Why would LastPass let you "unsubscribe" from critical security emails like "hey you're gonna be locked out"? Or have they tied critical emails to marketing garbage emails in their communication preferences?
Hate to say it but these remaining users were and are fools for not having jumped ship like yesterday. This is not a serious + competent password manager product/company. Hopefully they had backups or they are in for a world of hurt dealing with the worse mess of being stuck in such an absurd loop.
It does require effort though.
Migrating the passwords is a thing in the process, but there is also finding a good alternative first, that integrates well the softwares one uses, getting used to new UI, new shortcuts, new bugs, etc.
All in all, it does take (much) more than 30 minutes.
I hear you, and generally you are correct, but migrating from LastPass to BitWarden (and setting up the extension to work exactly the way I liked LastPass to work) truly did take 30 minutes. I wasn't expecting 100% feature parity but it's there. What took the longest was discovering CTRL+SHIFT+L is the shortcut to auto-populate username/password in forms. Pressing it again will cycle to the next account in the vault.
It’s great on iOS! It integrates into the password manager just like LastPass did, so you get the “Passwords” button or the account name. If you have faceID or touchID set up, it’ll auto auth you and autofill the password. Bitwarden is seriously almost a drop in replacement. The biggest difference is the extension settings in browsers don’t autofill by default in the same way as LastPass. Also you can self host bitwarden (what I do).
Any shortcuts used by extensions based on the WebExtensions API are changeable. If you're on Firefox, press Ctrl+Shift+A (or go to about:addons), open the gear menu, and click "Manage Extension Shortcuts".
You don't have to achieve all at once. First migrate to a competent service before getting locked out of your secrets. Then you should change all passwords just in case there is a LP dev db leaking somewhere. Then you can investigate what that particular service does for you in terms of workflow and migrate later if you find one that better suits your needs.
That happened to me only because I imported the file twice or three times, thinking records would be overwritten when they completely matched. Oh, and because it also imported deleted (but not flush/emptied out) entries, which in hindsight I found it to be a good practise. Aside from that, importing was straightforward and categorizing the many uncategorized entries a breeze compared to LastPass.
Glad you had an easy go of it. It messed a lot of things up for me and I had to ultimately cobble together a bunch of scripts that would find the mistakes so I could go in and manually correct each one (with like three extra clicks than necessary for each operation because Bitwarden's UI is trash). I think people who only used really basic LastPass features may not have had those problems. But I had LastPass Family with sharing and folders and it was a massive mess because the LastPass export was buggy and then incomplete. And Bitwarden is not able to iterating on fixing imports so you're stuck manually correcting import errors and duplicates. Not to mention that editing and updating in Bitwarden is a real pain in the ass because bulk operations are missing. I was really shocked at how shitty Bitwarden's database tools are when I actually had to try and use them.
It took me 30 minutes to do this process as well. Then it took days and weeks to find a bunch of corner cases that Bitwarden missed. At the same time it took me a few weeks to realize that I just don't like Bitwarden's UX. Their mobile app is just bad. Its slower than competitors, common actions take more button clicks, and the UI doesn't look good (it looks like it was built by programmers for programmers). Combining that altogether meant I couldn't move my family onto Bitwarden and my migration was a wasted effort.
BitWarden didn’t lose any of my passwords (which is what I assume you meant by “corner cases”), and their UX on Chromium and iOS are about on par with LastPass, so I’m not quite sure the difficulties you may have experienced. And while BitWarden’s iOS app isn’t well optimized, considering its a FOSS solution I am more than happy with that minor trade-off. I also haven’t had any trouble moving others onto it, even the more tech-illiterate people in my life.
It’s certainly not perfect, but I’m not quite sure these issues are consistent enough to be indicative of BitWarden’s quality. I mean if its lost your passwords I would assume that’s something worth making an issue about on their GitHub?
LastPass' CSV export can't handle certain characters so the exported password is wrong. I doubt they've fixed that. It was in the product during the 10-12 years I used LastPass.
Worse than that, LP notes are multi line which makes importing a bloody nightmare! Especially if you have any CSV characters in the note.
I had to modify the native CSV with some vim magic to add a line delimiter for each record so it allowed for spanning over multiple lines in order to successfully import each entry - which also required the importer to allow for an additional EOR marker.
Even then there wasn't a 1:1 column match between pw apps.
Without this step though all sorts of hell breaks loose, and if you don't notice the columns got out of sync during import because a note had a few commas in it what good is it to you really. It's a hell of a mess that you may not notice until its too late.
There should also be a verify feature for any import that can query the original source via some API calls - or use that to do the import. Of course nobody is going to provide that because it means users can leave their ecosystem too easily - but the other thinking is customized backups to a PGP destination suitable for direct import via the sale API calls.
That's because you don't have or don't know about all those custom fields that don't get exported by LastPass, which turns real migration from 30min to many hours
Also it'd be wise to change passwords during the migration as well given all the hacks, which is another set of hours
Once you hit 300+ sites, with attachments and custom fields, it starts to be one of those ‘I am going to pretend this will app work out if I ignore it’ things rather than an easy afternoon project.
I have more than 400 websites in mine, but not a single one has custom fields or attachments and I can't think of a single reason why that would be necessary.
Some services use usernames for login instead of an email address, so I keep the per service email address in another field. Or I use a different name & birthday for a service etc.
If one does any of the following and wants to keep track of it in a structured way, it might require custom fields in some password managers:
* Use a different name for each account
* Use different "personal information" (date of birth, etc.) for every account
* Track "security" questions and randomly-generated answers for each account, for services that still use that terrible approach
* Track which phone number is associated with each account, for services that uses SMS MFA codes
* Attach list of one-time recovery codes to accounts that use those
* Attach source of credential information when credentials were sent by someone else for e.g. testing
There's six reasons off the top of my head. I'm sure there are more.
I have a few that require custom fields. I don't really have a lot of passwords saved either. Maybe 50 tops.
Custom ones are usually all banking sites. One does not use standard field names so bitwarden does not detect it. Another has an extra field for user . (Bank customer company id, password then particular user's name).
BitWarden has custom fields too, though if LP doesn't export them, then yes that's a pickle. I don't know about attachments, but notes do transfer though they're stored a few clicks deeper in the "vault".
I would argue if password updates are required because of LP's insecurity, that's really not a migration issue, that's just a LP issue.
> I've never required a password manager, maybe I'm just good at remembering passwords.
How is this possible? I must have at least 50 passwords I use with some regularity and many more I use once a year or so. All my passwords are at least 16 characters long and totally random. Are you able to remember that without compromises like repeat passwords or patterns used for generating them (including website name in password or similar)?
If you can remember your passwords I have a strong suspicion that you’re using weak passwords and/or re-using them. All my passwords are 12+ (whatever the site max is) random alphanumeric+symbols and don’t get re-used across sites - there is no possible way I could remember them all.
Using a quick back-of-the-napkin calculation, you get roughly this amount of entropy from 1password's wordlist when compared to random alphanumeric strings [a-zA-Z0-9]:
- 5 words ≈ 12 chars
- 6 words ≈ 14 chars
- 7 words ≈ 17 chars
- 8 words = 19 chars
If we take 5 words as the minimum you'd want to use on a web service:
- halvers persia dutiful manes party
- append medalist society duke disobey
- acoustic halo assuage upkeep dexter
- area theist motile align trespass
As a non-native English speaker (which should be obvious from my strained speech), I'd say it's rememberable enough.
My 1Password has 1000 passwords/license keys/ssh keys/api keys stored for me, along with the associated username + 2fa code. There's no way I'm going to be able to remember more than a handful of those.
> And why would you even trust a cloud based product.
1Password's security model sounds pretty reasonable to me. The convenience of having my Passwords backup and synced to my devices is worth the tradeoff in security in my case.
I’m sure we won’t talk you out of this, so I won’t try.
Anyone else reading this: do not just remember your passwords. Unless you’re Lord Nikon, if you can remember more than a handful of passwords, it’s because they’re weak enough to be memorable. Or worse, used in more than one place!
Genuine question: why are there still LastPass users?
I mean, if you have a password manager, it means that you somehow care about your passwords. If you have LastPass, it means that you chose something that was not the default Google Wallet or Apple whatever-it-is-called.
Are there so many LastPass users who haven't followed the news in the last 2 years?
It’s such an important lesson for informed people, and tech people, especially, to learn: our context is absolutely not the common one. Things that are obvious and clear to us are a world away for most others.
Okay. But how is a typical person supposed to effectively judge the relative risk of LastPass against alternatives such that it justifies the hassle of switching?
The core problem with the LastPass breach was their response to it, not necessarily that they were pwned in the first place. Like, the whole point of password protected vaults is to make this situation less harmful.
People don't know about the ability to export and import passwords, though. Modern interactions are so much "everything is locked behind this branded app" that it's a miracle people still remember they can email to other domains.
What they do know is how annoying it was to have to set up LastPass, entering each and every password, dealing with accounts and setup and recovery keys, and the process of getting used to it.
Unless LastPass adds a button that says "click here to switch to a competitor", I doubt their remaining customers will ever leave the problem.
I am pretty tech savvy, read HN often and still use it.
Partially, laziness, partially hard to change flows, partially hard to migrate, partially I don’t believe that it’s THAT bad, though the last one is the one I’m least sure.
I'm a developer by profession and I almost didn't switch from LastPass after their breach last year.
Simply put, after all the reports of last year's breach, I assessed how vulnerable I am. First, my LastPass settings were such that I shouldn't be too affected by their breach; among other things in their self-assessment report, I had the "new" healthy default of 600K iterations. Also, the three most important accounts forming the basis of my online identity were never on LastPass and had unique passwords.
(And yeah, I understand that the security issue isn't purely on technical merit but also a social question of LastPass' reputation as a company. But on a personal level, I didn't really care that much. Moving on...)
Hence, on a personal basis, I didn't see much reason to switch out. The alternative would be the hassle of evaluating a new password manager, exporting data from LastPass, setting up the new password manager on my devices, importing my pre-existing vault, tweaking the new password manager so it behaves as I expected, etc. I know I'm playing the world's smallest violin with this grievance but that's really how it was. I think there was also a confluence of other factors why I didn't want this hassle on my plate at the time (e.g., I remember this was end of last year and I'd rather focus on my holiday arrangements).
I did reach out to family members whom I might've recommended LastPass to in the past though, and advised them to switch out. I didn't believe they could make the same self-assessment that I did.
In the end, I did switch to Bitwarden though. I did go through the hassle as I thought I would but articles like this make me glad I did. The decisive factor for why I did it anyway was that I realized that I might have some passwords/keys in my vault that I use professionally so, out of professional prudence, I switched. Were I not a developer, I might not have had this factor at all.
It's not about the leak itself, but the lax of their operational policies that resulted into it, the low level of ownership they demonstrated in communication through the incidents, the weird design decisions that were made to leave parts of wallets unencrypted, that you would never know of since it's all a black box (1pwd for example opensourced some of their designs).
The problem, IMHO, is that selling a password manager is about selling trust. It is okay to have an incident (to some extent of course: "we got hacked and somebody stole our database, which was not encrypted" is pretty bad), but it is not okay to lose trust.
Given how it has been going with LastPass, I don't see how one would still trust them with their passwords.
Good question. I cannot even 100% remember why i left a couple of years ago. IIRC it was a compromised cache / logon on a device i didn't control anymore and the general uneasyness of having my digital identities stored on a foreign service that could be hacked / could lock me out any time.
Keepass plus syncthing works for me; Keepass' autotype is great.
I exported my LastPass vault (yeah I used to be on LastPass...) and imported it into Bitwarden. Maybe I was lucky, but I was amazed by how simple it was. It took like 2 minutes, and it just worked.
Unless you also changed every password for every account you store in your password manager, you still have the original security issues of Lastpass to deal with, as well as any potential issues from your new password manager.
1. The main competitor everyone knows about, 1Password, has its own problems. (I gave up on it a couple years ago after learning that you can't quit the goddamn MacOS application when it's logged out. It literally requires you to be logged in to make use of a super-secret-strong quit that doesn't leave some daemon on the system. Which is incredibly irritating when you're trying to just run a software update but instead you have to type your super long and secure password manager password.)
2. Transitioning passwords is hard even once you find a good alternative. One should change passwords after a breach, but there are basically three options: (a) use the automated password changing within the old password manager. But if you don't trust your password manager after a breach, it's probably a bad idea to use the automated password changing feature of said password manager and end up with your new passwords in the insecure service. (b) import everything to a new password manager and change from there. But if you have a lot of passwords, there's a good chance the new password manager won't be able to automatically change them all, and then you'll either have to carve out a huge amount of time to do it all at once, or have a mixture of secure and insecure passwords in the new password manager, which seems very problematic. (c) gradual transition: move the mission critical passwords first and change them on the spot, then as you use a less important service, change the password for that and move it to the new service as you go. Which makes sense, but means you'll still be using the shitty old one for a while.
Bitwarden still doesn't have as good a multi-account workflow as LastPass does. They finally added multi-account support late last year, that was a full blocker for me, as I need access to both my personal and work vaults on my devices. Now that they have multi-account support, it's better, but they still are significantly worse than the LP approach. If they get multi-account search working as requested here, I might finally switch over:
I've been involved in switching users in a corporate environment from one password manager to another.
You want to irritate non-technical people? Tell them that they need to use a password manager.
You want to irritate even technical people? Tell them that the password manager you had to force them to use is going to be replaced by a new one, and _they_ have to do the export/import steps -- despite the fact that their boss is breathing down their neck for four projects that are late, half of which they have no control over.
I'm glad I don't have to worry about the Lastpass breach, but I can absolutely commiserate with anyone who has to care about password managers for other people.
You want irate non-technical people? Tell them they need to come up with something better than Password123.
People hate passwords. You can explain to them why passwords are important, how people from the outside can do all kinds of nasty things if you pick weak ones, but people will ignore all that because they never need to deal with the fallout.
When these people eventually get hacked, they will blame their computers, their antivirus, their browsers, the websites they use, and most likely also the most recent person who touched the computer.
Password security is like herding toddlers. This is why I'm looking forward to a future where physical keys and passkeys are supported essentially everywhere. We don't even need them as 2FA because they work fine as a first factor in most cases, though 2FA would be much better of course.
And to be honest, whoever manages normal people's IT is probably partially to blame for the hate most people have for passwords. Things like monthly password resets, session tokens that last less than a work day, separate passwords with slightly different usernames across different applications, and all kinds of other useless limitations are why people hate passwords so much: using a password manager once or twice is fine, but having to use it to copy/paste passwords every other hour is tedious and terrible.
Companies unable or unwilling to fix their terrible password setup should invest into something like Yubikeys to at least make the process less frustrating. The difficult part is getting a backup when people lose their keys, but you can probably use passwords as a fallback until a new key can be arranged.
NIST's recommendation of passphrases that don't expire except when cracked is better, because it avoids <employer name>fall2023. But now you have to pay for the audit (whether it's internal or external) and then explain why their TV quote/book title/whatever is easy to guess.
And whether it's passphrases or passkeys, we still haven't solved the problem of the gajillion other accounts people will have to log into to do work that are nowhere near that standard.
As a technical user faced with the most absurd of password complexity policies I totally understand non technical user frustration given my much higher bar of ability etc, so I don't think it's entirely fair to blame them, sure they could do with making more of an effort but most people just don't care or aren't aware of the ramifications...
When there's segregation between passwords that the organization can see and passwords that only the employee can see, then each user has to run the import/export.
Probably mostly companies stuck with long-term contracts.
The global company I work at uses it, they have an enterprise-wide contract. Migrating to something else is just a massive PITA, extra costs & sure downtime.
> the default Google Wallet or Apple whatever-it-is-called.
It’s just called “Passwords”. Consistent with “Mail”, “Notes”, “Reminders”, “Calendar”, but it doesn’t have a dedicate app like the others (it’s inside System Settings).
The entire website is written in PHP. I have nothing against the language, but it's a major red flag when you would expect it to be using Java instead like most bank and government websites do.
I dont know that a website running Java gives me warm and fuzzy feelings only because its on Java. I care mire that whatever the underlying website is powered by is not easily exploitable by bad actors.
The language you use matters very little. It's how you use it. PHP's not at fault here, even if they used Java or another language their incompetence would still be the issue.
I know this is a troll comment, but, a website being written in Java screams "this was subcontracted to junior devs" to me, which is not precisely a green flag.
I am completely over the idea of storing secrets inside of one of these 3rd party systems. I've currently got a team member writing an internal secret storage app for our organization.
Creating a SQL schema with a "Secrets" table and maybe some audit logging and organizational extras should take a seasoned developer ~30 minutes. Throwing a CRUD web app on top of this and making it accessible to your employees - maybe another day or 2.
I really don't know why you'd risk this sort of stuff with a 3rd party. It just boggles my mind. What are they doing that you can't do? Even a 3 person startup can probably find time around a weekend to knock this out once and for all.
Edit: clearly I missed an important point. We don't care about browser integration. I am not going for 1:1 feature replacement. If you seriously believe "a safe place to keep internal text" is an extremely hard problem that absolutely must be outsourced, I don't know why you would even be involved in technology.
All of that within the first 30 minutes though!
I would probably take that long to stand up a DB for testing locally, re-learn $DB's table creation syntax, and connect to it from $lang.
I've wondered why so many software companies have so extremely many engineering employees. SaaSes raising a 9-figure Series D and hiring thousands of devs for a customer support app. I just never got it, I wondered about this for years.
But now, thanks to your comment, I finally understand.
Browser and phone integration: autofill, autoupdate. You can do that too, but it’s not a trivial effort. It’s important because otherwise users will sacrifice security for convenience.
Lastpass also knows how to autochange for some sites. It was hard to lose when I left.
LastPass hasn't been doing proper cryptography, so that part may be a fair bet.
If you use Django's default hasher, for example, you get more hashing rounds in the default config and they increase those periodically (the latter part that LastPass is struggling with, per the article).
Why would you spend dev time on this when you can set up something like Bitwarden across the org and have all the same benefits without wasting precious dev time on it?
FWIW I’m on 1Password and it hasn’t had any of these issues, either. I would not spend dev time on this as a startup/software company founder.
Self-hosting Bitwarden (edit: or Vaultwarden) may be a better approach. I'd recommend checking your feature list against Bitwarden to see what you forgot about. There's a lot of usability concerns that quickly become security-critical in a tool like this. Also review the security fixes that have been applied to BW, a rewrite will need to avoid these mistakes as well.
why not use an existing self-hostable option like bitwarden (possibly using one of the easier to setup up servers like vaultwarden)? Then your estimates might actually be accurate.
I do not understand why people need to use these things, maybe they make it easier and more secure for Cell Phones ? I never use my Cell Phone for anything Finance or Medical Related.
But for me, I keep an encrypted text file and get the passwords my using emacs or vim. I generate passwords using:
What's with these comments who can't possibly conceive why a certain product is popular and in use. Convenience, sharing, application integration, recovery, 2FA, passkey, SSH agent integration, the list goes on. LastPass is kind of bad considering their avoidable security snafus, but there are more reputable vendors out there.
Yes, you can roll your own, but that's not a scalable solution if you're an org or have requirements that lay outside using a Textfile.
Agreed. I've used vim for decades, and also use a password manager. I have a laptop and phone, and routinely use multiple web browsers. I want to sync encrypted passwords across devices, and auto fill in when I visit a a website... and websites infuriatingly vary.
1Password and Bitwarden help with this. Your use case might be different and that's fine.
It's probably safe to say that 99% of people using this sort of password manager don't know what emacs and vim are, and additionally use their cell phone for most of their online computing.
If you look at it from the opposite perspective the value is clear - this isn't a tool for people who can generate and store their own passwords, it's a tool for people who got their Facebook hacked because they used the same password for everything for years and hey, this app can help avoid that mom, let me show you how.
"people" don't know what is Emacs, vim, tr or urandom for any reasonable definition of "people".
I work for a company that makes a password manager, and at least one clear benefit, versus copy/pasting from somewhere, even for tech savvy users is phishing resistance (the password manager browser extension should not fill your password on a website which doesn't match the website associated with that credential) which is how password gets stolen in practice when they are not reused (not re-using is the main benefit of a PM, but your home-made system does solve that issue too)
They are other benefits more on the convenience side (mobile as you mentioned and even not having to switch app each time you need to grab a password...) which matters more for most people than security (or so they believe at least)
> I never use my cell phone for anything finance or medical related
Do you realize that 99.99% of the population in the world, including maybe 99% of the people here, don't do that? Similar to those comments that say "I don't use a cell phone", sorry what is your point? You realize that your very unique way of living and your life experience don't apply to others, and your comment is meaningful to just about nobody but you? Do you actually expect people to read your comment from there?
Just chiming in to say a text file encrypted with vi storing passwords is a heck of a lot more common than you seem to think. I know at least one team who use this method and there is a reasonable chance you’re interacting with some of their infrastructure secured by this method right now.
It’s about as secure as anything (esp after the swap file issue was resolved).
> The forced logout + MFA resync events are taking place as we increase all customer's password iterations.
Typically you just need to wait for a user to log in, then validate the password against the old hash and create a new stronger replacement hash. Ending all sessions is a good way to log everyone out and force that. But I'm confused.
If weak password hashes were leaked, then the passwords need to be changed too. Increasing the rounds doesn't prevent attacks on the previously leaked weak hashes. Maybe they expect everyone already did that but some people did it before they increased the hash rounds?
The MFA reset shouldn't be related to the increase in hash rounds, those are unrelated. So they must suspect the MFA seeds were also stolen, but aren't saying it, right?
> If weak password hashes were leaked, then the passwords need to be changed too. Increasing the rounds doesn't prevent attacks on the previously leaked weak hashes. Maybe they expect everyone already did that but some people did it before they increased the hash rounds?
I assumed they were just increasing the rounds as a general good practice. The best time to plant a tree was ten years ago, the second best time is now, and all that.
If it is just a regular rounds increase, why force an immediate re-auth on all users? It would be way more user-friendly to just wait 6 months or so for natural re-auths to occur, and only do a forced re-auth on the few remaining users afterwards.
From an user experience perspective, this would be the way.
At some at the company I work for, we decided to changing hashing algorithms and we did it on the fly when user authenticated again. Users were happy, we were happy.
But as someone already said here, there's a high probability that the OTP seeds were stolen so that's why they are doing this forced reset for MFA re-enrollment.
> The MFA reset shouldn't be related to the increase in hash rounds, those are unrelated. So they must suspect the MFA seeds were also stolen, but aren't saying it, right?
They were stolen but weren't very clear about it.
From their summary of their latest security incident[1] it says attackers stole:
> Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.
This summary links to a page[2] with more information, but actually on this page they give less information, saying only:
> [Customer Secrets accessed includes] Multifactor Authentication (MFA) seeds - MFA seeds assigned to the user when they first registered their multifactor authenticator of choice to authenticate to the LastPass vault.
That just means that you have such a small number of passwords that you are much more unsafe that someone using a compromised password manager. I guarantee you your passwords have been leaked in individual website's breaches and that has exposed all your other accounts using the same credentials.
Possible, however: My personal strategy, much like i have a "junk email" address for signing up for random BS and a personal one for actually using is that i have a "junk password" that i sign up for unimportant services, and i guarantee it has been leaked many times. My important banking / amazon / etc passwords are indeed (slightly) unique and backed up by an digitally impenetrable firewall: pen and paper.
Granted, this is just for personal use, and i can totally see a use case for a password manager in a company / corporate environment.
Your password store is a single file, it can be encrypted, backed up (or not), distributed/synchronized between your devices (or not). It belongs to you, not to a third party.
The inevitable rejoinder is, "what happens if someone gets that file?" Well, what happens if someone gets your piece of paper?
> Well, what happens if someone gets your piece of paper?
Considering it's in my house there is short list of suspects, unlike exposing it to the entire world VIA TCP/IP, but yeah i get your point.
> Will you ever use a password manager.
Not for personal matters and that is a personal choice. My way ain't broke and i ain't fixin it. A password manager smells like something that could break, get compromised, or go out of business at any time without any warning and i don't like the smell of it.
I also code with Notepad++ with none of that autofill suggestion crap and doesn't take 8 smoking cores to fucking type a sentence if that tells you anything about my personality. Get off my lawn!!!
They're a random string of text unique to each site, I wouldn't even class them as 'my' passwords, just a derirative. Password Managers are a godsend (happy 1password user).
Ok. I'll take the advice here. I am a time-constrained Lastpass user. I'm aware of the issues but not thw seriousness. I will abandon the platform now, but I could use your help:
1- is industry gold standard 1password or bitwarden ? Key requisite: edge or FF browser extension. (I dont use mobile password management apps and will never do so)
2 - in light of the LP breaches. Do I change all my pw accounts, the master LP account, or both??
Bitwarden is fantastic IMO, vaultwarden if you like to self host.
Out of an abundance of caution, it would be prudent to change the passwords for the most critical accounts in your life initially. Things like your bank, email, Google. Accounts that losing control of would immediately make you go "oh shit, I can't do X that I need for daily life". Then slowly over time change the less critical ones.
Caveat, bitwarden-cli isn't supported last I checked. They also only implement a subset of bitwarden features. Not to knock it vaultwarden, I've used it for years and have no plans to migrate anytime soon.
The bitbetter project[0] shims bitwarden licensing for personal use. It might be better if you're looking for complete feature parity and client support.
What parts of the cli doesn't Vaultwarden support? The cli client works fine for me when it comes to basic password operations.
I'm aware that the backend doesn't implement every API Bitwarden has but I've also never noticed any missing features. It did take some time before Bitwarden Send was implemented, but I can't fault the devs for that. I also expect the upcoming BW passkey support to take a while to make it to Vaultwarden.
Personally, the whole organisations thing is only a nice to have when it comes to hosting Bitwarden. The standard Bitwarden installation eats up gigabytes of memory for (I assume) optimizations for large installations that most self hosters probably don't really need.
> They also only implement a subset of bitwarden features.
Any idea what's missing?
Vaultwarden does add TOTP support, which the free official server didn't last time I checked, so while it may be missing features, it also unlocks features you wouldn't have without paying.
Bitwarden is also moving towards a unified docker image [0] that allows using SQLite or Postgres instead of the earlier mess of containers. Working pretty well for me and avoids have to trust an additional 3rd party.
1Password is probably the best kept secret when it comes to password managers. I don’t understand why not more IT professionals advocate this software.
+1 Made the switch this quarter. It's practically the same price, incredibly easy to switch, comfortably similar if you've used lastpass before... And as I went through this process I also discovered despite breaches and insecurity, my LP account actually had some hardening issues remaining that they fixed for new signups, but failed to do so for long time customers. So fuck them. (I've since rolled many of the most important credentials btw)
Seconded. I’ve used Lastpass at work a few times and I have zero idea why they still exist - 1password is much better and othet competitors exist, too.
Cost. Get a quote for a few thousand users from each vendor. Bitwarden and LastPass will come in around $50k, where 1Password will quote you $75k and have no flexibility to be competitive on their pricing. LastPass will probably drop to $40k later in your decision process to entice you to pick them.
LastPass has known issues and IT departments can make an understandable recommendation to the business to pick Bitwarden even with a slight cost premium. There is nothing to justify the insane premium 1Password demands. I have seen them lose multiple contract opportunities because of this.
Note: The dollar quotes are made up numbers, but the percentage differential is real. 1Password is often 50% higher in total cost.
the blame the user responses reported in this story are just hopeless. Also, as far as I can tell, untrue: I cancelled my lastpass subscription after the last horrific breach and migrated to a new password manager while changing my critical passwords, but every once in a while I have to use lastpass to dig up an old unimportant password for something that didn't make the list for immediate changes... and I've never seen any kind of message about resetting MFA.
I jumped ship to Bitwarden at the beginning of the year, and haven't logged into LastPass in some time, although I forgot to delete my vault and account.
I suppose there's some assurance that if I'm indefinitely locked out of the account then at least hackers are, too?
I genuinely don't know why people don't use offline databases like keepass. The conveinance of online password management is not worth the hassle they can cause. All be it lastpass appears to be tge worse!
Because I have four devices I need my passwords on, on three different OSs, and no admin on one.
All of my banks use a mobile app for confirming transactions, which requires me to login. Sometimes that requires reauth not just biometrics. I'm not going to go home and try and type a 20-30 character password into a phone when trying to pay for car parking.
Back when 1Password honored its offline, non-subscription license we bought, we could store the encrypted vault in a cloud storage service like Dropbox (or your own server) and simply set up other instances of the 1Password client to use the vault on that folder.
Exactly what I'm doing with my keepass database. I have an offline keyfile that's never in the cloud for added security. I've found this to be the best solution.
First a password manager would never store a key unencrypted on the cloud.
When implemented correctly a password manager storing the database shouldn't have any information (keys) to decrypt the database. Only the user & the client knows this information, and it never leaves the client.
There is still the matter of authenticating to the password manager service to retrieve the database. There's a couple of ways to do it, but usually a strong password hash (least desirable and I think this is what LastPass uses) or a Password Authenticated Key Exchange (PAKE) in which the service keeps an authenticator to verify your password/credentials but the authenticator cannot be reversed or attacked to determine the password (similarly observing the PAKE transaction over the wire or MITMing it won't allow any attack to find the password).
Even if the authentication aspect fails and someone could download all the databases, the database should be protected with at minimum a slow password hash, so a dictionary attack should be very slow. I believe LastPass has stuffed this up in the past. On the other hand, 1Password took a proactive stance despite a hit to the UX by requiring a password + "secret key" which is I believe at least a 128-bit secret that's mixed together to come up with a high entropy password that is used to encrypt the database - so an attacker will have a hard time with any 1P database.
Put bluntly, as a 1P user I'm the least bit concerned that the database is stored in the cloud. I guess the only thing I have to worry about is a surreptitious version of 1Password being distributed to my machine which may capture/exfil my password & secret key. I guess not being open source is a net negative here. So I do place some trust and faith in AgileBits to protect their supply chain and software distribution. Their reputation depends on the security of the service after all.
I use "pass" with a yubikey and happily use it from Windows, Linux, Android.
It syncs via git and syncthing.
I think I've been using this longer than BitWarden gas existed and will be using it after something happens with BitWarden and triggers another migration.
Once again, a one-time learning and cost of setup has saved me countless headaches and time not spent migrating over the years.
I agree. If you don't totally own your password manager, you are at the mercy of the company that does.
I use password store (pass command-line utility) at its core it's GPG encrypted files in a local git repo, with a convenient command-line utility to manage them. It's cloud-free, runs on my local machine. If you need to sync, you can use git push/pull to do that.
I don't use it from mobile as I do very little on my phone that requires a password, but if you need that there are options:
I've been using Bitwarden for a very long time without any hassle. It just works. Technology-wise it's effectively the same thing as KeePass+Dropbox, just bundled. It's even open source, so I could export my data and self-host it if needed.
I would be careful about judging the experience of all online password managers based on LastPass.
Can the DBs get merged or are they subject to conflict race conditions?
A years ago experienced hassle and data loss (not of passwords) due to local-first sync solutions such that I’m very wary of them now.
Race condition? In the context of my usage that's not possible and I'm only the only user, and am accessing the data on one device at a time. Even less so since I'm essentially using sneakernet rather than cloud storage for "sync".
It happens sometimes [1] [2]. Reduced malware and quick removal is all you can hope for.
I have an app in the Play Store and received some unsolicited requests to install (and get paid for!) adding some extra jar file to my app and hosting someone else's apps in my account. Attackers put in a lot of effort to sneak in.
Having fewer malware would still be a worthy goal. That said, I’m not defending the App Store. It’s still riddled with junk, ads, casinos for children in the form of free-to-play games, and adult casinos disguised as children’s games.
I think this is partially true. LastPass has offline support so the LastPass servers temporarily being inaccessible doesn't need to be an issue. But you're right, it's not "offline first".
There's lots of reasons not to use LastPass but I don't think this is high on this list.
Your setup sounds great. You might find it interesting that it's also very close to what 1Password does.
1Password apps store local state in an SQLite database. They then package up that database and encrypt it with your chosen master password and a randomly generated password. (The random password is only to protect users who picked a weak master password against a server breach, so it's stored in plaintext on your computer). That encrypted file is uploaded to their server.
There is also an android (and iOS) app. If you edit independently conflicts are merged.
> Your passwords need to be with you, not rely on a server.
Pretty much all password managers including Lastpass do store the vaults on your device and you can access them offline. The issue here is the borked MFA reset.
Why anyone would continue to use their service after their amateur hour
operation was revealed is beyond me. That's not to say their competitors are guaranteed to be better. Really, you shouldn't depend on any offsite service for password management. Use something like Pass (https://www.passwordstore.org/), self-hosted bitwarden or at worst, GPG encrypted text files (which is essentially what Pass does).
No matter how many compromises, how many DoS events / lockouts, or how many other times internet-based password managers royally screw up, it never ceases to amaze me how people continue to trudge back to these sorry services.
"It's so convenient!"
"I don't like having to manually sync between devices with <100% local password manager>!"
Convenience addicts making excuses for their next hit of convenience... no matter how severely convenience harms them.
I hate to say it but convenience is king. If I need to log into accounts on my phone and computer there are two options 1. Use a crappy password that I can remember 2. Use a syncing password manager. If the password manager doesn't sync it doesn't provide enough convenience to be useful to me and I will fall back to 1.
Convenience has long been an underrated aspect of security. If you make the secure option as convenient (or even more convenient) than the insecure option people will do it. Of course security is always in opposition to convenience to some degree (otherwise we wouldn't have passwords at all, just type in your username to log in, we trust you completely), but minimizing the inconvenience is key to making the system secure in practice. If you make the system too inconvenient people will just work around it no matter how secure it is in theory.
I think we are beginning to understand this and things are improving, but many legacy systems still suffer. For example NIST guidelines have accepted this and now recommend against time-base password rotation[1] but many organizations still enforce it.
Secret security isn't a common use case, as it has an uncommon but critical property - it's binary - either the credential is leaked / stolen or it isn't.
If "convenient + good" isn't good enough and your credential is compromised, your solution fails completely, 0% score.
If "inconvenient + better" does prevent the compromise of your credential, then it is an absolute success, 100% score.
Prioritizing convenience over security while selecting your password manager is like prioritizing keyless entry over functioning brakes while shopping for a used car - it's clearly a stupid decision even from the perspective of a layperson.
I'll shed zero tears as I play the world's smallest violin when people who've made such decisions have their identity stolen, home forclosed, and savings drained because "muh convenience!"
People who study this for a living say that you’re wrong on balance. For example, it would be great if every changed their password every time they logged into every service they used. Forget TOTP for 2FA — let’s make one-time passwords for everything!
But in practice, making people change their passwords regularly ends up with them inventing convenient workarounds to avoid the mental overhead of having to learn a new password constantly. “Last month I used `Passw0rd!23`. This month I’ll use `Passw0rd!24`.” And then when their password DB is inevitably breached, an attacker has a pretty great guess as to what their password will be next month.
In a perfect world where everyone perfectly followed perfect instructions to the letter, convenience isn’t critically important. In the one we actually live in it, is. And it’s not just me saying this.
"In a perfect world where everyone perfectly followed perfect instructions to the letter, convenience isn’t critically important. In the one we actually live in it, is. And it’s not just me saying this."
Is this your polite, roundabout way of saying "A number of users are literally so stupid that they're incapable of making rational decisions in their own password management practices"?
I would tend to disagree. I think most people have the capability to follow instructions and act responsibily, when they want to. We really shouldn't be letting the general public drive 3-ton SUV's capable of rapidly accelerating to 120+ mph (200+ kmh) if that weren't true, right?
Option 3. Use a secure password manager on device 1, make a second encrypted database with only the needed credentials of device 2, move the encrypted database to device 2.
• Pros - actually secure
• Cons - takes about 18 seconds longer and teeny tiny bit of cognitive effort
Options 1 and 2
• Pros - Caters to NPCs and other entities incapable of thought, effortless
• Cons - horrific and lengthy track record of brutally failing to perform the SINGLE necessary function, keeping passwords secure.
Syncing and managing passwords can be handled just fine by two separate applications. I switched from LP to Syncthing + KeePassXC several years ago, and besides the initial setup it has been exactly the same level of convenience. And the only thing that was more difficult with the set up is that I had to install two applications on my machines instead of one.
I recently had to start using Lastpass for work and I am absolutely mind-boggled at what an all-around terrible piece of software it is. I have my complaints about 1Password but those are peanuts compared to the mile long list of show-stopping bugs and UX problems I experience every day with LP. Irredeemable garbage.
I don't use a password manager. You shouldn't, either, probably, unless you want to share passwords with a group or something.
I have a file of hints which are only meaningful to me. Even if a malefactor got hold of the file, it wouldn't help them. (no, I'm not going to give examples; if you can't think of some combinations of characters that only you can remember, then fine, use a password manager). I'm always thinking of new ones, too.
You don't need a unique one for every site, either. Having 15 or 20 that you choose at random means that an invalidated one doesn't affect everything you do.
Occasionally, the Hint file has an actual gibberish password with no hint, where I have to copy/paste it. I think this is fine once in a while.
All I really have to remember is the password for the place where that file is stored, and my email's. Often it happens that my stored hint doesn't work (maybe I forgot to update it), but every site has a Forgot Password link.
Counterpoint: Use a password manager and unique passwords for every site, and be mad about the terrible authentication UX, just like the vast majority of experts in the field recommend.
More vulnerable to phishing, a good password manager checks the URL programmatically and won't fill a different domain, human validation of domains is weak, we forget and can be tricked.
These are all weak. "Phishing protection" consists of not clicking on URLs someone sends you, particularly the "is this you in the photo?" messages on Facebook.
"human validation of domains" : not sure what you mean here but I think it's a theoretical problem, not a real one.
If you're afraid of misspelling your bank's name and landing on some malware, you can enter the bank name in your search engine.
> "human validation of domains" : not sure what you mean here but I think it's a theoretical problem, not a real one.
It’s a very real and not theoretical problem. For example, someone sends you a link to a Google Doc. You open it and the page looks exactly like the real deal, but the domain is `signin.googledocs.com` or `login.googgle.com`. Even a technical user could not be paying attention and be fooled by that, manually entering their email and password. Because a password manager would only auto-fill your password on the correct domain, you have an extra reason to be suspicious and note something is amiss.
But you do realise non-technical people (i.e. most of the world) will click those links, don’t you? Password managers have a convenient and secure solution to the problem and you’re offering an alternative which requires teaching and convincing everyone to act differently in a very specific situation to prevent a situation that rarely happens but is potentially catastrophic when it does.
Exactly. Which is why it’s a good thing password managers exists. It means people don’t need to read specific advise about not clicking links, which is their purpose, on tech forums.
So some news site you read on gets hacked and they install malware that means when you move to another tab, it changes the tab to look like a log in screen for say, google, and when you go back, you log in. This has been seen in the wild, and it is very hard for a human to catch, we assume we had a tab open and log in. A password manager will refuse to do it because it isn't the right domain.
Yes, of course all of these kind of attacks can be avoided by "just don't do anything dangerous", but in the real world we are all flawed and mess up. No human can be perfect, and relying on never making a mistake makes you vulnerable. Anyone serious about security makes it hard to do the wrong thing.
Hardware security keys are an even better solution, but not every site supports them. Both is by far the best option.
Seems like you do, in the form of a hints file. You even protect it with a password. You’re using a bespoke solution, sure, but you’re still using something to manage your passwords. You could do all that trickery with an off-the-shelf password manager.
You don't have to store passwords in an off-the-shelf password manager; you can store secure notes and files. In other words, you could continue to use your current method of hints but with more organisation.
Point being that what you’re doing is not meaningfully different from using a password manager, you just manage your passwords in an uncommon manner.
It is not mandatory for password managers to fill in passwords. Turning that on is often an extra step because you need to install their browser extension. Everyone is free to not do so.
And there are plenty of free (and open-source) password managers.
It’s fine that you don’t want to use an off-the-shelf password manager, but if you’re not familiar with how they work in practice, perhaps you should not advise people to not use them. Your system is a way to manage passwords and from your description seems to be more complicated than most people (especially non-technical users) would bear.
"more complicated" on the contrary. It's a homebrew system like people have used since before computers. And since it's a one-off, it's not worth cracking.
Edit: what do you consider "complicated"? Compared to all the inevitable complications of a PW manager and browser extensions? Not to mention screwups like the LastPass one.
> You don't need a unique one for every site, either. Having 15 or 20 that you choose at random means that an invalidated one doesn't affect everything you do.
But it does mean that if one of those passwords gets leaked and the service that leaked it takes a while to notice, you now have X other services that are compromised and you don't even know it.
There are breaches on haveibeenpwned for my email that I was never notified of. If I were reusing passwords, each of those would represent a possible security breach in unrelated accounts.
I'm not going to give examples here, but: there are tons of sites that no one is ever going to bother impersonating you on. They can't use them to buy, sell, move money, or ruin your reputation.
Maybe they're like diseases you have that aren't any threat to your health.
If some site is really important, then yes: you do need a unique password for it.
I still use my licensed 1Password version from like 10 years ago. I share passwords over Dropbox to my other computers and I cut and paste passwords. It’s not hard at all and I don’t have to pay a subscription.
210 comments
[ 3.8 ms ] story [ 245 ms ] threadWe know they do, since they got their backups stolen not even a year ago lol.
Also I use 1Password at work and find it a bit doddery compared to LP, which is no speed daemon itself.
https://bitwarden.com/help/import-from-lastpass/
All in all, it does take (much) more than 30 minutes.
Any shortcuts used by extensions based on the WebExtensions API are changeable. If you're on Firefox, press Ctrl+Shift+A (or go to about:addons), open the gear menu, and click "Manage Extension Shortcuts".
I have over 300 passwords, multiple cards. Multiple notes. All synced flawlessly.
It’s certainly not perfect, but I’m not quite sure these issues are consistent enough to be indicative of BitWarden’s quality. I mean if its lost your passwords I would assume that’s something worth making an issue about on their GitHub?
I had to modify the native CSV with some vim magic to add a line delimiter for each record so it allowed for spanning over multiple lines in order to successfully import each entry - which also required the importer to allow for an additional EOR marker.
Even then there wasn't a 1:1 column match between pw apps.
Without this step though all sorts of hell breaks loose, and if you don't notice the columns got out of sync during import because a note had a few commas in it what good is it to you really. It's a hell of a mess that you may not notice until its too late.
There should also be a verify feature for any import that can query the original source via some API calls - or use that to do the import. Of course nobody is going to provide that because it means users can leave their ecosystem too easily - but the other thinking is customized backups to a PGP destination suitable for direct import via the sale API calls.
This was for LP to KeePass BTW.
Do we know that considering how they handle iframes and how lax they seem about it?
If you're still using LP, and haven't been bitten by this, do it now. Do the migration.
Once the migration is done, start rotating passwords as soon as you can.
That's because you don't have or don't know about all those custom fields that don't get exported by LastPass, which turns real migration from 30min to many hours
Also it'd be wise to change passwords during the migration as well given all the hacks, which is another set of hours
* Use a different name for each account * Use different "personal information" (date of birth, etc.) for every account * Track "security" questions and randomly-generated answers for each account, for services that still use that terrible approach * Track which phone number is associated with each account, for services that uses SMS MFA codes * Attach list of one-time recovery codes to accounts that use those * Attach source of credential information when credentials were sent by someone else for e.g. testing
There's six reasons off the top of my head. I'm sure there are more.
Custom ones are usually all banking sites. One does not use standard field names so bitwarden does not detect it. Another has an extra field for user . (Bank customer company id, password then particular user's name).
I would argue if password updates are required because of LP's insecurity, that's really not a migration issue, that's just a LP issue.
And why would you even trust a cloud based product. If I can't see the hosted source code storing the password then I'm not trusting it regardless.
How is this possible? I must have at least 50 passwords I use with some regularity and many more I use once a year or so. All my passwords are at least 16 characters long and totally random. Are you able to remember that without compromises like repeat passwords or patterns used for generating them (including website name in password or similar)?
https://www.eff.org/deeplinks/2016/07/new-wordlists-random-p...
https://www.eff.org/dice
This generator uses a different wordlist with about 18000 words.
https://1password.com/password-generator
Using a quick back-of-the-napkin calculation, you get roughly this amount of entropy from 1password's wordlist when compared to random alphanumeric strings [a-zA-Z0-9]:
If we take 5 words as the minimum you'd want to use on a web service: As a non-native English speaker (which should be obvious from my strained speech), I'd say it's rememberable enough.> And why would you even trust a cloud based product.
1Password's security model sounds pretty reasonable to me. The convenience of having my Passwords backup and synced to my devices is worth the tradeoff in security in my case.
I've got close to 1500 stored passwords. How does one even start to remember those?
Anyone else reading this: do not just remember your passwords. Unless you’re Lord Nikon, if you can remember more than a handful of passwords, it’s because they’re weak enough to be memorable. Or worse, used in more than one place!
Use a password manager. Always. For everything.
Nor are my passwords weak. Okay; seeing as one of my passwords expired lately.
U0ptz#^7--9
You zero pee tee zee hash up-thinggy 7 dash dash nine
Another:
L0@!tF..9w&
Lel zero at metal-gear-solid-noise tee follow dot dot nine walks and
I find that stuff very easy to remember. I just make a fantasy story based on the password.
L9d£5"s
Little 9 ducks cost 5 said sir.
HNr!##@t
Hacker News really can suck balls at times.
I mean, if you have a password manager, it means that you somehow care about your passwords. If you have LastPass, it means that you chose something that was not the default Google Wallet or Apple whatever-it-is-called.
Are there so many LastPass users who haven't followed the news in the last 2 years?
It’s such an important lesson for informed people, and tech people, especially, to learn: our context is absolutely not the common one. Things that are obvious and clear to us are a world away for most others.
I had already left by then but I would have otherwise.
I can imagine a security professional explaining to a random person everything they ought to do to be secure. Not gonna happen.
The core problem with the LastPass breach was their response to it, not necessarily that they were pwned in the first place. Like, the whole point of password protected vaults is to make this situation less harmful.
What they do know is how annoying it was to have to set up LastPass, entering each and every password, dealing with accounts and setup and recovery keys, and the process of getting used to it.
Unless LastPass adds a button that says "click here to switch to a competitor", I doubt their remaining customers will ever leave the problem.
Partially, laziness, partially hard to change flows, partially hard to migrate, partially I don’t believe that it’s THAT bad, though the last one is the one I’m least sure.
Simply put, after all the reports of last year's breach, I assessed how vulnerable I am. First, my LastPass settings were such that I shouldn't be too affected by their breach; among other things in their self-assessment report, I had the "new" healthy default of 600K iterations. Also, the three most important accounts forming the basis of my online identity were never on LastPass and had unique passwords.
(And yeah, I understand that the security issue isn't purely on technical merit but also a social question of LastPass' reputation as a company. But on a personal level, I didn't really care that much. Moving on...)
Hence, on a personal basis, I didn't see much reason to switch out. The alternative would be the hassle of evaluating a new password manager, exporting data from LastPass, setting up the new password manager on my devices, importing my pre-existing vault, tweaking the new password manager so it behaves as I expected, etc. I know I'm playing the world's smallest violin with this grievance but that's really how it was. I think there was also a confluence of other factors why I didn't want this hassle on my plate at the time (e.g., I remember this was end of last year and I'd rather focus on my holiday arrangements).
I did reach out to family members whom I might've recommended LastPass to in the past though, and advised them to switch out. I didn't believe they could make the same self-assessment that I did.
In the end, I did switch to Bitwarden though. I did go through the hassle as I thought I would but articles like this make me glad I did. The decisive factor for why I did it anyway was that I realized that I might have some passwords/keys in my vault that I use professionally so, out of professional prudence, I switched. Were I not a developer, I might not have had this factor at all.
Given how it has been going with LastPass, I don't see how one would still trust them with their passwords.
Keepass plus syncthing works for me; Keepass' autotype is great.
Password managers have a stickyness to them. Moving is hard. There are import/export functions, but I found all of them have issues.
Moving needs to be fast and seamless enough that I can move my entire family without hassle. Thats why I'm stuck.
I did change them. Very quickly for the important ones, more slowly for the others.
1. The main competitor everyone knows about, 1Password, has its own problems. (I gave up on it a couple years ago after learning that you can't quit the goddamn MacOS application when it's logged out. It literally requires you to be logged in to make use of a super-secret-strong quit that doesn't leave some daemon on the system. Which is incredibly irritating when you're trying to just run a software update but instead you have to type your super long and secure password manager password.)
2. Transitioning passwords is hard even once you find a good alternative. One should change passwords after a breach, but there are basically three options: (a) use the automated password changing within the old password manager. But if you don't trust your password manager after a breach, it's probably a bad idea to use the automated password changing feature of said password manager and end up with your new passwords in the insecure service. (b) import everything to a new password manager and change from there. But if you have a lot of passwords, there's a good chance the new password manager won't be able to automatically change them all, and then you'll either have to carve out a huge amount of time to do it all at once, or have a mixture of secure and insecure passwords in the new password manager, which seems very problematic. (c) gradual transition: move the mission critical passwords first and change them on the spot, then as you use a less important service, change the password for that and move it to the new service as you go. Which makes sense, but means you'll still be using the shitty old one for a while.
https://community.bitwarden.com/t/implement-multi-account-se...
You want to irritate non-technical people? Tell them that they need to use a password manager.
You want to irritate even technical people? Tell them that the password manager you had to force them to use is going to be replaced by a new one, and _they_ have to do the export/import steps -- despite the fact that their boss is breathing down their neck for four projects that are late, half of which they have no control over.
I'm glad I don't have to worry about the Lastpass breach, but I can absolutely commiserate with anyone who has to care about password managers for other people.
People hate passwords. You can explain to them why passwords are important, how people from the outside can do all kinds of nasty things if you pick weak ones, but people will ignore all that because they never need to deal with the fallout.
When these people eventually get hacked, they will blame their computers, their antivirus, their browsers, the websites they use, and most likely also the most recent person who touched the computer.
Password security is like herding toddlers. This is why I'm looking forward to a future where physical keys and passkeys are supported essentially everywhere. We don't even need them as 2FA because they work fine as a first factor in most cases, though 2FA would be much better of course.
And to be honest, whoever manages normal people's IT is probably partially to blame for the hate most people have for passwords. Things like monthly password resets, session tokens that last less than a work day, separate passwords with slightly different usernames across different applications, and all kinds of other useless limitations are why people hate passwords so much: using a password manager once or twice is fine, but having to use it to copy/paste passwords every other hour is tedious and terrible.
Companies unable or unwilling to fix their terrible password setup should invest into something like Yubikeys to at least make the process less frustrating. The difficult part is getting a backup when people lose their keys, but you can probably use passwords as a fallback until a new key can be arranged.
And whether it's passphrases or passkeys, we still haven't solved the problem of the gajillion other accounts people will have to log into to do work that are nowhere near that standard.
At least for a personal account, the 1password import tool worked flawlessly (as far as I can tell after about a month switched) .
Does it not work for enterprise? Or perhaps each would have to run it?
The global company I work at uses it, they have an enterprise-wide contract. Migrating to something else is just a massive PITA, extra costs & sure downtime.
It’s just called “Passwords”. Consistent with “Mail”, “Notes”, “Reminders”, “Calendar”, but it doesn’t have a dedicate app like the others (it’s inside System Settings).
Creating a SQL schema with a "Secrets" table and maybe some audit logging and organizational extras should take a seasoned developer ~30 minutes. Throwing a CRUD web app on top of this and making it accessible to your employees - maybe another day or 2.
I really don't know why you'd risk this sort of stuff with a 3rd party. It just boggles my mind. What are they doing that you can't do? Even a 3 person startup can probably find time around a weekend to knock this out once and for all.
Edit: clearly I missed an important point. We don't care about browser integration. I am not going for 1:1 feature replacement. If you seriously believe "a safe place to keep internal text" is an extremely hard problem that absolutely must be outsourced, I don't know why you would even be involved in technology.
Security seems to be missing entirely from the requirements, for one thing. Access control as well.
But now, thanks to your comment, I finally understand.
Browser and phone integration: autofill, autoupdate. You can do that too, but it’s not a trivial effort. It’s important because otherwise users will sacrifice security for convenience.
Lastpass also knows how to autochange for some sites. It was hard to lose when I left.
I highly doubt your engineer is doing proper cryptographic handling of data like they do.
If you use Django's default hasher, for example, you get more hashing rounds in the default config and they increase those periodically (the latter part that LastPass is struggling with, per the article).
https://github.com/django/django/blob/650ce967825aa192222391...
FWIW I’m on 1Password and it hasn’t had any of these issues, either. I would not spend dev time on this as a startup/software company founder.
No it would take a junior developer 30 minutes; a seasoned developer would look at you sideways and recommend self-hosting something like Bitwarden.
But for me, I keep an encrypted text file and get the passwords my using emacs or vim. I generate passwords using:
tr -cd "[:alnum:]" < /dev/urandom | fold -w 16 | sed 10q
and with the result I may replace 1 character with what they call a "special character". To me that avoids a lot of worry.
Similarly government services gimp the web interface of tax, medical, etc. and try to push you onto mobile apps.
I can't fight this trend. Good for you that you can opt out of this nonsense.
Yes, you can roll your own, but that's not a scalable solution if you're an org or have requirements that lay outside using a Textfile.
1Password and Bitwarden help with this. Your use case might be different and that's fine.
If you look at it from the opposite perspective the value is clear - this isn't a tool for people who can generate and store their own passwords, it's a tool for people who got their Facebook hacked because they used the same password for everything for years and hey, this app can help avoid that mom, let me show you how.
I work for a company that makes a password manager, and at least one clear benefit, versus copy/pasting from somewhere, even for tech savvy users is phishing resistance (the password manager browser extension should not fill your password on a website which doesn't match the website associated with that credential) which is how password gets stolen in practice when they are not reused (not re-using is the main benefit of a PM, but your home-made system does solve that issue too)
They are other benefits more on the convenience side (mobile as you mentioned and even not having to switch app each time you need to grab a password...) which matters more for most people than security (or so they believe at least)
Do you realize that 99.99% of the population in the world, including maybe 99% of the people here, don't do that? Similar to those comments that say "I don't use a cell phone", sorry what is your point? You realize that your very unique way of living and your life experience don't apply to others, and your comment is meaningful to just about nobody but you? Do you actually expect people to read your comment from there?
It’s about as secure as anything (esp after the swap file issue was resolved).
Typically you just need to wait for a user to log in, then validate the password against the old hash and create a new stronger replacement hash. Ending all sessions is a good way to log everyone out and force that. But I'm confused.
If weak password hashes were leaked, then the passwords need to be changed too. Increasing the rounds doesn't prevent attacks on the previously leaked weak hashes. Maybe they expect everyone already did that but some people did it before they increased the hash rounds?
The MFA reset shouldn't be related to the increase in hash rounds, those are unrelated. So they must suspect the MFA seeds were also stolen, but aren't saying it, right?
I assumed they were just increasing the rounds as a general good practice. The best time to plant a tree was ten years ago, the second best time is now, and all that.
At some at the company I work for, we decided to changing hashing algorithms and we did it on the fly when user authenticated again. Users were happy, we were happy.
But as someone already said here, there's a high probability that the OTP seeds were stolen so that's why they are doing this forced reset for MFA re-enrollment.
They were stolen but weren't very clear about it.
From their summary of their latest security incident[1] it says attackers stole:
> Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.
This summary links to a page[2] with more information, but actually on this page they give less information, saying only:
> [Customer Secrets accessed includes] Multifactor Authentication (MFA) seeds - MFA seeds assigned to the user when they first registered their multifactor authenticator of choice to authenticate to the LastPass vault.
1: https://blog.lastpass.com/2023/03/security-incident-update-r...
2: https://support.lastpass.com/help/what-data-was-accessed
Granted, this is just for personal use, and i can totally see a use case for a password manager in a company / corporate environment.
Your password store is a single file, it can be encrypted, backed up (or not), distributed/synchronized between your devices (or not). It belongs to you, not to a third party.
The inevitable rejoinder is, "what happens if someone gets that file?" Well, what happens if someone gets your piece of paper?
Considering it's in my house there is short list of suspects, unlike exposing it to the entire world VIA TCP/IP, but yeah i get your point.
> Will you ever use a password manager.
Not for personal matters and that is a personal choice. My way ain't broke and i ain't fixin it. A password manager smells like something that could break, get compromised, or go out of business at any time without any warning and i don't like the smell of it.
I also code with Notepad++ with none of that autofill suggestion crap and doesn't take 8 smoking cores to fucking type a sentence if that tells you anything about my personality. Get off my lawn!!!
1- is industry gold standard 1password or bitwarden ? Key requisite: edge or FF browser extension. (I dont use mobile password management apps and will never do so)
2 - in light of the LP breaches. Do I change all my pw accounts, the master LP account, or both??
Out of an abundance of caution, it would be prudent to change the passwords for the most critical accounts in your life initially. Things like your bank, email, Google. Accounts that losing control of would immediately make you go "oh shit, I can't do X that I need for daily life". Then slowly over time change the less critical ones.
The bitbetter project[0] shims bitwarden licensing for personal use. It might be better if you're looking for complete feature parity and client support.
[0] https://github.com/jakeswenson/BitBetter
I'm aware that the backend doesn't implement every API Bitwarden has but I've also never noticed any missing features. It did take some time before Bitwarden Send was implemented, but I can't fault the devs for that. I also expect the upcoming BW passkey support to take a while to make it to Vaultwarden.
Personally, the whole organisations thing is only a nice to have when it comes to hosting Bitwarden. The standard Bitwarden installation eats up gigabytes of memory for (I assume) optimizations for large installations that most self hosters probably don't really need.
Any idea what's missing?
Vaultwarden does add TOTP support, which the free official server didn't last time I checked, so while it may be missing features, it also unlocks features you wouldn't have without paying.
[0] https://bitwarden.com/help/install-and-deploy-unified-beta/
1. Comb through your last pass, and delete cruft
2. Signup for 1password https://1password.com/switch/
3. use their auto import tool to pull from lastpass
4. Profit for ~3 months just for safety
5. Delete each item in last pass (who know if they do hard or soft delete?)
6. Request account deletion https://lastpass.com/delete_account.php
I can have an offline password manager that just works, for free, and I don't have to worry about backdoors or hackers or incompetence.
I can't see how any business would allow secrets to be stored on hardware they don't control
Earlier versions allowed the store to be on other sites like dropbox for syncing or on your own servers or a mix.
Note I do use 1password as I don't need any corporate secrets at the moment. It allows me to use other browsers than Safari and also Windows and macOS
If businesses can't trust any of that, then we wouldn't have any online businesses.
LastPass has known issues and IT departments can make an understandable recommendation to the business to pick Bitwarden even with a slight cost premium. There is nothing to justify the insane premium 1Password demands. I have seen them lose multiple contract opportunities because of this.
Note: The dollar quotes are made up numbers, but the percentage differential is real. 1Password is often 50% higher in total cost.
I suppose there's some assurance that if I'm indefinitely locked out of the account then at least hackers are, too?
All of my banks use a mobile app for confirming transactions, which requires me to login. Sometimes that requires reauth not just biometrics. I'm not going to go home and try and type a 20-30 character password into a phone when trying to pay for car parking.
It's not like I don't store in the cloud, since my database is in the cloud. Why would I store the keyfile next to the database?
When implemented correctly a password manager storing the database shouldn't have any information (keys) to decrypt the database. Only the user & the client knows this information, and it never leaves the client.
There is still the matter of authenticating to the password manager service to retrieve the database. There's a couple of ways to do it, but usually a strong password hash (least desirable and I think this is what LastPass uses) or a Password Authenticated Key Exchange (PAKE) in which the service keeps an authenticator to verify your password/credentials but the authenticator cannot be reversed or attacked to determine the password (similarly observing the PAKE transaction over the wire or MITMing it won't allow any attack to find the password).
Even if the authentication aspect fails and someone could download all the databases, the database should be protected with at minimum a slow password hash, so a dictionary attack should be very slow. I believe LastPass has stuffed this up in the past. On the other hand, 1Password took a proactive stance despite a hit to the UX by requiring a password + "secret key" which is I believe at least a 128-bit secret that's mixed together to come up with a high entropy password that is used to encrypt the database - so an attacker will have a hard time with any 1P database.
Put bluntly, as a 1P user I'm the least bit concerned that the database is stored in the cloud. I guess the only thing I have to worry about is a surreptitious version of 1Password being distributed to my machine which may capture/exfil my password & secret key. I guess not being open source is a net negative here. So I do place some trust and faith in AgileBits to protect their supply chain and software distribution. Their reputation depends on the security of the service after all.
It syncs via git and syncthing.
I think I've been using this longer than BitWarden gas existed and will be using it after something happens with BitWarden and triggers another migration.
Once again, a one-time learning and cost of setup has saved me countless headaches and time not spent migrating over the years.
I use password store (pass command-line utility) at its core it's GPG encrypted files in a local git repo, with a convenient command-line utility to manage them. It's cloud-free, runs on my local machine. If you need to sync, you can use git push/pull to do that.
I don't use it from mobile as I do very little on my phone that requires a password, but if you need that there are options:
https://www.passwordstore.org/#other
I would be careful about judging the experience of all online password managers based on LastPass.
I use keypass, it stores all passwords in a file, encrypted. The file can be stored in Onedrive/Dropbox/ etc.
But the point is, if all the aervers in the world go down, I have all my passwords in a local copy. There is also an android app.
You can even edit the database file independantly on desktop and on mobile and it will be able to merge two cobflicting files
https://keepass.info/download.html
What's the point of all that garden-walling and 30% tax and hoops you have to jump through if there's still malware?
I have an app in the Play Store and received some unsolicited requests to install (and get paid for!) adding some extra jar file to my app and hosting someone else's apps in my account. Attackers put in a lot of effort to sneak in.
[1] https://www.wired.com/story/apple-app-store-malware-click-fr...
[2] https://www.reddit.com/r/KeePass/comments/13o0s0q/ioskeepass...
Having fewer malware would still be a worthy goal. That said, I’m not defending the App Store. It’s still riddled with junk, ads, casinos for children in the form of free-to-play games, and adult casinos disguised as children’s games.
https://soyacincau.com/2021/04/17/ios-app-games-for-children...
There's lots of reasons not to use LastPass but I don't think this is high on this list.
[1] https://support.lastpass.com/s/document-item?language=en_US&...
1Password apps store local state in an SQLite database. They then package up that database and encrypt it with your chosen master password and a randomly generated password. (The random password is only to protect users who picked a weak master password against a server breach, so it's stored in plaintext on your computer). That encrypted file is uploaded to their server.
There is also an android (and iOS) app. If you edit independently conflicts are merged.
Pretty much all password managers including Lastpass do store the vaults on your device and you can access them offline. The issue here is the borked MFA reset.
"It's so convenient!" "I don't like having to manually sync between devices with <100% local password manager>!"
Convenience addicts making excuses for their next hit of convenience... no matter how severely convenience harms them.
Convenience has long been an underrated aspect of security. If you make the secure option as convenient (or even more convenient) than the insecure option people will do it. Of course security is always in opposition to convenience to some degree (otherwise we wouldn't have passwords at all, just type in your username to log in, we trust you completely), but minimizing the inconvenience is key to making the system secure in practice. If you make the system too inconvenient people will just work around it no matter how secure it is in theory.
I think we are beginning to understand this and things are improving, but many legacy systems still suffer. For example NIST guidelines have accepted this and now recommend against time-base password rotation[1] but many organizations still enforce it.
[1] https://pages.nist.gov/800-63-FAQ/#q-b05
If "convenient + good" isn't good enough and your credential is compromised, your solution fails completely, 0% score.
If "inconvenient + better" does prevent the compromise of your credential, then it is an absolute success, 100% score.
Prioritizing convenience over security while selecting your password manager is like prioritizing keyless entry over functioning brakes while shopping for a used car - it's clearly a stupid decision even from the perspective of a layperson.
I'll shed zero tears as I play the world's smallest violin when people who've made such decisions have their identity stolen, home forclosed, and savings drained because "muh convenience!"
But in practice, making people change their passwords regularly ends up with them inventing convenient workarounds to avoid the mental overhead of having to learn a new password constantly. “Last month I used `Passw0rd!23`. This month I’ll use `Passw0rd!24`.” And then when their password DB is inevitably breached, an attacker has a pretty great guess as to what their password will be next month.
In a perfect world where everyone perfectly followed perfect instructions to the letter, convenience isn’t critically important. In the one we actually live in it, is. And it’s not just me saying this.
Is this your polite, roundabout way of saying "A number of users are literally so stupid that they're incapable of making rational decisions in their own password management practices"?
I would tend to disagree. I think most people have the capability to follow instructions and act responsibily, when they want to. We really shouldn't be letting the general public drive 3-ton SUV's capable of rapidly accelerating to 120+ mph (200+ kmh) if that weren't true, right?
• Pros - actually secure
• Cons - takes about 18 seconds longer and teeny tiny bit of cognitive effort
Options 1 and 2
• Pros - Caters to NPCs and other entities incapable of thought, effortless
• Cons - horrific and lengthy track record of brutally failing to perform the SINGLE necessary function, keeping passwords secure.
I'm with GP. Something's are worth taking a modicum of effort and doing right. Especially for this, especially for this audience.
I have a file of hints which are only meaningful to me. Even if a malefactor got hold of the file, it wouldn't help them. (no, I'm not going to give examples; if you can't think of some combinations of characters that only you can remember, then fine, use a password manager). I'm always thinking of new ones, too.
You don't need a unique one for every site, either. Having 15 or 20 that you choose at random means that an invalidated one doesn't affect everything you do.
Occasionally, the Hint file has an actual gibberish password with no hint, where I have to copy/paste it. I think this is fine once in a while.
All I really have to remember is the password for the place where that file is stored, and my email's. Often it happens that my stored hint doesn't work (maybe I forgot to update it), but every site has a Forgot Password link.
or is that a hint that's only meaningful to you? /s
"human validation of domains" : not sure what you mean here but I think it's a theoretical problem, not a real one.
If you're afraid of misspelling your bank's name and landing on some malware, you can enter the bank name in your search engine.
It’s a very real and not theoretical problem. For example, someone sends you a link to a Google Doc. You open it and the page looks exactly like the real deal, but the domain is `signin.googledocs.com` or `login.googgle.com`. Even a technical user could not be paying attention and be fooled by that, manually entering their email and password. Because a password manager would only auto-fill your password on the correct domain, you have an extra reason to be suspicious and note something is amiss.
Any less sophisticated user needs to be told that. If you go to some classes for new computer users, I'm pretty sure that'll be in the first hour.
Anyhow, HN readers don't fall in that group.
Yes, of course all of these kind of attacks can be avoided by "just don't do anything dangerous", but in the real world we are all flawed and mess up. No human can be perfect, and relying on never making a mistake makes you vulnerable. Anyone serious about security makes it hard to do the wrong thing.
Hardware security keys are an even better solution, but not every site supports them. Both is by far the best option.
Seems like you do, in the form of a hints file. You even protect it with a password. You’re using a bespoke solution, sure, but you’re still using something to manage your passwords. You could do all that trickery with an off-the-shelf password manager.
You don't have to store passwords in an off-the-shelf password manager; you can store secure notes and files. In other words, you could continue to use your current method of hints but with more organisation.
Point being that what you’re doing is not meaningfully different from using a password manager, you just manage your passwords in an uncommon manner.
As far as I know. Maybe someone does do that?
Anyhow, password managers cost money. This doesn't.
And there are plenty of free (and open-source) password managers.
https://en.wikipedia.org/wiki/List_of_password_managers
It’s fine that you don’t want to use an off-the-shelf password manager, but if you’re not familiar with how they work in practice, perhaps you should not advise people to not use them. Your system is a way to manage passwords and from your description seems to be more complicated than most people (especially non-technical users) would bear.
Edit: what do you consider "complicated"? Compared to all the inevitable complications of a PW manager and browser extensions? Not to mention screwups like the LastPass one.
But it does mean that if one of those passwords gets leaked and the service that leaked it takes a while to notice, you now have X other services that are compromised and you don't even know it.
There are breaches on haveibeenpwned for my email that I was never notified of. If I were reusing passwords, each of those would represent a possible security breach in unrelated accounts.
Maybe they're like diseases you have that aren't any threat to your health.
If some site is really important, then yes: you do need a unique password for it.
Hope people don't fall for the stupid thing that Google/Apple et al are trying to do, either.