Password Security Catch-All Thread

Gathering weak npm credentials. This one really irritates me, because now security-unconscious developers can cause my PC to be trivially hacked.

LastPass posted to their blog about LastPass Families today:

Unlimited sharing with your family

Every family is unique, so you need a flexible way to store and share information with others. With LastPass Families, organize items into as many folders as you need, so you can share login credentials to household bills with your significant other, while sharing entertainment sites with the whole family – all while keeping personal sites separate in your private vault.

A family backup plan

There’s no telling what the future holds, and traditional methods of preparing for the unknown no longer cover everything. With LastPass Families, you can combine all valuable information, from online bank accounts to Social Security cards to healthcare details, in one place and give emergency access to a family member so you’re never locked out in unexpected situations.

Simple setup & management

With a LastPass account for up to 6 family members, LastPass Families allows everyone to easily store and access all their passwords and information, no matter what device they’re using. The lead family manager purchases the subscription and is able to designate additional managers, as well as add and remove family members.

I'll wait and see exactly what it looks like, but I like the idea. I've never managed to convince my spouse to use a password manager, and so her passwords and any shared passwords we have are pretty weak. With these new features, I might finally convince her it's worthwhile.

Interesting. My wife and I just share one account, but this could be pretty handy.

OK. I now have enough different passwords that remembering them is becoming problematic.

What password service should I try? I'm on Mac 10.9.5 and use Chrome. I'm in the UK.

LastPass is advertising heavily in the UK. I've also heard of 1Password and I've read that 'things' are stored locally, which sounds like a good idea.

However I simply don't have enough knowledge to know what I should be using, or to truly understand the differences.

I have been using LastPass for quite a few years now and have been very, very happy with it. I pay the $24 a year to get premium, which allows for syncing of my database across multiple platforms. The interfaces (PC and mobile) are good, and when I am creating a new account on a website, it will capture the information >99% of the time.

I've also had a good experience with LastPass. And their most recent update to their plugins on Safari actually makes it no longer hurt my eyes to look at...

I chose LastPass a few years ago and have been really satisfied with it. I use the plug-in in Safari, Firefox, Opera, and Chrome, in macOS, Win10, and iOS.

If you're only using macOS/iOS, you might consider iCloud Keychain. But it's not as flexible as other password managers, and won't be much use if you're using Windows.

Only works on Safari, not other browsers.

+1 to LastPass. I use the desktop app for Windows, the extension for Chrome, and the app for Android and they've all been great. The Android app can be a bit fussy, but no more so than most mobile apps, really.

My only complaint is a few months back when there was some vulnerability in their Chrome extension serious enough that people should have been avoiding the extension while they fixed it, and I found out about it here rather than from them, despite the fact that I pay for premium and they have my email address. This is a pretty big complaint, and I'm still pretty annoyed, but otherwise my experience has been good.

Add another happy LastPass premium customer here. The Firefox plugin isn't fully functional at the moment because the extension tech has been updated and the plugin hasn't yet, but it still works and the mobile client works great.

1Pass - More safe if you do local only storage (no ciphertext over the wire)
LastPass - convenient as hell, I use it. I give them the 20 bucks a year.

Remember to also enable 2FA (preferably not the SMS/email option as the second factor as well).
Don't use the LastPass 2FA stuff, keep that separate.

boogle wrote:

Don't use the LastPass 2FA stuff, keep that separate.

What did you mean by this boogle?

I use the LastPass authenticator app for both my LastPass account and several other accounts. The former uses a popup notification when you are signing in elsewhere which is very handy.

PaladinTom wrote:
boogle wrote:

Don't use the LastPass 2FA stuff, keep that separate.

What did you mean by this boogle?

I use the LastPass authenticator app for both my LastPass account and several other accounts. The former uses a popup notification when you are signing in elsewhere which is very handy.

You now have 2 factors controlled by one thing.
I also don't trust their 2FA implementation.
Really I would prefer if everything I used adhered to the new FIDO standard, which is a more robust possession factor.
If you are at all curious about this from a development perspective, I recently saw the below talk and it's quite good.

I look forward to all of Boogle's posts beginning with, "Well, at Strangeloop..."

To be fair there were also some bad talks and the Kotlin talk just made me not want to use Kotlin.

I think there must be another thread for this? Anyways I just found out that LastPass is now $36 per year which isn't outrageous, on its own, but the last time I paid it was $12! I did a little alternative researching and open source Bitwarden has almost identical functionality for free or $10 a year that includes file storage.

I imported everything from LastPass within a couple minutes and I'm liking it so far. The plugins feel less clunky than LastPass too.

Damn, that is quite the price hike

I just use the free version of LastPass.

I'm using one of the multi-factor authentications they only support in the premium one, but otherwise yeah, the free version seems fine. Maybe I should just get used to another authentication.

I use the cross device syncing a ton so the free version doesn't cut it. Also, I don't think secure notes are in the free one right?

Edit: Oh, I see they now include cross device syncing as part of the free plan. Definitely wasn't always that way. No secure notes though.

I installed Bitwarden a few weeks back to see if I can get over my skittishness about trusting my passwords to the cloud and mobile devices for convenience.... So far the vault sits empty, but part of that is lack of time to test.
Edit: Ha! Since I was testing I set it up on my Android phone, tested the biometric unlocking, and apparently have now forgotten the test password I set on the vault. Super cryptic password hint is super cryptic and not ringing the bells I thought it would. "Topic:Persistent" Good job, past me. Good job.

I also just saw that the LastPass premium service price got hiked outrageously so I've switched to Bitwarden. So far it works well.

I also didn't realise that cross device syncing is now a LastPass free feature so probably didn't need to move, but I'm still fine with the switch.

MrDeVil909 wrote:

I also just saw that the LastPass premium service price got hiked outrageously so I've switched to Bitwarden. So far it works well.

I also didn't realise that cross device syncing is now a LastPass free feature so probably didn't need to move, but I'm still fine with the switch.

Not related in the slightest but I wanted to comment on your avatar MrDeVil. I just finished season 4 of Lucifer and thought that was it (I mean, it did wrap up pretty nicely and I would be ok with how it ended). Now I'm just super excited for the next season!

I am still chugging along on 1Password here. I haven't had any reason to switch and I never understood why it seemed LastPass is/was more popular.

DeThroned wrote:
MrDeVil909 wrote:

I also just saw that the LastPass premium service price got hiked outrageously so I've switched to Bitwarden. So far it works well.

I also didn't realise that cross device syncing is now a LastPass free feature so probably didn't need to move, but I'm still fine with the switch.

Not related in the slightest but I wanted to comment on your avatar MrDeVil. I just finished season 4 of Lucifer and thought that was it (I mean, it did wrap up pretty nicely and I would be ok with how it ended). Now I'm just super excited for the next season!

Still haven't watched Season 4, the backlog is overwhelming. But I'll get to it soon.

LeapingGnome wrote:

I am still chugging along on 1Password here. I haven't had any reason to switch and I never understood why it seemed LastPass is/was more popular.

When I was looking LastPass was 1 sub for multiple devices, 1Password was per device, so LP was way cheaper. Now there's really no difference, as far as I can tell.

Ah, I got onto 1Password before they even had subscriptions and we use it on a bunch of devices.

I started looking around for a LastPass replacement after the price hike, but honestly most vendors are in the same price category (about 36USD per year). If that's the case, I'm staying on LastPass as my wife was already grumbling about potentially having to relearn another platform.

dejanzie wrote:

I started looking around for a LastPass replacement after the price hike, but honestly most vendors are in the same price category (about 36USD per year). If that's the case, I'm staying on LastPass as my wife was already grumbling about potentially having to relearn another platform.

I mentioned Bitwarden a few posts back. For $10 it has almost identical functionality.

I've been "stuck" using LastPass for years now as it was the first one I tried. It works great overall, but I kinda hate its UI. I've considered trying to move to another solution but I don't have the will to go through all of that.

EvilDead wrote:
dejanzie wrote:

I started looking around for a LastPass replacement after the price hike, but honestly most vendors are in the same price category (about 36USD per year). If that's the case, I'm staying on LastPass as my wife was already grumbling about potentially having to relearn another platform.

I mentioned Bitwarden a few posts back. For $10 it has almost identical functionality.

I missed that, my apologies. I'll be looking into it for sure.