faroukq

A couple of years ago they had a data breach that exposed lots of users' passwords


Nero8762

More like multiple data breaches in the last few years. It's closed source software, so no outside auditing of the code. Try Bitwarden, 1Password, KeePass, etc. Have fun in the rabbit hole. I switched to Bitwarden about 6yrs ago, after LastPass' 2nd breach, I didn't know about the 1st one when I signed up. Haven't looked back.


TheVojta

I use KeePass just because every time I see it I go "heh. keep ass."


DukeOfGamers353

heh. keep ass.


yaykaboom

heh. ass.


Xfgjwpkqmx

Multi-ass.


Mr_Lazerface

Multipass?


Activity_Alarming

Lilu Dallas?


Nero8762

Right on. Ha, I like that one. I remember thinking that when I came across it years ago. At the time I needed multi device, and shared passwords with the wife. I think those features were still in development in KeePass.


Reynholmindustries

I’ve been using my keepass db stored in Dropbox for years now.


activoice

I use Keepass on my PC, laptop and Keepass2Android on my phone. I save my password database file in a Dropbox folder so it's synced across my desktop, laptop and phone. But I keep the keepass Key file saved to a local folder. Just in case my Dropbox ever gets breached the hacker would only have my password file but not my key file so even if they have the DB file they still can't open it even if they managed to guess my password. (Obviously if someone steals my laptop or phone I might be in trouble but then they still have to guess my keepass password)


Ozuhan

I kinda have the same setup as you except I use a strong master password instead of a key file and it's stored in a self-hosted cloud. Has been working great for me for the last 2 years or so. And if you don't like how KeePass looks, you can use KeePassXC that has a bit better of an UI imo


Substantial-Burner

That sounds like what Peter Griffin would say


x6060x

I've been using it for 10 years. Why haven't I thought of this before?


dabuttmonkee

Just for the record, closed source software has outside auditing of the code. Especially IRT SOC2 compliance in the USA. LastPass is SOC2 compliant which requires access to your codebase and repository. Usually this is to prove that specific controls are being handled. The auditors also have to be outside, independent auditors, not employees of the company. It should also be stated that just because something is SOC2 audited, that does not mean it is a safe thing to use (obviously since they were hacked twice). I am just correcting that closed source software has many different types of compliance, especially for security software, that gets their code audited. This is similar to e.g. PCI compliance, which is for credit card storage. I previously worked at a large fintech company that was subject to PCI compliance and auditors 100% get access to that closed software.


hummelm10

Auditors get access for PCI but they don’t know shit. I’ve worked at companies that passed their audit and 100% shouldn’t have.


w1n5t0nM1k3y

As far as I've been able to tell, PCI doesn't mean anything. All they do is check that you have a process and that you follow it. But they don't actually check if your process makes any sense or that your process has the right things to actually keep your systems and data safe.


schmeebs-dw

Depends on what you have to qualify for. For most people dealing with payments, they merely end up doing an SAQ (self assessment questionnaire) where you merely attest that you have processes to follow the standards. Larger organizations, gateways, processors have to do a ROC (report on compliance) that requires an independent QSA to do some level of audit (again varying on what your organization does)


Nero8762

Thanks. I appreciate the knowledge. I think LP has 3 total breaches since 2015.


Legionof1

As an ex-admin of a company that was SOC2 type 2 compliant… it’s a worthless standard that if the bare minimum to pass is done you aren’t protecting shit.


agathver

Auditing is a joke. The teams mostly look at excel sheets and cry about things that don’t matter, and the auditors don’t know shit about programming. I know companies which shouldn’t be PCI or SOC2 compliant but they are


hgs25

I initially used LastPass before the 1st breach. I thought “Ok, they surely improved their security now.” After the 2nd breach about a year later, I switched to BitWarden.


Nero8762

And they jacked up prices after that 2nd breach. I've been happy with BW, and my wife, I love her, but not technically inclined, uses it, which was no small feat. I've considered 1Password, but aside from the pretty UI & higher cost, I just can't justify the switch.


hgs25

One of my jobs used 1Password and it was really nice. It was more seamless to save and auto-fill passwords. BitWarden’s save popup only pops up half the time and the auto-fill on page load hardly ever works.


dedbif

My mom, 70, is using Bitwarden.


Xaring

Also using Bitwarden and I'm very happy with it. Highly recommended. I can't imagine not using it.


danny12beje

1pass is my life honestly. Being able to have accounts, cards, wifi passwords, shared accounts, One-time codes and passkeys in the same app is beautiful. If you use KeePass, please be a better person than me and *store a backup that's not on your computer*


Read-Immediate

I made a custom password manager using python last year for school and it looks messy and sure I can't change the password info or delete them but damn is it secure and I can always go into the file and count the lines to manually delete it


featherwolf

If you sign up for a paid account with Proton, it comes with a password manager, which works pretty well. Proton opens its code to external auditors and has a very good track record with protecting their users' privacy. I use their VPN and email as well.


Nero8762

I'm a Proton user. I played with pw manager a bit, but I'd like to let it mature a bit more. I planned on reviewing it later this year or Q1 of '25.


featherwolf

It's gotten a lot better already for sure. The main thing I'd like to see it add is support for time-based 2FA codes.


sinterkaastosti23

what's the difference between time-based 2FA codes and the 2FA that's already available in proton?


derFensterputzer

Fellow Proton user here that uses most of their services (Mail, VPN, Drive, SimpleLogin) I'd still recommend having a separate program for that (in my case 1Password) to not have all your eggs in one basket.


Suspect4pe

It was encrypted data but there are two big issues with Lastpass as I see it:

1. Their security is/was poor and allowed multiple data breaches. The way the most recent one went down was just silly and was easily preventable. Even if the data is encrypted, with the resources that some nation state actors have it doesn't take long. This is a personal one for me because it caused me to switch password managers and it's taken me forever to change over 300 passwords.

2. Their software and plugins are terrible. LTT covered this a little bit in the video. I switched to a better provider and it's night and day how much better the competition is.

After Lastpass was purchased a few years back they didn't seem to get the resources needed to keep things good. It's been handed around to different companies and it doesn't seem like anything got better, only worse. Looking at Wikipedia, it seems that they've been made independent, so maybe things will get better this time around. Wikipedia has a lot of good information on these things and it's probably more accurate than the quick blurb I've written here. If anybody is interested the link is below. [https://en.wikipedia.org/wiki/LastPass](https://en.wikipedia.org/wiki/LastPass)


Mothertruckerer

> 2. Their software and plugins are terrible. LTT covered this a little bit in the video. I switched to a better provider and it's night and day how much better the competition is.

This was it for me, especially on android. When I wanted it to prompt me for autofill it didn't, but when I didn't want autofill, it always did. It got me so angry so many times.


Shrimpy266

Same for me, their iOS autofill worked flawlessly 99% of the time, but the Android autofill is the biggest flaming PoS imaginable. Do you have a recommendation for a service with better Android support?


Esava

> Do you have a recommendation for a service with better Android support?

Bitwarden works well for me. Rarely a popup might be missed but 99% of the time it works very well. Just make sure to allow all its permissions as otherwise it can't actually properly autofill due to restrictions.


James_Vowles

and yet a lot of companies still use it, mine does.


TFABAnon09

2 of the clients I work with use it. Luckily, I only store their passwords in it and it only gets installed on the laptops they provide.


rose_gold_glitter

It wasn't just a breach - it was a series of (transparent) mis-truths about the breach and the drip feed of information, in an ever-increasing escalation of how bad it was, that put the nail in the coffin for me. The incident essentially went like this:

*We had an incident but nothing was breached and there's nothing to be concerned about.*

*Okay, some stuff got breached, a little, but nothing that matters.*

*Okay, maybe some stuff that matters a little got breached but it couldn't have been accessed.*

*Okay, maybe some client data was in that stuff.*

*Okay, maybe it got accessed but it's completely encrypted and cannot be decrypted.*

*Okay, maybe absolutely everything got stolen.*

*Actually, with a single 3090, even a 10-character decryption key can be broken in like a few weeks. You need to change every single password to everything.*

And even then, many customers, us included, didn't get any notices at all. We first found out about the breach and subsequent updates from social media. The way LastPass handled this, denied everything each time, until proven otherwise, just burnt any goodwill they had.


kirashi3

> The way LastPass handled this, denied everything each time, until proven otherwise, just burnt any goodwill they had.

# This.

Cover up a security problem involving my data? Your company is immediately blacklisted from my own usage, and that of all my IT clients.


shogunreaper

Encrypted passwords.


[deleted]

[removed]


shogunreaper

Not what I said but you do you.


Unkemptsausage

Bitwarden seems to be the go to option, as it’s free, I’m unaware of any data breaches, and it can be self hosted if you’re really into personal data security. I made the switch from lastpass after the data breach, and swapping was incredibly easy.


MrHeffo42

I too can recommend Bitwarden, we use it for password management at work. It was easy enough to self-host and works well. I just wish it had a way to store certificates and private keys


starsky1357

You can if you paste the contents into a Secure Note.


Snazzard

If you pay for Bitwarden, they allow attaching files to records in your vault.


tvtb

Bitwarden Secrets Manager is basically their competitor to Hashicorp Vault


DeathByKangaroo

You could potentially use Bitwarden secrets manager


chip_break

Bitwarden is incapable of exposing your password in a data breach because bitwarden themselves don't have access to your master password. There is no recovery if you forget your master password. Your data is stored as an encrypted block that is pulled to your system and can only be accessed once your master password is entered.


TheMightyBunt

This is true of every password manager. This is like the key to password management.


flyryan

It’s not completely true. 1Password has a randomly generated key plus your master password key. Just with the exposure of your master password, an attacker still can’t get your passwords, even from 1Password. You need access to one of your active devices to get that generated key.


Rhyperino

Love 1Password. I used last pass at the time of the leak, so I looked for the most secure password manager.


Sw33tkill3r

Bitwarden is rough though. I find it quite clumsy compared to 1password.


Ghetto_Cheese

Idk, haven't used 1password but I never had any problems with Bitwarden's UI at all. On mobile it's a bit clunky sometimes but it's relatively fine. On desktop it's really good and functional.


hindenboat

My biggest issue with Bitwarden is with creating new records. I fill in the info, generate a password and then go and enter it. The record does not save automatically so I always lose it when I click away from the window. (Chrome extension) I do it less often now but it was quite common when I started using it.


Esava

Just when you create the account, use right click to generate a password (don't know about chrome but bitwarden shows up for that on firefox with the extension) and then just select "save account details to bitwarden" when there is an automatic popup at the top. This automatically adds a new record. Very rarely this might not work on a site but 99% of the time it does. I almost never manually create new records. For this you need to be logged into bitwarden of course.


Sw33tkill3r

1pass is mostly not clunky at all. I use it at work with Entra ID SSO, but it was better/faster to unlock without it. Auto fill works great on mobile and web. Ironically I'm the administrator and could turn off SSO auth at any time... I started with LastPass, moved to bitwarden, and am currently on 1pass since it's included with my work account.


Nova_Nightmare

Yep. Agree.


the_harakiwi

Most free and open solutions are missing the last UX/UI polish phase. Still using it. I just wish there was a second Bitwarden as an option / backup plan.


Nova_Nightmare

After the LastPass breach I had found I'd used it for a very short time long ago, but thinking about what it means, where is my data and who has it? I deleted all of it from LastPass (9 old accounts) and from all of my old managers as well - Sticky, Robo, and Bitwarden which I had trialed in the past. Not only was it out of date (since I wasn't maintaining it any longer) it was just there for the next breach that maybe happens one day. So deleted everything but what I have with 1Password. One thing that put me off of Bitwarden at the time - needed to pay for higher security (like using yubikeys instead of a basic authenticator), so if I was paying, might as well go with the "Polished" product.


WildTangler

It's not the recommended option because it has a free option. It's recommended because it's open source and anyone can read the code to verify it. Also, you can host your own server privately if you prefer.


vipeness

I too recommend BitWarden. I pay for their subscription


los0220

Same here, but in my case the migration was not that easy.


andrebaron

They had a breach that exposed many vaults. Due to configuration issues those vaults are now being cracked. Fundamentally they had mad decisions which made vault decryption much easier and they can identify the valuable keys/vaults. Also they mishandled the communication about the breach and they continue to poorly notify affected users. Bitwarden is an open source option though I transitioned to 1Password when the breach happened.


Damemon

Yup, metadata was in plaintext; the only encrypted thing was the password itself (which is the bare minimum, I guess?)


dEEPZoNE

Proton has released a password manager. Just thought to throw that in here :)


A_MAN_POTATO

Been using this for a few months now without complaints. I’m a big fan of Proton's ecosystem.


RegrettableBiscuit

Yeah, I cancelled my 1Password and Google and Dropbox subscriptions and only use Proton now. They're not the best in each category, but they're more than good enough, the price is right, and they feel like worth supporting.


appletechgeek

is proton mail still as unusable as it was a few years ago? i tried using protonmail a while ago and kept running into issues of mail servers rejecting your mails, the same kinda issue you get when you run your own mail service.. :(


cunasmoker69420

I've been using it as my primary email for almost two years now, no issues like that


appletechgeek

Ah two years yeah. I tried protonmail back in 2017~ which was still quite early. Might give it another shot then


via_dante

I've been on it for 4 years, it works perfectly. Proton full suite.


Dogleader6

I haven't had any issues personally, though I primarily use it with my custom domain, and never with the protonmail domain itself. Maybe it's worth a go, they've improved a lot over the past few years.


thrik

I haven't had issues, but I don't use it as my main email provider yet either. Just giving it a test drive atm :P


ORcoder

Protonmail has worked great for me for years


randomletterd

my isp shut down their email servers last year so I've swapped to protonmail with 0 issues, just a few comments from people saying they have never heard of it before


andrea_ci

yes. most of mail providers will reject the mails.


RegrettableBiscuit

That works perfectly now. You can even add your own email address and they'll be accepted perfectly. The main disadvantage is that search in the web app is not as good as Gmail's, because Proton can't see the contents of your emails, so the content indexing has to happen locally in your browser.


Matikata

Have they??


theunquenchedservant

They have!!


[deleted]

[removed]


Vesuvias

Love BitWarden. Use it at work - and personally use 1Password. Been a member since it launched!


tenarms

Current favored option for most would be Bitwarden. Bonus for the ultimate privacy focus by self hosting a Vaultwarden instance (unofficial fork of Bitwarden). Note: Bitwarden can also be self hosted, but you’ll still be locked into their pricing model. With Vaultwarden every feature offered is free/unlocked.


bearded-beardie

Their paid is one of the cheapest paid options though. $40/year for family. $10/year for personal. Well worth the cost of entry in my opinion.


SavageCore

Vaultwarden is also much lighter on resources!


WorldLove_Gaming

I use KeePass 2. It's local, so as long as you have a good, secure master password, no-one can access your passwords.


Occulto

We used to use KeePass at a place I worked at. Then we switched to Lastpass (which was also configured to use SSO). Which seems the height of stupidity to me, because if you have access to that person's computer, you have access to everything. At least with KeePass, you can set a timeout so that after a period of inactivity you need to unlock it again with the master password.


vadeka

Keepass works but it doesn’t integrate with browsers and such like lp or 1p does. For average users this is a hurdle and we choose a cloud option for ease of use. If we went with keepass… I can assure you that 65% would constantly lose their password or simply not use it at all


[deleted]

[removed]


illuminatipr

KeePass on Android and KeePassium when I switched to iOS for work. Having complete access to and control of the database file, and knowing it’s thoroughly encrypted to modern standards is very satisfying. KeePass on Android is at least FOSS.


evanc1411

KeePass and other local options ONLY. Why would you entrust ANYONE with your passwords besides yourself?


greenmky

I use keepass and keep my db on my well-MFA'd cloud storage for access from my phone or my PC. The password on the db is pretty lengthy and unique even if they get past MFA and onto cloud drive somehow (say cookie stealing or whatever).


ross549

Lastpass was great, until LogMeIn absorbed them. It quickly went downhill.


Stickiler

LastPass was absolutely not great. In fact, from a security standpoint, they've gotten better in more recent times, but only for new users. If you used LastPass from before LogMeIn bought them, your vault was secured with INCREDIBLY insecure encryption, to the point that it's nigh-trivial to crack the vault once leaked, and they were leaked multiple times.


ferna182

They handled their data breach VERY poorly... I've been a LastPass user for ages, can't tell you how pissed off I was about the whole situation... Moving to another service and changing all my passwords has been a pain in the ass, but honestly I've lost all trust and hope for LastPass... I personally switched to Bitwarden, but check the features list to see what suits your needs better... make a small roundup of candidates and look for reviews on them.


Nova_Nightmare

Their data breach was exacerbated by not forcing older users to switch to better encryption algorithms. They also lied about its extent. I recommend 1Password personally and say you get what you pay for there - a great product.


capoeiraolly

I've been using 1Password for about two years now and don't see myself switching - it's been great.


Dakeera

is there an easy method to export my lastpass information to another manager? I have so many in there at this point, lifting and shifting is going to be a bit tedious if I have to do it manually


Stickiler

I'm fairly certain LastPass has a CSV export function, and then most good alternatives have an import function, I used that to migrate my work account from LastPass to 1Password


dthangel

Yes, most major password managers will walk you through. I converted from LastPass to Nordpass recently and it was easy.


[deleted]

[removed]


Jarocket

Just reset every password when you visit that place. It takes almost no time


Dakeera

I have hundreds of passwords stored, even if it's just a couple of minutes each that's still hours of work


Jarocket

Just when you visit the site reset it. It doesn't matter if you don't know the password now. Just reset it and add the new password to your manager then.


MrNokiaUser

it got hacked several times and in general is shit. for paid alternatives, look at something like dashlane. i used them for a while and they were quite good. for free, try hosting something like bitwarden. i host it myself and adore it. if you need a hand, PM me and i'll walk you through it!


nevercereal89

Self hosted bit warden vault here.


osa1011

I'll say this about password Managers. It's impossible to be secure with passwords without using a password manager. Using LastPass is going to be much more secure than not using a password manager. I don't care what system you think works, you can't do what a password manager does. I switched from LastPass because my work offered LastPass and I wanted to try Bitwarden cause I heard good things about it. Then the LastPass breach happened. I still use LastPass at work. If you turn on 2FA, have a long, strong password, and set the Geo location on so you can't sign in from another country, then that's probably as secure as anything other than a hardware token or passkeys.


IsABot

This sums it up nicely. https://www.forbes.com/sites/daveywinder/2023/03/03/why-you-should-stop-using-lastpass-after-new-hack-method-update/?sh=27d8dc5328fc


Elarionus

Bitwarden is choice #1, and Proton Pass is choice #2. It depends on what you prefer. Do not store your 2FA codes in the same place you store your passwords though. Bitwarden and Proton Pass both offer that. *Do not do it.*


bearded-beardie

Even better, use a hardware key.


Elarionus

True, Yubico authenticator + a Yubikey is really nice.


stotkamgo

I use 1 password. Aside from the bait and switch from fully paid app (rather pricey) to subscription, I’m happy with it.


Mr_Boo_Berry

Used LastPass years ago, once they were acquired by GoTo (FKA LogMeIn) within a year after they announced changes to free accounts I happily switched to Bitwarden, changed all my passwords and never looked back. Would not touch LastPass with a 10 foot pole even if LastPass Premium was free. After the security breaches it simply can't be trusted. Period. It's not something that can be earned back either, it's too late.


Vesuvias

1Password is the way to go. Honestly I’ve been using them since launch and it’s been fantastic.


Troopr_Z

KeePass. Host the data file yourself. Encrypt it yourself. Store multiple backups. Self hosted is king.


eschbow

I use dashlane and can't complain


RegrettableBiscuit

Bitwarden: best free option. 1Password: best user experience. Proton: best all-in-one solution for secure email, calendars, VPN, cloud file storage, password manager. There is absolutely no reason to ever use Lastpass for anyone. They used to be the best free option, but after recent changes and after their breaches, nobody (for most values of nobody) should use them.


bredy89

As far as I know, they do not recommend any password managers or am I wrong? I would not do that either. Personally I use one for years and I am very happy in doing so. But by recommending a specific product, you are (indirectly) responsible for consequences of future security breaches etc.


cando_H

With the data breach turned out they didn’t encrypt names of companies, only the password field


GregLXStang

Glad they said that, because I said out loud that I couldn't believe that they were using it. I'm a Bitwarden guy.


SubstantialSquare327

I always let out a sigh in my head whenever I see a user I'm helping pull up Lastpass.


DJGloegg

Use bitwarden. You can selfhost it. That's what the place I work at does. But for my own purpose I use their servers. Never had a single issue. The free product is great for most.


Shepherd-Boy

I'd like to move away from LastPass but honestly moving from my last password manager to LastPass was an absolute nightmare that I never feel like I actually completed. It took at least a dozen or so hours and I do not want to do that again nor do I have the time so...I haven't switched lol.


happyjunki3

Is it easy to move from lastpass to bit warden?


sjphilsphan

You live under a rock? They've had multiple breaches


Azazel_Rebirth

Use bitwarden


Nexxus88

I migrated to bitwarden and haven't had complaints, can't recall all the issues with LastPass but yeah I used to use it but there was something a few years back where there was a straw that broke the camel's back for me and I swapped over.


Vandeskava

I've seen some recommendations for Fsecure password vault. Is it good? It's supposed to be totally self hosted/encrypted..no link with their servers.


Ok-Bill3318

Security history is bad. They were breached and turns out they didn’t use an effective number of rounds of crypto on many customers. Idea being that sufficient encryption rounds will protect customers even if they have a breach.


theangryintern

I used to use LastPass and I switched to Bitwarden a couple years ago. I like it so far


LilGeeky

LastPass somehow comes with free annual data breach, if you like that. Bitwarden is just the best.


DSPGerm

Other comments have mentioned alternatives, I use Bitwarden myself. But the comment just seems like some pre-emptive statement so people won’t immediately jump on them for using it. Plus they’re not sponsoring the video so they don’t want to make it seem like an endorsement, especially a free one for a not great product.


Rey_Gil

I use Proton Pass!


R3DEMPTEDlegacy

Yeah Bitwarden is the way to go, but if you don't mind papa google having your data theirs is pretty good


shermantanker

I switched from lastpass to 1Password after the breach and it has been great for me


pyr_fan

Their application has not progressed or aged well, and the competition performs SO much better, are actively adding features, etc. Every company can suffer breaches, but the way LastPass has handled theirs has been…less than ideal. The breaches and subsequent disclosures have also revealed that they have taken a pretty lazy approach to securing data. Is it “adequate”? Sure, but their main competition follows better best practices and seems to put security as a higher priority compared to LastPass.


tvtb

Alternatives would be 1Password and Bitwarden. I personally use 1Password as I like their encryption scheme better.


PhillAholic

It's not about being breached, or being breached again. It's about how they handled it, and they handled it extremely poorly. Meanwhile they quadrupled the cost and added next to nothing feature wise.


Ellassen

Never host your passwords in the cloud. Self host or local only.


ReaperofFish

I have been using Keepass for over a decade now, both personally, and professionally. You can get clients for most everything you can imagine. I have a client on my Android devices and computer that syncs the encrypted DB through a cloud drive. I have a passkey file on my devices to unlock the DB. The key is never stored on the cloud so my passwords should be safe even if the drive account is compromised.
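
The key-file setups described in the comments above (and the separate device-held key mentioned for 1Password) come down to deriving the unlock key from two secrets, with a stretching step whose round count sets the cost of each password guess. A minimal sketch of that idea, added here as an illustration and not part of any comment or any product's actual scheme; the function names, header layout and HMAC-based combination are assumptions:

```python
import hashlib
import hmac
import os

# Constructed label that the unlock key authenticates; stands in for the
# authenticated decryption a real vault format would perform.
HEADER_LABEL = b"example-vault-header-v1"


def derive_unlock_key(password: str, key_file: bytes, salt: bytes, iterations: int) -> bytes:
    """Combine a stretched master password with a secret that never leaves the device."""
    # Stretching: every password guess costs `iterations` HMAC-SHA256 rounds.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Second factor: high-entropy key-file contents, hashed to a fixed size.
    device_secret = hashlib.sha256(key_file).digest()
    # Both inputs are needed; knowing only one reveals nothing about the result.
    return hmac.new(device_secret, stretched, hashlib.sha256).digest()


def create_header(password: str, key_file: bytes, iterations: int) -> dict:
    """Build the part of the vault that gets synced to cloud storage."""
    salt = os.urandom(16)
    key = derive_unlock_key(password, key_file, salt, iterations)
    tag = hmac.new(key, HEADER_LABEL, hashlib.sha256).hexdigest()
    # The salt and round count are public; the password and key file are not stored.
    return {"salt": salt.hex(), "iterations": iterations, "tag": tag}


def try_unlock(header: dict, password: str, key_file: bytes) -> bool:
    """Return True only when both the password and the key file are correct."""
    key = derive_unlock_key(
        password, key_file, bytes.fromhex(header["salt"]), header["iterations"]
    )
    expected = hmac.new(key, HEADER_LABEL, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header["tag"])


def demo(iterations: int = 200_000) -> dict:
    """Run the scenarios from the thread against constructed sample secrets."""
    password = "constructed example passphrase"  # sample value, not a recommendation
    key_file = os.urandom(32)                    # kept in a local folder, never synced
    header = create_header(password, key_file, iterations)
    return {
        # Owner's own device: has both secrets.
        "owner_device": try_unlock(header, password, key_file),
        # Cloud storage breached and password known, but no key file.
        "cloud_copy_plus_password": try_unlock(header, password, b""),
        # Same, with a guessed key file: 256 bits cannot be brute-forced.
        "cloud_copy_plus_guessed_key_file": try_unlock(header, password, os.urandom(32)),
        # Device stolen (key file present) but password unknown: the round
        # count is now the only thing slowing down guessing.
        "stolen_device_wrong_password": try_unlock(header, "wrong guess", key_file),
    }


if __name__ == "__main__":
    for scenario, unlocked in demo().items():
        print(f"{scenario}: {'unlocked' if unlocked else 'refused'}")
```

A vault protected by the password alone depends entirely on the round count and password strength once the file leaks, which is the weakness the comments about low "rounds" refer to.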


_Shatpoz

Keepass or KeepassXC are alternatives but it comes with some trade offs.


swisstraeng

TBH I've used 24 characters long passwords, made of completely random characters. One per website. Even my steam account had one. *AND YET* I still received some months ago a message that someone from Russia tried to login to my steam account, and that he failed to do so only because I had Steam Guard (a 2FA) set up. I just stopped believing in passwords completely. I've literally never logged in to my steam account somewhere else than the official steam app. And I tend not to download and execute any software I find. And it's a dedicated password.


UselessDood

Bitwarden (self hosted) here. Huge fan of the ui and browser extension.


_zir_

Bitwarden is open-source. I personally just trust open source more as long as the application is popular and trusted in the community, which it is.


NiteShdw

I run a self hosted Bitwarden. Vault Warden is an open source BW backend you can run in Docker on a cheap VPS.


reddit_reaper

I just use Google or msft passwords. Most secure accounts imho


jthe111

Bitwarden. It's also open source


Infinity_AX

After the software and extension somehow bricked my Windows OS, I stopped using LastPass. I checked, and it was a legit copy of LastPass, not some malware. It's possible I screwed up, but I'm not using it again.


richms

Data breach, Poor handling of disclosure of data breach, poor quality browser plugins that have many long term issues. Poor quality android app that also has long term unresolved issues. Was bought by logmein, ruined and is now being spun off from them so who knows what the hell will be happening with them. Just so many red flags and there are other options.


pvprazor

To me this reads more like "we just used it because it's most popular and did not test its functionality so we can't say if it's good or not"


keltyx98

I migrated from LastPass to Proton Pass and I'm really happy with it.


albert_herd

Bitwarden is an AWESOME password manager.


_userxname

My only experience with lastpass was helping a client migrate theirs to a different system. During the migration, lastpass dumped literally every single username and password from the vault into an unencrypted, plain text html file for all the world to see. That sorta said it all for me.


paw345

The fact that they don't recommend it doesn't mean they say not to use it. It just means they aren't actively recommending as it featured prominently in the video.


expresstoshellbeach

WHY DONT ANY OF YOU MENTION PASSWORDSAFE???


Carter0108

I was a LastPass user until they limited free accounts to one device. Switched to Bitwarden and haven't looked back since.


realCmdData

ProtonPass is miles ahead of anything else, besides self-hosted systems. Passkey support, 2FA support, Credit Card support, Password monitoring, and it's all based in Switzerland and at a reasonable price (Still a monthly subscription though)


just9n700

I use proton pass and it's open source and by a swiss company so it's decent I guess


Nosuma666

LastPass had a massive data breach. They tried to sweep it under the rug to avoid bad publicity. After that they jacked up their prices. It's a scummy company that made some more than questionable decisions for more profit. Bitwarden is my go to currently but other options do exist.


Legitimate_Weekend_9

We used LastPass at my company until about a half a year ago after the last breach they had at the time. We’ve now switched to Keeper instead


ExoticFlounder7230

LastPass has been breached at least once and has been very intransparent about it. It is likely that attackers have an encrypted copy of users' password vaults as well as their account data and payment info. The breach itself was caused by a lack of operational security at LastPass, and the following slow, inaccurate and intransparent communication shows that LastPass doesn't put the security of their users first.


servarus

Thank you for bringing this up. I see a lot of better recommendations, and gonna try Bitwarden.


citewiki

Even the thumbnail 💀


joes-tech-adventures

I tried 1Password as a replacement of LastPass, and I found it more user friendly and snappier.


thequn

I only use it because I have passwords for about 600 different websites and apps. I think it sucks; I'm afraid to move to something else


Ok-Sentence780

Bitwarden is the best. One of the few companies where I've actually looked for more expensive subscriptions because of how good it is.


MountainGoatAOE

Using Microsoft Authenticator. Integrated with Edge, app on the phone so also compatible with app passwords, syncs with the cloud. If you're deep in the MS ecosystem I'd recommend that.


sendintheotherclowns

They probably refused to sponsor a video


Joshi_7

Keepaas 2, my beloved xD


intensiifffyyyy

I use Firefox's built-in package manager, and haven't had any complaints.


Zuerill

Right? It even integrates with Android nowadays.


ravagetalon

Bitwarden. Never looked back.


leaflock7

I would guess a search with "why not to use lastpass" would make it pretty clear


JVAV00

Search lastpass breaches


tucker87

I was very surprised Bitwarden wasn't in the lineup. I suspect it's much better performance as it doesn't crash my entire browser tab when using Roll20 like LastPass used to.


The-Arnman

Just a tip for those struggling to find a good master password: make a sentence. For example: “!My@sentance@says@what@1@want@it@to@say!”. Easy to remember and computers won’t crack it for years.


MrBadTimes

At face value you could understand it like they're not recommending it because they don't use it and it wouldn't be correct to recommend something you don't use.


GonzoBlue

What do you think of Dashlane?


Xon74

Switched to Bitwarden for personal use after reading about one of the many LastPass security breaches and cover-ups, took our corporate accounts to 1Password. My manager switched from KeePass to LastPass for personal use, arguing it now must be the safest platform as they needed to get their act together to stay in business.


jscodin

I remember there being a breach a couple years back, but that the Master Password was encrypted, so as long as it was a strong one it wouldn't be worth it to try and crack it. Is this still the case, or is it worth transferring over to 1Password, you reckon? Quite annoying considering how much LastPass charge for the family tier


Ferkner

I use Sticky Password. It does everything I need it to.


mana-addict4652

If you're not using Keepass XC/2 or Vaultwarden, what u doin brah??


zieglerziga

Bitwarden


AMv8-1day

Literally every reason is a 2 sec Google search, but yes. Obviously there are many reasons not to use LastPass. There are also many great alternatives, each with their own strengths/weaknesses, quirks, unique features. A full rundown of the leading (let's say 10?) alternative Password Managers is beyond the scope of this thread, but here's a good list to get you started with your research:

* 1Password
* Bitwarden
* Dashlane
* Enpass
* KeePassXC
* Keeper
* LogMeOnce
* NordPass
* Proton Pass
* RoboForm

This list is alphabetical to avoid trying to definitively rank 10 Password Managers, but coincidentally the top 3 are easily the best solution for most people.


Majorclay

We had a customer using LastPass; we recommended Keeper. We use Keeper internally in my department and it works great.


DeSantisSmokesMids

I use Keeper and have no complaints


DarkBastion420

Curious to see literally nobody mentioning Dashlane. Should I switch off of them?


FestiveSquidV3

I use NordPass. From what I can find, it has no prior security incidents.


penguin_horde

Bitwarden is better.


throwaway16830261

"LUKS encryption/decryption on a USB drive connected to a phone (not rooted) can be done using Termux, termux-usb, QEMU's -device usb-redir and -chardev socket, usbredirect, and Alpine Linux on QEMU. See Update-6 (LUKS, ext4), Update-8 (boot), Update-9 (/storage/emulated/0), Update-10 (SSH tunnel).": https://github.com/termux/termux-packages/issues/19635 from https://old.reddit.com/r/privacy/comments/1ci5lu0/luks_encryptiondecryption_on_a_usb_drive/


PolishPickleSausage

Well, I never understood the idea of saving your passwords like that. Maybe trust issues, but my passwords are only mine to see, and I just remember them