LastPass Extension slows Chrome's responsiveness by up to 50% (twitter.com/_pastelsky)
232 points by pastelsky on Oct 6, 2019 | 72 comments

If you take a look at their extension, it injects a number of separate content scripts on the document_start event for a webpage. This blocks document loading and Google's recommendation is to load content scripts on document_idle which would not block loading.

These scripts that are injected into every page (including all iframes) include this one which is a 25,000 line file:


Things like this can have a large impact on performance. My company develops a Chrome extension and we are very focused on optimizing the performance of our content script and minimizing its impact on host pages. We handwrite all the JavaScript code in the content script and manually include the very few third party dependencies we have in it. Yes, it would be a lot easier to use NPM with Webpack to build the content script file, but it's important to keep content scripts as slim as possible.
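The manifest settings discussed in the comment above (`run_at`, `all_frames`, and the match patterns) can be checked mechanically when reviewing an installed extension. The following is an added example, not part of the original thread or of any extension's code; the sample manifest, extension name and file names are constructed.

```javascript
// Audit a Chrome extension manifest for content scripts that are injected
// early (document_start), into every frame, and on every site.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditContentScripts(manifest) {
  const findings = [];
  const entries = manifest.content_scripts || [];
  entries.forEach((entry, index) => {
    // Chrome defaults to document_idle when run_at is omitted.
    const runAt = entry.run_at || "document_idle";
    const broad = (entry.matches || []).some((m) => BROAD_PATTERNS.has(m));
    const issues = [];
    if (runAt === "document_start") {
      issues.push("runs at document_start, before the page's DOM is built");
    }
    if (entry.all_frames === true) {
      issues.push("injected into every frame, including iframes");
    }
    if (broad) {
      issues.push("matches every site");
    }
    if (issues.length > 0) {
      findings.push({ index, files: entry.js || [], runAt, issues });
    }
  });
  return findings;
}

// Constructed sample: one broad, early script and one narrowly scoped script.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "example-password-manager",
  content_scripts: [
    { matches: ["<all_urls>"], js: ["autofill.js"], run_at: "document_start", all_frames: true },
    { matches: ["https://vault.example.com/*"], js: ["vault.js"] },
  ],
};

for (const f of auditContentScripts(SAMPLE_MANIFEST)) {
  console.log(`content_scripts[${f.index}] (${f.files.join(", ")}):`);
  for (const issue of f.issues) console.log(`  - ${issue}`);
}
```

To audit a real extension, pass the parsed contents of its `manifest.json` to `auditContentScripts`.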

Also their Privacy Policy says they spy on absolutely everything and share it with anyone and everyone. Just guessing that's what some of those 25k lines do.

Gotta make sure your passwords are nice and safe while selling your data to subsidize your password vault.

I used LastPass for many years until I got tired of the slowness/high CPU, then I saw that Bitwarden had done a lot of work on performance and switched to it.

Never had any issues and I have at least a thousand entries.

And quickly searching passwords is one thing, but Lastpass was slow with filling forms and input fields too. Bitwarden use the same method as 1password[1] for autofill, which works great!

[1] https://github.com/bitwarden/browser/blob/master/src/content...

My main reason for switching away from LastPass was that Bitwarden's UI was much better looking. It's been working great for me since then (even after switching from Chrome to Safari).

I also appreciate the UI more with Bitwarden, it goes straight to the point and is quicker to navigate (less drop-down menus).

Ooh, thanks for the tip. I've been sort of resigned to LastPass, but it's one of those things that strikes me not so much as software as an agglomeration of hacks. It certainly works, but it has so much quirky behavior both in Firefox and Android that I've been expecting them to have a major breach. I'll have to check BitWarden out.

Can you export your passwords from LastPass to bitwarden easily?

As others have commented, yes you can by exporting as a CSV and then importing that into Bitwarden. Even the notes were successfully imported.

During this process, I also cleaned up my vault (some accounts had very long URLs saved as opposed to the base domain; e.g. https://www.foobar.com/signup&method=blah... => https://www.foobar.com) and discovered that a bunch of my entries had either empty usernames or empty passwords.

It's very easy. BitWarden has this listed in their faq. Simply just export LastPass to a CSV file and import it in BitWarden.

Yep - I just did it after reading this post.

Me too.

I am also a former LastPass user. I did have a stint with 1password before finally settling on Bitwarden; it just seems like the most reasonable option.

I semi-annually try most of the popular password managers (Dashlane, 1Password, Lastpass, Enpass, Bitwarden) and I always end up staying with 1Password. Both their desktop and mobile apps are very well thought out and there's all sort of small UX and UI finesses that make them a cut above the competition.

Having said that, you'll have to deal with a high subscription cost and proprietary (but audited) code. They are also unwilling to make a full blown Linux app.

How do you use it on linux? Just a browser extension? I've been on lastpass because the last time I tried, 1password didn't seem that convenient on linux.

If you have the hosted version of 1Password, you can use the 1PX extension which is completely standalone.

This is how I used it. Though to be honest, one of the reasons I left 1P was because it genuinely felt like they only ever support Linux on accident. I guess now there’s a command line tool, but still, I feel much better with Bitwarden or Enpass as someone who runs only Linux both at home and at work.

When I left, there were still lots of things that the extension did not do, that the desktop app did.

Enpass works pretty well on Linux, but you may run into some issues depending on your distro that have to be worked around.

For terminal stuff, 1Password offer a CLI client that you can build around.

You don't have to get the subscription - you can purchase a standalone license.

Do people not like dashlane? I feel like it’s the best of the bunch although does cost some money.

Indeed, at least this is what I have been told by some friends of mine. I also use Dashlane so much that I have convinced some of my family members to try it out over the others and they have never looked back.

I checked out Bitwarden a while back and the mobile app is very sloppy to use compared to Dashlane. The desktop app (Electron) just keeps eating up my Macbook's RAM and it takes a while to auto-fill passwords in other apps. Perhaps the openness of Bitwarden may allow compatible alternative password-managers to rival Bitwarden's own clients or even Dashlane.

Right now, I'd rather pay for Dashlane since it does the job better than what I have tried out so far.

I think it looked fine the last time I checked it out but it doesn't really do anything for me that bitwarden does and bitwarden is free and open.

It's too expensive for what it does, and I don't trust it, mostly because its auto password changer does it on their servers.

I am another long time LastPass user (2010ish) to (paid) Bitwarden convert. Simply better in every possible way. The UX/UI of LastPass is so bad, search and copy a password? Almost impossible.

How is searching and copying a password 'almost impossible' in LastPass?

It looks like they updated the extension, but previously when you searched for an entry you couldn't easily copy the password. I had to get into the entry, edit, show password and copy it manually, a flow that looks to still be in the web version.

Thanks - read the post and just switched to Bitwarden!

another former lastpass premium user who jumped ship here. it felt like switching from abp to ublock.

This is my experience with everything LastPass touches. Chrome, Firefox, Standalone, iOS, same unresponsive nonsense. Thankfully that's limited to only the corporate environment for me, but if you have a choice, 1password has been amazingly slick for me outside of it.

Exactly that. I'm so happy I convinced my manager to let me rollout 1Password company wide. My problems with LastPass were the clunky web UI and the lack of control I had even for enterprise accounts. I wasn't able to do a password reset for a new team member who pasted the wrong password and couldn't login anymore later on. The email address was not usable afterwards anymore. Costs for us were the same, so it wasn't that hard to convince people after they saw the demo.

Funny you should mention the corporate environment. My company has a LastPass subscription and encourages us to use it, but they don’t prevent us from installing extensions, within reason. Given that, are there any good alternatives that are both secure and trustworthy while imposing as small a performance burden as possible?

I signed up for 1Password's cloud service, because I needed it on just about every OS and browser under the sun. Works great!

It's a shame really then that it continues to be the most popular password manager.


Hint: It's because LP has a free version

I did this same experiment in September of last year. (just checked my orgmode notes)

My conclusion then was that the speedometer 2.0 benchmark is dominated by page load, because it does that a zillion times as it goes through all the different todomvc implementations.

The lastpass performance tax shows up mostly during page load.

The question is, how representative is the speedometer benchmark of normal use?

It isn't perfect, and it does penalize LastPass's behaviour more due to its poor startup performance.

But I don't think it is entirely unrepresentative of real world performance.

If your hypothesis is correct — if you have LastPass installed, your pages are probably going to load slower and you'll experience a longer "uncanny valley". The tax paid is worse for pages that are otherwise lightweight.

> uncanny valley

You might want to look up that term sometime. It means something different than you seem to think.

I was referring to the time between when the browser paints your site and when JS execution kicks in.

See https://www.fastly.com/cimages/6pk8mg3yh2ee/3Toq5jWy0EuqG8KU...

I can't find any other source for that definition besides that picture.

Where does it originate if I may ask?

The term isn't very ubiquitous, but the problem it describes is. Some references —



I built a Vue.js component for a Rails form that had tons of hidden fields and we couldn't figure out why it was grinding to a halt and lagging only on my boss's machine.

Turns out it was Lastpass and using their lp-ignore flag didn't do anything since it was loaded after the fact.

We ultimately decided to just have an advisory to tell people to disable Lastpass if it came up. Which involves going to the Account settings page and adding a 'Never URL' https://support.logmeininc.com/lastpass/help/disable-lastpas...

Curious why all the hidden fields though? Seems like an anti-pattern. I haven't used a hidden field in years.

I mean props if using server passed data would easily pass the data to your vue context.

I don't even use `<form>` tags anymore. Just bind everything to a JSON object and transform the data as needed if combining stuff, then send it off to the API on click. Saves some work because I don't have to use the prevent tag in the form element or worry about the submit button binding.

I just add an @click to a normal button element and use axios w/ some modifications to enable our auth scheme. (Headers and what not).

I'm building very complex B2B software (link to company is in profile) doing phone call tracking and it's a large legacy Rails app with standard `form_for` type forms.

On one page there could be hundreds of records because some customers like to create a thousand objects for one marketing 'campaign' and have customers routed (via IVR or geo or other flags from the source website/ad embedded js) to a thousand different sales agents depending on fine-tuned criteria (like if they press 1 to say they are over 50), and from there it could trigger a hundred different conversion triggers (for ex: to do CPA payouts to the traffic sources) and webhooks to various analytics services.

Anyway I'm slowly redesigning each part of the giant forms one-by-one and instead of AJAXing some parts separately I'm injecting the data into hidden fields which get submitted via traditional HTTP form-data along with the old forms.

I built a Vue component that automatically generates Rails friendly forms from any object. Including nested arrays of objects, with any degree of nesting. I plan on publishing it soon OSS as RailsForm.vue.

It sounds crazy but it was actually really simple to do and is only a temporary transitional thing. The only problem is I'm pushing the limits of browser memory/CPU on some customer accounts so I've made some performance optimizations like only rendering the hidden fields once the submit button is pushed.

I had a very similar experience. I couldn't understand why doing certain events was so slow in Chrome, but not in Firefox. After a lot of debugging I realized that LastPass was the culprit.

If you add and remove a lot of input fields your page is going to slow down considerably, and their `lp-ignore` attribute didn't help at all.

I’ve had chrome extensions slow things down before but never this badly. It was crazy.

You can tell they are using extremely inefficient JavaScript to track form fields. And hire shitty developers who can't figure out a proper flag to add to be ignored.

Very anti internet IMO.

I honestly don’t understand why people use LastPass when everything about it screams poor quality. Is it the lack of taste or alternatives for non Apple platforms?

My feeling is most use Lastpass because it's free and they don't know about Bitwarden, or (for the techies) didn't hear that Bitwarden passed a third-party code audit.

Lastpass also has a bunch of features missing in Bitwarden, but they're largely long tail stuff. My biggest complaint is it doesn't support biometric authentication on desktop.

My speedometer 2.0 tests on Firefox 70b12 win64.

No password addon: 74.5

Bitwarden: 74.0

Lastpass: 39.7

Pretty grim for LP.

Thanks for posting. I figured this issue wasn't just chrome. Been meaning to switch to BW and this might be the kick I needed instead of 'just living with it' anymore.

Every time I read those stories I am happy to be paying for 1Password.

When I was using 1Password a few years ago it was much worse than this LastPass problem: The Windows version of 1Password resulted in a stuttering mouse cursor and completely lagging UI of the whole Windows system every time the CPU was used 100%. Uninstalling 1Password immediately fixed the problem and I could reproduce it on 2 different systems. I never looked at 1Password again.

FWIW, this isn't a Chrome-only issue. One can see similar differences on Firefox as well.

The LastPass standalone program on Windows was unusably slow as well last I tested it (left LastPass some moons ago.)

If you are on iOS, do you see any reason to use 3rd party password managers ? I don’t seem to find any use for them if I am using the built in password manager

I find a password manager is more than just for passwords. I store PIN codes, Code, security questions, important notes, and so many other things.

The only reason I can think of is that Keychain only works with safari. Sometimes I prefer doing dev work in chrome, and then accessing the passwords in Keychain is kind of a pain.

If there's a cross-browser way to access Keychain, I wouldn't use anything but that.

On top of this, LastPass premium prices went from $12/year several years ago to $36/year. Kind of gone to crap now that LogMeIn bought them up.

Can't say this wasn't unexpected given their history with other acquisitions.

Is anyone else happy with the Trezor password manager [1]? After years of using LastPass, I just bought a physical Trezor wallet and its password manager works well enough considering it's a one-time-purchase.

[1] https://wiki.trezor.io/User_manual:Password_Manager

Slow, buggy, and brittle. What is a good replacement for a small team that needs to share logins, passwords, and other secrets?

Bitwarden. You can self-host the bitwarden_rs backend and basically get premium features for free as well.



I just switched from LastPass to BitWarden as suggested by a few comments below. I never realized what it was doing to my browsing experience. I thought it was just my internet connection or VPN slowing down! I wonder if there is an extension to show what other extensions are adding time to your browsing?

I've been wondering why my chromium installation has been feeling slower recently, thanks for the heads up.

Any insight into why LastPass slows everything down so much? It seems like it has a relatively simple job to do.

I've never had a positive experience with LastPass - this news doesn't come as a surprise.

This is why I switched from Dashlane to 1Password a few years back. Dashlane was activating WebVR (pegging a core at 100% in the process), no idea why it was interacting with WebVR.

It might be worth checking if disabling WebVR does the trick in this case (it worked for Dashlane, but I own an HMD).

main reason why i switched from lastpass to 1password

I assume this is caused by having "Autofill" turned on?

This is on a fresh copy of Chrome, with LastPass installed – without me being logged into LastPass, or having AutoFill turned on.

Speedometer does use TodoMVC heavily, and I wouldn't be surprised if this was because of the text input elements.

This is an important reminder that it's important to periodically review default tooling whether they be chrome extensions, desktop apps, phone apps, etc..

I'm definitely guilty and glad someone did the research!