LastPass bug leaks credentials from previous site (zdnet.com)
310 points by Daviey 9 months ago | 192 comments

Switched to BitWarden a few months ago from years of using LastPass. Zero regrets... it is in every way better for my use case. Switching wasn't hard either. Even gave BW my money, it is worth supporting them.

I'm avoiding the browser extensions, they seem to be a security nightmare. KeePass and similar are a better way to go, if slightly more labor intensive.

Anything that isn't context aware (i.e. knows which website you're on so can provide the relevant information) is doomed to failure right out the gate.

I'd prefer people are using any password manager than go for perfection and then quit completely because it was a terrible UX. KeePass may be more secure against certain specific attacks, but it is largely irrelevant if people are going to contrast it against using no password manager at all because it was too cumbersome.

The bigger issue is that anything that's not context-aware is vulnerable to phishing.

You might think you'd notice if the site you're on had a different URL than the one you're expecting, but that level of constant vigilance might turn out to be more difficult to maintain than you expect. Especially when you take into account some of the more exotic phishing techniques like IDN homograph attacks.

Even more so with browsers actively trying to hide URLs.

>> Anything that isn't context aware (i.e. knows which website you're on so can provide the relevant information) is doomed to failure right out the gate.

Sorry, not doomed to fail.

I'm not gonna use a password manager that is "context aware" and has the capability to auto-fill for sensitive sites - that's just my threat model. I'm okay with context aware storing of less critical passwords.

It's not just usability: The context awareness means it will prevent you from filling a password on a phishing site. I share your wariness of the browser extensions, but you're betting that a software bug is more likely than human error. Even skilled security-aware users fall victim to phishing on a regular basis, so I'd rather trust the software.

> The context awareness means it will prevent you from filling a password on a phishing site.

This is literally one of the last major attack vectors since password managers became somewhat more popular.

They all do encryption well, even the ones that keep the database on a server you don't control it's most probably actually encrypted, etc. They do the basic password manager thing. They keep your passwords.

Every time there's something wrong/vulnerable with a password manager, it is because it's a browser extension and the attack surface between the password manager and the browser is being attacked.

> I share your wariness of the browser extensions, but you're betting that a software bug is more likely than human error.

Well, it literally has been.

(this is why I'm using Keepass and no browser extension for my passwords)

The vast majority of people don't have the same threat model, and unfortunately just want the product to work, or they won't use it at all. If you can't provide relevant information for the current website, you just won't be able to succeed as a password manager outside of niche markets.

Yes, but that's the essence of the whole problem: there are ways to spoof what the current website is, causing your context-aware password manager to spit out data it shouldn't. Disabling autofill pretty much eliminates the whole vector though, without breaking UX that hard.

> there are ways to spoof what the current website is, causing your context-aware password manager to spit out data it shouldn't.

Can you give an example?

There was this example from 2017. https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-u...

I seem to remember reading about similar stuff done elsewhere, but don't remember the details (or apparently a useful search term :P).

Isn't the XSS example highlighted here a good example?

What is your concern exactly? Bitwarden by default doesn't autofill forms, you have to open the Bitwarden menu and click on the title of the website you're on.

There is an option to autofill, but it's buried in advanced settings and Bitwarden will display a warning if you try to enable it. (This message ought to be worded more explicitly—it currently says "this feature is in beta" rather than "this feature will decrease your security"—but, still, not a default.)

What about the threat of misspelling the address or phishing? I get a lot of comfort from the fact that the extension verifies that I'm on the website I think I'm on.

Yes, for less technical people that's great, but for people who are willing to deal with it for improved security, it's worth it. I'm not suggesting it to mom and pop here.

> Anything that isn't context aware .. is doomed to failure

> ... I'd prefer people are using

Why should I, as someone who is securing my own passwords, care about your preferences or what will and won't work for someone else too lazy to be concerned?

KeePass isn't a solution in case you want to share passwords with family or team members.

KeePass is barely decent for personal use only, and only for the desktop.

The quality of the available apps differs from platform to platform. For example Bitwarden has a decent iOS app, 1Password has a superb iOS app and in contrast the available KeePass app for iOS is a piece of shit – no offense intended but it's basically unmaintained, barely usable and does no sync so you'd better watch out for conflicts.

I dunno what you're using, but KeePass' Android app and the Linux desktop app are pretty great. Sync goes via a separate sync service (Dropbox currently but it could be anything), which is the way I want it.

And just like I think a password manager shouldn't be a browser extension, I also don't think it should encourage behaviour like sharing passwords among people ... I mean, really? That's literally password reuse, don't feel good about it. Of course a password manager shouldn't encourage it.

"Our son Jim made this password using his password manager thingy so it's probably really secure and now we use it for all our banking and government stuff"

I mean it's sincerely better to keep a "family password" on a post-it, so you don't confuse it with passwords you're actually trying to keep secure.

I use KeePassXC in multiple groups with different synchronization software (Dropbox, self hosted client side encrypted Seafile, etc.), for each group I use a different .kdbx and .key (of course that one not synchronized).

There are multiple .kdbx apps, like MiniKeePass on iOS, which is decent, but it's lacking active development at the moment.

We use Keepass2Android[1] on Android and KeePass Touch[2] on iOS, synchronize it via Google drive and share it with family across various devices on Linux and Windows. Separate DB for family outside the country and it works beautifully.

[1] https://play.google.com/store/apps/details?id=keepass2androi...

[2] https://apps.apple.com/us/app/keepass-touch/id966759076

I've used keepass in a team before. We just kept the file in a synced shared folder. Worked fine.

There is no KeePass-app for iOS (in the sense of the one/official). I think you mean MiniKeePass.

There is Strongbox on iOS and it's by far the best mobile KeePass-experience i've ever had.

KeePassDX for Android works great.

> KeePass and similar are a better way to go, if slightly more labor intensive.

Slightly? Just thinking about the synchronization between machines makes this an understatement in my opinion.

I store the keepass file in a cloud sync service. The file is encrypted.

The keepass application can perform "auto-type" which works for all sensible applications and websites that have username/password input fields and a log-in button.

Recently, more and more websites split the log-in into two screens, first email and then password. This completely breaks auto-type and is horrible in every way. Please don't do it.

You're able to adjust auto-type for accounts that break the login into two pages. I learned this fairly recently as I had the same frustration as you. Ref: https://keepass.info/help/base/autotype.html

This works if your environment allows a) installing applications and b) cloud sync using consumer clouds (Dropbox, GDrive, etc.).

You are right that this is a good approach for many; it will certainly break for many as well.

> This works if your environment allows a) installing applications and b) cloud sync using consumer clouds (Dropbox, GDrive, etc.).

Re a) https://keeweb.info/ toss this onto any ol' free tier web host you want. No app install necessary. It's not as nice as the apps, but it works.

Re b) Is there an environment that both has a web browser that you want password management with and doesn't let you access any consumer cloud sync service?

There sure is. Most big companies work that way I would imagine. I can install browser extensions, no problem but local apps are restricted. Also Dropbox and others are blocked at the corporate firewall level.

Surely in such a place, blocking all that access means they care about security and therefore provide you with a password management solution that you also have no choice over.

I mean, installing browser extensions to deliberately get around their security measures seems a little bit counterproductive. They aren't more secure than local apps. Do you take this company's security measures seriously or is it just some hurdle to get around for you?

> I can install browser extensions, no problem but local apps are restricted.

Yes, which is why I posted the alternative to installing an app. You can use Keepass + drive/dropbox sync without installing anything using keeweb.

You do not need to install apps to access drive, dropbox, etc...

PasswordWallet can auto-type across split login screens since it can be configured to pause between username/password.

You can configure this in KeePass as well, I've done this for a few sites I actually use a lot. But I can't be bothered for every single service that decides to re-invent login.

If you don't require real-time diffing, i.e. only one user modifies the file at a time, dropping your keyDBs in a Keybase shared folder might solve your problems.

For just over a year I've been using Syncthing with a folder specifically for KeePass, and it's worked really well - I just have a raspberry pi running 24/7 so my phone and PC pick up the changes whenever I reopen my database. I imagine it's similarly hassle-free with a self-hosted cloud like Owncloud, too.

> Slightly? Just thinking about the synchronization between machines makes this an understatement in my opinion.

What are you on about? Synchronization is easy, you can use just about any service you like.

The fact that it's not kept on a server by the same commercial party that also sold you the security product, is a feature. And obviously necessary, since KeePass is free and open source.

I see leaking credentials bugs with browser-extension operated online storage commercial password software all the time on HN. Obviously you're paying for shiny, not security.

What people keep forgetting is that not everyone is in the situation where they are able to use those services. Using KeePass with cloud sync via Dropbox (or GCloud, etc.) is not possible in a lot of corporate contexts.

But then they should run their own Nextcloud perhaps?

I've had my KeePass file stored in the cloud for years. I use the KeeAnywhere plugin on my Windows boxes for syncing there. And the Keepass2Android app natively supports cloud syncing also. Both even handle merging if the underlying file changes since load.

I didn't know about merging! That's really cool. I'd want to test it out before trusting on it though.

I used to use KeepassXC and I just kept my keepass database in a private github repo. It had the added advantage of being accessible from any command line as well as full version history of my passwords.

I use dropbox to keep my db sync'd between my desktop and android phone.

I did that until Dropbox dropped support for ecryptfs. Using Bitwarden now, very happy with it.

It's back now, but that felt like a rather short-sighted decision from management :(
I didn't know that, thanks for the info!

What is your phishing protection? Making sure you read the URL?

Just add the original URL into the specified field and copy paste it each time you need to access said website.

KeePass is the best at what it does and stays local as any password manager should do. If you need more security & portability encrypt the DB with VeraCrypt, sync with whatever service you trust.

Just a note that URL is the one field in Keepass where you may not need to copy/paste. As long as your default browser setting is set to the browser you want to use for the URL double-clicking on the URL in Keepass opens it in said browser.

I wish KeePass didn't feel so awful to use. I hate that you can't change the font of the notes section, especially since it's the only section I use in their entry type.

Crazy amount of hate on KeePass in this thread ... I really don't get why it's not a more common solution on HN, it's free and open source and leaves the syncing to you, and doesn't live inside a browser extension ... it literally ticks all the boxes that a good password manager should have.

I don't know if the iOS client is that bad, but the Android one is just fine.

Use Lastpass but not the browser extension. Keep a different browser just for opening the Lastpass website and copy-paste the passwords from there.

Yep, KeePass is my preferred password manager. I have the database in a Dropbox folder to handle syncing between my desktop and Android phone.

My issue with bitwarden (which is why I ended up choosing 1password) is that it doesn't provide an Android keyboard to insert passwords into apps that block clipboard access. (Keepass has this, but I wanted a simpler synchronization story.)

You should make a feature request. These guys are on a fast development pace.

Love to hear more about why BitWarden is a safer choice than Lastpass if anyone cares to chime in. Thanks.

It isn't. But they're both safe choices.

Both are based on the same underlying principles (AES encrypted database, encrypted using a slow hash of the master password). Both have been audited professionally. Both have browser extensions whose source code you can read (it is JavaScript, just open the extensions directory). Both support a full array of 2FA options.

People are moving from LastPass to BitWarden because it is a better product. Plus many dislike LastPass's owners due to the LogMeIn pricing/business practices (like difficulty cancelling/early cancellation to avoid additional billing/aggressive sales people/etc).

The only advantage BitWarden may have is its backend is open source software and you can run a copy yourself (although most choose not to). If you're running it yourself BitWarden is likely your primary contender. If you aren't the difference is largely academic.

Pretty sure LP's source is minified/obfuscated, it isn't just "open the extension's directory". In my experience LastPass was also much much slower in too many use-cases.

Thank you, that's helpful.

LastPass' privacy policy is very privacy hostile. They're now aggressively offering a free product with the ability to monitor (and sell) all browsing behavior tied to you as an individual (thanks to LogMeIn).

> How We Use the Information We Collect and Receive

> LogMeIn may access (which may include, with your consent, limited viewing or listening) and use the data we collect as necessary (a) to provide and maintain the Services; (b) to address and respond to service, security, and customer support issues; (c) to detect, prevent, or otherwise address fraud, security, unlawful, or technical issues; (d) as required by law; (e) to fulfill our contracts; (f) to improve and enhance the Services; (g) to provide analysis or valuable information back to our Customers and users. [1]

(e) is a very broad and loosely defined category. A contract can include anything, and this ambiguous statement enables LogMeIn to in turn do anything with data they collect from all their services (including LastPass).

In the new Firefox updates, LastPass won't let you open/run the extension until you provide it the ability to monitor all browsing behavior (whereas on Chrome I have it restricted to monitor sites when the extension is clicked/activated)... I will not be renewing my premium service and am looking to migrate away to another service.

[1] https://www.logmeininc.com/legal/privacy

LastPass only collects data on how you use the product and how well the product works. It doesn't collect info about your sites or browsing activity.

Says who? It's governed by this privacy policy and will not work until it has browsing and tab data

In my experience, LastPass UX leaves a lot to be desired. Also, I've heard a lot of stories regarding security negligence at LogMeIn (parent company of LastPass).

Allows you to run your own server.

I can also vouch for how much better BitWarden is. I was a LP customer for a long time. BitWarden reminds me of LP from 5 years ago, when it was fast and clean.

I switched to Bitwarden as well, from 1password, which I switched off of from Lastpass. It’s not as pretty as 1password, but it’s cheaper, platform support is better (1password X helped here but it was too-little-too-late for me,) and it’s open source which is a nice touch. I have no regrets either; paying customer as well.

I tried KeePass XC on the side and I’ve gotta say, very formidable option if you want one that is FOSS and with no central server. My only real issue is the mobile app story.

I tell everyone I can about bitwarden. I see many colleagues using Dashlane or even LastPass but bitwarden just takes the cake for me. It does a great job at staying out of the way and reliably doing whatever it is I need it to do and I can’t recommend it enough!

Yeah, BitWarden absolutely has the best UX of any password manager out there (for the subset of password managers that are cross-platform... it's possible there's something better out there for a single platform, but that's not terribly useful for me).

+1 for Bitwarden.

Considered doing the self-hosted approach, but wound up paying to support the project.

+1 for bitwarden, moved to them a few months ago and its been rock solid.

I'm a long time KeePassX user. What do you like about BW the most?

Can confirm BitWarden as a great LastPass alternative. Have been a paying LastPass user for years and have switched to the paid BitWarden. Zero issues and 100% open-source.

I use LastPass and hate it (searching 'gmail' shows every site where I use my email address before it shows Gmail).

How does BitWarden compare to 1Password?

Ditto, they have my $10/year as well.

Does Bitwarden do a phone app?

Yes and it integrates with the OS level password autofill systems.

Yep, both iOS and Android.

How do we know if BitWarden is safe from this type of attack?

Why do you trust their implementation more than LastPass?

Not parent, but BW is opensource, and they have not had any high-profile incident yet, afaik.

They also give you the option to self-host, so you don't have to trust their hosting service if you don't want to. Own your data!

Can you trust your own hosting though?

Maintaining a single node just for a Bitwarden service isn't a "set and forget" endeavour. It is easy to misconfigure Linux to be insecure, most distros ship with too much software, and auto-update is often inadequate to maintain a secure environment.

There are far too many compromised Linux servers out in the world that people set up "to do one thing", turned on auto-update and then forgot about for years. Botters and spammers love them.

This has little to do with Bitwarden itself and everything to do with how much knowledge and time is required to correctly run any internet accessible server. People are inherently lazy and it is very easy to get apathetic when it just continues to work, until something bad happens.

> Can you trust your own hosting though?

Some people, organizations, or groups can, absolutely.

While this is definitely a valuable question to ask, self-hosting is still valuable for many. Also, as we have seen repeatedly, assuming a random company will devote resources towards security can be a very silly assumption.

> Maintaining a single node just for a Bitwarden service isn't a "set and forget" endeavour.

Yes it is. It's a docker image, you're not setting up anything about the host that's exposed to the internet. Toss on watchtower to auto-update it and why would you ever need to touch it again?

The system hosting docker isn't getting updates, no, but it's not publicly reachable, so that's low risk. The system that is publicly reachable is entirely contained & auto-updated, so that's covered. What else is there to worry about?

You just repeated back the exact problem scenario I set out above but abstracted it into a Docker container, adding an additional point of failure, and then called it a solved problem.

Sorry, but nope. The Docker container itself is a fully functional machine. It also holds your most prized data (password database/password host). Turning on auto-updates and watchtower then leaving it unmaintained indefinitely was exactly the problem I was posting about above.

Scary that people think Docker is a security solution. It isn't. The Docker container is a full machine. The Docker host is a full machine. You've now doubled your points of failure and are zero percent more secure.

> Turning on auto-updates and watchtower then leaving it unmaintained indefinitely was exactly the problem I was posting about above.

What? It's not unmaintained at all. It's continuously maintained by the updates to the container. That's the whole point. Just because the user that did the deployment isn't the one doing the maintenance doesn't mean it's unmaintained.

The end-user isn't the one building the docker container, maybe that's where you're getting confused. Bitwarden themselves are maintaining it. That's how they are shipping the software for self-hosted deployments. Professionally maintained and self-hosted. That's why docker enters the picture, not for some imagined security reason as you incorrectly claim.

The bug report says:

    by iframing popupfilltab.html (i.e. via moz-extension, 
    ms-browser-extension, chrome-extension, etc). It's a
    valid web_accessible_resource.
    // or y.src="moz-extension://...";
My understanding is that this should not work with the Firefox version of LastPass, since each installation of the extension is given a unique id which can't be guessed by web pages -- that is unless the unique id is made visible to web pages by the extension itself.
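The bug report excerpt and the reply above turn on one manifest setting: a page that an extension lists under `web_accessible_resources` can be loaded, including in an iframe, by any web page that can name the extension URL. The following audit script is an added example (not from the article, LastPass, or any browser vendor) that an extension author can run over their own manifest to see exactly what they have exposed. It assumes a Manifest V2 manifest with a plain list of strings, and also flattens the Manifest V3 shape (a list of objects with a `resources` key); the sample manifest is constructed for this example and only borrows the `popupfilltab.html` filename quoted in the bug report.

```python
import json

# Extension pages (HTML) are the interesting case: once listed here, any web page
# can frame them, so their content must not depend on who embeds them.
HTML_SUFFIXES = (".html", ".htm")


def web_accessible_resources(manifest: dict) -> list:
    """Return every pattern the manifest exposes to web pages (MV2 and MV3 shapes)."""
    entries = manifest.get("web_accessible_resources", [])
    exposed = []
    for entry in entries:
        if isinstance(entry, str):            # Manifest V2: a bare list of patterns
            exposed.append(entry)
        elif isinstance(entry, dict):         # Manifest V3: objects with "resources" (+ "matches")
            exposed.extend(entry.get("resources", []))
    return exposed


def audit_manifest(manifest_text: str) -> dict:
    """Parse a manifest.json string and flag patterns that deserve a second look."""
    manifest = json.loads(manifest_text)
    exposed = web_accessible_resources(manifest)
    findings = []
    for pattern in exposed:
        if "*" in pattern:
            findings.append((pattern, "wildcard: exposes every matching file to any web page"))
        elif pattern.lower().endswith(HTML_SUFFIXES):
            findings.append((pattern, "extension page: can be iframed by any web page"))
    return {"exposed": exposed, "findings": findings}


# Constructed sample manifest for this example (not a real extension's manifest).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "example-extension",
    "version": "0.0.1",
    "web_accessible_resources": [
        "popupfilltab.html",   # filename quoted in the bug report above
        "icons/*.png",
    ],
})


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("exposed:", report["exposed"])
    for pattern, why in report["findings"]:
        print(f"  {pattern}: {why}")
```

Two caveats worth keeping in mind when reading the output. First, the exposure is only reachable if a page can construct the extension URL: Chrome extension IDs are fixed and public, whereas Firefox assigns each installation a random internal UUID for `moz-extension://` URLs, which is the point the reply above makes. Second, Manifest V3 lets the `matches` field restrict which origins may load each resource, so an empty findings list is not the whole story; the exposed list itself is what should be minimised.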

I have not read the article in detail, but earlier news stories I've seen said that not all platforms were affected. Chrome and I believe Opera were mentioned, but not Firefox.

It's interesting to note that browser extensions continue to be the primary point of vulnerability for password management solutions. IIRC, it's been quite a long time since vaults themselves were breached.

It is an undeniably more secure option to use password managers without their associated extensions. Certainly less convenient, but ponder carefully your threat model.

Unfortunately the browsers persist in not providing the necessary APIs to allow the password managers to work safely.

The Mozilla bug (1344788) has been open for three years with no meaningful action in 2. It's been stuck waiting for security review, with nobody empowered to do it.

They listed it as "Security: Minor bug fixes" in their release notes (v4.33.0, https://lastpass.com/upgrade.php?fromwebsite=1&releasenotes=...)

Leakage of credentials seems like more than a "minor" bug - particularly for software whose whole purpose is to securely store those credentials.

Well, users already leave passwords in the clipboard as normal usage...

This is one reason why I believe that browser based password managers are flawed. I've written about this in the past (link below). These apps are popular with normal people (due to convenience), but long-term, we should not trust web browser plugins or add-ons as password managers.

That only makes sense when you ignore the bigger picture. Before browser-based password managers people weren't using password managers at all.

The two most common (and successful) attack vectors have been via password reuse and low password quality. Convenience, context aware, device agnostic, browser based, password managers have been successful in convincing the general public to use a password manager at all.

The use of a password manager allows people to have per-site and higher quality (e.g. long/difficult to remember) passwords. This has had a positive impact on people's security.

KeePass and similar "offline" solutions avoid some specific attack vectors. However, both "offline" solutions and browser-based extensions also share a great deal of vectors. For example if bad-ware has local execution inside the user's context, all bets are off (assuming you're running KeePass and the database is decrypted in memory, which you need to in order to retrieve a password).

It is fine to suggest options people feel are superior, but ultimately the conveniences are a security benefit within themselves because people are actually using and sticking to password managers (thus avoiding password re-use/low quality passwords).

I agree with your assessment of why traditional password managers have flaws, but I disagree with your conclusion.

Security has always been a balance between usability and safety, and when you set security policy, you always do it in the context of who is using it and their needs.

Integrating the password manager into the browser makes a lot of things easier as an end user. If I told my parents/grandparents and non-programmer friends to use something like DBG or Password Safe, they would just go back to guessable and reused passwords. Given the choice, I would rather have them use a browser based password manager.

If we're really talking about how to move the needle on protecting logins, I would rather push FIDO/U2F. Keeping a cryptographic second factor on your keychain, phone, or computer carries more added safety at a lower usability cost.

While in-browser password managers have drawbacks, they have the big advantage that they stop phishing / fake domain attacks. I think I'm much more likely to fall for one of those than my password manager getting hacked.

Also, generating all passwords off one master password deterministically sounds like an awful, awful idea. If someone manages to get one of my passwords, they can try performing an offline attack against the encoding password. If they succeed, they have everything.

It's 2^15 rounds of pbkdf2 with long inputs. There is no master password as nothing is stored. Good luck.

How well does that scale to more than a handful of passwords? I currently have around 400 in my password manager.

Your documentation says:

> If you need to change all of your passwords, change the sentence.

Note that this works the other way, too: unless you are changing all your passwords, you cannot change the sentence.

Since it is extremely unlikely that I'd ever want to change all 400 passwords at once, in effect that means I'm never going to be able to change the sentence.

All password changes, then, will be done by changing the per-site word. The documentation suggests:

> Use a different word for different sites. Be consistent with case (e.g. google, facebook, twitter, etc.)

OK, that's easy for the initial password, but what happens when I want to change my Google password and have to change the word? The obvious approach is to change it to "google2", and the next time change it to "google3", and so on.

Am I expected to remember what variation each of my 400 sites is on? That's probably not practical for most of us, so I'm going to have to have that stored somewhere, and am going to need that storage available to me whenever I need to reconstruct a password, so I need it stored some way that syncs across my devices.

Your document lists not having the burden of storage as an advantage of the generated password approach, but I don't see how to deal with remembering the words without having storage. The burden of storing the words, or storing the version suffix of the words, is less than that of storing encrypted passwords because it isn't as bad if they get out, but it is still a burden.

The document says of password manager master passwords:

> This "master password" is a weak point. If the "master password" is exposed, or there is a slight possibility of potential exposure, confidence in the passwords are lost.

Exposure is also pretty big if the sentence for password generation gets exposed. I think most people are going to use words for sites that are simple, like the ones given as examples in the documentation ("google", "facebook", "twitter"). If I'm able to get someone's sentence, there is a good chance I'll be able to guess their words for a lot of major services.

It seems to me that the main security advantage this approach has is that it is not using a browser plugin, so for a remote site to compromise it they are going to have to find a way to spy on the user when they are typing in the master sentence. For something running in the browser to do that, it's going to have to both find a bug in the browser that lets it get past the browser's security, and find some exploit in the OS that lets it once it escapes the browser to get past the operating system's security that protects processes from each other.
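To make the exchange above concrete, here is an added example (my own code, not the commenter's generator and not anything from the linked documentation) of a deterministic per-site password scheme of the kind described: a secret sentence stretched with PBKDF2 at the 2^15 rounds mentioned, with the per-site word as the salt. The exact construction (SHA-256, the word as salt, base64-truncated output, 20-character passwords) is assumed for illustration. The functions show the two properties the critique relies on: changing the sentence changes every derived password at once, and rotating one site's password means changing its word (for example to "google2"), which the user must then remember.

```python
import base64
import hashlib

ROUNDS = 2 ** 15          # the 2^15 PBKDF2 rounds cited above
PASSWORD_LENGTH = 20      # assumed output length for this example


def derive_password(sentence: str, site_word: str) -> str:
    """Deterministically derive one site's password from the secret sentence.

    The sentence is the PBKDF2 password and the per-site word is the salt, so the
    same (sentence, word) pair always yields the same password and nothing has
    to be stored. This construction is assumed for the example.
    """
    key = hashlib.pbkdf2_hmac("sha256", sentence.encode("utf-8"),
                              site_word.encode("utf-8"), ROUNDS, dklen=32)
    return base64.b64encode(key).decode("ascii")[:PASSWORD_LENGTH]


def site_word_for_version(site_word: str, version: int) -> str:
    """The "google", "google2", "google3" rotation scheme described above."""
    return site_word if version <= 1 else f"{site_word}{version}"


def rotate_password(sentence: str, site_word: str, current_version: int) -> tuple:
    """Rotate one site's password; returns (new_version, new_password).

    The caller has to persist new_version somewhere, which is exactly the
    storage burden the critique points out.
    """
    new_version = current_version + 1
    return new_version, derive_password(sentence, site_word_for_version(site_word, new_version))


def passwords_changed_by_new_sentence(old_sentence: str, new_sentence: str, site_words: list) -> list:
    """Return the site words whose password changes when the sentence changes."""
    return [w for w in site_words
            if derive_password(old_sentence, w) != derive_password(new_sentence, w)]


if __name__ == "__main__":
    # Constructed sample values for this example.
    sentence = "correct horse battery staple sentence"
    sites = ["google", "facebook", "twitter"]
    for w in sites:
        print(w, derive_password(sentence, w))
    version, pw = rotate_password(sentence, "google", 1)
    print("google rotated to version", version, pw)
    print("sites affected by a sentence change:",
          passwords_changed_by_new_sentence(sentence, sentence + " v2", sites))
```

The derivation is the easy part; what the example makes visible is that the per-site version number is state the scheme cannot derive, so a user with hundreds of accounts ends up keeping a synced list of words or suffixes anyway. It is a smaller secret than an encrypted vault, but it is still something to store.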

Classic LastPass. Shoddiest pw manager out there with a history of editing wiki pages to hide their sad track record.

Interested in this. Got a link?

Is that true about LastPass being the most popular password manager?

I just can't imagine it, I'm forced to use it with a client, and it has hands down the worst UI experience I've ever seen.

Really? I find this hard to believe, as a dev and internet user. Facebook, instagram, etc have far worse interfaces.

You add the extension, easily add/generate/create/autofill your login info. It's usually as simple as clicking an icon that appears in the relevant field.

The vault UI is horrifyingly difficult.

Also their registration flow is horrendously awful. Try setting up a Family plan where you log out of your personal and log into your family plan and you'll see how frustratingly sticky it is.

Too many buttons and features for such a simple problem. Development is cancer.

Click plus, click password, fill in fields. That's not too difficult, is it? Although that "click password" step wasn't needed before the recent update. I imagine the typical user is just doing that and using the search field. And most would primarily use the extension or mobile app.

I've seen plenty of awful registration flows, so I'm sure that's true. I haven't had to do that for a few years.

Yes, I was blown away by how bad it is the first time I saw it.

Password management isn't a hard problem (outside of security concerns), why the hell did they end up with that UI?

No, OP has to be exaggerating

I meant out of all the password managers I've used, and I'm not exaggerating.

It's ridiculous that I have to go to the edit page just to copy a password. Neither KeePass, nor LastPass, nor any other password manager I've used, suffers from this.

And the amount of time it took for me to figure out how to create a password and allow others access to it is kind of silly.

But you _don't_ have to go to the edit page just to copy a password.

Then perhaps you can enlighten me, because to this day it's the only way I've seen to actually copy the password.

Have you used Amazon Web Services Web Console? Worst UI experience I've had up to this point. However, it's a great product.

I think companies like this devote their resources to back end shit and keep the front end shit simple on purpose to prevent even the hint of a security bug that would make them look bad.

Long-time LastPass user... what do you recommend?

Team of 15-30 people, need shared username/password credentials for web, FTP, and DB systems. Also other arbitrary secure "notes", e.g. SSH key. Needs 2FA as well.

1Password is quite nice. Migrated a team from LastPass to 1Password recently, the experience was very smooth.

If I recall correctly, you can use `pass` as a team and individually revoke / add keys as the team changes.

With that said, LastPass or something similar is an easier solution for a team.

https://padloc.app (currently in beta. shoot me an email if you want to try it: martin@padloc.app)

1pass has a much better UI imo.

LastPass has a free tier. I would expect a lot of people use that tier driving up its usage.

Unfortunately, the word "popular" is ambiguous. It can mean either the most used, or the most liked. Given that they provide a useful service and have a free tier, it's almost certain that their 'popularity' (sense 1) is much higher than their 'popularity' (sense 2).

I worked at a company that used LastPass. The whole service was a complete train wreck, but I used it and therefore contributed to their ability to claim to be the most popular password manager.

Is that the "new" UI you're speaking of? The old, pre-2019 UI on macOS was actually pretty nice and clean, but the new webview one is a sad turn in the wrong direction.

I quit LastPass when they were acquired by LogMeIn and doubled their prices to $24 a year, and because of their constant issues with autofill (at least for websites in my country).

I switched to Bitwarden and haven't faced an issue since.

I, too, began looking after the doubling in cost (without any notice that I noticed) plus the autofill issues, and switched to Bitwarden.

This story reminded me that I hadn't deleted my LastPass account yet, and when I did I got a buggy error message, something to the effect of "Error: .A" after the double-confirm. Looks like the deletion went through, though... just an error in the process, which is uninspiring.

Even worse, before it was just $12 and now it is $24 before taxes, so you end up paying $29.52. A 246% increase.

I got my renewal notice email the other day. It's $36 now.

"Your LastPass Premium subscription will renew at $36 per year; this reflects the 2019 updated list price."

I think I'm going to switch to Bitwarden after reading some of the comments in the thread.

People are really complaining about this, but honestly the features I get from the product absolutely justify paying $2/month. I'd probably pay $3-4 before it wouldn't become worth it for me.

For me they have tripled the price since I first subscribed and the bugs aren't getting fixed.

I'm tired of the fill problems on iOS and Firefox and the price increases compound my irritation.

Was prepared to change all my darn credentials when clicking on that. For those clicking the comments first, the byline is: "LastPass has released a fix last week. Vulnerability details are now public. Users advised to update."

For something that has such a long trail of vulnerabilities, I don't recommend LastPass to family friends and business associates. Use 1Password instead, or pass.

Just one example (this one from 2017) of many: https://bugs.chromium.org/p/project-zero/issues/detail?id=12.... Fundamental architectural flaws.

For more HN references, see https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

Tavis Ormandy, who discovered the latest and several other LastPass bugs, has these password manager recommendations:

"KeePass and KeePassX are both good choices. If you really must use an online one, at least LastPass are responsive to researchers and have a competent security team, I would use them."

Asked about the experience he had reporting a 1Password vulnerability, he says:

"Astonishingly bad"

(source: https://twitter.com/taviso/status/1167311357957435392)

Your comment implies that you're no longer changing your credentials?

Perhaps they mean just not all of them Right Now.

Yeah, that and especially not all the nonsense that's stored in there at once. I kind of wanted to migrate away to something local I'd also trust with mail and banking credentials, but LastPass is one of those things for me that works just well enough to not push me over the edge to actually change anything.

I have been using Enpass, and I'm very satisfied. I was a LastPass user once, but never trusted their security model. Then I switched to 1Password, but the lack of good multiplatform support and their push to a cloud model made me look for alternatives. What I want is support for Mac, Windows, Linux, and Android; possibly one-time payment; and local storage (most important). For syncing I use my own nextpass cloud. Bitwarden is close, but Enpass fulfills all.

I'm still using non-cloud 1Password, but I can't recommend it to anyone else or my employees because of the forced cloud thing.

FYI, 1Password doesn’t force you to use their cloud service. Even if you subscribe (as opposed to standalone), you still don’t have to actually use it. I switched from an older standalone version to the current subscription version, but I’m not using their cloud service to sync my vault.

Can you point me to some documentation that describes how to get rid of the subscription cloud service? I just want a one time fee to purchase 1P and then I want to just iCloud sync my 1P vaults.

I've been very disappointed with LastPass in the past year or so. I've had multiple instances where it doesn't actually save a password or secure note that I tried to save. This has caused me a lot of stress the few times it happened, including one login permanently.

Sadly I paid for a 10 year plan and have 4 years to go. Saved me some money, but for what product? I use 1Password for work, and it is MUCH better than LastPass.

I am seriously considering alternatives to LastPass.

Since they moved to a dedicated app instead of just a plugin on Mac, it is borderline unusable for me.

Almost never actually fills in my passwords (often have to click copy password), often thinks I am on a different website than I am, or just gives me an empty white box when I click the LastPass button.

While it's definitely more work to set up, I've been using KeePassXC + Nextcloud for syncing. I've got it working on my phone with Keepass2Android (think that's the name) and also use a YubiKey challenge-response key to help ensure that even with a bad password I've got decent protection of my passwords. There are browser extensions for basically every browser out there, and it even supports auto-typing into non-browser-based applications (though I can't say I use that feature myself).

I've been using something very similar, though I only have a local keyfile that I independently put on my synced machines rather than the YubiKey thing. How do you like the YubiKey process? Not too much of a pain?

Not much of an issue at all; it does mean that when I need to unlock my manager or save the database, I have to have my [physical] keys around, but it's otherwise not an issue. I've got two duplicated YubiKeys for it, a NEO with NFC and a 5 with USB-C. I generally use the NEO for everything but needed the USB-C one for laptops with no USB-A ports and my tablet, which also has no USB-A or NFC. Just the march of progress.

They get used by KeePassXC in Yubico challenge-response mode, which I believe works as follows: take HMAC(KDF(password), nonce) and use it as the challenge to the YubiKey, and the response that's returned is the master key for the database. That's why it needs the YubiKey whenever you save the database and open it, as it generates a new nonce each time. It's still vulnerable to a playback attack if someone recorded the interaction and had that exact copy of the database, but that's also still true of one protected without it. But with that, they have to get both of them at the same time; an old copy of the database can't be attacked by a different challenge/response than the one it was secured with. I used to use the keys in HOTP mode for this with KeePassX before KeePassXC supported this mode, but that made for an easier-to-attack setup, since there needed to be a copy of things to predict what the OTPs being generated would be. This also made syncing a lot harder because there was an additional state file that was re-generated every time the database was unlocked.
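As an added example (not the commenter's, KeePassXC's or Yubico's code), a Python model of the challenge-response flow described above: the YubiKey HMAC-SHA1 slot, the KDF (scrypt) and the database encryption (SHAKE256 keystream plus HMAC tag) are all simulated stand-ins, and the replay scenario shows why a recorded response opens only the exact database copy it was captured for.

```python
"""Software model of the YubiKey challenge-response scheme described above.
Constructed illustration of the comment's description, not KeePassXC's or
Yubico's code: the HMAC-SHA1 slot is simulated with a constructed secret,
demo-strength scrypt stands in for the KDF, and a SHAKE256 keystream plus
an HMAC tag stands in for the database encryption."""
import hashlib
import hmac
import os

class SimulatedYubiKey:
    """Stand-in for a YubiKey HMAC-SHA1 challenge-response slot."""
    def __init__(self, slot_secret: bytes):
        self._secret = slot_secret
        self.uses = 0  # how often the physical key had to be present

    def respond(self, challenge: bytes) -> bytes:
        self.uses += 1
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()

def challenge_for(password: str, nonce: bytes) -> bytes:
    """challenge = HMAC(KDF(password), nonce), as the comment describes."""
    stretched = hashlib.scrypt(password.encode(), salt=nonce, n=2**12, r=8, p=1, dklen=32)
    return hmac.new(stretched, nonce, hashlib.sha256).digest()

def _keystream(master_key: bytes, nonce: bytes, length: int) -> bytes:
    return hashlib.shake_256(b"db-stream" + master_key + nonce).digest(length)

def save_database(plaintext: bytes, password: str, respond) -> dict:
    """Each save draws a fresh nonce, so the key is needed again on every save."""
    nonce = os.urandom(16)
    master = respond(challenge_for(password, nonce))  # the response is the master key
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(master, nonce, len(plaintext))))
    tag = hmac.new(master, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ct, "tag": tag}

def open_database(db: dict, password: str, respond) -> bytes:
    master = respond(challenge_for(password, db["nonce"]))
    tag = hmac.new(master, db["nonce"] + db["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, db["tag"]):
        raise ValueError("wrong password or wrong key: master key does not verify")
    ks = _keystream(master, db["nonce"], len(db["ciphertext"]))
    return bytes(a ^ b for a, b in zip(db["ciphertext"], ks))

def replay_scenario(password: str = "correct horse battery") -> dict:
    """A recorded response unlocks the copy it was captured for, not a later save."""
    key = SimulatedYubiKey(bytes(range(20)))  # constructed slot secret
    recorded = {}  # what an eavesdropper on the USB/NFC link could capture

    def tapped(challenge: bytes) -> bytes:
        recorded[challenge] = key.respond(challenge)
        return recorded[challenge]

    def replay(challenge: bytes) -> bytes:  # knows only the captured pairs
        if challenge not in recorded:
            raise KeyError("no recorded response for this challenge")
        return recorded[challenge]

    def opens(db: dict) -> bool:
        try:
            open_database(db, password, replay)
            return True
        except (KeyError, ValueError):
            return False

    old_copy = save_database(b"hunter2", password, tapped)
    new_copy = save_database(b"hunter3", password, key.respond)  # re-saved: fresh nonce
    return {"old_copy_opens_with_replay": opens(old_copy),
            "new_copy_opens_with_replay": opens(new_copy),
            "key_uses": key.uses}
```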

Forgot to mention, the syncing is all done via Nextcloud (open source dropbox like system, but also does a lot more).

I moved to 1Password from LastPass a little over a year ago and have no complaints.

If you are only on Apple devices I would stay with Keychain Access. Multi-platform? Bitwarden for me, if only for the external security audit they've done.

Keychain does not provide 2FA support, which is kind of a deal breaker.

Is that true? Apple does support 2FA for logging into your Apple ID, which AFAIK is the only way to access synced keychain data.

Their approach is somewhat unique though. Once you log into any Apple device with a Secure Enclave (including all current MacBooks, iPhones, and iPads), that device becomes a second factor for authenticating future logins (which is prompted via an OS-level popup instead of a separate app or hardware dongle). So your computer itself can be the second factor, which means you don't ever notice the 2FA enforcement, unlike most other systems that use a TOTP code or dongle.

Try BitWarden. It's what LP used to be before the bloat and is open source.

> Since they moved to a dedicated app instead of just a plugin on Mac, it is borderline unusable for me.

What do you mean? They still have browser extensions for all major browsers.

Unless I am missing it, the only way to install it on Mac now is to install an App that acts as your vault and it installs the plugins. (if I click "Open my Vault" it opens a dedicated LastPass App on my Mac)

If you mean "the only way to USE it on Mac" is to install an app, I don't think that's true. At least, I've never done it. I use the browser extensions exclusively. Go to the extension store for your browser (example: chrome web store) and search for lastpass[1].

1. https://chrome.google.com/webstore/detail/lastpass-free-pass...

I believe that's only true for Safari, which is moving away from the browser extension model that Firefox and Chrome (Brave, Opera, IE are/will be Chromium-based) use.

I use Firefox and the LastPass extension without needing to use the Mac app.

Keychain on macOS and iOS, and KeePassXC.

Seems likely that the link will be replaced by a link to Tavis's write-up https://bugs.chromium.org/p/project-zero/issues/detail?id=19..., but media coverage is interesting on its own, so I'll note the link is currently https://www.zdnet.com/article/lastpass-bug-leaks-credentials... / title "LastPass bug leaks credentials from previous site". I won't quote specific passages, it's just interesting to watch attempts to distill a technical issue into something for the general public's consumption.

Password manager recommendations from Tavis Ormandy, who found the bug:

"KeePass and KeePassX are both good choices. If you really must use an online one, at least LastPass are responsive to researchers and have a competent security team, I would use them."

He adds about LastPass:

"I consider them competent, I've reported some pretty complex issues and found they handle them well. Attack surface is definitely massive, I always recommend KeePass or just use a book if that's too complicated"

(source: https://twitter.com/taviso/status/1167311357957435392)

I've been just using Chrome's built-in password storage feature, though I see a lot of people are still using extensions. Any reason to prefer an extension or third party over just using the built-in Chrome feature?

I like using a third party alternative since it gives me the option to use it outside the google ecosystem. I use Firefox and Chrome regularly so the seamless syncing without depending on any particular browser is important for me.

The other feature I like in dedicated password managers is that they tend to have a lot more options about what kind of password/passphrase you can generate. Some other features that I regularly use are storing non-password content like software licenses, sharing certain passwords with my spouse, etc.

Makes it harder to switch to another browser (I do also use the Chrome built-in password storage).

Works outside of browser, I use mine for things on my phone with the LastPass Autofill.

Doesn't tie me to one browser or their security model.

The cool thing about 1Password and similar is that not only do they work in other browsers (Firefox), they also work outside of the browsers (e.g. in iOS I can autofill login boxes with credentials pulled from 1Password)

This feature exists on Android. I can sign in to my chess app with login credentials stored by Chrome (as an example)

For anyone who needs to confirm they have updated LastPass, this link[0] documents reinstallation / updates.

[0] https://support.logmeininc.com/lastpass/help/how-do-i-enable...

Confused as to why tech people in this thread are giving LastPass flak for a single bug. They've had a pretty good track record for the past half decade or so since I've been using them and they submitted a fix immediately for this bug. Bugs happen, and this is a particularly obscure/esoteric bug. Right?

I disagree that they've had a good track record.

I've seen very few security researchers recommend it, while they will recommend other services.

What is the generally recommended service?

I hope this fixes the issue I have with one of my banking sites where it prepopulates the login with my old username and password, which aren't stored in LastPass anymore. Really weird that it seems to have them cached somewhere, so I have to manually select the bank's credentials in order to log in.

I remember my account was locked out completely even though I never did anything. Tried all passwords I knew, but of course you only get limited attempts (Why? If I'm using a brute-forceable password I'm already screwed, I'd rather have unlimited attempts to guess my complex password). I went through all the hoops to get a One-Time Password or whatever it was, tried it on all machines I own, no luck. That's when I decided it wasn't worth it to entrust all of my passwords to an opaque entity like that, it's not ideal, but it's better than losing access to everything I use.

I looked into LastPass and similar options a couple years ago, and ultimately decided on the Chrome password manager (with option for the never-transmitted encryption passphrase). Among other reasons, the Google Security Team seemed bigger and better funded, and I already trust them with my e-mail anyway. I supplement this with a text file that I encrypt/decrypt with the OpenSSL command-line utility, since the latter is available on Linux, Mac, and Windows via Cygwin. So far it’s been a pleasant experience.

I'd love to switch away from LastPass. I switched to LastPass Families when it came out due to their "digital contingency plan" so family members (or the trusted family attorney) can get access to passwords rather conveniently if I or another family member passes away. At the time, I didn't see that other offerings made this as easy. Any other good options out there for this use case?

Just store your master password in your spouse's vault and make sure they know where the vault is stored if you use an offline tool/service.

This of course assumes you are comfortable knowing that they could access your accounts while you're still alive if they wanted to, and trusting that they won't.

Allow me to plug my own product: https://padloc.app The new version (currently in beta) has a "Family" plan which is perfect for this. We're also planning to introduce a "dead man's switch" feature that will grant access to selected family members or friends if you haven't logged into your account for a while. Shoot me an email at martin@padloc.app if you're interested in signing up for the beta!

1Password has a Families plan for this.

I will look into this. I do trust certain family members with access to my vault password, but the notification of access and ability to give access to a trusted third party (my lawyer) that is available with LP is very compelling.

1Password allows you to add family members with access to specific values either read-only or read/write. The system for adding access is multi-step so unless you add someone to a vault they shouldn’t see, you have the flexibility to share as little or as much as you want. Since you can name the vaults you can name them things like “Shared with M Toussant (Attorney)” or “Samir Martha and Paul” which can make it easy to determine where to store what secrets. Have been using Business for a few years with some of my companies and Family with my family and have had good experiences. You can initiate recoveries as the administrator as well which has been helpful in both cases.

I use BitWarden for this. If it's just you and a partner, their free version works. If you have a larger set of people you want to share sets of credentials with (up to 5), the family version is $1/mo.

It's not exactly the same as LastPass' "contingency plan" feature (since you're simply sharing some credentials all the time), but it works well enough for me.

1Password is very straightforward after they added cloud vaults. Before that, it was kind of a mess, but it works quite decently now.

As far as I know, 1Password has never suffered any hacks or critical vulnerabilities the way that LastPass has. I have used both in the past; I would never, ever recommend LastPass to anyone. 1Password, however? A nearly perfect product (with great support).

LastPass support is positively abysmal by comparison, good lord does everything suck about that experience.

Haha, lives up to its name. It exposes the last pass used before the current website.

This is why I use pass and browserpass. I can't vouch for browserpass extension, but pass is just a wrapper for GnuPG. The encrypted files can be synced using almost any sync solution or even Git. There are apps for mobile too.

That makes no sense as the point of attack here is exactly the extension. So wrt this type of bug you gain nothing.

You have the option of not using the extension with this method, and the same vulnerability likely doesn't exist with Browserpass due to the communication method.

But you have the same option with lastpass.

Switched from LastPass to KeePass a couple months ago. Glad that I made the move.

When an article states "...the bug relies on executing malicious JavaScript...", why is the bug considered to be in the plugin and not JavaScript?

Using a programming language to exploit something doesn't mean the programming language is flawed.

So, are they using the phrase "malicious JavaScript" correctly? Shouldn't they remove "malicious"?

"Malicious code" is code that was written with the express purpose of exploiting a weakness or flaw. They're not saying JavaScript is malicious. They're saying someone could write malicious JavaScript code (and then trick a user into executing it) that exploits a flaw in LastPass.

I've been using LastPass for a long time, but I don't understand why they don't support FIDO2 as a MFA option.

Password managers are great, just don't use the browser extension. Don't even use the Grammarly extension.

Care to elaborate?

Generally, I don't enjoy sending every keypress to a spellcheck API. Every extension increases the attack surface area. The browser should remain secure, use the native apps.

I don't use the browser extensions. I deal with copy-paste BS every day, but I rest easier.

This is a good time to remind everyone that if you don't have 2-part authentication to a service, that's because you don't care about other people accessing it.
