I can say with full confidence that this at least has nothing to do with their hostage situation:
> Having no formal support channel
When I last had to deal with their so-called support, all contact details were very efficiently hidden. Once you found a page with a phone number, and the hours you could call them, there was one final surprise:
"The phone number you are trying to reach is not in use". The only contact that works reliably at LastPass is their billing department. Make of that what you will.
While it was harder than it should have been to reach them, the one support interaction I’ve ever needed to have with them (domain name change went badly with master password email account re-verification before I added a secondary email) was amazing. They had a thorough security checking and identification confirmation process that would make social engineering more difficult, and they were able to fix up the email over the course of a 45 minute phone call (I did mention it was thorough).
I vaguely remember eventually figuring out how to lodge some kind of issue or something because the UI of their credit monitoring was completely broken. It was impossible to use the service at all.
I think I eventually figured out some methodology of opening some graphical element in a new frame or something that got it working partially but that was what made me cancel everything and switch to BitWarden. Ridiculous.
Watch out! Another "bug" of the LastPass happens when you export your accounts.
I have exported all my accounts via the web interface, and the three times I've done that it exported a truncated CSV file with about 30 lines, while printing the whole file content in the web page you access. That means the CSV you downloaded probably is not complete and you have to copy some lines from the web.
I was lucky to investigate a weird warning, about some missing fields in the last row, that SQLite gave me after importing all the accounts to a database.
When they were acquired by LogMeIn a few years ago, the thread on HN about it was recommending switching to Bitwarden. Which I did.
In a few weeks, I'll have to pay $10 to renew it.
Meanwhile, since December we have this kind of worrying news from LastPass, which is almost 4 times more expensive than Bitwarden.
Sign in to LastPass web -> Advanced Options -> Export -> Verify export by email -> Advanced Options -> Export (again) -> List of passwords in CSV format.
The problem is if you aren't a paying customer, and you are locked to the mobile app, it doesn't have the password CSV option. So if you can access the desktop web option, sure, it works. But that's not true for all users.
I have quite a few gripes with Bitwarden, but I've never used LastPass so don't take this as a comparison.
1. Their auditing ("Event Logs") feature is unusable. It refers to items by some magical identifier which does not correspond to the name in the vault, e.g. "Viewed password for item ebabefac".
2. Payments by anything other than Credit Card are a mess, which is a serious pain if you have a lot of users. It took us weeks and many support interactions to get something as trivial as a bank transfer sorted.
3. It's still (!) lacking a feature to actually send people passwords ... as in sysadmin creates some account for a user, presses a magical button in BW, and it ends up in the user's vault (or maybe they get a message and are asked to import it, whatever). BW recommends you use the "Send" feature, which is basically a glorified pastebin.
4. The UX is .... not great. Organization vs Personal Collection view is confusing. Every time we onboard a new user we get questions about how they should store personal passwords.
It works well enough, but I don't think the enterprise plan is worth the 60/user/year price tag.
I switched to BitWarden when they dropped the subscription requirement for mobile, continued charging for my subscription for over a year and then announced they’d start charging again.
It’s… fine, but many areas of integration with browser and on iOS are significantly less polished and pleasant to use. Things like credit cards are entirely manual on iOS. It’s definitely a worse experience on the convenience side.
That, and even though it’s relatively easy to migrate, it’s even easier to not spend the effort reworking your workflows and ways you use password tools.
LastPass has been around for a very long time. I'm still using it because I haven't had much reason to migrate and I installed it probably a decade or more ago.
Lack of information. LastPass was also relatively decent software for a while. I only stopped using it two years ago, but also noticed at the time that they have significant marketing efforts compared to the competition.
It seems like LastPass is angling to become the AOL of password managers, and by that I mean they want a bunch of old customers who never bother to switch to something better.
At any rate there is no reason to use LastPass. There must be tens of password managers all geared towards a different kind of user and all better than LastPass.
1Password is another proprietary SaaS password manager. You "dodged this bullet" but shouldn't you also be concerned that 1P will do the same thing in the future?
Neither a bug nor an intentional ploy would surprise me. When I last used LastPass (2018) the web UI was quite buggy and difficult to use. Since then they have been acquired[1] by a PE firm and are about to be spun off again[2] as an independent company. Heaven knows who's steering the ship over there.
I don't know, maybe I'm old-fashioned, but I never used and never will use a password manager. I can't think of a reason to let a business know all my passwords while also making it my single point of failure.
As a LastPass user, I'm getting a bit nervous. I've looked through various other threads on suggestions, but, since it is inevitable - what do people recommend and why? I'd prefer only answers from people that have been using their solution for at least a couple of years, and even better, people that have been using theirs for even longer and through multiple iterations of "weird things happened to password manager X" cycles :)
LastPass has become garbage since it was purchased by LogMeIn (or whatever parent garbage company owns them these days). I can't comprehend why anyone would use them.
I can only personally recommend Bitwarden instead - it's open source and can never decrypt your passwords on prem. Browser plugin, mobile app, enterprise versions, etc. It has it all, and hasn't been a cunt to its users from day 1.
Also, unlike LastPass, they haven't been hacked multiple times. I can not comprehend why anyone trusts them with their passwords - the company I work for included I'm afraid.
I use Firefox / Safari built-in password management. I do not know how secure they are but no issues in 10+ years and I certainly have access to all passwords in my keychain/account. Not locked behind some corporate service. They are saved locally.
Both easily generate long random passwords, etc.
For me this is a solved problem (until Firefox's service is hacked, of course) to the point that my real pain point is remembering the random strings I use for "security question" answers. For that I use a KeePass database. But I wish FF/Safari would see the need and add security questions fields to their management.
No way am I giving real information for those. Why yes my mother's maiden name is cd559b1085b94b2dad32bb9e458e2422 so sorry to hear it was leaked, SONY.
1. avoid vendor lockin (if I want to switch browsers I can, or switch from iOS to Android)
2. enable portability, with passwords not just being available locally requiring manual migration to other devices
Do you have problems/qualms with the above just using browser password managers?
The problem I had with LastPass is that if you have any billing problem then you're immediately kicked down to the free tier with all the problems that entails, including loss of access to regular support. Worse, they had a bug that prevented me upgrading back to premium with new payment details. The special contact form for billing support was non-obvious and they were not especially prompt or helpful. I've since migrated to BitWarden. No problem exporting, thank goodness, but it wouldn't have surprised me!
This is exactly why I switched to another password manager when they announced LogMeIn had bought them.
Same gross tactics and lock in. IIRC LogMeIn refused to let me delete my credit card details or cancel my plan and their “support contact” was completely unresponsive.
Can’t remember if I just used fake card details or blocked the transaction by locking/cancelling the credit card but it was a real nightmare.
Root cause of this issue: export is only possible from the desktop browser plugin, but lastpass locks free users to either desktop or mobile.
If your account is locked to mobile, you can't export your passwords.
I have another related issue: it is not possible to export your TOTP seeds from lastpass authenticator.
I contacted the lastpass/logmein dpo, which (in my case at least) got forwarded to their generic support-by-email. They were slow to respond, and eventually claimed they could not export my one time passwords because they are encrypted. This is obviously false, they can decrypt the data just fine (I actually switched to a new phone, authenticator data got synced as you would expect). And other apps such as Google Authenticator allow you to export your data.
I filed a gdpr complaint with my national Data Protection Authority, which after a long response time got accepted, and is now forwarded to the Irish DPA.
If you want to assert your rights, contact Lastpass/Logmein at [email protected] or via their support page [0] (from their privacy page [1]), and demand access to your data. If they refuse, or do not respond within 30 days, file a complaint with your DPA [2], with proof that you requested your data but got denied.
I had issues exporting my LastPass database to a CSV file a couple of weeks ago from a browser (no plugin installed). They seemed to render the CSV data inside a <pre> tag in an HTML page (I have no CSV browser plugin installed). I had to copy the text manually from the HTML source and paste/import it in another password manager.
> This company is so rotten. Just look at their recent track record showing pure user hostility. Why is anyone still using them?
Inertia. Lastpass still works, and frankly it's not high on my list of priorities to research and switch to a new password manager. Some people have time to obsess over this stuff, I don't anymore.
And frankly, data export barriers wouldn't be a difficulty for me (I wouldn't mind re-keying stuff if that's what it took, and that's what I did to get my passwords into LastPass). Deciding on a direction is way more work, and that's the real barrier.
Also, it's kind of pointless. The alternatives will almost certainly be some open source thing with major UX friction and personal maintenance burden, or some for-profit service that will eventually be corrupted in exactly the same way as LastPass has.
> Just look at their recent track record showing pure user hostility. Why is anyone still using them?
Because I've managed to miss any news damning enough to make me decide to switch.
It's possible that either:
a) I've overlooked something
b) You and I have different priorities
c) You're being hyperbolic.
I genuinely don't know which but your phrasing and tone make me lean towards (c)
The internet is full of people shouting "God. [Company] is the worst!" - if you want to be persuasive then it's probably better to not sound like them.
As some have said the web export gave a truncated set. However the chrome browser plugin export function worked just fine and gave me a full export from two separate accounts.
This included one account that was seemingly locked in the web browser because I had cancelled my subscription and was locked into a re-subscribe page with no other options to proceed that I could figure out.
Just painlessly (finally) deduplicated my pwds in excel and imported to a bitwarden family plan. It's been so painless. The features I'm seeing make me fairly certain I'll be paying for a family org plan.
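A check for the truncated-download problem several commenters describe, as an added example that is not part of the original thread. The function names and the column layout of the sample data are assumptions constructed for illustration; findings report record numbers only, never field values.

```python
import csv
import io


def parse_records(text):
    """Parse CSV text into rows. Quoted fields may span lines, so counting
    raw lines is not enough. Returns (rows, error_message_or_None)."""
    rows = []
    try:
        # strict=True makes the parser raise on EOF inside a quoted field.
        for row in csv.reader(io.StringIO(text, newline=""), strict=True):
            if row:  # ignore blank lines
                rows.append(row)
    except csv.Error as exc:
        return rows, str(exc)
    return rows, None


def check_export(downloaded, page_copy=None):
    """Return findings that suggest a cut-off export; [] means none found.
    page_copy is the text shown in the browser, if it was saved separately."""
    findings = []
    rows, error = parse_records(downloaded)
    if error:
        findings.append(f"parse error after record {len(rows)}: {error}")
    if not rows:
        return findings + ["no records found"]
    width = len(rows[0])  # header defines the expected field count
    for number, row in enumerate(rows[1:], start=2):
        if len(row) != width:
            findings.append(
                f"record {number} has {len(row)} fields, header has {width}")
    if not downloaded.endswith(("\n", "\r")):
        findings.append(
            "file does not end with a newline; last record may be cut off")
    if page_copy is not None:
        ref_rows, _ = parse_records(page_copy)
        if len(rows) < len(ref_rows):
            findings.append(f"download has {len(rows) - 1} entries, "
                            f"page copy has {len(ref_rows) - 1}")
    return findings


# Constructed sample data (not a real export; column names are assumed).
FULL = (
    "url,username,password,extra,name,grouping,fav\n"
    'https://a.example,alice,pw-one,"note line 1\nnote line 2",Site A,Work,0\n'
    "https://b.example,bob,pw-two,,Site B,Home,0\n"
    "https://c.example,carol,pw-three,,Site C,Home,1\n"
)
# Simulate a download that stops partway through the second entry.
TRUNCATED = FULL[: FULL.index("pw-two") + 3]

if __name__ == "__main__":
    for finding in check_export(TRUNCATED, page_copy=FULL):
        print(finding)
```

Run it on an export before deleting the source vault; a file cut inside a multi-line note can still end in a newline, which is why the parse error is checked separately.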
[+] [-] bostik|4 years ago|reply
[+] [-] hffftz|4 years ago|reply
It tells you that it is a credit monitoring service when you call, but it is indeed the password manager service....
800-830-6680 and then press 3 (the other 2 options disconnect you)
[+] [-] techdragon|4 years ago|reply
[+] [-] jcranberry|4 years ago|reply
[+] [-] Reubachi|4 years ago|reply
[+] [-] suifbwish|4 years ago|reply
[+] [-] jmrm|4 years ago|reply
[+] [-] wiether|4 years ago|reply
[+] [-] futhey|4 years ago|reply
[+] [-] bborud|4 years ago|reply
I guess Bitwarden secured itself a test-run.
edit: for clarity, the downloaded csv was defective, the csv shown seems complete. This is a problem
[+] [-] tytso|4 years ago|reply
[+] [-] jmrm|4 years ago|reply
[+] [-] pedalpete|4 years ago|reply
[+] [-] sucrose|4 years ago|reply
[+] [-] rodmena|4 years ago|reply
[+] [-] elric|4 years ago|reply
[+] [-] misnome|4 years ago|reply
[+] [-] teej|4 years ago|reply
[+] [-] jscohn85|4 years ago|reply
[+] [-] staticassertion|4 years ago|reply
[+] [-] isoskeles|4 years ago|reply
[+] [-] leokennis|4 years ago|reply
[+] [-] mpalczewski|4 years ago|reply
[+] [-] efitz|4 years ago|reply
[+] [-] l30n4da5|4 years ago|reply
[+] [-] TAForObvReasons|4 years ago|reply
[+] [-] halfmatthalfcat|4 years ago|reply
[+] [-] AlexandrB|4 years ago|reply
[1] https://www.ghacks.net/2019/12/18/logmein-lastpass-to-be-acq...
[2] https://www.theverge.com/2021/12/14/22833319/lastpass-indepe...
[+] [-] stelonix|4 years ago|reply
[+] [-] gilbetron|4 years ago|reply
[+] [-] johnmarcus|4 years ago|reply
[+] [-] 4ec0755f5522|4 years ago|reply
https://en.wikipedia.org/wiki/2011_PlayStation_Network_outag...
[+] [-] qvrjuec|4 years ago|reply
[+] [-] daveidol|4 years ago|reply
[+] [-] pleonasticity|4 years ago|reply
[+] [-] pmlnr|4 years ago|reply
[+] [-] komadori|4 years ago|reply
[+] [-] yoav|4 years ago|reply
[+] [-] kabdib|4 years ago|reply
After they were acquired, LogMeIn was quite happy to charge my credit card for the premium service, for several years running. Never did get a refund.
[+] [-] JackMcMack|4 years ago|reply
[0] https://support.logmeininc.com/contactus
[1] https://www.logmein.com/nl/legal/privacy/international#right...
[2] https://edpb.europa.eu/about-edpb/about-edpb/members_en
[+] [-] lini|4 years ago|reply
[+] [-] riffic|4 years ago|reply
[+] [-] tablespoon|4 years ago|reply
[+] [-] andybak|4 years ago|reply
[+] [-] foxtrottbravo|4 years ago|reply
[+] [-] u2077|4 years ago|reply
[+] [-] AndrewHayes|4 years ago|reply