Starting March 16, LastPass users on the free plan will only be able to use it on one "device type" (either PC or mobile)
Link information
- Title: Changes to LastPass Free - The LastPass Blog
- Authors: Dan DeMichele
- Published: Feb 16 2021
- Word count: 703 words
They were acquired by LogMeIn back in 2015. I guess the surprising part is how long they waited before moving a previously-free feature behind a paywall like this.
If anyone's getting kicked away from LastPass as a result of this, I use and recommend Bitwarden. The killer feature of having your passwords synced between desktop/laptop and mobile is not locked behind a paywall.
We had threads with general password manager recommendations here and here.
I love bitwarden. My favorite feature has to be its ability to do two factor authentication. When you auto-fill a username/password on a site, you can then immediately ctrl+v to paste the auth code without having to do anything extra. Saves time and frustration!
I always thought this was a bit weird; surely the point of two-factor authentication is that you're getting the codes from a separate device?
You are logging into Bitwarden, thus providing the second factor of authentication. The first factor is the website you are logging into. It gets confusing because Bitwarden is also providing the password itself rather than your memory, but technically speaking it is still 2FA.
As always, it depends on your threat model, but I'd argue it's not true 2FA, because the password and TOTP secret key for sites are stored alongside each other in the Bitwarden database. Access to that database is nominally protected by 2FA, but if an attacker gains access to that, they have one-factor authentication to every site saved in the database.
For example, if my laptop is stolen while I'm logged in to Bitwarden, the thief can log in to any of my accounts, even ones like AWS that prompt for the 2nd factor every time. If I keep 2FA secrets separate (on my phone) then the thief is out of luck unless they steal both my laptop and phone, and bypass the security on my 2FA app.
All entirely fair points, also I would say it's important to mention that you can set timeouts on Bitwarden and a password on your laptop. Both of these would be mitigating factors as to how vulnerable you would be to a theoretical attack such as the one described.
The point of 2-factor is "something you know" and "something you have." The "something you know" is your Bitwarden password, which only works on "something you have": your laptop. This would be like saying if someone stole my phone they now have 1-factor authentication as it is my TOTP generator.
Does Bitwarden not auto lock and require your master password to use after a few minutes?
I'm giving that as one example of a way in which my entire Bitwarden database might be compromised. Another example might be a Chrome or Firefox extension I already have installed that gets hijacked, pushes malicious code, and that code uses an exploit to get around whatever sandboxing measures the browser has in place, then exfiltrate my password store right after I enter my master password for decryption.
However it happens, let's assume the bad guys got a hold of my full, unencrypted password database. Worst-case scenario for a password manager like Bitwarden. How bad is it?
If you're storing the TOTP secret key (which is all you need, along with the current time, to generate a typical 6-digit 2FA code) alongside the passwords, the attacker now has absolutely everything they need to impersonate you. By copying those secret keys from your phone into Bitwarden, you've reduced it to a single factor.
Instead, if the 2FA secrets are stored separately (such as on a phone, or a hardware token) the attacker will be unable to log in to any 2FA-enabled account. If the threat model is "someone stole my laptop while Bitwarden was unlocked" then maybe they have my phone as well, but in the "browser extension stole them" scenario, it seems extremely unlikely.
Lack of 2FA means the attacker in this scenario couldn't access my email (critical, since so many "reset password" workflows use email verification), my bank, my Amazon account (either to buy things with my account, or spin up AWS instances and mine Bitcoin), or many other things.
This is the real value of 2FA in my mind - I had a worst-case scenario breach of all my site-specific passwords, but storing the 2FA keys separate from the passwords allowed me to limit the damage and retain control of my most important accounts.
Whelp, guess I'll be moving on from LastPass then!
Any recommendations for an alternative? And does anybody have experience with self-hosting a password manager?
I've made a lot of password manager recommendations in the past, and I still stand behind KeePass! I've been using this set up for almost 7 years. Specifically:
This complete solution provides you the following crucial features, ones that I use and appreciate daily:
And it also boasts other useful features:
This set up has been so useful for me I use it for things outside of just passwords. For example, I store my credit cards, clothing size measurements, SIN, driver's license information, and other useful information in my password database.
Do tell. I thought Steam two-factor was exclusively through their app. I would be very happy to uninstall another app.
It's been a while since I've set it up, but it still works beautifully. In KeePassXC, the method for setting it up is the same as setting up any other TOTP but you select the toggle for "Steam token settings".
The tough part is obtaining your secret key. Steam does not expose this to you in any obvious ways, however if you're technically inclined you'll be able to follow the following instructions to retrieve this secret key: https://github.com/SteamTimeIdler/stidler/wiki/Getting-your-%27shared_secret%27-code-for-use-with-Auto-Restarter-on-Mobile-Authentication#getting-shared-secret-from-steam-desktop-authenticator-windows
that is the way to go. safe, secure, will work (quasi)forever once set up.
The only thing to make it even more secure is by using syncthing. This way the keyfile never leaves your own hardware. I use this setup and it works great.
Syncthing is great, and would be a perfect fit for KeePass! In my case, it doesn't add any additional security as I copy my keyfile around via USB and never transmit it over the internet.
if you use a proper masterkey (as you should, come on, it's the only one you need to remember) it is safe anyway. good cryptography is something amazing. and if you need more assurance use a keyfile you copy manually.
I set this up a couple minutes ago and the browser integration seems pretty good, I've been meaning to get off LastPass for a while so I guess it was nice of them to give me the push I needed. here's the column import match for anyone else making the switch.
There's bitwarden, for now its free tier is fairly unlocked and it's also open source and self hostable. However, I pay for its premium option to hopefully contribute to its continued independence.
bitwarden-rs is the best self-hosted option I know of. I use the "official" Bitwarden backend rather than self-hosting, but I've heard good things about the self-hosted option.
Before I switched to Bitwarden I had a self-hosted setup using pass plus syncthing.
1Password if you can afford it or for work purposes. Bitwarden otherwise.
Man, I wish I could still recommend 1Password. I use the older version that doesn't require a subscription and which they don't sell anymore. I absolutely don't want my passwords stored on someone else's servers, and I absolutely don't want to pay a subscription for a product that doesn't require periodic downloads of updated media. If I did want to store my data in the cloud, it wouldn't be with them, anyway. I love being able to sync all my devices locally on my own network.
It's sad because it's a great product, but they've absolutely ruined it with their recent changes.
I mean, you weren't really. You were storing random numbers on someone's server, and when those random numbers mathed with another secret number you provided, the client on your device would provide the password. You can certainly keep those protected random numbers off a third-party server, but provided your master password is already robust from attacks because it is a large key space, either by length and/or complexity, it isn't something which could be determined only by that which is stored.
That's not to say that there aren't products which would serve your needs better, but describing the server as storing your passwords isn't completely accurate.
I interpreted @joplin's objection as concern that if the servers go down, their passwords disappear.
Which is partly the case, depending on whether you have a locally cached copy or not.
1Password (and most SAAS/cloud-based password managers that I know of) store the password vault locally on devices that have successfully logged into the account at least once in order to facilitate offline use. So losing access to your passwords in the case of an internet outage or service failure shouldn't be much of a concern. The only issue you might run into is if you haven't logged in on a device recently then the local vault on that device may be a bit out of date, which could prevent you from logging into new accounts created on another device.
In your case it sounds like using keepassxc with a custom cloud save or whatever is more up your alley. I do not recommend this to people however as most simply do not have the time or skill to do that themselves.
Edit: suggested KeePassXC when I meant KeePass. Not familiar with the fork in the former.
I'd recommend KeePass with Syncthing! Have your password database synced between your own devices, no need for servers.
Well, as I said, I'm still using the older 1Password that lets me do what I want. I just wish newer versions did, too. But I'll probably have to ditch it eventually, and when I do, I'll give KeePass a look. Thanks!
1Password is great. I switched my family from bitwarden to 1Password about a year ago. Since I got it setup, I haven’t received any calls about 1Password not working (user error calls happen as always). It is the first password manager that I have used that is rock solid stable. If you are the “tech support” person of your family, 1Password is the best.
Does Bitwarden store stuff online in a way that a layman can use, or is this more of a self-host kinda thing?
LastPass price is a bit much in my currency.
You can self host bitwarden (or bitwarden-rs) if you want; but bitwarden also has a public instance you can use at http://vault.bitwarden.com
They also have a free tier, which I think should work for personal use. Pricing and feature comparison is here
In short, it's cloud-based in exactly the same way that LastPass is (if you used that). But you can self host, unlike with LastPass.
I've been using Bitwarden. Its front and back end are completely open source, it works cross platform (I use it on Windows, Linux and Android, as well as browser plugins). You can self-host with Bitwarden as well.
If you're worried about "free," they subsidize the free service with paid users.
If you use a cloud storage service like DropBox or iCloud Drive, you can easily self-host a KeePass 2.x database on it without needing to run your own server. I have found the experience pretty seamless across Windows, macOS, and iOS using KeePassXC (desktop app) and KeePassium (mobile app). The latter even supports using TouchID and FaceID to unlock your database, and integrates with iOS's built-in password management API.
The only rough part comes from my choice of iCloud over DropBox. Apple does not provide a Linux client. This isn't an issue for me, as my only Linux machine is a desktop that is always on the same network as my Windows-powered home server, so I just made iCloud Drive available as a network share from the server and made a service that auto mounts it after boot.
If you only need to store web passwords then you can use Firefox or Chrome to keep track of them for you. Firefox even lets you locally encrypt them and can generate secure passwords for you when you sign up for a service. No 2FA support, though.
Actually, LastPass didn't used to have this feature free. Once upon a time using it on mobile devices was premium-only; I know because I paid for it. This was before they got bought by LogMeIn, too. I stopped paying when they made it free to use on mobile, because that was my only reason for paying.
I was surprised when they made that free, and I'm not surprised they have gone back on it. Interesting that they're allowing you to use it for free on either mobile or desktop now, instead of only on desktop.
I've been happily using Firefox Lockwise to sync my passwords, but have been hearing about Bitwarden often. Can anyone tell me why I should move away from Lockwise? I'm not security-savvy.
I use Bitwarden because I needed a password manager on Windows and Linux browsers, but also on my mobile. Bitwarden has (almost) seamless integration on mobile as a replacement for the built in password manager and so I can log into apps as easily as their website counterparts.
Lockwise was fine when I tried it, but lacked things like credit-card form filling or a way to record arbitrary secure notes such as security passphrases for arbitrary uses.
Bitwarden offers some more features (e.g. you can store a password without an email or URL) and it can work with different browsers.
All you truly need for a secure password management system. . . a secure password (to unlock the database).
If you are a high-value target, there are other options.
Well darn.
I recently switched my email over to Zoho, so I might check out their password manager, although I don't know how secure it is.