23 votes

LogMeIn (owner of LastPass, GoToMeeting, GoToWebinar, OpenVoice and join.me) is being acquired by private equity firms for $4.3 billion

20 comments

  1. [19]
    liGF8qkq
    Time to leave LastPass. Best alternative?

    9 votes
    1. [4]
      Deimos
      I left it for Bitwarden a few years ago (when they were acquired by LogMeIn in the first place), and have been happy with it. It will probably depend if there are certain capabilities you need, but Bitwarden's been great for me.

      20 votes
      1. VoidOutput
        I've switched from LastPass to Bitwarden as well, about a month ago. Better compatibility with some apps on Android, better website (IMO).

        5 votes
      2. zptc
        Also chiming in for Bitwarden. I'm not a super power user, so my needs are pretty basic, but it's worked fine for me.

        4 votes
      3. mian
        Same here. Bitwarden's been great.

        1 vote
    2. whbboyd
      I use zx2c4 pass, together with passff for browser integration, replicated through a private self-hosted git repo.

      This is free software, self-administered, and based 100% on open formats and protocols, and I love it; but it's not a drop-in replacement for one of the commercial password managers. The integrations are not as tight, interfaces not as shiny (though in most cases significantly more powerful), and you will have to administer it yourself; but if all that sounds fine to you, I'd highly recommend taking a look.

      10 votes
    3. NaraVara
      I switched to 1Password. Unfortunately it has a monthly fee, but it's handy to be able to protect accounts for my whole family and functionally act as household sysadmin. Once I habituate the family to using a password manager I might transition us to Bitwarden and save myself some money. $10 a year sounds way better than $5 a month.

      7 votes
    4. [10]
      Comment deleted by author
      1. milkbones_4_bigelow
        Even still, a great FOSS alternative is Bitwarden.

        4 votes
      2. [8]
        ubergeek
        And selling your data to the highest bidder after they've gutted the assets from LogMeIn, and saddling it with debt before liquidating.

        2 votes
        1. [8]
          Comment deleted by author
          1. [7]
            ubergeek
            Right, suing a bankrupt business that went under will be successful.

            1. [7]
              Comment deleted by author
              1. [4]
                cfabbro
                (edited )
                Not only that, but it shouldn't even technically be possible for them to do anyways, since they only store the salted hash of your master password + your already encrypted vault data, and the rest of the operation is one-way, with encryption+decryption happening at the local device level. And were they to try to surreptitiously change that process so they could read your passwords, I imagine it would get leaked pretty quickly that they had. And ultimately, I very much doubt even the stupidest/greediest private equity firm in the world would risk all that just for the meager earnings they could make selling the data, IMO.

                4 votes
                1. [3]
                  ubergeek
                  Not only that, but it shouldn't even technically be possible for them to do anyways, since they only store the salted hash of your master password + your already encrypted vault data, and the rest of the operation is one-way, with encryption+decryption happening at the local device level.

                  That you know of.

                  Have you examined the source code running on the client, and on the server?

                  1. cfabbro
                    (edited )
                    I haven't ever inspected the proprietary code of Microsoft, Apple, Google, Amazon, Adobe, etc. either. Nor have I examined the code of every piece of open-source software that I use. Nor do I compile everything from source myself. Why not? For the same reasons I don't actually need to have inspected the code of LastPass to still feel relatively comfortable using their software.

                    When it comes to software, both closed and open, the larger a company/project is, the more people that have worked on it, and the more eyes there are on it (internally and externally), the more trust you can generally grant them due to the fact that conspiracies get harder to maintain the larger they are and the more people that are involved.

                    Not only that, but a lot of people way smarter than myself in the netsec industry have already taken a deep look at LastPass, and while some have identified the occasional vulnerability, none have accused them of foul play. E.g., the Google Project Zero team clearly keeps an eye on LastPass, as they have identified vulnerabilities in the past and properly reported them so LastPass could fix them. See: https://blog.lastpass.com/2017/03/important-security-updates-for-our-users.html/

                    1 vote
                  2. [2]
                    Comment deleted by author
                    1. ubergeek
                      I'm being very practicable.

                      Especially when concerning vultures of the economic industry.

              2. [2]
                ubergeek
                Fining a bankrupted company usually doesn't work very well.

                1. [2]
                  Comment deleted by author
                  1. ubergeek
                    Yes. Not sure how this is "irregular". Yes, there are fines that can be leveled against companies violating privacy laws. Fines don't usually work very well against a company filing bankruptcy.

    5. sron
      I use Dashlane. It is a bit more expensive but includes a VPN so I don't have to get another one separately.

      1 vote
    6. Kenny
      I use 1Password and am happy.

  2. unknown user
    LastPass always felt janky and poorly designed whenever I had to use it at work. It would flash content on the log in form, the UI of the dashboard was pretty dismal, and it didn't give a good sense of security at all.

    3 votes