is stored, but there are probably easy ways around that (security through obscurity being one of the weakest forms of security, after all), and more so by the fact that there are very few scenarios in my threat profile where that level of attack is at a probability worth considering.

            Also I can see how "any physical access = compromised" can be valid, but my impression is that's more the case with a higher-security/threat situation than I (normally) have to deal with. I will also readily admit that just being connected to the internet elevates that risk and exposes vulnerabilities, and I'm relying on the security of firewalls/antivirus etc to reduce that.

            I hate to nit but it has only been twice now - not several times - and only the Windows client and Enpass API have actually been audited twice.

            Good points, I didn't really get into the details of it and didn't understand at all the issues re: audit and the different platforms, so thanks for that information.

            ...registration of self-hosted servers would be justified as a useful security feature to alert users of vulnerable server versions to update if a vulnerability is found in the version they are self-hosting. And that turns out to be one of the reasons mentioned in their FAQ about why registration of an account is required even for self hosting.

            I stand corrected that that does seem like it might be a valid reason. However that also seems to me to be really more of a PR cover for their real reason, which is also in the FAQ: Validate licensing of paid features. In plain English this means they can deactivate your copy of BitWarden at any time for any reason. There might be a low probability that this happens, but companies do that kind of shit all the time and that's not a threat I want to add to my profile. (edit: thinking about this more, I may be misinterpreting how their license validation works, but really I'm not interested enough to dig into it; it still seems unnecessary).

            I just found it interesting because most people who are against cloud services are equally as against running anything proprietary/closed source. The overlap between the two groups is almost a perfect circle.

            It's funny you should say that, b/c I have been moving into more open source alternatives (on Linux now but was a long-time Mac user, then Windows, and of course have to use Windows professionally for a host of reasons). But security is a situation-based continuum of threat balanced against usability, and I like to think I take appropriate precautions for my various use-cases. I could be wrong...

            2 votes
    2. [2]
      dave1234
      Link Parent
      KeePass can almost be thought of as a family of products. The original KeePass client is still actively developed, but it's Windows-only and doesn't support certain modern features like browser extensions.

      For clients with browser integration, check out KeePassXC (Linux, Mac, Windows), and Keepass2Android (Android). They're both compatible with the KeePass database format, but not affiliated with the original KeePass project.

      1 vote
      1. pedantzilla
        Link Parent
        That's good to know - like I mentioned it's been quite a while since I looked into KeePass, and I'm not surprised it's continued to develop in its various branches.

        Thinking about it more, the other issue I remember having w/ KeePass was it was going to be a huge headache transferring my old Mac pwd manager info into KeePass. I don't even remember anymore which manager I was using, but it wasn't one of the big ones so there was no auto-transfer option; the only option was export/import as CSV. KeePass wasn't reading the category headings correctly and when I looked at the CSV and how KeePass was translating it I would've had to do quite a bit of manipulation of hundreds of pwds to beat it into shape. I may have ended up doing that anyway w/ Enpass (my memory is a bit fuzzy on the details now and it's quite possible I'm just blocking out the pain points), but with the other functionality issues it wasn't worth it for KeePass at the time.

        1 vote
  9. fineboi
    Link
    I’ve been using iCloud passwords. Never really seen the benefit of using an outside application.

  10. GreasyGoose
    Link
    I think it was either after the 1st or 2nd breach years back that I jumped to 1Password, somewhere in the 5-6.0 range. I get it, they've gone SaaS like everything out there nowadays, but hell, it's as turnkey as it gets. A lot of people don't like that they're pivoting hard towards the enterprise market, but I think that'll make them innovate even more and take security even more seriously vs LastPass. So far, I'm happy, but like most, I'm also getting subscription fatigue as well.