
LastPass stores passwords so securely, not even its users can access them - jbredeche
https://www.theregister.co.uk/2020/01/20/lastpass_outage/
======
LeifCarrotson
The article went up an hour and a half ago, at the exact same time as
[https://status.lastpass.com/](https://status.lastpass.com/) updated to say
they were investigating. In under an hour, they acknowledged, identified,
fixed, and verified the issue.

The fix went out less than half an hour after they learned about it, and this
HN submission was posted 1 hour ago, so no one learning of the issue by means
of this HN submission will have been able to reproduce the problem.

Also, if you've enabled offline access to your vault (which used to be the
default IIRC, and would be smart regardless of your password manager of choic)
this won't affect you.

~~~
nullspace
That’s bullshit.

In reality (I was affected by this and it’s now fixed), this happened 3 days
ago, and I kept watching the status to see if they would identify it.

I had to upgrade to premium support for them to even respond to the issue. I
filed the issue on Friday or Saturday, and they got back to me on Sunday. And
it looks like they have fixed it now.

This was not a quick response time, don’t give them credit for this one.

~~~
mk89
It's a nice trick that many companies use.

The best way is to build small agents to monitor the service you depend on to
know whether they truly respect their SLA. In case of LastPass they don't even
have an SLA....so good luck with an updated status.

~~~
arcticfox
I learned another nice trick from GCP the other day; Stackdriver log ingestion
was down, at least for me and a number of people on Twitter, and they simply
put a yellow warning at the top of status.cloud.google.com while fixing it
instead of making an official incident.

Magic, 100% uptime!

~~~
ghastmaster
If the service is down for a limited amount of individuals I consider it still
up. This does beg the question of how many constitutes "down". I think the
nature of the problem and quantity of users affected is important.

~~~
jazzkingrt
I disagree. The SLA ought to be made on a per-customer basis. 1% of users
affected would mean 1% of users would be entitled to refunds/remedies that the
SLA prescribes.

~~~
antoncohen
GCP has different SLAs for each product, but the ones I've seen are per-
customer. The details vary by service, but they generally define downtime,
like x% errors for y% amount of time, and then have financial penalties for z%
downtime[1]. There are sometimes clauses requiring retries with exponential
backoff[2].

Their SLAs are short and readable. It is worth reading a few of them,
especially if you have a SaaS and are thinking about your own SLAs. Just
search Google for [google $product sla] to find them.

[1]
[https://cloud.google.com/stackdriver/sla](https://cloud.google.com/stackdriver/sla)

[2]
[https://cloud.google.com/datastore/sla](https://cloud.google.com/datastore/sla)

------
filipn
So glad I switched to 1Password, haven't had an issue since. They provide an
easy transfer of your passwords from LastPass, you can just follow their guide
and be done in 5 minutes: [https://support.1password.com/import-
lastpass/](https://support.1password.com/import-lastpass/)

~~~
deepspace
I was a longtime LastPass customer, but the service just kept getting worse
and worse, to the point where a year ago I realized I was spending more time
fighting the user interface than it was saving me. And their support was
absolutely useless.

So I also switched over to 1Password, and never looked back. It is such a
refreshing and trouble free experience compared to LP, and the few times I
needed to ask a question, their support team got right back to me with the
correct answer the first time.

~~~
ars
I've never used LastPass, why do people use it (or other password managers)
instead of the built in browser password manager?

~~~
jacekm
Until not so long ago, the browsers' password storages provided absolutely
zero security. They are better now, but still password managers offer some
advantages. For me the most important is the ability to use multiple browsers.
But there's other stuff: random password generator, ability to store custom
key/value pairs, 2FA, etc.

~~~
ars
> provided absolutely zero security.

I've been encrypting my Firefox password store for so many years I can't even
remember.

Is that not secure or something?

~~~
tylermenezes
Yes, actually. [https://palant.de/2018/03/10/master-password-in-firefox-
or-t...](https://palant.de/2018/03/10/master-password-in-firefox-or-
thunderbird-do-not-bother/)

(Maybe they've fixed this since, I'm not sure. It doesn't seem like security
is being taken very seriously in any case.)

------
doque
So in response to this story I decided to delete my (premium) account with
them. After confirming multiple times (good thing), I was shown this error:
[https://i.imgur.com/4dpn6d5.png](https://i.imgur.com/4dpn6d5.png)

How does error handling like this even make it to production?

I got an email as well confirming my account deletion and I can no longer log
in.

But all in all this clearly does increase my trust in Lastpass's security
competence.

~~~
MoronInAHurry
I got the same error while deleting my account over a month ago when it was
announced that their parent company LogMeIn had been bought by private equity:
[https://www.zdnet.com/article/logmein-sells-to-private-
equit...](https://www.zdnet.com/article/logmein-sells-to-private-equity-firms-
for-4-3-billion/)

So the deletion process has been erroring in that way for at least a month
now.

------
navidfarhadi
If you are looking for an alternative I highly recommend Bitwarden (not
affiliated with the company). I switched over from Lastpass around a year and
a half ago and am very happy with the service. All of the clients and the
server are 100% open source plus you can self host if you want to.

~~~
anonymouswacker
Switched from LastPass to BitWarden over the weekend. I have 1,200+ passwords,
and the transition was seamless. I even set up BitWarden on one of my web
servers so that I can control my data -- even that took less than 30 minutes,
thanks to BitWardenRS docker container.

The only thing I have yet to figure out for BitWarden is how to get a little
icon to show up next to user/password fields in forms. I just have to right
click and go to BitWarden (FireFox) to get there, which it just slightly more
work. Still worth it.

Why would I pay $36/year (LastPass) for something that I can control for free?

~~~
bogomipz
Is there an exporter available for BitWarden then? I'm guessing your 1,200
password had a seamless transition because of some tooling the project
provides? Is that correct? Cheers.

~~~
deadbunny
Not the person you're asking but you can export your passwords to CSV from
LastPass and BitWarden can import the CSV. The only issue is that the LastPass
export can be a bit sketchy and have a few errors you need to manually fix.

------
sigwinch28
I continue to use `pass` [0].

Luckily I'm technically minded, so it's not too hard to manage my GPG keys or
manage syncing the git repo every now and then.

What it lacks in swish UI and automagically-configured browser extensions it
gives in configurability, privacy, control over data, and freedom.

[0]: [https://www.passwordstore.org/](https://www.passwordstore.org/)

~~~
yjftsjthsd-h
I really want pass or something like it, but the two times I've tried, I got
stuck trying to figure out the gpg part. I suppose I should go and learn that
properly anyways, since in spite of its UX it's still an extremely widely used
and powerful tool, but it's a lot higher barrier to entry compared to "type in
password, unlock vault".

~~~
sigwinch28
The gist of it is that you need a keypair (a public and private key), which
GPG can generate for you.

Then whenever you insert something into the `pass` database (which is just a
directory tree full of encrypted plaintext files) the tool uses the public key
to encrypt the password (or anything else):

    
    
        pass generate --no-symbols shopping/ebay 16
    

Later, when you want to read a password, you ask pass to decrypt the file
using the private key from your keypair:

    
    
        pass shopping/ebay 16
    

The difficulty is really all in managing the keys, which can be quite a faff
to set up and then manage. If you're only using gpg for `pass`, IMO it's
easiest to copy the keypair (which gpg generated) to all your other machines.

A quick web search brought up a gist [0] which shows how to quickly get up and
running on a single machine.

If you want to use it on another laptop/desktop/*nix-like machine you'll need
to export both your public and private gpg keys and then import them on the
other machine. When using a phone you have to do something similar. The
Android clients were fairly straightforward, but Pass for iOS had a very, very
clunky way of getting the keys across. Regardless, it boils down to this: get
the gpg keypair on all of the devices and then get them all using the same git
repo for pass.

[0]:
[https://gist.github.com/flbuddymooreiv/a4f24da7e0c3552942ff](https://gist.github.com/flbuddymooreiv/a4f24da7e0c3552942ff)

~~~
yjftsjthsd-h
Thank you:) That gist does look like what I need; I'll have to try it out!

------
darkwater
On a side, am I the only person that doesn't like The Register write style,
especially the headings? Yeah, irony and fun all that you want, but it ends up
looking like a gossip/tabloid magazine

~~~
robocat
It is very “British” with wit, puns, long running silly gags, in-jokes, smart
headlines, sarcasm, and self-deprecating jokes.

However, The Register is usually technically correct and regularly breaks
important news (good journalism). Minor technical (or grammatical) errors will
be lambasted in comments.

Essentially, the style meshes well with it’s target readership, and they are
_very_ happy that anyone that doesn’t like the style auto-excludes themselves
from the readership/community.

~~~
darkwater
Didn't mean to question the story quality, but even given the British humour,
I still don't like The Register style.

------
RealStickman
Why one shouldn't use cloud-based services. I'm sticking to keepass. (I'm
syncing the keepass file over a cloud, but I still have a local copy on all my
devices against cases like these)

~~~
daveoc64
I'm sorry, what is your justification for not using cloud-based services?

Lastpass (like pretty much all of these online password managers) will work
offline, so if the service goes down, you can still access your data locally.

~~~
harryf
Not the OP and personally less radically against cloud-based services... But
storing something as critical as passwords with a SAAS company which is
obviously going to be target of attack and may or may not have the engineering
resources to provide a reliable quality of service... seems like a bad idea.

Google(Drive) at least I trust to have the engineering resources to keep data
secure, perhaps not from government secret services but at least random
hackers

~~~
chousuke
They don't really store your passwords, just an encrypted blob that's openable
with your master password (more accurately, a key that is derived from it
using an expensive operation so that brute-forcing is unfeasible.)

You do need to trust them enough that they will never sniff your master
password (AFAIK even the web vault is local only) but eg. the command-line
client is open source, so you can at least verify their protocol.

That said, I might switch to bitwarden at some point purely because it can be
self-hosted.

~~~
Faark
I just don't want to store my passwords in exactly the same way everyone else
does. I'm not a high value target, so my threat model is a 3rd party getting
screwed / screwing us. Just a little bit of customization should be enough to
throw off whatever tools attackers will build to mass harvest.

------
NopeNotToday
Some alternatives:

    
    
      * https://keepass.info/
      * https://bitwarden.com/
      * https://1password.com/

~~~
scandox
Yeah they'll never go down. Why don't these systems support local storage as
well? Is there greater security risk in syncing to a local device?

Edit: I do not mean browser localStorage

~~~
awinder
1Password does support local storage, cloud is used for syncing to local
storage so obviously in case of an outage you wouldn’t be able to sync
updates. But you would be able to access and modify locally and then it would
push when things came back online.

~~~
yreg
It also lets you sync via alternative services like Dropbox/Mega.

------
magd
LP has a history of problems, but my company forces us to use that crappy
product. I've complained about it for years. I use keepassx for personal,
1password for work, and lastpass for anything that I need to share with
coworkers. I always wondered who got the kickback from LP.

~~~
ryanmercer
>LP has a history of problems, but my company forces us to use that crappy
product.

I've been using them the better part of a decade, I've never had an issue and
find calling it a 'crappy product' to be shocking.

What sort of issues have you had?

~~~
iamaelephant
LastPass is riddled with problems, and the quality has dropped precipitously
since their acquisition by LogMeIn. For a sampling of their problems I suggest
searching this site for their name.

[https://hn.algolia.com/?q=lastpass](https://hn.algolia.com/?q=lastpass)

~~~
op00to
I’ve used them for a long time. I noticed zero change in the service.

~~~
iamaelephant
Ok man if it works for you then keep on keeping on. I have chosen to leave the
service due to a huge drop in reliability and several major security and
service incidents.

------
overcast
LastPass' UI is so clunky, confusing and under performant that storing
passwords securely is the least path of resistance for end users. I dread
using it daily at the office.

------
rafaelvasco
Been using LastPass for years. Couldn't imagine living without it, with the
gazzilon of passwords we have to handle. There's other services of course, but
I've never felt compelled to leave. But I'd much prefer to not have to deal
with any passwords at all in any service;

------
JohnTHaller
KeePass/KeePassXC on each device. Complex keyfile manually copied to each
device (never in the cloud). Password database protected by the keyfile and a
memorable complex password stored in your cloud folder of choice synced to
your devices. You now have a free, open source, secure, cloud synced password
service.

For additional security, you can manually copy the database between devices as
well. Or keep a separate manually copied database with your most secure
logins.

~~~
geekamongus
OK but can you tell my 80 year-old mom how to do this?

~~~
JohnTHaller
You can set it up for a non-techie and then just let it do its thing. I've set
this up for a few people who don't have a clue what a key file is.

------
franga2000
Wait, are they saying that the clients don't store a local copy? Or that the
local copy is inaccessible without the servers working?? That seems incredibly
irresponsible and I can't imagine a single reason for doing that.

Or is there something else going on that corrupted the users' local copies? If
the system is properly secure (i.e. data is encrypted and verifiable with the
user's password-derived key) this shouldn't be possible, right?

------
instaheat
I switched to Bitwarden after certain grievances with LastPass which I don't
even recall what they were now.

~~~
eteb
The final straw for me was LastPass being very late on going WebExtension for
Firefox. Not having a working password manager was not an option and the move
to Bitwarden was very smooth.

------
anderspitman
keepassxc (just a simple encrypted password file) + syncthing (copies that
file to all your devices) has been working pretty well for me on
Linux/Android. I believe there's still no syncthing client for iOS
unfortunately.

[0] [https://keepassxc.org/](https://keepassxc.org/)

[1] [https://syncthing.net/](https://syncthing.net/)

------
joemccall86
This will probably get buried, but this story had me shudder at the
possibility of being locked out of my 1password vault in a similar scenario.
In case anyone is in the same boat:

* My airplane-mode test passed both on my mobile device and browser (1password X).

* The team is aware of the situation with LP and wrote a very thoughtful response: [https://discussions.agilebits.com/discussion/comment/544136/...](https://discussions.agilebits.com/discussion/comment/544136/#Comment_544136)

* From the response above, 1password is SOC2 certified, so availability is taken very seriously.

------
spookyuser
I never see the app I am currently using for my password manager on HN
password manager threads so I will recommend it now.

I have been using Safeincloud [https://www.safe-in-
cloud.com/en/](https://www.safe-in-cloud.com/en/) for I feel like forever. The
dev is quick to add new features, like autofill on android, and windows hello
on windows.

It's a one time payment on android and IOS, Desktop apps are free.

I know that 1password is prob better and more secure, but I can't afford the
monthly rate.

------
BuildTheRobots
Not actually related to the article, but the headline makes me think of the
"Muddy Puddle Test" for crypto, which goes like this:

1) Drop your device(s) into a muddy puddle (destroying them).

2) Slip in said puddle so you hit your head. On waking up you're absolutely
fine, but are entirely incapable of remembering your passwords or encryption
keys.

3) Can you get your cloud data back?

If you can, then it's not actually secure.

~~~
whatshisface
What about biometrics?

~~~
BuildTheRobots
Biometrics are good for usernames but not passwords. It's much harder for
someone to get something out of your head than cutting off your thumb. - and
as playeren says, it's impossible to change it.

[http://news.bbc.co.uk/1/hi/world/asia-
pacific/4396831.stm](http://news.bbc.co.uk/1/hi/world/asia-
pacific/4396831.stm)

------
ghastmaster
Given the possibility of software failure, would it be wise to use multiple
password managers? I have the feeling this is a .45 vs 9mm question that
doesn't have a real answer. More software exposes risk of data being exposed
vs redundancy. I do not use software managers. I use a password protected
spreadsheet(100 passwords). I hope they are safely encrypted.

~~~
zndr
A seccond PW manager? Not necessary, an offline backup? Great idea. Most PW
managers allow you to export in some way shape or form. Doing so and
encrypting said file is a great idea, but also something that's hard to do
enough for _most_ people that I don't have a good solution.

~~~
ghastmaster
Excellent points.

------
kefabean
I like Enpass (enpass.io):

\- non-subscription version available

\- multi-platform (IOS, Android, MacOS, Linux, Windows)

\- offline access (local DB)

\- sync via non-Enpass servers (eg use dropbox, google drive, iCloud, box etc)

\- actively maintained

I have been using for ~3 years on a revolving door of devices and have _never_
experienced any issues - just works.

(Not affiliated in any way with Enpass)

~~~
casefields
Mobile free version limited to 25 items. That's not really free for 99% of
people.

------
zipwitch
Not even a mention of Password Safe?

[https://en.wikipedia.org/wiki/Password_Safe](https://en.wikipedia.org/wiki/Password_Safe)

It's what I've been using for Windows-running non-savvy relatives for decades.

------
generalpass
I have been using and paying LastPass since it launched with no serious issues
and a few minor ones.

The Register article makes gives no indication as to the number of users
having trouble with the current issue.

My single issue with LastPass is that they don't offer an APK download options
separate from the Google Play store, so my slow and steady migration will
require, at some point, migrating to a different password manager.

I made a trouble ticket regarding this issue and they informed me they have no
plans to offer a separately downloadable APK.

------
jagged-chisel
I feel like there have been enough incidents with LastPass that no one should
be using them. Am I biased due to reporting, or is it the case that they can't
be trusted?

~~~
ryanmercer
I've been using them the better part of a decade, I've never had a single
issue and am quite surprised to see so many people complaining about
them/mentioning issues in this thread.

------
jcam1960
As an alternative, lately, I've been using Passfindr. It's web-based but they
have an offline solution so that as long as you have made a backup. This kind
of crap won't shut you down. It will read out of the backup file through the
browser. And I use it for a lot more than passwords. I pretty much use it for
any kind of access. Works good.

------
notlukesky
SAASPASS personal password manager and Authenticator works offline (with cloud
syncing options). You can also use it for teams or companies (online and
offline options set by admin) and it is by default protected by 2FA.

www.saaspass.com

(I work for an IAM SI/consultancy and we use and implement SAASPASS for IAM
needs including enterprise password management, 2FA, directory services and
SAML-based single sign-on).

------
uptown
What’s the best (translation: easiest) password manager for non-technical
users with Windows and iOS devices? I’m trying to find a good solution to help
protect the accounts of my older parents. I use a legacy non-subscription
1Password version for myself so I’m not up to date about the subscription
model or product changes of recent versions.

~~~
casefields
I moved myself and the whole family to the often-mentioned Bitwarden 3 years
ago. It's been fantastic.

------
stevefan1999
My recommended alternative to LastPass: Bitwarden at
[https://github.com/bitwarden/server](https://github.com/bitwarden/server)

The ability to host it yourself is a big kudo to me, then we are no longer
constrained by LastPass like this case here.

------
fortran77
Based on this news, I just looked around and discovered that LastPass has a
way to export a CSV file of all the passwords in plaintext. I just did that
and have a PGP'd archive of my passwords stored locally. Not a bad thing to do
with any password manager.

~~~
cuillevel3
I think I did this once with one password service and was surprised that they
don't even send a warning email to inform me, that that just happened... very
scary.

------
Kiro
Am I the only one using Google's own password manager? Ideology aside I can't
think of someone with more engineering resources to prevent hickups and
breaches. Are there any benefits of other pw managers I'm missing out on?

------
tomaszs
What is unclear is if it was an application bug or server bug. In the first
case it is not so bad. Since you can downgrade. In the second case it may be
disturbing that LastPass requires server connection at all...

------
rb808
Yeah I will never trust a third party password system. Writing down on paper
works great. For most unimportant accounts use oauth or make up a random
password and forget it - if you need it again reset the password.

~~~
Whatarethese
I'm sorry but that is just ridiculous and time prohibitive.

~~~
perl4ever
You can use a manager that stores an encrypted database locally and prints it
out for backup.

Is this generally considered to be not viable?

------
arghblarg
An alternative to avoid electronic systems entirely:
[https://www.tindie.com/stores/russtopia/](https://www.tindie.com/stores/russtopia/)

------
iamaelephant
One of the best things I've done in my personal software life recently is
getting off LastPass. The only other piece of software I have seen decay in
quality so rapidly and markedly is PocketCasts.

~~~
ryanmercer
Ugh, they ruined PocketCasts when they bought it and did that major 'update'.
Fortunately I found Podcast Republic the day mine updated and haven't looked
back.

------
beanaroo
Another open-source, open-pgp based password manager worth mentioning is
[https://www.passbolt.com/](https://www.passbolt.com/)

------
aussieguy1234
I'd rather be locked out for a while, than to have my passwords stored
unencrypted. I've been using LastPass as a paid user for about 5 years.

------
riffic
I've migrated to Bitwarden. LastPass has been lacking in quality for a while
and this outage was the last straw.

------
fortran77
I was just thinking, it may be a good idea for me to print out my vital
passwords and put them in my safe....

------
Fritsdehacker
A lot of people here are saying this is why you shouldn't trust cloud services
for password management. And I agree. I use Keepass myself, however, that is
not a viable solution for most of my family and friends. They need something
dead simple, which is what cloud services like LastPass, Bitwarden etc. offer.
I think the LastPass user interface is horrible, though...

------
criley2
I'm shocked to see a post of such low quality on hacker news. It reads like an
instagram post or twitter replies. I'm not familiar with "theregister.co.uk"
but I honestly think it's the lowest quality article I've ever seen on this
website

~~~
iamaelephant
> I'm not familiar with "theregister.co.uk"

Then you're not qualified to be discussing software or the tech industry,
frankly.

~~~
yarrel
Or we're in an era where that sneering prototype for clickbait blogs is being
rightly consigned to the dustbin of history.

When faced with a link to an article on The Register, searching for the source
it's been copied from is a good first step.

~~~
perl4ever
I never go out of my way to look for their articles, but their shtick is
mildly amusing and they seem like an institution. As long as they are at least
a bit different from the rest of the tech press, something would be lost if
they went away.

------
hannofcart
Does anyone here use LessPass? I've been using it for a while now and am very
happy. No storage needed. One master password to generate reproducible
passwords based on the site's domain.

------
elliotec
Longing for the day that passwords become obsolete.

------
sys_64738
Let's put our passwords on a remote server which convinces us they're secure.
How did we even get here that such information leaves our control?

~~~
fullstop
Most people access services from more than one device and are not capable of
rolling, managing, and securing their own synchronized password database.
That's how.

It's not the best option, of course, but certainly better than weak and reused
passwords, right?

~~~
sys_64738
Is convenience more important than security? That's what you're saying here.

~~~
stordoff
Before using a password manager: I'm using short, memorable (often repeated)
passwords that are rarely, if ever, changed.

After using a password manager: I'm using long (generally 64 characters),
unique passwords, and if one is compromised, it's a 30s job to change it on
all of my devices.

Convenience _enables_ security. I could probably roll my syncing solution, but
I would _not_ be convinced it is secure (I don't have that level of
expertise), and I would probably end up using a third party anyway
(Dropbox/Digital Ocean). I'm not going to sync it manually to the 6 or so
devices I regularly use, plus others I use less frequently (it may be more
secure, but it's not practical). Because it's low friction, I end up using it
more, so it's a _net_ gain in security, even if it isn't perfect.

------
tcd
Keepass - choose your own way of syncing, can never go down, works without the
internet etc etc.

Cloud services...lol

------
draw_down
I’ll never forget when I was issued a new computer at a new job with LastPass
installed. It kept popping up a modal dialog (modal to the entire browser)
with some inscrutable network error message. I never even bothered trying to
use it after that.

------
dentemple
The reactionary nature of the typical HN poster is on full display here.

Lastpass had a bug that affected a small percentage of users. They identified
and fixed the bug within several days. What more do you want?

Is there really a competing product out there that guarantees NO BUGS? So,
then, why the extreme nod to #CancelCulture for what appeared to be just a
temporary issue?

~~~
geekamongus
Probably because of the way the handled it (or didn't for a few days, as was
the case here). Just guessing.

------
anderspitman
IMO[0] everyone should have at most one password - to their email account.
Everything else should be something along the lines of (in order of
preference):

1) SSO (federated! Not the Google/Twitter/Facebook/GitHub oligopoly nonsense
we have now), using email addresses as ids.

2) Emailed login links, a la Slack's magic links.

Email addresses aren't perfect, but they're the globally unique, federated IDs
we have, and good enough. Plus they have the advantage of years of figuring
out how to handle of realities of federation.

[0] I am biased. I recently launched a service in this space:
[https://emauth.io](https://emauth.io)

~~~
sib
I hope that emailed login links cease to exist.

I work at a large company. As a combination of lots of security scanning and,
I think, intentional slowdown for virus spread mitigation, external email can
take minutes to be delivered.

More than 50% of the time I receive such a link (including from Slack, for
example), it has timed out before it gets to me.

Just let me use a good, long, randomly-according-to-a-recipe-generated (and,
if needed, 2FA) for services and I'm happy.

~~~
anderspitman
Seems pretty specific to large organizations though? That's a completely
different thread model than someone wanting to log in to their social network
to share cat memes. You're completely right that it needs to be handling
differently and appropriately. But for everyday use, I've never had an issue
with delivery on commodity email providers.

