16 votes

LastPass is going to become an independent company

10 comments

  1. [8]
    Magical_Stardust

    I ended up going to Bitwarden from LastPass. Has LastPass changed over the past year?

    3 votes
    1. [7]
      cfabbro
      (edited)

      They altered the free tier, severely limiting it, and have raised their prices a few times. But otherwise, they're still pretty much the same. I still use them mostly due to vendor lock-in from having a family plan with them.

      It took me ages to finally convince all my family to start using a password manager to begin with (after several of them had accounts hacked due to data breaches and recycled passwords), teach them how to use it, and get them in the habit of actually doing so. And if I were to move to another password manager that means I would likely have to spend considerable effort helping migrate everyone else over as well. So even though LastPass is a bit more expensive than all the others, and their browser app is still a bit wonky at times, their service isn't really bad enough yet to motivate me to migrate everyone in my family elsewhere.

      This news is actually a good thing though, IMO, since now there will hopefully be less pressure on them to maximize profits, so they can focus more on improving their service.

      5 votes
      1. [6]
        alcappuccino

        Sorry for making a not-so related question (just because I never asked anyone before). What constitutes a recycled password? If I have my password "abcde", and for every website I use something like "tildesabcde" or "redditabcde", does this count as a recycled password?

        2 votes
        1. [5]
          cfabbro
          (edited)

          When I say recycled passwords, in that particular case, I mean they were using literally the exact same password on multiple sites, which is a huge vulnerability. But that password scheme you're using, if it's really as simple as <site name>+<recycled password>, could definitely still count as being vulnerable, IMO. A hacker getting their hands on a list of email addresses and their associated passwords could easily scan that password list for site names, and replace those with whatever other site names they are going to attempt to access. So whether you should switch to a password manager, or change the scheme to something a bit more complex, depends on your willingness to risk that happening.

          I hope that at the very least you have your most important accounts (bank, credit card, email, etc.) behind totally unique passwords, because that greatly reduces the risks of any serious damage occurring even if you use a simple password schema like that everywhere else.

          6 votes
          1. [4]
            alcappuccino

            I agree, of course, but if I use 2FA (when it is available from the service) and I use a random alias email for different websites, wouldn't the password uniqueness be somewhat "meaningless"? I'm asking this because, to be honest, using a password manager is the last thing that I'm missing for being "almost secure", but I always resisted password managers, not sure why. Maybe because if the password manager gets breached, then the hackers have all of my passwords. Or, at the end of the day, I just need to always use the random passwords that Firefox generates for me when creating a new account.

            2 votes
            1. [3]
              cfabbro
              (edited)

              Ah, that's good to hear. 2FA significantly reduces the risks even if you use an overly simple password scheme, and should be adequate protection for most people. In addition to using the password manager to generate unique passwords for everything, I use 2FA for every site of importance to me too.

              > I always resisted password managers, not sure why. Maybe because if the password manager gets breached, then the hackers have all of my passwords.

              That's an understandable fear, but unless you were very specifically targeted, that is very unlikely to happen IMO. Most hackers work at scale using massive breached site databases, and so only tend to go after low-hanging fruit. If they don't manage to get access to an account after the first few attempts at it they tend to give up and move on to the next account. And SaaS password managers are typically anything but low-hanging fruit due to their much stricter password requirements, higher security standards, and more advanced security controls/mechanisms than standard sites.

              E.g. LastPass requires me to re-authorize each of my previously authorized devices using 2FA every 30 days, re-enter my master password at least once every 24 hrs on each device, and do so again every time I try to view a stored password, change any settings, or edit any vault entries. It also reminds me to change my master password at set intervals, and prevents me from recycling the same master password, or even recycling any portion of previously used master passwords. And most importantly, it also geo-restricts access to my account, so even if my master password got compromised only IP addresses from my own country (or other countries I specifically authorize if I am traveling abroad) can access the account, also warning me via email any time an unrecognized IP address accesses (or tries to access) my account.

              All of those things combined, as well as the fact that I don't store my primary email password in the vault, is why I have almost no fear of anyone unauthorized getting access to my LastPass account or my password vault, or doing any lasting damage even if they do. But if even all those default security protocols are not enough to ease your worries, they also have some more advanced optional security settings you can enable too. E.g. IP whitelisting, automatically logging all devices out when another logs in, etc.

              2 votes
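The `<site name>+<recycled password>` scheme discussed a few replies up, and the "password manager generates a unique password for everything" approach in the reply just above, as an added Python example that is not from this thread or from LastPass or Bitwarden's code: it draws random per-site passwords with the `secrets` module, reports their entropy, and audits a small constructed vault for exact reuse and for the site-name-plus-shared-base pattern, the kind of hygiene report password managers offer on your own vault. Every function name and every sample vault entry below is my own construction.

```python
import math
import secrets
import string
from collections import defaultdict

# Character set for generated passwords: 52 letters + 10 digits + 32 punctuation = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw a password uniformly at random from `alphabet` using the OS CSPRNG.

    This is what a password manager's generator does: every site gets an
    independent secret, so one leaked password says nothing about the others.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def site_label(site: str) -> str:
    """Reduce a hostname to the label a person would type into a password:
    'www.Tildes.net' -> 'tildes'. (Hypothetical helper, not from any product.)"""
    host = site.strip().lower()
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0]


def strip_site_label(site: str, password: str) -> str:
    """Return the password with its site label removed from the front or back.

    If nothing is removed the password comes back unchanged, which lets the
    caller tell 'patterned' passwords from ordinary ones.
    """
    label = site_label(site)
    lowered = password.lower()
    if label and lowered.startswith(label):
        return password[len(label):]
    if label and lowered.endswith(label):
        return password[: len(password) - len(label)]
    return password


def audit_vault(entries):
    """Flag weak habits in a list of (site, password) vault entries.

    Returns {'reused': [...], 'patterned': [...]}, each a sorted list of
    sorted site groups. 'reused' groups share the exact same password;
    'patterned' groups share the same base once the site label is stripped,
    i.e. the '<site name>+<base>' scheme discussed in the thread.
    """
    by_password = defaultdict(list)
    by_base = defaultdict(list)
    for site, password in entries:
        by_password[password].append(site)
        base = strip_site_label(site, password)
        if base != password:  # only passwords that actually embed the site label
            by_base[base].append(site)
    reused = sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)
    patterned = sorted(sorted(sites) for sites in by_base.values() if len(sites) > 1)
    return {"reused": reused, "patterned": patterned}


# Constructed sample vault (not real credentials): two entries use the
# '<site>+abcde' scheme, two share one password outright, one is random.
SAMPLE_VAULT = [
    ("tildes.net", "tildesabcde"),
    ("reddit.com", "redditabcde"),
    ("bank.example", "hunter2"),
    ("shop.example", "hunter2"),
    ("mail.example", "q7$Lw9!vTzR2#pGm"),
]


if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT)
    for group in report["reused"]:
        print("same password on:", ", ".join(group))
    for group in report["patterned"]:
        print("site-name + shared base on:", ", ".join(group))
    new_pw = generate_password(20)
    print(f"replacement password: {new_pw} (~{entropy_bits(20):.0f} bits)")
```

Running it prints the two flagged groups from the sample vault and a fresh 20-character replacement worth roughly 131 bits; the point of the audit is that the "tildesabcde"/"redditabcde" pair collapses to one shared base, which is exactly why the thread treats that scheme as closer to reuse than to uniqueness.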
              1. [2]
                alcappuccino

                Sorry for the late response.

                But thank you for the short and concise overview of the features of a password manager. You convinced me to create an account on a password manager (probably on Bitwarden).

                > I don't store my primary email password in the vault

                Thanks for the tip. I think this one is important since, every time you change something on an account, you get a notification on your e-mail. If they have my primary e-mail password, then that's the first thing they would change, and I would never know that something is happening.

                Anyway, I wish you happy holidays ;)

                1 vote
                1. cfabbro
                  (edited)

                  No prob. Glad I was able to help. Although it should be noted that security protocols and features will vary between password managers and account types/tiers, so YMMV depending on which you choose.

                  Thanks, I hope you have a nice holiday season too. :)

                  1 vote
  2. emnii

    I'm glad they're splitting off. I've been a paying LastPass customer since before LogMeIn. It wasn't a disastrous merger but I absolutely noticed a slowdown in features and improvement after the buyout.

    3 votes
  3. [2]
    Comment deleted by author
    1. meatrocket

      I moved to Bitwarden several months ago when LastPass messed with their free tier and haven't looked back at all. It's a nice utility.

      5 votes