28 votes

Starting March 16, LastPass users on the free plan will only be able to use it on one "device type" (either PC or mobile)

40 comments

  1. [8]
    spit-evil-olive-tips
    They were acquired by LogMeIn back in 2015. I guess the surprising part is how long they waited before moving a previously-free feature behind a paywall like this.

    If anyone's getting kicked away from LastPass as a result of this, I use and recommend Bitwarden. The killer feature of having your passwords synced between desktop/laptop and mobile is not locked behind a paywall.

    We had threads with general password manager recommendations here and here.

    31 votes
    1. [7]
      gimmemahlulz
      I love bitwarden. My favorite feature has to be its ability to do two-factor authentication. When you auto-fill a username/password on a site, you can then immediately ctrl+v to paste the auth code without having to do anything extra. Saves time and frustration!

      7 votes
      1. [6]
        Cycloneblaze
        I always thought this was a bit weird; surely the point of two-factor authentication is that you're getting the codes from a separate device?

        10 votes
        1. [5]
          Gaywallet
          You are logging into Bitwarden, thus providing the second factor of authentication. The first factor is the website you are logging into. It gets confusing because Bitwarden is also providing the password itself rather than your memory, but technically speaking it is still 2FA.

          3 votes
          1. [4]
            spit-evil-olive-tips
            As always, it depends on your threat model, but I'd argue it's not true 2FA, because the password and TOTP secret key for sites are stored alongside each other in the Bitwarden database. Access to that database is nominally protected by 2FA, but if an attacker gains access to that, they have one-factor authentication to every site saved in the database.

            For example, if my laptop is stolen while I'm logged in to Bitwarden, the thief can log in to any of my accounts, even ones like AWS that prompt for the 2nd factor every time. If I keep 2FA secrets separate (on my phone) then the thief is out of luck unless they steal both my laptop and phone, and bypass the security on my 2FA app.

            13 votes
            1. Gaywallet
              All entirely fair points. I would also say it's important to mention that you can set timeouts on Bitwarden and a password on your laptop. Both of these would be mitigating factors as to how vulnerable you would be to a theoretical attack such as the one described.

              5 votes
            2. [2]
              jackson
              For example, if my laptop is stolen while I'm logged in to Bitwarden

              The point of 2-factor is "something you know" and "something you have." The "something you know" is your Bitwarden password, which only works on "something you have": your laptop. This would be like saying if someone stole my phone they now have 1-factor authentication as it is my TOTP generator.

              Does Bitwarden not auto lock and require your master password to use after a few minutes?

              2 votes
              1. spit-evil-olive-tips
                I'm giving that as one example of a way in which my entire Bitwarden database might be compromised. Another example might be a Chrome or Firefox extension I already have installed that gets hijacked, pushes malicious code, and that code uses an exploit to get around whatever sandboxing measures the browser has in place, then exfiltrate my password store right after I enter my master password for decryption.

                However it happens, let's assume the bad guys got a hold of my full, unencrypted password database. Worst-case scenario for a password manager like Bitwarden. How bad is it?

                If you're storing the TOTP secret key (which is all you need, along with the current time, to generate a typical 6-digit 2FA code) alongside the passwords, the attacker now has absolutely everything they need to impersonate you. By copying those secret keys from your phone into Bitwarden, you've reduced it to a single factor.

                Instead, if the 2FA secrets are stored separately (such as on a phone, or a hardware token) the attacker will be unable to log in to any 2FA-enabled account. If the threat model is "someone stole my laptop while Bitwarden was unlocked" then maybe they have my phone as well, but in the "browser extension stole them" scenario, it seems extremely unlikely.

                Lack of 2FA means the attacker in this scenario couldn't access my email (critical, since so many "reset password" workflows use email verification), my bank, my Amazon account (either to buy things with my account, or spin up AWS instances and mine Bitcoin), or many other things.

                This is the real value of 2FA in my mind - I had a worst-case scenario breach of all my site-specific passwords, but storing the 2FA keys separate from the passwords allowed me to limit the damage and retain control of my most important accounts.

                3 votes
  2. [26]
    bilbodwyer
    Whelp, guess I'll be moving on from LastPass then!
    Any recommendations for an alternative? And does anybody have experience with self-hosting a password manager?

    7 votes
    1. [8]
      dedime
      (edited)

      I've made a lot of password manager recommendations in the past, and I still stand behind KeePass! I've been using this set up for almost 7 years. Specifically:

      • KeePassXC - for the desktop app. Available at https://keepassxc.org (Free, open source software)
      • KeePassXC-Browser - An extension for autofill in your browser of choice, on the chrome / firefox extension stores (Free, open source software)
      • Keepass2Android - An android app for opening KeePass databases, on the play store (Free, open source software)
      • Google Drive Sync (Or any file syncing program of your choice, it doesn't affect the security) - For syncing the encrypted password database file to all of your devices. This is secure, because the database file is encrypted. (Gratis, but closed source software)

      This complete solution provides you the following crucial features, ones that I use and appreciate daily:

      • Password syncing to all of your devices
      • Strong, verifiably secure encryption of your passwords
      • TOTP, both the standard version and Steam version
      • Autofill for usernames / password in your browser

      And it also boasts other useful features:

      • Support for hardware keys and key files, in addition to a password, for your password database (I use a key file that I physically copy, offline, to my devices)
      • CLI support
      • SSH-agent integration - Automatically add your SSH keys to SSH-agent when you unlock your password database. This is a godsend.
      • Dark mode (KeePassXC)
      • Completely free, open source software - Nobody is going to pull the rug out from under you, and insist you pay them to continue using the software. KeePassXC, Keepass2Android, and the KeePassXC-browser extensions are completely free, will always be free, and are here to stay.
      • No need to host your own servers - suitable for the tech-inexperienced

      This set up has been so useful for me I use it for things outside of just passwords. For example, I store my credit cards, clothing size measurements, SIN, driver's license information, and other useful information in my password database.

      20 votes
      1. [2]
        vord
        Steam version

        Do tell. I thought Steam two-factor was exclusively through their app. I would be very happy to uninstall another app.

        3 votes
        1. dedime
          It's been a while since I've set it up, but it still works beautifully. In KeePassXC, the method for setting it up is the same as setting up any other TOTP but you select the toggle for "Steam token settings".

          The tough part is obtaining your secret key. Steam does not expose this to you in any obvious ways, however if you're technically inclined you'll be able to follow the following instructions to retrieve this secret key: https://github.com/SteamTimeIdler/stidler/wiki/Getting-your-%27shared_secret%27-code-for-use-with-Auto-Restarter-on-Mobile-Authentication#getting-shared-secret-from-steam-desktop-authenticator-windows

          6 votes
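          Two posts above make a concrete technical claim that is easy to check in code: spit-evil-olive-tips' point that the TOTP secret key plus the current time is all that is needed to produce a 6-digit code (so a secret stored next to the password collapses 2FA to one factor), and dedime's note that KeePassXC can also produce the Steam token variant. The block below is an added example written for this thread; it is not code from the thread, from KeePassXC, Bitwarden or Steam. It implements RFC 4226/6238 with the standard library only. The 26-symbol alphabet is the one Steam Guard codes use; the secrets in it are the published RFC test secret and a constructed base32 string, not anyone's real secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Alphabet used by Steam Guard codes: 26 symbols, digits and letters chosen
# so that they are hard to confuse with one another.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def hotp_truncate(secret: bytes, counter: int) -> int:
    """RFC 4226 HMAC-SHA1 plus dynamic truncation. Returns the 31-bit integer
    that both the standard 6-digit code and the Steam code are derived from.
    Note that nothing but the shared secret and the counter enters here."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """Standard RFC 6238 TOTP: the counter is the number of 30-second steps
    since the Unix epoch; the code is the truncated value mod 10^digits."""
    code = hotp_truncate(secret, now // step) % (10 ** digits)
    return str(code).zfill(digits)


def steam_totp(secret: bytes, now: int, step: int = 30) -> str:
    """Steam Guard variant: same HMAC and truncation, but the integer is
    written in base 26 over STEAM_ALPHABET, least significant symbol first,
    and only five symbols are kept."""
    value = hotp_truncate(secret, now // step)
    out = []
    for _ in range(5):
        out.append(STEAM_ALPHABET[value % len(STEAM_ALPHABET)])
        value //= len(STEAM_ALPHABET)
    return "".join(out)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps and otpauth:// URIs hand you the secret as base32,
    often without padding and sometimes with spaces; normalise and decode."""
    encoded = encoded.strip().replace(" ", "").upper()
    encoded += "=" * (-len(encoded) % 8)
    return base64.b32decode(encoded)


def verify_totp(secret: bytes, candidate: str, now: int, window: int = 1) -> bool:
    """What a site does on login: accept the code for the current step and
    `window` steps either side (clock drift), comparing in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * 30)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret: the ASCII string "12345678901234567890".
    rfc_secret = b"12345678901234567890"
    print("TOTP at t=59:", totp(rfc_secret, 59))  # 287082 per RFC 6238
    print("Steam code at t=59:", steam_totp(rfc_secret, 59))
    # Constructed base32 secret, the form a QR code or otpauth URI would carry.
    demo = secret_from_base32("JBSWY3DPEHPK3PXP")
    print("Current 6-digit code:", totp(demo, int(time.time())))
```

          The thing to notice is the signature of `hotp_truncate`: secret and counter in, code out. Whoever holds the secret bytes can run this anywhere, which is exactly why a vault that stores them next to the password turns "two factors" into one copy of everything.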
      2. [4]
        Don_Camillo
        that is the way to go. safe, secure, will work (quasi)forever once set up.

        1 vote
        1. [3]
          Mnmalst
          The only thing to make it even more secure is by using syncthing. This way the keyfile never leaves your own hardware. I use this setup and it works great.

          2 votes
          1. dedime
            (edited)
            Syncthing is great, and would be a perfect fit for KeePass! In my case, it doesn't add any additional security as I copy my keyfile around via USB and never transmit it over the internet.

            3 votes
          2. Don_Camillo
            if you use a proper masterkey (as you should, come on, it's the only one you need to remember) it is safe anyway. good cryptography is something amazing. and if you need more assurance use a keyfile you copy manually.

            1 vote
      3. no_exit
        I set this up a couple minutes ago and the browser integration seems pretty good. I've been meaning to get off LastPass for a while, so I guess it was nice of them to give me the push I needed. Here's the column import match for anyone else making the switch.

        1 vote
    2. stu2b50
      There's bitwarden; for now its free tier is fairly unlocked and it's also open source and self-hostable. However, I pay for its premium option to hopefully contribute to its continued independence.

      13 votes
    3. spit-evil-olive-tips
      bitwarden-rs is the best self-hosted option I know of. I use the "official" Bitwarden backend rather than self-hosting, but I've heard good things about the self-hosted option.

      Before I switched to Bitwarden I had a self-hosted setup using pass plus syncthing.

      8 votes
    4. [12]
      Adys
      1password if you can afford it or for work purposes. Bitwarden otherwise.

      7 votes
      1. [7]
        joplin
        Man, I wish I could still recommend 1Password. I use the older version that doesn't require a subscription and which they don't sell anymore. I absolutely don't want my passwords stored on someone else's servers, and I absolutely don't want to pay a subscription for a product that doesn't require periodic downloads of updated media. If I did want to store my data in the cloud, it wouldn't be with them, anyway. I love being able to sync all my devices locally on my own network.

        It's sad because it's a great product, but they've absolutely ruined it with their recent changes.

        6 votes
        1. [3]
          Chinpokomon
          I absolutely don't want my passwords stored on someone else's servers

          I mean, you weren't really. You were storing random numbers on someone's server, and when those random numbers mathed with another secret number you provided, the client on your device would provide the password. You can certainly keep those protected random numbers off a third-party server, but provided your master password is already robust from attacks because it is a large key space, either by length and/or complexity, it isn't something which could be determined only by that which is stored.

          That's not to say that there aren't products which would serve your needs better, but describing the server as storing your passwords isn't completely accurate.

          3 votes
          1. [2]
            Adys
            I interpreted @joplin's objection as concern that if the servers go down, their passwords disappear.

            Which is partly the case, depending on whether you have a locally cached copy or not.

            3 votes
            1. cfabbro
              (edited)
              1Password (and most SAAS/cloud-based password managers that I know of) store the password vault locally on devices that have successfully logged into the account at least once in order to facilitate offline use. So losing access to your passwords in the case of an internet outage or service failure shouldn't be much of a concern. The only issue you might run into is if you haven't logged in on a device recently then the local vault on that device may be a bit out of date, which could prevent you from logging into new accounts created on another device.

              2 votes
        2. Adys
          In your case it sounds like using keepassxc with a custom cloud save or whatever is more up your alley. I do not recommend this to people however as most simply do not have the time or skill to do that themselves.

          2 votes
        3. [2]
          Shahriar
          (edited)
          Edit: suggested KeePassXC when I meant KeePass. Not familiar with the fork in the former.

          If I did want to store my data in the cloud, it wouldn't be with them, anyway. I love being able to sync all my devices locally on my own network.

          I'd recommend KeePass with Syncthing! Have your password database synced between your own devices, no need for servers.

          1 vote
          1. joplin
            Well, as I said, I'm still using the older 1Password that lets me do what I want. I just wish newer versions did, too. But I'll probably have to ditch it eventually, and when I do, I'll give KeePass a look. Thanks!

            1 vote
      2. Weldawadyathink
        1Password is great. I switched my family from bitwarden to 1Password about a year ago. Since I got it setup, I haven’t received any calls about 1Password not working (user error calls happen as always). It is the first password manager that I have used that is rock solid stable. If you are the “tech support” person of your family, 1Password is the best.

        3 votes
      3. [3]
        mrbig
        Does Bitwarden store stuff online in a way that a layman can use, or is this more of a self-host kinda thing?

        Lastpass price is a bit much in my currency.

        1. pvik
          You can self host bitwarden (or bitwarden-rs) if you want; but bitwarden also has a public instance you can use at http://vault.bitwarden.com

          They also have a free tier, which I think should work for personal use. Pricing and feature comparison is here

          1 vote
        2. Cycloneblaze
          In short, it's cloud-based in exactly the same way that LastPass is (if you used that). But you can self host, unlike with LastPass.

          1 vote
    5. knocklessmonster
      I've been using Bitwarden. Its front and back end are completely open source, and it works cross-platform (I use it on Windows, Linux and Android, as well as browser plugins). You can self-host with Bitwarden as well.

      If you're worried about "free," they subsidize the free service with paid users.

      5 votes
    6. babypuncher
      If you use a cloud storage service like DropBox or iCloud Drive, you can easily self-host a KeePass 2.x database on it without needing to run your own server. I have found the experience pretty seamless across Windows, macOS, and iOS using KeePassXC (desktop app) and KeePassium (mobile app). The latter even supports using TouchID and FaceID to unlock your database, and integrates with iOS's built-in password management API.

      The only rough part comes from my choice of iCloud over DropBox. Apple does not provide a Linux client. This isn't an issue for me, as my only Linux machine is a desktop that is always on the same network as my Windows-powered home server, so I just made iCloud Drive available as a network share from the server and made a service that auto mounts it after boot.

      2 votes
    7. teaearlgraycold
      If you only need to store web passwords then you can use Firefox or Chrome to keep track of them for you. Firefox even lets you locally encrypt them and can generate secure passwords for you when you sign up for a service. No 2FA support, though.

  3. Cycloneblaze
    Actually, LastPass didn't used to have this feature free. Once upon a time using it on mobile devices was premium-only; I know because I paid for it. This was before they got bought by LogMeIn, too. I stopped paying when they made it free to use on mobile, because that was my only reason for paying.

    I was surprised when they made that free, and I'm not surprised they have gone back on it. Interesting that they're allowing you to use it for free on either mobile or desktop now, instead of only on desktop.

    5 votes
  4. [3]
    keb
    I've been happily using Firefox Lockwise to sync my passwords, but have been hearing about Bitwarden often. Can anyone tell me why I should move away from Lockwise? I'm not security-savvy.

    3 votes
    1. screenbeard
      I use Bitwarden because I needed a password manager on Windows and Linux browsers, but also on my mobile. Bitwarden has (almost) seamless integration on mobile as a replacement for the built-in password manager, so I can log into apps as easily as their website counterparts.
      Lockwise was fine when I tried it, but lacked things like credit-card form filling or a way to record arbitrary secure notes such as security passphrases for arbitrary uses.

      1 vote
    2. p4t44
      Bitwarden offers some more features (e.g. you can store a password without an email or URL) and it can work with different browsers.

  5. Maddox
    All you truly need for a secure password management system. . .

    • KeepassXC
    • one secure password (to unlock the database)
    • one cloud host

    If you are a high-value target, there are other options.

    2 votes
  6. eladnarra
    Well darn.

    I recently switched my email over to Zoho, so I might check out their password manager, although I don't know how secure it is.

    1 vote