Is LastPass still top in security, any reason to switch?

Topic Author
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Is LastPass still top in security, any reason to switch?

Post by squirm »

I use LastPass, so our whole life savings of passwords and security depends on the one software. I'm checking in to make sure if LastPass is still the recommended password manager to use. I've read some reviews for paid ones but didn't see a reason to switch. I use two factor with Microsoft authentication when possible btw. I also have Microsoft authenticator ask for my sign in fingerprint when opening it.
gtd98765
Posts: 952
Joined: Sun Jan 08, 2017 3:15 am

Re: Is LastPass still top in security, any reason to switch?

Post by gtd98765 »

https://thewirecutter.com/reviews/best- ... -managers/

Looks like LastPass is still the #2 choice on Wirecutter. As long as you know how to use it and are satisfied, I see no reason to change.
ShadowRegent
Posts: 230
Joined: Sun Jan 04, 2015 11:52 am

Re: Is LastPass still top in security, any reason to switch?

Post by ShadowRegent »

I switched to BitWarden and have been very happy. They are open source and had a third-party security audit at the end of last year-- https://blog.bitwarden.com/bitwarden-co ... 1cc81b6d33.
Helo80
Posts: 2125
Joined: Sat Apr 29, 2017 8:47 pm
Location: Unsophisticated Investor

Re: Is LastPass still top in security, any reason to switch?

Post by Helo80 »

My recommendation is to write down financial services (e.g. banks and brokerage firms --- not so much CC companies) passwords in a safe place at home, and use LastPass for everything else.
Thank God for Wall Street Bets.
F150HD
Posts: 3926
Joined: Fri Sep 18, 2015 7:49 pm

Re: Is LastPass still top in security, any reason to switch?

Post by F150HD »

Long is the way and hard, that out of Hell leads up to light.
jumbopapa
Posts: 176
Joined: Thu Aug 30, 2018 7:56 am

Re: Is LastPass still top in security, any reason to switch?

Post by jumbopapa »

ShadowRegent wrote: Mon Nov 11, 2019 4:42 pm I switched to BitWarden and have been very happy. They are open source and had a third-party security audit at the end of last year-- https://blog.bitwarden.com/bitwarden-co ... 1cc81b6d33.
This is my recommendation. Bitwarden has worked perfectly, but importing from LastPass was somewhat of a pain because LastPass doesn't properly encode some characters on the export. This has been a year or two ago, so maybe it's fixed.

I feel better using open source software and if you're really concerned you can self-host Bitwarden.
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Is LastPass still top in security, any reason to switch?

Post by ARoseByAnyOtherName »

I personally use and recommend 1Password.

I would never use LastPass, ever.

As I wrote in a previous thread: "All software has vulnerabilities. But not all password managers have had security breaches where customer data has been exfiltrated. LastPass has. 1Password hasn’t." In addition I find LastPass's interface to be really ugly and clunky.
furwut
Posts: 2123
Joined: Tue Jun 05, 2012 8:54 pm

Re: Is LastPass still top in security, any reason to switch?

Post by furwut »

Helo80 wrote: Mon Nov 11, 2019 4:45 pm My recommendation is to write down financial services (e.g. banks and brokerage firms --- not so much CC companies) passwords in a safe place at home, and use LastPass for everything else.
A lot of financial hacking is the result of family, friends or others with physical access stumbling across written down passwords.
gtd98765
Posts: 952
Joined: Sun Jan 08, 2017 3:15 am

Re: Is LastPass still top in security, any reason to switch?

Post by gtd98765 »

I think this is the most important part of the article:
After discovering the bug, Ormandy privately reported it to Google. Hence, there seems no active exploitation of the vulnerability. Following the report, the latest version of LastPass is out with the patch. Users should ensure updating the product version to LastPass 4.33.0.
All software has bugs. I think it's a good thing that researchers are discovering them and reporting them to the companies concerned.

I do not use LastPass myself, I use a different password manager. But I would not hesitate to use LastPass due to security concerns. Any password manager is better than the write-it-down method of maintaining passwords.
Ice-9
Posts: 1579
Joined: Wed Oct 15, 2008 12:40 pm
Location: MD

Re: Is LastPass still top in security, any reason to switch?

Post by Ice-9 »

Helo80 wrote: Mon Nov 11, 2019 4:45 pm My recommendation is to write down financial services (e.g. banks and brokerage firms --- not so much CC companies) passwords in a safe place at home, and use LastPass for everything else.
A paper with written passwords presents new vulnerabilities. I recommend a digital record of the passwords separate from the password manager that is kept in an encrypted file or container. Such a spreadsheet can actually be exported directly from LastPass or most other password managers and then placed in an encrypted volume.
siker
Posts: 60
Joined: Tue Aug 14, 2018 3:10 pm

Re: Is LastPass still top in security, any reason to switch?

Post by siker »

I started with 1Password because of Wirecutter's recommendation, but found it too intrusive, so I switched to LastPass. On computers, I prefer its Chrome-like, non-intrusive suggestion to save passwords, that I can choose to easily ignore if I want to.
BogleMelon
Posts: 3181
Joined: Mon Feb 01, 2016 10:49 am

Re: Is LastPass still top in security, any reason to switch?

Post by BogleMelon »

Ice-9 wrote: Tue Nov 12, 2019 10:00 am
Helo80 wrote: Mon Nov 11, 2019 4:45 pm My recommendation is to write down financial services (e.g. banks and brokerage firms --- not so much CC companies) passwords in a safe place at home, and use LastPass for everything else.
A paper with written passwords presents new vulnerabilities. I recommend a digital record of the passwords separate from the password manager that is kept in an encrypted file or container. Such a spreadsheet can actually be exported directly from LastPass or most other password managers and then placed in an encrypted volume.
Not sure why would anyone need to back up his passwords. If I lost a password (that is saved in my password manager), I would simply click "forgot password" at the website I want to access and follow the prompts.
"One of the funny things about stock market, every time one is buying another is selling, and both think they are astute" - William Feather
dcabler
Posts: 4543
Joined: Wed Feb 19, 2014 10:30 am
Location: TX

Re: Is LastPass still top in security, any reason to switch?

Post by dcabler »

BogleMelon wrote: Tue Nov 12, 2019 10:32 am
Ice-9 wrote: Tue Nov 12, 2019 10:00 am
Helo80 wrote: Mon Nov 11, 2019 4:45 pm My recommendation is to write down financial services (e.g. banks and brokerage firms --- not so much CC companies) passwords in a safe place at home, and use LastPass for everything else.
A paper with written passwords presents new vulnerabilities. I recommend a digital record of the passwords separate from the password manager that is kept in an encrypted file or container. Such a spreadsheet can actually be exported directly from LastPass or most other password managers and then placed in an encrypted volume.
Not sure why would anyone need to back up his passwords. If I lost a password (that is saved in my password manager), I would simply click "forgot password" at the website I want to access and follow the prompts.
Many sites I use ask a large number of extra security questions of their choosing - I include all of that in lastpass because I can't remember if I entered "Toyota, Toyota Carolla, or just Carolla" :D
Ice-9
Posts: 1579
Joined: Wed Oct 15, 2008 12:40 pm
Location: MD

Re: Is LastPass still top in security, any reason to switch?

Post by Ice-9 »

BogleMelon wrote: Tue Nov 12, 2019 10:32 am
Ice-9 wrote: Tue Nov 12, 2019 10:00 am
Helo80 wrote: Mon Nov 11, 2019 4:45 pm My recommendation is to write down financial services (e.g. banks and brokerage firms --- not so much CC companies) passwords in a safe place at home, and use LastPass for everything else.
A paper with written passwords presents new vulnerabilities. I recommend a digital record of the passwords separate from the password manager that is kept in an encrypted file or container. Such a spreadsheet can actually be exported directly from LastPass or most other password managers and then placed in an encrypted volume.
Not sure why would anyone need to back up his passwords. If I lost a password (that is saved in my password manager), I would simply click "forgot password" at the website I want to access and follow the prompts.
In addition to dcabler's response about the security questions, it's also not about one password. I store scores of them in my password manager, they are all unique and purposefully difficult beyond reasonable ability to memorize, and most days I use the password manager to log into more than one. If that password manager suddenly failed for some reason, it would be a huge inconvenience to have to go through the lost password dialogue even for the passwords I might need just for one day, much less ALL of them.
Helo80
Posts: 2125
Joined: Sat Apr 29, 2017 8:47 pm
Location: Unsophisticated Investor

Re: Is LastPass still top in security, any reason to switch?

Post by Helo80 »

furwut wrote: Mon Nov 11, 2019 8:34 pm A lot of financial hacking is the result of family, friends or others with physical access stumbling across written down passwords.
Ice-9 wrote: Tue Nov 12, 2019 10:00 am A paper with written passwords presents new vulnerabilities. I recommend a digital record of the passwords separate from the password manager that is kept in an encrypted file or container. Such a spreadsheet can actually be exported directly from LastPass or most other password managers and then placed in an encrypted volume.

So.... solutions..... if you cannot trust the people around you:

Vanguard
Username: BH
Written down Password: DiJI-EblMe&r=yAParA7
Actual Password with fixed offset and word only user knows : DiJI-EblBOGLEHEADSMe&r=yAParA7

Written passwords, done properly, are more secure than LastPass any day of the week. However, LastPass makes it much easier to manage especially if away from home.

You all are free to laugh at me.
Thank God for Wall Street Bets.
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Is LastPass still top in security, any reason to switch?

Post by ARoseByAnyOtherName »

dcabler wrote: Tue Nov 12, 2019 11:07 am
BogleMelon wrote: Tue Nov 12, 2019 10:32 am
Ice-9 wrote: Tue Nov 12, 2019 10:00 am
Helo80 wrote: Mon Nov 11, 2019 4:45 pm My recommendation is to write down financial services (e.g. banks and brokerage firms --- not so much CC companies) passwords in a safe place at home, and use LastPass for everything else.
A paper with written passwords presents new vulnerabilities. I recommend a digital record of the passwords separate from the password manager that is kept in an encrypted file or container. Such a spreadsheet can actually be exported directly from LastPass or most other password managers and then placed in an encrypted volume.
Not sure why would anyone need to back up his passwords. If I lost a password (that is saved in my password manager), I would simply click "forgot password" at the website I want to access and follow the prompts.
Many sites I use ask a large number of extra security questions of their choosing - I include all of that in lastpass because I can't remember if I entered "Toyota, Toyota Carolla, or just Carolla" :D
Please never, ever answer security questions truthfully. The answers to many (not all) security questions can be found either online, by knowing someone even casually, or via social engineering. Just use a set of random words as the answer to security questions. (All stored in your password manager of course.)
avei
Posts: 7
Joined: Tue Nov 12, 2019 11:18 pm

Re: Is LastPass still top in security, any reason to switch?

Post by avei »

ARoseByAnyOtherName wrote: Tue Nov 12, 2019 9:43 pm
Please never, ever answer security questions truthfully. The answers to many (not all) security questions can be found either online, by knowing someone even casually, or via social engineering. Just use a set of random words as the answer to security questions. (All stored in your password manager of course.)
What Rose said! There have been hacks upon hacks. The most pertinent was the US government Office of Personnel Management hack (the security clearance breach). Those forms contain everything the "security" questions might want an answer to. Of course the problem is remembering what you said... which is also added to the pw manager and subject to compromise, or written on a paper also subject to compromise.

Let's be careful out there.
dcabler
Posts: 4543
Joined: Wed Feb 19, 2014 10:30 am
Location: TX

Re: Is LastPass still top in security, any reason to switch?

Post by dcabler »

ARoseByAnyOtherName wrote: Tue Nov 12, 2019 9:43 pm
dcabler wrote: Tue Nov 12, 2019 11:07 am
BogleMelon wrote: Tue Nov 12, 2019 10:32 am
Ice-9 wrote: Tue Nov 12, 2019 10:00 am
Helo80 wrote: Mon Nov 11, 2019 4:45 pm My recommendation is to write down financial services (e.g. banks and brokerage firms --- not so much CC companies) passwords in a safe place at home, and use LastPass for everything else.
A paper with written passwords presents new vulnerabilities. I recommend a digital record of the passwords separate from the password manager that is kept in an encrypted file or container. Such a spreadsheet can actually be exported directly from LastPass or most other password managers and then placed in an encrypted volume.
Not sure why would anyone need to back up his passwords. If I lost a password (that is saved in my password manager), I would simply click "forgot password" at the website I want to access and follow the prompts.
Many sites I use ask a large number of extra security questions of their choosing - I include all of that in lastpass because I can't remember if I entered "Toyota, Toyota Carolla, or just Carolla" :D
Please never, ever answer security questions truthfully. The answers to many (not all) security questions can be found either online, by knowing someone even casually, or via social engineering. Just use a set of random words as the answer to security questions. (All stored in your password manager of course.)
Good point and I don't. Point is there is no way I'm going to remember what I answered - hence it's stored, encrypted, and backed up...
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Is LastPass still top in security, any reason to switch?

Post by ARoseByAnyOtherName »

dcabler wrote: Wed Nov 13, 2019 5:55 am
ARoseByAnyOtherName wrote: Tue Nov 12, 2019 9:43 pm
dcabler wrote: Tue Nov 12, 2019 11:07 am
BogleMelon wrote: Tue Nov 12, 2019 10:32 am
Ice-9 wrote: Tue Nov 12, 2019 10:00 am

A paper with written passwords presents new vulnerabilities. I recommend a digital record of the passwords separate from the password manager that is kept in an encrypted file or container. Such a spreadsheet can actually be exported directly from LastPass or most other password managers and then placed in an encrypted volume.
Not sure why would anyone need to back up his passwords. If I lost a password (that is saved in my password manager), I would simply click "forgot password" at the website I want to access and follow the prompts.
Many sites I use ask a large number of extra security questions of their choosing - I include all of that in lastpass because I can't remember if I entered "Toyota, Toyota Carolla, or just Carolla" :D
Please never, ever answer security questions truthfully. The answers to many (not all) security questions can be found either online, by knowing someone even casually, or via social engineering. Just use a set of random words as the answer to security questions. (All stored in your password manager of course.)
Good point and I don't. Point is there is no way I'm going to remember what I answered - hence it's stored, encrypted, and backed up...
:sharebeer
dcabler
Posts: 4543
Joined: Wed Feb 19, 2014 10:30 am
Location: TX

Re: Is LastPass still top in security, any reason to switch?

Post by dcabler »

ARoseByAnyOtherName wrote: Wed Nov 13, 2019 6:02 am
dcabler wrote: Wed Nov 13, 2019 5:55 am
ARoseByAnyOtherName wrote: Tue Nov 12, 2019 9:43 pm
dcabler wrote: Tue Nov 12, 2019 11:07 am
BogleMelon wrote: Tue Nov 12, 2019 10:32 am

Not sure why would anyone need to back up his passwords. If I lost a password (that is saved in my password manager), I would simply click "forgot password" at the website I want to access and follow the prompts.
Many sites I use ask a large number of extra security questions of their choosing - I include all of that in lastpass because I can't remember if I entered "Toyota, Toyota Carolla, or just Carolla" :D
Please never, ever answer security questions truthfully. The answers to many (not all) security questions can be found either online, by knowing someone even casually, or via social engineering. Just use a set of random words as the answer to security questions. (All stored in your password manager of course.)
Good point and I don't. Point is there is no way I'm going to remember what I answered - hence it's stored, encrypted, and backed up...
:sharebeer
I keep thinking of things like retinal scans - then I remember a movie where the bad guys killed the good guy and pulled his eyeball out and used it for the scanner. :shock:
gd
Posts: 1638
Joined: Sun Nov 15, 2009 7:35 am
Location: MA, USA

Re: Is LastPass still top in security, any reason to switch?

Post by gd »

Curious why KeePass has fallen out of favor; I believe I heard about it from recommendations here.
dowse
Posts: 571
Joined: Tue Sep 10, 2013 3:10 pm

Re: Is LastPass still top in security, any reason to switch?

Post by dowse »

Following with interest. Haven't yet taken the step to use a password manager due to security concerns over software bugs. I currently have a notebook handy with password clues written into it, and a separate list of full passwords kept in a home safe. I have photos of the "clue" pages on my phone. I use 2FA for financial accounts.

Nothing is perfect.
ThereAreNoGurus
Posts: 970
Joined: Fri Jan 24, 2014 10:41 pm

Re: Is LastPass still top in security, any reason to switch?

Post by ThereAreNoGurus »

gd wrote: Wed Nov 13, 2019 8:13 am Curious why KeePass has fallen out of favor; I believe I heard about it from recommendations here.
I use KeePass. Works great for me.
Trade the news and you will lose.
Quercus Palustris
Posts: 215
Joined: Sun Apr 08, 2018 12:31 pm
Location: N. Virginia

Re: Is LastPass still top in security, any reason to switch?

Post by Quercus Palustris »

gd wrote: Wed Nov 13, 2019 8:13 am Curious why KeePass has fallen out of favor; I believe I heard about it from recommendations here.
I use KeePass on my Linux desktop and KeePass2Android on my phone, syncing the password database via Dropbox. I like it very much but setup was a bit convoluted (mainly to do w/ Dropbox API keys).

DW still uses a notepad for passwords which is fine except when she's away from home (and in an effort to mitigate that, a lot of her passwords are very similar and not super secure). I may see about getting her set up on 1Password or maybe I'll look into Bitwarden (first I'm hearing of it, love that this site teaches me new non-financial things too!).

My main hesitation is not wanting to be tech support for DW if things go wrong, haha. I'd pick 1Password over LastPass because LP seems to keep winding up in the news for stupid, stupid IT mistakes.
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Is LastPass still top in security, any reason to switch?

Post by ARoseByAnyOtherName »

dowse wrote: Wed Nov 13, 2019 8:51 am Following with interest. Haven't yet taken the step to use a password manager due to security concerns over software bugs. I currently have a notebook handy with password clues written into it, and a separate list of full passwords kept in a home safe. I have photos of the "clue" pages on my phone. I use 2FA for financial accounts.

Nothing is perfect.
Software bugs are definitely a valid concern and as you said nothing is perfect. That said I expect using a reputable password manager would be a security improvement over your current setup. While your setup sounds reasonable a password manager would let you have stronger, totally random passwords and totally ditch the notebook. You could still keep physical printouts in your home safe if you were so inclined.

Also, you and any others considering this move can dip your toes in the water over time. As you all have seen I am partial to 1Password (now is a good time to mention I have absolutely no affiliation with them, other than being a customer). They offer a free trial you could use with a few non-critical websites as a way to get your feet wet.

Ultimately though, using any good reputable password manager is better than not, for most people in many cases.

EDIT: made it clear that I am a 1Password customer but that I don’t have any other affiliation with them. Sorry if that wasn’t clear at first.
Last edited by ARoseByAnyOtherName on Wed Nov 13, 2019 5:56 pm, edited 1 time in total.
michaelingp
Posts: 936
Joined: Tue Jan 17, 2017 7:46 pm

Re: Is LastPass still top in security, any reason to switch?

Post by michaelingp »

I don't like to use free software for security. The business model seems dicey to me. I pay for a password manager. It was $75 for 5 years, not worth worrying about.
avei
Posts: 7
Joined: Tue Nov 12, 2019 11:18 pm

Re: Is LastPass still top in security, any reason to switch?

Post by avei »

Quercus Palustris wrote: Wed Nov 13, 2019 11:43 am
gd wrote: Wed Nov 13, 2019 8:13 am Curious why KeePass has fallen out of favor; I believe I heard about it from recommendations here.
I use KeePass on my Linux desktop and KeePass2Android on my phone, syncing the password database via Dropbox. I like it very much but setup was a bit convoluted (mainly to do w/ Dropbox API keys).

DW still uses a notepad for passwords which is fine except when she's away from home (and in an effort to mitigate that, a lot of her passwords are very similar and not super secure). I may see about getting her set up on 1Password or maybe I'll look into Bitwarden (first I'm hearing of it, love that this site teaches me new non-financial things too!).

My main hesitation is not wanting to be tech support for DW if things go wrong, haha. I'd pick 1Password over LastPass because LP seems to keep winding up in the news for stupid, stupid IT mistakes.
I use KeePass on FreeBSD, Linux, Mac, iPad and Android. Mrs. Avei uses it on her PC. We do archive the pw files on our private little server. We like it and use it with both a password and a key file on a chip to open it. The chip can be removed and render KeePass unusable.

The biggest problem we have is we do update passwords regularly, we each have separate KeePass files, and there is no clear way to sync our separate accounts. If we could, then we could independently update passwords and sync as necessary without the need for coordination. I didn't see a clear way to do this in any of the other pw managers I've looked at.
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Is LastPass still top in security, any reason to switch?

Post by ARoseByAnyOtherName »

avei wrote: Wed Nov 13, 2019 7:55 pm The biggest problem we have is we do update passwords regularly, we each have separate KeePass files, and there is no clear way to sync our separate accounts. If we could, then we could independently update passwords and sync as necessary without the need for coordination. I didn't see a clear way to do this in any of the other pw managers I've looked at.
1Password has the concept of families, which contain one or more user accounts. Accounts in a family have passwords in vaults that only they can access, but accounts can also have shared vaults, and passwords in shared vaults can be seen and updated by any of the accounts that have access to the vault. It’s very handy.

https://support.1password.com/family-sharing/
BusterMcTaco
Posts: 396
Joined: Tue Jul 11, 2017 6:36 pm

Re: Is LastPass still top in security, any reason to switch?

Post by BusterMcTaco »

I have found LP has gone way downhill since they were acquired by LogMeIn, or whoever. The UI is bad, and saved credit cards don't work most of the time. They also tripled the premium price from $12 to $36. I cancelled and am using the free version as long as it continues to suit me well enough.
Speckles
Posts: 107
Joined: Sun Jul 21, 2019 1:36 am

Re: Is LastPass still top in security, any reason to switch?

Post by Speckles »

Is the Apple Keychain still a suitable choice or should a security-conscious person upgrade to something better?

I appreciate the discussion on this topic. Thanks for posting, OP. Input from others in the field is very helpful.
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Is LastPass still top in security, any reason to switch?

Post by ARoseByAnyOtherName »

Speckles wrote: Wed Nov 13, 2019 8:50 pm Is the Apple Keychain still a suitable choice or should a security-conscious person upgrade to something better?
Apple Keychain is a suitable choice. Standalone password managers tend to offer more features, and Keychain is limited to the Apple ecosystem. Overall if it meets your needs it is a good choice.
Speckles
Posts: 107
Joined: Sun Jul 21, 2019 1:36 am

Re: Is LastPass still top in security, any reason to switch?

Post by Speckles »

“A Rose ...”, thank you for the advice. Much appreciated.
3-20Characters
Posts: 717
Joined: Tue Jun 19, 2018 2:20 pm

Re: Is LastPass still top in security, any reason to switch?

Post by 3-20Characters »

TLDR

I’ve been using the free version of 1Password since forever (I don’t think the free version is still available but I’m not sure). I prefer the free over the paid version (I’ll explain why below). I tried lastpass twice but did not like the interface and had plenty of trouble importing data. That was a while ago so maybe it’s better now. I did a cost comparison and it comes out practically identical to 1Password. I’m not sure why it’s so popular among the BH crowd. All around, 1Password is a better choice for me. I’ve tried bitwarden, mSecure, dashlane and enpass. I have looked at the keepass website but I think it’s only for Windows and frankly, the whole idea seems like some heavy lifting for the user. So, not interested.

Of the above, I liked enpass the most but not enough to replace 1Password. With lesser known managers like bitwarden, mSecure, and enpass, I’d be worried about support/upgrades due to small user base. How much that factors into the decision is up to the individual user.

I prefer a password manager that does not store passwords on their servers. I understand the precautions and encryption involved but would prefer to not have another account to lock down or worry about. Enpass provides this, has a very nice interface, handles autofill well on my Apple devices, and is not a subscription model (this can change in the future, of course). mSecure is also a one time purchase (not subscription but I like enpass better). If I were to dump 1Password, I would choose enpass.

Back to 1Password free version. It’s all I want or need in a password manager. Plus, free! The way the free version works is that you lose a few upscale features but nothing I care about. Otherwise, it works like the paid version on my iDevices. But...it’s hobbled on the Mac. You get all the syncing, so passwords are up to date but rather than autofill, you must copy/paste to website. You cannot add or modify records on the Mac version. This does not bother me as I do almost all my work on an iPad and sync is practically instantaneous. 1Password supports markdown in the notes section and that's nice because I keep a lot of notes and it helps to have them display nicely/clearly! Exporting from 1Password to most other password managers is very well supported. So if I decide to switch, it should not be a problem. I’ve done some tests with excellent results.

This brings me to the “why use the free version of 1Password.” With the free version, I do not have to use a 1Password account and use their servers. 1Password works locally and uses iCloud for syncing. I like the way Apple has implemented security and 2FA for my iCloud account and I lock down that account very carefully already. Nothing new to do there. I can get into details on how hard it would be for someone to access my encrypted passwords on iCloud but I’ll spare you. I’ll just say that I feel quite secure with my set up and the price is right.

Conclusion: As much as I like enpass and that it’s not a subscription model, if I had to pay, I’d go with a 1Password subscription even though it breaks my rule of not storing data on their servers. I feel as though your choice of password manager is one of most important software decisions and I’d want a robust software, quick updates, good support. These generally need a large user base. Some will choose lastpass or dashlane for good reasons. I choose 1Password (subject to change as the landscape changes).
Lacrocious
Posts: 378
Joined: Thu Mar 22, 2007 9:45 pm
Location: Wisconsin

Re: Is LastPass still top in security, any reason to switch?

Post by Lacrocious »

dcabler wrote: Tue Nov 12, 2019 11:07 am ...Many sites I use ask a large number of extra security questions of their choosing - I include all of that in lastpass because I can't remember if I entered "Toyota, Toyota Carolla, or just Carolla" :D
Don't answer correctly - make something up and put it in your password manager of choice. What is the model of your first car? That would be "Purple Soda", or was it "Grumpy Grandpa" or maybe "Baby Beluga Bubblegum". Maybe your answer above was for "What was the name of your favorite high school teacher?", in which case it could be a good answer!

If you have to tell someone the word during a phone call to access your account - you may sound silly - but better that than a truthful answer that is the same on multiple websites.
- L

EDIT - I was behind a bit in reading the forum and see that this was already discussed. All good points!
3-20Characters
Posts: 717
Joined: Tue Jun 19, 2018 2:20 pm

Re: Is LastPass still top in security, any reason to switch?

Post by 3-20Characters »

Lacrocious wrote: Wed Nov 13, 2019 10:24 pm
dcabler wrote: Tue Nov 12, 2019 11:07 am ...Many sites I use ask a large number of extra security questions of their choosing - I include all of that in lastpass because I can't remember if I entered "Toyota, Toyota Carolla, or just Carolla" :D
Don't answer correctly - make something up and put it in your password manager of choice. What is the model of your first car? That would be "Purple Soda", or was it "Grumpy Grandpa" or maybe "Baby Beluga Bubblegum". Maybe your answer above was for "What was the name of your favorite high school teacher?", in which case it could be a good answer!

If you have to tell someone the word during a phone call to access your account - you may sound silly - but better that than a truthful answer that is the same on multiple websites.
- L

EDIT - I was behind a bit in reading the forum and see that this was already discussed. All good points!
My answer to security questions is a six digit pin which I store in the notes section of my 1Password login record.

Example:
Favorite color=956238 (not the actual answer).

Thankfully, fewer and fewer sites use security questions any longer.
Tarkus
Posts: 191
Joined: Sun Aug 25, 2013 9:43 pm

Re: Is LastPass still top in security, any reason to switch?

Post by Tarkus »

I've used 1Password, LastPass and Dashlane and I'm currently using KeePass.

I prefer KeePass (specifically KeePassXC, the cross-platform variant) for a couple of reasons:
  • It's open source, thus the code has lots of eyeballs auditing it. I don't really trust closed source software, especially for security.
  • It's cross-platform. Works on Windows, Mac, Linux, Android, iPhone
  • You have complete control over whether your data stays on your computer, or is synced via the cloud (via Dropbox or Google Drive).
  • It works with things other than websites -- for example it autofills desktop applications like Moneydance, Evernote and even terminal-based Unix/Linux credentials.
  • It doesn't use browser plugins to do the "autofill" stuff. The browser integrations are where LastPass has had some security vulnerabilities, and appears to be where much of the risk is. Moreover, I found the 1Password/Dashlane/LastPass autofill only worked about 70% of the time. KeePass uses its own native OS program to provide keyboard input into the websites password fields. For most websites, that means you type {USERNAME}{TAB}{PASSWORD}{ENTER}, and this auto-typing sequence is customizable per website. I can't think of a website that doesn't work (though some websites are a chore to get to work because they ask for usernames/passwords in several different ways).
The drawbacks are that it's got a higher learning curve and isn't really supported by anything except the community.
Topic Author
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Re: Is LastPass still top in security, any reason to switch?

Post by squirm »

Tarkus wrote: Thu Nov 14, 2019 3:19 pm I've used 1Password, LastPass and Dashlane and I'm currently using KeePass.

I prefer KeePass (specifically KeePassXC, the cross-platform variant) for a couple of reasons:
  • It's open source, thus the code has lots of eyeballs auditing it. I don't really trust closed source software, especially for security.
What exactly does open source mean? I'll admit I honestly don't know. Can't some expert Russian hackers look at the code and insert malicious code and hide it?
TimeRunner
Posts: 1939
Joined: Sat Dec 29, 2012 8:23 pm
Location: Beach-side, CA

Re: Is LastPass still top in security, any reason to switch?

Post by TimeRunner »

Switched from Lastpass to Bitwarden a year ago, on Win10, Chromebook and android phone. Super-reliable and doesn't try to fill in fields (wrongly) like Lastpass did. Simple, effective, and free.
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
mhalley
Posts: 10432
Joined: Tue Nov 20, 2007 5:02 am

Re: Is LastPass still top in security, any reason to switch?

Post by mhalley »

I don’t like the idea of my passwords being in the cloud, so I use keepass.
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Is LastPass still top in security, any reason to switch?

Post by ARoseByAnyOtherName »

3-20Characters wrote: Wed Nov 13, 2019 10:57 pm
Lacrocious wrote: Wed Nov 13, 2019 10:24 pm
dcabler wrote: Tue Nov 12, 2019 11:07 am ...Many sites I use ask a large number of extra security questions of their choosing - I include all of that in lastpass because I can't remember if I entered "Toyota, Toyota Carolla, or just Carolla" :D
Don't answer correctly - make something up and put it in your password manager of choice. What is the model of your first car? That would be "Purple Soda", or was it "Grumpy Grandpa" or maybe "Baby Beluga Bubblegum". Maybe your answer above was for "What was the name of your favorite high school teacher?", in which case it could be a good answer!

If you have to tell someone the word during a phone call to access your account - you may sound silly - but better that than a truthful answer that is the same on multiple websites.
- L

EDIT - I was behind a bit in reading the forum and see that this was already discussed. All good points!
My answer to security questions is a six digit pin which I store in the notes section of my 1Password login record.

Example:
Favorite color=956238 (not the actual answer).

Thankfully, fewer and fewer sites use security questions any longer.
This is a good strategy for handling security questions.

Another good strategy is to have an answer that is a random sentence. For example if this question is "What street did you grow up on?" your answer would be something like "I didn't know he chair had a lemon dog."

What you want to avoid is answering a security question with a long string of random characters. Long strings of random characters, as long as possible, are what you want for your password, but answering your security questions this way potentially opens you up to a social engineering attack. If an attacker is trying to impersonate you over the phone, and customer service asks them for the answers to your security questions, they could say something like "oh it's just a bunch of nonsense" and try to get around answering. Admittedly it's hard to know how real of a possibility this is, but might as well use one of the strategies above instead.

You also wrote:
is a six digit pin which I store in the notes section of my 1Password login record.
Worth noting that in 1Password, when you're in edit mode, you can create new fields of any type including new password fields. So you could create a new password field where the field label is the security question, and the password entry is the answer. It's a little more structured than dumping this info into the notes field, and makes it faster to copy/paste when needed.
3-20Characters
Posts: 717
Joined: Tue Jun 19, 2018 2:20 pm

Re: Is LastPass still top in security, any reason to switch?

Post by 3-20Characters »

ARoseByAnyOtherName wrote: Thu Nov 14, 2019 8:57 pm
Worth noting that in 1Password, when you're in edit mode, you can create new fields of any type including new password fields. So you could create a new password field where the field label is the security question, and the password entry is the answer. It's a little more structured than dumping this info into the notes field, and makes it faster to copy/paste when needed.
The free version of 1Password (which I use) doesn’t have this feature. Notes work for me. I use mark up to create styled text in order to make it easy to read my notes.
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Is LastPass still top in security, any reason to switch?

Post by ARoseByAnyOtherName »

3-20Characters wrote: Thu Nov 14, 2019 9:19 pm
ARoseByAnyOtherName wrote: Thu Nov 14, 2019 8:57 pm
Worth noting that in 1Password, when you're in edit mode, you can create new fields of any type including new password fields. So you could create a new password field where the field label is the security question, and the password entry is the answer. It's a little more structured than dumping this info into the notes field, and makes it faster to copy/paste when needed.
The free version of 1Password (which I use) doesn’t have this feature. Notes work for me. I use mark up to create styled text in order to make it easy to read my notes.
Makes sense. :sharebeer
SpaethCo
Posts: 372
Joined: Wed Jan 13, 2016 11:58 pm
Location: Minneapolis

Re: Is LastPass still top in security, any reason to switch?

Post by SpaethCo »

Tarkus wrote: Thu Nov 14, 2019 3:19 pm It's open source, thus the code has lots of eyeballs auditing it. I don't really trust closed source software, especially for security.
I agree in spirit, but open source isn’t magic. OpenSSL still had Heartbleed. Bash had been open source for over 2 decades and you still had ShellShock. Those were massive vulnerabilities.
Tarkus wrote: Thu Nov 14, 2019 3:19 pm It doesn't use browser plugins to do the "autofill" stuff. The browser integrations are where LastPass has had some security vulnerabilities, and appears to be where much of the risk is.
It has been a source of vulnerabilities, but it’s also a key anti-phishing feature. Unless the URL matches exactly what’s in Lastpass, 1Password, or other password managers with browser extensions, it won’t fill the credentials in the site. If you get accustomed to copying and pasting credentials into websites, the stats aren’t in your favor if you come across a clever phishing campaign.
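The exact-match behaviour described in the post above, as an added example that is not part of the original post and is not any password manager's own code. It assumes the match rule is exact origin equality (scheme, host and port), which is a simplification; the vault entry and every host name are constructed sample data.

```javascript
// Added example: refuse to autofill unless the page origin equals the stored one.
// The vault entry and all URLs below are constructed sample data.
const vault = [
  { origin: "https://login.example-bank.test", username: "alice" },
];

// Normalise a URL to scheme + host + port; return null if it does not parse.
function originOf(rawUrl) {
  try {
    const u = new URL(rawUrl);
    // Only http(s) pages are fill candidates; other schemes have opaque origins.
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    // .origin lower-cases the host, drops the default port and ignores userinfo.
    return u.origin;
  } catch (err) {
    return null;
  }
}

// Return the vault entry for this page, or null when nothing matches exactly.
function credentialFor(pageUrl, entries = vault) {
  const origin = originOf(pageUrl);
  if (origin === null) return null;
  return entries.find((e) => e.origin === origin) || null;
}

// Pages a user might land on: the first two are the real site, the rest only look like it.
const samples = [
  "https://login.example-bank.test/signin?next=%2F",
  "https://LOGIN.EXAMPLE-BANK.TEST:443/",              // same origin after normalisation
  "http://login.example-bank.test/signin",             // scheme differs
  "https://login.example-bank.test.evil.test/signin",  // real name used as a subdomain label
  "https://login.example-bank.test@evil.test/",        // real name placed in the userinfo part
  "https://login.examp1e-bank.test/",                  // digit 1 in place of the letter l
];

for (const url of samples) {
  console.log(credentialFor(url) ? "FILL  " : "REFUSE", url);
}
```

A person pasting from the clipboard compares these strings by eye; the extension compares them byte for byte after normalisation, which is why only the first two are filled.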
Quercus Palustris
Posts: 215
Joined: Sun Apr 08, 2018 12:31 pm
Location: N. Virginia

Re: Is LastPass still top in security, any reason to switch?

Post by Quercus Palustris »

squirm wrote: Thu Nov 14, 2019 7:40 pm What exactly does open source mean? I'll admit I honestly don't know. Can't some expert Russian hackers look at the code and insert malicious code and hide it?
It means anyone can see or use the source code. There's still an "official" or mainline version of the application which is distributed by the maintainers. So any sneaky code would have to pass a code review (hopefully), and anyone looking at the code would wonder why some rando added code sending passwords over the network (so I suppose they'd have to be really sneaky and hide it somehow). The idea is you can't hide things when you're in the open.

I did some experimenting on the Go language libraries for KeePass, so I can say I know the program is encrypting its data the way the authors say it is. LastPass could just be encrypting all my data with password "1234" for all I know (though I have no reason to doubt they aren't doing what they say they are - but it's all on faith).

As SpaethCo says though, open source is no guarantee there aren't bugs (and the bugs could be devastating, or glaringly embarrassing). Open source folks tend to feel it's better to have them open (where anyone could find them, but also figure out fixes). By contrast, you're depending / hoping Apple/MS/Cisco/etc will find and fix vulnerabilities in good faith (there was a recent dust-up between Google and Apple's security teams regarding how long it was taking them to fix vulnerabilities).
Tarkus
Posts: 191
Joined: Sun Aug 25, 2013 9:43 pm

Re: Is LastPass still top in security, any reason to switch?

Post by Tarkus »

SpaethCo wrote: Thu Nov 14, 2019 11:12 pm
Tarkus wrote: Thu Nov 14, 2019 3:19 pm It doesn't use browser plugins to do the "autofill" stuff. The browser integrations are where LastPass has had some security vulnerabilities, and appears to be where much of the risk is.
It has been a source of vulnerabilities, but it’s also a key anti-phishing feature. Unless the URL matches exactly what’s in Lastpass, 1Password, or other password managers with browser extensions, it won’t fill the credentials in the site. If you get accustomed to copying and pasting credentials into websites, the stats aren’t in your favor if you come across a clever phishing campaign.
This is true. KeePass's autotype system will protect you from accidentally entering your credentials into the wrong site, but it doesn't offer as much protection against a malicious phishing site, especially if the site specifically targeted the KeePass autotype system. The autotype feature is definitely a convenience and not a security feature.

I can also say that LastPass has once saved me from carelessly entering credentials into a phishing site, so this is perhaps not a trivial issue.
Dan-in-Virginia
Posts: 841
Joined: Sat Apr 16, 2011 5:33 am
Location: Virginia

Re: Is LastPass still top in security, any reason to switch?

Post by Dan-in-Virginia »

I have used lastpass since 2012 and have over 400 accounts in there along with secure notes. It’s great. I also use the LastPass Authenticator which is terrific because it backs up to your vault.

I do not, however, enable integration with any web browsers. I mainly use it on my phone with web login as an option. I pay for the family plan. Being able to have a shared “Household” folder or share individual account passwords is nice.
MikeG62
Posts: 5065
Joined: Tue Nov 15, 2016 2:20 pm
Location: New Jersey

Re: Is LastPass still top in security, any reason to switch?

Post by MikeG62 »

I've been using LastPass for several years now as well. Almost 300 individual sites stored in there. It works just fine for me. Don't know how I'd manage without a password manager.
Real Knowledge Comes Only From Experience
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Is LastPass still top in security, any reason to switch?

Post by Gadget »

Gray wrote: Thu Nov 21, 2019 8:11 pm I pay for the family plan. Being able to have a shared “Household” folder or share individual account passwords is nice.
I have and like the family plan for the shared folders too. I suggest you submit a help ticket to add the ability to do the Lastpass security challenge on shared folders. I complained that it only checked non shared folders to find duplicate and bad passwords/etc. They told me that no one else had requested that feature and they would look into it in the future. But it's been like that since they released families and they've never fixed that bug.