
LastPass Extension slows Chrome's responsiveness by up to 50% - pastelsky
https://twitter.com/_pastelsky/status/1180864405648502784
======
scottfr
If you take a look at their extension, it injects a number of separate content
scripts on the document_start event for a webpage. This blocks document
loading and Google's recommendation is to load content scripts on
document_idle which would not block loading.

These scripts that are injected into every page (including all iframes)
include this one which is a 25,000 line file:

[https://crxcavator.io/source/hdokiejnpimakedhajhdlcegeplioah...](https://crxcavator.io/source/hdokiejnpimakedhajhdlcegeplioahd/4.34.0.6?file=onloadwff.js)

Things like this can have large impact on performance. My company develops a
Chrome extension and we are very focused on optimizing the performance of our
content script and minimizing its impact on host pages. We handwrite all the
JavaScript code in the content script and manually include the very few third
party dependencies we have in it. Yes, it would be a lot easier to use NPM
with Webpack to build the content script file, but it's important to keep
content scripts as slim as possible.
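
An added example, not part of the comment above and not code from any extension discussed in this thread: a small Node.js audit of the three manifest settings the comment describes (`run_at`, `all_frames`, and broad `matches` patterns). The sample manifest and its file names are constructed for illustration.

```javascript
// Added example (not from the thread): audit a Chrome extension manifest for
// content scripts that load early, in every frame, on every site.
// SAMPLE_MANIFEST is constructed for illustration; file names are hypothetical.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditContentScripts(manifest) {
  return (manifest.content_scripts || []).map((entry, index) => {
    const runAt = entry.run_at || "document_idle"; // Chrome's default when omitted
    const allFrames = entry.all_frames === true;   // default is top frame only
    const broadMatches = (entry.matches || []).filter((m) => BROAD_PATTERNS.has(m));
    const issues = [];
    if (runAt === "document_start") {
      issues.push("run_at document_start: injected before the page's DOM is built");
    }
    if (allFrames) issues.push("all_frames: also injected into every iframe");
    if (broadMatches.length > 0) {
      issues.push("matches every site: " + broadMatches.join(", "));
    }
    // All three together means the script's cost is paid on every page load.
    const severity = issues.length === 3 ? "high" : issues.length > 0 ? "review" : "ok";
    return { index, files: entry.js || [], runAt, allFrames, broadMatches, issues, severity };
  });
}

const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Example password manager (constructed)",
  content_scripts: [
    { matches: ["http://*/*", "https://*/*"], js: ["autofill-bundle.js"],
      run_at: "document_start", all_frames: true },
    { matches: ["https://*/*"], js: ["form-detect.js"] },
    { matches: ["https://vault.example.com/*"], js: ["vault-ui.js"], run_at: "document_end" },
  ],
};

for (const f of auditContentScripts(SAMPLE_MANIFEST)) {
  console.log(`[${f.severity}] ${f.files.join(", ")} (run_at=${f.runAt}, all_frames=${f.allFrames})`);
  f.issues.forEach((issue) => console.log("    - " + issue));
}
```

To check an installed extension, pass the parsed contents of its `manifest.json` to `auditContentScripts` in place of the sample.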

~~~
greggman2
Also their Privacy Policy says they spy on absolutely everything and share it
with anyone and everyone. Just guessing that's what some of those 25k lines
do.

~~~
sieabahlpark
Gotta make sure your passwords are nice and safe while selling your data to
subsidize your password vault.

------
tmikaeld
I used LastPass for many years until I got tired of the slowness/high CPU,
then I saw that Bitwarden had done a lot of work on performance and switched
to it.

Never had any issues and I have at least a thousand entries.

And quickly searching passwords is one thing, but Lastpass was slow with
filling forms and input fields too. Bitwarden uses the same method as
1password[1] for autofill, which works great!

[1]
[https://github.com/bitwarden/browser/blob/master/src/content...](https://github.com/bitwarden/browser/blob/master/src/content/autofill.js)

~~~
kevindong
My main reason for switching away from LastPass was that Bitwarden's UI was
much better looking. It's been working great for me since then (even after
switching from Chrome to Safari).

~~~
rhino369
Can you export your passwords from LastPass to bitwarden easily?

~~~
psv1
Yep - I just did it after reading this post.

~~~
dstroot
Me too.

------
overcast
This is my experience with everything LastPass touches. Chrome, Firefox,
Standalone, iOS, same unresponsive nonsense. Thankfully that's limited to only
the corporate environment for me, but if you have a choice, 1password has been
amazingly slick for me outside of it.

~~~
pmiller2
Funny you should mention the corporate environment. My company has a LastPass
subscription and encourages us to use it, but they don’t prevent us from
installing extensions, within reason. Given that, are there any good
alternatives that are both secure and trustworthy while imposing as small a
performance burden as possible?

~~~
overcast
I signed up for 1Password's Cloud service, because I needed it on just about
every OS and browser under the sun. Works great!

------
cpbotha
I did this same experiment in September of last year. (just checked my orgmode
notes)

My conclusion then was that the speedometer 2.0 benchmark is dominated by page
load, because it does that a zillion times as it goes through all the
different todomvc implementations.

The lastpass performance tax shows up mostly during page load.

The question is, how representative is the speedometer benchmark of normal use?

~~~
pastelsky
It isn't perfect, and it does penalize LastPass's behaviour more due to its
poor startup performance.

But I don't think it is entirely unrepresentative of real world performance.

If your hypothesis is correct — if you have LastPass installed, your pages are
probably going to load slower and you'll experience a longer "uncanny valley".
The tax paid is worse for pages that are otherwise lightweight.

~~~
y4mi
> _uncanny valley_

You might want to look up that term sometimes. It means something different
than you seem to think.

~~~
pastelsky
I was referring to the time between the browser paints your site and when JS
execution kicks in.

See
[https://www.fastly.com/cimages/6pk8mg3yh2ee/3Toq5jWy0EuqG8KU...](https://www.fastly.com/cimages/6pk8mg3yh2ee/3Toq5jWy0EuqG8KUw6eGYa/7c964ce5154f09538180381e515142cd/uncanny-valley.png)

~~~
y4mi
I can't find any other source for that definition besides that picture.

Where does it originate if I may ask?

~~~
pastelsky
The term isn't very ubiquitous, but the problem it describes is. Some
references —

[https://addyosmani.com/blog/rehydration/](https://addyosmani.com/blog/rehydration/)

[https://developers.google.com/web/updates/2019/02/rendering-...](https://developers.google.com/web/updates/2019/02/rendering-on-the-web)

------
dmix
I built a Vue.js component for a Rails form that had tons of hidden fields and
we couldn't figure out why it was grinding to a halt and lagging only on my
boss's machine.

Turns out it was Lastpass and using their lp-ignore flag didn't do anything
since it was loaded after the fact.

We ultimately decided to just have an advisory to tell people to disable
Lastpass if it came up. Which involves going to the Account settings page and
adding a 'Never URL'
[https://support.logmeininc.com/lastpass/help/disable-lastpas...](https://support.logmeininc.com/lastpass/help/disable-lastpass-for-specific-sites-lp040006)

~~~
gremlinsinc
Curious why all the hidden fields though? Seems like an anti-pattern. I
haven't used a hidden field in years.

I mean props if using server passed data would easily pass the data to your
vue context.

I don't even use <form> tags anymore. Just bind everything to a json object
and transform the data as needed if combining stuff then send it off to the
api on-click. Saves some work because I don't have to use the prevent tag in
the form element or worry about the submit button binding.

I just add an @click to a normal button element and use axios w/ some
modifications to enable our auth scheme. (Headers and what not).

~~~
dmix
I'm building very complex B2B software (link to company is in profile) doing
phone call tracking and it's a large legacy Rails app with standard `form_for`
type forms.

On one page there could be hundreds of records because some customers like to
create a thousand objects for one marketing 'campaign' and have customers
routed (via IVR or geo or other flags from the source website/ad embedded js)
to a thousand different sales agents depending on fine-tuned criteria (like if
they press 1 to say they are over 50), and from there it could trigger a
hundred different conversion triggers (for ex: to do CPA payouts to the
traffic sources) and webhooks to various analytics services.

Anyway I'm slowly redesigning each part of the giant forms one-by-one and
instead of AJAXing some parts separately I'm injecting the data into hidden
fields which get submitted via traditional HTTP form-data along with the old
forms.

I built a Vue component that automatically generates Rails friendly forms from
any object. Including nested arrays of objects, with any degree of nesting. I
plan on publishing it soon OSS as RailsForm.vue.

It sounds crazy but it was actually really simple to do and is only a
temporary transitional thing. The only problem is I'm pushing the limits of
browser memory/CPU on some customer accounts so I've made some performance
optimizations like only rendering the hidden fields once the submit button is
pushed.

------
szastupov
I honestly don’t understand why people use LastPass when everything about it
screams poor quality. Is it the lack of taste or alternatives for non Apple
platforms?

~~~
hendersoon
My feeling is most use Lastpass because it's free and they don't know about
Bitwarden, or (for the techies) didn't hear that Bitwarden passed a third-
party code audit.

Lastpass also has a bunch of features missing in Bitwarden, but they're
largely long tail stuff. My biggest complaint is it doesn't support biometric
authentication on desktop.

------
hendersoon
My speedometer 2.0 tests on Firefox 70b12 win64.

No password addon: 74.5

Bitwarden: 74.0

Lastpass: 39.7

Pretty grim for LP.

~~~
humantiy
Thanks for posting. I figured this issue wasn't just chrome. Been meaning to
switch to BW and this might be the kick I needed instead of 'just living with
it' anymore.

------
Daniel_sk
Every time I read those stories I am happy to be paying for 1Password.

~~~
skrause
When I was using 1Password a few years ago it was _much_ worse than this
LastPass problem: The Windows version of 1Password resulted in a stuttering
mouse cursor and completely lagging UI of the whole Windows system every time
the CPU was used 100%. Uninstalling 1Password immediately fixed the problem
and I could reproduce it on 2 different systems. I never looked at 1Password
again.

------
pastelsky
FWIW, this isn't a Chrome-only issue. One can see similar differences on
Firefox as well.

~~~
eitland
The LastPass standalone program on Windows was unusably slow as well last I
tested it (left LastPass some moons ago.)

------
ycombonator
If you are on iOS, do you see any reason to use 3rd party password managers?
I don’t seem to find any use for them if I am using the built in password
manager

~~~
33Backpack33
I find a password manager is more than just for passwords. I store PIN codes,
Code, security questions, important notes, and so many other things.

------
SubiculumCode
On top of this, LastPass premium prices went from $12/year several years ago to
$36/year. Kind of gone to crap now that LogMeIn bought them up.

~~~
humantiy
Can't say this wasn't unexpected given their history with other acquisitions.

------
AhtiK
Is anyone else happy with the Trezor password manager [1]? After years of
using LastPass, I just bought a physical Trezor wallet and its password
manager works well enough considering it's a one-time-purchase.

[1]
[https://wiki.trezor.io/User_manual:Password_Manager](https://wiki.trezor.io/User_manual:Password_Manager)

------
blfr
Slow, buggy, and brittle. What is a good replacement for a small team that
needs to share logins, passwords, and other secrets?

~~~
Spivak
Bitwarden. You can self-host the bitwarden_rs backend and basically get
premium features for free as well.

------
foxyv
I just switched from LastPass to BitWarden as suggested by a few comments
below. I never realized what it was doing to my browsing experience. I thought
it was just my internet connection or VPN slowing down! I wonder if there is
an extension to show what other extensions are adding time to your browsing?

------
BearsAreCool
I've been wondering why my chromium installation has been feeling slower
recently, thanks for the heads up.

Any insight into why LastPass slows everything down so much? It seems like it
has a relatively simple job to do.

------
lloydatkinson
I've never had a positive experience with LastPass - this news doesn't come as
a surprise.

------
zamalek
This is why I switched from Dashlane to 1Password a few years back. Dashlane
was activating WebVR (pegging a core at 100% in the process), no idea why it
was interacting with WebVR.

It might be worth checking if disabling WebVR does the trick in this case (it
worked for Dashlane, but I own an HMD).

------
tschellenbach
Main reason why I switched from LastPass to 1Password

------
mackey
I assume this is caused by having "Autofill" turned on?

~~~
pastelsky
This is on a fresh copy of Chrome, with LastPass installed – without me being
logged into LastPass, or having AutoFill turned on.

Speedometer does use TodoMVC heavily, and I wouldn't be surprised if this was
because of the text input elements.

~~~
ben_jones
This is an important reminder that it's important to periodically review
default tooling whether they be chrome extensions, desktop apps, phone apps,
etc..

I'm definitely guilty and glad someone did the research!

