> I'm less thrilled about it being written in a garbage collected language
What are the security problems with garbage-collected languages?
(not being sarcastic, don't have an agenda, I have no previous knowledge on this, and am not a security expert. Just had never heard this suggested before, and am curious what he meant. Legit question!)
Usually security nuts like to overwrite the clear-text string with zeros or random characters before calling free() on it. This way, if this chunk of data stays in memory (which is most likely the case with libc's free()) it cannot be read by exploiting a buffer overflow.
With a garbage-collected language, programmers don't know when their variable is "free()ed", since it could be held in multiple threads, and the last thread dying will release the memory for this variable. Since programmers often don't know when the password variable will be "free()ed", it is very unlikely that they scramble the password before releasing the memory. This leads to the password being kept in some region of the program memory, in clear text, exploitable by a buffer overflow & co. for an indefinite amount of time.
People have described the concern about memory not being zeroed in a predictable way, but not why that's a security concern. And, honestly, for most people I don't think it is. If an attacker is in a position to read arbitrary memory out of your browser then the chance that they won't obtain something else about as powerful as a password (e.g., a valid session cookie) seems minimal. Or a crash dump file may include passwords, but then how does someone have access to that and not be able to read your cookie store? For a niche set of people I think there's greater concern around cold boot attacks - someone with physical possession of a suspended machine powers it off and quickly boots another OS, then dumps RAM (think laptop being taken away from you in an airport situation). That can be mitigated through firmware just wiping RAM on unclean boots (TCG has a spec for this, Linux and Windows implement it), and getting around that involves much more invasive attacks.
I don't want to say the concerns are entirely unwarranted, but I really don't think it's a big deal for the vast majority of people.
At the risk of conjuring a strawman, I've heard people worry about the loss of control, like maybe the process has some sensitive data in RAM that it will release and then the OS will alloc() it to another process. And that's true on one level, but nothing prevents a garbage collected language from overwriting all the data in a block of RAM as it free()s it. I think the risk of memory related bugs in a non-managed language is far, far greater than any GC-related hypothetical risks. And then you have languages like Rust which "feels" like it's a GC language because it manages all the alloc()s and free()s for you, but isn't GC at all because the language's semantics make those calls deterministic.
I'd vastly rather see sensitive security software developed in a modern garbage collected language (or in Rust and similar languages) than in C or C++.
The arguments people are giving about being able to explicitly call `free` make a lot of sense to me for getting rid of some attack vectors, but it still seems like the security risks of using a memory-unsafe language would heavily outweigh the risks of the garbage collector not clearing strings fast enough?
I know that's not an either-or proposition, there are memory safe languages that aren't garbage collected. But if people aren't talking about those languages, if they're just bringing up C or something...
I am not an expert, I might not know what I'm talking about here at all -- but my instinct is that I would rather see security-critical code written in a garbage collected language than in C. Frankly, I don't trust developers not to make memory errors in C.
Maybe I'm underestimating the risk of the garbage collector not zeroing out variables? Or maybe I'm over-complicating it and the answer is just the obligatory "write it in Rust" refrain so you can avoid both problems?
But I'm also a little surprised to see this line, my impression was that security advice was starting to trend towards recommending GC languages, not away from them.
These kinds of concerns are so funnily out of touch.
The real dangers always turn out to be crazily bad security practices (the kind obvious to everyone after the fact), not theoretical attacks that probably weren't ever demonstrated in the wild.
I'm not a specialist, but I suspect the rationale is that you have less control of how the memory is cleaned up after use. In particular, the GC can actually copy objects around without the programmer's knowledge, potentially making multiple copies of secrets which the programmer cannot clean up (by setting the bits randomly) later on. Without a GC, the programmer is able to know how many copies there are of any given secret and can dispose of them, if needed. On that note, writing their own "malloc" is probably a good choice.
That said, I'm sure there are workarounds even in GCed languages. For instance, you can usually create C extensions which could allocate and manage memory outside of the GC's control. So, such an extension could potentially give back memory control of certain special memory regions where secrets can be stored, while everything else just goes through normal GC.
I buy the explanations that they mostly want to be able to explicitly overwrite sensitive memory at a time of their choosing.
My question: do the nondeterministic execution pauses that garbage collection injects into a program's runtime aid or prevent timing attacks?
It seems like they would prevent them, since they make it that much harder to predict execution duration, but I have this vague impression that high-security operations are more likely to demand real-time computing. Maybe that's just incidental, and applications that must perform highly also tend to need to be secured from attack?
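To the timing question above: the jitter a collector adds is noise, and noise is averaged away by repeating the measurement; what matters is whether the code's running time depends on secret data. The added example below is mine, not any commenter's (Go, standard library only; all function names are my own and the "secret" is a constructed sample token). It shows an early-exit comparison being recovered one byte at a time from nothing but how far the comparison got, next to the constant-time comparison from crypto/subtle that leaks nothing.

```go
// Added example (not from the thread): GC jitter versus a timing attack, in Go.
package main

import (
	"crypto/subtle"
	"fmt"
)

// NaiveEqualSteps is the early-exit comparison most string equality gives you.
// It also reports how many bytes it looked at, which is the quantity an
// attacker recovers from response timing once noise (GC pauses, scheduling,
// network) has been averaged out over repeated measurements.
func NaiveEqualSteps(guess, secret []byte) (equal bool, steps int) {
	if len(guess) != len(secret) {
		return false, 0
	}
	for i := range guess {
		steps++
		if guess[i] != secret[i] {
			return false, steps
		}
	}
	return true, steps
}

// ConstantTimeEqual always touches every byte and never branches on secret
// data, so the work done is the same for every guess.
func ConstantTimeEqual(guess, secret []byte) bool {
	return subtle.ConstantTimeCompare(guess, secret) == 1
}

// RecoverViaStepOracle plays the attacker against the early-exit comparison.
// Knowing only the step count per query, it fixes one byte at a time: the
// guess that makes the comparison advance past the current position is the
// right one. Cost is at most 256 queries per byte instead of 256^len(secret).
func RecoverViaStepOracle(secret []byte) (recovered []byte, queries int) {
	guess := make([]byte, len(secret))
	for pos := range guess {
		for c := 0; c < 256; c++ {
			guess[pos] = byte(c)
			queries++
			equal, steps := NaiveEqualSteps(guess, secret)
			if equal || steps > pos+1 {
				break // comparison went past this position, so the byte is correct
			}
		}
	}
	return guess, queries
}

func main() {
	secret := []byte("correct-horse-16") // constructed sample token
	got, n := RecoverViaStepOracle(secret)
	fmt.Printf("recovered %q in %d queries (brute force would be 256^%d)\n", got, n, len(secret))
	fmt.Println("constant-time compare agrees:", ConstantTimeEqual(got, secret))
}
```

The step count stands in for a timing measurement; in a real attack each query is repeated until the GC and network noise averages out, which is why adding jitter only raises the number of samples needed, not the feasibility. Real-time requirements are a separate concern from this.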
I suppose it's a lot more difficult to wipe memory clean in a garbage collected language.
For example:
  password = "my-secret-password";
  // do stuff then remove the pass from memory
  password = "" or null or delete or unset
We have no guarantee that the first string "my-secret-password" will be collected and removed any time soon whereas in C or C++ we could just memset it before freeing it.
But that feels like a very generous interpretation, I'm sure the author really meant it as a "real programmers don't use GC language"...
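The point made by acatton, aflag and tredre3 above, as an added Go example (mine, not from the thread; function names are my own and the secret is a constructed sample): a mutable byte buffer can be wiped in place, the immutable string copy made from it cannot, and reassigning the variable only changes the reference, never the bytes.

```go
// Added example (not from the thread): what wiping a secret buys you in a
// garbage-collected language (Go here), and where it stops working.
package main

import "fmt"

// Wipe overwrites a mutable buffer in place. This is the []byte analogue of
// memset-before-free and works only while this slice is the sole copy.
// Caveat: in C the equivalent memset before free() can be removed by the
// optimizer as a dead store, which is why explicit_bzero/memset_s exist.
// Go gives no written guarantee either; in practice stores through a slice
// argument are kept.
func Wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// IsWiped reports whether every byte of b is zero.
func IsWiped(b []byte) bool {
	for _, c := range b {
		if c != 0 {
			return false
		}
	}
	return true
}

// StringCopySurvivesWipe is tredre3's snippet made concrete. Converting the
// secret to a string copies it into a new immutable allocation. Wiping the
// original afterwards works, but no language construct can zero the string
// copy; it stays readable until the collector reclaims it, and the freed
// memory is not scrubbed either. Assigning "" or nil to the variable changes
// the reference, not the bytes.
func StringCopySurvivesWipe(secret []byte) (bufferWiped bool, leakedCopy string) {
	s := string(secret)
	Wipe(secret)
	return IsWiped(secret), s
}

// UseSecret is the discipline that does work: keep the secret as []byte from
// the moment it is read, never convert it to string, and wipe in a defer so
// every return path clears it. Copies the runtime makes on its own (Go grows
// goroutine stacks by copying them) are outside this control, which is the
// residual risk acatton and aflag describe.
func UseSecret(secret []byte, use func(secret []byte)) {
	defer Wipe(secret)
	use(secret)
}

func main() {
	buf := []byte("my-secret-password") // constructed sample secret
	wiped, leaked := StringCopySurvivesWipe(buf)
	fmt.Printf("original wiped: %v; string copy still readable: %q\n", wiped, leaked)

	key := []byte("another-secret")
	UseSecret(key, func(s []byte) { fmt.Printf("using %d secret bytes\n", len(s)) })
	fmt.Println("wiped after use:", IsWiped(key))
}
```

The same split exists in other managed languages: Java's char[] versus String, Python's bytearray versus str. The wipe is cheap; the hard part is never letting the secret take the immutable form in the first place.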
> What are the security problems with garbage-collected languages?
None that I'm aware of. I think this is a petty swipe at programmers who use garbage-collected languages, implying they're "less" than programmers who use "real" languages that don't have garbage collection.
I have been a LastPass customer for over 10 years and I think this January when my yearly subscription ends, I will finally not be renewing.
I've shrugged off a lot of strangeness that has been happening with them as a fledgling company's growing pains. Unfortunately, this incident is the final straw. I think we are going to see a lot more come to light and their lack of any sort of transparency on this is a cardinal sin in the Infosec world. As an aside, it's interesting to see their fall from grace from their reception section on Wikipedia: https://en.m.wikipedia.org/wiki/LastPass#Reception
I’m moving to bitwarden and not looking back. I would be interested to see some people write about this transition as I’m not sure if I want to export/import or start anew and move things manually.
I just did the migration (to 1password though, sorry, the lack of tags is very bad for organization), as a customer of 6 years.
Key points:
- Refresh the website list from the extension before starting, ideally clear the extension cache first (will sign out)
- export from the extension
- attachments and password history are not exported
- there is a lastpass-cli that will help you export attachments
- there is a hacked together PR from myself that will help you export the password history
The import worked very well in 1password aside from attachments/history.
What I did though was tag all my passwords with "lp-breach-aug-2022" and then as I go through them and change them, I remove the tag
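Following on the export/import steps above, an added example (mine, not from any commenter; Go, standard library only): a converter from the LastPass CSV export to Bitwarden's CSV import that maps columns by header name, so a field can never shift silently into the wrong slot, refuses to run if a required column is missing, and prepends a rotation marker to each item's notes in place of the tags Bitwarden's CSV format lacks. The two header layouts are assumptions taken from the export and import documentation as I remember them; check them against the current docs before relying on this. The sample export is constructed, with fake credentials.

```go
// Added example (not from the thread): LastPass export to Bitwarden CSV, mapping
// columns by header name and marking every item for rotation. Go, stdlib only.
package main

import (
	"encoding/csv"
	"fmt"
	"io"
	"os"
	"strings"
)

// Bitwarden individual-vault CSV header. Assumption: matches the import format
// documented when this was written; check the current docs before relying on it.
var bitwardenHeader = []string{"folder", "favorite", "type", "name", "notes", "fields",
	"reprompt", "login_uri", "login_username", "login_password", "login_totp"}

// LastPass columns the converter refuses to run without. A renamed or missing
// column is an error, never a silent shift into the wrong field.
var requiredLastPass = []string{"url", "username", "password", "name"}

// ConvertLastPassRows reads a LastPass export and returns Bitwarden records,
// header first. marker, if non-empty, is prepended to each item's notes
// (Bitwarden CSV has no tags) so items can be found, rotated and cleaned up.
func ConvertLastPassRows(in io.Reader, marker string) ([][]string, error) {
	r := csv.NewReader(in)
	r.FieldsPerRecord = -1 // tolerate extra columns; we map by name, not position
	header, err := r.Read()
	if err != nil {
		return nil, fmt.Errorf("reading header: %w", err)
	}
	col := map[string]int{}
	for i, h := range header {
		col[strings.ToLower(strings.TrimSpace(h))] = i
	}
	for _, want := range requiredLastPass {
		if _, ok := col[want]; !ok {
			return nil, fmt.Errorf("export lacks column %q; refusing to guess", want)
		}
	}
	field := func(row []string, name string) string {
		if i, ok := col[name]; ok && i < len(row) {
			return row[i]
		}
		return ""
	}
	rows := [][]string{bitwardenHeader}
	for {
		row, err := r.Read()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("record %d: %w", len(rows), err)
		}
		fav := ""
		if field(row, "fav") == "1" {
			fav = "1"
		}
		notes := field(row, "extra")
		if marker != "" {
			notes = strings.TrimSpace(marker + "\n" + notes)
		}
		rows = append(rows, []string{field(row, "grouping"), fav, "login", field(row, "name"), notes, "", "0",
			field(row, "url"), field(row, "username"), field(row, "password"), field(row, "totp")})
	}
	return rows, nil
}

// WriteCSV emits the records. The output is plaintext credentials: write it to
// an encrypted location and shred it once the import has been verified.
func WriteCSV(out io.Writer, rows [][]string) error {
	return csv.NewWriter(out).WriteAll(rows)
}

// SampleExport is a constructed two-item LastPass export with fake credentials.
const SampleExport = `url,username,password,totp,extra,name,grouping,fav
https://example.com/login,alice,Tr0ub4dor&3,,"note line 1
note line 2",Example,Shopping,1
https://bank.example,alice@example.com,hunter2,JBSWY3DPEHPK3PXP,,Bank,Finance,0
`

func main() {
	rows, err := ConvertLastPassRows(strings.NewReader(SampleExport), "lp-breach-aug-2022: rotate")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := WriteCSV(os.Stdout, rows); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Fprintf(os.Stderr, "converted %d items\n", len(rows)-1)
}
```

Attachments and password history are not in the CSV at all, as noted above, so this only covers the login items; and as the other replies say, the exported credentials should be treated as compromised and rotated once the import is confirmed working.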
> I would be interested to see some people write about this transition as I’m not sure if I want to export/import or start anew and move things manually.
Did it about 18 months ago. I was expecting it to be more cumbersome than it was. Export from LastPass, import to BitWarden, manually compare.
Simples. It all worked IIRC, though I only have a few dozen entries as I'm in the habit of clearing old ones down. Left LastPass going for a few weeks just in case, then closed it down and the data was deleted.
Edit: If I was doing it now, I'd do it from scratch and change every LastPass-aware credential as I go. That info is out there now; you don't want to be using it any more.
Seeing more articles about export/import woes would be great.
When I moved over to KeePass I was able to export and import all of my passwords but the field labels got pretty mixed up, and it was a little bit of a pain to correct. That might be fixed now, but it would be interesting to see people's experiences importing into other services beyond just "here's how you export from LastPass to CSV".
Edit: as other people mentioned, I also didn't get any password history with my export, which isn't a big deal to me but is worth highlighting.
you can ask them to cancel ahead of time and get a refund as long as you explain it's because of the loss of trust and the fact that they don't provide the service they advertise. I did it yesterday and I encourage everyone to do it. Even if they stop, the refunds send a STRONG message to management. Also don't be shy to chargeback if your CC company allows you to. Companies like LastPass need to be made an example of, and you have the power in this situation.
I'll be in the same boat when my subscription is up, not sure exactly when it is (I should really check). My discontent had been growing for a while and it's been getting harder to defend it to friends and family, who I had to BEG to get to use a password manager to start, even though now they all swear by it. I'd like them to change along with me, but am worried about how difficult it would be.
I've made the transition to multiple different services over the years, not on a large professional scale so I cannot comment on doing that and I reckon doing that would require completely different advice than I am suggesting below.
I would highly recommend starting new. Every transition between managers has wound up leaving me having to manually delete fields after the fact anyways, or just keep those fields littering the manager. Sometimes even incorrect fields when moving away from LastPass which is even more of a bother. Starting new also gives you a chance to get more used to the new manager's features, and when transitioning you can add specific fields based on crucial information that might have otherwise been lost in automatic moves.
Use this transition as a justification to change your passwords to the services you use, and also a way to decide whether you want to keep using that service or submit a deletion (most you can do this on your own, other times you have to send a GDPR deletion request). I know it takes more effort, but spend a chill weekend doing so, and you'll be glad you did. Plus you can also review some security settings on your services, like force sign out all other devices and changing your 2FA settings.
Think of it as a new year refresh.
I used to be a LastPass user and also used to use their GoTo services for work. Shortly before all of this was revealed, I noticed a problem with their API and sent their customer service team a message about how their API is not working correctly and is simply responding with wrong data, and they basically said "too bad" and said they weren't gonna fix it due to time constraints. I even tried their forums but they deleted the thread, marking it as "Spam".
I then stopped using my account on LastPass and literally a few weeks later they revealed the "security incident". Had to change all my passwords but I'll never get near this company ever again.
I moved off of LastPass a while ago, but hadn't actually deleted my account because of laziness/inertia. This breach was finally the impetus to get me to full-on delete my vault and start the process of cleaning up my old accounts.
Luckily I've been off of it long enough that I suspect most of my regularly used accounts are different anyways, but I'm still going through the process now of methodically rotating all of them (I may change some of the email addresses as well).
----
I think a lot of people even casually knew LastPass wasn't at the same quality level as other solutions, but inertia is powerful. Sometimes you need something glaring to be the final straw that breaks the camel's back.
It's been long overdue; I moved off of Gmail as well a while ago but haven't gone through and systematically changed all of my account email addresses; there are still a few older services I have that send emails over. The new year is a good opportunity to clean that stuff up.
The scariest part was that it was a backup of theirs that was stolen. So deleting all your info might not have even protected it. It could still be in an old backup and get stolen. :(
I've deleted my stuff now anyway, it's all we can do. :(
I think that keepass with periodic manual backups of the keystore is the right solution for most people (maybe not for orgs.) I've never trusted these "cloud" password companies to do their job right.
After reading this, I acted on a decision I was on the fence about. I already have moved to Bitwarden and like it a lot better, but this post prompted me to go into LastPass and actively delete my account.
The next thing to do will be to start changing passwords. As with most of us, that's a project of serious scope that I do not look forward to.
> As with most of us, that's a project of serious scope that I do not look forward to.
I've spent the better part of the past three days doing just this. Get some good music and some good coffee, and it can actually be pretty cathartic. I enjoyed the hygiene exercise much more than I thought I would.
Same boat. I'm mentally kicking myself having moved off so long ago but not having taken the final action that would have prevented me from being caught up in this breach at all.
When I first moved off I didn't want to close the account just in case something went wrong with the transition. But after it was clear that the transition was fine, then I should have gone back and just finished up the final step.
I probably needed to do a full account cleanup anyway at some point, but I just wish I had been slightly more proactive about deleting my data. It's a good lesson to learn, I'm thinking that as part of the account cleanup I should also take a look at what other accounts I have lying around that are unnecessary.
So I've been doing this and I strongly recommend keeping LastPass (LP) until you've deleted all your credentials from there.
My workflow is to launch the login from LP (using the app), use those credentials, and change the passwords using Bitwarden. Otherwise, you might accidentally set a new password that doesn't actually work and have to go through painful password reset processes.
I migrated maybe 2 years ago and deleted my LP account. But I'm now wondering if that delete REALLY wiped my account? Including some long-term backup or something? Has anyone asked LastPass? Anyone here with internal knowledge?
I may never find out for sure, even if I ask LastPass...
The post looks a bit weird on first sight: "I always knew LastPass has a ton of flaws, but promoted it anyway".
This may make sense though. LastPass seemed to be the only one with a good enough UX. And without a good enough UX, you can't make users actually use it. Using an imperfect but usable password manager is still much better than not using one with better security but poor UX.
(Here comes the old adage: make the friction low for the customer, and any shortcomings elsewhere will matter little.)
LP extension and web vault ARE pure garbage:
1. It can't even recognize sites correctly?! WTF, really. I usually get 10 or so (seemingly random) hits for any site but not the one that I should.
2. It offers me to extend pro support 5 years after I stopped paying for it. What do I need to do for it to stop, ffs?
3. Its UI is simply outrageous, i.e. if you search something it shows empty folders among those that contain the item, etc.
I recommend NextCloud Passwords plugin: https://apps.nextcloud.com/apps/passwords
It's awesome, supports team work, and if you have NC it's a no-brainer. Probably too much work to install NC if you don't use it, but in a small company setting it's probably a good idea as you need an online office anyway.
I moved to Bitwarden from KeePass and haven't looked back.
The UIX of Bitwarden can be a bit meh at times but it's also boring, predictable, and solid. I'm just saying this as someone who hates save buttons in the upper-right hand corner of things - just... small nitpicky stuff like that. Sometimes I have to look for a button or their use of iconography confuses me a bit.
I would do my own hosting for a distributed password database but the older I get the less I trust myself to keep that stuff locked down and patched. Given the number of users I feel Bitwarden has more skin in the game to keep their solutions tight.
If you're not looking to self-host I can't recommend Bitwarden enough!
Reading about what password managers people prefer is interesting and a good example of why UI is hard. The fact some people like lastpass UI is fascinating but also not surprising because it does have a less modern look that some people could be into.
I used Google Passwords for a long time before deciding to move to something not OS dependent. My first pick was LastPass. I used it for maybe one month, but found their browser extension and Android app pretty bad. So I decided to move to BitWarden. I am very glad that I did this, otherwise I would have been changing all my passwords like a maniac.
I use a mix of pass(1) and LastPass, but this incident has convinced me to put everything on pass. But I don't really use it the "recommended" way, where you put the password on the first line. It's not a great fit for a consultant when half my customers want to give me my own Gmail/Atlassian/etc account. So I tend to keep big files of free-form text instead. But if I'm going to use it with a browser, the manual copy-paste will get annoying, and I want to switch to the normal pattern. Does anyone have any suggestions? I guess with decent auto-complete I can do something like `google/foo` and `google/bar`. If you have tips let me know!
I consider the flexibility of pass(1) to be one of the best features. In my case, I use a hierarchy to manage secrets across different orgs and classifications. The structure I use is: [ORGANIZATION]/[CLASSIFICATION]/[SITE|APP]/[USER]
The folder structure allows for different keys to be used in .gpg-id files, so secret access can be limited on different devices based on which keys are available. For example, only a subset of keys are available on my android phone via the Password Store app from F-Droid, with all devices using a shared password-store synced using git(1).
Completion with bash works well (on Fedora) and following the convention of having the password on the first line allows for the android app to work and you don't need to worry about someone looking over your shoulder by using 'pass -c ...'.
Well, that sounds bad. I mean, I'm not an infosec expert, but I can follow enough of that to see that it's not good. I use Lastpass at work, because we have a site license, but maybe I'll look into whether I can switch over to bitwarden. I don't expect perfect security, but I expect them to at least try.
LastPass user experience has grown terrible over the years. The iOS app regularly freezes for over ten seconds with no response.
Trying to login to LastPass on a second device, with 2FA enabled, regularly takes me over five minutes. Why?
Login to app. Lastpass tries to auth using watch app. That's broken, so ask for a SMS. Enter SMS.
That doesn't work. it wants master password again. Ok we're in! but now whatever flow to login to an app is broken. Open app, try and use the helpful keyboard shortcut that's broken. ok go back to last pass. copy the password. Oops it wants to enter master password again. Ok. Good thing I picked a long master password. Ok now back in. need to search the site I wanted. got it. copy password, switch apps, paste. DONE!
Also, security vulnerabilities?! Definitely going to switch to Bitwarden.
I feel like a shill at this point but just use Bitwarden. open source, cloud sync by default, alternative self-hostable backend if you want to, no device limit, doesn't cost anything which is just about the only thing that concerns me because the free plan seems too good honestly.
> In fact, if password management is done correctly, I should be able to host my vault anywhere, even openly downloadable (open S3 bucket, unauthenticated HTTPS, etc.) without concern
This is the key point. Properly implemented, you should feel very relaxed if your encrypted data is leaked.
I'm using BitWarden, but 1Password's "secret key" concept is smart, it means your data is still very secure even if your password sucks.
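What "done correctly" has to mean for the quoted claim, as an added Go example (mine, not from the thread; standard library only; function names are my own): the vault key comes from the master password through PBKDF2, and optionally from a high-entropy secret key that is never stored alongside the vault. An attacker holding the leaked blob and salt can try a wordlist offline; the example shows a weak master password falling without the secret key and holding with it. PBKDF2 is written out because it is not in Go's standard library; the HMAC mixing step is a simplified illustration of the 1Password idea, not their actual construction; the iteration count and the fixed secret key are kept small and constant for the demo.

```go
// Added example (not from the thread): why a leaked encrypted vault is only
// safe if its key depends on something the attacker cannot guess. Go, stdlib.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// pbkdf2SHA256 implements RFC 8018 PBKDF2 with HMAC-SHA-256 as the PRF.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// VaultKey derives the 256-bit vault key. With secretKey nil the only input the
// attacker lacks is the master password, so the iteration count is the whole
// defence (OWASP's current floor for PBKDF2-HMAC-SHA256 is 600,000; the demo
// uses far fewer). A random secret key that never leaves the user's devices
// makes the offline search infeasible however weak the password is.
func VaultKey(master, secretKey, salt []byte, iter int) []byte {
	stretched := pbkdf2SHA256(master, salt, iter, 32)
	if len(secretKey) == 0 {
		return stretched
	}
	m := hmac.New(sha256.New, secretKey)
	m.Write(stretched)
	return m.Sum(nil)
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the vault with AES-256-GCM, prepending the random nonce.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open authenticates and decrypts a Seal output; a wrong key fails cleanly.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// OfflineGuess is the attacker holding the leaked blob and salt, trying a
// wordlist with whatever secret key it has (nil when none was ever stored
// server-side). It returns the password that decrypts the vault, or "".
func OfflineGuess(blob, salt []byte, iter int, words []string, secretKey []byte) string {
	for _, w := range words {
		if _, err := Open(VaultKey([]byte(w), secretKey, salt, iter), blob); err == nil {
			return w
		}
	}
	return ""
}

func main() {
	salt, iter := []byte("constructed-salt"), 1000
	words := []string{"letmein", "password123", "hunter2"} // constructed wordlist
	secretKey := []byte("0123456789abcdef")               // stand-in for a random per-account key
	vault := []byte(`{"example.com":"s3cret"}`)           // constructed vault contents
	for _, sk := range [][]byte{nil, secretKey} {
		blob, _ := Seal(VaultKey([]byte("password123"), sk, salt, iter), vault)
		fmt.Printf("secret key in use: %-5v attacker recovers %q\n", sk != nil, OfflineGuess(blob, salt, iter, words, nil))
	}
}
```

The secret key only helps if it is genuinely absent from whatever the attacker took: it has to be generated on the device, shown to the user once, and never uploaded with the vault. With it, a stolen blob is as good as random; without it, the blob is exactly as strong as the master password plus the iteration count.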
Use of 3rd party password trackers has been a periodic concern for our organization. We do B2B business with banks, so the temperature is increased somewhat. There are kinds of credentials we have access to that genuinely terrify me.
I've been debating building an in-house solution for managing secrets, if for no other reason than to get all of this information off of 3rd party computers. No serious proposals have been put forth, but I don't think this stuff is exactly rocket science either. Our requirements are functionally-equivalent to a copy of passwords.xlsx on a network share.
I jumped the LastPass ship a couple of years back. There had been some security incidents at that time, but they could still be downplayed.
What drove me away was the lingering impression that they were more focused on figuring out how to monetize their product, rather than improving it: e.g. one year feature X required a $1/m plan, next year it was free, and the third year it required the $5/m plan. At the same time, their apps/extensions seemed sluggish and stagnant.
That didn't exactly inspire trust in a product that is essentially the gateway to most of my online activities.
[+] [-] jrochkind1|3 years ago|reply
What are the security problems with garbage-collected languages?
(not being sarcastic, don't have an agenda, I have no previous knowledge on this, and am not a security expert. Just had never heard this suggested before, and am curious what he meant. Legit question!)
[+] [-] acatton|3 years ago|reply
With garbage collected language, programmers don't know when their variable is "free()ed", since it could be held in multiple thread, and the last thread dying will release the memory for this variable. Since programmers often don't know when the password variable will be "free()ed", it is very unlikely that they scrambled the password before releasing the memory. Thus, leading to the password being kept in some region of the program memory, in clear text, exploitable by a buffer overflow & co. for an indefinite amount of time.
[+] [-] mjg59|3 years ago|reply
I don't want to say the concerns are entirely unwarranted, but I really don't think it's a big deal for the vast majority of people.
[+] [-] kstrauser|3 years ago|reply
I'd vastly rather see sensitive security software developed in a modern garbage collected language (or in Rust and similar languages) than in C or C++.
[+] [-] danShumway|3 years ago|reply
I know that's not an either-or proposition, there are memory safe languages that aren't garbage collected. But if people aren't talking about those languages, if they're just bringing up C or something...
I am not an expert, I might not know what I'm talking about here at all -- but my instinct is that I would rather see security-critical code written in a garbage collected language than in C. Frankly, I don't trust developers not to make memory errors in C.
Maybe I'm underestimating the risk of the garbage collector not zeroing out variables? Or maybe I'm over-complicating it and the answer is just the obligatory "write it in Rust" refrain so you can avoid both problems?
But I'm also a little surprised to see this line, my impression was that security advice was starting to trend towards recommending GC languages, not away from them.
[+] [-] hcks|3 years ago|reply
The real dangers always turns out to be crazily bad security practices (the kind obvious to everyone after the fact), not theoretical attacks that probably weren’t ever demonstrated in the wild.
[+] [-] aflag|3 years ago|reply
That said, I'm sure there are workarounds even in GCed languages. For instance, you can usually create C extensions which could allocate and manage memory outside of the GC's control. So, such extesion could potentially give back memory control of certain special memory regions where secrets can be stored, while everything else just goes through normal GC.
[+] [-] letmeinhere|3 years ago|reply
My question: does the nondeterministic execution pauses that garbage collection injects into a program's runtime aid or prevent timing attacks?
It seems like it would prevent them, since it makes it that much harder to predict execution duration, but I have this vague impression that high-security operations are more likely to demand real-time computing. Maybe that's just incidental, and applications that must highly perform also tend to need to be secured from attack?
[+] [-] tredre3|3 years ago|reply
For example:
We have no guarantee that the first string "my-secret-password" will be collected and removed any time soon whereas in C or C++ we could just memset it before freeing it.But that feels like a very generous interpretation, I'm sure the author really meant it as a "real programmers don't use GC language"...
[+] [-] ffssffss|3 years ago|reply
[+] [-] grecy|3 years ago|reply
None that I'm aware of. I think this is a petty swipe at programmers who use garbage-collected languages, implying they're "less" than programmers who use "real" languages that don't have garbage collection.
[+] [-] samtho|3 years ago|reply
I’ve shrugged off a lot of strangeness that has been happening with them as a fledging company’s growing pains. Unfortunately, this incident is the final straw. I think we are going to see a lot more come to light and their lack of any sort of transparency on this is a cardinal sin in the Infosec world. As an aside, it’s interesting to see their fall from grace from their reception section on Wikipedia: https://en.m.wikipedia.org/wiki/LastPass#Reception
I’m moving to bitwarden and not looking back. I would be interested to see some people write about this transition as I’m not sure if I want to export/import or start anew and move things manually.
[+] [-] Fire-Dragon-DoL|3 years ago|reply
Key points: - Refresh the website list from the extension before starting, ideally clear the extension cache first (will sign out) - export from the extension - attachments and password history are not exported - there is a lastpass-cli that will help you export attachments - there is a hacked together PR from myself that will help you export the password history
The import worked very well in 1password aside from attachments/history. What I did though was tag all my password with "lp-breach-aug-2022" and then as I go through them and change them, I remove the tag
[+] [-] kcartlidge|3 years ago|reply
Did it about 18 months ago. I was expecting it to be more cumbersome than it was. Export from LastPass, import to BitWarden, manually compare.
Simples. It all worked IIRC, though I only have a few dozen entries as I'm in the habit of clearing old ones down. Left LastPass going for a few weeks just in case, then closed it down and the data was deleted.
Edit: If I was doing it now, I'd do it from scratch and change every LastPass-aware credential as I go. That info is out there now; you don't want to be using it any more.
[+] [-] danShumway|3 years ago|reply
When I moved over to KeePass I was able to export and import all of my passwords but the field labels got pretty mixed up, and it was a little bit of a pain to correct. That might be fixed now, but it would be interesting to see people's experiences importing into other services beyond just "here's how you export from LastPass to CSV".
Edit: as other people mentioned, I also didn't get any password history with my export, which isn't a big deal to me but is worth highlighting.
[+] [-] luckydata|3 years ago|reply
[+] [-] spacefiish|3 years ago|reply
[+] [-] waboremo|3 years ago|reply
I would highly recommend starting new. Every transition between managers has wound up leaving me having to manually delete fields after the fact anyways, or just keep those fields littering the manager. Sometimes even incorrect fields when moving away from LastPass which is even more of a bother. Starting new also gives you a chance to get more used to the new manager's features, and when transitioning you can add specific fields based on crucial information that might have otherwise been lost in automatic moves.
Use this transition as a justification to change your passwords to the services you use, and also a way to decide whether you want to keep using that service or submit a deletion (most you can do this on your own, other times you have to send a GDPR deletion request). I know it takes more effort, but spend a chill weekend doing so, and you'll be glad you did. Plus you can also review some security settings on your services, like force sign out all other devices and changing your 2FA settings.
Think of it as a new year refresh
[+] [-] snehk|3 years ago|reply
I then stopped using my account on LastPass and literally a few weeks later they revealed the "security incident". Had to change all my passwords but I'll never get near this company ever again.
[+] [-] danShumway|3 years ago|reply
Luckily I've been off of it long enough that I suspect most of my regularly used accounts are different anyways, but I'm still going through the process now of methodically rotating all of them (I may change some of the email addresses as well).
----
I think a lot of people even casually knew LastPass wasn't at the same quality level as other solutions, but inertia is powerful. Sometimes you need something glaring to be the final straw that breaks the camel's back.
It's been long overdue; I moved off of Gmail as well a while ago but haven't gone through and systematically changed all of my account email addresses; there are still a few older services I have that send emails over. The new year is a good opportunity to clean that stuff up.
[+] [-] ChrisClark|3 years ago|reply
I've deleted my stuff now anyway, it's all we can do. :(
[+] [-] LarryMullins|3 years ago|reply
[+] [-] geocrasher|3 years ago|reply
The next thing to do will be to start changing passwords. As with most of us, that's a project of serious scope that I do not look forward to.
[+] [-] joegahona|3 years ago|reply
I've spent the better part of the past three days doing just this. Get some good music and some good coffee, and it can actually be pretty cathartic. I enjoyed the hygiene exercise much more than I thought I would.
[+] [-] danShumway|3 years ago|reply
When I first moved off I didn't want to close the account just in case something went wrong with the transition. But after it was clear that the transition was fine, then I should have gone back and just finished up the final step.
I probably needed to do a full account cleanup anyway at some point, but I just wish I had been slightly more proactive about deleting my data. It's a good lesson to learn, I'm thinking that as part of the account cleanup I should also take a look at what other accounts I have lying around that are unnecessary.
[+] [-] dqv|3 years ago|reply
My workflow is to launch the login from LP (using the app), use those credentials, and change the passwords using Bitwarden. Otherwise, you might accidentally set a new password that doesn't actually work and have to go through painful password reset processes.
[+] [-] barbazoo|3 years ago|reply
[+] [-] jve|3 years ago|reply
I may never find out for sure, even if I ask LastPass...
[+] [-] nine_k|3 years ago|reply
This may make sense though. LastPass seemed to be the only one with a good enough UX. And without a good enough UX, you can't make users actually use it. Using an imperfect but usable password manager is still much better than not using one with better security but poor UX.
(Here comes the old adage: make the friction low for the customer, and any shortcomings elsewhere will matter little.)
[+] [-] majkinetor|3 years ago|reply
LP extension and web vault ARE pure garbage:
1. It can't even recognize sites correctly?! WTF, really. I usually get 10 or so (seemingly random) hits for any site, but not the one that I should.
2. It offers me to extend pro support 5 years after I stopped paying for it. What do I need to do for it to stop, ffs.
3. Its UI is simply outrageous, i.e. if you search something it shows empty folders among those that contain the item etc.
I recommend NextCloud Passwords plugin: https://apps.nextcloud.com/apps/passwords
It's awesome, supports teamwork, and if you have NC it's a no-brainer. Probably too much work to install NC if you don't use it, but in small-company settings it's probably a good idea as you need an online office anyway.
[+] [-] folkhack|3 years ago|reply
The UIX of Bitwarden can be a bit meh at times, but it's also boring, predictable, and solid. I'm just saying this as someone who hates save buttons in the upper right-hand corner of things - just... small nitpicky stuff like that. Sometimes I have to look for a button or their use of iconography confuses me a bit.
I would do my own hosting for a distributed password database but the older I get the less I trust myself to keep that stuff locked down and patched. Given the number of users I feel Bitwarden has more skin in the game to keep their solutions tight.
If you're not looking to self-host I can't recommend Bitwarden enough!
[+] [-] jeffybefffy519|3 years ago|reply
[+] [-] rvz|3 years ago|reply
By just searching "LastPass" it is almost always a security breach or hack. [0]
[0] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
[+] [-] psnehanshu|3 years ago|reply
[+] [-] tasuki|3 years ago|reply
You gave them your passwords. What makes you think your passwords are safe?
[+] [-] pjungwir|3 years ago|reply
[+] [-] SailingCactus33|3 years ago|reply
e.g.:
Personal/Confidential/google.com/[email protected]
Client1/Secret/google.com/[email protected]
The folder structure allows for different keys to be used in .gpg-id files, so secret access can be limited on different devices based on which keys are available. For example, only a subset of keys are available on my android phone via the Password Store app from F-Droid, with all devices using a shared password-store synced using git(1).
Completion with bash works well (on Fedora), and following the convention of having the password on the first line allows the Android app to work; you don't need to worry about someone looking over your shoulder if you use 'pass -c ...'.
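The per-folder .gpg-id lookup described above, as an added example that is not the commenter's code: it models how pass resolves recipients (the nearest .gpg-id at or above an entry) against a constructed store layout with placeholder key IDs, and checks which device can decrypt which entry.

```python
# Added example (not the commenter's code): how pass-style stores pick the
# GnuPG recipients for an entry. pass encrypts each entry to the key IDs listed
# in the nearest .gpg-id at or above it, so a sub-folder with its own .gpg-id can
# exclude keys that only exist on other devices. Key IDs/layout are constructed.
import tempfile
from pathlib import Path

LAPTOP_KEY = "LAPTOP-KEY-PLACEHOLDER"  # constructed, not a real key ID
PHONE_KEY = "PHONE-KEY-PLACEHOLDER"    # constructed, not a real key ID


def build_store() -> Path:
    """Create a constructed password-store layout in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="pass-store-"))
    # Root .gpg-id: every device may read Personal/... entries.
    (root / ".gpg-id").write_text(f"{LAPTOP_KEY}\n{PHONE_KEY}  # phone\n")
    # Client1/.gpg-id overrides the root: laptop only, phone excluded.
    (root / "Client1").mkdir()
    (root / "Client1" / ".gpg-id").write_text(f"{LAPTOP_KEY}\n")
    for entry in ("Personal/Confidential/google.com/user",
                  "Client1/Secret/google.com/user"):
        p = root / f"{entry}.gpg"
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")  # ciphertext stand-in; contents are irrelevant here
    return root


def recipients_for(root: Path, entry: str) -> list[str]:
    """Walk from the entry's directory up to the store root and return the key
    IDs from the first .gpg-id found ('#' comments and blank lines ignored,
    as pass does)."""
    current = (root / entry).parent
    while current != root and not (current / ".gpg-id").is_file():
        current = current.parent
    gpg_id = current / ".gpg-id"
    if not gpg_id.is_file():
        raise FileNotFoundError("store is not initialised: no .gpg-id found")
    keys = []
    for line in gpg_id.read_text().splitlines():
        key = line.split("#", 1)[0].strip()
        if key:
            keys.append(key)
    return keys


def device_can_decrypt(root: Path, entry: str, device_keys: set[str]) -> bool:
    """True if any key present on the device is a recipient of the entry."""
    return bool(set(recipients_for(root, entry)) & device_keys)
```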
[+] [-] malteof|3 years ago|reply
[+] [-] Veen|3 years ago|reply
[+] [-] olkingcole|3 years ago|reply
[+] [-] mattwad|3 years ago|reply
[+] [-] Finnucane|3 years ago|reply
[+] [-] AceJohnny2|3 years ago|reply
[+] [-] cwoolfe|3 years ago|reply
[+] [-] Barrin92|3 years ago|reply
[+] [-] TillE|3 years ago|reply
This is the key point. Properly implemented, you should feel very relaxed if your encrypted data is leaked.
I'm using BitWarden, but 1Password's "secret key" concept is smart, it means your data is still very secure even if your password sucks.
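The "secret key" idea in the comment above, as an added illustration that is neither the commenter's code nor 1Password's implementation: the vault key is derived from both the password and a random device-held secret, so leaked server data cannot be checked against password guesses alone. The KDF parameters and XOR mixing are assumptions for demonstration.

```python
# Added illustration (not the commenter's code, not 1Password's real scheme):
# why a device-held secret key protects a vault even with a weak password.
# The KDF parameters and XOR mixing below are assumptions for demonstration.
import hashlib
import hmac
import secrets

ITERATIONS = 10_000  # kept low for demo speed; real products use far more


def derive_vault_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Mix a slow password hash with a keyed hash of the 128-bit secret key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    sk_part = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def verifier(vault_key: bytes) -> bytes:
    """Stand-in for the server-held ciphertext a guess would be tested against."""
    return hashlib.sha256(b"verify" + vault_key).digest()


def guesses_verify(candidates, salt, target, secret_key):
    """Return the candidate password that reproduces `target` with the given
    secret key, or None. Models an offline check against leaked server data."""
    for pw in candidates:
        if verifier(derive_vault_key(pw, secret_key, salt)) == target:
            return pw
    return None


def demo():
    weak_password = "password123"         # constructed, deliberately weak
    secret_key = secrets.token_bytes(16)  # generated on the device, never uploaded
    salt = secrets.token_bytes(16)
    target = verifier(derive_vault_key(weak_password, secret_key, salt))
    wordlist = ["123456", "password", "password123"]  # contains the real password
    # Server data only: no secret key, so even the correct password does not
    # verify (a guesser would also face the 2^128 secret-key space).
    without_sk = guesses_verify(wordlist, salt, target, b"\x00" * 16)
    # If the device's secret key is also compromised, the weak password falls.
    with_sk = guesses_verify(wordlist, salt, target, secret_key)
    return without_sk, with_sk
```

The second result is the reason the secret key must stay off the server: it only helps while the two factors are stored in different places.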
[+] [-] unknown|3 years ago|reply
[deleted]
[+] [-] wnevets|3 years ago|reply
[+] [-] bob1029|3 years ago|reply
I've been debating building an in-house solution for managing secrets, if for no other reason than to get all of this information off of 3rd party computers. No serious proposals have been put forth, but I don't think this stuff is exactly rocket science either. Our requirements are functionally-equivalent to a copy of passwords.xlsx on a network share.
[+] [-] m000|3 years ago|reply
What drove me away was the lingering impression that they were more focused on figuring out how to monetize their product rather than improving it: e.g. one year feature X required a $1/m plan, next year it was free, and the third year it required the $5/m plan. At the same time, their apps/extensions seemed sluggish and stagnant.
That didn't exactly inspire trust in a product that is essentially the gateway to most of my online activities.