How is it a PITA to move off lastpass? I switched to Bitwarden and it was a piece of cake. Exported all passwords. Imported all passwords. Pretty much all password managers can import/export as a CSV or similar.
I tried migrating from LP to BW and got import errors. Bitwarden's error message was very vague (along the lines of "sorry, something went wrong") and I haven't been able to track down what entries were causing the issue. I've tried 3 or 4 times including trying to reproduce with subsets of the full collection but it's too much of a pain with hundreds of accounts and I so far haven't been motivated enough to manually transfer them or to write a selenium script to do it automatically.
Moving to vaultwarden (the open bitwarden server implementation) was also really easy. Just installed the package in Arch, setup the vhost in nginx, put the vhost into my local DNS and slightly adjusted the vaultwarden config file. Now I use bitwarden clients everywhere and point them to my server.
Since I don't feel 100% comfortable having my self hosted things on a public IP, I put it only on my LAN. For remote access (e.g. phone) I use wireguard.
Just check your data after re-importing the passwords. LastPass sometimes has issues with the export (see elsewhere in this thread) and does not export attachments at all. You have to move attachments manually.
You can't export all the passwords, some extra fields are not exported by LastPass, so there is your PITA when some site asks a security question you had an answer to in that unexported field
It's really not. As the quality of their software declined severely starting around 4-5 years ago, I put off moving because I assumed it would be a huge hassle. It turned out to be surprisingly easy. I have since deleted my LastPass account and wouldn't trust that company to mop my floors.
I don‘t think the quality of the product was any better previously; they were the first to offer cloud hosted password management as far as I remember and that, plus being cheaper than 1Password last time I compared, are their only benefits in my opinion.
How smooth is the hotkey autofill experience? Does it identify websites and fill out login forms properly? (I prefer not to rely on sites' "remember me" boxes or ephemeral cookies).
In Android, I use Keepass2Android Password Safe app by Philip Crocol. As far as my experience goes, it is quite smooth and for the most part it is able to fill out the login form properly.
I'm using keepass2android offline on Android, with the password file synced using syncthing. Works great.
It also has autofill that comes up in any supported app when it recognizes a password field that it can autofill. Quite seamless.
It also took a little mucking around to install it's custom keyboard and I had to run some adb command to give it permission to auto-switch keyboards, but now it's setup it's pretty good.
You can open an entry in keepass2android, then it will auto-activate the keyboard and you get buttons so you can auto-type any field from that entry into anything.
On Windows I'm using KeepassXC and the KeepassXC browser extension. It hasn't been perfect, I had to manually enable simple http auth for that to work, and sometimes it seems to miss login fields.
Also I had to manually add the URL for some existing sites (I was using KeePassDroid only on Android before so the URL entries weren't filled).
There's no way I could find to go to a site, then I would like to just click a button and choose an existing entry to fill into it.
But once I've manually added the URL entries, it's pretty seamless and auto-recognizes that there are entries that it can fill.
> We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.
Sure sounds like they found passwords or keys in the development environment breach back in August, and nobody bothered to change those after knowing they were hacked.
Password managers are a huge security antipattern and this will probably have to happen a couple dozen more times before infosec bloggers with affiliate marketing deals stop promoting them.
No one who uses unique passwords can remember them forever. It's a compromise of post-it notes vs managers. Either that or do account recovery every time you need to do your taxes (SOL for encrypted files though).
I sadly write passwords down, but dream of a better option.
Post-It notes are a safer option than password managers. And it's absolutely outrageous to say this: But not every single account you have needs a unique password. Just ones which can actually allow someone to impersonate you meaningfully, cost you money, or gather sensitive data about you.
Response to @palata because of rate-limiting: The problem is people tend not to only put unimportant accounts in their password managers. They also put their bank and email passwords in there, and to my true horror: People have started storing their TOTP tokens in their password managers, which effectively reimplements single-factor authentication!
I do post-it notes and a couple of master passwords for things I don't care about, so I don't disagree. I need to make 2 points though. 1, enough 'non-sensitive' data can eventually become sensitive when taken as a whole, and 2 post-it notes are less secure if they are at a place of employment, think teachers.
Maybe the best option is one of those physical access password managers like KeePass
KeePass on something normally-offline like a thumb drive is probably a decent compromise where needed, but I'd still encourage people to keep their most sensitive passwords either undocumented or partially/incorrectly documented.
Definitely not where you store your passwords! In my case, since I don't store my passwords on my phone, I have my TOTP app there, and then for backup, I print the QR codes when I set up TOTP and secure them in the physical world. Restoring my 2FA setup to a new phone is easy: I just scan through the stack of paper!
> People have started storing their TOTP tokens in their password managers, which effectively reimplements single-factor authentication!
The thing is that many services are now requiring TOTP in places where I don't want it, since I was already using a strong/unique password, and the TOTP requirement is effectively just to protect the service from having to deal with users who get their passwords stolen. If you're going to make me use TOTP where I don't want it, I'm going to automate its input.
I think you'd be drastically better off not wasting effort with a strong/unique password on places you "don't want" MFA, in favor of using MFA, which is always better at defeating an attacker than any password.
I don't use them, but my conclusion is that at least one major cloud password manager has been hacked already without any disclosure. If they disclose it, the company should logically be dead. Thus, the incentive would just be to cover it up.
Can you elaborate more? Which? Why do you think this? I also agree with you and I think it’s one that rhymes with shome paus werd. But I think it happened early in their “cloud” journey
They will at some point. A whistleblower, the attackers themselves, the leaked data showing up somewhere on a forum and getting picked up by reporters, etc. etc. At the scale at which any of the popular passwords managers operate, IMO it would be impossible to keep it a secret for long. So taking the risk of jail time only delaying the inevitable... doesn't make sense.
Most of them are build without having decrypted passwords or keys for them on server, so attacker would need to get to the point where they can craft malicious update to the client (or exploit the client)
This is a good point, but on the other hand, couldn't any application be hijacked in the same way to include a keylogger/upload plaintext password DBs stored locally by browsers/etc? Somehow this hasn't happened on a mass scale that I'm aware of.
Not exactly, because the JavaScript code can change and be delivered at ANY time. No code signature verification is involved.
An offline password manager is updated a few times a year, and will go through OS repository distribution, with verification of the signature for changes. Or you can download the software from the source website and check the signature.
Extension has the passwords so just need to suck them through a straw. Getting a keylogger on someones machine probably requires getting them to run an executable or a zero-day exploit.
This kind of thing has already happened. Chinese hackers got into the Juniper VPN source code and replaced a key pair with their own. They even updated the tests so that it would pass. This went unnoticed for years.
The core problem is really that passwords suck and should never be the entirety of authentication. Time for hardware tokens! (admittedly there are some big problems when people lose tokens, but at least that's not a problem of insecurity ;-))
Depends on how you define "insecurity". Availability is one of the pillars of security, so even your joke falls apart.
Several years ago the trendy thing to do for security was to get a USB-A security dongle and lock your important accounts with it. Nowadays, laptops from several major manufacturers no longer ship with a USB-A port, so if you need to log in again and don't have a USB-C dock handy, you're locked out until you can find one.
Isn't availability usually from the service still being accessible in a technical sense? Password lockout policies will also result in people being locked out often until manual review or the use of some (hopefully secure) second factor. With hardware tokens there just needs to be an established - and efficient - process to replace them or allow access on an ad-hoc basis for exceptional cases (a bit iffy perhaps but also possibly necessary given practicalities). There's no dispute that passwords mean you don't have to worry about things like what USB ports your laptop has, but that's mainly because of the fact they're just strings that you type in which is also their entire issue for phishing/hacking etc.
Either way, availability can be compromised by a hack due to passwords being phished and I think I'd prefer dealing with hardware tokens than the fallout of being phished or otherwise suffering credential compromise. That said at this point I probably wouldn't issue hardware tokens en masse until proper processes are in place to manage them (and their loss/breakage/etc) - it's certainly not solved to my satisfaction yet.
Sure it’ll result in a lot of issues for minor sites, but most critical services mandate 2FA. So just don’t keep your password and 2FA in these services.
There were rumors a couple years ago that this already happened to one of them.
My layperson's armchair guess is that a successful attacker would probably seek to keep it quiet.
If you were a bad person, and you got access of tons of credentials from one of the major trust-us password managers, would you:
1. Focus on finding and looting big-payout cryptocurrency stashes, as quietly as you can (so you can keep doing it longer, before news gets out of how)?
2. Sell to a state actor to use for probably high-value purposes, while keeping it quiet?
3. Something else, and would that involve keeping it quiet, or making a big noisy mess?
Most hacks, these days, seem to fall into one of three categories:
1. State actors
2. For profit criminals
3. Teens for lulz and street cred
I guess the first group would probably keep it pretty quiet. The second would keep it quiet until they've abused the data as much as they want to, then sell the remainder on the dark web. The third would make a big noisy mess right away.
How do you keep track of phony answers to security questions if they are different for each site? If it is the same phony answer for every site, it is not any safer to use real answers to the security questions.
Yup. You pretty much have to do this. I love signing into my bank's bill payment system. "You appear to know your password and possess your second factor. But what's your favorite book? <all lowercase favorite book> WRONG YOUR FAVORITE BOOK IS ACTUALLY <starts with an uppercase book> NOW YOUR ACCOUNT IS LOCKED."
Even if you're using real answers, you will be locked out of your account if you don't treat them like passwords. Eventually.
Worse yet, real answers are just weaker passwords. Mother's maiden name? Childhood friend? Elementary / high school? For a targeted attack, against most people, this is very insecure in the all information online age. Nobody needs to know your 20 character password if they have your social media page.
I generate the password and stored them in my password manager under the notes. 1Password added functionality seemingly recently to add security questions and generate a random word string that I use these days.
My work provides me with a 1Password subscription (for both work personal use) that I take advantage of that is pretty good. I think they only require you to reauthenticate with your master password once every two weeks or something. I use a PIN, biometrics, or my Apple Watch to unlock it when it timeouts in between that two week period, and I've had no problems syncing between several of my devices.
Note that you should not generate a random password like D27fX$0f7RyD for your security questions. These are designed to give to a human operator on the other end of a phone. If an attacker calls up the account recovery line, gets asked for a security question, and just says "heh, I think it was a string of random characters", there's a decent chance the human operator will let them into the account. As you say, use an actual word string (passphrase) generator, which is a bit less susceptible to this attack.
Yep, if you can choose the question, choose something like "What was your first pet's name?" and then make up something silly like "Mister Poopy Eyes" (a conceivable child-given pet name).
I used to do something like this. I avoid it now, and use a pass phrase of a few words as answers to these questions, stored as a password.
It was clear to me after I had to read such a security question answer over the phone to unlock an account the CSR was perfectly happy with "gibberish over the phone == gibberish in front of me", meaning my attempt to secure things made it less secure in the end.
Pick your three favorite movie characters for which there is a lot of information about them (name, town where they grew up, age, dog with a name, etc.). Rotate through these three. Append the name of the service. Dog's name? buddylastpass
There will be no reuse, because for Facebook it would be buddyfacebook or dugfacebook, or something else… but you will always be able to guess it in three tries. A computer system doing some kind of pentest isn't going to parse out the "facebook" or "lastpass". A human might, but that's why you rotate through three names. At the point where you have a human targeting your account and actually thinking about your inputs you are probably !@#$ed anyway.
I have a small orange password book… oddly. If that gets stolen I think I’d be in big trouble. However it doesn’t have my email address in it. Answers to those inquisitions of a password reset nature are within.
Same. I use random passwords for any required security questions. It is funny when you call customer support and they ask you to verify a security question though.
I haven't tried, but I am not on the phone with support much as I go to great lengths to avoid calling haha. The one time I had to verify my security question, I told the representative that its a long, random character string and they waited for me to open up my password manager to read it out to them.
I've certainly heard people speculate that would be the case. I always just put together 2-3 words unrelated to the question, e.g. my first grade schoolteacher is "Antique Campfire".
I've done something like this with my bank, I tell them it's a bunch of nonsense because the security question recovery is just a variation of a weak password so we'll need to validate me some other way. They always can
I was on a first date and forgot my wallet so the first place we went was the bank. I had to repeat all my info 3x. I leveled with them and pointed to my date and said I need $100. They gave me the $100.
Anecdotally I've heard of this type of social engineering working. It's probably better to use some randomly generated real words. Another poster suggested diceware.
I didn't even have to try. I was prepared to read off the random string, and the operator went with some other piece of information from my profile instead.
I think the best way to do this is to use a passphrase so that it's clear that it's not just gibberish but you have the benefit that it's random text. Obviously at the end of the day, it all comes down to the person on the other end of the phone but I suspect they'd be more suspicious of someone saying "it's a bunch of gibberish" when they can see "grumpily siberian pampers panorama unroll aloof masculine mandatory" versus "YpZVpyQHsmPATt1P" (also the former is much easier to read over the phone).
I have had this problem, and failed the security check when I told them I had to look it up. Which was a little silly because I just hung up and called back and did it again with the list in front of me.
> I ran into one once that a 6 character minimum length for the answer
This is a problem too, but at least it works if you manage to talk to a living person - even if you don't remember exactly how did you wrote something you can prove you know the answer for the security question. With 'cp359-qreor-534wej' as an answer you have no chance.
As someone who forges security questions, and at the risk of playing No True Scotsman, we keep these answers in the database with our passwords
And yeah, if we lose the database I guess we're screwed, but tbh, after ample backups, the risk of the database being leaked is way higher than the risk of losing it despite replication.
Years ago for my university student account, you were allowed to provide the question.
I figured I would never need to use it, so I set the question to "Dicks?". I was very immature and thought that was funny.
A few years later after the semester break I forgot my password. I had to email IT to reset it, and they replied "Please provide the answer to your security question: Dicks?". And I had to reply "Yes no problem, the answer is Dicks". It was an awkward email exchange, but in my defence I had immediately remembered the answer so it served its purpose.
For most people, non-technical people in particular, their biggest exploit risk is they re-use the same username and password everywhere, one website gets popped and their creds get in the open, and then people use those creds to get into everything else.
Anything that gets them to use unique, strong passwords for everything vastly improves their general security, even if they are using a third party, commercial organization.
Yep. I fell in the trap of using repeat passwords because I was lazy. One of them leaked and someone overseas started using my personal Plex server. I setup LassPass the next day and changed everything to unique strong passwords. LastPass is cross platform and the convenience is worth what the risk for personal use.
There are lots of enterprise tech stacks where you have a single (or single-as-possible) centralized secret store… it’s far from uncommon, I.e., Hashicorp Vault, AWS Secrets Manager, Google Cloud KMS.
What percentage of the population even thinks about "tech stacks"? That's the group of people who probably already is using something else. Everyone else is still catching up to not having a password that's just "password1234"
People get their credential compromised via shared passwords way more than compromises of Lastpass or Chrome or 1Password. Sure, it's a bigger risk if your manager is compromised, but for most people it's as much "eggs in one basket" as people only having one bank account which is probably true of nearly everyone.
Wiki says that some companies agree[1] that "123456" and "qwerty" are the most popular. "password" seems to generally be in the top 10.
What's interesting on these lists is the presence of Dragon and Monkey - am I mistaken or is it due to CJK users entering a Chinese character that got translated somehow? Wouldn't that mean some of the most popular passwords out there are single unicode characters? Surely not...
The alternative is spreading your eggs all over the farm, with no way to keep track of where they all are. Many will be put somewhere, then forgotten about.
For many, the ease of setup and maintenance is worth the risk.
The general population is not going to setup their own open source password manager solution. So going with an easy to use commercial password manager is better than not using one at all.
1. Have people manage their own secrets storage? Most people don't have the time or ability do this securely either. I'd rather pay someone else to secure infra, code, distribution, encryption, backups, etc. for me.
2. Reuse the same password on every site? One site gets hacked and now you're screwed.
3. Memorize a unique, long password for every site? Not feasible.
Third-party/commercial password managers are the best solution for most people, practically speaking.
It is a hard one because the only computing/memory device you have with you at all times, requires no batteries and not connected to any networks (yet) and not vulnerable to probing/observation (yet) is your brain! But memory is too unreliable unless everyone trains for it.
Crypto keys are great but you can lose them and once shared they are keys to you kingdom.
Specific security devices are great but you need to remember to have them with you. They can get lost or broken so you need backups.
Google authentication is convenient but they can ban you. It is also a 3rd party to trust.
Passwords suck but might be the best of the worst. Advantages: password managers can be used to make password useless for other sites and people conceptually understand it.
The alternative to fully cloud-based solutions would be a local, open source kdbx client (Keepass, KepassXC, etc) with the password database situated on a cloud storage (Dropbox/Google Drive/etc). This way, one gets the best of both worlds.
This can be a nice compromise, but it's not without downsides. Personally, 99% of the authenticated software I use is in my browser, and the usability of an extension that has a little badge to tell me I have an account on this site and autofill capabilities is really tough to pass up. Further, because it's an extension, it can know what site I'm on, which all but eliminates my risk of falling prey to phishing attempts.
I've never used password managers, partly because I don't trust them and partly because I've found an alternative that I feel is secure enough and more convenient. I split my passwords into two parts, one secure part that is memorized but reused and one weak part that is written down but not reused.
The main ways people are hacked are re-use of passwords and writing passwords down. If someone gets access to one of my passwords, trying it in other sites won't work. If someone finds the written parts of my passwords, that won't work either as they would need to know the secure part of the password that I memorize. I can even easily take the written part of my password with me if I want to use a password on a different computer.
The only issue with this technique would be if someone finds multiple passwords of mine, they might be able to figure out the scheme and brute force other passwords, but if someone already has multiple passwords of mine and is taking the time and effort to go after me individually then I figure I am probably screwed any which way.
Then what should folks do? The alternative is having to "run your own encryption" by running your own Password manager on your own infra or re-using passwords
Exactly what I thought too but there appears to be a lot of dislike for LastPass on HN and I’m not seeing any evidence to back it up, perhaps it’s just a dislike for cloud based solutions
Just a reminder: if you are deciding to migrate from LastPass to something else, the password export malfunctions for unknown reasons. If you have memos, it could be a character in the memo.
You must make sure the exported CSV file has everything!
This is years ago now, but every ampersand in my passwords came across wrong. I can't recall if it was missing or url encoded, but even passwords weren't safe.
I want to as well, but annoyingly there are many sites that insist on a "special" character because their strength measure says "low" for the 20 character alphanumeric string I generated %-}
My favorite is when they actually limit what special characters you can use. Must include 1 of x special characters. Why? I always just assume they baked their own password storage and couldn't figure out how to handle the whole set of special characters
Multiple times I've found that this is caused by a web application firewall that is intended to mitigate SQL injection attacks. So they disallow the characters that would commonly be used in those attacks.
On those sites, I generally insert the same fixed uppercase-and-symbol string on my zbase32ed-entropy passwords. Zbase32 tends to produce numbers already, and that combo tends to satisfy the silly sites.
This really hurt me last year, when I migrated away. I didn't realize at the time how much didn't come with, so I've been playing the reset / recovery game since.
I feel your pain. I switched to KeePassXC, and will never use an online password manager again.
For a password management company, they can't even be bothered to fuzz their export functionality. QuickCheck works unreasonably well on `import(export(a)) == a`.
But maybe it's intended to be buggy, in order to keep you in their walled garden. Clearly the sync between devices works, so they have solved this problem.
> Clearly the sync between devices works, so they have solved this problem.
Presumably they don't use CSV to sync, they're using a saner json/etc. data structure that they're not letting us export ourselves. Seriously, being limited to CSV in this day and age...
Also if you try to export multiple times it will start spitting out exports full of duplicates. Only safe way is to export right after a fresh session login.
I moved to 1password a few years ago and haven't regretted it for a second. I still have Lastpass installed, but it's probably getting to the point I can delete it.
I moved to BitWarden a year ago after a billing problem with LastPass that their support handled badly. I haven't had any problems with the migrated data and I finally deleted my LastPass account last month.
* custom "items", so instead of "Password", I also have my own
* attachments, which I know 100% are not exported. There is a CLI app to help with that, but still horrible
* I have large notes with weird characters, which makes me concerned if they will be exported properly
* Last time I checked, the CSV seemed very broken (not respecting the standard), I'd be surprised if it imports properly
That's the reason why I haven't moved.
I'd move to bitwarden, but the lack of tags is too much for me. I use tags everywhere, I don't want to deal with directories anymore, so 1Password it is.
As today I attempt to perform the migration, their export to CSV outputs a CSV with 2 lines of my 700+ passwords.
The HTML in the page shows a lot of items, but if I save directly from there, it's poorly formatted, it won't import anywhere.
Last I checked, they still didn't have a useful Content-Security-Policy header on their Web Vault (which would prevent XSS), and also didn't have a way to separate "being logged into the extension" from "being logged into the Web Vault".
It’s the worst desktop software I’ve used in several years. The UX makes no sense, it’s full of bugs, it performs badly, they’ve had multiple breaches. I can’t think of a single thing it does that’s even approaching average, let alone good.
Well, this completely explains where one of my Truecrypt volume passwords disappeared to after migrating away from LastPass years ago. Too bad the account has long since been deleted.
1Password. The largest feature disparity is 1password is designed and built by competent engineers. The history of breaches and technical mistakes Lastpass has made over the years is amazing for a tech company let alone a password manager.
How is the user experience though? "Designed and built by competent engineers" is reassuring in the face of security breaches, but often means it's less convenient to interact with on a day-to-day basis.
1Password has the best UI/UX of any that I've used. It's clean, pretty, and solid in my experience. Honestly it's a joy to use which I prioritize in the software I choose to use daily.
Used BitWarden for years, happy with it. Recently switched to Nord Pass, also happy with it. Not sure about feature disparity though, just mentioning some ideas in case you're researching alternatives.
My wife and I switched from Lastpass to Bitwarden early this year. Glad we did, considering all the news! Password sharing is different, since you have to make a group/organization and share the password in there. But once that was figured out, it's been a better experience with less bugs. It doesn't look slick, but it's more functional.
I just exported my own vault with the latest version, it was ok for me. I have plenty of passwords with all kinds of special characters. Still, be sure to review the CSV file. If anything looks weird, double check that the password is the same in your LastPass vault. As with all backups/exports, you should always do a sanity check of the data.
One issue I ran into: the CSV file that "downloaded" in the browser didn't have all of my passwords, only about ~20 of ~400. I had to copy and paste the CSV text in the browser to a new CSV file with a text editor. But upon reviewing that, the format of the passwords was fine.
I had a problem not with the password data but with the content of some notes (or whatever it is called in LastPass)
I have been a paying customer of Lastpass for about 15 years. I moved to Bitwarden for all sorts of reasons. I work in technical information security so it was also for that teason (but not only)
Maybe I lucked out? I migrated to Bitwarden early this year and so far all of my passwords have worked. I also made sure to compare the site entries in both. One thing that can't transfer were attachments in LastPass secure notes. So I had to download each one individually and upload them to Bitwarden.
Yeah, in any migration—if you can—it's good practice to run both simultaneously for a while until you're convinced you've checked everything and you're ready to drop the old for the new without much downtime.
Kudos to the CEO for disclosing this as it's happening and writing the post. This disclosure post is direct, forthright about what's known, specific about engaging help, and explicit about notifying people as more happens. Hacking sucks, but the CEO's post is IMHO on the right track.
Ridiculous take. Absolutely zero kudos because it was obvious to everyone that this was the most likely outcome way back in August. Back in August the company issued a bullshit statement that they'd ruled out that the intruder accessed customer data. Now they are saying they did lose customer data.
They known enough to say "We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information."
I'd want to know what information they have gained access to.
I used to be a lastpass customer a few years ago, until I switched to Bitwarden. Can you tell me that you actually delete users data when they delete their account? Or do you keep backups which were also hacked? i.e. are your ex-customers also affected?
The one where you can just launch chrome and click the eyeball icon to see what the password is? Or does chrome have something fancier I am not aware of?
I’m disappointed, but I can’t say I’m surprised. I once tried to contact their support team after getting effectively locked out of my account, only to have the support form return a 5XX error upon submission. I dropped them right then and there.
I'm not sure if they fixed it, but in the past any process that was running in your user account or admin on your PC could dump the plaintext of this trivially, for many years.
Reply to @jeffbee: You basically have to have that threat model, because ordinary users are running dozens of untrustworthy processes on their machines. Real world security has to assume the user is not a security expert.
A process running as my user or admin on my PC can also just inject input events to transfer money out of my bank account. You cannot have a useful threat model that models yourself as a threat.
If you're a lastpass user, might be wise to avoid logging into lastpass until they update with a resolution - if the attackers got into the build server they could craft attacks that would exfiltrate passwords after user decrypts
LastPass is architectured so that your master password is never sent to their servers. Decryption of your vault happens locally on your device. Maybe such an attacker might get your email address (username).
Is there a web UI ? If yes - I guess an attacker can just send "bad" JS to the client and steal the master password no? Or inject a malicious update. Most people probably have auto updates?
Yes, this is one of the concerns. In theory a browser addon should take a while for the bad guys to update and publish, but are the existing addons downloading and using server-provided JS? One would hope not, but that's hardly a safe assumption these days. I know Mozilla takes a pretty hard stance against this sort of thing, but it's not all caught in review. And then there's the electron style apps - those should be static too, right? right?? Also not a safe assumption. And yes, there is a pure-web UI where the code is downloaded from their servers.
> are the existing addons downloading and using server-provided JS? One would hope not, but that's hardly a safe assumption these days
This reminds me of a very brief security review I did of a 3rd-party browser extension that was being installed on everybody's laptop at a previous job. The extension itself had very little code, it was just something that bootstrapped with code from the company's servers. There was no real way to review it or freeze a reviewed version.
The kicker was that the server-provided JS was being loaded over plain http (and no, nothing was checking signatures or anything like that).
I think I misread the initial comment. Yes, if the build server is compromised code could be injected into the next build/release cycle to pilfer your master password. Not only that, but also anything else in the vault since it is decrypted locally and visible to the extension.
Still, local decryption is more secure than sending the master password to the server (so, just compromising the server holding your vault wouldn't be enough to steal your password). I think I will switch to BitWarden which uses the same approach, LastPass seems to be getting hacked alot nowdays.
Are you certain bitwarden has not? I read a thread here some time ago where 1password was bragging that they have never been breached, and someone basically commented back "they have never been breached that they are aware of".
I am concerned at some level on the lastpass breaches, but I am less affected so far than I have been by the equifax, target, and t-mobile breaches. I have had years of free credit monitoring since each one of those handed out enough data to compromise my identity several times over.
Wouldn't the devs know if a malicious LoC had been built into the client and distributed to take master passwords from the browser? Idk much about browser extensions, but I think they would have been able to figure out if something malicious went out to last pass clients, no?
Fuck. If you're a lastpass user, you kind of don't have a choice. I can't log into accounts I use for socializing, work, banking, etc. without lastpass
I just spent a couple of hours resetting my most important passwords and writing them down on paper.
Won’t be touching LastPass again except offline, while I figure out where to go from here. I had been putting off finding a better password manager, but this is the last straw.
Basically the entire password manager space is the result of "security fatigue". Telling everyone that every single unimportant website they log into requires a unique high security password makes people use bad solutions that make their security worse, like storing all their passwords in a cloud-based single point of failure.
when you have an employee leave your company can you reroll or disable all their work account passwords in keepass? (no; this is good for the user and not useful for the org, but that’s the use case.)
Yes. Because their passwords should be linked only to their own work accounts and not be shared passwords. Even if you used lastpass at work, nothing stops an employee from storing it again somewhere else.
That's not far enough outside the bubble. People just reuse passwords, or add a suffix to a base password, or forget their passwords and email reset each login.
Time for hardware tokens based on DNA, so that nobody gets online unless they are exactly and uniquely who they are, and fully trackable from all points of contact. To get in, you must have the token. Bad actors lose access similar to jail time. Unless they can hack their DNA to be unique again, they don't get back in except on parole or after punishment.
My guess is this way of solving old problems may create new ones due to that pesky problem called human nature.
DNA is easier to lift from unsuspecting victims than it is to hack your alphanumeric code. Thought theft at scale with DNA based systems would be hard. Unless, you’re the government, in which case, good luck.
"This comes just months after LastPass confirmed that hackers had stolen some of its source code in August and had access to LastPass’ internal systems for four days before getting detected. It looks like this new attack is connected, as Loubba says it determined that hackers gained access to user data “using information obtained in the August 2022 incident.”"
Just read it looking for that extra info and not seeing it? the blog post and this article seem to have the identical information in them. The blog post is in a series, so for background on the "four days in august" you can scroll down.
it's certainly not acceptable that all they are saying is "certain elements of our customers’ information." very unacceptable, if it's credit card numbers or home addresses, they have to reveal that. the current language makes it look like they want to hide some kind of very bad news which is worse. Also their August post indicated that the developer account that was compromised had no access to customer data, so why exactly was that wrong.
Perhaps the attacker determined how the software interacts with customer information, by reading the source code, and was able to exploit the information somehow.
The current update fits pretty well exactly on my screen, so I saw no hints that it was a series. After seeing the usual corporate speak and signoff, I assumed that was it.
I went looking in their history of posts for more information on the August incident but couldn't find anything, as the older installments do not show up individually.
These probably won't replace password managers, just result in passkey managers... Dashlane already supports passkeys & 1password just announced intent to support soon.
You get some form of cross-platform sync. Apple, Google, and so on each have syncing, but in their ecosystem only. You can break out with the QR codes, but this might not be the preferred solution to some.
They're essentially certificates, so most implementations will only store them on-device, and most implementations I've seen seem to favor the phone as the device you use.
It really depends on the platform - but in short you'll either need a phone, or be locked into an ecosystem (browser, OS, etc) making using them on multiple devices & browsers difficult or impossible. A password manager supporting passkeys makes this easy as you can 1-click generate a passkey, and 1-click sign-in to services from any device or browser.
Given that Apple and Google (at least) are collaborating on a shared standard, shouldn't lock-in to an ecosystem not be a thing?
And: does using a third-party passkey manager open up passkeys to the same security issues as password managers? Specifically, more than remaining within the Apple-or-Google-supplied system?
It's shared standard in the sense that all implementations will be the same, AFAIK passkeys you generate on iOS systems aren't easily used on windows ones, etc. Or they'd require scanning a QR code from a phone which IMO sucks when a password manager has it in the browser already.
Also what security issues with password managers? There's some potential concerns with extension-based over OS based systems, but if your device is compromised where someone can actually access memory then they'd both be equally void to some extent, AFAIK there's nothing seriously concerning security wise on a password manager vs keychain, etc.
I feel like passwords can be way too sensitive to entrust to a third party. Even if you can verify that it is secure, you could still find yourself in a jam if their service goes down or is otherwise inaccessible.
You don't have to worry about any of this with a KeePass database. You just have to deal with the very mild inconvenience of keeping your database synchronized across devices.
> You just have to deal with the very mild inconvenience of keeping your database synchronized across devices.
Which is pretty easy with SyncThing. Other services like Dropbox are also fine if you have a sufficiently high entropy password. The danger isn't in the "online", but a third party being able to decrypt your passwords.
"Other services like Dropbox are also fine if you have a sufficiently high entropy password"
That's why you add that binary key file to the mix that you liberally distribute to all your devices. But that you carefully keep far off your sync platform. The danger of a weak password is when a device falls into the wrong hands, a compromised sync platform is much less of a concern (if the file is in the mix).
This, very much so. I use KeepassXC (Strongbox on iOS) with Seafile to sync the database files. It's only gotten better over the years, and I'd rather see my donation money go directly to the developers than get slurped up into some SaaS that doesn't care about me or security anyway.
Does your sync setup work in realtime in the background? Earlier this year I was evaluating iOS devices and a showstopper was the apparent inability to have keepass database updates push-synced: the closest I got was a scheduled copy of the file at a given time daily, but my nightmare was making a change on one device, needing that change on the iOS device, having it not be there, and not having network to go fetch it. It'd be neat if you've got a way to make this work more like Syncthing on Android.
No, that's a limitation in the setup but it's something I am willing to live with. I can make edits on my computer and "pull" them onto my phone, but not the other way around.
However I think this is a limitation of the app itself more than a limitation of the system in principle. As far as I can tell, the developer decided to only support a couple of the most popular cloud sync platforms. Maybe guess there is no consistent API for that sort of thing in iOS.
I use a combination of a local only solution for the "master list" of passwords that I backup to cloud storage (which is not synced to my phone) in conjunction with the saved passwords & sync capabilities of Firefox for accessing it on my phone. Occasionally I'll be in a position where I'm on my phone and Firefox doesn't happen to have my latest password saved, so I just initiate a password reset for whatever that service is, set it to a new password, and then circle back later when I'm back on my machine to update my local only storage solution. It's not the most streamlined and user friendly, but it works well enough.
As mentioned throughout this thread, Syncthing can seamlessly sync between Android phones and Windows/Linux hosts. There are apps for iOS as well, but they can be a bit more finicky due to Apple's app sandbox implementation.
I haven't touched KeePass in a while(especially since it always had its quirks outside of Windows, being .NET), but KeePassXC which started as a merger of all the various patches to KeepassX(the QT implementation), has been very active. It has a more secure browser integration than the original had, although it's worth noting that nothing ever came close to the accuracy of 1Password when it comes to website quirk integration[1]. There's also TouchID, OTP, better encryption and Yubikey integration of the top of my list.
I'd suggest using it in conjunction with Keepass2Android and KyPass(on iOS, someone mentioned Strongbox), although the Keepass2Android syncs and merges properly and the iOS does not.
> you could still find yourself in a jam if their service goes down
This is true for many password managers that sync with the cloud. I use 1Password and I've made sure that I install apps on at least a couple of devices because the apps a local copy of the password data that can be accessed offline.
I've done that with another password manager that I used in the past too.
I used KeePass in the past and would likely still be using it if I didn't get 1Password free (free family account if your employer has a business account) and if I didn't need to have secure sharing with my wife.
Let me know if you know of a secure, convenient way to share password entries with another person using KeepPass that doesn't involve you sharing the your whole password database. I know you can have yet another password database that only contains shared records... but that definitely fails the convenience factor.
Yes, if you can keep your password local it's still the best option.
Sadly, once your use case becomes complicated and you need to share between devices, and potentially have partial sharing between people (e.g. your spouse, your parents etc.), it becomes a nightmare to manage. In particular trying to explain how sync is supposed to work with a third party on iOS is just pain.
I'm eyeing at self-hosted BitWarden instances, but then I kinda fear to someday be the one shooting myself in the foot and nuking everyone's literally life critical credentials...
586 comments
[ 2.6 ms ] story [ 377 ms ] threadThis is frustratingly vague. This incident started 4 months ago, and you can't provide any details?
If it wasn't such a PITA to move off LastPass, I would do so. They got me.
Convincing my wife and colleagues to all switch simultaneously isn't feasible unless this data fiasco gets worse.
Since I don't feel 100% comfortable having my self hosted things on a public IP, I put it only on my LAN. For remote access (e.g. phone) I use wireguard.
It's really not. As the quality of their software declined severely starting around 4-5 years ago, I put off moving because I assumed it would be a huge hassle. It turned out to be surprisingly easy. I have since deleted my LastPass account and wouldn't trust that company to mop my floors.
Any compatible Android app?
Several, I personally like KeePassDX but Keepass2android is also there, possibly others I don't know about.
It also has autofill that comes up in any supported app when it recognizes a password field that it can autofill. Quite seamless.
It also took a little mucking around to install it's custom keyboard and I had to run some adb command to give it permission to auto-switch keyboards, but now it's setup it's pretty good.
You can open an entry in keepass2android, then it will auto-activate the keyboard and you get buttons so you can auto-type any field from that entry into anything.
On Windows I'm using KeepassXC and the KeepassXC browser extension. It hasn't been perfect, I had to manually enable simple http auth for that to work, and sometimes it seems to miss login fields.
Also I had to manually add the URL for some existing sites (I was using KeePassDroid only on Android before so the URL entries weren't filled).
There's no way I could find to go to a site, then I would like to just click a button and choose an existing entry to fill into it.
But once I've manually added the URL entries, it's pretty seamless and auto-recognizes that there are entries that it can fill.
Overall I'm very happy with the whole setup.
Sure sounds like they found passwords or keys in the development environment breach back in August, and nobody bothered to change those after knowing they were hacked.
I sadly write passwords down, but dream of a better option.
Response to @palata because of rate-limiting: The problem is people tend not to only put unimportant accounts in their password managers. They also put their bank and email passwords in there, and to my true horror: People have started storing their TOTP tokens in their password managers, which effectively reimplements single-factor authentication!
Maybe the best option is one of those physical access password managers like KeePass
The thing is that many services are now requiring TOTP in places where I don't want it, since I was already using a strong/unique password, and the TOTP requirement is effectively just to protect the service from having to deal with users who get their passwords stolen. If you're going to make me use TOTP where I don't want it, I'm going to automate its input.
https://www.reddit.com/r/1Password/comments/lkfg5p/what_happ...
Now that's not to say that something can't be sneaked into other work! But the bar is a bit higher than "take over a dependency"
2. Inject code in build to export user's passwords to remote server after update is installed
An offline password manager is updated a few times a year, and will go through OS repository distribution, with verification of the signature for changes. Or you can download the software from the source website and check the signature.
Several years ago the trendy thing to do for security was to get a USB-A security dongle and lock your important accounts with it. Nowadays, laptops from several major manufacturers no longer ship with a USB-A port, so if you need to log in again and don't have a USB-C dock handy, you're locked out until you can find one.
Either way, availability can be compromised by a hack due to passwords being phished and I think I'd prefer dealing with hardware tokens than the fallout of being phished or otherwise suffering credential compromise. That said at this point I probably wouldn't issue hardware tokens en masse until proper processes are in place to manage them (and their loss/breakage/etc) - it's certainly not solved to my satisfaction yet.
My layperson's armchair guess is that a successful attacker would probably seek to keep it quiet.
If you were a bad person, and you got access of tons of credentials from one of the major trust-us password managers, would you:
1. Focus on finding and looting big-payout cryptocurrency stashes, as quietly as you can (so you can keep doing it longer, before news gets out of how)?
2. Sell to a state actor to use for probably high-value purposes, while keeping it quiet?
3. Something else, and would that involve keeping it quiet, or making a big noisy mess?
1. State actors
2. For profit criminals
3. Teens for lulz and street cred
I guess the first group would probably keep it pretty quiet. The second would keep it quiet until they've abused the data as much as they want to, then sell the remainder on the dark web. The third would make a big noisy mess right away.
(I may be mistaken, but I do know it was absolutely the last time I gave a company true information for security questions).
Even if you're using real answers, you will be locked out of your account if you don't treat them like passwords. Eventually.
!%!%example.com%!%!
It was clear to me after I had to read such a security question answer over the phone to unlock an account the CSR was perfectly happy with "gibberish over the phone == gibberish in front of me", meaning my attempt to secure things made it less secure in the end.
There will be no reuse, because for Facebook it would be buddyfacebook or dugfacebook, or something else… but you will always be able to guess it in three tries. A computer system doing some kind of pentest isn't going to parse out the "facebook" or "lastpass". A human might, but that's why you rotate through three names. At the point where you have a human targeting your account and actually thinking about your inputs you are probably !@#$ed anyway.
…apparently.
could not login into the customer portal because he lost/forgot the password
could not perform the password recovery procedure because his answer for the security question is some nonsense like 'blade-purge-satin-dash'
*shrug_emoji*
I ran into one once that a 6 character minimum length for the answer.
> I ran into one once that a 6 character minimum length for the answer
This is a problem too, but at least it works if you manage to talk to a living person - even if you don't remember exactly how did you wrote something you can prove you know the answer for the security question. With 'cp359-qreor-534wej' as an answer you have no chance.
A few years later after the semester break I forgot my password. I had to email IT to reset it, and they replied "Please provide the answer to your security question: Dicks?". And I had to reply "Yes no problem, the answer is Dicks". It was an awkward email exchange, but in my defence I had immediately remembered the answer so it served its purpose.
Anything that gets them to use unique, strong passwords for everything vastly improves their general security, even if they are using a third party, commercial organization.
that's why it's baffling. The convenience is outweighed by the possible loss.
People get their credential compromised via shared passwords way more than compromises of Lastpass or Chrome or 1Password. Sure, it's a bigger risk if your manager is compromised, but for most people it's as much "eggs in one basket" as people only having one bank account which is probably true of nearly everyone.
it's even worse than that. The world's most common password is... password.
What's interesting on these lists is the presence of Dragon and Monkey - am I mistaken or is it due to CJK users entering a Chinese character that got translated somehow? Wouldn't that mean some of the most popular passwords out there are single unicode characters? Surely not...
[1] https://en.wikipedia.org/wiki/List_of_the_most_common_passwo...
Do you really think that’s safer?
The general population is not going to setup their own open source password manager solution. So going with an easy to use commercial password manager is better than not using one at all.
1. Have people manage their own secrets storage? Most people don't have the time or ability do this securely either. I'd rather pay someone else to secure infra, code, distribution, encryption, backups, etc. for me.
2. Reuse the same password on every site? One site gets hacked and now you're screwed.
3. Memorize a unique, long password for every site? Not feasible.
Third-party/commercial password managers are the best solution for most people, practically speaking.
Crypto keys are great but you can lose them and once shared they are keys to you kingdom.
Specific security devices are great but you need to remember to have them with you. They can get lost or broken so you need backups.
Google authentication is convenient but they can ban you. It is also a 3rd party to trust.
Passwords suck but might be the best of the worst. Advantages: password managers can be used to make password useless for other sites and people conceptually understand it.
It is quite a hard problem!
Obviously doesn't work for many sites cause people are still convinced passwords are good.
The main ways people are hacked are re-use of passwords and writing passwords down. If someone gets access to one of my passwords, trying it in other sites won't work. If someone finds the written parts of my passwords, that won't work either as they would need to know the secure part of the password that I memorize. I can even easily take the written part of my password with me if I want to use a password on a different computer.
The only issue with this technique would be if someone finds multiple passwords of mine, they might be able to figure out the scheme and brute force other passwords, but if someone already has multiple passwords of mine and is taking the time and effort to go after me individually then I figure I am probably screwed any which way.
You must make sure the exported CSV file has everything!
oh wow, what a surprise.
For a password management company, they can't even be bothered to fuzz their export functionality. QuickCheck works unreasonably well on `import(export(a)) == a`.
But maybe it's intended to be buggy, in order to keep you in their walled garden. Clearly the sync between devices works, so they have solved this problem.
Presumably they don't use CSV to sync, they're using a saner json/etc. data structure that they're not letting us export ourselves. Seriously, being limited to CSV in this day and age...
https://news.ycombinator.com/item?id=15756044
I want to move but I'm terrified of the export process
* custom "items", so instead of "Password", I also have my own * attachments, which I know 100% are not exported. There is a CLI app to help with that, but still horrible * I have large notes with weird characters, which makes me concerned if they will be exported properly * Last time I checked, the CSV seemed very broken (not respecting the standard), I'd be surprised if it imports properly
That's the reason why I haven't moved.
I'd move to bitwarden, but the lack of tags is too much for me. I use tags everywhere, I don't want to deal with directories anymore, so 1Password it is.
I... would definitely not recommend them, no.
They seem to have a CLI to export attachments!
One issue I ran into: the CSV file that "downloaded" in the browser didn't have all of my passwords, only about ~20 of ~400. I had to copy and paste the CSV text in the browser to a new CSV file with a text editor. But upon reviewing that, the format of the passwords was fine.
I have been a paying customer of Lastpass for about 15 years. I moved to Bitwarden for all sorts of reasons. I work in technical information security so it was also for that teason (but not only)
There was some apparently compatible rust implmementation in PostgreSQL tho...
I self host it for a year or two and it is a single container. The BW officer docker distribution is a nightmare.
Add to that a proxy with caddy and you get a great solution.
EDIT to correct: Thanks to the link posted by u/voganmother42, this is indeed related!
I'd want to know what information they have gained access to.
Reply to @jeffbee: You basically have to have that threat model, because ordinary users are running dozens of untrustworthy processes on their machines. Real world security has to assume the user is not a security expert.
Anyway - it's not a good position to be in.
This reminds me of a very brief security review I did of a 3rd-party browser extension that was being installed on everybody's laptop at a previous job. The extension itself had very little code, it was just something that bootstrapped with code from the company's servers. There was no real way to review it or freeze a reviewed version.
The kicker was that the server-provided JS was being loaded over plain http (and no, nothing was checking signatures or anything like that).
Still, local decryption is more secure than sending the master password to the server (so, just compromising the server holding your vault wouldn't be enough to steal your password). I think I will switch to BitWarden which uses the same approach, LastPass seems to be getting hacked alot nowdays.
I am concerned at some level on the lastpass breaches, but I am less affected so far than I have been by the equifax, target, and t-mobile breaches. I have had years of free credit monitoring since each one of those handed out enough data to compromise my identity several times over.
Edit: hadn't considered that addons also autoupdate by default when back online.
Won’t be touching LastPass again except offline, while I figure out where to go from here. I had been putting off finding a better password manager, but this is the last straw.
My guess is this way of solving old problems may create new ones due to that pesky problem called human nature.
If so, at least bad actors won't have the incentive to cut off your finger or pull an eye out as with the other biometric authentication options :')
And to the OP, any shared secret that you cannot change in case of compromise is kind of a bad idea.
"This comes just months after LastPass confirmed that hackers had stolen some of its source code in August and had access to LastPass’ internal systems for four days before getting detected. It looks like this new attack is connected, as Loubba says it determined that hackers gained access to user data “using information obtained in the August 2022 incident.”"
https://www.theverge.com/2022/11/30/23486902/lastpass-hacker...
it's certainly not acceptable that all they are saying is "certain elements of our customers’ information." very unacceptable, if it's credit card numbers or home addresses, they have to reveal that. the current language makes it look like they want to hide some kind of very bad news which is worse. Also their August post indicated that the developer account that was compromised had no access to customer data, so why exactly was that wrong.
The current update fits pretty well exactly on my screen, so I saw no hints that it was a series. After seeing the usual corporate speak and signoff, I assumed that was it.
I went looking in their history of posts for more information on the August incident but couldn't find anything, as the older installments do not show up individually.
It really depends on the platform - but in short you'll either need a phone, or be locked into an ecosystem (browser, OS, etc) making using them on multiple devices & browsers difficult or impossible. A password manager supporting passkeys makes this easy as you can 1-click generate a passkey, and 1-click sign-in to services from any device or browser.
And: does using a third-party passkey manager open up passkeys to the same security issues as password managers? Specifically, more than remaining within the Apple-or-Google-supplied system?
Also what security issues with password managers? There's some potential concerns with extension-based over OS based systems, but if your device is compromised where someone can actually access memory then they'd both be equally void to some extent, AFAIK there's nothing seriously concerning security wise on a password manager vs keychain, etc.
I feel like passwords can be way too sensitive to entrust to a third party. Even if you can verify that it is secure, you could still find yourself in a jam if their service goes down or is otherwise inaccessible.
You don't have to worry about any of this with a KeePass database. You just have to deal with the very mild inconvenience of keeping your database synchronized across devices.
Which is pretty easy with SyncThing. Other services like Dropbox are also fine if you have a sufficiently high entropy password. The danger isn't in the "online", but a third party being able to decrypt your passwords.
Is SyncThing available for iOS? I thought it wasn’t but I’d love to be wrong.
But maybe I misunderstand the situation.
That keeps the whole database file synchronized, sure. But KeePass synchronizes at the level of each entry.
That's why you add that binary key file to the mix that you liberally distribute to all your devices. But that you carefully keep far off your sync platform. The danger of a weak password is when a device falls into the wrong hands, a compromised sync platform is much less of a concern (if the file is in the mix).
However I think this is a limitation of the app itself more than a limitation of the system in principle. As far as I can tell, the developer decided to only support a couple of the most popular cloud sync platforms. Maybe guess there is no consistent API for that sort of thing in iOS.
That said I agree with you I would never use a cloud-only store for passwords!
It is not fun having to type a 30+ character password consisting uppercase+lowercase letters, numbers and special characters on a mobile device.
But it has helped me to keep my phone clutter free, so maybe there's an upside to it too :)
I find that it's much faster to type an all lowercase password that's a bit longer to get the same strength.
For HN crowd that is likely easy. (I also use that solution)
I'd suggest using it in conjunction with Keepass2Android and KyPass(on iOS, someone mentioned Strongbox), although the Keepass2Android syncs and merges properly and the iOS does not.
[1] https://keepassxc.org/project/
In my comment I used KeePass to refer to the database and not the specific application I use to manage it.
This is true for many password managers that sync with the cloud. I use 1Password and I've made sure that I install apps on at least a couple of devices because the apps a local copy of the password data that can be accessed offline.
I've done that with another password manager that I used in the past too.
I used KeePass in the past and would likely still be using it if I didn't get 1Password free (free family account if your employer has a business account) and if I didn't need to have secure sharing with my wife.
Let me know if you know of a secure, convenient way to share password entries with another person using KeepPass that doesn't involve you sharing the your whole password database. I know you can have yet another password database that only contains shared records... but that definitely fails the convenience factor.
Sadly, once your use case becomes complicated and you need to share between devices, and potentially have partial sharing between people (e.g. your spouse, your parents etc.), it becomes a nightmare to manage. In particular trying to explain how sync is supposed to work with a third party on iOS is just pain.
I'm eyeing at self-hosted BitWarden instances, but then I kinda fear to someday be the one shooting myself in the foot and nuking everyone's literally life critical credentials...