
The threat scenario described by the article: If someone within LastPass wanted to gain access to your passwords (e.g. rogue employees, or via court order) there is a way that the extension could be made to upload your vault key back to LP if you click on certain things within the extension, namely some parts of the preferences, or something like that. Any such change would be publicly detectable, but could theoretically be targeted to avoid widespread notice. So in other words, the vault itself is not fundamentally flawed, but the design of the current extension doesn't proactively firewall against LastPass turning into a bad actor.

My $.02: Given that all the cloud-based password managers have their own phone (and even desktop) apps, this seems like a moot point since a bad actor could push out an app update that does anything with your keys anyway.

As a long-time LastPass user I appreciate this kind of analysis, but this is just not something I have enough cycles in the day to let bother me. BTW the last time I opened my preferences was 3 years ago. LastPass is quite open to scrutiny and what's important is how responsive they are to new findings -- very responsive, from everything I've ever seen. Including many findings from the author of the article.

By far the biggest problem with LastPass is that it sometimes just doesn't apply (or misapplies) the password or username to the appropriate form entries, and I have to go find it and copy it. Occasionally it also misses the saving of a new password (that it generated) and I have to put it in the vault by hand. I suspect this is a really hard problem given the massive variety of forms out there, but would be curious to hear if other password managers never have these issues.



The user experience declined slightly after lastpass got acquired.

For a year or two, lastpass for Firefox didn't have the copy option for usernames and passwords. I had to edit, show password, then copy.

The autofill problem became pronounced after the acquisition as well, probably through no fault of the new owner. Many sites like Google and Microsoft have switched to a multi-step login process where the username is entered first and the password is entered on a different page.

Also a proof of sites abusing autofill & hidden forms to steal passwords probably influenced the current situation.


Two years ago I submitted a ticket asking them to add the "copy password" option to SSH key type entries. A simple and obvious feature. They said they'd look into it, then nothing. Meanwhile in that time all I've seen them change has been the animations in the menu.


Fascinating. I submitted the same ticket a month or two ago, with the same initial response.

(Now I just stopped holding my breath. Ah, breathing is good!)


FYI copy password works after installing the binary add-in on Win and Linux at least. Why this is necessary I have no idea however.


It was because of changes to Firefox's extension system. That said, communication about this was suboptimal. I would have liked for the UI to inform me of the binary option to get back that functionality.


I moved to 1PasswordX for this feature alone. No binary required.


I have LastPass with binary component installed and copying passwords doesn't work on Ubuntu 16.04 LTS with LP support confirming the issue without ETA.


I'm using Firefox on Windows, I don't have the binary component installed but Copying Password works for ME. Here's something you could try:

Go to a site with saved passwords e.g. http://news.ycombinator.com

Lastpass icon changes to show you have an entry. Click the icon, click "Show matched sites." Hover over the entry and you'll see three buttons: Copy username, Copy Password and More options.

I'm assuming these buttons don't work for you. Right-click instead on the entry and you should see a menu with the following items: Autofill, Copy username, Copy password, Copy URL, Go to URL, Edit, Delete.

Try the copy password entry. Hope it works for you.


LogMeIn is where products I genuinely loved go to die.

Years ago it was Hamachi (the LAN-over-internet software). Then it was LastPass and via it XMarks (itself acquired by LastPass shortly before). XMarks suffered much more grievously than LastPass — I suffered data losses on multiple occasions before finally throwing in the towel.


Lastpass seems to work fine for me on sites with multi-step login like Google.


I found my perfect ux with password-store, xmonad, and xmonad-contrib's pass prompt module. It takes a bit of time setting up but it pays for itself. I don't store any passwords in my browser and filling in passwords is super quick with fuzzy completion.


How do you sync the passwords between devices (including mobile & non-linux) and keep them backed up?


I use the same setup as the GP.

password-store uses git+gnupg so backing them up is a matter of distributing the git repo. My git repo lives on each of my laptops and I have a 'central' host of it...so it's backed up via distribution.

For getting passwords to my phone I use a homemade Android app + small web app that sends them to my phone encrypted on-demand from my laptop or desktop. There are Android apps for using password-store but you have to put your GnuPG keys on your phone for that and I prefer not to do that.


Not the op, but it's easy to sync and back up because it uses git. Password store on android also supports this.


Yup, it's just git. Passwords are files in a git tree so you usually do not run into any conflicts unless you manage to change the same password on both ends, which also should be easy to resolve.


How do you manage mobile (iOS in particular)?

UP (uncle post) mentions a home-made Android app to sync... is there a more mainstream option?


I'm pretty sure this is fixed in the latest version. I can copy the user/pass directly from the extension menu. It also works fine on Microsoft and Google.


Just use Bitwarden now. It has everything Lastpass has, used to have, and more. And most importantly, you can run your own server.


Also switched to Bitwarden the other day and it's far superior. None of the irritating bugs Lastpass extensions/integrations had, works perfectly on Firefox, Android, 'web' etc. In general it feels a lot less clunky and its Firefox addon for instance has many more quality of life features.


The things that Bitwarden lacks for me is a global hot key to search my vault and the ability to only have the app running my menu bar so I don’t have to see it in my alt-tab options. Haven’t looked into Bitwarden enough to see if there is an API to write an Alfred workflow or something to search the vault.


My one issue is that their desktop app takes a long time (several seconds) to open on my Mac, possibly because it uses Electron. And, I wish they had a bookmarklet like LastPass does, for rare situations where I can't use an extension.

But overall, yeah, it has been better than LastPass.


>By far the biggest problem with LastPass is that it sometimes just doesn't apply (or misapplies) the password or username to the appropriate form entries, and I have to go find it and copy it. Occasionally it also misses the saving of a new password (that it generated) and I have to put it in the vault by hand. I suspect this is a really hard problem given the massive variety of forms out there, but would be curious to hear if other password managers never have these issues.

Agreed, ambiguously named form input fields cause all kinds of havoc. I helped our UX team track down one in our application because it was breaking my lastpass =)

For the second issue, I've just adjusted my workflow to accommodate LastPass's peculiarities. I just click "Generate Secure Password", copy it to the clipboard and fill the form myself. Then I have a copy of the password on the clipboard should LP miss adding the site properly.

While it's a slight pain to work around that particular issue, it's far better than what I used to do with regards to password reuse.


LastPass recently made a change to how they save generated passwords, it'll prompt you right after filling it instead of waiting for the login to succeed.


I was very happy when I started seeing that, that's been a huge improvement.


If you're within the same session, the Generate Password popup likely has a down-arrow next to it that will show you a list of recently generated passwords. This has been useful occasionally.


> copy it to the clipboard and fill the form myself.

I'm not that familiar with mobile dev, but could a rogue app just sit in the background, making a copy of whatever's in the clipboard?


If you have such an application installed... the system has already been compromised.


Yes, Keepass for example avoids this by pasting some of the characters with the clipboard and some of the characters by simulating keypresses. See: https://keepass.info/help/v2/autotype_obfuscation.html

Lastpass mitigates the issue somewhat by clearing the clipboard after a certain amount of time.


> LastPass is quite open to scrutiny and what's important is how responsive they are to new findings -- very responsive, from everything I've ever seen. Including many findings from the author of the article.

That is nice, but it is not sufficient mitigation for the issue to be dismissed.

There are more concerns in this article than the title issue, and it seems that in the past, LastPass has made some questionable design decisions that did turn out to have problems that needed to be fixed. I hope and assume that, prior to adopting these design choices, LastPass analyzed the risk and concluded that it had avoided creating any vulnerabilities, but nevertheless, there were some that it had overlooked.

If you continue in this manner, you are increasing the risk of creating a zero-day vulnerability that gets exploited, and I would guess that a central repository of passwords would be a particularly attractive target for bad actors. I would much prefer a security company to stay away from questionable design choices, rather than have rather complex and more-or-less tendentious arguments that the way they are doing it is safe, especially when there have been cases in the past where their arguments were not sound.

> This is just not something I have enough cycles in the day to let bother me.

Another reason to prefer KISS. If the vendor had refrained from making questionable choices that require complex analysis (such as the decision to fall back to server-provided pages for parts of the browser extension functionality), trying to figure out whether it matters to you would be less of a problem -- to the point, maybe, where you don't fall back on an "I can't be bothered" attitude.


I too don't have time to worry about this kind of attack, which is why I don't use web-based password managers. I just use KeePassX and copy/paste.

I don't have time to really think about all this complexity and what it means for my security. So I just avoid it entirely.


This logic sounds like "I've heard that if your car falls in a river, wearing a seat belt makes it harder for you to get out. I don't have time to worry about whether that's a real problem, so I just don't wear my seat belt. Too much complexity."


Not at all. This person is choosing not to accept additional risk, and is engaging in strong mitigation by using an offline password manager.


Plus there's nothing preventing you from using your favorite sync client (eg. Dropbox) to get the same "cloud" functionality.


ding ding ding.

I use a few different versions of keepass on two laptops and an android, and they all share a keyfile through dropbox. I get most of the same functionality that my wife does through LastPass. It's convenient enough that I don't see any reason to migrate to LastPass, despite their much more polished user experience.


> more polished user experience

I'm forced to use LastPass at work, and personally find KeePass to be a much better user experience.


KeePass is more secure than LastPass, not less. I've tried a couple different password managers, but always come back to KeePassXC with a simple auto-type workflow. My reasons:

A. The auto-fill extensions don't work on enough sites to make it annoying (maybe ~20%). Auto-type is a more consistent workflow for me.

B. Lastpass (and friends) browser extension doesn't do anything for desktop apps, SSH sessions, or anything outside the browser. You have to copy and paste one at a time.

C. I like all my passwords to be a particular format because it frequently happens that I have to type them in manually (Phone, vCenter console, BIOS, etc.) and I just like that to be easy. (I use 5 groups of 4 lower case separated by periods, with one number and one upper case letter in the last group. Still very strong but also manageable to type into an iPhone).

D. I like to record more than just passwords (the email I used, answers to security questions (always random, but legit looking), bank and credit card details, stuff like that). The KeePass UI for keeping those kinds of notes is just so much cleaner, simpler, and better than anything else.

E. KeePassXC has first class support for Yubikeys.


This strategy makes you more susceptible to phishing, which is a much more common attack and requires vigilance to avoid. I think the reduced phishing vulnerability for browser extensions is worth it.


>This strategy makes you more susceptible to phishing

One mitigation is to use Firefox account containers.

If I navigate to what claims to be Bank of America, but the tab doesn't open in my "Banking" container, that's a huge red flag.

Also, as another poster mentioned, Lastpass sometimes fails to autofill. Unless a manager can achieve 100% error free operation (unlikely), even autofill managers will also have a risk of phishing.

I don't think there's one correct answer. For me, as an expert who's confident about my security posture (2FA, verbal passwords for vendors that can reset 2FA, backup codes stored securely offsite), I value the simplicity of Keepass.


I use KeePass too, great little program. It isn't as "mobile" but I don't really see the benefits of online solutions. It certainly isn't added security.

The website from the service in question also suffers from severe JS-errors on their page (FF 66).


KeePass here too. On Android, it is absolutely terrible paired with Dropbox. I'm not sure who to blame, but the database will not stay up-to-date and I have to click and re-open my key file _every_time_. On a fresh install, it stays good for several months, then it will get out of sync and I'm not sure how to get it back to in sync.


The Android (and iPhone) apps have always been more trouble than their worth, IMO.

I always manage my passwords on my computers, and type in on phones as needed. Simpler and just works.

To ease the pain of typing passwords, I always follow a consistent format that's easier. Example:

7,#/T8z%FS%zht6S

ctaq.zwjd.qnbu.ut1A

The first one is terrible to type on a little Android keyboard whereas the second is a breeze, and still perfectly respectable as far as password strength goes.


It works perfectly for me (Keepass2Android). Unfortunately Dropbox limiting syncing to 3 devices will likely make me use something else.


Which Android port are you using? There isn't an official one, so you may have better results trying a different one.


Fair enough. I just noticed down below someone was using keepass2android or similar. I'm using keepassdroid, and I noticed they have an issues page. Filed one. I might investigate bitwarden if I get bored[1]. Thanks btw, it really did not occur to me actually that there would be other versions.

[1]something that will not likely happen between family, work, and chores around having a large property


FWIW I use KeePass2Android and I sync to my OneDrive. I have no issues with it on Android 9 on a Huawei device running EMUI 9


I always launch keepassdroid by going into Dropbox and opening the database from there, rather than by launching the app directly.


> My $.02: Given that all the cloud-based password managers have their own phone (and even desktop) apps, this seems like a moot point since a bad actor could push out an app update that does anything with your keys anyway.

I respectfully disagree that apps are the same as webpages. The big difference is that apps are signed, so if things are done properly, you only have to trust the devs of the app and whoever operates their CI. Web pages on the other hand have no such security (yet), which means you also need to trust the cloud provider, the CDN, the fact that the website was not hacked, the ops team of the password manager, and probably anyone who is able to make a valid SSL certificate and might do MITM...

Disclosure: I work for a company that makes a cloud-based password manager.


If, like most people, you're downloading the extension via Google/Safari/Firefox, then it really is no different than apps.


Extensions are fine. The issue is only for pages served from a webserver.


> Given that all the cloud-based password managers have their own phone (and even desktop) apps, this seems like a moot point since a bad actor could push out an app update that does anything with your keys anyway.

This seems to me like a great argument to avoid all cloud based providers and their mobile apps. Especially when open-source, time tested, self-hosted solutions exist.

You seem to be more concerned about UX than security. Compromising security for better comfort is not a very good strategy.


> You seem to be more concerned about UX than security. Compromising security for better comfort is not a very good strategy.

From my practical observation: People will go to great lengths to avoid dealing with a crappy UX. That can include falling back to "YOLO, I'll just use the same password everywhere" if the password management process is sufficiently atrocious. So I'd say good UX is part of the security concept, bad UX will compromise it.


For me, the UX of maintaining an improved security posture is quite an important part of these products' success: I get improved security and the product doesn't make me think. The only way it could be better for me as a long term LastPass customer is if I had a good/safe tool to synchronise with the macOS keychain for improved redundancy and providing myself a future "exit strategy". I rarely have to think about my use now that it's integrated into the native iOS password prompt.


> You seem to be more concerned about UX than security. Compromising security for better comfort is not a very good strategy.

Maybe, but a good UX goes a long way to convincing people to use the solution. The best security solution is the one you actually use.


> You seem to be more concerned about UX than security. Compromising security for better comfort is not a very good strategy.

People are reusing passwords and writing passwords down on post-its specifically because they haven't found sufficiently UI friendly options for password management. Regardless of whether that is out of ignorance of available options, UI not being friendly enough for them, or some other technical hindrance.

A compromise isn't weighing between an ideal scenario and your current situation. A compromise is finding an optimum between value extremes in acceptable real world scenarios. An ideal security extreme is a disconnected system, but that's never something you can compromise towards since the comfort/usability reaches 0.

You're trying to move security up by getting users away from pass reusage and post-its. In this case added comfort happens to also be increased security.


> This seems to me like a great argument to avoid all cloud based providers and their mobile apps.

Any app that gets updates is vulnerable to that type of attack.


> Compromising security for better comfort is not a very good strategy.

This approach is exactly why the vast populace has essentially no security. I'd be glad if my parents were to switch to LastPass, as it is so much better than weak password re-use schemes.

I'd say that compromising security for comfort is a given, it's guaranteed to happen. The best strategy here is to make sure that users will have the most security after the compromise.


The open-source, "time tested," self-hosted solutions do not check that the website you're trying to paste a password onto is the website you should be pasting the password onto. That is a real and serious security risk, and the fact that the open-source solutions don't attempt to solve it does not mean it should not be solved.

I think a lot of people feel uncomfortable giving a proprietary product access to their passwords, and feel more comfortable doing the copy-and-paste themselves. But compromising security for better comfort is not a very good strategy.


>The open-source, "time tested," self-hosted solutions do not check that the website you're trying to paste a password onto is the website you should be pasting the password onto

Keepass has a third party Firefox extension that does this. Bitwarden is open source and has their own extension that does the same.


You can edit form fields for every password entry to fix the "filling out the wrong form entry" problem.


The main annoyance I've had is that for some sites it tries to save 2FA one-time passwords as the new password. Accidentally click "ok" and you have to go through password recovery.


Password history is your friend, there.

My annoyance is lately it's become less skilled at detecting password changes properly, even when I'm invoking 'Generate Password'.


Lastpass' password history saved my wife from losing multiple accounts. (Chrome's password autofill was overwriting Lastpass and thus messing up certain sites)


Ooh, I didn't know about that feature. Just googled it. Thanks :)


> My $.02: Given that all the cloud-based password managers have their own phone (and even desktop) apps, this seems like a moot point since a bad actor could push out an app update that does anything with your keys anyway.

I think this is a good argument against cloud-based or auto-updating password managers in general.


With respect to the password-creation problem, I find the entropy of the passwords LP creates too low in any case, so I create them from /dev/urandom + base64. I've never had LP fail to recognise these hand-generated passwords.
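An added example, not code posted by any commenter, that puts numbers on the two generation styles discussed in this thread: the typeable format shown earlier (groups of four lower-case letters joined by periods, with a digit and an upper-case letter closing the last group, as in ctaq.zwjd.qnbu.ut1A) and the /dev/urandom + base64 approach in the comment above. It draws all randomness from /dev/urandom and computes the entropy of each format; the function names, the generalisation to N groups (the 5-group variant mentioned earlier gives 92.6 bits) and the assumption of POSIX sh with awk, tr, head and base64 are mine.

```shell
#!/bin/sh
# Added example (not from the thread). Generates a typeable password in
# the format g1.g2.g3.ll1A straight from /dev/urandom, generates a
# /dev/urandom + base64 password, and reports the entropy of each so the
# "typeable but still strong" claim can be checked. Function names are mine.

# Emit $2 characters drawn uniformly from the tr character class $1.
# tr -dc discards every byte outside the class, so each kept byte is
# equally likely (rejection sampling). 4096 input bytes leave a large
# surplus even for the 10-character digit class. LC_ALL=C keeps tr
# byte-oriented on every platform.
rand_chars() {
    head -c 4096 /dev/urandom | LC_ALL=C tr -dc "$1" | head -c "$2"
}

# Typeable format with $1 groups (default 4), e.g. ctaq.zwjd.qnbu.ut1A:
# (groups - 1) groups of 4 lower-case letters, then 2 lower-case letters,
# 1 digit and 1 upper-case letter.
typeable_password() {
    groups=${1:-4}
    out=""
    i=1
    while [ "$i" -lt "$groups" ]; do
        out="${out}$(rand_chars 'a-z' 4)."
        i=$((i + 1))
    done
    printf '%s%s%s%s\n' "$out" "$(rand_chars 'a-z' 2)" \
        "$(rand_chars '0-9' 1)" "$(rand_chars 'A-Z' 1)"
}

# Entropy in bits of the typeable format with $1 groups. The digit and
# the upper-case letter sit at fixed positions, so they contribute only
# log2(10) and log2(26); every lower-case letter contributes log2(26).
typeable_entropy_bits() {
    groups=${1:-4}
    lower=$(( (groups - 1) * 4 + 2 ))
    awk -v l="$lower" 'BEGIN {
        printf "%.1f\n", (l + 1) * log(26) / log(2) + log(10) / log(2) }'
}

# /dev/urandom + base64 password from $1 random bytes (default 12, which
# encodes to 16 characters with no padding).
base64_password() {
    head -c "${1:-12}" /dev/urandom | base64 | tr -d '\n='
}

# base64 is a bijection on the input bytes, so the entropy is exactly
# 8 bits per random byte regardless of how the text looks.
base64_entropy_bits() {
    awk -v b="${1:-12}" 'BEGIN { printf "%.1f\n", b * 8 }'
}

# Stand-alone usage: one password of each style with its entropy.
printf '%s  (%s bits)\n' "$(typeable_password 4)" "$(typeable_entropy_bits 4)"
printf '%s  (%s bits)\n' "$(base64_password 12)" "$(base64_entropy_bits 12)"
```

The 4-group typeable format comes out at about 74 bits against 96 bits for 16 base64 characters, so the convenience costs roughly 22 bits, which the 5-group variant mostly recovers.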


> I find the entropy of the passwords LP creates too low

What do you mean? How are you measuring that? How do you think that would make a password of the same length and character set less secure in a practical way?


The password length defaults to too short, and in some circumstances is seeded poorly.

https://security.stackexchange.com/questions/77345/security-...


You can change the password length to whatever you want... and your link says it uses window.crypto functionality which appears to be supported in every single browser including back to IE11. [1]

So it seems like LastPass-generated passwords are fine?

[1] https://developer.mozilla.org/en-US/docs/Web/API/Window/cryp...


Probably. But in the link I posted, did you notice the qualifier "as secure as your browser's implementation of the Web Cryptography API"? Also, AIUI, Webkit implements no PRNG so some Webkit-based browsers might have stupid implementations of the SubtleCrypto object.

The thing is, there is a chain of things you have to trust wrt the LP generator: Has the OS implemented the backend API correctly? Were there issues in the browser build that mess up the entropy derived from the OS seed? Has the Javascript done anything stupid?

In comparison, I have complete confidence in the entropy of the passwords I generate via CLI.

Wrt. password length: yes you can change it. But the dialog is a bit of inconvenience that tilts away from the hassle of switching to my terminal and typing "suggest-password". And I have something of a moral objection to password generators that default to insufficient entropy.


Regarding your issue with LastPass, I use Dashlane and those issues used to plague me when I first started using it (~2 years ago). I recently noticed though that it's gotten way better.



