Should you be concerned about LastPass uploading your passwords to its server?

391 points, by arthurfm, about 6 years ago

38 comments

jzl, about 6 years ago
The threat scenario described by the article: If someone within LastPass wanted to gain access to your passwords (e.g. rogue employees, or via court order) there is a way that the extension could be made to upload your vault key back to LP *if* you click on certain things within the extension, namely some parts of the preferences, or something like that. Any such change would be publicly detectable, but could theoretically be targeted to avoid widespread notice. So in other words, the vault itself is not fundamentally flawed, but the design of the current extension doesn't proactively firewall against LastPass turning into a bad actor.

My $.02: Given that all the cloud-based password managers have their own phone (and even desktop) apps, this seems like a moot point since a bad actor could push out an app update that does anything with your keys anyway.

As a long-time LastPass user I appreciate this kind of analysis, but this is just not something I have enough cycles in the day to let bother me. BTW the last time I opened my preferences was 3 years ago. LastPass is quite open to scrutiny and what's important is how responsive they are to new findings -- very responsive, from everything I've ever seen. Including many findings from the author of the article.

By far the biggest problem with LastPass is that it sometimes just doesn't apply (or misapplies) the password or username to the appropriate form entries, and I have to go find it and copy it. Occasionally it also misses the saving of a new password (that it generated) and I have to put it in the vault by hand. I suspect this is a really hard problem given the massive variety of forms out there, but would be curious to hear if other password managers *never* have these issues.
gcommer, about 6 years ago
I recently made the switch from LP to bitwarden and have been incredibly happy about it. I can self host everything + the autofill and UI polish (browser extensions, mobile app, CLI) is much better. AND it's FLOSS ((A)GPLv3).

Even including the self hosting setup, my all-in migration time was <30 minutes.

I looked through a ton of other options like keepass and the author's own PfP. But mobile, web, and yubikey support are all very important requirements for me.
pinjiz, about 6 years ago
Password managers like LastPass and 1Password have a significant advantage over offline database tools like KeePass: You can easily share individual passwords with your co-workers in a somewhat secure way.

KeePass for instance lacks the ability to do just that. You can either a) share the entire database or b) use multiple databases with different passwords. However, a) is not secure as your co-workers get access to passwords they do not need and b) is very inconvenient.

LastPass (or 1Password, Bitwarden) makes sharing individual passwords within your team very easy, convenient and secure enough. You can create shared folders and define permissions to access those by certain members of your team, and most importantly, deny access to other members. Is there any offline based password manager that allows you to do that (and is usable by the average Joe)?
grewil2, about 6 years ago
I am using pass - the standard unix password manager. It's simple and just works. It's built on gpg and git, and resides on any disk you like.

https://www.passwordstore.org/
astrodust, about 6 years ago
LastPass is just so damned ugly and terrible to use compared to well crafted products like 1Password.

It's like the phpMyAdmin of password storage.
pimeys, about 6 years ago
I use KeepassXC which I sync to my home NAS from two computers and my phone. Keepass DX is the best Android app I've found and it supports opening the database with your fingerprint.

I don't see the fuss here about needing to have a browser extension. When a site asks me to login every now and then, I'm ok with opening the app and copying the password.
zumzumzum, about 6 years ago
Just a little PSA, 1Password7 lets you run entirely on local vault files. I have a NAS at home (Synology, but you could use whatever) to sync that vault file between it and all my devices, mobile included, only on wifi. I subscribe to 1Password's monthly model with the cloud services, but I just don't use any of them, and they have settings on every client which let you choose the default vault for saving, and I just use the local one. Best in class apps, local password storage only. Best of both worlds, unless there is some angle I'm missing.
Razengan, about 6 years ago
I've only ever used Apple's iCloud Keychain [0]. It has always worked great, and seems to have good security in order to enable; it asks for the local login password that you signed onto one of your other devices with, but it feels scarily easy to see ALL your passwords in plaintext with just a single Face ID authentication.

I'd be more comfortable with bio-authenticating per password (though that might use more battery) and preferably asking for the password/code if you look up more than 5 passwords too quickly, but I'd rather have to trust a big company than a smaller third-party that gets acquired and sold around.

What are the advantages of LastPass and other password managers over iCloud Keychain?

[0] https://support.apple.com/en-ae/HT204085
dbg31415, about 6 years ago
All the hate towards LastPass... but man, there are so many great tools with LastPass that the other services simply don't have yet.

Given I haven't looked into it in a year or so... but the Dead Man's Switch alone makes it worthwhile for me. My lawyer has this, and 30 days after I kick it he can go in and delete all my accounts.

Sharing passwords with a team, it's really helpful. Being able to share access, but not the password itself... really nice feature.

The password audit, showing me how old my passwords are, or which ones are weak... it's nice to have a sanity check on all this stuff.

Anyway, been on LastPass for a decade or so... tried a few others, always find myself back with LastPass since the others don't quite have all the features I want.
ubermonkey, about 6 years ago
I know it's probably simplistic, but I'm horrified by the shift in the password vault market from local control and security to this cloud-based model. Even my choice, 1Password, has gotten on board - though it's still possible to store locally and avoid their sync, thank goodness.
woile, about 6 years ago
I use gopass. It's like an extension of pass. The difference is that it has support for multiple stores. And you can add different people to the stores and synchronize each store with git. I wrote a tutorial and a cheatsheet (mostly for me)

http://woile.github.io/posts/sharing-team-secrets/
vishwasanand, about 6 years ago
Wonderful article. We were also working on a similar issue. One way could be, instead of using a symmetric key (probably stored in the browser - hence not safe) to encrypt passwords before sending them to the LastPass server, they could have used an asymmetric cryptosystem. A solution similar to this can be very helpful in this case: https://www.youtube.com/watch?v=Slhwunm4oT0&feature=youtu.be Notice the private key never leaves the mobile device and hence the client does not have to trust the LastPass browser client.
JumpCrisscross, about 6 years ago
What password manager does tptacek use?
mythrwy, about 6 years ago
Why take chances or add complications?

https://www.passwordstore.org/

Keep it simple, keep it local, keep it CLI.
cik, about 6 years ago
I store everything in a Keepass. I maintain that keepass on a SpiderOak Hive that syncs between multiple machines, and mobile. The password for SpiderOak is not one I know - it's in my password safe *and* written on paper in a safety deposit box.

The password for my password safe is one of three passwords I know: unlocking my root partition, my desktop account passwords, and this.

I have infinitely more faith in something whose encryption is zero knowledge with multiple tiers, as opposed to LastPass. I'll never understand the notion of password as a service being an acceptable risk.
systematical, about 6 years ago
I assume last pass will be hacked someday. And when it is that person will have my Reddit, Hacker news, amazon etc. But not my email or financials. I store super important items to human memory only. For many accounts like my github they will have to defeat two factor authentication. I hope people keep polling password managers for exploits to make it more secure. I know it's not perfect. I understand the risk-reward.
yinyang_in, about 6 years ago
I never got comfortable with lastpass or 1password, I usually find enpass in the middle ground. They don't have a recurring cost to maintain a webserver and security.

For me the ideal is keepass but I once got db corruption when syncing with a dropbox-like service. Hence I went with enpass which allows me to sync passwords across devices and encrypt with a keyfile and master password like in keepass.
FullyFunctional, about 6 years ago
For me, cross platform, offline access, and good UI are paramount. LP checks all that but random scripts on a Linux command line don't even remotely cut it.

Firefox's password safe comes close it seems, but I haven't read too many opinions about it.
izzydata, about 6 years ago
Isn't the goal of password managers like LastPass convenience at the cost of security? They might take security as seriously as they can, but it is ultimately less secure than memorizing dozens of unique passwords if you could.
hello_tyler, about 6 years ago
Since no company is totally secure, of course you should be concerned. I would never use a cloud based system even if it is more convenient. I'll stick with local keepass backups thankyouverymuch. Though I suppose if I was a real target I would trust LastPass before my own security.
rdl, about 6 years ago
I never really trust a binary provided by someone which also talks to a server operated by the same entity. There is no way for me to audit an arbitrary binary (or application with source, in any reasonable way), particularly since it is regularly updated on both ends.
dontbenebby, about 6 years ago
As a die hard linux geek, why does the PW manager have to handle cloud storage?

I use keepass + spideroak to sync.

Keeps things simpler, IMHO. Maybe slightly more effort to log into things but I value having control and simplicity in my workflow.
jonathanstrange, about 6 years ago
I use my own password manager and would not trust many proprietary third-party developers to get things right. Most of them have a long history of failures.

It's safer to self-host and store encrypted backups elsewhere for integrity. If you're not familiar with encryption or cryptanalysis, then you can use some open source encryption programs and a text file on an encrypted partition. That's a thousand times more secure than any proprietary online password manager.

For some passwords it is also more secure to keep them in plaintext on physically secured notes. It depends on the threat scenario.
Spooky23, about 6 years ago
You should always be concerned about giving private information to third parties.

The integrity of that information is only protected by your contract and the law.
ploped, about 6 years ago
Curious about your thoughts on the macOS keychain app? Is it a better solution than Lastpass or any other password manager?
djhworld, about 6 years ago
I subscribe to 1password where your data is synced to their servers.

I'm not sure if this is a good idea now that I've read this...
squegles, about 6 years ago
Wow, I was thinking about this just yesterday. LastPass should offer some kind of self hosted version for businesses.
godzillabrennus, about 6 years ago
I've been using Lastpass for years. It's not as unique as it once was but it's still good.

Anecdotally, Joe Siegrist personally emailed me when I launched my first SaaS product to say he liked it. That felt great.

Sucks that Logmein bought it (horrible company who hates their customers) but glad he got a win out of that business for himself.
Kiro, about 6 years ago
Am I the only one who uses Google's built-in password manager?
ronnier, about 6 years ago
I am. So I don't use it.
kome, about 6 years ago
I never used a password manager, call me paranoid, but giving my password to a third-party (often not free software) for me is just pure madness.
Deestan, about 6 years ago
So given the requirement to access passwords across multiple devices, what alternatives exist that stand up to similar scrutiny?

Ease-of-use and "looks pleasant" be damned, just security-wise. https://www.xkcd.com/937/
auslander, about 6 years ago
I use KeepassXC, sync the DB via file syncing, no 3rd party servers to trust.
edoo, about 6 years ago
If you can login to a browser and use the one password they can reset on a whim to pull your passwords then it is all in their hands anyway.
Causality1, about 6 years ago
I've never trusted password managers. I write the unique portions of my passwords in a notepad and combine those with a common but unwritten alphanumeric sequence to form my full passwords.
Phenix88be, about 6 years ago
I don't understand how people could use LastPass or any company that provides a cloud password manager.

Any password uploaded to a server you don't control should be considered disclosed. They can say whatever they want about their encryption pipeline, even release it as open source software, you can't be 100% certain that they run it unmodified.

You simply can't trust a company (that wants to make a profit at any cost, like all companies) with profitable data (like your login/password). One day someone will sell them.
mnm1, about 6 years ago
I wouldn't trust any password service that uploads my data anywhere, with or without the key (though especially with the key like here). I wouldn't trust it if it uploaded the password data to Dropbox or any similar service under an account I own. Even if the data is encrypted, someone can get access to it and work on decrypting it offline. That's simply too big of a risk considering the power of state actors, although I assume state actors would just get the data directly from each website and not need my passwords. Still, can't assume anything about any adversary. Others could certainly be capable of cracking an encrypted file offline.
zncoder, about 6 years ago
LastPass is hard to use for me, so I wrote my own,

https://addons.mozilla.org/en-US/firefox/addon/passcell/ https://chrome.google.com/webstore/detail/passcell/mjbndaapnghbmikhgjnbljiimmdhobdm?utm_source=chrome-ntp-icon

All encryption/decryption is done inside the browser, as you can verify from the source code, https://github.com/zncoder/passcell.