back to article 1Password has none, KeePass has none... So why are there seven embedded trackers in the LastPass Android app?

A security researcher has recommended against using the LastPass password manager Android app after noting seven embedded trackers. The software's maker says users can opt out if they want. German infosec bod Mike Kuketz spotted LastPass's trackers in analysis produced by Exodus, which describes itself as "a non-profit …

  1. Claptrap314 Silver badge

    Privacys is an "advanced option".

    ... Welp. ....

    1. jonathan keith

      Re: Privacys is an "advanced option".

      Sounds like they sadly missed the opportunity to add a "Beware of the Leopard. Are you sure you don't want to proceed? Y/N" pop-up in the sequence.

    2. teknopaul

      Re: Privacys is an "advanced option".

      privacy is illegal. anon apps are not allowed in most jurisdictions. the login page is a tracker.

      if you install it on a phone its not private, if it goes over the Internet it's not private. end to end encryption is a myth, it means encryption in the middle, they pwnd your phone. you don't even have root on your own phone ffs. somebody does and they see everything they want to.

      1. Version 1.0 Silver badge

        Re: Privacys is an "advanced option".

        LOL - 18 downvotes illustrates the problem - teknopaul, nobody realizes that you are pulling their leg, they just think that if Android says it check the app then it must be "OK" ...

        It is, it's OK for Google because it's passing on the information.

  2. gollum1
    Mushroom

    Not in my settings!

    All LastPass users, regardless of browser or device, are given the option to opt-out of these analytics in their LastPass Privacy Settings, located in their account here: Account Settings > Show Advanced Settings > Privacy

    Well in my version of Lastpass in Firefox on OS X there is no such setting!!

    1. Quando

      Re: Not in my settings!

      Not in iOS app either

    2. hitmouse

      Re: Not in my settings!

      Not in Chrome Windows nor Android app.

    3. hitmouse

      Re: Not in my settings!

      In one of LastPass' numerous UI design fails, there is also (from the browser)

      Security Dashboard -> Account Settings . A dialog comes up with a "Show Advanced Settings" button at the bottom. Click that and scroll down to the bottom, where there is a Privacy section with two checkboxes:

      * Keep track of Login and Form Fill History

      * Send anonymous reporting data

      This is different to what you get from the Account Options menu on the browser add-in, and also to the Advanced Options on the Security Dashboard

      The Security Dashboard is just a clusterf*** of poor design that this latest news and the imminent expiry of my LastPass Premium subscription has motivated me to move to another product.

      1. John Brown (no body) Silver badge

        Re: Not in my settings!

        The Security Dashboard is just a clusterf*** of poor dark method design so they can say the option is there while doing everything they can to make sure most people never find it

    4. PTW
      Facepalm

      Re: Not in my settings!

      You have to login to lastpass.com

    5. This post has been deleted by its author

  3. Unbelievable!
    Unhappy

    The more doors, the more locks, the more vulnerabilities.

    Seriously, security software should be just that. Nothing extra or sponsored by any party.

    For each corp

    have own agenda and policies and skills.

    Next

  4. elDog

    KeyPass as an alternative? Are you sure you didn't mean KeePass?

    There was a product many years ago that was called KeyPass. Don't think it is still alive.

    KeePass is open source, well maintained, has versions that run on all major platforms (well, perhaps not CPM-80).

    1. bpfh

      Re: KeyPass as an alternative? Are you sure you didn't mean KeePass?

      Only problem was keeping all my devices in synch between several OS on several laptops plus a mobile phone was a pain in the butt, especially if you have to add a password to your iPhone.

      In any case time to give 1password a look. If I’m paying for a service (and I am paying for a family subscription of LastPass), it should not have any 3rd party trackers in it at all!

      1. MiguelC Silver badge

        Re: "Only problem was keeping all my devices in synch"

        Just use a cloud service to keep the KeePass DB and use it on all devices, works without a hitch and KeePass even offers to merge the changes when you make them on different copies of the DB

        1. Pierre 1970

          Re: "Only problem was keeping all my devices in synch"

          yeah.... When I'd finally decided to use a password vault, I've faced the problem of accesing and synching from multiple devices. Google Drive (because is there for free) work like a charm between my both PC and phones.

          (using KeePassDX in the phones downloaded from Druidics, not from GooglePlay)

          1. Adelio

            Re: "Only problem was keeping all my devices in synch"

            Just the thought of storing all my passwords in the "cloud" sends shivers down my spine.

            Why would i do that?

            Keep it local, always

            1. An ominous cow herd

              Re: "Only problem was keeping all my devices in synch"

              security, functionality, ease-of-use: choose two (at most)

            2. Hubert Cumberdale Silver badge

              Re: "Only problem was keeping all my devices in synch"

              Keeping a password database in the cloud is not a problem if it's only decrypted locally. I use KeePassXC, syncing the database via $cloudprovider, and it makes cross-device sync completely seamless. Of course, security should be in layers and all that, and I wouldn't go posting the database for just anyone to download, but to a certain extent I don't actually care who gets to see it, because it's 256-bit AES encrypted with a very strong password. Not impossible to break, but hard enough that I don't think it likely that anyone with any sense will even bother trying.

            3. mdubash

              Re: "Only problem was keeping all my devices in synch"

              KeePass allows you to use 2FA. Keep the key file separate and secret - and the database is encrypted until you ring the two together with our master password.

            4. Alpine Hermit

              Re: "Only problem was keeping all my devices in synch"

              Sticky Password gives a choice of syncing via the cloud or just over a local network. When I used it, the local sync didn't work sometimes, but networking is something that has always defeated my brain and I'm sure that proper techies wouldn't be as easily defeated as I was.

              I also went bak to Last Pass. Various password managers I've used over the years struggled with autofill or even recognising the password fields, and especially on sub-domains vs domains, but LP has been by far the best at this in my experience although it's not 100%. I shudder at the cost of LP, although it's paid by my business. Think I'll give Bitwarden a look before my renewal is up.

        2. Max Pyat

          Re: "Only problem was keeping all my devices in synch"

          Yes, lots of options.

          I have a git repository on my local network, and keep the encrypted keepass file in that.

          Then when I'm at home with phone, I can run a one liner in termux to synchronise the phone's git repository with the local server. Ditto for laptop and desktop.

          The restriction is that you really should only edit on one device, as there's no way (obviously) to merge changes made in parallel via the version control system given it's a binary file. But on flip side, I don't move file to uncontrolled cloud services.

    2. diodesign (Written by Reg staff) Silver badge

      Re: KeyPass as an alternative? Are you sure you didn't mean KeePass?

      Yes, yes, see the note at the end of the article: we meant KeePass. Though KeyPass does exist and also has no trackers, I'm told.

      Don't forget to email corrections@theregister.com if you spot anything that looks wrong, please, so we can fix it immediately.

      C.

      1. An ominous cow herd

        Re: KeyPass as an alternative? Are you sure you didn't mean KeePass?

        What? And lose Reg Forums creds? No way! ;)

    3. cipnt

      Re: KeyPass as an alternative? Are you sure you didn't mean KeePass?

      KeePass is great - I love MacPass implementation for macOS

      1. Anonymous Coward
        Anonymous Coward

        Re: KeyPass as an alternative? Are you sure you didn't mean KeePass?

        "KeePass is great - I love MacPass implementation for macOS"

        Indeed.

        KeePass is also in the Linux repositories:

        (sudo apt install keepass2)

        1. PerlyKing
          Linux

          Re: KeePass implementations

          Also KeePassXC.

          This is about my only "criticism" of KeePass - there are several implementations to choose from. Which is a nice problem to have :-) I'm using KeePassXC on Kubuntu and Keepass2Android Offline on Android.

          1. krivine

            Re: KeePass implementations

            KeepassXC here too, with Syncthing to - well, keep in sync locally.

          2. NonSSL-Login

            Re: KeePass implementations

            KeePassXC is great for linux and KeePassDX on android is a good pairing with it as both support v4 databases with the different encryption options which many other versions don't.

    4. Anonymous Coward
      Thumb Up

      Re: KeyPass as an alternative? Are you sure you didn't mean KeePass?

      "perhaps not CPM-80"

      But it does have ports for Palm and Windows Phone.

      I use it not just for passwords but also for credit cards, bank and brokerage accounts, and various lists of information that I want to be secure.

      It is the second thing I install on a new PC or phone (after Dropbox which is where KeePass keeps my database).

    5. itzumee
      Happy

      Re: KeyPass as an alternative? Are you sure you didn't mean KeePass?

      You mean there's a CPM-86 version? Well I never...

      1. Zippy´s Sausage Factory
        Thumb Up

        Re: KeyPass as an alternative? Are you sure you didn't mean KeePass?

        Ah I remember CP/M. Now I'm off to sit in a corner and cry nostalgic tears while clutching my WordStar manual tightly...

        1. CAPS LOCK

          "WordStar" - Dont forget...

          ... Supercalc and dBase II

        2. bpfh

          Re: KeyPass as an alternative? Are you sure you didn't mean KeePass?

          I have a copy of wordstar - v3 iirc. Last run on an OS/2 Warp vm of DOS 1.2 - if the floppy disk still works!!!

  5. bombastic bob Silver badge
    Unhappy

    The company says users can opt out if they want.

    The company says users can opt out if they want.

    Read: "It's in there somewhere, just search if you really want it"

    or "Most users won't care anyway so it doesn't matter it YOU shut it off"

    or "Good luck figuring out which magic buttons to press, Muahahahaha!"

    or something else that's equally arrogant and/or condescending.

    Tracking should be OPT IN or NOTHING. no exceptions.

    1. Falmari Silver badge
      Stop

      Re: The company says users can opt out if they want.

      Tracking should not be allowed no exceptions.

    2. JassMan

      Re: The company says users can opt out if they want.

      "Tracking should be OPT IN or NOTHING. no exceptions."

      Tracking MUST be OPT IN or NOTHING. no exceptions. FTFY

      Under GDPR and the UK equivalent, all cookie options must be opt-in. Opt-out is not acceptable.

      1. Chris G

        Re: The company says users can opt out if they want.

        "Under GDPR and the UK equivalent, all cookie options must be opt-in. "

        Which makes me wonder why so many European and UK sites still have only the blarb that says you can change options in your browser. It's about time, if Europe and the UK are serious about their legislation, that they had a simple reporting system for sites that don't comply with the regs.

        1. Anonymous Coward
          Anonymous Coward

          Re: The company says users can opt out if they want.

          if Europe and the UK are serious about their legislation

          What on earth made you think that the UK was, in any way, serious about this?

          The aim is that, like in a certain country some hours west of here, to teach you that you have no rights. You have no rights to security, to privacy or even to what you buy. The only right you have is to give money to corporations. Any other restrictions are red tape that the government is giving itself the right to sweep away!

      2. nematoad Silver badge
        Unhappy

        Re: The company says users can opt out if they want.

        "...all cookie options must be opt-in."

        Try telling that to Google and its Youtube tentacle. There it's opt-out and the bastards even sneak in one for Doubleclick but somehow forget to mention it.

        I was mulling over whether I should report this to the ICO but having been fobbed off in the past I have hesitated. I might give them a buzz and see if I can get any joy this time.

        1. A.P. Veening Silver badge

          Re: The company says users can opt out if they want.

          the bastards even sneak in one for Doubleclick but somehow forget to mention it.

          Doubleclick isn't really important (to me), I still have it in my hosts file from before I started using a Pi-Hole (where it is also blocked).

      3. TDog

        FTFY

        For some stupid reason this was one that I had forgotten. Given the context I assumed it meant Fuck This, Fuck You.

        Oh well, finding out was a bit disappointing.

    3. DryBones
      Holmes

      Re: The company says users can opt out if they want.

      So, important question. Has anyone ever verified that the opt out actually does anything?

      Might be just a check box with a null action, if you look at the server where it points...

  6. Inventor of the Marmite Laser Silver badge

    No, no, no.

    In that order

    1. A.P. Veening Silver badge

      You seem to have forgotten (or left out) "NO" ;)

      1. Adair Silver badge

        And, my personal favourite: Nooooooooooooooooooooooooooooooooooooooooooooooo!

  7. PJ H
    Meh

    > "All LastPass users, regardless of browser or device, are given the option to opt-out of these analytics in their LastPass Privacy Settings, located..."

    ..next the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard.

    It's hardly discoverable, if people are unaware of it to begin with, is it?

  8. Danny 2

    Lockdown cabin fever

    Just before my dad was diagnosed with dementia he kept forgetting all his passwords so I set him up with a password keeper so he'd only have to remember one. He instantly forgot it, and also forgot where he'd written it down.

    On the upside we got a bottle of pink gin delivered six months ago but it came with one of those magnetic security seals on it. We got the price discounted but it has been mocking my engineering skills since then. YouTube videos are out of date, here is what I did to get to the nectar. I cut a couple of millimetres on either side of the metal bolts, and then I pulled like fuck. Brute force attack, literally. Wouldn't work in-store, somebody would notice, but fine in your house.

  9. blackpearl1477

    Just justified the reason to leave.

    First of all this is a back stab move from Last pass!

    Few months ago I became committed to move all my passwords from google to Last pass and just before I heard the news for use on one device I was considering the family pass account.

    Now this nonsense with tracking is totally not what I expected. Especially for my kids! They should not and may not be tracked when under aged! (EU law)

    Sorry last pass you just lost a potential paying customer!! I'm leaving!!

    1. doublelayer Silver badge

      Re: Just justified the reason to leave.

      If you're in the EU, report them to the local data protection authority before you leave. This pressure could do something about that.

    2. itzumee

      Re: Just justified the reason to leave.

      As a long time 1Password user, I can recommend it

      1. blackpearl1477

        Re: Just justified the reason to leave.

        I would if I know where to do that. But I'm still leaving because it won't be solved before the 16th.

        I'm going to bitwarden.

  10. bryces666

    moving company now.

    After the price increase earlier I moved my personal lastpass over to bitwarden. Now with this revelation I'll be moving the entire companies lastpass over to something else.

  11. fidodogbreath

    I would expect nothing less. LastPass is owned by LogMeIn, which is a garbage, customer-hostile company. Literally the day the LMI acquisition was announced, but before it had closed, I switched to a different password manager and deleted my (paid) LastPass account.

    @#$% LogMeIn.

    1. pc-fluesterer.info
      Flame

      LogMeIn is owned by - uhm - Private Equity

      https://www.globenewswire.com/news-release/2020/08/31/2086214/0/en/Francisco-Partners-and-Evergreen-Coast-Capital-Complete-Acquisition-of-LogMeIn.html

  12. UBF

    Congrats to El Reg

    Exemplary journalism: just the facts and their implications, no sensationalism, no clickbaits, the truth, all the truth and nothing but the truth. I regret you don't belong to Europe anymore, is it perhaps time to move to e.g. Netherlands or Greece?

    1. Old Tom

      Re: Congrats to El Reg

      I'm pretty sure that El Reg is still in Europe.

  13. demon driver

    Bitwarden does not track

    Translation from a recent post on golem.de:

    ==========

    They only use App Center to get crash reports and Firebase only uses the notification API for push notifications. It's not enough to look at what frameworks an app uses with some rubbish tool, you also have to look at what exactly it does with it, and anyone can do that, because Bitwarden is open source and anyone can convince themselves that nothing is tracked there:

    Q: What third-party scripts, libraries, and services are used?

    A: Currently, we load third-party payment scripts from Stripe and PayPal on payment pages in the Web Vault. In the mobile app, the Firebase script is used for push notifications. The HockeyApp is used for crash reporting. Please note, Firebase and HockeyApp are removed completely from the F-Droid build if you are interested in using that option. Turning off push notifications on a Bitwarden server will disable using the push relay server if you want to self-host.

    https://bitwarden.com/help/article/security-faqs/

    1. iron

      Re: Bitwarden does not track

      > It's not enough to look at what frameworks an app uses with some rubbish tool

      Exactly and I wish some of these security "experts" that I've invariably never heard of before would understand that. Really they should work as devs before moving into security in order to understand how software works.

      For example: "Even the app developers do not know what data is collected and transmitted to the third-party providers, said Kuketz" - Bullshit. I know exactly what data is collected and transmitted to third-party services by my apps. If a service does not tell me what data it can collect and provide me control over what is collected then I won't use it. If I use analytics in an app I know exactly what is being sent.

      I'm not saying he's wrong about LastPass but you can't just assume that because an app uses a particular analytics service that it is sending everything about you to them. And, assuming the devs don't have a clue what their software is doing is insulting.

    2. hayzoos

      Re: Bitwarden does not track

      I checked this aspect out when I switched to Bitwarden. With this news, I re-examined the situation. I did change to the F-Droid build to avoid the third-party code.

      Not the best solution for the masses though. I had no trouble switching to the F-Droid build. Too many steps and unfamiliar actions for the typical end-user.

      I also rethought my initial assessment. I did not know Firebase. I did not know HockeyApp. Even though the Bitwarden app may only be using the push functionality of Firebase to sync the database... What else did Google embed in the push code?

      HockeyApp for crash analytics, okay, I can understand the need to have data to improve the reliability. Bitwarden is built using Xamarin which is part of the open source .NET and also a subsidiary company of Microsoft. A healthy amount of skepticism will suspect HockeyApp of the same.

      I think I will try pressuring the devs to consider replacing both. Firebase would be easier to replace since it is only a component. HockeyApp itself may only be a component, but how about Xamarin?

      Why has my last "Hello World" program measured 10 MB, while the first only measured under 512 bytes?

  14. arachnoid2

    No need for such triffilings

    Password1 and 12345678 works just fine

    1. ItWasn'tMe
      Coat

      Re: No need for such triffilings

      Password1# surely.

      Can't forget that outdated requirement to include a special character...

  15. Paul Barnett

    keepass - which version?

    Prompted by this, I looked at what is available in the fedora 33 repositories - I have these choices - keepass keepassx keepassx0 keepassxc - and no indication in dnf info of why I should choose any of them - For those using keepass* , which version, and why?

    1. Hubert Cumberdale Silver badge

      Re: keepass - which version?

      KeePassXC. It's unfussy, written in C++ (rather than for example C#), GNU licensed, largely cross-platform (although for Android or iOS you'll need a different majigger), and for me it just works when I sync via [my current cloud drive provider]. (Note that in this case cloud sync is a very minimal security risk because the database only gets decrypted locally.) See also this info.

      1. Hubert Cumberdale Silver badge

        Re: keepass - which version?

        Does the downvoter care to elaborate, or will he or she choose to remain a chimp?

    2. drankinatty

      Re: keepass - which version?

      keepassx, or, if available on your platform, the current keepassxc are the optimal choices. keepassxc is the continuation of keepassx and continues under active development. It is open-source (so you can verify there is nothing in the code) and it has a great interface. I don't know 1password, so I can't opine about it or other managers. But with close to 20 years use of keepassx and now keepassxc -- I can tell you, you can't go wrong with either.

  16. Aaiieeee
    Unhappy

    App uninstalled

    Seriously considering whether to move to a different platform

    1. Hubert Cumberdale Silver badge

      Re: App uninstalled

      Do. KeePassXC FTW (see above).

    2. Anonymous Coward
      Anonymous Coward

      Re: App uninstalled

      I've been using SecureSafe for ages, partly because of its inheritance feature (and partly because I know who audits them).

      I do occasional BCM work, and it's quite impressive to see how many people neglect succession planning (even in a family context). SecureSafe's solution is simple, effective and prevents abuse, and works on the platforms I use.

  17. Anonymous Coward
    Anonymous Coward

    Way to *seriously* miss the point

    This is the thing that always p*sses me off when a company is caught with its hand in the privacy jar:

    The software's maker says users can opt out if they want.

    1 - I should not have to opt out of something that impairs my rights because yes, Internet companies, privacy has actually been a Human Right (#12) since 1948;

    2 - It is in Europe not allowed to default to opt in to privacy grabbing;

    3 - even from a sheer marketing perspective it's lunacy to do this, because the moment it leaks (it will, and it has, QED) you have a major PR problem because you're also managing people's most important online data, passwords. Who's to say you haven't been tapping those as well?

    Stupid beyond belief. I hope they lose all their customers.

    This, by the way, pours some extra validation sauce over Apple's push to get developers to declare what they get up to with user data. No wonder Zuckerberg is seriously pissed off about that..

  18. richardalm

    Important article (about open source)

    KeePass and its many forks -- KeePass2Android in particular -- are the real McCoys. Hopefully this article helps get that message across at a quicker pace. And if KeePass source code is ever abused here's hoping El Reg is on the case like flies on LastPass.

  19. Mike 137 Silver badge

    "... the complex passwords needed for security are particularly hard to memorise"

    "Complex" passwords are only hard to memorise because the rules provided for creating them don't take account of human psychology (or indeed in many cases, the mechanics of crackability). Even the concept of "complexity" is not understood, It typically means no more than "looks random to me", without reference to the absolute fact that the human brain can not create a truly random string due to a phenomenon called "memory". In any case, where's the rationale for even true randomness providing protection against anything except possibly the most naïve schoolboy attempts at guessing?

    There's masses of robust research into real password quality (in all senses) spanning some 30 years, but nobody who sets the rules seems to have read it.

    What we have instead is a regime defined by folks who don't even seem to understand the basics, such as "strength". There's actually no such thing as password strength. For it to mean anything, it must be qualified as "strength against what?" Each specific threat to a password needs different attributes and conditions to protect against, and by far the majority don't relate to the composition of the string at all. Just for example, infinite retries on a credentials entry form with a fixed maximum field length allow any possible password to be cracked by long term trial and error. It's also worth noting that pretty much all the major reports on "weak passwords" have obtained their data from offline cracking of exfiltrated password databases. So the fundamental problem was exfiltration of the database, as no password hash is immune to eventual cracking offline.

    1. Charlie Clark Silver badge

      Re: "... the complex passwords needed for security are particularly hard to memorise"

      The definition of strength for passwords is based on dictionary-based attacks and refers to the permutations afforded by the character set and password length. Hence, awarding marks for case mixing, numbers and non-alphanumerics. While I agree that this is not really a good way to determine password security, it's better than nothing for those situations where passwords are still unavoidable.

  20. Anonymous Coward
    Anonymous Coward

    Bitwarden Trackers

    As mentioned in the article, Bitwarden has signatures for two trackers. Bitwarden has this posted in their security FAQ regarding the trackers used:

    "What third-party scripts, libraries, and services are used?

    A: Currently, we load third-party payment scripts from Stripe and PayPal on payment pages in the Web Vault. In the mobile app, the Firebase script is used for push notifications. The HockeyApp is used for crash reporting. Please note, Firebase and HockeyApp are removed completely from the F-Droid build if you are interested in using that option. Turning off push notifications on a Bitwarden server will disable using the push relay server if you want to self-host."

    https://bitwarden.com/help/article/security-faqs/

  21. Twilight

    If I was a LastPass user, I'd definitely be leaving after this finding. As it is, I've been a happy 1Password user for years.

  22. Blackjack Silver badge

    Remember my hate for password manages? This is another reason why.

    To clarify, if I ever use a password manager is going to be an open source one because I don't trust private companies with my data... despite the fact that I use Google so they have it anyway.

    1. hayzoos

      You should be using a password manager that encrypts and decrypts passwords only on your own devices and only you have the decryption key (aka master password) with well vetted strong encryption. If that is the case, you should have no problem storing the encrypted passwords anywhere. You should even be able to post the encrypted passwords publicly. If not, you are using the wrong password manager.

      The good ones will be warning you that if you lose the master password, you are screwed, since nobody will be able to decrypt.

  23. Smartypantz

    "Cloud" and passwords

    if a sentence containing "Cloud" and "personal passwords" doesn't set of any alarms for you, you shouldn't be using the Internet!

    1. Tony W

      Re: "Cloud" and passwords

      This has been well dealt with in previous posts. My master pw is stored nowhere but in my head. It's 20 characters long, and I am not a particularly valuable target. With Keepass it is also possible to require a specific local file for decryption.

    2. pc-fluesterer.info
      Megaphone

      Re: "Cloud" and passwords

      nothing to worry about if all content is encrypted client-side an the cloud stores it zero-knowledge. Go for Bitwarden (the FOSS version from f-droid).

  24. saabpilot

    Great article so Dashlane tracks as well -kind puts me off my planned migration to it from Last(timediuseit)pass. Guess I will investigate 1password.

  25. drankinatty

    KeePass, KeePassX and KeePassXc Have Been Staples for Nearly Two Decades

    Long ago, before KDE reached 3.5, keepassx was a premier password manager. It offered something rare then, versions for both Linux and Windows. That largely being due to it being an interface wrapped around a hashing and storage algorithm. It does one thing, and does it very well. Then when phones got smart enough to run apps, keepassx was there on the iphone (probably android as well). While I particularly liked the 0.4.3 interface, all interfaces were incredibly clean, well thought out, and ... practical and useful (a rarity in the "kids with crayons" UI design world of today). OpenSource (so you can look and ensure there is nothing nasty in the code) and GPL2.

    But alas, development on keepassx has waned -- enter keepassxc. Keepassxc is a continuation of keepassx that continues to enjoy active development. Slight changes to the interface that do not detract from what was available with keepassx 0.4.3 (hard to improve on something that is already that good -- changes more likely screw things up than make things better). So while I still use keepassx 0.4.3, I have keepassxc as well that happily imports directly from keepassx (both 0.4.3 and the 2.x versions).

    The thought of someone providing a password manager that contains tracking software is an absolute show-stopper. The fact that the trackers in LastPass are so granular they can report when and to what type a password was changed is one malicious .dll away from sending the keys to the kingdom out to some redirected 3rd party server. Any developer including trackers in a password manager lacks the modicum of decency necessary for users to trust their most critical data with that app. The fact the opt-out is intentionally hidden under Settings->Advanced Settings->Privacy is a direct reflection of the disdain the developer has for user privacy. Run, run like lemmings to another password manager that values your privacy enough to provide tracker-free code (do that for all apps you can).

    So, you must think I am involved in some way with keepassx or keepassxc. Nope. The only contact I have ever had with the developers is to send in UI suggestions back in the 2008 time-frame. But I have been a user or keepassx since it's inception (or soon thereafter) and I am a staunch open-source and privacy advocate with more than two-decades of open source use and development experience. When you think about the mindset it takes to make the decision "Okay, go ahead with the trackers in the password management software", it is repugnant, and one-step-too-far in the perverted game of tracking users behavior. So pick a password manager that respects your privacy -- never compromise.

  26. Goopy

    None

    Yep option opt out LastPass has no place anywhere in the Android app that is an opt-in or an opt out for any of this nonsense, don't know what they're talking about and they're telling you there's we have the ability to opt out, none.

  27. saabpilot

    Nordpass Has anyone tested it as an alternative? does that track or do other naughty things?

  28. KevinFanch

    We need more private OS for phones

    I use /e/ and its app store already shows how many trackers each app has. It gives you an idea which app is OK to use and which one not. It also doesn't send private data to Google unlike stock Android, which is a huge feature, if you care about privacy.

  29. HelpfulJohn

    Hypocrisy, much?

    Of course the Very Righteous Register would never have trackers, analytics or other scripts running on its website.

    Google-analytics, ads-twitter, doubleclick, amedo, a tagmanager from Google and possibly others that remain hidden.

    Not that the Register would *ever* allow such things. Not while berating others for that offence.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like