This is your regular reminder that if you're still using LastPass you should, uh, stop that.

https://blog.lastpass.com/2022/11/notice-of-recent-security-incident/

@jacob maybe this will be the final nail in the coffin for us using it at work. The UI annoys me every day

@jacob reporting security incidents should be the norm but I'm sure there are countless instances where this is not the case. LastPass reported theirs now, I'm afraid that if they meet with scorn and hostility for it, their competitors (or themselves in the future) might decide against being open about this sort of thing.

Besides, since all data is E2E encrypted, it doesn't seem like this actually put users in danger this time?
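The "E2E encrypted" design the thread is arguing about, as an added illustration (not code from the thread, from LastPass, or from any other vendor): the client stretches the master password into a vault key, sends the server only a further one-way hash for login, and uploads an encrypted blob. The iteration count, the cipher stand-in and the sample account are assumptions chosen for the example; real products use different parameters and AES.

```python
"""Client-side key derivation pattern for a zero-knowledge password vault.
Added example; parameters and the cipher are illustrative stand-ins."""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # illustrative; shipping products use more


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side only: stretch the master password into the vault key.
    The email is the salt, so equal passwords on different accounts differ."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra one-way step yields the value sent to the server for login.
    The server cannot run this backwards to recover vault_key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in for a real cipher (AES-GCM).
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with subkeys split off the vault key. Output: nonce||ct||tag."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("vault blob failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class VaultServer:
    """What the service stores: a salted re-hash of the auth hash plus the
    opaque encrypted blob. Nothing held here can decrypt the vault."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes, bytes]] = {}

    def register(self, email: str, auth_hash: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS)
        self._records[email] = (salt, stored, blob)

    def login(self, email: str, auth_hash: bytes) -> Optional[bytes]:
        salt, stored, blob = self._records[email]
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS)
        return blob if hmac.compare_digest(candidate, stored) else None


def demo() -> dict:
    """Enrol on one device, then log in and decrypt from a second one."""
    email, password = "alice@example.com", "correct horse battery staple"  # constructed
    key = derive_vault_key(password, email)
    server = VaultServer()
    server.register(email, derive_auth_hash(key, password),
                    encrypt_vault(key, b"github.com: hunter2"))
    key2 = derive_vault_key(password, email)  # second device, same inputs
    blob = server.login(email, derive_auth_hash(key2, password))
    bad_key = derive_vault_key("wrong password", email)
    return {"vault": decrypt_vault(key2, blob),
            "wrong_pw": server.login(email, derive_auth_hash(bad_key, "wrong password"))}
```

The property worth checking is that a server-side breach yields the salted auth hashes and the blobs, and neither lets the attacker decrypt without brute-forcing the master password offline. The guarantee only holds for the code that actually runs on the client: if the extension or web page doing the derivation is tampered with, the master password is exposed regardless of the server design.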

@ambv generally I'd agree with you but this is different.

It's not just this one incident; they've had a series of terrible incidents & appear to learn nothing. E.g.: E2E encryption is littered with bugs and has been broken/bypassed repeatedly. The master key is accessible by the server. Malicious plugins can exfil your master password. The support forum (phpbb) somehow knows your master password. And more.

This isn't about scorning; LastPass is actively unsafe and people need to not use it.

@jacob OK, having the master password shared around is a dealbreaker indeed. What are you using?

@ambv I use and recommend 1Password.

AFAIK Dashlane is fine too — they've had some serious issues in the past too, but unlike LastPass seem to have fixed them all and are pretty solid now.

I believe Bitwarden is OK too, but have less info there. And I understand that KeePass and KeePassXC are good if you don't want a cloud component (but I do want a cloud component, so haven't tried them.)

@jacob @ambv FWIW I’ve been using KeepassXC (and before that KeepassX and Keepass) for over a decade. I sync it to all my devices over WAN-only using syncthing, but it would be pretty easy to sync using any other file syncing service. Very happy with it, and I’m also happy with Keepass2Android Offline as well.
@pganssle @jacob @ambv same here, I've been using #KeePass and #KeePassXC in the last years on #Android and #Ubuntu and it works pretty well without subscribing to any service. 🔐
@jacob @ambv I’m a big fan of Bitwarden, I’ve got my whole family using it and definitely recommend it 😁.

@ambv @jacob I use self hosted Bitwarden, docker image: bitwardenrs/server:latest

migrated from LastPass when money-grab shenanigans began ...

@jacob @ambv "The support forum (phpbb) somehow knows your master password. " source for that? I recall some HN messages last year about that, but that's it. Lastpass does not seem to be using a phpbb forum right now, it's using a LogMeIn auth and it definitely does not know my MP

@ambv @zzzeek happened to someone I know. I don’t know if they want to be named, so you can decide if you believe me or not, I won’t be offended if you don’t :)

Good to hear they decommissioned that phpbb eventually.

Because LastPass is beyond stupid and uses your master password to log in to the... | Hacker News

@jacob @ambv I'm calling bullshit on this. Can't find any of these listed as CVEs, or any serious discussion on these vulns. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=lastpass doesn't mention them. The kinds of things you are mentioning here would have been, or would still be (if not fixed), big news.

@zate @ambv some of this is public (the forum thing), some of it was internal assessments that I either saw firsthand or heard about from people I trust. You and I both know there are lots of vulns that don't become CVEs.

If you wanna decide I’m full of shit that’s your prerogative 🤷

@jacob @ambv yeah maybe. Vulns like you are describing don't remain unpublished or secret for long. I can't find anything but some bullshit on Hacker News about the forum thing.

See, the reason I'm looking for actual truths and facts is that many orgs have to do 3rd party assessments on things they use or buy, especially password managers, and yet none of this stuff you talk about shows up for that, and if it's all real and valid, it should. This is the kind of stuff that should disqualify a vendor. But it has to be verified and backed up. This feels like the security version of hating on Nickelback.

@jacob @zate Jacob, I wouldn't dare be so upfront as Zate is here. I mean, your opinion holds a lot of weight in the Python community. I trust you.

But I gotta admit, Zate's got a point that basing damaging public statements on what to us is hearsay (as we cannot verify the claims ourselves) feels off. I guess the old adage that "extraordinary claims require extraordinary evidence" rings true here.

Sure, LogMeIn had it coming but this feels like an overcorrection.

@ambv @zate Look you can completely ignore me and come to a similar conclusion. There's plenty of public info out there about their security posture. Heck, you can read a lot into the fact that this one incident started in August (that they know of) and is still ongoing. But my energy here for an argument is approximately zero, so I guess you should write me off as a crank then.

@jacob @ambv nah, not writing anything off, also not really arguing.

Also not asking you to do anyone's homework (such as.. hey.. PROVE IT!) etc.

There has to be some amount of merit and truth behind what you are saying, but also, I think there are conclusions that might not be as they seem.

Really though, it's Friday, who cares :)

@zate @jacob @ambv I think there would be value in somebody compiling an authoritative “logmein sucks” omnibus article. I *fully* agree with jacob here for a whole bunch of reasons but I don’t have a nice coherent rhetorical package to present, just years of bad experiences and consistent opinions of security folks I trust. But it isn’t incumbent on Jacob (or me, for that matter); we’re just sharing opinions & judgements for those who trust us already

@glyph I think I'd stop short of saying LogMeIn sucks, although I have been known to say ManageEngine sucks .. so there is that.

the comprehensive list of vulns would be super useful for people who are doing a bake-off, or trying to decide between different tools. It's going to depend on what their needs are though as to whether it sucks.

Last time I did that was ~2018 ish I think, and there were no other options for deploying a password manager across an enterprise that met the needs we had, and we generally evaluated the known vulns and potential risks, weighed them against all the other options and risks, and ended up deploying it.

Would I do that today? I'd do the same process of understanding all the requirements and needs, both technical and non, and work out what the best option was. I have seen from these threads that there are more enterprise class options today, which is awesome.

At the end of the day, I don't have time for making that list either, and the people who need it are likely to make their own list anyhow. I think we're just using bandwidth at this point heh.

I do appreciate all your input though, thanks!

@zate @jacob @ambv I also agree with the concern here for “reporting security incidents should be normal”, but also not doing so may actually be illegal, so this is not something we need to reward with praise; a corporation is not a colleague in a blameless postmortem. See for example https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover

@jacob And in the interest of "here are some good alternative password managers:"

- 1Password (paid, $34/yr) https://1password.com/
- Bitwarden (FOSS, free or low cost tiers) https://bitwarden.com/

People told me to move off LastPass for years but weren't very helpful with offboarding. 1Password is what I use now, it has much slicker autofill support and integrates well with Firefox on Linux and Android.


@ehashman @jacob I've been switching over to Microsoft Authenticator for a year. I should probably cut ties entirely with LastPass huh.

@ehashman @jacob I switched from LastPass to Bitwarden nearly a year ago. The import was simple, the only painful step was migrating 2FA codes and there’s no way round that.

I paid $10 to Bitwarden last year, the renewal is the same price.

I had been using LastPass since 2010, they did a promotion with Yubico. I’d listened to a podcast to try to understand how it could be secure. Transcript - https://www.grc.com/sn/sn-256.pdf

I know several happy users of 1Password so I think either should suit.

@ehashman @jacob very high quality UX on both desktop and Android are what I need, which is why I don't want to bother with hand-rolled command-line tools etc. 1Password looked kind of dorky some years back
@zzzeek @jacob 1Password was lightyears ahead of LastPass, and the migration took 15 minutes. I regret not switching sooner.
@ehashman @jacob do they offer open-standards TOTP for 2FA? per https://www.tomsguide.com/news/lastpass-vs-1password they only support... "Authy and MSFT authenticator"? WTF? no Google Authenticator etc.?
@ehashman at the moment if I'm going to switch, running the Bitwarden clone in a container is seeming most appealing
@zzzeek @ehashman @jacob Tom's is wrong. While 1Password lists Authy and Microsoft on their support article (https://support.1password.com/two-factor-authentication/) as the examples of Authenticator apps you can use, it's standard TOTP so you can use any Authenticator app, and WebAuthn as well. I don't know why the support article is unclear like this, but it's definitely ambiguity in the article, not a functional limit in the actual product.
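The interoperability point made just above, as an added example (not code from the thread or from 1Password): RFC 6238 TOTP is a fixed function of the shared secret and the clock, so any authenticator that implements the RFC produces the same codes from the same `otpauth://` enrolment URI. The URI below is constructed for the example; the secret is the RFC 6238 Appendix B test key, so the expected codes are published.

```python
"""RFC 6238 TOTP: parse an otpauth:// URI, generate and verify codes.
Added example; the enrolment URI is constructed, not a real account."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def parse_otpauth(uri: str) -> dict:
    """Extract secret and parameters from an otpauth://totp/... URI (the QR payload)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "label": parsed.path.lstrip("/"),
        "secret": q["secret"],
        "algorithm": q.get("algorithm", "SHA1").lower(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """HOTP (RFC 4226) over the time-step counter, i.e. RFC 6238."""
    secret_b32 = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, unix_time: int, window: int = 1, **kw) -> bool:
    """Relying-party check tolerating +/- `window` steps of clock skew.
    compare_digest keeps the comparison constant-time."""
    period = kw.get("period", 30)
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + step * period, **kw), submitted)
        for step in range(-window, window + 1)
    )


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890") as base32.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

# Constructed enrolment URI, as an authenticator app would read it from a QR code.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice@example.com?secret=" + RFC_SECRET_B32
    + "&issuer=Example&algorithm=SHA1&digits=8&period=30"
)

if __name__ == "__main__":
    params = parse_otpauth(EXAMPLE_URI)
    print(totp(params["secret"], 59, params["digits"], params["period"], params["algorithm"]))
```

Because the code depends only on the secret, the algorithm, the digit count and the period, the enrolment URI is the whole contract between the service and the app; a provider naming two apps in its documentation is listing examples, not restricting the set of clients that will work.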
@jik @ehashman @jacob good to know, that looked kind of alarming to see
@jik @zzzeek @jacob yup, this. I use a separate app for TOTP but 1Password supports it
@ehashman @jacob Been /very/ happy with BitWarden across firefox and android. Export from LastPass to CSV and import to Bitwarden was nearly seamless, too. I don't run my own instance, but knowing that's an option is great.
@ehashman @jacob Also, if you're looking for the model of "an encrypted file stored locally", I love KeePass, open source, free. (And sync the file between machines by some other mechanism) There are interoperable forks though, which is confusing. I happily use KeePassXC on desktop and keepass2android.
@ehashman @jacob What would be an argument against #keepass?
@jacob for those who, quite sensibly, want to manage their passwords with a great interface, but without most of the liabilities (and costs) of using LastPass or their ilk (proprietary, centralised, profit-motivated password mgr corporations), I can recommend this approach: https://tech.oeru.org/setting-your-own-bitwarden-password-manager-and-vaultwarden-sync-server Been hosting my own for several years now. Migrating from LastPass took about 5 minutes.

@jacob Forever shocked they still have customers after the first 3 breaches. KeePass is free and open source and 1Password is run by a cool independent team that seem pretty cool too.
@jacob I took today’s notification from LastPass and this thread (mostly this thread) as the final push to move out. Trying bitwarden. It took me about an hour to completely switch just now.
@jacob is there an alternative you recommend?
@jacob that's great, thanks ;)

@jacob @garrett

> a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo

Just two besties sharing a Netflix password.

@jacob local password dbs are the best.
@jacob 1Password are so nice to deal with. I brought them onboard at my last job at the corporate level, then dealing with them personally I got a pretty sweet deal for a family plan.
@jacob after their last incident (a couple of months ago or so) I moved over to 1Password. It was remarkably easy to move away and they even refunded me for the rest of the year's fee. I was surprised.