科技回声

A tech news platform built on Next.js, providing global tech news and discussion.

Resource links: HackerNews API, original HackerNews, Next.js

© 2025 科技回声. All rights reserved.

Security Issues with LastPass on Android

63 points, by AbhyudayaSharma, almost 4 years ago

13 comments

yosito, almost 4 years ago
These aren't really novel security vulnerabilities or anything, just some common-sense things to be aware of so you don't shoot yourself in the foot: generated pronounceable passwords might not strictly follow the length that you set, don't paste your passwords into the address bar of a web view, and don't set a weak master password.
ahelwer, almost 4 years ago
After lastpass's recent policy changes around free multi-device use, I finally decided to switch password management services. I don't really mind spending like $10/year for password management but lastpass was slow/buggy/frustrating enough that I didn't want to pay for it.

The whole process took probably three minutes front-to-back. Lastpass lets you export your passwords in a CSV, which you then upload to any other service which automatically imports them. Very easy. If you're frustrated with lastpass I recommend the switch. Personally I chose Bitwarden because it's open source.
baldfat, almost 4 years ago
I personally have been using LastPass since it came out. I am much more secure than if I didn't use LastPass. A friend loved trying to break into my accounts for fun so I feel like I was a much more secure person just for stupid reasons. (It really was a game and nothing he did was nefarious.)

Companies that use password managers are infinitely better off with one than without. My co-workers would repeat their passwords and make them incredibly simple and easy for anyone to break with basic social hacking. My old company had the lowest level of tech skills and the company contracted their IT work and had the stupidest password policy. You just had to change one digit. So the joke was people would just +1 their passwords and they would know how long they worked there.

Repeated passwords are something people do because we all have hundreds of passwords if we don't have a password manager. Even I, with my paranoid ways, had several because I had to use a system that was based on the URL of what I was using.
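The "change one digit" policy in the comment above is the kind of rule a password-change endpoint can actually enforce against, since the user supplies the old password at change time. The following is an added example, not code from the thread or from any vendor: it rejects a new password that is the old one with only the trailing number bumped, that matches ignoring case, or that sits within a small edit distance of the old one. The distance threshold of 3 is an assumption.

```python
import re

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character insertions,
    deletions or substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (free if equal)
        prev = cur
    return prev[-1]

_TRAILING_DIGITS = re.compile(r"\d+$")

def strip_trailing_digits(pw: str) -> str:
    """'Summer2019' -> 'Summer'; a password that is all digits becomes ''."""
    return _TRAILING_DIGITS.sub("", pw)

def change_rejection_reasons(old: str, new: str, min_distance: int = 3) -> list[str]:
    """Return the reasons a password change from old to new should be refused.
    An empty list means the new password is not a trivial variant of the old one.
    min_distance is an assumed policy value: anything closer than that many edits
    is treated as the same password with cosmetic changes."""
    reasons: list[str] = []
    if new.lower() == old.lower():
        reasons.append("identical to old password (ignoring case)")
    elif strip_trailing_digits(new) == strip_trailing_digits(old):
        # Catches the '+1' pattern from the comment: Welcome1 -> Welcome2 -> Welcome3
        reasons.append("differs from old password only in a trailing number")
    elif edit_distance(old.lower(), new.lower()) < min_distance:
        reasons.append(f"too close to old password (edit distance < {min_distance})")
    return reasons

if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old, new in [("Summer2019", "Summer2020"), ("Tr0ub4dor", "Tr0ub4dor!"),
                     ("hunter2", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {change_rejection_reasons(old, new) or 'accepted'}")
```

The check only sees the two plaintexts at the moment of the change; it cannot retroactively detect increments against older passwords unless the server keeps a history, which it should only do as salted hashes compared by re-hashing the candidate.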
jfktn5ntkfl, almost 4 years ago
I'm more and more worried about a supply chain attack on LastPass/KeePass. To the point that I'm skittish about upgrading them.

It feels to me like we need someone with huge resources, like Microsoft/Google/Apple... to buy them and apply their methods against this attack.

For example, where are the binaries built? Who controls the accounts used to upload the installers? Do they regularly pay security teams to try to find vulnerabilities?

To be clear, I'm not worried about the code, but I'm very worried about the downloadable binaries.
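The concern above is about the artifact, not the source, and the one check an end user can run on a downloaded installer is to compare its digest against a value published out of band. The following is an added example, not code from the thread or from either project: it parses a sha256sum(1)-style manifest and reports each listed file as ok, mismatch or missing. The manifest and download contents are constructed sample data; the filenames are placeholders.

```python
import hashlib
import hmac

def parse_sha256sums(manifest: str) -> dict[str, str]:
    """Parse sha256sum(1)-style lines ('<64 hex digits>  <name>', or ' *<name>'
    for binary mode) into {name: expected_hex}. Malformed lines raise ValueError
    so a truncated or hand-edited manifest is never silently accepted."""
    expected: dict[str, str] = {}
    for raw in manifest.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            digest, name = line.split(None, 1)
        except ValueError:
            raise ValueError(f"malformed manifest line: {raw!r}") from None
        name = name.lstrip("*")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad SHA-256 digest for {name!r}")
        expected[name] = digest
    return expected

def manifest_is_wellformed(manifest: str) -> bool:
    try:
        parse_sha256sums(manifest)
        return True
    except ValueError:
        return False

def verify_files(manifest: str, files: dict[str, bytes]) -> dict[str, str]:
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every manifest entry.
    hmac.compare_digest keeps the comparison constant-time; it does not matter for
    a public digest, but it is the right habit wherever digests are compared."""
    results: dict[str, str] = {}
    for name, want in parse_sha256sums(manifest).items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
            continue
        got = hashlib.sha256(data).hexdigest()
        results[name] = "ok" if hmac.compare_digest(got, want) else "mismatch"
    return results

# Constructed sample data (not real release artifacts): the bytes the vendor hashed
# when it published the manifest, and what the download mirror actually handed us.
_PUBLISHED_INSTALLER = b"installer bytes as built by the vendor (constructed)"
_PUBLISHED_PORTABLE = b"portable zip as built by the vendor (constructed)"
SAMPLE_MANIFEST = "\n".join([
    "# constructed sha256sums manifest",
    f"{hashlib.sha256(_PUBLISHED_INSTALLER).hexdigest()}  pwmanager-setup.exe",
    f"{hashlib.sha256(_PUBLISHED_PORTABLE).hexdigest()} *pwmanager-portable.zip",
    f"{'0' * 64}  changelog.txt",
])
SAMPLE_DOWNLOADS = {
    "pwmanager-setup.exe": _PUBLISHED_INSTALLER + b"\x90\x90",  # bytes appended in transit
    "pwmanager-portable.zip": _PUBLISHED_PORTABLE,
}

def check_sample() -> dict[str, str]:
    return verify_files(SAMPLE_MANIFEST, SAMPLE_DOWNLOADS)

if __name__ == "__main__":
    for name, status in check_sample().items():
        print(f"{status:8s} {name}")
```

A digest fetched from the same server as the binary only detects corruption: whoever can replace the installer can replace the checksum file next to it. To cover the scenario in the comment, the expected value has to come from a channel the download server does not control, such as a detached signature checked against a signing key obtained earlier and pinned locally.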
batch12, almost 4 years ago
I dumped lastpass when they started forcing free accounts to choose between desktop and mobile. I had been considering paying for a family account, but trying to force me to do it by removing features was unacceptable. Because of this, lastpass will never see a dime from me and another company will have the opportunity to serve me.
mkl95, almost 4 years ago
I'm not into infosec, but trusting a password generator blindly seems like a dangerous practice. I always make sure to double check LastPass generated passwords and make them as long as possible. I only expect LastPass to remember my secrets and it does that just fine.
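Both yosito's point that a pronounceable password may come back shorter than requested and mkl95's habit of double-checking generated passwords come down to the same thing: verify what the generator returns before you save it. The following is an added example, not code from the thread or from LastPass: a policy check that reports length and character-class failures, an entropy upper bound that shows why a short or pattern-based password is weaker than its look suggests, and a generator that rejects any candidate failing its own check so it can never return fewer characters than asked for. The symbol set and the default minimum length of 20 are assumptions.

```python
import math
import secrets
import string

# Character classes a policy can require. The symbol set is an assumption; sites differ.
CLASSES: dict[str, frozenset[str]] = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset("!@#$%^&*()-_=+[]{};:,.<>?/"),
}
DEFAULT_REQUIRED = ("lower", "upper", "digit", "symbol")

def classes_present(pw: str) -> set[str]:
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}

def check_password(pw: str, min_length: int = 20, required=DEFAULT_REQUIRED) -> list[str]:
    """Return the policy failures for pw; an empty list means it passes.
    Run this on whatever a generator hands back, before storing it."""
    problems: list[str] = []
    if len(pw) < min_length:
        problems.append(f"length {len(pw)} < {min_length}")
    present = classes_present(pw)
    problems.extend(f"missing {name}" for name in required if name not in present)
    return problems

def alphabet_bits(pw: str) -> float:
    """Upper bound on entropy in bits, assuming every character was drawn uniformly
    from the union of the classes present. A pronounceable or pattern-based password
    has less than this; a shorter-than-requested one loses log2(alphabet) bits per
    missing character."""
    size = sum(len(CLASSES[name]) for name in classes_present(pw))
    return len(pw) * math.log2(size) if size else 0.0

def generate(length: int = 24, required=DEFAULT_REQUIRED) -> str:
    """Draw from the OS CSPRNG and reject any candidate that fails the policy, so the
    result always has exactly `length` characters and every required class.
    Rejection sampling keeps the distribution uniform over passing passwords."""
    if length < len(required):
        raise ValueError("length too short to contain every required class")
    pool = "".join(sorted(set().union(*(CLASSES[name] for name in required))))
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if not check_password(candidate, length, required):
            return candidate

if __name__ == "__main__":
    pw = generate(24)
    print(pw, f"{alphabet_bits(pw):.1f} bits", check_password(pw, 24) or "passes")
    # Constructed sample of a 'looks fine' password that fails the policy:
    print("Correct!Horse", check_password("Correct!Horse", 20))
```

The generator and the checker share one definition of the policy, which is the point: if the vault's generator is treated as a black box, the checker is the independent second opinion that catches a length or character-class shortfall before the password is in use.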
iamshs, almost 4 years ago
I do not like another Lastpass behaviour. If your laptop dies and you are logged into the web extension, upon restarting the browser session Lastpass straight away asks you for 2FA without asking for the master password. On top of that, if you do not log in to that 2FA instance but keep the tab open, it keeps the session alive for infinite time, and if your laptop dies again, upon restart you will now have 2 Lastpass 2FA windows open. And so on. It will let you log in through one of the 2FA tabs, until you change focus to the other 2FA tab; then your Lastpass will be logged out until you log in again through the tab in focus.
umvi, almost 4 years ago
I use algorithmic passwords. I have an algorithm that takes in several parameters and generates a unique password per service. For example, my algorithm `f` might be:

f(domain, secret_word, secret_sentence, rules)

= UPPER(KEY_TO_RIGHT(domain[0:3])) + secret_word + secret_sentence[LENGTH(domain)] + LENGTH(domain) + PAD_TO_20("X")

So if my secret word were "bottleneck" and my secret sentence were "It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife." my algorithm generates the following passwords:

google.com:

f("google", "bottleneck", "It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife.", rules)

password = "HPPbottleneckacknowledged,6"

(note that "HPP" are the letters on the keyboard shifted right from "GOO")

microsoft.com:

f("microsoft", "bottleneck", "It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife.", rules)

password = "ZOVbottlenecksingle9"

The "rules" parameter is because some sites have length restrictions, symbol restrictions, and you may have to truncate the password or replace symbols. Also in "rules" is how many times you've changed a given password. I store the "rules" in a google doc.

Anyway, the nice thing about this system is that the algorithm is in your brain and you can use it to generate the password for a given service without relying on a password manager. So theoretically if I got stranded in Europe as a tourist and my phone got stolen, I'd still be able to get into my accounts (assuming 2FA isn't enabled...).

Password managers definitely generate more secure passwords, but my goal isn't to be the most secure, it's to strike a balance between the things I care about (and I care about being able to get into my accounts if I somehow lose access to my password manager).
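The scheme above is fully specified by its two worked outputs, so it can be reconstructed and checked. The following is an added example, not the commenter's own code: it implements f as written and reproduces both passwords from the comment. Two details are inferred from those outputs rather than stated: the sentence is indexed by whitespace-separated word, 1-based ("google", length 6, yields the sixth word "acknowledged,"), and KEY_TO_RIGHT wraps around the keyboard row ("microsoft" gives "ZOV", which requires m at the end of the bottom row to map to z). US QWERTY letter rows are assumed; the "rules" parameter is not specified in the comment and is left out.

```python
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # assumption: US QWERTY letter rows

# Each letter -> the key to its right, wrapping at the end of the row (m -> z).
_RIGHT = {row[i]: row[(i + 1) % len(row)] for row in ROWS for i in range(len(row))}

def key_to_right(s: str) -> str:
    """Shift each letter one key to the right; characters that are not letters
    on these rows (digits, '-', '.') pass through unchanged."""
    return "".join(_RIGHT.get(c, c) for c in s.lower())

def pad_to_20(s: str, fill: str = "X") -> str:
    """Pad with `fill` up to 20 characters; longer strings are returned as-is."""
    return s + fill * max(0, 20 - len(s))

def f(domain: str, secret_word: str, secret_sentence: str) -> str:
    """UPPER(KEY_TO_RIGHT(domain[0:3])) + secret_word
       + secret_sentence[LENGTH(domain)] + LENGTH(domain), padded to 20.
    The sentence index is 1-based over whitespace-split words (inferred from the
    comment's outputs). Domains longer than the sentence has words are rejected
    rather than silently wrapped, since the comment does not say what happens then."""
    words = secret_sentence.split()
    n = len(domain)
    if n > len(words):
        raise ValueError("domain longer than the sentence has words")
    prefix = key_to_right(domain[:3]).upper()
    return pad_to_20(prefix + secret_word + words[n - 1] + str(n))

# The sentence and secret word from the comment (Austen, so not actually secret).
SENTENCE = ("It is a truth universally acknowledged, that a single man in possession "
            "of a good fortune, must be in want of a wife.")

if __name__ == "__main__":
    for domain in ("google", "microsoft", "hn"):
        print(f"{domain:10s} {f(domain, 'bottleneck', SENTENCE)}")
```

Running it makes the structure of every output visible: the first three characters are a fixed, public function of the domain, and the rest is the secret word followed by one word of the sentence and a digit. One password leaked from any single site therefore discloses the secret word and narrows the sentence, which is the property a randomly generated per-site password does not have.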
aneutron, almost 4 years ago
That's very interesting. I would love to read this student's paper once it comes out.
ncphil, almost 4 years ago
Bitwarden. With U2F keys and Authy on a mobile for backup.

Accept no substitutes.
bradgranath, almost 4 years ago
I've switched to self-hosting vaultwarden.
JCWasmx86, almost 4 years ago
Nice article. Love your website. Small, no bloat, how the entire internet should be.
2Gkashmiri, almost 4 years ago
Why can't people just use keepass and be done with it?