LogMeIn acquires Lastpass (lastpass.com)
422 points by anu_gupta 653 days ago | 417 comments

Huh. Gotta admit, I'm rather distressed by this, but I'm trying to think through it logically.

* They still don't have access to my raw passwords. Everything's already encrypted before it gets to them, and they don't have the key. They just store the encrypted data.

* They however do control access to the account. This means there's a point where they get all sorts of data on me, and while I personally don't mind, I must admit I felt a bit safer when I thought it was a smaller, purpose-built company managing things.

* Then again, LastPass hasn't had the greatest user experience lately. A mixture of simply not doing the data entry on some sites, and having a poorly designed UI for mobile that feels like little more than an extension of the desktop experience (which doesn't work very smoothly on mobile - it needs to be rethought from the ground up) means that perhaps the new things LastPass could do with this funding would make it more usable.

But at its core, this is a security company to me. Probably the only one I pay for directly. I love change and expansion in so many other industries, but I suppose I'm just not used to it here - perhaps that gut response of "I want my security to be utterly solid because of how bad it could be if it goes wrong".

This isn't quite a reason to jump ship for me yet, but I'll certainly be duplicating work to other services (which so far, I've found to be quite inferior).

> This isn't quite a reason to jump ship for me yet, but I'll certainly be duplicating work to other services (which so far, I've found to be quite inferior).

Did you try 1Password (which works with Dropbox, Wifi sync, etc.)? Not affiliated with them, just a happy customer.

I actually did an evaluation of password storage services recently and chose LastPass over 1Password for a couple reasons:

1. 1Password is SUPER expensive for what it is. You really pay for the fact that it looks nice and integrates well with mac.

2. It has no enterprise level features (This is for my organization) such as user management, access logging and fine grained roles and sharing.

1Password might be good for an individual or a small team, but it's too simple for anything beyond that.

"You really pay for the fact that it looks nice and integrates well with mac."

Aren't those exactly the kind of things I'd want to pay for-- rather than opting for a cheaper solution that doesn't have those features?

For me look & feel and usability are nice, but not if it doesn't correspond to my needs.

I routinely use both a Ubuntu Linux laptop and a MacBook. Unfortunately 1Password does not support Linux.

And while I do use Dropbox, I like having the flexibility of switching to Google Drive. Speaking of look & feel, on Android the 1Password interface is the ugly duckling that doesn't use material design.

And back to price. At home I also have a Windows box that I sometimes use for media. My phone is an Android, but I also have an iPad. So 1Password would set me back $42 for OS X + Windows (includes the discount), about $7 for Android and another $7 for iOS. That would be $56 with the discount, or $84 without the discount. And that is expensive, I mean that's almost the price of an IntelliJ IDEA upgrade.

It's not terrible, I mean it does provide value and the price is sort of justified. But careful on the wanting to pay for things, as that's not how the world works. Do you know what happens to the farmers that invested money in the latest tractors and the seeds with the highest yield? Most are near bankruptcy, choked by loans and surviving on government subsidies. Just saying, wanting to pay for things is a sign that you've got more money than ability to spend, which is cool, but life is surprising and things change.

Keyword: "I". Personally I'd choose Keepass as it is OSS but we all have different priorities. Seems like LastPass has features targeted at enterprise customers and it's (unfortunately) rare that a large business makes purchasing decisions with a priority on UX.

Actually, I'd say 1Password is cheap for what it is; I opted to use it in my personal life because it was cheaper than LastPass. :)

The lack of enterprise features is a killer though. We currently use 1Password at work, but we're evaluating LastPass and Meldium as options to switch to purely for the password sharing, access control, etc. We don't want to switch, but it's not clear there's any option if you want to manage passwords reasonably smartly among a small team.

In a business environment for sharing accounts, I very highly recommend PasswordState.

Its auditing and logging features are excellent.

I take it you don't use login manager on mobile devices.

LastPass costs (or used to cost) $12/year while 1Password is $29, so if you intend to use a password manager for more than two years it's cheaper to buy 1Password than keep paying for LastPass.

And just a side note, I bought my 1Password for Windows, currently I'm using it on Windows, Linux, Mac and iOS and they all work fine. My OS X says that its trial has expired, but it still works just fine, I can create new passwords and encrypt the old ones just fine. Maybe there are some pro features I'm not getting, but it's doing what I need it to do.

How are you using it on Linux?

One of the first things from Google :)


But someone suggested Wine and I guess it works better, but this works just fine for my needs.

> 1Password is SUPER expensive for what it is.

I don't know about that. LastPass wants $12/yr for their premium service. 1Password charged me $60 for the Windows + Mac bundle back in 2011. Other than the fact that you have to pay up front, the price seems similar.

If it's for an organization you should probably use KeePass, as all the data is kept locally by the organization.

Allowing any third party access to sensitive passwords sounds like a bad idea.

My name is Eva Schweber and I work for AgileBits, the company that makes 1Password.

I would just like to clarify that AgileBits never gets access to your data or your Master Password. It is either stored locally on the user's machine or network or in his/her own Dropbox or iCloud account.

Please also consider officially supporting BT Sync.

I'm really not keen on Dropbox syncing as there is no need for a copy to exist on the cloud

I've got it working fine with BT Sync. All you need to do is put the .agilechain file in a sharable folder and load it up with 1password on both ends. It syncs up just fine.

Don't get me wrong. It works for me including a slightly hacky way on iOS.

However, it would be nice to have official iOS 1Password support since I believe 1Password can leverage BTSync via API much like Dropbox for a much more seamless experience.

My name is nfx, and I never trust in a closed source software.

I prefer KeePassX instead, so keep it in mind as well. While I wish there was an official version for mobile and it integrated into the browser, I almost like the separation as I've gotten used to it.

Be happy there is no mobile version. I don't know about you but I personally can't trust a mobile phone these days with anything sensitive. :(

KeepassDroid (for Android) and MiniKeePass (for iOS) both work well.

I haven't used it, but doesn't 1password support multiple vaults?

IE: your company makes a vault in a dropbox directory shared with employees, and multiple people just add that as a secondary vault?

conflicting changes are probably an issue though...

It does, and that's how it works. Conflicts in vaults are also not an issue. When you get the 1Pass popup, you can specify the vault with a hot key (Cmd 1 for Primary, Cmd 2 for Corp) etc, and then choose from whichever vault, if there is any overlap.

As a primarily Windows/Android/iOS user, I bought it and find it much better than LastPass, which I also paid for. I do have it on my Macs, but I use those about 10% of the time, I'm mostly Win/Android/iOS. It works great across all the platforms I use.

I wouldn't call it expensive really. It's not a recurring cost, so the price over time is really cheap.

rattic.org is a great open source option for enterprise/team use.

Hi danieldk, My name is Eva Schweber and I work for AgileBits, the makers of 1Password. I just wanted to thank you for sharing your love of 1Password with the other folks on this thread!

You guys might want to see if you can do a better job of publicizing the LastPass import. I googled for it and found some of your support forum threads where users had contributed scripts to do it, and I thought that was a bit iffy, so I resolved to deal with it later. I then saw another comment here that clued me in to the fact that LastPass has an 'export' feature that you guys can import from. 60 seconds later, it was done.

I'm sure you're getting a lot of new users today. Good luck! :)

Hi ntucker,

My name is Eva Schweber and I work for AgileBits, the folks who make 1Password.

That's a great suggestion, thank you. And thanks also for the good wishes. It has certainly been a busy day!


I just bought 1password, switching from LastPass - one feature I really liked in LastPass was the ability to save the master password (I keep important passwords in my head and a password manager for less important things). Is there any chance this functionality will be provided? As it stands if I want to keep using 1Password I'll downgrade my Master Password strength (because it's a real pain to type it every time I reboot, especially on my phone) and that makes me feel more uncomfortable than knowing if someone knows my system login password they could compromise my vault...

LastPass did guard this functionality with a big "your security will be seriously compromised, are you absolutely sure?" prompt which I think is fair enough

You realize that having that option enabled is basically equivalent to having a plain text file on disk which has your passwords, right? If you encrypt your filesystem, this isn't so bad, but still any kind of remote execution exploit could basically gain access to all your passwords.

Well, it'd be encrypted with my login password as part of Keychain password storage under OS X (and with my device key + unlock code under iOS) so at rest it's still going to be fairly secure.

But, as I said, I don't use password managers for passwords that are really important, I use them for the bulk of online services where I'd like to use a different random username/e-mail & password for each.

Hi Eva,

Do you have any plans to integrate with Google Drive or iCloud drive in the near future?

Hi Subliminalpanda,

We have had many requests to integrate GoogleDrive and it is certainly something we are looking into. Our Mac App Store app does allow iCloud syncing through Cloudkit.

Eva Schweber Agilebits Support.1Password.com

Any chance you guys are going to run a promotion?

Hi bognition,

Just to be clear who I am, I am repeating that I am Eva Schweber and I work for AgileBits, the folks who make 1Password.

And to answer your question, yes. We have put all of our apps (including our in-app purchases) on sale for 40% off.

Sorry, what's your name again?

Nice! you just scored yourself another customer!

Hi bognition,

Awesome! Glad to hear it.

Am I missing something or is there really not a linux client?

Nope - no Linux client. Lots of customers asking for one, too. There's a javascript client you can use on Linux, but a nice native Linux client would be ideal.

1Password is the only password manager that has been polished, feature complete, and low-impact enough to get me to actually use it. I gladly paid for it. If only all mobile browsers had easy ways for 1Password to integrate...

It's gotten a lot better, have you used the iOS9 app yet? Or I would imagine the Android app, their latest update on iOS is pretty good. While you are still using their app and spinning up a browser inside it, it doesn't feel that way anymore, and this is coming from someone suffering the pains of using this on an iPhone 4S.

The Android app is not particularly good, but it gets the job done. Much like the Windows client compared to Mac, it's clearly playing second fiddle.

They're doing a new "Windows Modern" (or whatever it's called) version, I need to give that a try sometime.

Is it usable on linux?

It's usable with their javascript-based version, but someone has also written a 1Password-compatible clone that works quite nicely: http://hg.icculus.org/icculus/1pass/

Works fine in Wine.

Can you tell me about any experiences with 1Password and IE ?

I've been a huge fan of the technical capabilities of Lastpass in general - I have many desktops and syncing generated passwords works great.

But it's never been something I could push to my business customers because it's never worked reliably under IE[0][1][2]. When I've brought this up in other forums, I only get the "oh.. using IE is dumb" sort of response, which is completely unhelpful for your average business. But it's an attitude I've often wondered if Lastpass had, based on their regular release cycles being heavily skewed away from IE[3].

0,1 and 2 are easily replicated in my environments:

[0] https://forums.lastpass.com/viewtopic.php?f=12&t=124495&star...

[1] https://forums.lastpass.com/viewtopic.php?f=12&t=159855

[2] https://forums.lastpass.com/viewtopic.php?f=14&t=162395

[3] https://lastpass.com/upgrade.php?fromwebsite=1&releasenotes=...

70€ is quite expensive

For the secure storage of hundreds of passwords that sit in front of insane amounts of personal information, with support for auto-filling on desktop and mobile, easy syncing, archive sharing, and more...

It's really not that expensive for what you're trusting it with.

Edit: not affiliated, but it has to be my #1 favorite application on any platform.

> For the secure storage of hundreds of passwords that sit in front of insane amounts of personal information, with support for auto-filling on desktop and mobile, easy syncing, archive sharing, and more...

I have all those features plus a proper web extension for $12/year.

What annoyed me and made me switch to LastPass is that once I had all their apps, they released new versions which I had to pay for, again.

Hi themartorana,

My name is Eva Schweber and I work for AgileBits, the makers of 1Password. I just wanted to thank you for sharing your love of 1Password! We love our customers and with folks like you, is it any wonder why?

Not cheap, but undoubtedly the most common paid app I use. For me, the workflow of jumping in and out feel smoother and saves time compared to other products I've used. It's only a few seconds, but to me at least, I stay much more productive and in flow, which easily makes it a cost savings.

yes in US$ 12 vs 40+ dollar for single user

$12 a year vs. a one-time purchase. Just for clarification purposes.

One time purchase until the next major upgrade, then you need to pay more to stay up-to-date.

Hi Goronmon,

My name is Eva Schweber and I work for AgileBits, the folks who make 1Password.

While it is true that we think it is important for our potential customers to know that we may charge for a future version of 1Password, we have only done this once in the 9 years that 1Password has been available. And that was after a significant upgrade from 1Password 3 to 1Password 4 when we rewrote the entire app from scratch.

Customers who purchased 1Password 4 for iOS have received free upgrades (including Pro Features) to 1Password 5 and 1Password 6. The same is true for our 1Password 4 for Mac customers, who received 1Password 5 (our current version) for free.

I'm still on v3. I have the family licence. I'd like to move to v4+ but I don't see a cost effective upgrade route, for windows, ios and android in my case.

Hi junto,

My name is Eva Schweber and I work for AgileBits, the folks who make 1Password.

For Windows you are eligible for an existing customer discount. Just go to our store at http://agilebits.com/store and click on the Upgrade button under the license you are wanting to purchase. You will be prompted to enter your 1 Password 3 license code and then you will see the discounted prices you are eligible for.

We have also changed our sharing policies to match Apple's Family Sharing plan. Now a family living in a single household can have up to 6 users on a single 1Password for Mac or Windows license.

As far as Android goes, we have put the in-app purchase on sale for 40% off.

Does the free Android reader app still work with v4 as well?

Hi junto,

My name is Eva Schweber and I work for AgileBits, the folks who make 1Password.

To answer your question, yes it does.

I use LastPass on Android, Windows and OS X, that means at least $80.

1password for Android is free for the basic edition. The Windows & OSX bundle doesn't cost anything like $80 ($42 atm).

You said it, basic edition. I use the Android app to edit and create logins and secure notes. That means buying the pro features.

And, until the surprising 40% sale, the OS/Windows bundle was $69, if I add the pro Android app, it was $80.

With the 40% sale it is now $48, full 4 years of lastpass subscription

Then by all means, please continue trusting a complete database of the most valuable information in your life to the lowest bidder.

Which lowest bidder?

That means there is an annual subscription? I can't find any info about that on their site.

Hi Isn0gud, My name is Eva Schweber and I work for AgileBits, the folks who make 1Password.

1Password is not a subscription service. Instead we charge a one-time fee to purchase the app. That license remains valid for the duration of that version's lifetime.

Nope, they are too pricey and their Windows version is not that smooth like competitors. I'm using Sticky Password - http://www.stickypassword.com

I tried it for all of a week in the past. It's the top one I'm looking at moving to, but honestly the reviews that have been done by users of both are lacking on information, so I don't know what I'm giving up.

Very happy user of 1password here, features, UX and overall ethos of Agilebits are to be commended

+1 for 1password. Best password management software out there.

Hi zakelfassi,

My name is Eva Schweber and I work for AgileBits, the folks who make 1Password.

Thank you so much for the endorsement. Way to make my day!

Hi ge0,

My name is Eva Schweber and I work for AgileBits, the folks who make 1Password.

I just wanted to thank you for your kind words.

Seconded, a really amazing UI and UX with security at the forefront. Not to mention the apps are updated often to take advantage of the latest iOS and OS X features (they support other platforms but I don't use those apps).

It's not clear what the "Pro Features" in-app purchase includes. Is this something that's required for true usability?

Hi jobu,

My name is Eva Schweber and I work for AgileBits, the folks who make 1Password.

You do not need the iOS app's Pro Features for looking up or entering Logins. But you can read much more about what you do get for purchasing the Pro Features here: https://support.1password.com/guides/ios/pro-features.html

No. I just bought 1Pass and it is perfectly usable without Pro features on mobile. The major one is just ability to use multiple vaults.

Hi cburgess,

My name is Eva Schweber and I work for AgileBits, the folks who make 1Password.

Thanks so much for the compliments! Our designers and developers work really hard and it is great to see their efforts being so well appreciated!

Even on Android 1Password feels like a first class citizen (I think some third party app integration is lacking but i'm used to going back and forth to copy passwords). I am very happy with what it provides.

Hi suhailpatel,

My name is Eva Schweber and I work for AgileBits, the folks who make 1Password.

I don't know what version of Android you are on, but if you are running Android 4.0 or higher, you can use our snazzy Filling feature so you don't have to copy and paste Logins anymore. You will find more details here: https://support.1password.com/guides/android/filling.html

I was a longtime LastPass user and switched to 1Password about 6 months ago and have been really impressed by it.

I'm thinking of making the switch.

Question for you and others who have migrated from LastPass to 1Password:

Were there any sticking points? How did you go about moving over your password database?

I used to be a free user of LastPass and wanted a vault on-the-go. With LastPass the only option was an annual subscription, for an app that I didn't find particularly impressive.

Switching to 1Password was extremely easy. It offered simple instructions on how to import from LastPass and the pricing model (pay once for the piece of software) was a lot more compelling to me. As an added bonus, the app is super well developed and designed. It _just_ works, and works the way you expect it to. 100% satisfied.

Hi acrooks,

My name is Eva Schweber and I work for AgileBits, the folks who make 1Password.

I'm so glad to hear that the transition was an easy one and that you are so satisfied with our product! I will certainly share your kind words with our designers and developers.

Hi quanaut,

My name is Eva Schweber and I work for AgileBits, the folks who make 1Password.

You will find the users manuals for all of our platforms at http://support.1password.com and if you have any questions about specific features, please feel free to ask one of our support jedis at http://discussions.ahilebits.com.

Been using it for years on multiple machines and iOS devices. Works great, and I happily pay for it every once in a while. I'd rather support a small company dedicated to this, than get a cheap product from a corporation with unclear goals.

Hi jwr,

My name is Eva Schweber and I work for AgileBits, the folks who make 1Password.

Thanks so much for appreciating our dedication to our product. Security is incredibly important to us and we take the quality of our work very seriously.

Holy crap, this is annoying...

Eva - love your company and product, but you're spamming HN with this stuff. Update your profile to disclose your affiliation, up-vote the comments praising 1Password if you want, and answer questions candidly. Happy to see company reps participating in the conversation!

Just kill the "Hi so-and-so" and the boilerplate "I am Eva...". If all you have to say is thank you, upvote and leave it at that - your posts are taking up like 50% of the article commentary...

Adding to the other response here -- it's great to thank your customers, and you wouldn't want to hide that you're affiliated with AgileBits. But please bear in mind that people reading HN are here to read a discussion.

A good guideline is just "does this add useful/interesting content to the discussion?"; if not, think very hard before adding it.

Plus from the HN guidelines: Please don't sign comments; they're already signed with your username. If other users want to learn more about you, they can click on it to see your profile.

All that said, welcome to HN!

This is a little different. I think the disclosure is important. Maybe they could just be more succinct with it.

i've often felt that hn should support some sort of flair for people who want to make it clear that they are speaking for their company

Give okeylabs a look. Not out yet but for the future.

Can't watch their demo video -- blocked because of copyright infringement. Whoops.

Really? I can, what country are you in? At least there's animated sections under the main heading.

Does it work with Linux, Windows or Android?

Seems like the alpha is only for Apple products, I read that their next step is to support Windows and Android

> "They however do control access to the account. This means there's a point where they get all sorts of data on me, and while I personally don't mind, I must admit I felt a bit safer when I thought it was a smaller, purpose-built company managing things."

I've never really understood the appeal of account-based password managers. It was a startup and it needed a business model, sure, so from the company's perspective it makes sense. But from a customer's perspective you're accepting a new type of risk that you don't have to worry about if you use a glorified encrypted list (e.g. KeePass) to manage passwords. The payoff is convenience, but personally no amount of convenience is enough to make me comfortable with storing all of my encrypted passwords on a single server somewhere and hoping that there are no exploitable security vulnerabilities (or malicious insiders who might seek to profit from finding or introducing them). Having an offline password manager that never uploads data to a server provides defense in depth, though it's less convenient.

Agreed. Logically, something like KeepassX (https://www.keepassx.org/) is the most logical, secure choice. I think a lot of people pick Lastpass and such for the convenience of browser integration, but I don't think that's necessarily impossible with keepassx - just so happens that nobody is really working on it (which is a shame).

There's actually rather good browser integration for KeePass now, I just switched a few weeks ago from LastPass.

Check out http://keepass.info/plugins.html (I use PassIFox and ChromeIPass via KeePassHttp)

Another reason to use LastPass is if you need to share sensitive data with a team.

Group credentials and secure keys for production environments, among other things, can be shared using LastPass.

This one in particular -- I use KeePass for my personal stuff, still; but at work, there seem to be a ton of logins we need to share.

Never mind sensitive stuff -- we get lots of use out of LastPass for managing the list of test and demo users on our site. We set up sandbox accounts (with various types of users) for potential customers. Each time the main logins go into LastPass, so if they run into problems, anyone on the dev team can help them out (with no other coordination required).

I've not been terribly impressed by LP's usability, honestly; but for quite a while they've seemed to be the only mature product in this space.

I've noticed Dashlane seems to be catching up here; I'm keeping an eye on them.

Dashlane is pretty OK. I'm playing with Sticky Password now.

Beware, KeePass uses a weird custom key derivation function. LastPass uses PBKDF2 with a configurable number of iterations, a pretty widely accepted standard.

Maybe this has changed since I last checked but this and many other things seemed highly questionable on KeePass.

An important thing is that LastPass works on mobile.

So does KeePassX, quite well actually, at least on iOS but there are Android apps as well.

iOS (MiniKeePass): https://itunes.apple.com/us/app/minikeepass-secure-password/...

Source: https://github.com/MiniKeePass/MiniKeePass

How is trusting your data to several corporate entities better than to just one?

Huh? The data is only on my devices and nowhere else. I transfer the password database to the app via iTunes file sharing.

Back when I first signed up for LastPass, the killer feature for me was that it worked on my BlackBerry Curve. The fact that they made versions of LP for damn near every platform is what sold it for me.

I don't have a BlackBerry anymore, though. Now might be the time to jump ship.

Keepass has apps on Android, I've seen an implementation for WP, I'm not sure about iOS.

I wouldn't consider Keepass the most secure choice. One of the most common attacks in practice is phishing, and browser integration discourages carelessly pasting your password into something that looks like your bank's site. The Chrome password manager and LastPass can help there, but Keepass does not.

But if an attacker steals your Keepass file and acquires your password you won't notice.

Lastpass can detect logins from new IP addresses and throttle requests, send warning mails etc.

But sure, once their servers are cracked and their plugin is infected with master-password-stealing code it's all game over.

> Lastpass can detect logins from new IP addresses and throttle requests, send warning mails etc.

This, Duo integration and Linux support are the features that are making finding an alternative to LastPass difficult for me.

> The payoff is convenience

It's true for any level of password management. KeePass is less secure but more convenient than simply memorizing each of your long, secure passwords. Choosing less secure passwords or repeating passwords is more convenient than memorizing long, unique passwords.

Finding the right balance of convenience & security is critical for securing the myriad accounts of the "masses." We know that the average person isn't going to bother memorizing long unique passwords - even the most security conscious person won't do that (except for maybe a handful of super-critical passwords).

> They still don't have access to my raw passwords.

> They however do control access to the account.

From point 2, point 1 is trivial to change. All they would need to do is update the extension or add some javascript (for the web login) to grab your master password in the clear.

Sure, a local password manager like Keepass could provide a new version that posted my p/w, key file, and DB up to a server somewhere, but I would have to manually install it, and it would have to get around a local program executable-firewall. No such challenges with auto-updating extensions and/or JS served from their server (or MITM.)

I don't know if the acquisition makes them more secure or less, but having worked at large companies, I tend to agree with:

> I must admit I felt a bit safer when I thought it was a smaller, purpose-built company managing things.

I have problems with the mobile also but there is nothing else that compares. Android has the standalone app and the integrated keyboard. Autofill with the keyboard doesn't work like the web browser, but you can still copy and paste the individual fields. Is there anything else that has a good standalone mobile app, and has good keyboard integration?

What about KeePass? There's even a web front end.

Though really in an organisation you'd probably pay for one of those other solutions (Secret Server?)

LastPass has a web interface, is also available as a browser plugin and when I tried it the only password they asked for was my account password.

So how come they don't have your raw passwords? Because of their web centric approach, I doubt that they are encrypting it locally. And regardless, LastPass is a proprietary thing, so you can consider your passwords to be compromised anyway.

They are encrypting it locally. It isn't anything to doubt- it's been shown time and time again.

Nowhere in the payload that gets sent to them is your key. The only way you could consider your passwords compromised is if you think there's already a rainbow table out there to decrypt everything, which is ludicrous.

OK, I don't know how it works then.

The encryption happens in a browser extension or mobile app, or in client-side Javascript in the case of accessing it directly through their website.
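
An added illustration of the client-side model described in the comments above (not part of the thread and not LastPass's code): the vault key is derived from the master password with PBKDF2 on the client, and only a login hash and ciphertext go on the wire. The iteration count, the e-mail used as salt, AES-256-GCM, the login-hash construction and all function names are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// Assumed parameters for illustration; not any vendor's real settings.
const ITERATIONS = 100000;
const KEY_LEN = 32; // 256-bit key for AES-256-GCM

// Constructed sample input.
const SAMPLE_EMAIL = 'user@example.test';
const SAMPLE_MASTER = 'correct horse battery staple';
const SAMPLE_ENTRIES = [
  { site: 'bank.example', username: 'alice', password: 's3cr3t-constructed' },
];

// Vault key: PBKDF2 over the master password. It never leaves the client.
// The iteration count sets the cost of each offline guess against a stolen vault.
function deriveVaultKey(masterPassword, salt, iterations = ITERATIONS) {
  return crypto.pbkdf2Sync(masterPassword, salt, iterations, KEY_LEN, 'sha256');
}

// Login hash: one further one-way step over the vault key. The server can
// compare it to authenticate the user but cannot invert it to get the key.
function deriveLoginHash(vaultKey, masterPassword) {
  return crypto.pbkdf2Sync(vaultKey, masterPassword, 1, KEY_LEN, 'sha256');
}

function encryptVault(vaultKey, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', vaultKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    iv: iv.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
    ct: ct.toString('hex'),
  };
}

// Throws if the key is wrong or the blob was modified (GCM tag mismatch).
function decryptVault(vaultKey, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', vaultKey, Buffer.from(blob.iv, 'hex'));
  d.setAuthTag(Buffer.from(blob.tag, 'hex'));
  const pt = Buffer.concat([d.update(Buffer.from(blob.ct, 'hex')), d.final()]);
  return pt.toString('utf8');
}

// Everything the server would receive in this model.
function buildUploadPayload(email, masterPassword, entries, iterations = ITERATIONS) {
  const key = deriveVaultKey(masterPassword, email, iterations);
  return {
    email,
    iterations,
    loginHash: deriveLoginHash(key, masterPassword).toString('hex'),
    vault: encryptVault(key, JSON.stringify(entries)),
  };
}

// Audit helper: true if any of the given secrets appears in the serialized payload.
function payloadLeaks(payload, secrets) {
  const wire = JSON.stringify(payload);
  return secrets.some((s) => wire.includes(s));
}

// Runs the whole flow on the constructed sample and reports what a reviewer
// of the wire traffic would check.
function demo() {
  const payload = buildUploadPayload(SAMPLE_EMAIL, SAMPLE_MASTER, SAMPLE_ENTRIES);
  const key = deriveVaultKey(SAMPLE_MASTER, SAMPLE_EMAIL);
  return {
    leaks: payloadLeaks(payload, [SAMPLE_MASTER, key.toString('hex')]),
    roundTrip: decryptVault(key, payload.vault) === JSON.stringify(SAMPLE_ENTRIES),
  };
}
```

The guarantee holds only as long as the code doing the derivation is the code the user expects, which is the concern raised elsewhere in this thread about auto-updated extensions and server-delivered JavaScript.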

There is an official, open-source lastpass CLI client: https://github.com/lastpass/lastpass-cli

Well looks like I'm going to have to convince my wife, family, extended family, and friends that they all have to switch password managers now.

I'm blown away, I've been a fan since day one because of its simplicity and availability.

I am torn between waiting to see what happens and giving them the benefit of the doubt and just changing all my passwords before Logmein can f--- me.

Having not used anything by Logmein or heard much about them, what's the reasoning behind wanting to jump ship asap?

Are they just bad at running a company or are you scared they will sell your data or similar?

Because you can't buy trust through an acquisition. You build trust, you don't transfer it through a merger.

This is 100% spot on. And when it comes to password mgmt, trust is everything.

LogMeIn is used by those phone scammers who ring up and say "We have detected a Windows Virus on your machine and are here to help". They then convince the mark to let them start a session, then surreptitiously download data from their machine using a back channel. (LogMeIn lets you share screens, but also access the filesystem in another panel and the other side can't see).

When you complain to LogMeIn and give them the details of the scammer, they couldn't give a rat's arse and just ignore you. Those kind of ethics do not belong with the owners of a password vault.

Source: Experience trying to report a bad actor.

I know the popular thing is to blame LogMeIn, but it would be very expensive to chase down the scammers. And, law enforcement is very likely to not give a shit, too. So, if they did what you said, likely it would be wasted effort.

"Thank you for the information, we will investigate/confirm, cancel their account, put them on a watchlist" would have done. I'm not after prison time, I'm after LogMeIn not allowing their service to be used by identifiable criminals.

Just based on the bad things everyone else is saying about them, I have to do some research and see if they are a good or crap company. They just have a lot of power regarding my passwords, and they are an unknown to me, but, in the other thread they were seriously disliked.

Edit: I read some of the comments on https://news.ycombinator.com/item?id=10359491 and most of them have bad things to say about LogMeIn.

I'm in the same awkward position. I've been a LastPass evangelist for years now. How can I abruptly switch to 1Password or whatever's most comparable to LastPass? The selling point I would make of, "Hey, this company exists solely to provide security to the world. They're passionate about using strong passwords and do everything in their power to ensure their service is both friendly and secure." wasn't just a talking point, but one of the primary reasons I ever used them in the first place.

I'm happy for the LastPass team that they were able to profit off their hard work, but I'm leery of what this means, not only for the hundreds of my passwords and notes LastPass has in its vault, but what sorts of "features" LogMeIn will want to forcibly integrate into the product--and then charge 50x my lowly $1 a month contribution.

I don't know why this guy is being downvoted. I, too, am now looking for a new password manager. All I need is one that does local decrypting only, supports Chrome and Firefox, and can do Android as well.

KeePass [http://keepass.info/] has worked well for me across Firefox and Android, though I haven't tried it on Chrome.

What do you mean when saying that KeePass works for Firefox?

It's likely GeorgeHahn means KeeFox - http://keefox.org/

"KeeFox connects Firefox to KeePass Password Safe"

That actually works rather well. You should add the toolbar button though, then it works like LastPass.

Blur from abine.com.

Unnecessary negativity; against the HN standards.

Be civil. Don't say things you wouldn't say in a face-to-face conversation. Avoid gratuitous negativity.

gratuitous- uncalled for; lacking good reason; unwarranted.

I feel that my comment falls into what I consider a fair statement about the severity of the situation. They have my passwords and could easily hike up their rates. This change may add features I didn't know I wanted, but thus far I'm happy with the way LastPass has been operating and I don't want a change.

This comment meets the standard. Negativity without any explanation was the issue. Thanks for clarifying.

The explanation was easily inferred. Not a huge fan of your interpretation.

What's your explanation then?

What are you asking me to do? Explain someone else's post to you after they took the time to spell it out specifically for you?

I won't be doing that.

Sorry, I meant "Why did he get downvoted then?" I got hit for trying to explain what I thought was a reasonable scenario.

I'll tell you what I think. I was right; he was too negative; and folks feel threatened by that. Fits the data here pretty well.

Well, export your data ASAP. At least if shit happens you won't lose it all. Would be funny if LMI spent 120MM just to have a product everyone leaves. lol.

Logmein has a great tech organization and certainly hasn't ruined meldium since they bought it. I think they've made a couple boneheaded moves around enterprise pricing that people have pointed out here, but expect they'll take good care of it.

I've had great success with Dashlane so far. It even has the ability to share passwords securely with friends, colleagues.

I find this to be a huge unnecessary paranoid overreaction that I am not surprised to find on Hacker News. :/

This really rubs me the wrong way. Do not like the idea of my password manager bouncing around owners. Or infrastructure changes that new owners often push on the acquired company.

If there's one business I REALLY do not want to be moving about, and I want as little churn as possible for, it's a password manager.

The thing I liked about LastPass was that it seemed like the highly geeky, less startupy approach to password managers, more likely to be run for the long-term, less likely to be at risk of an acquisition.

Going to look into Dashlane.

I use opensource keepass. Sync my password db via dropbox. Totally works for me.

Using Dropbox for Security seems like an oxymoron? I fail to see that as anything I am willing to use.

"Using Dropbox for sync". It's just an option. Password db is already encrypted, so it does not matter which service is used for sync :)

Why? The database itself is encrypted. Dropbox is just an easy way to sync it between devices.

I store the private keyfile outside of Dropbox. To me it's a very acceptable tradeoff.

What makes you trust LastPass to spread your database to your devices more? And what makes Dropbox so bad?

Dropbox runs a binary on your machine; that's enough to suspect them. Stick with an open source password manager and an open sync service (S3 plus a script? Or a third party client like Arq).

Yeah... I'm not in the RMS camp

Nothing to do with software freedom, everything to do with security/auditability.

Yeah, with Dropbox software running on your machine, you not only have to trust them not to snoop on you, you have to trust their non-auditable code to be ~perfect~ against exploitation by others.

Unless you actually read through and understand your open source alternative line by line you aren't really running anything safer

Of course there is the argument that since it's open source it's safe since someone has "audited" it, but many times that's not true.

And even then unless you spend a lot of time trying to break it so you understand it completely you are way better off just writing your own solution, but that takes time and effort

Are there plugins for safari/firefox/chrome and does it work on ios and have a nice little cli?

I'm basically preparing to bail on lastpass with this news but need to have all my bases covered.

With KeePass I haven't felt the need for a browser plugin: Ctrl+C, Ctrl+V is easy enough for my tastes. Plus, in Windows the "auto fill" works more often than not (reducing things to just Ctrl+V in KeePass).

There are multiple KeePass clients on iOS and just about all of them support things like Dropbox sync.

A curses-based CLI for KeePass, KeePassC was just recently on HN: http://raymontag.github.io/keepassc/

Browser plugins saving me from having to copy/paste are a huge win in my opinion. Prevents me from accidentally copy/pasting things and makes for really nice login behavior.

I'll look at some of this tonight thanks!

> Are there plugins for safari/firefox/chrome

I just save+sync passwords in Firefox and use a strong master password. I (usually) only need to paste the password from Keepass once unless I elect to not save it (such as with financial logins).

> does it work on ios?

Google seems to return lots of results for iOS Keepass apps. You'll want to vet them on your own. I use KeePassDroid on Android and like it well enough.

I tend to use all 3 of the browsers for slightly different things so having plugins would be ideal but I suppose I could slum it with copy/paste as long as I follow the password/login route to reduce the chance a password gets exposed.

I forgot about my nexus tablet but android is the other thing to have a look into.

Yes there is a plugin for Firefox. Don't know about the others.

Does it work on mobile?

Yes, I have it running in my BlackBerry! I'm pretty sure iOS and Android alternatives would be available.

Yep. I have both an Android and iOS client that I use.

Dashlane looks really promising. Does anyone here have experience with it? Does it work as smoothly everywhere as LastPass did?

I used Dashlane at a previous company. It felt like a much buggier LastPass. I avoided it to the extent possible. Most of the problems seemed to be the usual non-standard HTML / Javascript hijinks breaking things but LastPass was pretty good at dealing with that whereas Dashlane seemed to get confused much more often. They may have improved since then. This was about a year ago.

I'm not affiliated with Dashlane in any manner but I thought I'd chime in with my experience as a user. I used to use LastPass but lost a bit of confidence in them when they asked users to reset their master password [1] when an anomaly was found present in network traffic from one of their DBs. Prior to this I was looking at open source alternatives but the syncing and add-ons for each browser (which made logging in and generating passwords easier offered by Dashlane) really caught my attention. These features aren't unique to Dashlane, I'm sure. New sign-ups reap the benefits of premium features for a month or so, then you could send an invite to a friend and accrue 6 free months of premium service when they sign up (which is what I did) for free. They also offer a public password generator [2] page. They support the major browsers (Safari, Chrome, Firefox). Dashlane also has a "security dashboard" which keeps track of password expiration, reuse, and weak password usage, with a base analysis score that gets presented to you when action on a site is required. If you want something for offline use and that is hardware based, I'd recommend checking out the Mooltipass [3]. I hope this helps.

[1] - https://www.duosecurity.com/blog/breaking-down-the-probable-...
[2] - https://www.dashlane.com/password-generator
[3] - http://www.themooltipass.com/

I'm a happy user of Mooltipass! Definitely a great alternative.

I switched everyone from Lastpass to Dashlane some time ago. From my perspective it works better everywhere except Linux (where it doesn't exist). We currently use it across Windows/OSX/IOS.

It is more expensive than Lastpass, but this news suggests Lastpass was underpriced for a long time.

Dashlane works under Wine on Linux as long as you also have Firefox or Chrome installed under Wine. I copy and paste back and forth.

Big fan of Dashlane's 2FA with Authy. Really easy to share passwords securely around my organization too.

Not having a Linux client is a real miss though, I also kept Lastpass because the Linux integration is seamless.

Dashlane treats passwords shared with you as second-class - you can't access shared passwords in their web app. So I would avoid Dashlane if you're seeking a solution for your team.

It is pretty OK. I've tried also other alternatives and so far Sticky Password does a great job with the WiFi sync and cheaper price.

I use Dashlane, it is better but is not quite there yet in terms of multi-user support.

So, use an open source one.

Pretty key to have high quality mobile apps. Another big use case is having my teams be able to share passwords.

Highly useful to be able to have access groups like "team" (everyone, things like Zendesk) "team-secure" (stuff with CC's, like Amazon), "dev" (general dev accounts), and "dev-secure" (compose.io access and the like).

Makes it way faster to onboard new folks, and when people leave, to cleanly strip access and change passwords.

The open source tools don't solve for those kinds of use cases, as far as I know. Just "I have one computer, and want to store my passwords on that one computer."

Doesn't solve the mobile apps part but we run https://passopolis.com/, a continuation of Mitro (https://www.mitro.co/) that shutdown a couple of days ago.

The server and the chrome/firefox extensions are opensource (https://github.com/WeAreWizards/passopolis-server, https://github.com/WeAreWizards/passopolis-extensions).

Right now it's mostly for us and other mitro escapees to continue using it so we didn't bother with the site design or the mobile apps. The exact feature you mention would be the first one to be done if we decide to monetize it though! It would stay opensource as well.

You could easily store KeePass database files on a network share. Create one file per access group, for instance. KeePass works pretty well with multiple database files (it has a simple tabbed interface when you do so and you can do things like color code the icons in the tabs). You can use network share permissions to make the database files read-only to particular users and KeePass will do the right thing with read-only files (mark it as read-only in the UI and disallow editing actions).

We're looking for the exact same thing, mobile apps and team management.

I've yet to find any open source software that does team management. Even multiple open source tools that work together to create this functionality would be great.

Sure, but now you're trusting your entire infrastructure to a black box which can be passed around to anyone with enough money. There are trade-offs, and you have to consider everything when comparing features, including the license.

Also, no way I would do anything important on my phone. These things seem to be about as secure as sieves.

What Open Source one was as convenient or as feature complete? Seriously, I love LastPass and I use it for everything BUT my banking. I just install the plugin on any device or open the webpage and I am all set with all my passwords.

I don't know what features you like or find important. But you have to consider the licensing model as a feature when choosing your software. What happens if the software is sold or no longer maintained?

For me, I use a plaintext file in a Truecrypt archive because I'm a massive dweeb.

You should be using VeraCrypt (https://veracrypt.codeplex.com/) rather than TrueCrypt. The authors of TrueCrypt even said to stop using it when they stopped maintaining it.

Yeah, I should. But Arch doesn't provide packages for it yet and there's no realistic attack vector against my usage of TrueCrypt, so meh. It's good enough until Arch starts shipping packages.

You can use Linux's own cryptsetup to mount TrueCrypt volumes. No TrueCrypt needed. There's documentation on the ArchWiki. https://wiki.archlinux.org/index.php/TrueCrypt

Cool, thanks!

Sure, but at that point, why is maintaining my own package better than just using Truecrypt?

I don't use Windows and that exploit isn't relevant to my use-case anyway (requires an evil local user). I'll move to another encryption program sometime, but it hasn't been a priority.

I used Lastpass for random web passwords (everything except banking/shopping) but moved to 1Password, mainly because they could sync between desktop and mobile without using the cloud.

A lot of folks only have experience with Logmein from the horrible way they handled transitioning users from the free to paid service.

My company has used Logmein Central for remote access to hundreds of PCs for years. The core software is great, reliable, and has been ever since we started using it.

The problem is that Logmein the company knows they're on top of the heap when it comes to remote management. They have no reason to innovate or improve where they can.

They added 2FA but otherwise we haven't seen a single new feature that we've taken advantage of in a very long time. Any features they do add hint at them wanting to be a RMM service but you'd have to be an idiot to trust them with more responsibility of your networks. Also a lot of those features require Logmein Pro which adds an insane amount of cost depending on how many systems you're managing.

Meanwhile there are bugs that have been around literally since we started using the software. For instance copy/paste while in a session will randomly break. The Logmein client software is very buggy on OSX, crashes often, search will randomly break.

Their support is basically non-existent, although I haven't tried in a while if you opened a ticket it would take days if not longer for a response and they'd usually just direct you to some unrelated KB or tell you post on the forums.

We use Lastpass as well so this should be interesting. I've yet to see a merger that actually improved things from our end as a MSP. Cisco bought Meraki, Dell bought SonicWALL, at this point I assume any time we see a merger that it's time to find a new vendor.

I also remember when LogMeIn changed the number of users allowed in the free tier of Hamachi (a P2P VPN) -- it went from 10 to 5 with no notice, just randomly disconnecting half of the peers.

My first reaction to reading the title was "why?"

After reading the article (and then reading it again) I'm not left feeling confident that this is in any way positive for me as a LastPass Premium and Xmarks customer.

In particular the vague line about, "As we become part of the LogMeIn family over the next several months, we’ll be releasing updates to LastPass, introducing new features..." To me, LastPass is feature complete. So either I'm going to have a mind blowing, I never knew I needed that, moment, or more likely some sort of bloated crap is going to get shoe horned into LastPass.

LogMeIn purchased, and absolutely ruined, Hamachi back in 2006. That program was the perfect lightweight virtual LAN client in existence with all the necessary features. Within months of acquisition, Hamachi had several "updates" and became bloated beyond recognition, slow, buggy, and downright unreliable. I have the worst taste in my mouth from what LogMeIn did to a perfectly working product and won't use anything they offer because of it.

I forgot about Hamachi! I used to love that back in college, and you are right, they destroyed it. Salted the earth.

Yeah, they really ruined Hamachi. There isn't really a suitable replacement even now, to the best of my knowledge. I still resent them for that.

I hope they don't ruin LastPass also, but from here on out I'll be intensely skeptical.

Suitable (and open source) replacement:



Also does a lot of other things, and is evolving into a full-fledged SDN layer. If you don't want to use the pretty GUI they give you to create/manage networks you can run your own 'network controller' -- see READMEs in GitHub.

> My first reaction to reading the title was "why?"

You're reading Hacker News. You know what "exit" means.

This is true, but my first reaction was as a LastPass customer not as an observer of the company.

I also agree with colinplamondon's comment "The thing I liked about LastPass was that it seemed like the highly geeky, less startupy approach to password managers, more likely to be run for the long-term, less likely to be at risk of an acquisition."

So the thought of them seeking an exit never crossed my mind.

makes the point that this startup culture with a focus on exits and making founders and VCs rich is often not beneficial to our customers

And I think at some point the customers are going to figure out that the startup merry-go-round is not and never was intended for their benefit. Over time it's going to get harder for new startups to attract customers because people will realize that flashy new product offerings aren't likely to stick around (in a form that we actually want) for long.

And since "exit" has come to mean 50%+ chance that customers will be screwed over it also means that in the future having a decentralized product will be KEY to actually get investor money - there's only so many times this get-customers-screw-customers round-about can spin before it gets uninteresting from a capital gain standpoint.

I'm not so sure. It's also possible that it will always work, and what happens is you lose the early, informed users, and gain new users who are more moved by marketing.

Logmein is still in business, and buying companies. At first blush it seems like they'd be a good company to have a stake in.

The product is going to be merged with another password manager LogMeIn acquired, Meldium.

Insert here, obligatory link to Our Incredible Journey (http://ourincrediblejourney.tumblr.com)

This is pretty terrible news. It would have been neat to see LastPass get acquired by a company like AWS but LogMeIn doesn't really have the reputation required to ask people to trust them with all their passwords.

Also, the valuation also seems low to me. Maybe LastPass was having trouble generating recurring revenue. It seems like going public would be a better route for security companies but maybe the revenue wasn't there for an IPO.

I've had a paid subscription for years and used their enterprise service for 2 different startups. Hopefully the service doesn't start to suck. I'm already scouting alternatives.

We were in a similar situation a few months ago when Mitro announced that they were shutting down their service.

Mitro's owner being really nice, they open-sourced the browser extensions, server and mobile applications so we used them to run our own: https://passopolis.com/

We plan to keep the code open-source and we're working hard at the moment to introduce the organisation feature useful for start-ups. We plan to make the organisation feature a premium service so we can justify running and improving Passopolis for as long as it stays useful.

LogMeIn has many years of experience securing their remote management software, something that has incredible potential for malicious activity. They seem like a good candidate for keeping LastPass secure, based on their reputation from a technical standpoint.

Honestly if you're a security / privacy company, can you please just not get acquired? You can't 'transfer' your customers' trust to a third party like you transfer cash.

Agreed. Or just open source it so we won't have to trust you.

Using open source and not having to trust someone would be nice, but at a certain point I would rather not be running my own security-critical infrastructure for personal stuff (if I can avoid it). I only have so much time.

As long as it's a hosted service, you still need to trust the one who runs it.

Price was $110M + $15M in contingency payments.

From the LogMeIn investor release[1]

Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.

1. https://investor.logmeininc.com/about-us/investors/news/pres...

That's funny. The LogMeIn employees have a financial stake in making sure that people DON'T exit en masse after the acquisition. I wonder why?

I would caution, then, that any interviews given by any staffer to the effect of "LastPass is not changing, your data is perfectly safe with LogMeIn, the prices will not skyrocket, etc." over the next few months should be taken with a grain of salt, since they quite literally have $15 million riding on you not leaving.

As opposed to any other acquisition (excl. acquihires) where the company doesn't have any incentive to keep customers at all and therefore everything they say must be completely true?

That's a whole lot to infer from that. Holding a significant portion of the sale in escrow pending retention, legal requirements, and other issues is pretty standard practice.

First comment on the blog so far: 'Oh no.'

My first reaction was to chuckle. I wonder how LastPass will change given the new ownership. We switched over to this at work almost a year ago, after trying to determine a password management strategy for years, and it's worked fairly well, although it hasn't sold me on switching from Keepass for personal use.

I'll be interested in what the Hacker News community thinks about this.

As a former Hamachi user and LastPass user/advocate, I had the exact same reaction when I saw this.

Congrats to Bob and Joe and LastPass team. I'm a former LastPass employee and will be forever impressed by their work ethic that I saw. They definitely deserve it.

If you're looking to change your password manager, I've been using `pass` [0] for years now, and it's one of the best open source projects I have ever used. Everything works, it uses git for remote storage and gpg for encryption. There is no fancy browser plugin, but a command line to get the password is enough, since browsers cache the password afterwards and most sites use long lived sessions through cookies. And the android app works well.

Pass feels simple but it is actually elegant.

[0]: http://www.passwordstore.org/

I can second this - I've been using it for about a year now, and it's fantastic. I'm able to store password history in git, and automatically sync it between all of my machines, using a private GitHub repo for backup.

I also love pass. My problem now though is what to recommend to family and friends. I've been evangelizing lastpass to them for a while, but I'm not comfortable telling anyone to trust them anymore.

Precisely my problem as well, if only pass had a user-friendly interface under windows..

There are times when it might be better to disable comments on your corporate blog. This was one of those times.

Haha every single one of the comments on the blog is negative.

Confirmed - 39 comments. All negative.

These acquisition announcements are always the same, and always get the same sort of comments.

They tell of good fortune for the owners of the thing that has been sold, but never tell the users what's in it for them. And that's usually because there is nothing in it for them.

What am I supposed to be happy about?

I can't exactly agree with you. First, lots of acquisitions are good for the user because they often mean backing by a larger entity with deeper pockets, ensuring that the service you use will be around for longer.

Second, why do they owe you anything? Either you are a free user, at which point you don't really have a whole lot of say in what they do with their own company, or you are paying $12 for a stellar password manager, which I would say is definitely worth it.

I am not exactly a fan of LogMeIn, and I do really like LastPass and use it every day, but if they chose to sell their company and cash out, good for them. If the service somehow becomes bad, I will move onto one of many alternatives, though this time probably an open source one.

> Second, why do they owe you anything? Either you are a free user, at which point you don't really have a whole lot of say in what they do with their own company, or you are paying $12 for a stellar password manager, which I would say is definitely worth it.

Because I not only paid US$12,00 to them, but I have also invested time and thought in building habits and procedures based on their service.

If their service becomes unworthy or cumbersome, or if I have any reason to distrust them, I'll have to look elsewhere, not only costing me time, but also giving me uncertainty and possibly having to choose a new service. And, if I have chosen Lastpass, it is because I believe other services are not worth as much.

OK, but why do they owe you anything for the time you chose to spend with their product? In fact by repeatedly using their product you subtract from their bottom line since you are consuming computing and support resources. As far as I see it, $12 buys you a one year LastPass subscription, not a perpetual right to be consulted on any corporate moves they might make. Practically, you probably have a bit more say than a free user would about the product features, but not nearly as much as one of their team members.

In short, while this change to LastPass might not be good for you (or me) in the long run, I don't see why they'd have any responsibility to consult you or me about whether to sell to LogMeIn. We are customers, not shareholders.

> In fact by repeatedly using their product you subtract from their bottom line since you are consuming computing and support resources.

I don't understand the point you're trying to make here. Their product is SaaS; by definition to use the product requires consuming their computing resources--that's what they're selling! Unless you're honestly of the mentality that companies have moral standing to tell you to eff-off once they have your money. But I don't think you are, so please clarify.

To answer your question, LastPass's popularity is largely due to word-of-mouth. People used LastPass because they liked it, they liked its ease of use, they liked what they perceived to be the honest nature of the company. Because people like the average user on HN, who are likely the "Tech guy" for all of their immediate friends and family, tell their families to use LastPass and help them set it up. When you piss off the guys who evangelized your product, you're not just losing his business; you're potentially losing the business of everyone whom they recommended it to.

Case in point, I convinced my girlfriend to start using it (she fortunately got 6 months for free via a student email and hence will suffer no monetary loss if we decide to switch) and was considering telling my family about it, but now I'm having second thoughts. And considering this is, again, a subscription model, the "Haha, we already have your money!" model only works for one year. The projected revenue based on the expectation of renewals, however, goes out the window.

My point is simply that LastPass has no responsibility to you and me to not ruin their product by selling to someone that might. If we were shareholders it'd be different, but as users we have very little say, and I think that's for the most part a good thing. Imagine if you had to treat all your users as shareholders.

Of course this sale to LogMeIn might mean the end of LastPass as a reliable and easy to use password manager. Of course it might cause you and me to spend time looking for an alternative solution, setting it up, etc. I am saying that none of that is LastPass's team's problem and I don't think that even a paid subscription for their service buys us the right to be consulted on their corporate strategy.

FWIW, regarding the ongoing complaints about the LP UI, they just released a beta update to their chrome extension a couple days ago. Still a ways to go, but they are/have been clearly working on the end user experience.


That actually seems to be quite the improvement. The vault actually seems useful now and doesn't look like a poorly built app from 2002. Thanks for sharing

Oh wow. Thanks for posting this. It's such an improvement.

I haven't had that much complaint about the chrome ext. What do people not like about it?

Lastpass premium customer here. It was $12/yr. (that will probably change after the 2yr/$15M target is over)

Right now lastpass encrypts in the browser and the company only saves a binary blob that they can't access. So your data is safe. But they said, "As we become part of the LogMeIn family over the next several months, we’ll be releasing updates to LastPass, introducing new features.." that makes me nervous.

The comments here have lots of suggestions like keepass, but none of them really compare with the LastPass Android support where it will automatically log you into apps.

KeePass apps are usually open source. Presumably some smart devs can contribute such Android support to an Android KeePass app.

Congrats to LastPass team for a successful exit :)

I understand why the users might have concerns with "LogMeIn", but well one should've expected (at least on this forum) that this is going to happen.

I know this isn't the most popular comment. But, what the heck, be happy for the LastPass team, they've worked their ass off. That's what this forum is for, isn't it? We (hackers) are all in the same boat.

I don't think anybody is unhappy for the LastPass team. Many of us use LastPass though and so we are nervous about the future of something we trust and use. I don't trust LogMeIn like I trusted LastPass and so now I have to contemplate finding a new solution to a problem that I thought was solved.

So hooray to the LastPass team and condolences to the LastPass customers.

Hopefully they do better with this than when they bought Hamachi. It was a great piece of easy-config VPN software, and they just ruined it.

I knew a lot of people who used it regularly. Now I can't think of any.

:( Hamachi quickly went to hell. I bet they use the tech Hamachi provided but the product was scrapped afaik.

I'd really love for some objective person to weigh in about why all the negative reaction to this. Is LogMeIn a terrible company? I have not used either LogMeIn or LastPass.

IMO not all that LogMeIn is a good/bad company, it's that LastPass was sold. Their (your) data is being moved from one company to another.

It's certainly possible that LogMeIn stays hands-off and LastPass continues all operations exactly as they did before, but then why would LastPass sell?

LogMeIn paid $x money for LastPass, and they intend to make $x + $y money for it, by doing things that LastPass was either unable or unwilling to do (otherwise, LastPass wouldn't have sold).

Usually this means that LogMeIn is going to try to "extract more value" from the customer.

Personally for me, I just can't trust a non-security-focused enterprise running a security-focused product. I just know that priorities will slowly change from security first to some random not so secure feature.

Additionally, LastPass did a good job in disclosure of security incidents in the past. I'm pretty sure this won't happen now that they are tied with this big brand name which thinks that publishing security incidents is bad for its PR.

Bottom line - It's a matter of trust for me, and I don't trust them.

I don't really know but I'm surprised people liked using the thing to begin with. Always struck me as junky.

I can't speak for others, but the headline made my guts tighten. I personally experienced bad ethics from LogMeIn when trying to report those "We have detected a windows virus on a computer in your house" scammers.

I'm curious as well.

Some time ago LastPass automatically DELETED my five-year old account on Mendeley.

The "AutoFill" option of LastPass was turned on. I was browsing my profile settings on Mendeley. Somehow LastPass automatically commenced the account removal action, filled in my password, and confirmed the prompt. My account was gone.

I did NOT EVEN NOTICE when it happened. The only reason I know it now is because I managed to reproduce this behavior with a new account. I reproduced it one month later, after exchanging multiple nervous emails with Mendeley Support.

The potential for abuse of LastPass is huge. The hope is that LastPass will get better after this acquisition.

Out of curiosity, how did it go with Mendeley? Were they able to recover your account?

Not at all. I lost my account. I've used my offline local copy of the database to reproduce most of it though.

I'm also not pleased by this news, given the track record of Logmein and how they butchered Hamachi (mind you, that was years ago), the price gouging and increases to the Pro and Central customers, etc...

I could grumble for awhile, but I do see one positive change I think will be made quite soon - Lastpass Enterprise did struggle to pass passwords through remote sessions (to a client server, for example). We played with using Thycotic Secret Server, but Lastpass Enterprise is better in so many other ways that we dealt with copy/pasting passwords into the remote session. If Logmein can bring Lastpass integration through their remote tools I'll be really happy, and I think it will drive people back to Logmein who left over the past few years price gouging.

That all said... Logmein was really really terrible about grabbing the clipboard of any user who had recently connected and hanging onto it. 'Pasting' into a session often splooged some other guy's clipboard contents (funny jokes, personal password, embarrassing URL)...

https://passopolis.com/ - I'm using this (formerly known as Mitro)

Open source

I see a bunch of lame commits like changing logos and names and no actual work on mitro -- not sure how encouraging that is, since you've already jumped at changing the name and making a company around it.

Perhaps the original app was feature complete and not a lot of work needed to be done on it? It's based on a third party password management service that open sourced its code before shuttering, so this would naturally be step one in relaunching something based on that code.

I'm one of the people running passopolis. We think that Mitro was already pretty good but we've fixed several bugs, packaged it for the Chrome store, made sure the server runs reliably etc. As the FAQ explains we changed the name to avoid confusion when Googling.

We're also not building a company around it, we've absorbed the work of keeping it running as our agency (wearewizards.io).

If we start charging it's going to be for some actually new feature, not for the current product.

I cringed when we got this email since we use LogMeIn Pro at work.

For everyone else, I hope they don't butcher the free version like they did with LogMeIn.

As someone who has never used LogMeIn, could you explain what the problems are? I use LastPass pretty extensively (and was thinking of buying a subscription later this month), but have never used LogMeIn.

LogMeIn used to have a free product that they then took to Premium only. I used to use them extensively until then.

Now they also seem to be notorious for price hikes, although I have no first-hand experience. I'm a LastPass Premium subscriber and have enjoyed using it, but I'm worried about what the future holds now.

My beef with them was when we quit using the 'Pro' product. We were using a feature that let us do software updates and scripting, which was kind of pointless when we could do those things with Windows server or other solutions.

We then went down to the 'Central' version of LogMeIn, as it still provided remote access capabilities (which was all we wanted) and were able to save a bit of money. Well, two months later they billed us the full renewal price of the old product ($2499) and it took us 6 months of back and forth with them to refund that.

Assuming your passwords are in a "stable" state (i.e. you're not constantly adding new logins to your vault), it would probably be a good idea at this point to make a backup of LastPass's database via the Export feature and hold onto that backup. I know I'm on the paranoid end, but I have this sneaking suspicion that the Export feature might "disappear" in the coming months to try to curtail a mass exodus of users.

I think that's unlikely, given how they handled the expiration of the Free LogMeIn accounts.

How were they handled? I didn't have one.

Any suggestions for alternatives? I need yubikey support, Chrome & Firefox plugins (Linux & OS X) and an Android app.

So you absolutely must use Yubikey for 2factor auth instead of one of the many alternatives?

Yes, unless you suggest another hardware token with NFC in the same price band (sub $100).

Some of these tools (1Password in particular) seem geared toward individual password management. And LastPass wasn't exactly user-friendly. What are you using for group/team password management?

I use keepassx, it will allow you to keep a local repository of all of your passwords and sensitive information encrypted and accessible to all of your team members.

Commonkey is another great program and is free for teams of three.

I use Passpack. The workflow is a bit janky, but it does the job. I'm not sure what other options would be good for sharing passwords with groups of employees, though.

I use 1password and export some of the items when I want to share them. But it's not my main use case, so it's not a problem that it's a bit cumbersome.

I didn't want to have my passwords stored on any servers from external companies. Instead I use tarsnap to backup my passwords.

Are there any real alternatives to Lastpass, that has working browser plugins and also work on Android devices?

One option I've been meaning to look, but haven't had a reason to because of LastPass is Encryptr [https://encryptr.org/], but now I might need to. They have Android and Linux support, but not browser plugin I think. Also, it comes from the same people as SpiderOak...

Encryptr is interesting and looks very nice. Includes source: https://github.com/devgeeks/Encryptr

But it doesn't appear to have anything like LastPass's autofill on android that supports the fingerprint reader.

So you'll be using the clipboard to copy and paste passwords on Android, which is (I believe) much less secure.

Roboform works everywhere: http://roboform.com

I just created a list this morning to help my family figure out an alternative to LastPass.

Here it is: http://afaqurk.github.io/lastpass-alternatives/

Linux User - I am looking at Keeper https://keepersecurity.com

My devices - Linux Desktop, Laptop, Windows 7, 8 and 10 Machines at work, Android Phone, iPad (Work)

Lastpass worked on all of them. The only alternative I could find was Keeper https://keepersecurity.com that worked with all of my devices.

Anyone have experience with Keeper Security?

Likewise, I'm similarly cross-platform and just found http://enpass.io/

Wondered if people have experience with them.

Am I blind? Where is the pricing for Enpass? It says free download free updates but then in middle it says pay once use forever.

*Free version can store up to 20 items only. Price for Life-time Pro ver is $9.99 per platform with no other server or subscription charges.

So for me that is $20 for iPad and Android BUT my iPad is a company product that is likely to switch on me shortly with an upgrade.

So this might not work if it is $20 per platform per personal and business use.

You're not blind, I can't find it either.

And I've already got spider sense tingles about them... lack of SSL cert for a security company? No pricing info? No "About Company"?

Wonder if now is the time to look at alternatives, before the service potentially changes.

I hear a lot of good things about 1Password, which seems to work for my iPhone/MacBook. Anyone know if there's a reasonable option for using it on Windows?

There is an official 1Password version for Windows: https://agilebits.com/onepassword/windows

They also have bundled licenses for both platforms.

Just a note - the 1Password Mac app is MILES ahead of the 1Password app. I've been using both for about 3 years now, and the separation is only getting larger. 1Password is smooth, fast, and fluid on Mac OSX. 1Password works, but is none of those on Windows.

There is 1Password Windows Modern Alpha[1] which so far looks very promising. It's still not very suitable for a day to day use though. (Screenshot: click "Getting started" in the forum, then "Windows 10 Store")

[1]: https://discussions.agilebits.com/categories/windows-modern-...

I chose 1Password because it works seamlessly across iPhone/MacBook/Windows.



The Windows version runs fine in WINE, alternatively they offer a very cut-down web-based solution called 1Password Anywhere (which I use on my Chromebook).

(There's an official Android client too, which wasn't mentioned above)

The only way to get some (read-only) support in Linux is by syncing the 1Password folder with Dropbox (last time I tried it did not work locally). If you open the webpage that is in that folder via Dropbox, you can log-in and read password.

They have browser extensions, so you can use it through that way on Linux it seems.


"IMPORTANT: This extension requires 1Password 4 for Mac or Windows", so I guess not.

No, it doesn't work in Linux, it needs the desktop app to work.

Does it have android fingerprint login/auth like Lastpass? This is my favorite feature and would hate to lose it.

They are supporting it only in marshmallow as of now

No, it doesn't and it seems that it doesn't have 2 factor authentication or yubikey support

1Password stores its encrypted data 'offline', so 2FA does not make sense for their product.

Even with LastPass offering 2FA, it's just that, authentication, it's not used as part of the encryption/decryption process (I did read somewhere it helps with your local cached copy, but it doesn't affect the copy stored on their servers)

If you wanted to use your YubiKey with 1Password, you could set a static password and 'split' your master password (half you remember, the other half is keyed in by the YubiKey)
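A simplified model of the distinction drawn in the comment above, as an added example that is not part of the original thread and not LastPass's or 1Password's actual design: a second factor that only gates download leaves the vault key unchanged, while a split master password feeds both halves into key derivation. All names, sample values and the HMAC-based keystream (a stand-in for AES) are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

PBKDF2_ROUNDS = 100_000  # constructed work factor for the example


def derive_key(secret: str, salt: bytes) -> bytes:
    """Stretch whatever the user types into a 32-byte vault key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for AES, which the
    # standard library does not ship. Not a production cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1)."""
    digest = hmac.new(seed, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SyncServer:
    """Hypothetical sync service: holds the sealed blob, checks a code before releasing it."""

    def __init__(self, blob: bytes, totp_seed: bytes):
        self.blob, self.totp_seed = blob, totp_seed

    def download(self, code: str, now: int) -> Optional[bytes]:
        ok = hmac.compare_digest(code, totp(self.totp_seed, now))
        return self.blob if ok else None


def demo() -> dict:
    salt = os.urandom(16)
    vault = b"example.com: hunter2"        # constructed vault contents
    memorized = "half the user remembers"   # constructed
    token_half = "half typed by the token"  # constructed static string
    now = 1_444_400_000                     # constructed timestamp

    # Model A: key from the password alone; the second factor only gates download.
    blob_a = seal(derive_key(memorized, salt), vault)
    server = SyncServer(blob_a, b"constructed-totp-seed")
    good = totp(server.totp_seed, now)
    bad = str((int(good) + 1) % 10 ** 6).zfill(6)

    # Model B: split master password; both halves feed the KDF.
    blob_b = seal(derive_key(memorized + token_half, salt), vault)

    return {
        "server_refuses_bad_code": server.download(bad, now) is None,
        "server_releases_on_good_code": server.download(good, now) == blob_a,
        # A copy of blob_a taken from storage never passes through download():
        "copied_blob_opens_with_password_only":
            unseal(derive_key(memorized, salt), blob_a) == vault,
        "split_blob_opens_with_both_halves":
            unseal(derive_key(memorized + token_half, salt), blob_b) == vault,
        "split_blob_opens_with_memorized_half":
            unseal(derive_key(memorized, salt), blob_b) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
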

> 1Password stores its encrypted data 'offline', so 2FA does not make sense for their product.

Why doesn't it make sense in a mobile device?

> Even with LastPass offering 2FA, it's just that, authentication,

Like Touchid

Oh great! I've been using lastpass for a long time, I might've just overlooked this at the time.

And this is precisely why I'm not using other people's (proprietary) password managers.

And if you really have to pick a proprietary thing, then 1Password has always been better because it doesn't have an online component, syncs with Dropbox only if you want it to and whatever happens with the app, the Dropbox sync includes an HTML/JS interface that can read the dumped passwords, plus the format is documented.

First off, congrats to the LastPass team! You guys have built an awesome product and company.

My hope now is that LastPass won't go down the same path as Meldium, after they were acquired by logmein; the product went downhill very quickly.

In the case of Meldium, it seems they were trying to improve the UI by improving the design at the expense of functionality. It feels like LastPass is in a similar position now.

I'm sorry you feel that way and will try to correct it. Can you send me feedback on the functionality that's not working as well now in Meldium? There's definitely some edges we're still working through and I'd love to make sure we make it awesome for you asap. You can drop me an email as well (boris at meldium dot com)

I have to agree. The new interface is too much bells and whistles not so much functionality. Another weird behavior is the chrome which doesn't open a new tab immediately but holds for a couple of seconds. This makes you wonder if you should wait before you can switch to a different tab.

We'll work on fixing that. I think it's safe to say that particular tab experiment hasn't worked out.

logmein has almost ruined my current favorite password manager Meldium. After they acquired it the service has become gradually to the point it does not work on half the sites stored in it. This week I finally decided to start migrating to LastPass (a few clients use it and it appeared a more dependable alternate). Guess will continue my search for alternates.

I'm thinking about going with KeePass. I don't want to deal with this again with 1Password if/when they get bought.

I think there is an important difference between LastPass and 1Password: 1Password stores data in a folder you point it to. It is never in any form transferred to their servers.

Are there open source "clients" that can access the 1Password data I store locally?

The file formats are extremely well documented https://support.1password.com/opvault-design/ and many 3rd party tools exist for reading the data.

Yes, there are. The storage format is "open", and afaik, the current revision is v5. See on GitHub: https://github.com/search?utf8=&q=1password

Price was $110M + $15M in contingency payments.

From the LogMeIn investor release[1]

Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.

1. (https://investor.logmeininc.com/about-us/investors/news/pres...

You have some extra characters at the end of your link


I had to find out about this from HN. Never got an email, even being a premium member.

I got two of them, one at 1322 UTC and the other at 1454 UTC (two Premium accounts).

Yeah, I can understand the press release being first because LogMeIn is publicly traded, but the delay is weird. I just got an email from LastPass now (as a premium member).

I got an email, and then saw this post on HN...and then backed up and deleted my account. Wasn't going to renew anyways, just happened to be perfect timing.

Encryptr is an alternative that I've had my eye on:


They don't plan to ever do auto-fill for security reasons, which I'll admit disappoints me.

I was curious about Encryptr as well. I hope the maintainer will change to a less purist approach and understand that for most of us, copy/paste of login details is just no-go.

My homegrown alternative to password managers like LastPass and 1Password: An encrypted zip file.

The zip contains

* encrypt.sh

* payload, a folder containing subfolders, password text files and other personal information.

To "unlock", extract the zip.

To "lock", run encrypt.sh.

Make sure that the extracted data won't get backed-up at any time. I just came up with this a few days ago. Let me know if you have any concerns about this.

Here's the encrypt.sh: http://pastebin.com/DudVinms

How do I access this from my phone? Same with other open source solutions... the only way to open it on my phone is to trust an unknown app developer to open it for me.

I trust GNU zip, but can I trust MiniKeePass? Can I trust iZip?

I would avoid using .zip file format encryption, who knows how safe that is. PGP as encryptor would probably be a better choice.

It depends on what you use to create the .zip file. The zip command uses the insecure PKZIP algorithm. 7z supports AES-256 encryption.

Mine: passwords.txt.gpg (PGP/RSA encrypted text file)

Open/edit works seamlessly in Emacs.

As someone who recently jumped from Lastpass to 1Password... I wish them the best, but I feel I'm working with the far superior product. Especially on iOS + OS x.

I've recently done the same, but the lack of support for Linux and their lackluster Windows version kinda bums me out.

Why's the Windows version "lacklustre" compared to the Mac version? I thought 1Password 4 for Windows is at feature-parity with the Mac version, they even have sync over wifi which was missing in 1Password 3.x for Windows.

Just one more reason why password management by a company is a bad idea. The company may be good now, but companies can be acquired or evaporate on short notice.

Do LogMeIn users have a feeling as to whether this is a good thing? Will they bring any visual polish, or UX consistency to the jumble that is Last Pass?

Paying LastPass user here. Not sure how this is going to go down. TBH I'm hoping that nothing will change. Yes, the UX might not be the best in the world, but to me, the important thing is availability and security (probably not in that order). A browser extension and a decent android app is what I need, and I already have that.

Paying LastPass (Enterprise) user here too. I hope the extension gets a complete overhaul. I've experienced data loss multiple times due to inconsistent interface issues. Support just shrugs and points me to 3rd party backup solutions. I see the UX problems as critical, but yes...just below security.

Paying LP Enterprise user also. Totally agree. I spent 45 mins today just explaining to new employees how to get everything set up. The UX is something that absolutely needs work.

Then again, it's currently good enough that we are paying them a pretty large yearly sum, so perhaps there is no business case for spending the resources to improve it.

Anyone aware of good alternatives? Primarily for enterprise customers who want to share passwords between teams.

We have developers, and regular ol' employees who use this of varying levels of computer comfort. We need to be able to share passwords org-wide and team-wide.

And on a personal note, I need to be able to manage my own passwords and my partner's and we share from time to time.

I am constantly impressed and pleased with 1Password - both the ease of use and their constant stream of updates. My family has a shared password Vault for common passwords, and private values for non-common ones.

Can anyone enlighten me on when sharing passwords between teams is necessary? It seems to me as though it's always a bad idea because people leave and it's generally possible for everyone to have their own account.

Five words "demo accounts and test users"

Thycotic Secret Server - http://thycotic.com/products/secret-server/ - is the gold standard I believe.

I believe Personal has a business plan for sharing passwords and data between teams. I haven't tried it though.


No 2FA?

We're testing Hashicorp's vault - why share system passwords when you can use OTPs provided on demand? It's still early, but looks promising to me.

We started using Vault in our Docker infrastructure for storing sensitive configuration data, and I've since migrated to using Vault for a hell of a lot more. It really is a great piece of software.

Disclaimer: I work for Okta.

Have you considered Okta [http://www.okta.com] for your enterprise needs?

Dashlane is phenomenal for sharing passwords and excellent for auditing them.

A prime acquisition target, would you say?

Please no :(

As a LastPass Premium customer for longer than they've owned XMarks and a combined product customer since, this concerns me. I'm not planning to change my LastPass usage until/unless they change how the product works, but I'm a bit more leery of steering customers to the Enterprise product now and will be investigating alternatives in that space.

As for XMarks, I'm torn. It has nice potential, but I feel like the company has basically let it stagnate warts and all. Some seemingly-obvious features like tracking changes to saved bookmarks (diffs, not checking the content of the URL) don't exist, and the ways to get archival data out to do it yourself are clunky and manual. What made me start wanting that was a browser going funky and losing a chunk of bookmarks - I had to kind of ballpark when that was, go back, dump a backup, find them in the HTML dump backup file then recreate and I'm not certain I ended up getting them all.

This actually sounds like a smart deal for LogMeIn. Purchase price is $110mm of cash with a $15mm earn-out-- seems reasonable considering LastPass has millions of users and is a pretty sticky service (I've been a premium user for the last couple of years, mostly to be able to use their iPhone app).

had millions of users judging by the announcement comments

After having to deal with LogMeIn for a company I used to consult for....

Yeah, I'm going to be switching password managers.

I upgraded my account yesterday for five more years. ;-) But honestly, if everything will keep working as it is, I really don't care about the name behind it. If LastPass did as they said they do (everything is encrypted, they don't have access), it doesn't matter.

I have used LastPass Premium since they started.

What gets me down about this is the trust I had for the service LastPass provided. I appreciated their open and pre-emptive communication. They were willing to dive into the details of a possible issue and explain everything about it.

LastPass was good while it lasted. As an FYI to anyone looking for other options, I migrated to 1Password (based on reviews/suggestions in this thread). It just took a few minutes to migrate. 1Password supports importing LastPass export file.

My company uses join.me (a Logmein product) all the time for easy screen sharing. It's one of the few quick screen sharing apps out there that doesn't require a heavy download and is user friendly enough to be used by all of the people in our company and all of our clients.

I've been using LastPass since 2011 and have been really happy with it (other than the slightly opaque UI and design from the 90's).

I'm hopeful about the acquisition, maybe logmein can give some UI/UX guidance to the LastPass team, while the LastPass team can help expand and grow to help more people to use a password manager.

If not, there are plenty of other password managers out there, I suppose.

When I started my job I got a laptop with the extension for LastPass installed to Safari. One of the first things I encountered was an error dialog, modal for the entire Safari app, telling me of some nonsense problem with Lastpass, which at that point I hadn't even used yet! So I never started using it after that.

I occasionally use 1Password for the iPhone, but still mostly rely on the built-in OS X Keychain app. 1Password is too expensive for the Mac and all the other managers don't seem to place much emphasis on UX.

This class of application is quite poor to use overall. Even as nice as 1Password is, its syncing story is not very good.

Looks like Dashlane ($40) and Sticky Password ($20) are viable alternatives. Both are more expensive than Lastpass. Reading the reviews, these seem like the best so far. Anyone with experience on either of these they can share?

Yep, I'm switching to Sticky Password too. According to this they offer a discount too: http://heavy.com/tech/2015/10/lastpass-alternatives-logmein-...

I'm seeing Dashlane at $40 per year. That's pretty steep.

One of the reasons I chose 1Password over LastPass is because you can choose where to store your data (iCloud, Folder on your System, Dropbox). I don't think you should trust your passwords to any company.

Yes, so I'm switching over to a different one. LogMeIn is always a mess when they acquire another company. So far Sticky Password seems like a decent alternative with some servers saying they offer a great discount. http://heavy.com/tech/2015/10/lastpass-alternatives-logmein-...

Everyone seems pretty unhappy about it via the comments on the article.

What about Password Safe "Passwddsafe"? I use it on my computer and android and I'm very satisfied. And of course the fact that is designed by Bruce Schneier is a plus for me.

If you are looking for an alternative password manager, take a look at the "Intuitive Password" online password manager (www.intuitivepassword.com). I have more than 200 passwords and they are all different for each site, I use it everyday. It works on all devices including smartphones, tablets, laptops and desktop PCs without installation required. Intuitive Password provides a Data Restore Points feature so you can't lose your data using their service.

There's something really odd happening with i18n on that blog. It recognizes my primary browser language as German and hence displays menu items and the right side bar in German. So far so good. However, it also partially translates the actual text into German, i.e. for some sentences the first word is translated while the rest remains English:

- Zunächst, we (LogMeIn/LastPass) have no plans ...
- Zweitens, this acquisition provides us ...
- Seitdem, LastPass has grown by leaps ...

Congrats to Bob and Joe and LastPass team. I'm a former LastPass employee and will be forever impressed by their work ethic that I saw. They definitely deserve it.

The stark reminder that your password manager can change hands is probably the most bothersome part of this.

Overall it's probably a good thing that the product is transferring to a more financially stable company with healthy enterprise sales. I'd rather it head in that direction than struggle for a long period of time and put my data at risk. The worst thing that could have happened with this product would have been a spiral of neglect

Just one more reason why password management by a company is a bad idea. The company may be good now, but companies can be acquired or evaporate on short notice.

What are best self-hosted password managers right now? The only one I know of is KeePass2

Something I can serve from a VPS that works on most platforms.

Please don't fuck it up.

Not sure if good or bad...

Me either. I was a big fan of logmein when they had a free version but it wasn't something I was willing to pay for. LastPass is though.

I don't like the announcement and I hate how they've done it. Under the signature on the blog announcement, they've added 13 paragraphs in the HTML source to bury the comments off the page. On OSX Safari and Firefox, I see no way to add new comments. Way to start as a new dawn. I wish I hadn't renewed recently.

So it seems that Sticky Password offers a 50% discount in regards to what happened to Lastpass: http://blogen.stickypassword.com/looking-for-an-alternative-...

Call me naive, but I created a change.org petition to try and make the voice of concerned users heard: https://www.change.org/p/lastpass-leadership-lastpass-stay-i...

Even if this petition accumulates hundreds of thousands of signatures, what should happen? The sale has been announced, which means that, but for regulatory approval (if any), it is done: The owners of LastPass have agreed to terms and have signed contracts indicating this, contracts that are binding.

Were they to change their minds LogMeIn could in all likelihood sue both LastPass and the owners of LastPass, personally and severally, for breach of contract and for a number of other things.

No government will interfere either, as few if any governments will assert that they know both a business's business and the needs of that business's customers better than the business itself - not to mention because of the precedent it could set and uncertainty it could engender.

The best response of concerned customers is one, research, and two, should the research so indicate, voting with their feet and either staying put or moving to another service.

I've been using an excel workbook that is stored in an encrypted image as my way to manage passwords.

How are these services that people mention in the comments, better at doing the same?

Is there a better way someone has come up with to manage passwords where you don't have to rely on these services?

Local keepass database, synced with $yourpreferredcloudservice.

On my Android phone I use a keepass app that includes a keyboard, which integrates typing in username/password.

Also supports 2fa totp, which feels to me like poking holes in the whole idea, but if you want to use it it's there.

> Also supports 2fa totp, which feels to me like poking holes in the whole idea

I'm a Keepass user and I didn't know it had support for 2fa. Why do you feel it's poking holes in the idea?

- they automatically fill login forms in browser. Nicer than copy/pasting things around and more secure: there's malware stealing clipboard contents, and you can also accidentally CTRL+V your password in chat window ;-)

- Excel has larger attack surface than purpose-built password managers. Have you checked Excel doesn't leave behind recovery copies of your passwords file in c:\windows\temp ?

Mainly in the user experience, not having to deal with setting up and backing up a personal encrypted store, and the ability to access the same data from multiple machines.

The cost, of course, is in the data being remote, and you generally have to trust the company and processes around their handling of your data.

I pay for LastPass because on Android, it will automatically fill in passwords on any screen, saves a ton of time, I wouldn't want to fuss around with a spreadsheet on my phone...

Just in: Zoho Vault offers free migration to LastPass Users.

Link: https://www.zoho.com/vault/logmein-lastpass-acquisition.html

I saw Passwordbox getting acquired by Intel, now this. I don't think I'm going to switch to 1Password or another. I think they are just going to be acquired one day by unknown big entity... better be safe and keep your passwords to yourself

As everyone is suggesting alternatives here, one more vote for KeePass with Dropbox (given you use 2-factor authentication with Dropbox), KeeFox + KeePass2Android. Lovely, free, relatively secure.

I love Dashlane

I switched to LastPass from Dashlane recently. I do like Dashlane better, but unfortunately no linux client was a deal breaker...

Not only do they not have a Linux client, but their web client is super limited - it won't give you the passwords that have been shared with you, for example, and you can't register an account through it (on Linux I literally had to install the iOS app on my iPhone to create an account, have my colleague add my account to the team, and then once I could finally log in to the web app, even though it showed me on my team, it wouldn't give me any team passwords).

Is Dashlane "for Teams" comparable to LastPass Enterprise?

Seems like a smart move for selling bulk licenses to large companies.

I really hope the product continues to exist and get better. Their enterprise offering works well enough and is very useful, even though the UX is a bit ancient and awkward at times.

Whew, glad this happened sooner rather than later. My subscription was up for renewal in a month. At least it makes the renewal decision easy.

Whew, I was on the fence between this and 1Password after Mitro shut down, just a couple days ago... Glad I went with 1Password LOL

Been using 1Password for years now... those guys are super committed to their software, I really like their product.

I've been a serious 1Password user for ~3 years. Love it. Mac OSX app, and Chrome plugin are amazing. It's a little pricey, but I think it's worth it. However - don't think about using 1Password if you're on a Windows machine - their Windows app is really janky and works just enough to be usable.

Just for the sake of multiplatformability...

Is there something remotely as good as 1Password for Linux?

LastPass works really good on Linux.

It's true. They have a little shell script that you run once and it adds their plugin to all the installed Chromes, Chromiums, and Firefoxes on your machine.

I've played with Linux and never figured this out- What's the difference between Chrome and Chromium?

Nevermind, I remembered how to Google... http://www.howtogeek.com/202825/what’s-the-difference-betwee...

I guess I meant, "that is not LastPass" lol

Weird, I use 1Password on Windows and iOS and it works great.

I would just like to add my voice to the cacophony of others shouting into this particular echo chamber: Peace out Lastpass

Time to switch back to KeePass. Lastpass is much more enjoyable to use but LogMeIn seems to ruin everything they touch


And I literally just migrated all of my stuff from KeePass to LastPass like two weeks ago.

Back to the drawing board, I suppose.

I dropped LastPass for Dashlane a while ago, it's much better at actually filling out forms.

Xmarks goes with it, I assume?

Anyone want to help keep Mitro up and running? I've got some spare racks.


1) Pen & Paper

2) Protected Word doc saved in Dropbox under an unassuming title like "Low fat, low calorie, totally un-appetizing vegan meals"

Just wait until the inevitable data breach and they're gone.

For anyone thinking about jumping to KeePass - consider the fact that they're still hosted at SourceForge.

That's a major red flag for me and I've been keeping my eye out for an alternative for a while now.

Roboform: http://roboform.com has been excellent for me. Not sure why I switched to LastPass, but I'm switching back.
