A while back I had an issue with Lastpass settings not being properly enabled on my account. I discovered that all settings were rendered, and in order to disable them they used 'display: none' rather than not rendering them on the dashboard at all.
The fix was for me to disable the 'display: none' rule, which gave me access to the feature in a limited way.
After reaching out to support with screenshots, they fixed the issue and I gained full access, but it is clear to me that Lastpass uses 'display: none' as feature gating and that their software is absolute garbage.
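The gating pattern described above, worked through as an added example (this is not LastPass code; the plans, features and account record are constructed for illustration). A feature hidden with a CSS rule is still fully present in the page, so the only entitlement decision that counts is the one the server makes from its own account record. The weak handler and the `uiSaysEnabled` flag are hypothetical, included to show what "trusting the UI" looks like next to a server that checks for itself.

```javascript
// Added example (not LastPass code): CSS-hidden features versus server-side entitlement.
// All plans, features and account data below are constructed.

const ALL_FEATURES = ['vault', 'autofill', 'sharing', 'emergency_access'];
const PLAN_FEATURES = {
  free: new Set(['vault', 'autofill']),
  premium: new Set(ALL_FEATURES),
};

function entitled(plan, feature) {
  const allowed = PLAN_FEATURES[plan];
  return allowed !== undefined && allowed.has(feature);
}

// The pattern the comment describes: every feature is rendered, and the ones the
// plan lacks are merely styled away. Returns a simplified DOM (array of elements).
function renderDashboard(plan) {
  return ALL_FEATURES.map((feature) => ({
    feature,
    style: entitled(plan, feature) ? '' : 'display: none',
  }));
}

// What the commenter did in devtools: the markup is under the client's control,
// so clearing the style brings every hidden element straight back.
function unhideEverything(dom) {
  return dom.map((el) => ({ ...el, style: '' }));
}

// Hypothetical weak backend: it trusts a flag the client computed from the UI.
function weakHandler(_accounts, req) {
  // Deliberate defect: authorization derived from client-supplied state.
  if (req.uiSaysEnabled) return { status: 200, body: `${req.feature} ok` };
  return { status: 403, body: 'forbidden' };
}

// Corrected backend: the decision comes from the server's own account record. A
// request for a feature outside the plan can only come from a modified client,
// so it is worth recording for detection.
function strictHandler(accounts, req, audit = []) {
  const plan = accounts[req.user];
  if (!entitled(plan, req.feature)) {
    audit.push(`user=${req.user} plan=${plan} denied feature=${req.feature}`);
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: `${req.feature} ok` };
}

// Scenario: a free-plan user unhides "sharing" in the UI and calls the API.
function scenario(feature = 'sharing') {
  const accounts = { alice: 'free' }; // constructed account record
  const dom = unhideEverything(renderDashboard(accounts.alice));
  const el = dom.find((e) => e.feature === feature);
  const req = { user: 'alice', feature, uiSaysEnabled: el.style !== 'display: none' };
  const audit = [];
  return {
    hiddenBeforeTamper: renderDashboard('free').filter((e) => e.style !== '').length,
    weak: weakHandler(accounts, req).status,
    strict: strictHandler(accounts, req, audit).status,
    audit,
  };
}

console.log(JSON.stringify(scenario(), null, 2));
```

Run stand-alone, the scenario prints `weak: 200` and `strict: 403` for the same request; the audit line from the strict handler is the kind of server-side signal that tells you a client is presenting features its plan does not include.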
Is LastPass one of those password managers that only encrypt passwords and leave other data as is? I always cringe when password managers do that. This is a funny joke for anyone who understands even a little about cryptography.
According to their security notice from a couple of days ago, they have "fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."
So, according to them, they encrypt the other fields. I suppose the website field is unencrypted to enable autodetection or something like that.
This is very frustrating... I operated with LastPass on the assumption that the other data was encrypted in there, so backup authentication codes were stored there. Alas, time to invalidate a bunch of crap.
As a shameless plug I'd like to suggest the project that I have been using for my personal credentials for quite some years now: https://derivepass.com/ . The encrypted website metadata is stored only locally (with only optional remote sync, and even that has to be your own server), and the passwords are not stored at all (they are generated from your master password).
So I've been happily using LastPass for a long time, but it looks like it's time to migrate off this dumpster fire. What's the HN consensus on the best replacement (which must be usable by my entire family) and, at least as importantly, is there a reasonably painless migration path?
Bitwarden. I’ve been using them ever since Lastpass discontinued their free version. I simply made a text file export of all my pw’s on lastpass and imported them into Bitwarden. Just make sure you delete your text file!
I have been self-hosting bitwarden_rs for many years now, and am very happy with it. It's free as in freedom, open source, and designed to be run and operated and secured by you exclusively, so you have full control over your data and don't need to rely on a third party being available.
Probably not the "HN consensus", but if you have Apple devices the built-in password manager works great for me. You can even set up TOTP with each site and Safari will auto-fill.
I pay close attention to the UX and UI of the tools that I use that are security critical.
I switched off of LastPass 2 years ago and convinced my brother to do the same because some things in LastPass apps started to feel very old, especially their 2FA implementation, which signals to me that either their stack is inflexible or there's a lot of churn in their dev teams. When those things are true, that means they're probably just maintaining old code instead of evolving it. Or even more terrifying: they don't know what needs to evolve.
Their interface has always felt clunky and outdated. I used to use them many years ago but ended up switching to Bitwarden and then to 1Password. I checked LastPass out again a year or two ago, when evaluating if I wanted to stick with 1Password, and I was shocked to see that absolutely nothing had changed about their interface. Their password import-export mechanism was still a mess too. I had to manually fix up many entries in the output CSV.
I work at a large company and against the opinion of many engineers and infosec folks, lastpass was picked as our preferred corporate password storage. I'm just waiting for a call from infosec asking me to log on and to rotate a bunch of creds. Happy Holidays.
In light of this breach, can someone explain to me why it's not stupid to keep all your passwords in one place? I've never used a pw manager because it seems absolutely inevitable that these sorts of leaks happen. It just seems like an incredibly "put all your eggs in one basket" cargo-cult type move. I just can't stomach single points of failure like that for anything worth protecting.
Using a password manager is one of those infosec memes that gets oft repeated but doesn't make a lot of sense to me as being "more secure". To me it seems like your passwords existing outside of your head in any way is a risk, and to have them all in one place (even encrypted) seems way worse than having to go through the reset dance every once in a while because you forgot one.
EDIT: I was being a bit snarky and I apologize. As some commenters have rightly pointed out, for the average person this is better than the uneducated alternative of using the same PW everywhere, and as a method for reducing a random person's risk exposure it is extremely transmissible vs the alternatives.
That being said (as a commenter pointed out I should have included this in the post originally) I believe there are alternatives that are more secure such as using a mental algorithm that generates a unique password per site. I don't think that these sorts of things are prohibitively complicated, and I think never storing passwords outside of your head has a lot of benefits. That's my personal approach and I think it's a better way to go.
P.S. A lot of the fault lies with requiring accounts for things that don't actually require an account. Another problem that comes out of the SaaS model which can be completely avoided by just not making SaaS.
The average person, when not allowed to use a convenient password manager, will either use the same password for every site or come up with a predictable pattern. Encouraging a password manager helps make sure they don't get destroyed completely when a blog they signed up on 5 years ago is hacked.
This is partly because so many things want an account now. I have over 500 passwords saved; it would be straight up impossible to remember unique strings for each site.
The best tradeoff for me is (2)+(3) sacrificing (1), so I use a local password manager (named 'pass'). That said, I would never trust a 3rd party like LastPass.
I'm on the opposite side: I don't understand how a password manager can be compromised. Your passwords are encrypted and decrypted OFFLINE, on your device. You only ever send the ENCRYPTED vault. Your key never transits. How is that complicated?
The attack vector I'm worried about is a website I use improperly storing passwords (plaintext, etc) and having a leak. To protect against this I use a unique password per website. I cannot possibly remember a unique, secure password for every website I use.
For example, I am old and can't remember sh-t. I can only remember one master password, and I've already forgotten it twice. Now I have it backed up on a piece of paper. Looking forward to the day when I forget where I put that piece of paper ...
Use an offline password manager, avoid SaaS. Make sure it's secured with Argon2 and burns a few seconds of compute to unlock. Use hardware MFA tokens for your most critical accounts.
You could also tie individual copies of the database to the machine's TPM and only sync after decrypting (yet another factor).
> I believe there are alternatives that are more secure such as using a mental algorithm that generates a unique password per site.
That gets tedious when you also have to conform to stupid, different password policies on various sites.
If you want to compartmentalize things you could use multiple password databases with different master passwords? The master password is still something you have in your head.
If you don't keep your 2FA keys in your password manager, it offers much better protection than anything you can come up with in your head.
What happens when you need to change a password on one site? How do you know which password algorithm you're using on which site now?
Why am I asking you this? Because I was in the same situation and it became difficult to track. Now I keep all my passwords in a password manager, my 2FA codes in another app/service, and my recovery codes in a third place that's not connected with the first two in any way. Similarly, obviously, I don't have my 2FA service account + password in my password manager.
I am a LastPass user. Unfortunately. I have things in passwords notes field (like answers to security questions) because I assumed that the notes section was encrypted. Some comments here on HN made me think they are actually not encrypted. I asked if they were encrypted or not to LastPass support and to the support forum. That was 2 days ago and there has been no response. I’m going to take that as a no. I’m working right now to move off of LastPass. Unfortunately I have nearly 2,000 passwords on there, so it is taking forever.
How are you trying to move off such that it’s “taking forever”? Did you consider exporting your data from LastPass and importing the file into something like Bitwarden or KeePassXC?
Before deleting your account it would be a good measure to update passwords to passwords you don't really use. You never know if deleted data is deleted from the DB as well.
For sure but we also don’t know how much “effective dated” data they store. If a backup from 3 months ago is leaked… what the pw on the acct was the day you deleted it won’t matter.
I'm attempting to call support and get them to give me this year's Premium subscription fee back. On the support page for deleting the account, there's a link to Contact Support. [1]
edit: A rep called right away. They will not give me my money back. It's in their terms and conditions that they won't even if there is a security breach and it's been longer than 30 days since I paid.
Just deleted my account - everything was fine. One thing to note, there's nowhere in the UI or account settings tab to delete my account. I had to go directly to the link.
I'm not seeing a lot of clarity on what I should do as a LastPass user? Nothing? Move to 1Password? I can't use iCloud keychain because I use Chrome on Mac.
burpee | 3 years ago
This was 100% intentional on Lastpass' side
matheusmoreira | 3 years ago
I love it when web sites do stuff like this. Makes it so easy to reverse engineer and circumvent their little controls just like you did.
runlevel1 | 3 years ago
I think both no longer do, but the fact that they once did was very surprising to me.
[1]: https://1password.community/discussion/12237/metadata-is-not...
salil999 | 3 years ago
There's a nice migration guide here: https://support.1password.com/import-lastpass/
CraigJPerry | 3 years ago
I really dig the 2FA auto-copy to clipboard feature in bitwarden.
csomar | 3 years ago
They also have incredible support (browsers, iOS, apps, etc...)
jiggawatts | 3 years ago
Junior LastPass manager: "Okay!"
owlbynight | 3 years ago
Not regretting it so far.
0x45696e6172 | 3 years ago
Pick two:
Biganon | 3 years ago
And how did LastPass fuck this up anyway?
xboxnolifes | 3 years ago
So, I use a password manager.
avianlyric | 3 years ago
So you do use a centralised password manager. You just call it email, rather than 1Password.
nkrisc | 3 years ago
> I believe there are alternatives that are more secure such as using a mental algorithm that generates a unique password per site.
I’m going to forget it.
Either I use a centralized password keeper or the real login process is the reset password flow.
Using a password manager is probably more secure and convenient than whatever solution I can feasibly come up with on my own.
Everything requires a password and I will not be able to remember them all. It took me about 15 years to finally remember my own SSN.
itake | 3 years ago
- Password re-use
- Formulaic passwords
- Simple passwords that are easy to type on a phone
That are easily crackable
Or performing password recovery every time you want to login.
daveoc64 | 3 years ago
Take a look at the following analysis of the LastPass data structure:
https://github.com/cfbao/lastpass-vault-parser/blob/master/l...
hintoftime | 3 years ago
[1]: https://support.lastpass.com/help/iknow-my-masterpassword-ho...
gavinhoward | 3 years ago
* The entire file is encrypted,
* Using OPAQUE,
* On a FOSS local native client
* That integrates with a FOSS browser extension that pulls the information only from the local copy.
* And the only thing the server does is store the file and user account information.
How hard could it be? (Well, outside of getting the cryptography right.)
Looking at this incident and the behavior of LastPass, it seems it's impossible. Or it's too inconvenient for users.
pram | 3 years ago
Keychain integration with 2fa codes is really nice. Passkeys are awesome and I wish more sites implemented this. So far I only saw Google and eBay?