LastPass stores passwords so securely, not even its users can access them (theregister.co.uk)
257 points by jbredeche 28 days ago | 256 comments



The article went up an hour and a half ago, at the exact same time as https://status.lastpass.com/ updated to say they were investigating. In under an hour, they acknowledged, identified, fixed, and verified the issue.

The fix went out less than half an hour after they learned about it, and this HN submission was posted 1 hour ago, so no one learning of the issue by means of this HN submission will have been able to reproduce the problem.

Also, if you've enabled offline access to your vault (which used to be the default IIRC, and would be smart regardless of your password manager of choice) this won't affect you.


That’s bullshit.

In reality (I was affected by this and it’s now fixed), this happened 3 days ago, and I kept watching the status to see if they would identify it.

I had to upgrade to premium support for them to even respond to the issue. I filed the issue on Friday or Saturday, and they got back to me on Sunday. And it looks like they have fixed it now.

This was not a quick response time, don’t give them credit for this one.


It's a nice trick that many companies use.

The best way is to build small agents to monitor the service you depend on to know whether they truly respect their SLA. In case of LastPass they don't even have an SLA... so good luck with an updated status.


I learned another nice trick from GCP the other day; Stackdriver log ingestion was down, at least for me and a number of people on Twitter, and they simply put a yellow warning at the top of status.cloud.google.com while fixing it instead of making an official incident.

Magic, 100% uptime!


This isn't as bad as Slack, where they will acknowledge an incident, but then if you go back and look at their status history a week ago it ends up being understated and they update the uptime to 100%.

I know there is always the case where "it's just me", but I'm talking about an incident that was widely reported in the media because it was so widespread. While the incident is ongoing, they do provide status updates... but after a couple weeks pass, the global outage that affects everyone silently disappears from their archive. It's quite interesting.


Yeah slack has some very shady SLA practices. I don’t think we can trust companies to self report uptimes.

There kind of needs to be a third party SLA escrow of some kind to really make things work.


Yeah, I've always encountered resistance when wanting to report accurate SLAs. I have found that typically SLAs are based on what the marketing team thinks sounds good, not what the technology can provide, so the goal is to hide outages and write legal documents that say "when we say uptime is guaranteed, what we mean is that we'll give you some insignificant amount of money when you're down for several days." So everything is legally in the clear, but customers assume some sort of reliability that doesn't exist. What this means is that it's a race to the bottom; if one company claims 100% uptime, the next company either has to explain why that's bullshit (and people react negatively to negativity, even when it's true), or do the same thing. The result is that everyone now has 100% uptime.

The problem with this model is that it doesn't allow engineering teams to set realistic goals to improve reliability. Because a customer being down for 3 days doesn't cost the company any money, you can't deploy expensive engineering resources to prevent that sort of thing from happening again. Meanwhile, if you track your SLA accurately, and compensate customers in a way that's commensurate with the inconvenience they experienced (something like "the entire month is free if we're down for 8 hours in a row"), then you can start doing real engineering. You have a clear number that shows where you're at now, and you have a goal for where you want to be, and you have a cost associated with that goal... suddenly you can make intelligent decisions about what to work on. This class of outage costs us $600,000 a year. It would take one engineer at $200,000 a year 3 months to fix it. There's $550,000 of free money. Instead of being a cost center, you're a profit center! And customers get a better product. How is that not a win? I'll never understand.

One thing I liked about working on Google Fiber back in the day is that US-based telephone support was not something that we would compromise on. It was expensive! So when we could eliminate classes of problems that people call in about, like poor WiFi connectivity or bad TV remote Bluetooth pairing, you could directly see the savings in support cost. You could spend a year debugging WiFi, and instead of looking like flushing money down the toilet, it looked like making money. It was a joy to work on. But obviously a very uncommon way of accounting. It's easier to say "everything is perfect, we dare you to cancel" than to invest in engineering. As an engineer, that's sad; we want the world to work better... but it's only possible with resources.


Saucelabs are kings of the "100% outage for 5% of our users = 95% availability" status update.

In particular I'd see repeatable problems where they couldn't launch whatever browser X operating system in under 2 minutes (when our tests would time out) and list allocation time as 'elevated' (say, 8s average vs their normal of 3s). If you start believing your own statistics you get into almost as much trouble as believing your own PR.

For an 18 month period where they were particularly bad, I think they only copped to an actual problem one time out of around a dozen cases where our CD pipeline was blocked for half a day or more unless we just turned off e2e tests entirely.


> the "100% outage for 5% of our users = 95% availability" status update

What's a fair way of producing a single number though?


Per user guarantee levels. i.e. 100% outage for 1 user is equivalent to a 0% availability guarantee.

The relationship between client and service is the same irrespective of the number of clients the service has - a number which means exactly nothing to the client.

But more importantly, availability numbers are for informing a client about how much incidents outside their house can affect them, and reasonable courses of action to take when it does.

When using the numbers internally, the fudged number is equally misleading. Unfortunately there exist fewer adversarial relationships internal to an organisation to prevent these short-sighted statistical nonsenses.


All providers do this where they can.

Office 365 had an issue where their DNS resolutions were fubar and impacted the service for certain customers, but their position was that the service itself was fine.


If the service is down for a limited amount of individuals I consider it still up. This does beg the question of how many constitutes "down". I think the nature of the problem and quantity of users affected is important.


I disagree. The SLA ought to be made on a per-customer basis. 1% of users affected would mean 1% of users would be entitled to refunds/remedies that the SLA prescribes.


GCP has different SLAs for each product, but the ones I've seen are per-customer. The details vary by service, but they generally define downtime, like x% errors for y% amount of time, and then have financial penalties for z% downtime[1]. There are sometimes clauses requiring retries with exponential backoff[2].

Their SLAs are short and readable. It is worth reading a few of them, especially if you have a SaaS and are thinking about your own SLAs. Just search Google for [google $product sla] to find them.

[1] https://cloud.google.com/stackdriver/sla

[2] https://cloud.google.com/datastore/sla
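The "100% outage for 5% of users = 95% availability" complaint above, and the GCP-style definition of downtime as "x% errors for y% of the time, then a credit by tier", both come down to one question: which bucket do you compute the error rate in? The added example below (not from any commenter, and not any vendor's real SLA) computes availability from a constructed request log twice, once fleet-wide and once per customer, and shows that the same log yields a 100% status page and a 25%-available customer. The 10% per-minute error threshold and the credit tiers are constructed; the log shape (minute, customer, status) is an assumption standing in for whatever your own monitoring agent records.

```python
from collections import defaultdict

# Constructed thresholds, shaped like the SLA structure the GCP comment
# describes ("x% errors for y% of time" => downtime; credit by tier).
# They are NOT any vendor's real numbers.
ERROR_RATE_THRESHOLD = 0.10      # a minute is "down" when >10% of its requests fail
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]  # (availability floor %, credit %)


def make_sample_log():
    """Constructed request log as (minute, customer, http_status) tuples:
    20 customers, 4 minutes, 5 requests per customer per minute.
    Customer c19 gets nothing but 503s in minutes 1-3: a total outage
    for 5% of customers."""
    log = []
    for minute in range(4):
        for c in range(20):
            cust = f"c{c:02d}"
            for _ in range(5):
                status = 503 if (cust == "c19" and minute >= 1) else 200
                log.append((minute, cust, status))
    return log


def _error_rates(log, key):
    """Error rate per (key(customer), minute) bucket."""
    total, errors = defaultdict(int), defaultdict(int)
    for minute, cust, status in log:
        bucket = (key(cust), minute)
        total[bucket] += 1
        if status >= 500:
            errors[bucket] += 1
    return {b: errors[b] / total[b] for b in total}


def availability(log, key, threshold=ERROR_RATE_THRESHOLD):
    """Percent of observed minutes that are 'up' for each key."""
    up, minutes = defaultdict(int), defaultdict(int)
    for (k, _minute), rate in _error_rates(log, key).items():
        minutes[k] += 1
        if rate <= threshold:
            up[k] += 1
    return {k: 100.0 * up[k] / minutes[k] for k in minutes}


def aggregate_availability(log):
    """The single fleet-wide number a status page tends to show."""
    return availability(log, key=lambda cust: "all")["all"]


def per_customer_availability(log):
    """What each customer actually experienced."""
    return availability(log, key=lambda cust: cust)


def credit_percent(avail):
    """Credit owed for a given monthly availability, by tier."""
    for floor, credit in CREDIT_TIERS:
        if avail >= floor:
            return credit
    return CREDIT_TIERS[-1][1]


def summarize(log, slo=99.9):
    """Aggregate vs. per-customer view of the same log."""
    per = per_customer_availability(log)
    worst = min(per.values())
    return {
        "aggregate": aggregate_availability(log),
        "worst_customer": worst,
        "customers_below_slo": sum(1 for v in per.values() if v < slo),
        "credit_for_worst": credit_percent(worst),
    }


if __name__ == "__main__":
    print(summarize(make_sample_log()))
```

Run as-is it reports the fleet at 100.0% (5% errors per minute never crosses the 10% threshold) while c19 sits at 25.0% and, under the constructed tiers, is owed a 50% credit. Whatever thresholds your own agreement uses, keying the buckets by customer rather than by fleet is the difference between a number that describes the vendor and one that describes your outage.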


I did not realize there is tracking of uptime for individual agreements. I think the status.cloud.google.com from the commenter I was responding to is a general uptime status for all users, correct? I checked out the GCP SLA and see that it is tracked on a monthly basis which affects billing (as antoncohen points out).


I think this is an artifact of how SLAs are tied to billing. Anyone who had ever billed a corporation knows how they will jerk you around. It’s obvious that you won’t get a straight answer if you go and ask a company how much they owe you. That’s what a status page is. It’s the company’s first offer in the negotiation on how much they owe you for the outage. You need to calculate your own number in response.

Maybe a more scalable solution would be a third-party company that sells this information. I think there’s a lot of money to be made there.


Well, then what's the point in keeping a status page? Ah, right. Marketing.

That's my conclusion on what status pages have become. Which of course raises the question: what do I do when I see a service with N problems in their status pages over the last X days? Are they being naive, or was their service so bad that they were forced to write it down?

I agree with you, there is a lot of money to make there. I think there are already a few companies doing that, though.


I think when a service provides its own status page, the customers are less likely to build their own status monitoring, so the service can get away with more downtime.


I also have been having the problem in a browser since last Friday. Fortunately, lpass command line tool kept working without issues, so I never bothered to report. The problem is fixed now. Maybe it was related to the MFA as I have been prompted for it today. FWIW, this was with Firefox and FreeBSD.


> The fix went out less than half an hour after they learned about it,

The article says the issues started on Friday and users told them then. So, it seems to be three days for a fix, not half an hour.


> it seems to be three days for a fix, not half an hour.

You are trying to conflate 2 different metrics. The first assertion is from the time the ticket was investigated, not submitted.

It might be useful to talk about expectation of service, since that's what you are getting at. 3 days (over a weekend) is reasonable for a free tier, I would think. For a paid tier, maybe it should be more immediate.


> 3 days (over a weekend) is reasonable for a free tier, I would think. For a paid tier, maybe it should be more immediate.

This line of reasoning sounds backwards to me. It is the importance of the service that drives the needed level of reliability and people should expect there to be a cost to match that level of urgency and have guarantees that the vendor understands and will meet those needs.

If LastPass expects user password management (aka consumer access to websites) to require under two 9's, they are wrong. If they can't meet a minimum level of reliability with a free tier, they should not be offering a free tier.


They're obviously meeting a minimum reliability level for the free tier or else no one would be using it because they would find it too unreliable. The argument is about whether their resolution time for the free tier is acceptably fast, which can be measured by how many people left the service because of this event. Paying money gets you better service is the other idea in what you quoted; it's hard to imagine why you wouldn't give people better service for paying money unless you were getting more value off them through practices such as data collection. But privacy activists hate the poor so it's pretty hard to thoroughly monetize the free tier without someone trying to start a boycott to make their world a better place.


That's one opinion. I'm happy with free and occasionally down rather than paid and always up.


> 3 days (over a weekend) is reasonable for a free tier, I would think. For a paid tier, maybe it should be more immediate.

For most services, I'd expect free tiers to be strict subsets of paid tiers. I'd expect them to be running the same code, often on the same servers, as paid tiers. Free tier accounts would for the most part just have different per account settings.

If that is the case, and I was a paid tier user, I would be upset if it takes days to respond to problems on the free tier because if free tier accounts are running into problems there is a good chance paid tier accounts are also running into problems.

Maybe the problem really is one that only affects free tiers--something like, say, a load balancer mistakenly thinking the servers are overloaded and dropping free tier requests to ensure that paid tiers get served.

Perhaps then maybe you can make a case that it is OK to not fix it over a weekend. But even in that case there should be a prompt investigation when the free tier users start reporting problems in order to determine if it is something that will also hurt paid tier users.

If that investigation finds that it won't affect paid tiers, there should then at least be a status update explaining this. Free tier users are going to be Tweeting about, posting to HN and Reddit, etc., where paid tier users are going to see it.

You need to assure your paid tier users that things are fine for them and they aren't going to have their weekend messed up dealing with your outage.


It’s common to use free tier as a canary deploy. Cloudflare, for instance, is quite public about this.


A lot of times splitting the groups makes sense resource-wise.


As a user of paid LastPass and many other SaaS products, for me part of the value proposition is that I’m benefiting from the QA provided by free users. I expect bugs to be fixed quickly even if I don’t personally make a bug report. I’m especially unlikely to make a report if I already saw other people publicly complaining about the bug. Since most users don’t report bugs, software companies need to behave as though bugs are more common than reported.


> The fix went out less than half an hour after they learned about it

That doesn't appear to be true. In one of the Twitter feeds linked to in the article, "LastPass Support" says they are "actively investigating" reports on the 17th, so they knew something was up at least that far back.


Life is so good that we are re-using brain structures evolved to avoid being eaten by lions to complain about buggy software.


Nowadays it's more probable that one dies because of buggy software (Boeing MCAS) than gets eaten by lions.


If you find out about a bug in MCAS, you definitely should complain about it.


So glad I switched to 1Password, haven't had an issue since. They provide an easy transfer of your passwords from LastPass, you can just follow their guide and be done in 5 minutes: https://support.1password.com/import-lastpass/


I was a longtime LastPass customer, but the service just kept getting worse and worse, to the point where a year ago I realized I was spending more time fighting the user interface than it was saving me. And their support was absolutely useless.

So I also switched over to 1Password, and never looked back. It is such a refreshing and trouble free experience compared to LP, and the few times I needed to ask a question, their support team got right back to me with the correct answer the first time.


Long time Lastpass user here - good god their UI is terrible. It really feels like a first pass to get the functionality working and then they just gave up. Kept up hope for the last like 5 years that it would get better. I should probably just start looking at alternatives at this point. Only reason I haven't is that my vault is a mess and I'm not looking forward to organizing when I finally move it.


I still use it but their support gets super defensive if you have any criticism about it. Their "new" 1pass X still sucks and recently has been going backwards in terms of usability. They keep promising feature parity between windows/mac too but this new browser plugin seems to be their fallback excuse. If I wasn't so heavily invested in it I'd switch in a heartbeat. I need something that works across ios/mac/windows and ideally without copying passwords to clipboard, that's pretty insecure.


Hi, I work for AgileBits, makers of 1Password.

I can't comment on the defensive part, but text can often be harder to parse in conversation so perhaps it was that? I generally find our support team to be pretty understanding but I am sorry if our support team didn't properly handle your concerns and feedback.

Feature parity is a tricky one. The Mac (and since it's shared code in a lot of ways, the iOS app) have been around a lot longer. Dating back to just a bit after I started here 8 years ago we started work on 1Password 4 for Mac and iOS.

The Windows app was rebooted completely a few years back and has been playing catch up since.

Feature parity is the ideal, but it isn't something that is going to happen overnight and we're still trying to do a variety of things to make that happen. But without slowing down our Mac team the Windows app will never really reach feature parity. With that in mind I know our Windows team really wants to try to be a lot closer and they're working hard to do it, but we're all sorry it hasn't moved faster than we'd all like.

If you have specific feedback feel free to write into our support and mention me (Kyle) and that your support request be answered by me. Please include a link to this thread just for reference and I'll make sure to look into all of your comments and concerns.

Again, very sorry we haven't met your expectations. Know that our expectations haven't been met either and that we're working hard to try to give everyone what they want on our Windows application.

Kyle

1Password Security Team


Kyle, for what it's worth as a counterpoint, I've grumbled a couple of times about bugs and the 1P team has not come across as defensive at all to me.

Particularly after the nonsense support LastPass gives, it was a pleasant experience, even if my grumbles hold true.

It's not a perfect product by any means but still light years better than LastPass in usability.


Hey, thanks!

We can't be the tool for everyone and we're always the first to recognize bugs exist. Unfortunately we also aren't able to fix them all just like I'm sure most people around here have backlogged bugs in the applications they work on. But we do try to prioritize based on severity and how many people are impacted.

I do appreciate the kind words though. We're not perfect, never will be, but we can sure try our best and I think that's all anyone really wants out of themselves.

If you ever run into issues feel free to reach out as well. Happy to help however I can!

Kyle

1Password Security Team


I switched my entire family to 1Password about a month ago after being on LastPass for several years. Overall, it's been a much better experience. But I have found that the 1Password X extension is quite limiting. There's basic functionality that is either part of the Mac app or has been part of LastPass for years that really slows me down. And, as a new user, it's extremely confusing trying to figure out what extension or app the company is actually wanting people to use.

Overall, I've been quite happy with it and my family has loved it.


When you say, "Service kept getting worse and worse..." it means you contacted them multiple times. Yikes!

I've been using LastPass for 8 years and I've never needed any support, but I only pay for a personal version, not corporate.

I realize that's an anecdote, but what kinds of problems are people having?


LastPass was also acquired by LogMeIn, which is notorious for really bad software (I'm looking at you GoToWhatever). I switched over to 1P two years ago and haven't looked back. I don't trust LastPass/LogMeIn for as far as I can throw.

That being said, having A password manager is better than having none at all.


>but the service just kept getting worse and worse

And more and more expensive. I used it for 8 years, cancelled this year after I noticed it was $45 USD per year (over $50 CAD!). Impossible to justify with so many cheaper or free alternatives.


My version of Lastpass is free.


Had a brief stint with LastPass and hated my life. 1Password is just infinitely better, no contest.


I've never used LastPass, why do people use it (or other password managers) instead of the built in browser password manager?


Every built-in browser password manager I've seen seems to be just a password-protected list of (URL, name, password) tuples. They're the most bare-bones possible implementation.

There's no (non-cloud) syncing, or easy backups. There's no file attachments, or custom fields, or non-website-based accounts. There's no automatic checking for duplicate passwords, or old passwords, or alerts for websites known to have been compromised.

I don't use a web-based password manager like LastPass because I don't really trust it (for either security or reliability), but local password managers are great for storing all kinds of private data. How would I store my driver's license, my storage unit lockbox combo, or my marrow donor registry ID in a web browser?


Until not so long ago, the browsers' password storages provided absolutely zero security. They are better now, but still password managers offer some advantages. For me the most important is the ability to use multiple browsers. But there's other stuff: random password generator, ability to store custom key/value pairs, 2FA, etc.


> provided absolutely zero security.

I've been encrypting my Firefox password store for so many years I can't even remember.

Is that not secure or something?


Yes, actually. https://palant.de/2018/03/10/master-password-in-firefox-or-t...

(Maybe they've fixed this since, I'm not sure. It doesn't seem like security is being taken very seriously in any case.)


Having a password manager on mobile is needed, so I need multi-device support. I was really happy with the password manager support the last iOS included. Password entry and persistence are streamlined.


I use multiple browsers, and store credentials for things other than websites.


Bitwarden is also very good


LP to Bitwarden as well here. The only issue I've found so far is MFA doesn't seem to be working on the (Linux) Firefox plugin, this could be a user error issue as I've not had time to look into it yet (only noticed it this morning).


MFA is working fine for me with Firefox on both Ubuntu and Fedora.


Just had a quick dig; it appears that it will ask for MFA when logging in for the first time or if you log out and then back in, but not when just unlocking the vault, which is a little disappointing but not the end of the world.


Looks good, except I'm surprised by 'pay more to a third company to use MFA' in the enterprise offering. I'd expect MFA to be part of the enterprise offering and not require me to trust another company.


Also switch to Bitwarden. Never had any issues. Open source and free.


I went from LastPass to Bitwarden and really like it also.


Same here. Very happy paying customer as well.


Same. I switched after their thanksgiving 2018 outage and haven't looked back. Just about everything about 1Password is better than LastPass.


Same. I switched to 1Password a few years back after one of the lastpass security issues. I’ve been incredibly happy with the service and quality of software.


1Password is excellent, been using them for years, but don't be surprised if they take a dip in quality in the coming years: a PEG invested a large amount of money in them late last year. Was really upset when I saw that.


> a PEG invested a large amount of money in them late last year.

What is a PEG?


I believe it stands for Private Equity Group.


Which password manager would you say has the brightest future, for someone looking to start using one with no prior experience besides Chrome account sync?


Honestly it doesn't matter that much, it's fairly easy to change.

1password is nice for the polish especially on Mac; Bitwarden is nice to use, open-source, and the free plan is sufficient for most; and KeepassXC is a stable offline solution (that you can sync yourself).


I'm more than a decade in on my 1Pwd journey. Loved it the whole time!


I tried that once but ran into so many errors for passwords that contained characters like ", or ;" that I gave up. Is there a way around this other than copying every entry manually?


Yes, the lastpass exporter has an issue. You can do a search and replace.

Or you can do what I did and when I reach a site that had an issue, I would just look at the password and there would be an obvious parsing error, e.g. "&" is instead "amp&", and would just modify it manually.

Only happened a few times and then all is good.

https://github.com/bitwarden/help/blob/master/_articles/impo...


I did the same switch like 5 years ago, and I remember having to `sed` (i.e. global find + replace) the LastPass output .csv to fix special characters before importing it into 1Password. Sadly I don't remember any more detail than that, but yes, there may be some manual massaging required. YMMV.
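The two problems described in this sub-thread, passwords containing `"`, `,` or `;` tripping the importer, and `&` arriving entity-encoded, are both things a CSV library handles better than a blind `sed`. The added example below is not any commenter's script and not Bitwarden's or LastPass's own tooling: it parses an export with Python's `csv` module (so quoted commas and doubled quotes survive), HTML-unescapes the credential fields, lists the entries that step changed so you can verify them against the real site before trusting the file, and rewrites everything fully quoted for the importer. The `url,username,password,extra,name,grouping,fav` header and the sample rows are constructed; check the header against your own export before running it on real data.

```python
import csv
import html
import io
import re

# Matches HTML entity sequences such as &amp; or &#39; in a field.
ENTITY_RE = re.compile(r"&(#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);")

# Constructed sample in the shape of a LastPass CSV export (header is an
# assumption). Row 2 carries an entity-encoded '&' plus a password that
# contains '"', ',' and ';' (the '"' is doubled, as CSV requires).
SAMPLE_EXPORT = '''url,username,password,extra,name,grouping,fav
https://example.com,alice,plain-pass-1,,Example,Personal,0
https://example.net,bob,"p&amp;ss""w,rd;x",,Example Net,Work,0
'''

CREDENTIAL_FIELDS = ("username", "password")
TEXT_FIELDS = ("username", "password", "extra", "name")


def parse_export(csv_text):
    """Parse with the csv module so quoted separators are handled properly.
    Returns (fieldnames, rows) where each row is a dict."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return reader.fieldnames, list(reader)


def entries_with_entities(rows, fields=CREDENTIAL_FIELDS):
    """Names of entries whose credential fields contain entity-looking text.
    Unescaping will change exactly these; a password that genuinely contains
    '&amp;' would be mangled, so review this list by hand."""
    return [r["name"] for r in rows
            if any(ENTITY_RE.search(r.get(f) or "") for f in fields)]


def clean_rows(rows, fields=TEXT_FIELDS):
    """HTML-unescape the free-text fields, leaving everything else alone."""
    cleaned = []
    for r in rows:
        r = dict(r)
        for f in fields:
            if r.get(f):
                r[f] = html.unescape(r[f])
        cleaned.append(r)
    return cleaned


def write_export(rows, fieldnames):
    """Re-emit with every field quoted so embedded , ; and " are unambiguous."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def normalize_export(csv_text):
    """Full pipeline: parse, unescape, rewrite fully quoted."""
    fieldnames, rows = parse_export(csv_text)
    return write_export(clean_rows(rows), fieldnames)


if __name__ == "__main__":
    _, rows = parse_export(SAMPLE_EXPORT)
    print("review these entries:", entries_with_entities(rows))
    print(normalize_export(SAMPLE_EXPORT))
```

On the sample, the review list is just "Example Net", and the rewritten file carries its password as `"p&ss""w,rd;x"`, which any CSV-aware importer reads back as `p&ss"w,rd;x`. Run it on a real export, work through the review list against the actual sites, then import the normalized file and delete both CSVs once the import is confirmed.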


You can edit the password recipe for websites that suck and don't allow certain characters.


BitWarden


So in response to this story I decided to delete my (premium) account with them. After confirming multiple times (good thing), I was shown this error: https://i.imgur.com/4dpn6d5.png

How does error handling like this even make it to production?

I got an email as well confirming my account deletion and I can no longer log in.

But all in all this clearly does increase my trust in Lastpass's security competence.


I got the same error while deleting my account over a month ago when it was announced that their parent company LogMeIn had been bought by private equity: https://www.zdnet.com/article/logmein-sells-to-private-equit...

So the deletion process has been erroring in that way for at least a month now.


I got that same error when killing off my account after moving to Bitwarden. It really made me laugh as it encapsulated everything wrong with the service in a succinct error message.


Reading this post reminded me of my LP account so I went to delete it and had the exact same experience as you...


Yup, I switched after the company was sold recently. I got that error as well. I moved to 1password


I actually have a bone to pick with them too. I tried canceling my family's accounts recently. Despite two confirmation emails I was still charged. Their site makes it very hard to find support.


If you are looking for an alternative I highly recommend Bitwarden (not affiliated with the company). I switched over from Lastpass around a year and a half ago and am very happy with the service. All of the clients and the server are 100% open source plus you can self host if you want to.


Switched from LastPass to BitWarden over the weekend. I have 1,200+ passwords, and the transition was seamless. I even set up BitWarden on one of my web servers so that I can control my data -- even that took less than 30 minutes, thanks to BitWardenRS docker container.

The only thing I have yet to figure out for BitWarden is how to get a little icon to show up next to user/password fields in forms. I just have to right click and go to BitWarden (FireFox) to get there, which is just slightly more work. Still worth it.

Why would I pay $36/year (LastPass) for something that I can control for free?


With BitWarden FF, you can use Ctrl+Shift+L to auto fill your most recently used account for the current website.

Hope it helps.


If you have Bitwarden in Firefox's toolbar the icon will also display a number indicating the number of available credentials, and clicking the icon to open it and then clicking any of the entries autofills.


Given you use Firefox, have you considered using the built in Sync service and companion Lockwise mobile app:

https://hacks.mozilla.org/2018/11/firefox-sync-privacy/

I seriously considered Bitwarden not so long ago when I was looking for a password manager, and then realized I also need to maintain bookmarks across platforms and devices. Sadly Bitwarden doesn't offer that as a feature.

I'm curious if there is a differentiating feature of Bitwarden over Sync


I'm not the parent comment, but I did consider Lockwise but the inability to store anything else than passwords is a dealbreaker. I have some software license keys and their receipts stored securely, as well as some network accounts that are not web-based.


LastPass is $36/year now!? It used to be $12/year (prior to their acquisition by LogMeIn, which is when I bailed).


Is there an exporter available for BitWarden then? I'm guessing your 1,200 password had a seamless transition because of some tooling the project provides? Is that correct? Cheers.


Not the person you're asking but you can export your passwords to CSV from LastPass and BitWarden can import the CSV. The only issue is that the LastPass export can be a bit sketchy and have a few errors you need to manually fix.


I suppose seamless may have been an oversell. I consider it seamless because BitWarden provides the import functionality for a variety of competitors' exports (XMLs, CSVs, etc), so all I had to do was export my LastPass passwords to my desktop and then import it into BitWarden via the web interface. HTH


BitWarden is one of the few things I pay for even though I don't have to simply because I really want it to keep existing.


Same. And at $10/year, it's not like it's unaffordable. It's probably my 3rd-4th most used piece of software, after win10, firefox, and thunderbird.


I just wish I could donate. I don't need the premium features, and I don't need yet-another-subscription-plan to worry about.


I subscribe to Bitwarden but this is a real issue with a lot of things: subscription overload.

It is especially bad with newspapers where everyone seems to be optimizing only for subscribers, not for sale of individual news items or even single day access.

Consequently I don't buy (except one local and one national one.)

The Guardian seems to be the winner in my case. They accept donations and get $10 for each thing I read there it seems :-]


Yep, I saw this and immediately felt vindicated for the move to BitWarden.

My only fault with it is that it's missing the "icon" in the inputs to click-and-fill as LastPass has, but I believe that's on the BitWarden backlog.

Still, I'd take having to press Cmd+Shift+Y over not being able to see access keys or er... any of my passwords.


If you have a Raspberry Pi lying around, there's a docker image for the excellent bitwarden_rs server available that makes it a snap to get up and running: https://github.com/dani-garcia/bitwarden_rs/wiki/Which-conta...


The cost of electricity and my time is probably more than $10 a year.


I hear "the cost of electricity" thrown out a lot for self running a small service. A Pi uses ~2W. At $0.11/kWh, running that constantly is ~$1.93 a year. Of course electricity rates vary, but I usually find the cost of electricity to be overblown when it comes to compute. Power can be very cheap.

However, I imagine spending an hour of your time is more than that $10 budget.


Yes, my time is worth more than $10/hour.

Also, I've never run a Pi for more than a few years without the SD card failing. Even when logging to a ram disk, something seems to fail eventually, and it is sometimes not found until the unit is rebooted.


Have you looked into alternatives? I'm about to swap out a Pi 3 for something a bit faster and without an SD card, but I'm not sure what. I was thinking NUC but they probably aren't nearly as efficient. Efficiency at idle, more than compute efficiency, is really what I'm seeking.


Running a Pi with a SSD over USB seems to be the best option at the moment. There are other SBCs with m.2 storage options which look neat as well but are obviously not nearly as well supported as the Pi line.


You can make the Pi boot over USB, I do that with more important stuff with a SATA SSD attached over USB.

Of course, I have a backup of the important data as well.


> However, I imagine spending an hour of your time is more than that $10 budget.

I always find this a weird way to judge things. Are people actually spending the time they'd be earning money to set these kinds of things up?


Worse, it's my free time that I value far more than my work time.


Any time they spent is time they could have spent earning money instead. They may not have wanted to earn money with their free time, but did they want to set up a password manager with their free time either? It's not exactly a leisure activity for most users.


Bitwarden is free anyways if you just need username and password stored


The argument for self-hosting Bitwarden is about privacy and security, not cost.


Forgive my ignorance, and possibly laziness, but if the Pi SD card dies do your passwords go with it?


If you care about Pi reliability then don't have the root partition on an sd card.


Yes but for something like this backups (NAS, google drive, even a usb) are a must


I'm 3 years into Bitwarden and have never looked back. I backed the kickstarter that failed some while back, but it seems he/they ended up managing without it. I should probably subscribe even if I don't need the extra features.


I second Bitwarden. I have >130 120-character auto generated passwords stored and can rotate / regenerate my passwords with little hassle. Also love having the self hosting option available.


The "Premium" service offers 2-step login (Yubikey) but is only one account. Is there a "Family Premium" ?


Yes. It's called "Premium Access Addon". They charge an additional $40/year.

More info here - https://blog.bitwarden.com/premium-access-for-families-organ...


Thanks!

After reviewing what you actually get from a family plan, I don't need to share enough credentials to make it worth the cost. I opted for a premium plan instead so that I can make use of yubikeys.


There is. If you plan on sharing some credentials with only one more person, you can make an "organization" for free and put some credentials in there. My Netflix account is in there for my wife, so if I decide to rotate the password she'll have access to it.

There's also some other stuff like our Wifi password, etc so that she doesn't have to write it down.


Both the teams and enterprise options also allow you to share any credentials within an organization/team, though the default for any new credential is no sharing. I assume that's exactly how the family plan works as well?


I switched from LastPass to Bitwarden after LastPass started trying very hard to use the same password for every website I tried to generate one for.

Bitwarden sync can sometimes be a little slow but on the whole I am very pleased with it and would highly recommend it.


I really like the idea of Bitwarden but haven't used it yet. I think it will probably eventually be my go-to recommendation in this space, having fought with some of the other non-foss offerings.


Doesn't it worry you that Bitwarden is essentially maintained by one person [0]?

What if that person gets run over tomorrow and nobody knows the password for the AWS account. Imagine how long it'll take for somebody to get around the huge code base on their own.

[0] https://github.com/bitwarden/server/graphs/contributors


You could easily export your passwords if needed and leave bitwarden in that case.

Now I think there is a scenario where the maintainer gets bussed and bitwarden later goes down after some months resulting in lost passwords.


I keep an offline, encrypted backup of my Bitwarden data in a safe place. If something happens I can quickly spin up a bitwarden-rs instance, or go back to KeePass.


Also check out this Bitwarden-compatible server written in Rust[0]. I've been using it for 2 years now and had exactly 0 problems with it.

[0] https://github.com/dani-garcia/bitwarden_rs


It's also much cheaper than LastPass. I was going to convert over to BitWarden the last time I was up to renew LastPass but that means I also have to retrain my family on how to use it. I'm gunning for sometime in the next year though.


I continue to use `pass` [0].

Luckily I'm technically minded, so it's not too hard to manage my GPG keys or manage syncing the git repo every now and then.

What it lacks in swish UI and automagically-configured browser extensions it gives in configurability, privacy, control over data, and freedom.

[0]: https://www.passwordstore.org/


For Firefox there is https://addons.mozilla.org/en-US/firefox/addon/passff/ which I'm quite happy with.

When combined with a yubikey set to decrypt only on touch this setup has a very low attack surface compared to other browser password managers.


This used to be my approach, but it prevented grepping through my password store (you have to touch the yubikey to decrypt each password separately)

I since switched to a separate on-device key for "low value" passwords and keep the interesting stuff (e-mail pwds) under the yubikey protected key (which does require touch).

Did you find a better solution?


No. But I don't have a need for mass access so the basic case works fine for me. I keep a backup key on a separate yubikey that does not require touch for key maintenance.

Apparently there is a new "cached" option for the touch settings "Touch is cached for 15s after use (valid from 4.3)." Which would work for your use case but also neglect some/most? of the security advantages.


Yup... also very happy with pass, with the addition of ansible's passwordstore plugin, qtpass, dpass and various other pass-addons. All my passwords are gpg-encrypted and versioned in git.


I love pass on GNU/Linux but occasionally have to use OS X for a particular sponsor. The brew impl of pass using zsh does not seem to be autocompleting. I believe I have installed the correct autocompletions and mucked with .zshrc (.zshenv does not seem to be respected on OS X).

Any recommendations for OS X? Is it worth building from source and/or getting it working outside of brew?


I had the same issue at some point. I now have autocomplete working on my pass with .zshrc

From memory I think autocomplete worked for pass once I started using antigen.

I have the following plugins in my .zshrc:

    plugins=( zsh-syntax-highlighting git iterm2 dotenv osx zsh-autosuggestions )

and also run antigen with user bundles for zsh-autosuggestions zsh-syntax-highlighting zsh-completions

Some magic somewhere in the above provided autocomplete for me with pass.

I hope it helps.


I really want pass or something like it, but the two times I've tried, I got stuck trying to figure out the gpg part. I suppose I should go and learn that properly anyways, since in spite of its UX it's still an extremely widely used and powerful tool, but it's a lot higher barrier to entry compared to "type in password, unlock vault".


The gist of it is that you need a keypair (a public and private key), which GPG can generate for you.

Then whenever you insert something into the `pass` database (which is just a directory tree full of encrypted plaintext files) the tool uses the public key to encrypt the password (or anything else):

    pass generate --no-symbols shopping/ebay 16

Later, when you want to read a password, you ask pass to decrypt the file using the private key from your keypair:

    pass shopping/ebay

The difficulty is really all in managing the keys, which can be quite a faff to set up and then manage. If you're only using gpg for `pass`, IMO it's easiest to copy the keypair (which gpg generated) to all your other machines.

A quick web search brought up a gist [0] which shows how to quickly get up and running on a single machine.

If you want to use it on another laptop/desktop/*nix-like machine you'll need to export both your public and private gpg keys and then import them on the other machine. When using a phone you have to do something similar. The Android clients were fairly straightforward, but Pass for iOS had a very, very clunky way of getting the keys across. Regardless, it boils down to this: get the gpg keypair on all of the devices and then get them all using the same git repo for pass.

[0]: https://gist.github.com/flbuddymooreiv/a4f24da7e0c3552942ff


Thank you:) That gist does look like what I need; I'll have to try it out!


I would recommend Keepass. There are a variety of clients available for lots of platforms.


I'm currently using keepassx(c), actually:) That's mostly a good system for me, but I'm hitting some issues, mostly around syncing; syncthing is great, but it kinda sucks at taking care of conflicts, which pass (git) very much should manage nicely.


With the dmenu wrapper (passmenu) or something similar for rofi there is almost no need for a browser extension.


I assume this approach doesn't auto-fill forms?


Pass changed my life. I cannot recommend it highly enough!


On a side note, am I the only person that doesn't like The Register writing style, especially the headings? Yeah, irony and fun all that you want, but it ends up looking like a gossip/tabloid magazine.


It is very “British” with wit, puns, long running silly gags, in-jokes, smart headlines, sarcasm, and self-deprecating jokes.

However, The Register is usually technically correct and regularly breaks important news (good journalism). Minor technical (or grammatical) errors will be lambasted in comments.

Essentially, the style meshes well with its target readership, and they are very happy that anyone that doesn't like the style auto-excludes themselves from the readership/community.


Didn't mean to question the story quality, but even given the British humour, I still don't like The Register style.


"Biting the hand that feeds IT"


>The Register write style, especially the headings

Basically all mainstream journalism coming out of the UK is garbage (FT & economist excluded I guess). Even the BBC has been showing some partisan leanings lately


With that sort of bar, pretty much all journalism would be classed as “garbage”, UK or not. Which might well be true, I’m just saying it’s hardly a British phenomenon.


Not at all the only person.


Why one shouldn't use cloud-based services. I'm sticking to keepass. (I'm syncing the keepass file over a cloud, but I still have a local copy on all my devices against cases like these)


I'm sorry, what is your justification for not using cloud-based services?

Lastpass (like pretty much all of these online password managers) will work offline, so if the service goes down, you can still access your data locally.


Not the OP and personally less radically against cloud-based services... But storing something as critical as passwords with a SAAS company which is obviously going to be target of attack and may or may not have the engineering resources to provide a reliable quality of service... seems like a bad idea.

Google(Drive) at least I trust to have the engineering resources to keep data secure, perhaps not from government secret services but at least random hackers


They don't really store your passwords, just an encrypted blob that's openable with your master password (more accurately, a key that is derived from it using an expensive operation so that brute-forcing is unfeasible.)

You do need to trust them enough that they will never sniff your master password (AFAIK even the web vault is local only) but eg. the command-line client is open source, so you can at least verify their protocol.

That said, I might switch to bitwarden at some point purely because it can be self-hosted.
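The point made above, that a sync server holds only a blob which is useless without a key derived from the master password, as an added illustration. This is not LastPass's, Bitwarden's or any vendor's code: it uses a stdlib-only construction (PBKDF2 for the slow derivation, an HMAC counter-mode keystream with encrypt-then-MAC) chosen so it runs anywhere, and the iteration count and sample vault contents are constructed for the example.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed cost parameter for this illustration; a real product tunes its own.
DEFAULT_ITERATIONS = 200_000


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted derivation: every guess at the master password costs an
    attacker `iterations` HMAC computations, which is what makes offline
    brute force of a leaked blob expensive."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Split the derived key into independent encryption and MAC keys.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode used as a keystream (illustrative stream cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password: str, entries: dict,
               iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Produce the blob a sync server would store: salt, nonce, cost,
    ciphertext and tag. Nothing in it is usable without the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Encrypt-then-MAC over everything the server could tamper with.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "iterations": iterations,
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password: str, blob: dict) -> Optional[dict]:
    """Client-side decryption. Returns None (never partial plaintext) when the
    password is wrong or the blob was modified in transit or at rest."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ciphertext"]), bytes.fromhex(blob["tag"])
    key = derive_key(master_password, salt, blob["iterations"])
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


def blob_contains_plaintext(blob: dict, secret: str) -> bool:
    """What the server can see: a stored secret must not be recoverable by
    inspecting the blob."""
    return secret.encode("utf-8").hex() in blob["ciphertext"]


if __name__ == "__main__":
    vault = {"ebay": "constructed-example-password"}   # constructed sample entry
    blob = seal_vault("correct horse battery staple", vault, iterations=50_000)
    print("server sees plaintext:", blob_contains_plaintext(blob, vault["ebay"]))
    print("right password:", open_vault("correct horse battery staple", blob))
    print("wrong password:", open_vault("hunter2", blob))
```

The thing to notice is that the master password never leaves the client: the server stores salt, cost and ciphertext, and a wrong password or a modified blob fails the tag check before any plaintext is produced. The residual trust the comment mentions is in the client code itself, which is why an open-source client matters.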


I just don't want to store my passwords in exactly the same way everyone else does. I'm not a high value target, so my threat model is a 3rd party getting screwed / screwing us. Just a little bit of customization should be enough to throw off whatever tools attackers will build to mass harvest.


It depends on what plan you are on. Afaik, the enterprise plans have key escrow and an option to recover your account if you forgot your password.


I've been wondering why people keep saying this. Do they not understand how password managers work??? LastPass and 1Password both work offline, the cloud is just for sync. Oy.


does 1pass have a desktop client?


For passwords, fully agree. This is how I make incremental backups of my keepass database (synced via Google Drive) so I accidentally bork a login in the file, I can go back to a previous version... https://gist.github.com/harryf/d23a1ceda84806a099782558fc317...


I had been on keepass for years. My wife never liked it. Last month, I switched to self-hosted bitwarden, hosted on digital ocean with automatic snapshots. The experience is so much better. Easy password management on multiple devices and now my wife actively uses it. Highly recommend.


A big part of why I use a password manager is so I can easily share passwords between devices and with my wife. While you can do this with a local service, it's a PITA.

All the downsides of online services are mitigated by:

1) Keeping a local backup of your passwords

2) Using a service which only stores encrypted vaults which are decrypted on your device with a locally stored password.


Same, I encrypt my KeePass into VeraCrypt container and sync with dropbox, seems fairly secure to me for my use case.


Some alternatives:

  * https://keepass.info/
  * https://bitwarden.com/
  * https://1password.com/


I evaluated a bunch of team password managers last year.

Lastpass was really buggy and had a confusing UI. Dashlane also had odd limitations.

1password had a good UI but the "master key" system is difficult for users to use. It was also more expensive.

I ended up recommending Bitwarden. Surprisingly the open source option had a great UI and great clients, with the bonus of being open source on both ends.


> 1password had a good UI but the "master key" system is difficult for users to use. It was also more expensive.

Unsurprising, and at the same time it makes 1password's security scheme much more bulletproof.

You need that piece of information to identify the client, and even 1password doesn't have it, which means that when inevitably one of these cloud services gets attacked with success, it will less likely be them. Plus they can't see your stuff, that's a plus.

Security is not free.


It’s surprising to me that the “master key” system on 1Password proved difficult for your users. For me, this is one of the simplest things about it: you remember one password that unlocks everything else.

Am I talking about the same thing as you when I call this password the “master key”? I feel like I must be as this is flat-out the thing that makes 1Password easy to use.


There are four bits of information you need with 1Password teams:

1. The team address <team>.1password.com

2. Your login name (email usually)

3. Your 'secret key'

4. Your 'master password'

I suspect GP is talking about item #3 being the point of confusion.


Ah, that might be it - I was talking as an individual user rather than imagining a team deployment.


They are talking about the "Secret Key" that is used in addition to your "Master Password." It was previously called an "Account Key."

https://support.1password.com/secret-key-security/


I think I may have read your review (did you make an article online?) and I'm now happily using Bitwarden. I just signed up for premium, not because I want the features, but because I want to support what they're doing.


Which enterprise password managers did you evaluate? Did you get a chance to take a look at SAASPASS? Is there a link to it? And what were your evaluation criteria?


I'd recommend the more modern-looking and cross-platform-by-design KeePassXC over the original KeePass.

https://keepassxc.org/


Keepass is very difficult to use in an automated way and the open-source clients are buggy. I had to search for hours for an ancient Perl script which amazingly works with both 1.x and 2.x Keepass databases (still the only library I've found that does so), then write a custom app to convert the output into something else.


I help maintain a library called pykeepass which you might be interested in.


Yeah they'll never go down. Why don't these systems support local storage as well? Is there greater security risk in syncing to a local device?

Edit: I do not mean browser localStorage


My understanding of LastPass (I am a user) is that you _do_ in fact have offline access to your vault. Your Master Password is also the encryption key. Did I miss something?


I was a paid user of LastPass for about a decade. I don't mind a subscription-based model, especially if there's cloud-syncing involved (I've evaluated the amount of risk I'm comfortable with, and cloud syncing is fine for my use case). Part of the benefit for a paid account is the ability to access your passwords when there's a network outage.

However, in the year before I left LP, they went down three times, at most for about 4 hours. Each time, I could not access my local vault, not through the browser extension, not through the Android app, and certainly not through the website; no matter what I did, it was nothing but errors, and their support was useless. It just would not work. That was enough to spook me and get me off their service.

I was complacent, thinking that no matter what, I could always see my vault, regardless of network status, until it actually hit the fan. I'm currently with 1Password, which is quite slick (their change on 2FA is what actually got me to give them a try), but I've killed network access to my devices and was able to access my vaults.

Just in case, though, I have KeePassXC as well. You never know.


1Password does support local storage, cloud is used for syncing to local storage so obviously in case of an outage you wouldn’t be able to sync updates. But you would be able to access and modify locally and then it would push when things came back online.


It also lets you sync via alternative services like Dropbox/Mega.


Keepass does support storing the database file locally. It is the default way it works.


A local-only storage solution with your own syncing is by far the best way. Also, storing low security passwords (eg Netflix) in chrome / iOS keychain seems like a pretty safe trade off to me.


I'm still having issues convincing friends/family that the initial friction of a password manager and replacing all of your reused passwords is worth it at all.

Security is a battle of convenience, and we still haven't struck gold for the layman to have decent enough security hygiene.


Bitwarden is open source for both its clients and its server. I haven't tried it but it appears you can set it up for yourself at home and not use their cloud.


Bitwarden can be hosted locally.


+1 for Bitwarden


LP has a history of problems, but my company forces us to use that crappy product. I've complained about it for years. I use keepassx for personal, 1password for work, and lastpass for anything that I need to share with coworkers. I always wondered who got the kickback from LP.


>LP has a history of problems, but my company forces us to use that crappy product.

I've been using them the better part of a decade, I've never had an issue and find calling it a 'crappy product' to be shocking.

What sort of issues have you had?


LastPass is riddled with problems, and the quality has dropped precipitously since their acquisition by LogMeIn. For a sampling of their problems I suggest searching this site for their name.

https://hn.algolia.com/?q=lastpass


I’ve used them for a long time. I noticed zero change in the service.


Ok man if it works for you then keep on keeping on. I have chosen to leave the service due to a huge drop in reliability and several major security and service incidents.


Before I switched to another password manager, LP has:

- constantly managed to lose newly generated passwords

- consistently failed to register new passwords with the Safari extension

- failed to autofill credentials on many websites

I had used LP for years, but these problems never went away despite these being a failure of core functionality. After I finally switched to an alternative password manager, I was pleasantly surprised at how well everything seemed to work in addition to a much nicer UI.

In LP's defense, it's great that they offer such an important service for free, but I'd really prefer my password manager to be of higher quality.


LastPass' UI is so clunky, confusing and underperformant that storing passwords securely is the path of least resistance for end users. I dread using it daily at the office.


Been using LastPass for years. Couldn't imagine living without it, with the gazillion of passwords we have to handle. There's other services of course, but I've never felt compelled to leave. But I'd much prefer to not have to deal with any passwords at all in any service.


KeePass/KeePassXC on each device. Complex keyfile manually copied to each device (never in the cloud). Password database protected by the keyfile and a memorable complex password stored in your cloud folder of choice synced to your devices. You now have a free, open source, secure, cloud synced password service.

For additional security, you can manually copy the database between devices as well. Or keep a separate manually copied database with your most secure logins.


OK but can you tell my 80 year-old mom how to do this?


You can set it up for a non-techie and then just let it do its thing. I've set this up for a few people who don't have a clue what a key file is.


Wait, are they saying that the clients don't store a local copy? Or that the local copy is inaccessible without the servers working?? That seems incredibly irresponsible and I can't imagine a single reason for doing that.

Or is there something else going on that corrupted the users' local copies? If the system is properly secure (i.e. data is encrypted and verifiable with the user's password-derived key) this shouldn't be possible, right?


I switched to Bitwarden after certain grievances with LastPass which I don't even recall what they were now.


The final straw for me was LastPass being very late on going WebExtension for Firefox. Not having a working password manager was not an option and the move to Bitwarden was very smooth.


Security breaches?


keepassxc [0] (just a simple encrypted password file) + syncthing [1] (copies that file to all your devices) has been working pretty well for me on Linux/Android. I believe there's still no syncthing client for iOS unfortunately.

[0] https://keepassxc.org/

[1] https://syncthing.net/


This will probably get buried, but this story had me shudder at the possibility of being locked out of my 1password vault in a similar scenario. In case anyone is in the same boat:

* My airplane-mode test passed both on my mobile device and browser (1password X).

* The team is aware of the situation with LP and wrote a very thoughtful response: https://discussions.agilebits.com/discussion/comment/544136/...

* From the response above, 1password is SOC2 certified, so availability is taken very seriously.


I never see the app I am currently using for my password manager on HN password manager threads so I will recommend it now.

I have been using Safeincloud https://www.safe-in-cloud.com/en/ for I feel like forever. The dev is quick to add new features, like autofill on android, and windows hello on windows.

It's a one time payment on android and IOS, Desktop apps are free.

I know that 1password is prob better and more secure, but I can't afford the monthly rate.


Not actually related to the article, but the headline makes me think of the "Muddy Puddle Test" for crypto, which goes like this:

1) Drop your device(s) into a muddy puddle (destroying them).

2) Slip in said puddle so you hit your head. On waking up you're absolutely fine, but are entirely incapable of remembering your passwords or encryption keys.

3) Can you get your cloud data back?

If you can, then it's not actually secure.


This is what paper keys stored in a secure location are for.


What about biometrics?


Biometrics are good for usernames but not passwords. It's much harder for someone to get something out of your head than cutting off your thumb, and as playeren says, it's impossible to change it.

http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm


Don't use biometrics for anything but convenience type features. You can't change your fingerprint if bad actors get a hold of it.


Given the possibility of software failure, would it be wise to use multiple password managers? I have the feeling this is a .45 vs 9mm question that doesn't have a real answer. More software exposes risk of data being exposed vs redundancy. I do not use software managers. I use a password protected spreadsheet (100 passwords). I hope they are safely encrypted.


A second PW manager? Not necessary. An offline backup? Great idea. Most PW managers allow you to export in some way, shape or form. Doing so and encrypting said file is a great idea, but also something that's hard enough to do for most people that I don't have a good solution.


Excellent points.


I like Enpass (enpass.io):

- non-subscription version available

- multi-platform (iOS, Android, macOS, Linux, Windows)

- offline access (local DB)

- sync via non-Enpass servers (eg use dropbox, google drive, iCloud, box etc)

- actively maintained

I have been using for ~3 years on a revolving door of devices and have never experienced any issues - just works.

(Not affiliated in any way with Enpass)


Mobile free version limited to 25 items. That's not really free for 99% of people.


Not even a mention of Password Safe?

https://en.wikipedia.org/wiki/Password_Safe

It's what I've been using for Windows-running non-savvy relatives for decades.


I have been using and paying LastPass since it launched with no serious issues and a few minor ones.

The Register article gives no indication as to the number of users having trouble with the current issue.

My single issue with LastPass is that they don't offer an APK download option separate from the Google Play store, so my slow and steady migration will require, at some point, migrating to a different password manager.

I made a trouble ticket regarding this issue and they informed me they have no plans to offer a separately downloadable APK.


I feel like there have been enough incidents with LastPass that no one should be using them. Am I biased due to reporting, or is it the case that they can't be trusted?


I've been using them the better part of a decade, I've never had a single issue and am quite surprised to see so many people complaining about them/mentioning issues in this thread.


As an alternative, lately I've been using Passfindr. It's web-based but they have an offline solution so that, as long as you have made a backup, this kind of crap won't shut you down. It will read out of the backup file through the browser. And I use it for a lot more than passwords. I pretty much use it for any kind of access. Works well.


SAASPASS personal password manager and Authenticator works offline (with cloud syncing options). You can also use it for teams or companies (online and offline options set by admin) and it is by default protected by 2FA.

www.saaspass.com

(I work for an IAM SI/consultancy and we use and implement SAASPASS for IAM needs including enterprise password management, 2FA, directory services and SAML-based single sign-on).


What’s the best (translation: easiest) password manager for non-technical users with Windows and iOS devices? I’m trying to find a good solution to help protect the accounts of my older parents. I use a legacy non-subscription 1Password version for myself so I’m not up to date about the subscription model or product changes of recent versions.


I moved myself and the whole family to the often-mentioned Bitwarden 3 years ago. It's been fantastic.


My recommended alternative to LastPass: Bitwarden at https://github.com/bitwarden/server

The ability to host it yourself is a big kudo to me, then we are no longer constrained by LastPass like this case here.


Based on this news, I just looked around and discovered that LastPass has a way to export a CSV file of all the passwords in plaintext. I just did that and have a PGP'd archive of my passwords stored locally. Not a bad thing to do with any password manager.


I think I did this once with one password service and was surprised that they don't even send a warning email to inform me that that just happened... very scary.


Am I the only one using Google's own password manager? Ideology aside I can't think of someone with more engineering resources to prevent hiccups and breaches. Are there any benefits of other pw managers I'm missing out on?


What is unclear is if it was an application bug or server bug. In the first case it is not so bad. Since you can downgrade. In the second case it may be disturbing that LastPass requires server connection at all...


Yeah I will never trust a third party password system. Writing down on paper works great. For most unimportant accounts use oauth or make up a random password and forget it - if you need it again reset the password.


I'm sorry but that is just ridiculous and time prohibitive.


You can use a manager that stores an encrypted database locally and prints it out for backup.

Is this generally considered to be not viable?


An alternative to avoid electronic systems entirely: https://www.tindie.com/stores/russtopia/


One of the best things I've done in my personal software life recently is getting off LastPass. The only other piece of software I have seen decay in quality so rapidly and markedly is PocketCasts.


Ugh, they ruined PocketCasts when they bought it and did that major 'update'. Fortunately I found Podcast Republic the day mine updated and haven't looked back.


Another open-source, open-pgp based password manager worth mentioning is https://www.passbolt.com/


I'd rather be locked out for a while, than to have my passwords stored unencrypted. I've been using LastPass as a paid user for about 5 years.


I've migrated to Bitwarden. LastPass has been lacking in quality for a while and this outage was the last straw.


I was just thinking, it may be a good idea for me to print out my vital passwords and put them in my safe....


A lot of people here are saying this is why you shouldn't trust cloud services for password management. And I agree. I use Keepass myself, however, that is not a viable solution for most of my family and friends. They need something dead simple, which is what cloud services like LastPass, Bitwarden etc. offer. I think the LastPass user interface is horrible, though...


I'm shocked to see a post of such low quality on hacker news. It reads like an instagram post or twitter replies. I'm not familiar with "theregister.co.uk" but I honestly think it's the lowest quality article I've ever seen on this website


> I'm not familiar with "theregister.co.uk"

Then you're not qualified to be discussing software or the tech industry, frankly.


Or we're in an era where that sneering prototype for clickbait blogs is being rightly consigned to the dustbin of history.

When faced with a link to an article on The Register, searching for the source it's been copied from is a good first step.


I never go out of my way to look for their articles, but their shtick is mildly amusing and they seem like an institution. As long as they are at least a bit different from the rest of the tech press, something would be lost if they went away.


You seem toxic with this completely unnecessary gatekeeping attempt. I bet working with you is a joy. Let me put it to you this way, if your concept of competency in this industry is driven by knowledge of tabloids and not actually skill and talent in engineering, then I'm willing to bet you lack the latter two and rely on the former to fake it.


Does anyone here use LessPass? I've been using it for a while now and am very happy. No storage needed. One master password to generate reproducible passwords based on the site's domain.
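The stateless scheme the comment describes, as an added example that is not LessPass's own code or algorithm: a master password and the site's domain are fed through a slow KDF and the output is rendered into a password, so nothing needs to be stored. The KDF parameters, the salt layout and the rendering step are this example's assumptions, not the real product's; a `counter` is included because, with no stored state, bumping it is the only way to rotate one site's password without changing the master.

```python
import hashlib

# Character set the derived password is rendered into (assumed, not LessPass's).
CHARSET = ("abcdefghijklmnopqrstuvwxyz"
           "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "0123456789!#$%&*+-=?@_")
ITERATIONS = 100_000  # assumed PBKDF2 work factor


def derive_password(master: str, site: str, login: str,
                    counter: int = 1, length: int = 20) -> str:
    """Deterministically derive a site password from the master secret.

    The salt binds the output to (site, login, counter), so one master
    password yields unrelated outputs per site, and the same inputs always
    reproduce the same password on any device.
    """
    salt = f"{site}\x00{login}\x00{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              ITERATIONS, dklen=64)
    # Treat the 512-bit key as one big integer and peel off base-len(CHARSET)
    # digits; this avoids the modulo bias a per-byte "% len(CHARSET)" would add.
    n = int.from_bytes(key, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(CHARSET))
        out.append(CHARSET[idx])
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    print(derive_password("correct horse battery staple", "example.com", "alice"))
    # Rotating a single site's password means changing the counter, not the master.
    print(derive_password("correct horse battery staple", "example.com", "alice", counter=2))
```

The trade-off to keep in mind: the master password is the single secret behind every site, and per-site policy exceptions (length limits, banned characters, the current counter) still have to be remembered somewhere, since the scheme itself stores nothing.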


Longing for the day that passwords become obsolete.


Let's put our passwords on a remote server which convinces us they're secure. How did we even get here that such information leaves our control?


In theory they can offer more security than you get when you just store a keepass file on a server. Things like temporarily blocking access when GeoIP information for the client changes, or when a lot of secrets are accessed in bulk. The keepass file, you only lose once and the attacker has years (or up to your next rotation) to crack it.
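The two server-side signals the comment names (a client's country changing, and many secrets being read in a short burst), as an added detection example run over constructed vault-access log lines; the log format, thresholds and alert wording are this example's assumptions, not any product's.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log: "<timestamp> <user> <country> <action> <item>".
SAMPLE_LOG = """\
2020-03-01T10:00:00 alice DE read mail
2020-03-01T10:05:00 alice DE read bank
2020-03-01T10:06:00 alice US read bank
2020-03-01T10:06:01 alice US read mail
2020-03-01T10:06:02 alice US read shop
2020-03-01T10:06:03 alice US read vpn
2020-03-01T10:06:04 alice US read github
2020-03-01T10:30:00 bob FR read mail
2020-03-01T11:00:00 bob FR read bank
"""

BULK_THRESHOLD = 5               # reads per user within BULK_WINDOW
BULK_WINDOW = timedelta(minutes=1)


def parse(log_text):
    for line in log_text.strip().splitlines():
        ts, user, country, action, item = line.split()
        yield datetime.fromisoformat(ts), user, country, action, item


def detect(log_text):
    """Return (timestamp, user, reason) alerts for geo changes and bulk reads."""
    alerts = []
    last_country = {}
    recent = defaultdict(deque)   # per-user timestamps inside the window
    bulk_flagged = set()          # users already alerted for the current burst
    for ts, user, country, action, item in parse(log_text):
        if user in last_country and last_country[user] != country:
            alerts.append((ts, user, f"geo change {last_country[user]}->{country}"))
        last_country[user] = country
        if action != "read":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > BULK_WINDOW:
            q.popleft()           # drop reads that fell out of the window
        if len(q) >= BULK_THRESHOLD:
            if user not in bulk_flagged:   # alert once per burst, not per read
                alerts.append((ts, user, f"bulk read: {len(q)} items in {BULK_WINDOW}"))
                bulk_flagged.add(user)
        else:
            bulk_flagged.discard(user)
    return alerts
```

A real service would act on these by pausing vault access and requiring re-authentication; the point the comment makes is that a static file on a server gives you no such hook once it has been copied.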


Most people access services from more than one device and are not capable of rolling, managing, and securing their own synchronized password database. That's how.

It's not the best option, of course, but certainly better than weak and reused passwords, right?


Is convenience more important than security? That's what you're saying here.


Before using a password manager: I'm using short, memorable (often repeated) passwords that are rarely, if ever, changed.

After using a password manager: I'm using long (generally 64 characters), unique passwords, and if one is compromised, it's a 30s job to change it on all of my devices.

Convenience _enables_ security. I could probably roll my syncing solution, but I would _not_ be convinced it is secure (I don't have that level of expertise), and I would probably end up using a third party anyway (Dropbox/Digital Ocean). I'm not going to sync it manually to the 6 or so devices I regularly use, plus others I use less frequently (it may be more secure, but it's not practical). Because it's low friction, I end up using it more, so it's a _net_ gain in security, even if it isn't perfect.


Convenience is security.


No. I'm saying that the vast majority of people are not capable of doing this, and that it's a better option than weak passwords.


Keepass - choose your own way of syncing, can never go down, works without the internet etc etc.

Cloud services...lol


I’ll never forget when I was issued a new computer at a new job with LastPass installed. It kept popping up a modal dialog (modal to the entire browser) with some inscrutable network error message. I never even bothered trying to use it after that.


The reactionary nature of the typical HN poster is on full display here.

LastPass had a bug that affected a small percentage of users. They identified and fixed the bug within several days. What more do you want?

Is there really a competing product out there that guarantees NO BUGS? So, then, why the extreme nod to #CancelCulture for what appeared to be just a temporary issue?


Probably because of the way they handled it (or didn't for a few days, as was the case here). Just guessing.


They've been circling the toilet for a while now. Quality matters.

