"rebuild their password database with a different service"
Export... import... done. It's really not that hard.
Bitwarden FTW. I switched from Lastpass 2 years ago.
Password manager LastPass has changed its terms and conditions to limit the free version of its code work on a single device type only per user, seemingly in an effort to force free folks into paying for its service. In a blog post, the developer's vice president of product management, Dan DeMichele, said the biz needed to “ …
Any password-saving service that you need to "log on" to is not a security solution. All you're doing is passing your idea of "security management" off to someone else, someone who actually presents a larger footprint as a target for hacking than just doing it yourself. One hack, boom, you plus millions of other users have *all* their passwords compromised.
Just say no. Your passwords should NEVER go beyond your device unless and until YOU ask for it, for local-only backup or import.
This may come as a bit of a surprise to you but you can manage passwords on your own devices. KeePassX does the job nicely. It will also generate passwords that look like line-noise so you can have unique passwords for each service. You need a sync mechanism. In my case it's a Pi running NextCloud.
KeePass supports three-factor protection alongside not leaving the boundary of devices you control.
Bitlocker (via TPM) means something you have
Biometrics to cover something you are (to unwrap EFS)
Master password to cover something you know
Given that this software is securing all of your credentials to everything else, I think it's worth having the best possible security. That means LastPass is out of the question.
Running your own BitWarden server would potentially make the above possible too though, as you could use your TPM backed with Windows biometrics for an MFA layer for authenticating. In fact, one could use "where you are located" as an additional authentication factor if one never stores a local cache of the keychain... so in that sense, one could make BitWarden run more securely than even KeePass.
I was using KeePass for a while, and while it is quite good (I still use it on a single device), I was getting frustrated by the manual synch I needed to do every time I updated my database to keep things working across many devices. Have moved to BitWarden a little over a year ago and have had no problems with it, mostly just seems to work and is still free. Not sure what the paid-for version might give you.
that said, there's nothing stopping them from removing some free features, say self-hosting, to push people towards payment... If this move works for KeePass, all other solutions will follow. In fact, ironically, the rest of the bunch should wait till keepass free users migrate to their own free services, AND THEN do the same. I'm evil :(
Like I say, no manual synch needed if you store the database on [One]Drive/Dropbox/(iCloud[?])/Other: it works seamlessly for me between devices. It's also cloud-agnostic, which can be useful if you decide you hate Google/Microsoft/Apple/Other and want to switch clouds/roll your own.
I put my tip of the hat to "Keepass2Android Password Safe" from "Phillip Crocoll (Croco Apps)". Interfaces with my fingerprint reader and auto-fills if asked. The way I have set it up I use it on my phone, tablet, laptop and my wife's phone, and I can add a password from any device, and I get the update everywhere.
Disclaimer: I am in no way associated with the Developer, this is just my opinion from personal use, your mileage may vary.
Started using mSecure on a Windows PC 10+ years ago; added an early iPhone, then switched to Mac desktop (iMac) and MacBook, later adding an iPad. Until recently, all were automagically synced via Dropbox; recently dropped Dropbox (m/c limitation for free account meant I could no longer use it as my default sync tool) and switched to iCloud. Yes, it keeps files in the cloud, but they’re encrypted and I doubt I’d be worth targeting. There is an option to use mSeven’s own servers, but I reckon one file amongst a morass of others is less of a target than a server pooling numerous encrypted stores.
mSecure rarely gets a mention in articles and reviews of password apps - it deserves a mention (though, personally, I’m happy they keep a lower profile as that makes them a less valuable target).
Same story. I don't have a problem with paying a reasonable amount for decent software (I even pay for good apps where payment is a voluntary donation like IrfanView).
IIRC LastPass used to have a one-device limit and I used to pay to use on mobile as well as laptop. Then they removed that limitation on the free version but increased the price on the paid version which I no longer needed now the free version did what I need. As a home user the price is now too high for multi-device so I'll have to move. How odd. If they'd kept things as they were a few years ago I'd continue with Lastpass and pay a reasonable amount.
Isn't it the same people that pigged off LogMeIn users a few years ago?
I think that this is a classic bait and switch ploy. They already know that most users will be using more than one device. The most likely result will be customers moving to another product. How long before they change their mind to allow two devices at least? Did they really think that all of their users would simply cough up?
Probably not all, but a percentage and that's all they care about, it doesn't affect the current paying base, so no revenue lost, so the percentage growth from the free base plus cost saved on the free base that pivot.
I mean, it's a shot in the foot for future customer acquisition in trade off for the gamble of turning some free customers now as people will no longer be recommending the product or trying it before they buy unlike the competitors.
But I suppose the market is small to start with, given it does what Google already does, so you have to be IT literate enough to not trust Google to store your passwords in chrome and CC details in pay, but not literate enough to know password managers are a bad idea (this last bit will probably not win me any friends).
"so you have to be [...] not literate enough to know password managers are a bad idea (this last bit will probably not win me any friends)."
Care to elaborate? Password managers are juicy targets, and thus they pose a risk to an attacker. Therefore, if you had said something like "Monolithic hosted password managers are a bad idea", I'd be behind you. However, you weren't that clear and if you meant that all password managers are a bad idea, I must disagree. A local password manager means people stop using the same password or multiple weak ones. That's so frequently an avenue for attack that it's probably worth doing something about it. If you have a reason they're a bad idea, you could lay out the details about why so we could debate them or agree and find a solution.
"you have to be IT literate enough to not trust Google to store your passwords in chrome and CC details in pay,"
As mentioned by another, my password manager uses local storage only. I paid for it, but there's no way I will ever pay a subscription for software. I actually have three different password managers on my mobile: the paid one I use, and two cloudy ones I evaluated for other people. I deleted a few evaluation ones as well.
"but not literate enough to know password managers are a bad idea"
Huh? I don't know that. Auuuuuuuggggggggggghhh!!!
My password manager has over 500 passwords, all strong and all unique. I even have some saved passwords belonging to friends and family, given to me in my unpaid support role, which I keep against the day their password system stops working for them, and I'm asked to help with *that*. (And theirs are typically neither strong nor unique, but I'm not fighting that battle.) So please enlighten me how I'm supposed to manage all those passwords without a password manager?
If they aren't paying customers, then they aren't losing anything. If they go to another product and don't like it, they are likely to come back as a paying customer.
From a business perspective they have challenged freeloaders to find something better or be a customer, or only leech a little - lol
Evernote has likewise been tightening the noose around its free service for years.
This kind of thing only really works when your software has a niche monopoly, though… since otherwise there are alternatives that offer similar feature sets including, in some cases, open source alternatives.
Well I suppose they have to make money somehow, although I must admit I was a bit startled to read about the way they're doing it this morning.
I've been using Lastpass for a good number of years now. I'm sure that I used to pay for the ability to use it on more than one computer back in the old days.
Having said that, it feels like a matter of principle to move when they break existing functionality and force you to pay to get it back, even though it's not a huge amount of money.
Maybe I'll check out Bitwarden, unless anyone has other suggestions.
So, I installed Bitwarden and it was easy to import my lastpass data and 2FA and it seems to work very nicely.
However the Import did screw up some of my bank account and social security numbers (by omitting some fields - it imported notes, but not bsb and account number, for example) so if you have that sort of thing stored, go and check that it’s all there before you kill lastpass off.
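A way to do the check the comment above recommends, added here as an example and not part of the original thread or of either product: reconcile the old export against the new one and list every value that did not survive the import. The column names in the constructed sample data are assumptions about the two CSV formats, not taken from the products' documentation, so adjust them to the headers in your own files.

```python
import csv
import io

# Constructed sample exports (no real credentials). The header names are
# assumptions about the source and destination CSV layouts.
SOURCE_CSV = """url,username,password,extra,name,grouping
https://bank.example,alice,pw1,"BSB: 123-456
Account: 98765432",Bank,Finance
https://social.example,alice@example.com,pw2,,Social,
"""

DEST_CSV = """folder,type,name,notes,login_uri,login_username,login_password
Finance,login,Bank,Account: 98765432,https://bank.example,alice,pw1
,login,Social,,https://social.example,alice@example.com,pw2
"""


def load(text: str) -> list[dict]:
    """Parse a CSV export into a list of row dicts (handles multi-line notes)."""
    return list(csv.DictReader(io.StringIO(text)))


def missing_values(source_rows: list[dict], dest_rows: list[dict], key: str = "name") -> dict:
    """Return {item name: [values present in the source but absent from the destination]}.

    Items are matched by the entry name. A source value counts as carried over if
    each of its lines appears somewhere in the matched destination row, so a
    multi-line note that was partially dropped is reported line by line rather
    than as a whole.
    """
    dest_by_name = {row[key]: row for row in dest_rows}
    report: dict[str, list[str]] = {}
    for row in source_rows:
        name = row[key]
        dest = dest_by_name.get(name)
        if dest is None:
            report[name] = ["<entire item missing>"]
            continue
        haystack = "\n".join(value for value in dest.values() if value)
        lost = []
        for column, value in row.items():
            if column == key or not value:
                continue
            for line in value.splitlines():
                line = line.strip()
                if line and line not in haystack:
                    lost.append(f"{column}: {line}")
        if lost:
            report[name] = lost
    return report


if __name__ == "__main__":
    for item, lost in missing_values(load(SOURCE_CSV), load(DEST_CSV)).items():
        print(f"{item}:")
        for entry in lost:
            print(f"  missing {entry}")
```

Run it against the two real exports (read them from files instead of the embedded strings) before deleting the old account; an empty report means every non-empty field made the trip. Remember that both CSV files are plaintext copies of every credential you own, so delete them securely once the comparison is done.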
Install f-droid and search for "password manager". The top two entries (according to most recently updated) are NC Password which interfaces with Nextcloud Passwords "Passwords is the most advanced password manager for Nextcloud and allows you to manage and store your passwords safely in your own cloud."
The other is KeePassDX which works with KeePass-format password entries, so you could use it with KeePass on your desktop. "KeePass is a free open source password manager, which helps you to manage your passwords in a secure way."
Saw this first thing this morning, did fifteen minutes of research, ended up on Bitwarden, so logged into LastPass, downloaded a CSV file of passwords, created a Bitwarden account, imported the LastPass export, installed clients on laptop, phone and iPad & set up multi-factor authentication, all in around 20 minutes. Stupidly easy. LastPass may be better, but not so much better that I am going to go reward this type of bait-and-switch approach. In this market, when switching is so easy, trying this type of manoeuvre is going to lose you a lot of support very quickly.
Yep. Did exactly the same. Ever since logmein took over IMO they seem to have put as little as possible into it and tried to milk as much as possible from it. I've no objection to paying for quality software and have many paid-for apps but paying a company with this kind of attitude to its customers - not a chance.
I still prefer my beloved PasswordSafe (https://pwsafe.org/). The encrypted database can be shared across devices (PCs, mobiles) via a simple copy or, if you can afford an extra risk, via MEGA or other (unencrypted) cloud storage like Google Drive or Dropbox. The program is available on all platforms including Linux (via a native client or a WINE one).
Another Password Safe/pwSafe user here. I use a combination of both via iCloud and Dropbox to sync various macOS, iOS and Win devices. I have no problems paying for the macOS/iOS clients. But $36 a year(!) to store some passwords for 2+ devices, that does sound a bit OTT.
I've always avoided LastPass as not only don't I trust their somewhat centralised model (and their suspect security) but also pretty much everything they touch seems to either turn to shit or shortly starts to cost a lot more...
I only have the LastPass phone app for the once-in-a-blue-moon-need-a-password-on-the-go events so this won't bother me too much.
I understand they need to make money from the service but I won't ever pay for it, I use it in part because it is free, so will move if the noose gets too tight.
A key principle in cloud is data mobility so as long as any service allows proper import/export this isn't a big deal.
That's when there is no free/cheap deal to start with (only advertised as such). And why does everyone have such a problem with paying for software, or a service? It's undoubtedly been worked on for a long time by many skilled people who deserve to be paid. Somewhere along the line we've all become over-entitled and expect everything to be free. We should pay for its value. I guess we could blame Google.
The whole point of an economy is to economise, as in, to reduce overall cost over time until the product/service is free. Trade is but one vehicle for lowering costs toward the goal of making a given class of product free. Sometimes, breakthroughs mean that entire classes of product go from expensive to essentially free overnight. Personal password management is one such example.
Some clever folks at Stanford invented a solution 15 years ago (called pwdhash) which is super effective, free and doesn't require any passwords to be stored electronically in the first place. It doesn't need any regular maintenance and the algorithm can run on a toaster these days. It has permanently resolved the problem of needing to remember different passwords for every service one uses, you just memorise one master password and that's it. Even if your computer breaks, you're peachy as long as you don't forget that one password. pwdhash clients have been implemented for just about every platform, for free and are easy to install and use.
So why should anybody pay for a password manager when this is a solved problem? Sure, the algorithm might want tweaking one day... but the problem at an individual level is solved.
Don't blame Google. Blame the economy for working as designed. Only sociopaths in suits try to prevent people from making things free as in both cost and freedom.
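The idea behind the comment above, a per-site password derived from one master secret plus the site's domain, illustrated as an added example that is not the original pwdhash code and not part of this thread. It deliberately departs from pwdhash in two ways that a defender would want: the derivation uses a slow KDF (PBKDF2) so that someone who obtains one derived password cannot cheaply brute-force a weak master offline, and a per-site counter lets one site's password be rotated after a breach without changing the master. The `site_key` normalisation (keep the last two host labels) is a simplification of registrable-domain extraction and is an assumption of this example.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Assumption of this example: collapse "login.example.com" and "www.example.com"
# to "example.com". Real registrable-domain handling needs a public suffix list
# (this rule is wrong for hosts like "example.co.uk").
def site_key(url: str) -> str:
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def derive_password(master: str, url: str, counter: int = 1, length: int = 20) -> str:
    """Derive a deterministic per-site password from the master password.

    Nothing is stored: the same (master, site, counter) always yields the same
    password. Bumping the counter for one site rotates only that site's password.
    PBKDF2 with a high iteration count is used instead of a fast hash so that a
    leaked derived password is expensive to work backwards from.
    """
    site = site_key(url)
    salt = f"{site}\x00{counter}".encode()
    digest = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations=200_000)
    body = base64.b64encode(digest).decode().rstrip("=")[: length - 2]
    # Many sites require a digit and a symbol; pick them from the digest so the
    # result still depends only on the inputs.
    return body + str(digest[0] % 10) + "!#$%&*+-?@"[digest[1] % 10]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for url in ("https://login.bank.example/auth", "bank.example", "https://shop.example"):
        print(f"{url:40} -> {derive_password(master, url)}")
    print("rotated:", derive_password(master, "bank.example", counter=2))
```

Two caveats follow directly from the scheme: the master password is the only secret, so its strength is everything, and (as a reply below points out) nothing here records usernames, URLs, or the current counter for each site, which still have to live somewhere. The per-site counter is also the only way to change a compromised password without touching the master, so losing track of which counter a site is on means losing access.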
I happened to notice LastPass was pre-installed on a new HP laptop I set up yesterday... anything that's part of the pre-installed bloatware package is seriously suspect in my view!
Personally I only really trust "pass" (passwordstore.org) as I can understand what it's doing. It's also minimalist and the most convenient password manager I've ever used. For situations where multiple people need to share password stores or widespread sync is required, bitwarden_rs seems to work well - I've never really felt comfortable with other people hosting my most sensitive data and self-hosting really isn't difficult.
The immediate problem with that is that it generates the passwords on the fly from data such as login ID. One function of KeePass and, presumably, others is to store not only the password but the login ID and maybe other needed information - such as the exact URL and other stuff such as answers to security questions.
Thankfully, developers now base logins on email addresses and/or phone numbers, obviating the need to use IDs/usernames. With webauthn on the rise and the ability for Secure Enclave and TPM-backed 2FA to be deployed, the only thing left to store is the URL.. which browsers have done for a very long time anyway. With PWAs, folks click on "apps" rather than navigate to URLs anyway.
Additionally, security questions are being phased out as a bad security practice in favour of multi-factor password reset mechanisms, such as requiring users to click a link in their email to then confirm an SMS code which has been sent to their phone.
"$3 a month (or $4 a month for the six-user family option)."
That's ridiculous. I can understand "buy four get two free", or even "every additional linked account is 50%", but 5 extra accounts for 1/15th the price of the first one seems rather like gouging individuals to me.
If they are really saying that 90% of their cost is in payment handling then they really need to work on a better way to handle payments.
No, they are guessing that only one person in a household will be clued up enough to want a password manager, but they can get that person to pay an extra 30% by allowing them to give it to significant other, children, parents, etc.
The price of something is what somebody will pay for it; not what it costs to produce.
I would dispute that; Bitwarden has very few restrictions around free users, and charge much more reasonable annual fees for the limited premium features (Mostly advanced 2FA and TOTP). Some users sign up for premium just to support the developers.
While on a feature checkbox it's not quite got everything LastPass has, there are very few things missing. And generally, Bitwarden executes the features it does have much better. When I left LastPass a few years ago, I didn't feel it had had any meaningful enhancements for years.
Lastpass is basically private equity trying to squeeze as much money as they can out of their users, hence price rises and policy changes...
You know that a product's death knell has been sounded once the private equity leeches jam their money funnels into it. Bleed it dry for short-term gain and leave some other poor bastard saddled with a mountain of debt to try to clean up the consequences. Fucking vampire capitalists.
I'm obviously in a tiny minority here, but I don't give my passwords to third parties to look after. I have a VeraCrypt folder on my encrypted hard drive that holds encrypted documents for each password along with any associated information such as account numbers etc. It is a minor faff opening the encrypted files in the encrypted VeraCrypt folder but only I have access to them.
The data is also backed up monthly to VeraCrypt encrypted USB sticks stored in my garage.
As for trivial stuff, such as my El Reg login, I just let Firefox store that.
I'm actually glad about this, I've used them for a number of years and think the service is great. It's always concerned me that even though I was relatively keen to pay there was literally no feature of premium I needed, so didn't pay. This way they're securing the company's future. All good with me. 23 quid a year is hardly going to break the bank for the value I place on their service.
No subscriptions for me, thanks. All these little subs add up. I will, however, happily pay for new versions of apps if they provide something useful. That doesn’t include paying for bug fixes: I bought something, if it’s buggy it needs fixing free of charge.
Paid-for version of 1Password (no subscription - they don’t make the download easy to find, though).
Mostly iCloud Keychain (free) is good enough for web passwords.
Affinity equivalents of Photoshop and Illustrator, very reasonably priced, no subscription.
"or $4 a month for the six-user family option"
Somehow that feels discriminatory toward larger families. I understand that creating an unlimited family-option might result in some fraud, but the same argument could be made regardless of the limit.
But hey, at least they didn't limit it to one child per family like World Population Balance advocates...
I'd happily give them money for a useful service if it seemed like they could get simple things right - I am constantly running into glitches in the UI that break buttons (most notably, if I have multiple logins for a single page in the Chrome extension, the buttons will move on mouse-over, making them impossible to click - a one-line CSS fix (injected using another Chrome extension) fixes it, fortunately... but the issue has persisted for 6 months and support will only acknowledge the issue and not resolve it) - unfortunately for LastPass this is a competitive market area and I'm happy to swap to another option rather than pay for a wobbly app that doesn't demonstrate value for money when considered as an annual 'service'.
Of course, he could've said:
"We're not a charity but a business. We employ people and contribute to local, regional and national economies, so really, we're good guys. Yes, yes, I know we're also Very Stupid Guys, too, to have paid more than we should've done for LastPass -- wowee, $4.3 billion, but hey, private equity firms exist on the basis of making lousy judgments and hoping to profit long-term from exponential growth and exponential profits. That such ain't happening where we are is hardly our fault. $4.3 beeellion has gone down the tube with nothing to show for it. So, c'mon peeps, time to open your wallets: pay us a ridiculous amount per month or that's it, we'll bugger up your life."
To which the response could / should be: "Hey Dan. All this crap about 'adapting offerings to keep up with an ever evolving digital world' but absolutely no mention of pricing and exorbitant monthly fees? Well, there's an outfit called Sticky Password which works pretty well, and every few months or so runs a special offer for lifetime subscriptions that's far greater value for money than LastPass with its grubby monthly charges. Just thought you might like to know."
Biting the hand that feeds IT © 1998–2022