The fix went out less than half an hour after they learned about it, and this HN submission was posted 1 hour ago, so no one learning of the issue by means of this HN submission will have been able to reproduce the problem.
Also, if you've enabled offline access to your vault (which used to be the default IIRC, and would be smart regardless of your password manager of choice) this won't affect you.
In reality (I was affected by this and it’s now fixed), this happened 3 days ago, and I kept watching the status to see if they would identify it.
I had to upgrade to premium support for them to even respond to the issue. I filed the issue on Friday or Saturday, and they got back to me on Sunday. And it looks like they have fixed it now.
This was not a quick response time, don’t give them credit for this one.
The best way is to build small agents to monitor the service you depend on to know whether they truly respect their SLA. In case of LastPass they don't even have an SLA... so good luck with an updated status.
Magic, 100% uptime!
I know there is always the case where "it's just me", but I'm talking about an incident that was widely reported in the media because it was so widespread. While the incident is ongoing, they do provide status updates... but after a couple weeks pass, the global outage that affects everyone silently disappears from their archive. It's quite interesting.
There kind of needs to be a third party SLA escrow of some kind to really make things work.
The problem with this model is that it doesn't allow engineering teams to set realistic goals to improve reliability. Because a customer being down for 3 days doesn't cost the company any money, you can't deploy expensive engineering resources to prevent that sort of thing from happening again. Meanwhile, if you track your SLA accurately, and compensate customers in a way that's commensurate with the inconvenience they experienced (something like "the entire month is free if we're down for 8 hours in a row"), then you can start doing real engineering. You have a clear number that shows where you're at now, and you have a goal for where you want to be, and you have a cost associated with that goal... suddenly you can make intelligent decisions about what to work on. This class of outage costs us $600,000 a year. It would take one engineer at $200,000 a year 3 months to fix it. There's $550,000 of free money. Instead of being a cost center, you're a profit center! And customers get a better product. How is that not a win? I'll never understand.
One thing I liked about working on Google Fiber back in the day is that US-based telephone support was not something that we would compromise on. It was expensive! So when we could eliminate classes of problems that people call in about, like poor WiFi connectivity or bad TV remote Bluetooth pairing, you could directly see the savings in support cost. You could spend a year debugging WiFi, and instead of looking like flushing money down the toilet, it looked like making money. It was a joy to work on. But obviously a very uncommon way of accounting. It's easier to say "everything is perfect, we dare you to cancel" than to invest in engineering. As an engineer, that's sad; we want the world to work better... but it's only possible with resources.
In particular I'd see repeatable problems where they couldn't launch whatever browser X operating system in under 2 minutes (when our tests would time out) and list allocation time as 'elevated' (say, 8s average vs their normal of 3s). If you start believing your own statistics you get into almost as much trouble as believing your own PR.
For an 18 month period where they were particularly bad, I think they only copped to an actual problem one time out of around a dozen cases where our CD pipeline was blocked for half a day or more unless we just turned off e2e tests entirely.
What's a fair way of producing a single number though?
The relationship between client and service is the same irrespective of the number of clients the service has - a number which means exactly nothing to the client.
But more importantly, availability numbers are for informing a client about how much incidents outside their house can affect them, and reasonable courses of action to take when it does.
When using the numbers internally, the fudged number is equally misleading. Unfortunately there exist fewer adversarial relationships internal to an organisation to prevent this short-sighted statistical nonsense.
Office 365 had an issue where their DNS resolutions were fubar and impacted the service for certain customers, but their position was that the service itself was fine.
Their SLAs are short and readable. It is worth reading a few of them, especially if you have a SaaS and are thinking about your own SLAs. Just search Google for [google $product sla] to find them.
Maybe a more scalable solution would be a third-party company that sells this information. I think there’s a lot of money to be made there.
That's my conclusion on what status pages have become. Which of course raises the question: what do I do when I see a service with N problems in their status pages over the last X days? Are they being naive, or was their service so bad that they were forced to write it down?
I agree with you, there is a lot of money to make there. I think there are already a few companies doing that, though.
The article says the issues started on Friday and users told them then. So, it seems to be three days for a fix, not half an hour.
You are trying to conflate 2 different metrics. The first assertion is from the time the ticket was investigated, not submitted.
It might be useful to talk about expectation of service, since that's what you are getting at. 3 days (over a weekend) is reasonable for a free tier, I would think. For a paid tier, maybe it should be more immediate.
This line of reasoning sounds backwards to me. It is the importance of the service that drives the needed level of reliability and people should expect there to be a cost to match that level of urgency and have guarantees that the vendor understands and will meet those needs.
If LastPass expects user password management (aka consumer access to websites) to require under two 9's, they are wrong. If they can't meet a minimum level of reliability with a free tier, they should not be offering a free tier.
For most services, I'd expect free tiers to be strict subsets of paid tiers. I'd expect them to be running the same code, often on the same servers, as paid tiers. Free tier accounts would for the most part just have different per account settings.
If that is the case, and I was a paid tier user, I would be upset if it takes days to respond to problems on the free tier because if free tier accounts are running into problems there is a good chance paid tier accounts are also running into problems.
Maybe the problem really is one that only affects free tiers--something like, say, a load balancer mistakenly thinking the servers are overloaded and dropping free tier requests to ensure that paid tiers get served.
Perhaps then maybe you can make a case that it is OK to not fix it over a weekend. But even in that case there should be a prompt investigation when the free tier users start reporting problems in order to determine if it is something that will also hurt paid tier users.
If that investigation finds that it won't affect paid tiers, there should then at least be a status update explaining this. Free tier users are going to be Tweeting about it, posting to HN and Reddit, etc., where paid tier users are going to see it.
You need to assure your paid tier users that things are fine for them and they aren't going to have their weekend messed up dealing with your outage.
That doesn't appear to be true. In one of the Twitter feeds linked to in the article, "LastPass Support" says they are "actively investigating" reports on the 17th, so they knew something was up at least that far back.
So I also switched over to 1Password, and never looked back. It is such a refreshing and trouble free experience compared to LP, and the few times I needed to ask a question, their support team got right back to me with the correct answer the first time.
I can't comment on the defensive part, but text can often be harder to parse in conversation so perhaps it was that? I generally find our support team to be pretty understanding but I am sorry if our support team didn't properly handle your concerns and feedback.
Feature parity is a tricky one. The Mac (and since it's shared code in a lot of ways, the iOS app) have been around a lot longer. Dating back to just a bit after I started here 8 years ago we started work on 1Password 4 for Mac and iOS.
The Windows app was rebooted completely a few years back and has been playing catch up since.
Feature parity is the ideal, but it isn't something that is going to happen overnight and we're still trying to do a variety of things to make that happen. But without slowing down our Mac team the Windows app will never really reach feature parity. With that in mind I know our Windows team really wants to try to be a lot closer and they're working hard to do it, but we're all sorry it hasn't moved faster than we'd all like.
If you have specific feedback feel free to write in to our support, mention me (Kyle), and ask that your support request be answered by me. Please include a link to this thread just for reference and I'll make sure to look into all of your comments and concerns.
Again, very sorry we haven't met your expectations. Know that our expectations haven't been met either and that we're working hard to try to give everyone what they want on our Windows application.
1Password Security Team
Particularly after the nonsense support LastPass gives, it was a pleasant experience, even if my grumbles hold true.
It's not a perfect product by any means but still light years better than LastPass in usability.
We can't be the tool for everyone and we're always the first to recognize bugs exist. Unfortunately we also aren't able to fix them all just like I'm sure most people around here have backlogged bugs in the applications they work on. But we do try to prioritize based on severity and how many people are impacted.
I do appreciate the kind words though. We're not perfect, never will be, but we can sure try our best and I think that's all anyone really wants out of themselves.
If you ever run into issues feel free to reach out as well. Happy to help however I can!
Overall, I've been quite happy with it and my family has loved it.
I've been using LastPass for 8 years and I've never needed any support, but I only pay for a personal version, not corporate.
I realize that's an anecdote, but what kinds of problems are people having?
That being said, having A password manager is better than having none at all.
And more and more expensive. I used it for 8 years, cancelled this year after I noticed it was $45USD per year (over $50 CAD!). Impossible to justify with so many cheaper or free alternatives.
There's no (non-cloud) syncing, or easy backups. There are no file attachments, or custom fields, or non-website-based accounts. There's no automatic checking for duplicate passwords, or old passwords, or alerts for websites known to have been compromised.
I don't use a web-based password manager like LastPass because I don't really trust it (for either security or reliability), but local password managers are great for storing all kinds of private data. How would I store my driver's license, my storage unit lockbox combo, or my marrow donor registry ID in a web browser?
I've been encrypting my Firefox password store for so many years I can't even remember.
Is that not secure or something?
(Maybe they've fixed this since, I'm not sure. It doesn't seem like security is being taken very seriously in any case.)
What is a PEG?
1password is nice for the polish especially on Mac; Bitwarden is nice to use, open-source, and the free plan is sufficient for most; and KeepassXC is a stable offline solution (that you can sync yourself).
Or you can do what I did: when I reach a site that had an issue, I would just look at the password and there would be an obvious parsing error, e.g. "&" is instead "amp&", and would just modify it manually.
Only happened a few times and then all is good.
How does error handling like this even make it to production?
I got an email as well confirming my account deletion and I can no longer log in.
But all in all this clearly does increase my trust in Lastpass's security competence.
So the deletion process has been erroring in that way for at least a month now.
The only thing I have yet to figure out for BitWarden is how to get a little icon to show up next to user/password fields in forms. I just have to right click and go to BitWarden (Firefox) to get there, which is just slightly more work. Still worth it.
Why would I pay $36/year (LastPass) for something that I can control for free?
Hope it helps.
I seriously considered Bitwarden not so long ago when I was looking for a password manager, and then realized I also need to maintain bookmarks across platforms and devices. Sadly Bitwarden doesn't offer that as a feature.
I'm curious if there is a differentiating feature of Bitwarden over Sync
It is especially bad with newspapers where everyone seems to be optimizing only for subscribers, not for sale of individual news items or even single day access.
Consequently I don't buy (except one local and one national one.)
The Guardian seems to be the winner in my case. They accept donations and get $10 for each thing I read there it seems :-]
My only fault with it is that it's missing the "icon" in the inputs to click-and-fill as LastPass has, but I believe that's on the BitWarden backlog.
Still, I'd take having to press Cmd+Shift+Y over not being able to see access keys or er... any of my passwords.
However, I imagine spending an hour of your time is more than that $10 budget.
Also, I've never run a Pi for more than a few years without the SD card failing. Even when logging to a ram disk, something seems to fail eventually, and it is sometimes not found until the unit is rebooted.
Of course, I have a backup of the important data as well.
I always find this a weird way to judge things. Are people actually spending the time they'd be earning money to set these kinds of things up?
More info here - https://blog.bitwarden.com/premium-access-for-families-organ...
After reviewing what you actually get from a family plan, I'm not needing to be sharing enough credentials to make it worth the cost. I opted for a premium plan instead so that I can make use of yubikeys.
There's also some other stuff like our Wifi password, etc so that she doesn't have to write it down.
Bitwarden sync can sometimes be a little slow but on the whole I am very pleased with it and would highly recommend it.
What if that person gets run over tomorrow and nobody knows the password for the AWS account. Imagine how long it'll take for somebody to get around the huge code base on their own.
Now I think there is a scenario where the maintainer gets bussed and bitwarden later goes down after some months resulting in lost passwords.
Luckily I'm technically minded, so it's not too hard to manage my GPG keys or manage syncing the git repo every now and then.
What it lacks in swish UI and automagically-configured browser extensions it gives in configurability, privacy, control over data, and freedom.
When combined with a yubikey set to decrypt only on touch this setup has a very low attack surface compared to other browser password managers.
I since switched to a separate on-device key for "low value" passwords and keep the interesting stuff (e-mail pwds) under the yubikey protected key (which does require touch).
Did you find a better solution?
Apparently there is a new "cached" option for the touch settings "Touch is cached for 15s after use (valid from 4.3)." Which would work for your use case but also neglect some/most? of the security advantages.
Any recommendations for OS X? Is it worth building from source and/or getting it working outside of brew?
From memory I think autocomplete worked for pass once I started using antigen.
I have the following plugins in my .zshrc
and also run antigen with user bundles for
Some magic somewhere in the above provided autocomplete for me with pass.
I hope it helps.
Then whenever you insert something into the `pass` database (which is just a directory tree full of encrypted plaintext files) the tool uses the public key to encrypt the password (or anything else). For example, generate a 16-character password without symbols, then show it again (the length argument belongs only to `generate`; `pass <name>` is shorthand for `pass show <name>`):
pass generate --no-symbols shopping/ebay 16
pass shopping/ebay
A quick web search brought up a gist which shows how to quickly get up and running on a single machine.
If you want to use it on another laptop/desktop/*nix-like machine you'll need to export both your public and private gpg keys and then import them on the other machine.
When using a phone you have to do something similar. The Android clients were fairly straightforward, but Pass for iOS had a very, very clunky way of getting the keys across.
Regardless, it boils down to this: get the gpg keypair on all of the devices and then get them all using the same git repo for pass.
However, The Register is usually technically correct and regularly breaks important news (good journalism). Minor technical (or grammatical) errors will be lambasted in comments.
Essentially, the style meshes well with its target readership, and they are very happy that anyone that doesn't like the style auto-excludes themselves from the readership/community.
Basically all mainstream journalism coming out of the UK is garbage (FT & Economist excluded I guess). Even the BBC has been showing some partisan leanings lately.
Lastpass (like pretty much all of these online password managers) will work offline, so if the service goes down, you can still access your data locally.
Google (Drive) at least I trust to have the engineering resources to keep data secure, perhaps not from government secret services but at least from random hackers.
You do need to trust them enough that they will never sniff your master password (AFAIK even the web vault is local only) but eg. the command-line client is open source, so you can at least verify their protocol.
That said, I might switch to bitwarden at some point purely because it can be self-hosted.
All the downsides of online services are mitigated by:
1) Keeping a local backup of your passwords
2) Using a service which only stores encrypted vaults which are decrypted on your device with a locally stored password.
Lastpass was really buggy and had a confusing UI. Dashlane also had odd limitations.
1password had a good UI but the "master key" system is difficult for users to use. It was also more expensive.
I ended up recommending Bitwarden. Surprisingly the open source option had a great UI and great clients, with the bonus of being open source on both ends.
Unsurprising, and at the same time it makes 1password's security scheme much more bulletproof.
You need that piece of information to identify the client, and even 1password doesn't have it, which means that when inevitably one of these cloud services gets attacked with success, it will less likely be them. Plus they can't see your stuff, that's a plus.
Security is not free.
Am I talking about the same thing as you when I call this password the “master key”? I feel like I must be as this is flat-out the thing that makes 1Password easy to use.
1. The team address <team>.1password.com
2. Your login name (email usually)
3. Your 'secret key'
4. Your 'master password'
I suspect GP is talking about item #3 being the point of confusion.
Edit: I do not mean browser localStorage
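An added illustration (not 1Password's published algorithm and not code from this thread) of why item #3 in the list above matters: a "two-secret" unlock key that needs both the memorable master password and a high-entropy secret key that only ever lives on the user's devices, so the verifier the service stores gives an attacker nothing to test password guesses against. The login name is used as the account-specific salt, and the iteration count is an assumed demo value.

```python
import hashlib
import hmac
import secrets

# Constructed demo, not 1Password's real scheme: combine a master password
# (low entropy, memorised) with a secret key (high entropy, device-held).
PBKDF2_ITERATIONS = 100_000  # assumed demo value


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_secret_key() -> bytes:
    """Made once per account on the device and never sent to the service."""
    return secrets.token_bytes(16)  # 128 bits: not guessable offline


def derive_unlock_key(master_password: str, secret_key: bytes, login: str) -> bytes:
    """Mix both secrets so that neither one alone reproduces the key."""
    salt = login.encode("utf-8")  # same password on two accounts -> different keys
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, PBKDF2_ITERATIONS, 32)
    sk_part = hkdf_sha256(secret_key, salt, b"secret-key")
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(unlock_key: bytes) -> bytes:
    """All the service ever stores: a one-way tag of the unlock key."""
    return hkdf_sha256(unlock_key, b"login-verifier", b"verifier")


def login_ok(stored_verifier: bytes, master_password: str,
             secret_key: bytes, login: str) -> bool:
    """Server-side check; wrong password OR wrong secret key both fail."""
    candidate = make_verifier(derive_unlock_key(master_password, secret_key, login))
    return hmac.compare_digest(stored_verifier, candidate)


# Constructed sample account.
SAMPLE_LOGIN = "alice@example.com"
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SECRET_KEY = generate_secret_key()
SAMPLE_VERIFIER = make_verifier(
    derive_unlock_key(SAMPLE_PASSWORD, SAMPLE_SECRET_KEY, SAMPLE_LOGIN))

if __name__ == "__main__":
    print("password + secret key:",
          login_ok(SAMPLE_VERIFIER, SAMPLE_PASSWORD, SAMPLE_SECRET_KEY, SAMPLE_LOGIN))
    # Knowing the password but lacking the device-held key gets you nowhere.
    print("password, no secret key:",
          login_ok(SAMPLE_VERIFIER, SAMPLE_PASSWORD, bytes(16), SAMPLE_LOGIN))
```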
However, in the year before I left LP, they went down three times, at most for about 4 hours. Each time, I could not access my local vault, not through the browser extension, not through the Android app, and certainly not through the website; no matter what I did, it was nothing but errors, and their support was useless. It just would not work. That was enough to spook me and get me off their service.
I was complacent, thinking that no matter what, I could always see my vault, regardless of network status, until it actually hit the fan. I'm currently with 1Password, which is quite slick (their change on 2FA is what actually got me to give them a try), but I've killed network access to my devices and was able to access my vaults.
Just in case, though, I have KeePassXC as well. You never know.
Security is a battle of convenience, and we still haven't struck gold for the layman to have decent enough security hygiene.
I've been using them the better part of a decade, I've never had an issue and find calling it a 'crappy product' to be shocking.
What sort of issues have you had?
- constantly managed to lose newly generated passwords
- consistently failed to register new passwords with the Safari extension
- failed to autofill credentials on many websites
I had used LP for years, but these problems never went away despite these being a failure of core functionality. After I finally switched to an alternative password manager, I was pleasantly surprised at how well everything seemed to work in addition to a much nicer UI.
In LP's defense, it's great that they offer such an important service for free, but I'd really prefer my password manager to be of higher quality.
For additional security, you can manually copy the database between devices as well. Or keep a separate manually copied database with your most secure logins.
Or is there something else going on that corrupted the users' local copies?
If the system is properly secure (i.e. data is encrypted and verifiable with the user's password-derived key) this shouldn't be possible, right?
* My airplane-mode test passed both on my mobile device and browser (1password X).
* The team is aware of the situation with LP and wrote a very thoughtful response: https://discussions.agilebits.com/discussion/comment/544136/...
* From the response above, 1password is SOC2 certified, so availability is taken very seriously.
I have been using Safeincloud https://www.safe-in-cloud.com/en/ for I feel like forever. The dev is quick to add new features, like autofill on android, and windows hello on windows.
It's a one time payment on Android and iOS; desktop apps are free.
I know that 1password is prob better and more secure, but I can't afford the monthly rate.
1) Drop your device(s) into a muddy puddle (destroying them).
2) Slip in said puddle so you hit your head. On waking up you're absolutely fine, but are entirely incapable of remembering your passwords or encryption keys.
3) Can you get your cloud data back?
If you can, then it's not actually secure.
- non-subscription version available
- multi-platform (iOS, Android, macOS, Linux, Windows)
- offline access (local DB)
- sync via non-Enpass servers (e.g. use Dropbox, Google Drive, iCloud, Box etc.)
- actively maintained
I have been using for ~3 years on a revolving door of devices and have never experienced any issues - just works.
(Not affiliated in any way with Enpass)
It's what I've been using for Windows-running non-savvy relatives for decades.
The Register article gives no indication as to the number of users having trouble with the current issue.
My single issue with LastPass is that they don't offer an APK download option separate from the Google Play store, so my slow and steady migration will require, at some point, migrating to a different password manager.
I made a trouble ticket regarding this issue and they informed me they have no plans to offer a separately downloadable APK.
(I work for an IAM SI/consultancy and we use and implement SAASPASS for IAM needs including enterprise password management, 2FA, directory services and SAML-based single sign-on).
The ability to host it yourself is a big kudo to me, then we are no longer constrained by LastPass like this case here.
Is this generally considered to be not viable?
Then you're not qualified to be discussing software or the tech industry, frankly.
When faced with a link to an article on The Register, searching for the source it's been copied from is a good first step.
It's not the best option, of course, but certainly better than weak and reused passwords, right?
After using a password manager: I'm using long (generally 64 characters), unique passwords, and if one is compromised, it's a 30s job to change it on all of my devices.
Convenience _enables_ security. I could probably roll my syncing solution, but I would _not_ be convinced it is secure (I don't have that level of expertise), and I would probably end up using a third party anyway (Dropbox/Digital Ocean). I'm not going to sync it manually to the 6 or so devices I regularly use, plus others I use less frequently (it may be more secure, but it's not practical). Because it's low friction, I end up using it more, so it's a _net_ gain in security, even if it isn't perfect.
Lastpass had a bug that affected a small percentage of users. They identified and fixed the bug within several days. What more do you want?
Is there really a competing product out there that guarantees NO BUGS? So, then, why the extreme nod to #CancelCulture for what appeared to be just a temporary issue?