[HN Gopher] LastPass appears to be holding users' passwords hostage
___________________________________________________________________
LastPass appears to be holding users' passwords hostage
Author : tytso
Score : 311 points
Date : 2022-01-11 18:03 UTC (4 hours ago)
(HTM) web link (alternativeto.net)
(TXT) w3m dump (alternativeto.net)
| acheron wrote:
| The export works fine, I just did it about a week ago.
|
| Lies, on Reddit? Shocked pikachu face.
| johnmarcus wrote:
| LastPass has become garbage since it was purchased by LogMeIn (or
| whatever parent garbage company owns them these days). I can't
| comprehend why anyone would use them.
|
| I can only personally recommend Bitwarden instead - it's open
| source and can never decrypt your passwords on prem. Browser
| plugin, mobile app, enterprise versions, etc. It has it all, and
| hasn't been a cunt to its users from day 1.
|
| Also, unlike LastPass, they haven't been hacked multiple times. I
| cannot comprehend why anyone trusts them with their passwords -
| the company I work for included I'm afraid.
| JackMcMack wrote:
| Root cause of this issue: export is only possible from the
| desktop browser plugin, but lastpass locks free users to either
| desktop or mobile. If your account is locked to mobile, you can't
| export your passwords.
|
| I have another related issue: it is not possible to export your
| TOTP seeds from lastpass authenticator.
|
| I contacted the lastpass/logmein dpo, which (in my case at least)
| got forwarded to their generic support-by-email. They were slow
| to respond, and eventually claimed they could not export my one
| time passwords because they are encrypted. This is obviously
| false, they can decrypt the data just fine (I actually switched
| to a new phone, authenticator data got synced as you would
| expect). And other apps such as Google Authenticator allow you to
| export your data.
|
| I filed a gdpr complaint with my national Data Protection
| Authority, which after a long response time got accepted, and is
| now forwarded to the Irish DPA.
|
| If you want to assert your rights, contact Lastpass/Logmein at
| privacy@logmein.com or via their support page [0] (from their
| privacy page [1]), and demand access to your data. If they
| refuse, or do not respond within 30 days, file a complaint with
| your DPA [2], with proof that you requested your data but got
| denied.
|
| [0] https://support.logmeininc.com/contactus
|
| [1]
| https://www.logmein.com/nl/legal/privacy/international#right...
|
| [2] https://edpb.europa.eu/about-edpb/about-edpb/members_en
| zerof1l wrote:
| That's why I never used LastPass and never will. KeePass ftw!
| zucked wrote:
| This is going to turn into a thread full of recommendations for
| PW managers before long, so here's my plug for Bitwarden.
| mfer wrote:
| The last time I checked, Bitwarden would fill a password into
| an iframe even if the iframe is for a different domain than the
| parent. This came up in one of their security audits and
| changing it was argued against.
|
| This has security implications and what cautioned me against
| it.
|
| Other password managers don't do this and look at iframe
| domains before filling them in.
|
| Am I missing something?
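As an added illustration of the "look at iframe domains before filling" policy the comment contrasts Bitwarden's behaviour with (example code written here, not Bitwarden's or any other manager's implementation; the tiny suffix list and the function names are assumptions):

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny public-suffix list for this illustration; a
# real extension would ship the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}


def registrable_domain(host):
    """Return the eTLD+1 ("site") for a hostname, or None if the host is itself
    a public suffix. Unknown suffixes fall back to the whole host."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels)


def should_autofill(top_url, frame_url, credential_url):
    """Decide whether a saved credential may be filled into a form living in
    an iframe. Returns (allowed, reason). Policy: top-level page and frame must
    both be HTTPS, the frame must be same-site with the top-level page, and the
    credential must belong to that site. A cross-site frame is refused even if
    the frame's own URL matches the credential."""
    top, frame, cred = (urlsplit(u) for u in (top_url, frame_url, credential_url))
    if top.scheme != "https" or frame.scheme != "https":
        return False, "refuse: top page and frame must both be https"
    sites = [registrable_domain(p.hostname or "") for p in (top, frame, cred)]
    top_site, frame_site, cred_site = sites
    if not all(sites):
        return False, "refuse: could not determine the site for a URL"
    if frame_site != top_site:
        return False, "refuse: cross-site frame (%s inside %s)" % (frame_site, top_site)
    if cred_site != top_site:
        return False, "refuse: credential belongs to %s, page is %s" % (cred_site, top_site)
    return True, "allow: same-site frame on %s" % top_site


if __name__ == "__main__":
    # Constructed cases: same-site frame, a bank login framed by an unrelated
    # site, and an http frame on an https page.
    for case in [
        ("https://accounts.example.com/login", "https://auth.example.com/form", "https://example.com/"),
        ("https://news.example.net/article", "https://login.bank.co.uk/", "https://bank.co.uk/"),
        ("https://shop.example.org/", "http://shop.example.org/pay", "https://shop.example.org/"),
    ]:
        print(should_autofill(*case))
```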
| kiwijamo wrote:
| Can you give an example of a well known site that does this?
| Curious to try this out for myself.
| ScoutOrgo wrote:
| Do you have experience with it working on Android? It seems
| LastPass is only semi-reliable with how Android allows
| autofilling fields in.
| khimaros wrote:
| i especially recommend vaultwarden, the community-developed
| self-hosted backend.
| bentcorner wrote:
| I use Keepass + Onedrive sync (Windows + Android). It's been
| working well for many many years and I see no reason to switch.
|
| If I had to recommend a pw manager to someone I'd probably
| suggest they just save them in-browser, and use the same
| browser (Chrome/FF/Edge) across all their devices. Chrome has a
| pretty good password suggestion feature. Other browsers are
| probably not far behind.
| otachack wrote:
| Same, though I use Resilio Sync instead. Can also use
| SyncThing.
| nicoburns wrote:
| Doesn't Chrome store passwords in plain text? Also, a proper
| password manager has the advantage of working outside of the
| browser on Android/iOS.
| ceph_ wrote:
| They did at one point but not anymore. But either way any
| password filling is as secure as plaintext since it's
| pasted as plaintext, and you can just edit the DOM after
| it's filled.
| bentcorner wrote:
| As the sibling comment states, it's not stored as plain
| text.
|
| You're right that external storage lets you use it
| elsewhere, but IMO using keepass has a lot of friction I
| personally don't mind but wouldn't initially recommend to
| most people. Browser password storage fills 99% of most
| people's needs.
| nicoburns wrote:
| Bitwarden is good for this. I use the browser extensions
| on desktop and the apps on mobile. It's my go-to
| recommendation.
| ukyrgf wrote:
| I switched. Bitwarden just seems easier to use. Every time I
| install Keepass on a new computer I have to spend 15 minutes
| remembering where all the options are to configure it.
| Bitwarden feels more like a vault of information while
| Keepass seems like you gotta fight it to be anything other
| than URL-username-password.
|
| To be honest though I'm still not 100% moved over, and may
| never be. I doubt I'll need to transfer the login to the
| public library from a town I lived in 10 years ago.
| at-fates-hands wrote:
| Came here to say the same thing. Been using Keepass for years
| without any issue and won't switch. I started using it quite
| a while ago after someone on here recommended it and haven't
| looked back since.
| somewhat_drunk wrote:
| LinuxBender wrote:
| Something that I believe should be added to this thread would
| be utilities that can take the LastPass export and transform it
| into structures that other pw managers can easily recognize and
| import.
|
| Here [1] is an example of migrating passwords from LastPass to
| KeePassXC. Does anyone have more examples like this for other
| pw managers?
|
| [1] - https://blog.paranoidpenguin.net/2018/12/migrating-from-last...
| jamespwilliams wrote:
| When I migrated from Lastpass to Bitwarden, I was able to
| import the Lastpass export without any transformation needed,
| if I recall correctly.
| ravar wrote:
| I use pass. The provided password manager in linux. passmenu
| provides a great workflow for inputting the passwords.
| encryptluks2 wrote:
| I really like how pass saves passwords as a gpg file, so when
| you sync with a cloud provider you can see specifically what
| passwords are being synced. When you store everything as a
| single database file, not only does sync not show you
| differences, but you have to resync the entire DB file each
| time you change something.
| gspr wrote:
| Pass, the piece of software that, per line of code it
| possesses, has improved my digital life more than any other.
| A true gem!
| torstenvl wrote:
| KeePass and pass use fully open database formats. (I like
| MacPass, KeePassHTTP Connector, and Keepassium.) Enpass uses a
| well-documented database format based on SQLCipher/SQLite
| (albeit not fully open, you have to piece it together from the
| white paper and forum posts). They are all local-first, so you
| _own_ your password information.
|
| I have no reason to believe BitWarden _would_ try to hold my
| passwords hostage. But I prefer the solution where they _can't_.
| jabbany wrote:
| Gonna put a vote in for KeepassXC (and in general the Keepass
| family of local-first PW managers).
|
| You get full control over how to handle multi-device
| synchronization because it doesn't attempt to do this at all...
| turblety wrote:
| > If this is true, they are in major violation of Article 20 of
| the GDPR.
|
| I honestly have no idea how the GDPR got implemented. A true
| policy that actually benefits the citizens of Europe, in a world
| where most policies are to screw over everyone but the rich.
| zucked wrote:
| Here's a hint: non-compliance is basically a finger wag,
| perhaps a slap on the wrist in the most extreme case.
| lb1lf wrote:
| -Well, Amazon got a EUR750M ($850M) slap on their wrist,
| which while not sufficient to put them out of business surely
| must have hurt someone's feelings (not to mention their
| bonuses...)
| lixtra wrote:
| Look at the examples yourself, to form an opinion:
| https://www.enforcementtracker.com/
| efitz wrote:
| When LastPass was acquired a few years back, I saw the writing on
| the wall and changed to 1Password. Thank goodness I dodged this
| bullet.
| cassac wrote:
| 1Password is moving in a direction just as bad. A few months
| ago they took away features for legacy single paid users and
| started hiding them behind the monthly paywall.
| petarb wrote:
| Just curious, what were some of those features?
| prdonahue wrote:
| The newest version removed the ability to use a local repo
| (on iCloud, etc.) and they force you to use their monthly
| cloud service vs. buying outright.
|
| See here for more details:
| https://news.ycombinator.com/item?id=28145247.
| l30n4da5 wrote:
| I moved to Bitwarden. Solid choice, as well.
| halfmatthalfcat wrote:
| I moved to 1PW after the _first_ LastPass leak, was the best
| decision I ever made.
| jwineinger wrote:
| I switched after the ~thanksgiving multi-day outage a few
| years ago. I've been happy with that decision as well
| TAForObvReasons wrote:
| 1Password is another proprietary SaaS password manager. You
| "dodged this bullet" but shouldn't you also be concerned that
| 1P will do the same thing in the future?
| Xylakant wrote:
| 1password explicitly say what happens if your subscription
| lapses; your account will be frozen and placed in a read only
| state: https://support.1password.com/frozen-account/
|
| Now, the question is "why would I trust this?" to which I
| answer: I trust them to safeguard my passwords.
| Qub3d wrote:
| > Now, the question is "why would I trust this?" to which I
| answer: I trust them to safeguard my passwords.
|
| Isn't that tautological?
|
| I trust 1Password more than LastPass simply because you
| _must_ pay for it. Freemium upsells are a dark pattern, and
| the temptation to monetize data on free users is much
| greater than paid.
| TAForObvReasons wrote:
| > I trust 1Password more than LastPass simply because you
| _must_ pay for it
|
| The ultimate problem with this whole logic is that you
| trust that other individuals and companies are not
| tempted to "double-dip" by monetizing data on paying
| users. A comment in the reddit thread referenced in the
| article summarizes the problem neatly:
|
| > These SaaS cloud services are completely unregulated
| and answer to no one except their own profits. They can
| and will hold your data hostage the moment they think
| they can do so profitably on a large scale. It doesn't
| matter whether you're paying for the service or not.
|
| https://old.reddit.com/r/software/comments/s053t3/lastpass_i...
| Closi wrote:
| > The ultimate problem with this whole logic is that you
| trust that other individuals and companies are not
| tempted to "double-dip" by monetizing data on paying
| users. A comment in the reddit thread referenced in the
| article summarizes the problem neatly:
|
| I don't think the logic is wholly broken - there will be
| a lower incentive for paid companies who can generate a
| profit with subscription fees to "double-dip" than there
| is for free companies to "single-dip" (who need to dip to
| survive).
|
| It's all about relative risk between those two models -
| if company A has a business model that can work _without_
| doing shady shit, and company B has a business model that
| can _only work if_ they do shady shit, then company B
| will be more likely to do shady shit in reality.
| specialp wrote:
| There is nothing wrong with a proprietary SaaS password
| manager if: 1. You can export all of your data easily 2. They
| cannot see your data (E2E encryption with you holding the
| key)
|
| You get the benefits of people making money off this service
| and thus keeping up to date clients and plugins. If it
| becomes bad you dump your data and go somewhere else.
| the_snooze wrote:
| I quite like the fact that 1PW has a very simple business
| proposition: I give them money, and they safeguard my
| passwords. And if I don't like their service, I can easily
| export my stuff and not renew my subscription. There are no
| growth hacks involved.
| bcrosby95 wrote:
| My #1 priority is a manager that my family can easily figure
| out how to use it. The alternative is easily hackable
| passwords.
| smoldesu wrote:
| Which is easier to use: LastPass or
| CorrectHorseBatteryStaple?
| otherme123 wrote:
| This happened to me: I forgot a password (site was
| Thomson Reuters, so not a tiny company we-dont-know-
| better), and requested a restore via email. They mailed me
| the password in plain text: "Your password is
| CorrectHorseBatteryStaple, you can change it at
| url.com/change".
|
| So imagine you use CorrectHorse, and some site stores
| passwords in plain text or weakly hashed, and then the DB
| is compromised (if they do the storage badly, chances are
| the DB is also weak), and boom, a cracker has your email,
| password, and the name of your first pet.
|
| But if I use KeePass, I don't care if my password leaks
| from that site or the other, or if they store in plain
| text. That password is only used in one site.
| kingnothing wrote:
| LastPass, unless you're able to memorize 200 different
| unique, complex passwords. Using a password "scheme" per
| site (like CorrectHorseBatteryStapleHN,
| CorrectHorseBatteryStapleReddit) is not safe.
| mttjj wrote:
| A password manager. As much as I like
| CorrectHorseBatteryStaple, it would be impossible to use
| on every account I have (hundreds). I use CHBS for the
| few (5 at most) accounts that I log into all day, every
| day. Everything else gets a long, random string of
| garbage and stored in my password manager.
| admax88qqq wrote:
| LastPass
|
| Cause most services still require arcane rules like "must
| have a number, an upper and lowercase letter, and 2
| symbols but not on Thursdays"
| mrtranscendence wrote:
| I use the CorrectHorseBatteryStaple format, but with a
| short string of digits/symbols at the end to satisfy
| picky rules. This generally seems to work. But since I
| use a different password for every website I don't see
| how I could _not_ use a password manager of some sort ...
| making passwords easier to type and remember doesn't
| mean I'm _going_ to remember them all.
| function_seven wrote:
| LastPass (or password managers in general).
|
| CorrectHorseBatteryStaple will fail for a lot of sites.
| It doesn't have special characters, it's too long, it
| doesn't have numbers, it contains dictionary words, etc.
|
| And you still have to remember the unique phrase you
| chose for each site. If you have a couple dozen logins,
| can you remember 24 different phrases? What about when a
| site forces you to change your password?
| [deleted]
| mplewis wrote:
| > When LastPass was acquired
|
| Maybe, if someone acquires 1Password?
| InGoodFaith wrote:
| The company vision can change even without acquisition.
|
| Having an open source and self-hostable alternative (that
| also has a SaaS equivalent if you so choose) seems to be
| the more prudent choice.
| joconde wrote:
| 1Password on desktop stores items in a standard SQLite
| database, in an open format:
| https://support.1password.com/1password-security/#transparen...
|
| They also store regular copies of your vault in a backup
| folder. If Satan buys them and they try to lock you out, just
| decrypt your backups and move somewhere else.
| mrtranscendence wrote:
| My girlfriend has been using 1Password for years without any
| issue, so I think it must be a decent service, at least in her
| book. The built-in password management on iOS and macOS has
| been good enough for me, though.
| mijoharas wrote:
| Doing the same was on my TODO list for a long time, and I just
| migrated a couple of weeks ago. Very glad I finally got around
| to it!
| stelonix wrote:
| I don't know, maybe I'm old-fashioned, but I never used and never
| will use a password manager. I can't think of a reason to let a
| business know all my passwords while also making it my single
| point of failure.
| nvarsj wrote:
| It's just terribly insecure. Humans are really bad at making
| unique passwords. I have around 500 unique passwords in my
| password manager. No way I could do that manually.
| tomjakubowski wrote:
| How do you manage your credentials then? Before using a
| password manager, the best thing I could manage was variations
| on a similar password. But sites with arcane password
| requirements tend to break this.
|
| I was _really_ disappointed when 1password dropped support for
| Dropbox sync and pushed everyone onto their storage. I'm
| uncomfortable, like you, with the truly single point of failure
| this way: I would much rather diffuse the storage and master
| credentials to separate parties.
| stelonix wrote:
| I do like you said, small variations. Things get difficult
| once there are bizarre requirements, but then I just login by
| "forgot my password". Another commenter replied (s)he has
| over 400 credentials; I don't think I have even 100 let alone
| 400 logins.
| wintermutestwin wrote:
| >I don't think I have even 100 let alone 400 logins.
|
| And the real question is: how many of these logins require
| max level of security?
| dahart wrote:
| Why is that the real question? The advantage of a
| password manager is you can default to max security with
| no more effort than poor security. Many of my accounts
| have changed over time, it's not uncommon to add payment
| to a trial account, or for personal information to
| accumulate. There are plenty of good reasons to always
| use maximum security in order to lower your risk and
| prevent future accidents.
| satysin wrote:
| > let a business know all my passwords
|
| You don't. Password managers like Bitwarden are basically cloud
| storage for an encrypted blob that happens to contain your
| passwords wrapped up with a nice UI/UX and handle all the
| syncing for you between your devices. They don't "know" your
| passwords. They sync that blob and then all encryption and
| decryption is done on your device.
|
| Not to mention with Bitwarden you can run _your own_ server if
| you are comfortable doing so and don't want to rely on their
| servers.
|
| > making it my single point of failure
|
| So maintain backups of your encrypted vault. Also Bitwarden
| (which is what I use) doesn't require an internet connection to
| unlock your vault so even if you're stuck somewhere with no net
| access you can still access all your data. Export it, etc. It
| is 100% offline for use, internet connection is only needed to
| sync the encrypted blob.
|
| ---
|
| IMHO the benefits of a good password manager with nicely
| integrated password management, history, generation, MFA, etc.
| far outweigh the drawbacks of your account being hacked.
|
| I have over 300 logins in my password manager.
|
| I only have to remember a few actually important passwords in
| my brain which makes life exponentially easier when logging in
| to so many different services each day.
| dahart wrote:
| Fwiw, most good password managers don't necessarily let the
| business know your passwords, the passwords are encrypted
| before transport, and the business has no access to your data.
| All decryption can be client side only. You pay for storage and
| hosting of encrypted data, i.e., access from anywhere, and
| browser+mobile apps.
|
| This means losing the master password is dangerous, so some
| people still choose to allow a host-side override where the
| business has some access, in order to enable account recovery
| in the case of a lost password.
| [deleted]
| ifyoubuildit wrote:
| I feel that way about online password managers, but an offline
| open source password manager is a huge quality of life (not to
| mention security) improvement when all of your accounts have
| different passwords. I'd highly recommend giving it a shot.
| ww520 wrote:
| Use one that stores locally and never shares the data with
| anyone.
| rcoveson wrote:
| What's your alternative? If it's just memorizing a huge set of
| passwords plus the ability to add to that set whenever you
| need, that's awesome.
|
| But if you're doing what most people do instead of a password
| manager, which is just re-use two or three passwords for
| everything, then you don't just have a single point of failure.
| You have dozens of points of failure. You're not letting "a
| business" know all your passwords, you're letting _many_
| businesses know your password, singular.
|
| Also, password managers don't only come from "businesses". I
| use pass[0], which just gpg encrypts passwords in a git repo.
| If you're willing to set up sshd, git, and gpg on your devices,
| you can use pass.
|
| That said I still recommend that people coming from the "old
| way" use something like 1Password or LastPass if self-hosted is
| not for them. I share your distaste for giving the keys to the
| kingdom to a single business, but it's better than the
| alternative. I trust LastPass more than I trust the weakest
| member among a random set of other businesses.
|
| 0. https://www.passwordstore.org/
| jiveturkey wrote:
| I'm afraid you don't understand how password managers work
| then. You do not reveal your passwords to LastPass, and used
| properly it is not a SPOF.
|
| That said, the model is generally broken and LastPass is near
| the bottom of the heap.
| selfhoster11 wrote:
| You don't need to let a business know anything. Run your own
| self-hosted instance via a dedicated server or WebDAV, or use
| the password database totally offline. SaaS is not the only
| option here (and IMO, I wouldn't even consider using a password
| manager unless I could do so without involving any other
| companies).
| the_snooze wrote:
| The reality is that it's unreasonable to expect users to
| maintain passwords that are both unique and memorable. My
| password manager tells me I have over 400 credentials saved.
| There's no way I can keep track of that in my head.
|
| To solve this, you can drop either one of the "memorability" or
| "uniqueness" requirements. Most people naturally drop
| "uniqueness" and reuse the same passwords everywhere. Or you can
| use a password manager and drop the "memorability" requirement.
| It's safer and more usable to do the latter. Even writing it
| down in a physical notebook is an improvement over reusing the
| same password.
| zqfm wrote:
| I highly recommend keepass + syncthing. Avoid some third party
| having access to your password store while keeping it backed up
| wherever you need it to be.
| jrm4 wrote:
| Thank you.
|
| If you or they are not technically inclined, write them down on
| a piece of paper, stored safely.
|
| If you are, encrypt a file or volume on your computer and use
| that.
|
| I've done and advised this forever and each little story like
| this leaves me convinced that these ways, while not perfect,
| definitely beat _all_ the others.
| otherme123 wrote:
| Keepass does that, and is a password manager. Put the
| encrypted db in some path tracked by Dropbox or similar, and
| you have a fine setup.
| connicpu wrote:
| I'll never use a centralized one like that. I use a password
| manager that keeps my vault file locally and is synchronized
| through any cloud storage provider of my choice. I chose
| OneDrive, but if I was more insistent on absolute privacy it
| could also synchronize to a WebDAV server I set up myself.
| navjack27 wrote:
| That's what I do. KeePass vault. Google drive and onedrive
| sync. Local. Works on all my devices. Simple
| wintermutestwin wrote:
| >while also making it my single point of failure
|
| This is my concern as well. The whole idea of my passwords
| being in a black box that is tied to my hardware seems like a
| recipe for disaster if I am traveling and my hardware gets
| stolen, lost or destroyed.
|
| (maybe there is something that I am failing to understand, but
| I've watched several videos that attempt to explain how a PW
| manager works and I've not found an answer)
| joconde wrote:
| In 1Password:
|
| - the master key derives from 1. your password, and 2. a
| long, random key that you type manually on each new device
| (so you can't brute-force the password just from the server's
| data, and you can't decrypt the data just from your hard
| drive without the master password),
|
| - none of these keys ever leave your devices (encryption and
| decryption happen client-side),
|
| - the key is deleted from RAM, locking the vault, if you're
| inactive for too long.
|
| That makes some attacks hard. It will be defeated if malware
| can get 1. your secret key and 2. your master password. But
| in that case, your login cookies and what you type in login
| forms are vulnerable too, so there isn't much difference.
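To make the two-secret design described in the comment above concrete, here is an added illustrative example in Python (written for this page, not 1Password's code, and not its real KDF choices, salts or iteration counts; the `Vault` and `wordlist_trial` names are assumptions). It derives the vault key from a master password plus a device-held random secret key, keeps the key in memory only while unlocked, and checks that server-side data alone does not expose a weak password:

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this illustration only (not 1Password's).
PBKDF2_ITERATIONS = 50_000
KEY_LEN = 32
SECRET_KEY_LEN = 16  # 128 bits of device-side entropy


def generate_secret_key():
    """The long random key typed once into each new device."""
    return secrets.token_bytes(SECRET_KEY_LEN)


def hkdf_sha256(ikm, salt, info, length=KEY_LEN):
    """Minimal HKDF (RFC 5869 extract-and-expand) over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(master_password, secret_key, salt):
    """Two-secret derivation: a slow KDF over the human password and a fast
    KDF over the high-entropy secret key, XORed so that both are required.
    Without the secret key, the password-guess space is multiplied by 2^128."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, PBKDF2_ITERATIONS, KEY_LEN)
    sk_part = hkdf_sha256(secret_key, salt, b"secret-key")
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(vault_key):
    """What a server may store next to the salt: a check value bound to the
    vault key, never the password or the secret key themselves."""
    return hmac.new(vault_key, b"vault-key-verifier", hashlib.sha256).digest()


class Vault:
    """Holds the derived key in memory only while unlocked."""

    def __init__(self, salt, verifier):
        self.salt = salt
        self.verifier = verifier
        self._key = None

    def unlock(self, master_password, secret_key):
        candidate = derive_vault_key(master_password, secret_key, self.salt)
        if not hmac.compare_digest(make_verifier(candidate), self.verifier):
            return False
        self._key = candidate
        return True

    def lock(self):
        """Inactivity timeout: drop the key so the vault is closed again."""
        self._key = None

    @property
    def is_unlocked(self):
        return self._key is not None


def wordlist_trial(vault, candidates, secret_key):
    """Evaluate the design: with the server's salt and verifier and a given
    secret key, does a wordlist expose a weak master password? Returns the
    matching password or None; the vault is left locked either way."""
    for pw in candidates:
        if vault.unlock(pw, secret_key):
            vault.lock()
            return pw
    return None


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    device_key = generate_secret_key()
    vault = Vault(salt, make_verifier(derive_vault_key("hunter2", device_key, salt)))
    weak_list = ["password", "hunter2", "letmein"]  # constructed wordlist
    # Server-side data only (secret key unknown): the weak password stays hidden.
    print(wordlist_trial(vault, weak_list, secrets.token_bytes(SECRET_KEY_LEN)))
    # Malware holding both factors: the weak password is found at once.
    print(wordlist_trial(vault, weak_list, device_key))
```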
| anm89 wrote:
| So happy I jumped ship to a different password manager and got
| away from this dumpster fire
| pleonasticity wrote:
| I just tried exporting my LastPass database without any issue.
| pmlnr wrote:
| Keepassxc + syncthing. Password managers are too important to
| rely on someone else's computer.
| staticassertion wrote:
| I just exported all of my passwords using only the extension.
| gruez wrote:
| The reddit post specifically mentions this
|
| >- Only making the export function available via the desktop
| browser plugin, despite locking people's accounts to either
| Desktop or Mobile after 3 switches between these platforms.
| staticassertion wrote:
| Oh, I misunderstood that statement. The browser extension
| works perfectly fine on my computer, which is not what I
| would call a "desktop browser plugin", especially for
| software that at one point actually _did_ have a desktop
| browser plugin but, afaik, does not anymore.
| wiether wrote:
| When they were acquired by LogMeIn a few years ago, the thread on
| HN about it was recommending switching to Bitwarden. Which I did.
| In a few weeks, I'll have to pay $10 to renew it. Meanwhile,
| since December we have those kind of worrying news from LastPass
| which is almost 4 times more expensive than Bitwarden.
| laurent92 wrote:
| The only thing important about a password manager is the amount
| of the bug bounty. In economic theory, it should be higher than
| the assets you protect with the password manager.
| SV_BubbleTime wrote:
| I wanted to use BW. Even had a talk with their lead engineer
| and CEO about switching my company over. Seems like a good
| product but at least two years ago their commercial offering
| was abysmal, basically no way to run a managed system with user
| accounts for their personal things and work entries that I
| could control or deploy.
|
| Lastpass Enterprise has issues, but it does allow the above.
| GekkePrutser wrote:
| As an employee I would definitely not like to mix my personal
| things in my work password manager :)
|
| However for those who are so inclined I can see the value.
| SV_BubbleTime wrote:
| No, that was the point. I want accounts for personal that I
| can access or reset, and I want a work account I can.
|
| Lastpass does this and allows you to link them for your
| visibility, not mine. So users get a single login in the
| morning or whatever and they can do whatever they like.
| It's a convenience that helps our less security minded
| users still have good habits.
| mkdirp wrote:
| > _basically no way to run a managed system with user
| accounts for their personal things and work entries that I
| could control or deploy._
|
| Could you elaborate on this?
|
| I'm not an enterprise user, however, as a happy commercial
| Bitwarden user, I was annoyed that the company I worked for
| moved to LastPass relatively recently. I'd love to know what
| may have made them choose LP over Bitwarden.
| Macha wrote:
| Lastpass lets you (possibly with a large enough enterprise
| account?) give free personal accounts to your employees,
| separate to their business accounts, that the employees can
| link with the business accounts. This gives the employees a
| single interface to access their business and personal
| passwords, while giving the company a business account it
| can see stats (but not passwords) of, and terminate to cut
| off access to without locking a user out of their personal
| passwords (the personal account gets downgraded to a free
| account).
|
| Personally I don't use that as I have bitwarden set up for
| my personal accounts and would rather trust that.
| SV_BubbleTime wrote:
| See the post above this one. Lastpass allows me to deploy
| enterprise, then you can link personal that I can't
| access. The user gets a single sign on to work and
| personal. It's nice.
|
| There was something else that BW wasn't interested in doing
| for enterprise. I think that came down to recovery. They
| weren't willing to trade some security feature on
| commercial accounts for a required IT feature. I wish it
| would have worked out with them, I'd switch from LP in a
| second if they solved those issues.
|
| They were very upfront to me that their focus was consumer
| first.
| boringg wrote:
| What about 1Password?
| SV_BubbleTime wrote:
| I don't want the hate for it, but I really hated my demo
| with it. I wish I could remember why! All I remember is
| that I couldn't do basic enterprise level things I
| expected. It may have come down to linking personal
| accounts or recovery or cloud. Sorry, don't really
| remember. I think it just rubbed me the wrong way.
| u2077 wrote:
| Any subscription based password manager is holding your passwords
| hostage. Not sure why this is news.
| Havoc wrote:
| One more to add: Not only do they limit switching between phone
| and desktop, if you request desktop site on a phone you get a css
| render salad.
|
| Got mine exported during the recent scare without too much pain.
|
| But yeah - going to move away from Lastpass. Everything about
| them seems to be going sour fast
| dahart wrote:
| > If this is true, they are in major violation of Article 20 of
| the GDPR.
|
| Is this reasonable, or trying to whip up resentment based on
| speculation? It partly feels questionable because the author is a
| US resident, and the company is a US company - of course that's
| no reason not to discuss/comply with GDPR - but paired with the
| lack of specifics and the explicit speculation with words like
| "appears" and "likely knowingly" that have no accompanying proof,
| it feels like more hit piece than valid legal concerns.
|
| There may be real, valid, and large reasons to have resentments
| here, I have no opinion on that. But LastPass doesn't necessarily
| "have" everyone's passwords, because many are encrypted and
| LastPass can't decrypt them.
|
| Does article 20 really apply to data encrypted such that the
| company has no access? That seems unlikely. Article 20 might
| require that LastPass export someone's user profile and credit
| card information, but it was not designed as way for people to
| demand UI features they want or force companies to offer service
| for free, right?
| the8472 wrote:
| If they're storing the encrypted data on your behalf then they
| should be able to provide that, plus instructions how to
| decrypt it.
| dahart wrote:
| Sure, but are they truly compelled by EU law to do this for
| people in the EU, to export encrypted data? GDPR applies to
| PII, and encrypted data the company can't access is not
| personally identifiable information, and the company doesn't
| necessarily "have" the unencrypted data. It seems like Article
| 20 does not automatically apply here. (This all aside from
| the question of whether GDPR applies to Americans using
| American services.)
| komadori wrote:
| The problem I had with LastPass is that if you have any billing
| problem then you're immediately kicked down to the free tier
| with all the problems that entails, including loss of access to
| regular support. Worse, they had a bug that prevented me
| upgrading back to premium with new payment details. The special
| contact form for billing support was non-obvious and they were
| not especially prompt or helpful. I've since migrated to
| BitWarden. No problem exporting, thank goodness, but it wouldn't
| have surprised me!
| hcurtiss wrote:
| I recently exported to Microsoft Authenticator/Edge without any
| trouble at all.
| AlexandrB wrote:
| Neither a bug nor an intentional ploy would surprise me. When I
| last used LastPass (2018) the web UI was quite buggy and
| difficult to use. Since then they have been acquired[1] by a PE
| firm and are about to be spun off again[2] as an independent
| company. Heaven knows who's steering the ship over there.
|
| [1] https://www.ghacks.net/2019/12/18/logmein-lastpass-to-be-
| acq...
|
| [2] https://www.theverge.com/2021/12/14/22833319/lastpass-
| indepe...
| OptionX wrote:
| Glad I dropped them as soon as they made the change to limit the
| number of connected clients behind a paywall. Changed to
| bitwarden. Same functionality (at least for my uses) free and
| with the option of you spinning up your own server for your
| personal use (versus the cloud option).
| 4ec0755f5522 wrote:
| I use Firefox / Safari built-in password management. I do not
| know how secure they are but no issues in 10+ years and I
| certainly have access to all passwords in my keychain/account.
| Not locked behind some corporate service. They are saved locally.
|
| Both easily generate long random passwords, etc.
|
| For me this is a solved problem (until Firefox's service is
| hacked, of course) to the point that my real pain point is
| remembering the random strings I use for "security question"
| answers. For that I use a KeePass database. But I wish FF/Safari
| would see the need and add security questions fields to their
| management.
|
| No way am I giving real information for those. Why yes my
| mother's maiden name is cd559b1085b94b2dad32bb9e458e2422 so sorry
| to hear it was leaked, SONY.
|
| https://en.wikipedia.org/wiki/2011_PlayStation_Network_outag...
| qvrjuec wrote:
| I use a password manager(Bitwarden) to:
|
| 1. avoid vendor lockin (if I want to switch browsers I can, or
| switch from iOS to Android)
|
| 2. enable portability, with passwords not just being available
| locally requiring manual migration to other devices
|
| Do you have problems/qualms with the above just using browser
| password managers?
| daveidol wrote:
| Isn't this difficult to manage passwords in apps other than a
| browser though? Plus, I use 1Password to store other sensitive
| data like SSN etc.
| bwat48 wrote:
| not really, on desktop I can just go to firefox menu |
| passwords and search/view/copy any of my saved passwords
|
| on android, firefox can autofill passwords in any app
| lini wrote:
| I had issues exporting my LastPass database to a CSV file a
| couple of weeks ago from a browser (no plugin installed). They
| seemed to render the CSV data inside a <pre> tag in an HTML page
| (I have no CSV browser plugin installed). I had to copy the text
| manually from the HTML source and paste/import it in another
| password manager.
| SavantIdiot wrote:
| I've been paying for one license of LastPass to use on multiple
| computers and phones since 2012. Never any problems. What the
| heck are y'all doing with it that makes it so unreliable for you?
|
| The only problem I have is that my iPhone 7 doesn't always detect
| my USB-C YubiKey NFC, but I think that's a YubiKey or iPhone
| problem.
| rodmena wrote:
| I don't understand why people should use LastPass while this
| robust, multiplatform and totally free "BitWarden" is
| available. Marketing power.
| staticassertion wrote:
| LastPass has been around for a very long time. I'm still using
| it because I haven't had much reason to migrate and I installed
| it probably a decade or more ago.
| jscohn85 wrote:
| Here is my reason, at least:
| https://community.bitwarden.com/t/custom-fields-and-automati...
| Qub3d wrote:
| They have added custom fields at some point, because my AWS
| is autofilling the account ID with one:
| https://i.imgur.com/Ark4XH9.png
| isoskeles wrote:
| Lack of information. LastPass was also relatively decent
| software for a while. I only stopped using it two years ago,
| but also noticed at the time that they have significant
| marketing efforts compared to the competition.
|
| It seems like LastPass is angling to become the AOL of password
| managers, and by that I mean they want a bunch of old customers
| who never bother to switch to something better.
| misnome wrote:
| I switched to BitWarden when they dropped the subscription
| requirement for mobile, continued charging for my subscription
| for over a year and then announced they'd start charging again.
|
| It's... fine, but many areas of integration with browser and on
| iOS are significantly less polished and pleasant to use. Things
| like credit cards are entirely manual on iOS. It's definitely a
| worse experience on the convenience side.
|
| That, and even though it's relatively easy to migrate, it's
| even easier to not spend the effort reworking your workflows
| and ways you use password tools.
| camtarn wrote:
| > it's even easier to not spend the effort reworking your
| workflows and ways you use password tools.
|
| Yeah, this. I've been using LastPass since 2012 - four years
| before BitWarden even existed. BitWarden actually looks
| excellent and I'm tempted to switch, but the easiest thing is
| just to not do anything.
| barreira wrote:
| Although I understand your point from a psychological point
| of view, in my experience switching from LP to BW was an
| easy task. You can create a temporary CSV to export your
| Lastpass vault and import it in Bitwarden. It takes 2
| minutes maybe. The rest is just switching which app you use
| to fetch your passwords.
|
| Although that was prior to the shenanigans this post's
| article talks about.
| nacs wrote:
| I thought it would be time consuming too but it's literally
| just 1 minute to sign up for an account, export from
| Lastpass and a 2 click import into Bitwarden.
|
| It transferred EVERYTHING -- passwords, notes, credit cards
| etc. It's super easy.
| elric wrote:
| I have quite a few gripes with Bitwarden, but I've never used
| LastPass so don't take this as a comparison.
|
| 1. Their auditing ("Event Logs") feature is unusable. It refers
| to items by some magical identifier which does not correspond
| to the name in the vault, e.g. "Viewed password for item
| ebabefac".
|
| 2. Payments by anything other than Credit Card are a mess,
| which is a serious pain if you have a lot of users. It took us
| weeks and many support interactions to get something as trivial
| as a bank transfer sorted.
|
| 3. It's still (!) lacking a feature to actually send people
| passwords ... as in sysadmin creates some account for a user,
| presses a magical button in BW, and it ends up in the user's
| vault (or maybe they get a message and are asked to import it,
| whatever). BW recommends you use the "Send" feature, which is
| basically a glorified pastebin.
|
| 4. The UX is .... not great. Organization vs Personal
| Collection view is confusing. Every time we onboard a new user
| we get questions about how they should store personal
| passwords.
|
| It works well enough, but I don't think the enterprise plan is
| worth the 60/user/year price tag.
| creshal wrote:
| > 1. Their auditing ("Event Logs") feature is unusable. It
| refers to items by some magical identifier which does not
| correspond to the name in the vault, e.g. "Viewed password
| for item ebabefac".
|
| Names and all other identifiers can be changed freely, so
| Bitwarden refers to passwords by their unchangeable UUID, so
| you can keep track of an entry across any such changes.
|
| What bitwarden lacks is an easy way to search for passwords
| by UUID, but that's a rather minor UX improvement.
|
| > It's still (!) lacking a feature to actually send people
| passwords ...
|
| Yeah, that surprised me as well. Back in 2014 or so we added
| magic password://uuid links to our internal password
| management tool, you can just send people the link, and when
| they clicked it, it opened that particular password, as long
| as they had access. I would've expected the competition to
| have picked up on it ages ago, but c'est la vie.
|
| For exchanging passwords with external users, Send is
| reasonable enough IMO.
|
| > The UX is .... not great.
|
| Agreed. But given that everything else is solid and open
| source, I'll take it over any competitors, or continuing
| maintenance of our own tool, which quickly gets a whole lot
| more expensive...
| Qub3d wrote:
| I wonder, if you are self-hosted, have you tried the rust
| implementation? https://github.com/dani-garcia/vaultwarden
|
| It may have better auditing (though I confess I just pay for
| hosted so I can't say for sure).
| creshal wrote:
| It has no auditing capability at all currently, cf.
| https://github.com/dani-garcia/vaultwarden/issues/246
| teej wrote:
| "Totally free" is not a benefit. I want a transactional
| relationship with a company that will compel them to help me
| when things go wrong.
| blakesley wrote:
| Previous commenter should have said "freemium" instead
| GekkePrutser wrote:
| You have the option of paying for BitWarden if you prefer :)
|
| But everyone that I know that uses it, hosts their own anyway
| (I don't agree with Moxie's thing of "people don't want to
| host their own servers and never will - clearly not true for
| some people). But that was beside the point anyway, open
| server design means you can choose _who_ runs your server for
| you.
| Cort3z wrote:
| They have compelling premium plans fairly cheap. In my
| opinion it's a more trustworthy relationship because their
| software is open source and is fairly straight forward to
| host yourself if they start misbehaving. No such option on
| most alternatives.
| Closi wrote:
| Try 1Password - Great app and I can vouch that they help you
| when things go wrong (because things went wrong for me and
| they went above and beyond to help).
| mpalczewski wrote:
| You can also grab a raspberry pi and self host.
| leokennis wrote:
| At any rate there is no reason to use LastPass. There must be
| tens of password managers all geared towards a different kind
| of user and all better than LastPass.
| alfiedotwtf wrote:
| vi ~/.passwords.txt
|
| ... problem solved
| tiku wrote:
| I was removed from a team account, after that I could no longer
| access my account until the company reinstated me temporarily.
| Very weird behavior because it was a private account first.
| alar44 wrote:
| If you used the same email account I think that's expected
| behavior.
| jmrm wrote:
| Watch out! Another LastPass "bug" happens when you export
| your accounts.
|
| I have exported all my accounts via the web interface, and the
| three times I've done that it exported a truncated CSV file with
| about 30 lines, while printing the whole file content in the web
| page you access. That means the CSV you downloaded probably is
| not complete and you have to copy some lines from the web.
|
| I was lucky to investigate a weird warning, about some missing
| fields in the last row, that SQLite gave me after importing all
| the accounts to a database.
| jrockway wrote:
| I did this a few months ago and didn't run into that problem. I
| basically did a "make before break" migration. I kept LastPass
| available for several months after importing the database into
| 1Password, while using 1Password day to day. I never needed to
| refer to LastPass, so I finally unsubscribed and deleted my
| account.
|
| I have read some others on HN describe stories where it didn't
| go so well. Private Notes not exported (I saw this on HN before
| I cancelled, but mine all came over), incomplete exports (I got
| everything), etc.
|
| But yeah... do be careful and give yourself a grace period.
| gilbetron wrote:
| As a LastPass user, I'm getting a bit nervous. I've looked
| through various other threads on suggestions, but, since it is
| inevitable - what do people recommend and why? I'd prefer only
| answers from people that have been using their solution for at
| least a couple of years, and even better, people that have been
| using theirs for even longer and through multiple iterations of
| "weird things happened to password manager X" cycles :)
| coderintherye wrote:
| BitWarden. Have been using for 3+ years now (Prior used
| LastPass).
|
| BitWarden:
|
| * Open-Source
|
| * Affordable pricing
|
| * Good, working browser extensions and desktop app
| tailspin2019 wrote:
| I've used 1Password for around 8 years (maybe longer) and I
| believe them to be a pretty safe bet currently.
|
| I wasn't a huge fan of their move to a hosted model but I went
| with it and even so, I have to say that their service is good,
| reliable and instilling of confidence.
|
| If I was starting from scratch I'd probably look more closely
| at Bitwarden (likely to use their hosted service but knowing I
| have the option later to self-host).
|
| I would suggest that most people would likely be served well by
| either of these solutions at this point in time.
| pkulak wrote:
| Same here. If I was starting from scratch, I'd consider
| Bitwarden, but 1Password has been so flawless for me over the
| decade and a half I've used it (off and on) that I can only
| lose by moving.
| jspash wrote:
| I've used 1PW since its inception, happily moving
| whichever way they went. However, the latest iteration
| (electron?) is an absolute mess. I _blinkin_ hate it!
| Shortcuts work, then they don't. Search rarely works.
| Multiple overlapping modals appear. Modals position
| themselves over the input boxes. It's really awful after
| the change. Sadly I didn't find this out until I had
| already paid for the monthly subscription or I would have
| dropped it like a hot potato. I'll stick it out for a few
| months more, but if things don't improve I'll be in the
| market for something (anything) better.
| foxfluff wrote:
| I've been using pen & paper for a decade. So far it has not
| been affected by any CVEs, company acquisitions, bugs, quirky
| updates, outages, mandatory subscriptions or arbitrary account
| limits, leaks, or other compromises. It's airgapped and works
| fully offline too. Even if all my computing devices got filled
| with malware, they would only log the passwords that I actually
| type in.
| pkulak wrote:
| I could never trust credentials to my hand writing. :D
| yumaikas wrote:
| If you're going to be paying a subscription anyway, I've been
| using 1Password for 2.5ish years pretty successfully.
|
| It's also recommended by Troy Hunt, who has a reputation at
| stake in all of this, since he runs stuff like
| https://haveibeenpwned.com
| the_printer wrote:
| Former LastPass user (2+ years) and current 1Password user (2+
| years).
|
| There's no looking back. LastPass was buggy and the UI ugly.
| That was fine when it was free but when they went to fee based
| for cross platform support we switched the whole family over to
| LastPass. Everything works, is pleasant to use, and no slimy
| tactics.
| cianmm wrote:
| I've been on 1Password for many many years - looks like I
| bought it first in 2008, and I've bought every major version
| since, and then moved to subscription within weeks of it
| launching. I couldn't be happier with the product, or their
| customer support. $3 per month for bulletproof password
| management that integrates so well into iOS and Mac OS isn't
| even something I think about when renewal time comes along. I'm
| watching their move to Electron for their apps with caution,
| but they have such a long track record of shipping great
| product that I'm not too worried.
| iudqnolq wrote:
| I don't love electron, but I do like they now have a Linux
| client with good platform integration (such as pop up mini
| window).
|
| They previously had a cli for Linux. It was designed to
| provide everything you'd need to build a nice ui but since it
| was a little low-level it didn't have great ux.
| function_seven wrote:
| Another vote for BitWarden. I used LastPass for many years, and
| jumped ship when they were acquired. I've been using Bitwarden
| for a few years now and really like it.
|
| Importing from LastPass was easy.
| moonshinefe wrote:
| Exactly my experience as well
| slock83 wrote:
| I used LastPass for a while too, but I then switched to
| KeePass, using Syncthing to have a single db. At first that
| was great, but after a few save mistakes, and a slight change
| in need, I've switched to a hosted bitwarden (using
| vaultwarden).
|
| I've not had a single issue with it since, it's fully
| compatible with the official bitwarden app (which works rather
| well), and is much easier to use when other people in your
| household also need to manage their passwords.
|
| Point of note: the android app syncs the database locally, and
| can be accessed/used/exported even offline, which is very, very
| reassuring in case of server/network failure
| codazoda wrote:
| I use KeePass and then several different UI's, based on the
| platform. I store the KeePass in my favorite cloud drive so I
| can use it from wherever.
| wintermutestwin wrote:
| Where do you store the password for your "favorite cloud
| drive?"
| Lukineus wrote:
| Same, but I switched a while ago to using Syncthing for the
| database instead of cloud storage.
| nerdponx wrote:
| I am having a great experience with KeepassXC and KeepassXC-
| browser. I sync my password database via Seafile, which is
| hosted by Your Secure Cloud. And I use Strongbox on iOS.
| riffic wrote:
| bitwarden seems to be the favorite so far - open source, self-
| hostable if needed, and pretty easy to use.
|
| There's a free reimplementation of its server which also seems
| to be highly recommended:
|
| https://github.com/dani-garcia/vaultwarden
| impalallama wrote:
| Second Bitwarden, I moved from Lastpass to it last year and
| the process was painless. iOS and Browser support were at a
| parity that I just uninstalled one, installed the other and
| was ready to go.
| mattwad wrote:
| Been using bitwarden and love it! I don't think it offers
| 2-factor but you can replace that with Authy or Google
| Authenticator
| sliken wrote:
| Vaultwarden (the recently renamed bitwarden compatible
| implementation in rust) supports 2fa as well. The providers
| mentioned are Auth/Google Auth, Yubico, Duo, WebAuthn, and
| email.
| karmanyaahm wrote:
| It does have 2-factor in the paid plan.
| lstmemery wrote:
| I'd like to recommend Aegis Authenticator, which is FOSS.
| It also encrypts tokens at rest, has password protection
| and the ability to export tokens.
|
| Lastpass Authenticator does not do that, so I spent an hour
| yesterday manually resetting all my 2FA.
| cycomanic wrote:
| I'm using keepassxc, synchronized over pcloud (but Box,
| Dropbox, gdrive etc would all work just as well). There's an
| excellent browser plugin, I use keepass2android on my phone and
| it also functions as my ssh-agent and I use it as my secret-
| provider for my Linux desktop (essentially a replacement for
| gnome keyring or kwallet). I'm not sure what reason there would
| be to use a SAAS.
| futhey wrote:
| Confirmed working 10:46am PST:
|
| Sign in to LastPass web -> Advanced Options -> Export -> Verify
| export by email -> Advanced Options -> Export (again) -> List of
| passwords in CSV format.
| pedalpete wrote:
| I don't pay for lastpass, and I was able to export, but I've
| also been a user for a LONG time, so perhaps grandfathered in.
| tytso wrote:
| The problem is if you aren't a paying customer, and you are
| locked to the mobile app, it doesn't have the password CSV
| option. So if you can access the desktop web option, sure, it
| works. But that's not true for all users.
| sucrose wrote:
| I pay for LastPass Premium and it exports just fine in the
| latest Chrome on Windows 10 x64.
| [deleted]
| jmrm wrote:
| Have you checked this thing I commented? Just to know if it's
| just a personal problem or it is global:
| https://news.ycombinator.com/item?id=29896882
| jonathanlb wrote:
| I wasn't able to reproduce the error. I got a CSV that seems
| complete.
| dadjoker wrote:
| Same here. I pay for LastPass, and I was able to export w/o a
| problem.
| withinrafael wrote:
| Same, cannot reproduce. CSV export was easy and appears to be
| error-free. <shrug!>
| bborud wrote:
| Confirmed broken. CSV file contained barely a dozen entries.
| Real list is hundreds.
|
| I guess Bitwarden secured itself a test-run.
|
| _edit: for clarity, the downloaded csv was defective, the csv
| shown seems complete. This is a problem_
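The truncated-download reports in this thread (jmrm's SQLite warning about missing fields in the last row, and bborud's file with barely a dozen entries where hundreds were expected) are exactly what a quick sanity check of the export catches before the old vault is deleted. The script below is an added example, not code from the thread, from LastPass or from Bitwarden. It reads an export CSV, checks that every record has as many fields as the header, that the file ends with a newline, and optionally that the record count matches the item count the vault UI shows; a second helper diffs the downloaded file against the full text copied from the page (the workaround lini and jmrm describe) and names the records that went missing. The column names and the sample records are constructed for the example; the checker takes the real column layout from the file's own first line rather than assuming one.

```python
import csv
import io

# Constructed sample export: a header row plus three records, one of them
# with a quoted multi-line note, which a naive line-count check would miscount.
SAMPLE_COMPLETE = (
    "url,username,password,totp,extra,name,grouping,fav\n"
    "https://example.test/a,alice,pw-a,,,Site A,Work,0\n"
    'https://example.test/b,bob,pw-b,,"note line 1\nnote line 2",Site B,Personal,1\n'
    "https://example.test/c,carol,pw-c,,,Site C,,0\n"
)

# The same export cut off inside the third record, the way a broken download
# ends: no trailing newline and a final record with too few fields.
SAMPLE_TRUNCATED = SAMPLE_COMPLETE[: SAMPLE_COMPLETE.rfind("pw-c") + 2]


def check_export(csv_text, expected_count=None):
    """Return a report on whether a CSV export looks complete.

    Checks: every record has as many fields as the header, the file ends with
    a newline, and (if given) the record count matches expected_count, e.g.
    the item count shown in the vault UI.
    """
    reader = csv.reader(io.StringIO(csv_text))
    try:
        header = next(reader)
    except StopIteration:
        return {"rows": 0, "width": 0, "short_rows": [],
                "problems": ["empty file"], "complete": False}
    width = len(header)
    rows = 0
    short_rows = []          # (record number, field count) for malformed records
    for record_no, row in enumerate(reader, start=1):
        if not row:          # csv yields [] for blank lines; ignore them
            continue
        rows += 1
        if len(row) != width:
            short_rows.append((record_no, len(row)))

    problems = []
    if not csv_text.endswith("\n"):
        problems.append("file does not end with a newline (download may have been cut off)")
    for record_no, n in short_rows:
        problems.append(f"record {record_no} has {n} fields, header has {width}")
    if expected_count is not None and rows != expected_count:
        problems.append(f"{rows} records in file, expected {expected_count}")
    return {"rows": rows, "width": width, "short_rows": short_rows,
            "problems": problems, "complete": not problems}


def missing_records(reference_text, candidate_text, key_fields=("url", "username", "name")):
    """List records present in reference_text but absent from candidate_text.

    Use with the full text copied from the export page as reference and the
    downloaded file as candidate. Records are keyed by key_fields so that a
    truncated final record (missing its name) shows up as absent.
    """
    def keys(text):
        return {tuple(r.get(f, "") for f in key_fields)
                for r in csv.DictReader(io.StringIO(text))}
    return sorted(keys(reference_text) - keys(candidate_text))


if __name__ == "__main__":
    for label, text in (("complete", SAMPLE_COMPLETE), ("truncated", SAMPLE_TRUNCATED)):
        report = check_export(text, expected_count=3)
        status = "OK" if report["complete"] else "; ".join(report["problems"])
        print(f"{label}: {report['rows']} records, {status}")
    print("missing from truncated download:",
          missing_records(SAMPLE_COMPLETE, SAMPLE_TRUNCATED))
```

Run it against a real export by reading the downloaded file into `check_export` with `expected_count` set to the item count the vault shows; a short final record or a missing trailing newline is the signature of the cut-off download described above, and `missing_records` tells you which entries to copy over from the on-page text before the old account is closed.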
| bborud wrote:
| So a company that requires users to trust them decides to be
| sneaky and untrustworthy.
|
| I just got a strong incentive to check out the competition.
| iratewizard wrote:
| I'm glad I can point to things like this after years of telling
| people to drop logmein jr
| riffic wrote:
| This company is so rotten. Just look at their recent track record
| showing pure user hostility. Why is anyone still using them?
| foxtrottbravo wrote:
| Probably because they make it hard enough to leave so that the
| majority of end-users just swallow the pill
| tablespoon wrote:
| > This company is so rotten. Just look at their recent track
| record showing pure user hostility. Why is anyone still using
| them?
|
| Inertia. Lastpass still works, and frankly it's not high on my
| list of priorities to research and switch to a new password
| manager. Some people have time to obsess over this stuff, I
| don't anymore.
|
| And frankly, data export barriers wouldn't be a difficulty for
| me (I wouldn't mind re-keying stuff if that's what it took, and
| that's what I did to get my passwords _into_ LastPass).
| Deciding on a direction is way more work, and that's the real
| barrier.
|
| Also, it's kind of pointless. The alternatives will almost
| certainly be some open source thing with major UX friction and
| personal maintenance burden, or some for-profit service that
| will eventually be corrupted in exactly the same way as
| LastPass has.
| andybak wrote:
| > Just look at their recent track record showing pure user
| hostility. Why is anyone still using them?
|
| Because I've managed to miss any news damning enough to make me
| decide to switch.
|
| It's possible that either:
|
| a) I've overlooked something
|
| b) You and I have different priorities
|
| c) You're being hyperbolic.
|
| I genuinely don't know which but your phrasing and tone makes
| me lean towards (c)
|
| The internet is full of people shouting "God. [Company] is the
| worst!" - if you want to be persuasive then it's probably
| better to not sound like them.
| riffic wrote:
| You can lean towards C all you want and I admit my phrasing
| and tone will come across a certain way, but the track record
| isn't hard to dig up if you just take a cursory look.
|
| Let me give you this own site's experiences with the company.
|
| https://www.google.com/search?q=lastpass+site:news.ycombinat.
| ..
| londons_explore wrote:
| All it takes is for someone to write a little chrome extension to
| export everything and import it into competing software...
| tablespoon wrote:
| > All it takes is for someone to write a little chrome
| extension to export everything and import it into competing
| software...
|
| Though it would be foolish to trust such an extension, given
| the existence of practices like extension hijacking. I'm sure
| someone could make a lot of money with a "secretly export
| LastPass passwords to attacker" extension.
| bostik wrote:
| I can say with full confidence that this at least has nothing to
| do with their hostage situation:
|
| > _Having no formal support channel_
|
| When I last had to deal with their so-called support, all contact
| details were very efficiently hidden. Once you found a page with
| a phone number, and the hours you could call them, there was one
| final surprise:
|
| "The phone number you are trying to reach is not in use". The
| only contact that works reliably at LastPass is their billing
| department. Make of that what you will.
| [deleted]
| suifbwish wrote:
| Possibly in order to prevent social engineering they have
| simply sought to make it impossible.
| hffftz wrote:
| I usually use this website to find companies' phone numbers:
| https://gethuman.com/phone-number/LastPass
|
| It tells you that it is a credit monitoring service when you
| call, but it is indeed the password manager service....
|
| 800-830-6680 and then press 3 (the other 2 options disconnect
| you)
| frenchyatwork wrote:
| > It tells you that it is a credit monitoring service when
| you call, but it is indeed the password manager service
|
| That actually sounds like it might be a business model (at
| least in places where the proletariat don't get too uppity).
| You run a password manager service and calculate data on
| people's password strengths and the number of duplicated
| password they use, and then feed this data to some sort of
| credit check system.
| hffftz wrote:
| Even better, they can login to your bank accounts, amazon
| account, etc...
| techdragon wrote:
| While it was harder than it should have been to reach them. The
| one support interaction I've ever needed to have with them
| (domain name change went badly with master password email
| account re-verification before I added a secondary email) was
| amazing. They had a thorough security checking, identification
| confirmation process that would make it more difficult for
| social engineering, they were able to fix up the email over the
| course of a 45 minute phone call (I did mention it was
| thorough)
| SV_BubbleTime wrote:
| You guys did better than me, I gave up trying to find a phone
| number and used their ticket system... it was not good. Issue
| was eventually resolved but wow, what a mess.
| Reubachi wrote:
| Ah, the Jagex method.
| jcranberry wrote:
| I vaguely remember eventually figuring out how to lodge some
| kind of issue or something because the UI of their credit
| monitoring was completely broken. It was impossible to use the
| service at all.
|
| I think I eventually figured out some methodology of opening
| some graphical element in a new frame or something that got it
| working partially but that was what made me cancel everything
| and switch to BitWarden. Ridiculous.
| whitepoplar wrote:
| Last time I checked (a couple years ago), the only seemingly
| trustworthy password managers were 1Password and pass. Has this
| changed?
| RupertHandjob wrote:
| How is 1Password more trustworthy than opensource and "audited"
| Bitwarden?
| whitepoplar wrote:
| Members of the security community whom I trust gave their
| recommendation to those two products and went out of their
| way to suggest _not_ using other products. I trusted that
| advice and picked 1Password. Also, AFAIK, even though
| 1Password is closed source, it has been audited.
| msoad wrote:
| I use iCloud Keychain because Apple is not in business of making
| money off a password manager. They charge me more via their
| hardware sales scheme but at the end of the day it's a good
| experience overall
| halfmatthalfcat wrote:
| Can you share passwords with iCloud Keychain? I ask because I
| heavily use the family vaulting in 1PW to share common
| passwords amongst family.
| msoad wrote:
| Sharing is available only via AirDrop. You can copy the
| password too. But no "shared password".
| Someone1234 wrote:
| A solution that isn't cross-platform at all. Non-starter for
| me.
| mrtranscendence wrote:
| I see your point, and if I were (say) a Linux user I of
| course wouldn't use iCloud. But as someone whose entire
| digital life is on iOS and macOS, it doesn't bother me that
| it may not work (or work as well) on other platforms.
| msoad wrote:
| They have a Windows app. I only have iPhone, iPad and Mac so
| not sure how good it is.
|
| https://support.apple.com/guide/icloud-windows/set-up-
| icloud...
| mdavis6890 wrote:
| Strange - the fact that Apple is not trying to make money from
| passwords seems like a good reason NOT to use it. Though I
| don't have much experience with keychain so I can't comment on
| that specifically. (I do have a lot of Apple devices I like
| though).
|
| I feel more comfortable when a company is trying to earn my
| money by delivering a good product with good service. Of course
| that doesn't always work out, but I feel it's a better shot.
| mrtranscendence wrote:
| Well, Apple isn't directly making money from selling
| subscriptions to the iCloud Keychain, but it's a fairly
| important factor in making iOS and macOS straightforward to
| use for many people (including me). So the indirect business
| case for keeping it around and performing well is pretty
| sound.
| thomascgalvin wrote:
| The older (and busier) I get, the more I'm willing to put up
| with a walled garden that just works.
|
| Apple is not (always) a good actor; they've been caught
| intentionally degrading the performance of older hardware, in
| order to increase sales of new hardware. _But_ , they seem very
| keen on maintaining the privacy and safety of their users,
| which is true of essentially no other tech company on the
| planet.
|
| I'm still not all-in on the Apple ecosystem, but stuff like
| this always makes me pause.
| yoav wrote:
| This is exactly why I switched to another password manager when
| they announced LogMeIn had bought them.
|
| Same gross tactics and lock in. IIRC LogMeIn refused to let me
| delete my credit card details or cancel my plan and their
| "support contact" was completely unresponsive.
|
| Can't remember if I just used fake card details or blocked the
| transaction by locking/cancelling the credit card but it was a
| real nightmare.
| kabdib wrote:
| I had ten years prepaid premium on LastPass, being an early
| adopter (it was a good product and a good price at the time).
|
| After they were acquired, LogMeIn was quite happy to charge my
| credit card for the premium service, for several years running.
| Never did get a refund.
___________________________________________________________________
(page generated 2022-01-11 23:01 UTC)