I am once again asking you to stop using LastPass. The company has a history of security issues dating back years, and has yet to make holistic security improvements — or heck even investigate incidents properly.

Good alternatives:

- 1Password is my #1 rec, best for most use cases
- Bitwarden if you want open source
- KeePassXC if you want local vaults and open source
- I hear ok things about Dashlane but don’t know a ton

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

[Link preview: "Security Incident December 2022 Update - LastPass" (The LastPass Blog): "We are working diligently to understand the scope of the incident and identify what specific information has been accessed."]
@jacob I had literally been planning to change a year or so back, but was convinced by someone I thought knew a thing or two to stay 🤦‍♂️
@jacob +1 to all your points; similarly heard positive experiences with Dashlane but can't confirm. I'd add that Google Password Manager is a good mix of security and convenience for folks already bought into the ecosystem (additional encryption available too) – but I'm biased 🤷🏻‍♀️
@meggawat
Is there a standalone app to manage Google Password Manager without needing to use the website or Chrome?
@jacob
@RikiGuitarist @jacob I'm not 100% certain, but I think you do need Chrome on iPhone? But I know that you don't need Chrome on Android: GPM is part of the OS settings.
@jacob how about plain old Apple Keychain?
@misc @jacob it’s fine, but you have essentially no platform support beyond Apple systems.

@jacob Yeah, this breach was the last straw. Back to 1Password for me.

The fact they've got staff who were spoofed into handing over cloud keys means they've got the wrong staff to work on security software.

@jacob

KeePassxc all the way

@jacob KeePass, Keepass2Android, and syncthing for the past 5ish years.

@jacob
1Password is still a blackbox.

KeePassXC (or almost any local password manager, like pass, for that matter) can be made un-local with Syncthing (pass also with Git).

@dzwiedziu @jacob Oh I hadn't heard about syncthing yet. Will check it out, seems interesting.
@jacob you are absolutely right. I dumped LastPass when they just stopped updating. They never kept up with Android versions and those are slow as hell. They were good once upon a time, but it was ages ago.
Passwords Part Two

I spent the past several weeks designing & implementing my own password manager. For context on that, take a look at Password Managers. Under the heading Security, I noted that I would revisit this in-depth after working through the project. I’ve decided not to use my own online password manager. This post explains what I found & why I’ve decided that it’s not more secure for me. Introduction & Methodology To maintain unambiguous compliance with the Computer Fraud and Abuse Act (CFAA), I utilized only systems over which I had complete ownership & control.

@jbminn I don’t think this is generalizable advice.
@jacob +1 for KeePassXC. Been using it since LastPass upped prices suddenly a few years back, which I'm still dirty about. I also sync my KeePass database across devices and phone with self-hosted Nextcloud.
@jacob yes, I personally am extremely happy with bitwarden
@jacob bitwarden is amazing if mildly quirky to self host.
@jacob I can't recommend enough KeePassXC paired with Nextcloud or some other reputable file synchronization.
@jacob even without the security issues, the UX of LastPass is 🤢

@jacob yes so much this.

I use Bitwarden client apps with a self-hosted vault using Vaultwarden that is only accessible on my Tailscale network.

@jacob keepass has served me well for years!
@jacob Bump for BitWarden. Been using it for about 3 years and I love it.
@jacob Jfc ... the layers of failure. With this level of gross negligence I don't even trust their "zero knowledge" implementation. Thanks for the post, I'm switching immediately.
@jacob @hjhornbeck I currently use Enpass because it doesn’t require a subscription.
@heafnerj @jacob I’m a happy user of KeePassXC, myself!
@hjhornbeck @jacob Had never heard of that one before. Thanks!
@hjhornbeck @jacob It has an iOS client too. I need to look into this. Thank you!
@hjhornbeck @jacob To clarify, I now see there are several iOS clients for the KeePass ecosystem. Very interesting.

@heafnerj @jacob @hjhornbeck I was also a happy user of Enpass for a few years, after switching from 1password (poor cross platform support at the time).

But have a family account at Bitwarden these days.

Enpass had the best UX of any that I've tried, but they all change over time...

@jacob been a big fan of bitwarden for some time now. Super easy and gives a way for my wife and I to share passwords. Also gave us a good way to use different passwords for everything. I only recently noticed the username generator too.
@jacob I’ve never used LastPass... I used Enpass at first and then switched over to @bitwarden as I wanted to use an Open Source solution. I haven’t looked back since!
@jacob this really needed a Bernie Sanders meme attached to the toot 😂
@jacob I've been using @passbolt for years now and happy with it
@jacob I'm in the process of switching over to KeePassXC. If I'd known how bad LastPass was, I would have deleted my account ages ago 🙄

@jacob I switched to https://1password.com/ a couple of years ago - I think I chose them because they were the easiest to import data from eWallet.

To say I've been happy with it is an understatement. I'd say having unique, generated, 32-character random strings as my passwords for the hundreds of websites I have a profile on has very likely saved me from identity theft many times over.

[Link preview: "Password Manager & Extended Access Management | 1Password": "More than a password manager and leader in Extended Access Management. Secure all sign-ins to every application from any device with 1Password."]

@jacob I use AuthPass. You can get it in the FDroid store.

@jacob @aral your thoughts on #Enpass / https://enpass.io ?

Sure it's not #FLOSS like #KeePassXC / #KeePassDX, but it's sleek, allows 100% control over where stuff is stored and has a #TechIlliterate-friendly interface.

[Link preview: "Enpass: Secure Passkey & Password Manager That Keeps Your Data On Your Cloud Storage": "With Enpass, choose where your passwords and passkeys are secured and synced – on your personal or business clouds (or even offline). Not on our servers."]

@jacob

I use Google/Chrome Password Manager, probably worse than anything

@jacob I would recommend not using *any* password manager. Ever.
@jacob my biggest issues with 1Password are that Firefox addon development is clearly not a priority (lags significantly behind other releases), and its free/trial offering is pretty rubbish. Bitwarden solves both those problems, and also allows local hosting of vaults if you want (same as Keepass)
@jacob I use gopass but I realize it's not for everyone. It's great for teams, though.
@jacob
Password Safe is great!
@sossalemaire @jacob feared I was too out of touch to have my solution even mentioned as good or bad :D
@breadcentric @jacob @sossalemaire I've also been happy with Password Safe.
@jacob Do you have a good open source recommendation for mobile (Android, iOS)?
@jacob @janl keepass / KeepassXC should be higher on that list, IMO.

@jacob
@aral

I use nextcloud and keep my passwords to myself. Who ever got the idea sharing your passwords with a third party anyway?

@jacob the more I hear about lastpass, the happier I am I chose 1password.
@jacob I've happily been using #Dashlane for years! Works great across all devices.

@jacob

Not for everyone, but #KeepassXC supports keyfiles and so vaults can safely exist in the cloud, especially with iOS Advanced Data Protection.

Keep the vault synced with iCloud (etc), sync the keyfile 'offline' (AirDrop, Signal, etc) on at least two devices.

#StrongBox is the open-source, iOS equivalent, it can open the vault from the iCloud directory, and the keyfile from a local directory. Master password (something you know) + keyfile (something you have) = 2FA

#Lastpass

@yawnbox @jacob do you know if it'd be possible to use the YubiKey instead of the key file?

@jacob what makes 1password better than bitwarden?

Just curious as there's a fairly big difference in price for a family subscription.

@jacob not a single mention of PassBolt, interesting...
@jacob
Is there a good answer somewhere as to why on earth they had the URLs etc unencrypted in the first instance? That seems like a huge, huge red flag in and of itself.
@ialja

@jacob Very much this.
Also I tell people about diceware* pass-phrases. My family (wife, 2 x 70+ in-laws) are all using (different) 7-word diceware phrases, and all online accounts have random nonsense passwords and 2FA wherever it is supported.

Took a little social engineering and patience but they are all much happier and safer now. Also, shared passport details makes it easy to book flights!

* eg. https://diceware.nickschick.com/#alternative, or ideally five dice and a shoebox!
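For anyone curious what the diceware mechanics in the post above actually amount to, here is an added example (my own illustration, not code from this thread or from any diceware project). It maps a five-dice roll to a wordlist index the same way a printed diceware list does, parses the common "NNNNN<TAB>word" list format, and works out how many bits a 7-word passphrase carries compared with the 32-character random strings mentioned earlier in the thread. The wordlist it ships with is a constructed placeholder of 7776 synthetic tokens so the script runs offline; substitute a real list in the same format for actual use. Rolls come from the `secrets` module rather than `random`, which is the software stand-in for the five physical dice.

```python
"""Diceware helpers: five-dice rolls to a wordlist index, entropy estimates,
and a parser for the standard "rolls<TAB>word" list format (added example)."""
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries in a standard diceware list


def roll_dice(count=DICE_PER_WORD):
    """Roll `count` fair dice using the OS CSPRNG; each value is 1..6."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(count))


def rolls_to_index(rolls):
    """Map dice values (each 1..6) to a 0-based index 0..7775.

    The rolls are read as a base-6 number with digits 0..5, first die most
    significant, so the ordering matches a printed list sorted by roll."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"die value out of range: {r}")
        index = index * 6 + (r - 1)
    return index


def index_to_rolls(index, count=DICE_PER_WORD):
    """Inverse of rolls_to_index: 0..6**count-1 back to a tuple of dice values."""
    if not 0 <= index < 6 ** count:
        raise ValueError("index out of range")
    rolls = []
    for _ in range(count):
        index, digit = divmod(index, 6)
        rolls.append(digit + 1)
    return tuple(reversed(rolls))


def rolls_to_key(rolls):
    """Format rolls as the lookup key printed in diceware lists, e.g. "31526"."""
    return "".join(str(r) for r in rolls)


def parse_wordlist_text(text):
    """Parse 'NNNNN<whitespace>word' lines into a dict keyed by the roll string.

    Blank lines, comments and anything that is not exactly 'five dice digits
    then one word' are skipped rather than silently mis-keyed."""
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        key, word = parts
        if len(key) != DICE_PER_WORD or not set(key) <= set("123456"):
            continue
        words[key] = word
    return words


def entropy_bits(symbols, alphabet_size):
    """Entropy of `symbols` independent uniform picks from `alphabet_size` options.
    A 7-word pick from 7776 words is 7 * log2(7776), about 90.5 bits."""
    return symbols * math.log2(alphabet_size)


def words_needed(target_bits, list_size=LIST_SIZE):
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(wordlist, n_words=7):
    """Roll five dice per word and look each roll up in `wordlist`
    (a dict keyed by roll strings that covers all 7776 keys)."""
    chosen = []
    for _ in range(n_words):
        key = rolls_to_key(roll_dice())
        if key not in wordlist:
            raise ValueError(f"wordlist is missing key {key}; a full list has {LIST_SIZE} entries")
        chosen.append(wordlist[key])
    return " ".join(chosen)


# Constructed placeholder list so the module runs offline: every one of the
# 7776 keys maps to a synthetic token. Swap in a real diceware list for use.
PLACEHOLDER_WORDLIST = {rolls_to_key(index_to_rolls(i)): f"w{i:04d}" for i in range(LIST_SIZE)}

# Constructed excerpt in the standard list format, used to exercise the parser.
SAMPLE_LIST_TEXT = "11111\ta\n11112\ta&p\n\n11113\ta's\n# comment line\n11114\taa\n"

if __name__ == "__main__":
    print("7-word placeholder passphrase:", generate_passphrase(PLACEHOLDER_WORDLIST, 7))
    print("7 diceware words:", round(entropy_bits(7, LIST_SIZE), 1), "bits")
    print("32 random chars from a 62-symbol alphabet:", round(entropy_bits(32, 62), 1), "bits")
    print("words needed for 128 bits:", words_needed(128))
```

The entropy figure depends only on the list size and the word count, not on which words come up, which is why a "nonsense" 7-word phrase is as strong as any other 7-word phrase from the same list. It also shows the trade-off the post is making: 7 words is roughly 90 bits, comfortably beyond an offline brute force against a properly hashed vault, while the 32-character random strings used for individual site logins sit near 190 bits.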