Password Security Catch-All Thread

misplacedbravado wrote:
MannishBoy wrote:

I think LastPass's problem was they made the free plan TOO good for a while.

That sounds about right. I started out with the free plan, then happily moved to the paid tier when they added mobile apps. I was a paid subscriber for just a year or two before they moved all the features I used to the free tier.

And human psychology being what it is, their asking $3/month for what they've been providing free for years is a grave insult to me. So now I guess I'll check out Bitwarden.

I had no problem paying (which I did for years) for LastPass until they tripled in price. Similar thing happened with LogMeIn and both owned by the same parent company. I switched to Bitwarden and haven't looked back. I could even use the free version of Bitwarden but I pay them 10 bucks a year to support them.

EvilDead wrote:
misplacedbravado wrote:
MannishBoy wrote:

I think LastPass's problem was they made the free plan TOO good for a while.

That sounds about right. I started out with the free plan, then happily moved to the paid tier when they added mobile apps. I was a paid subscriber for just a year or two before they moved all the features I used to the free tier.

And human psychology being what it is, their asking $3/month for what they've been providing free for years is a grave insult to me. So now I guess I'll check out Bitwarden.

I had no problem paying (which I did for years) for LastPass until they tripled in price. Similar thing happened with LogMeIn and both owned by the same parent company. I switched to Bitwarden and haven't looked back. I could even use the free version of Bitwarden but I pay them 10 bucks a year to support them.

This was my path, too. Bitwarden is virtually the same as LastPass, and the transfer of information was super simple. Bitwarden’s interface handles some things a bit better, some a bit clunkier than LastPass, but it’s been a pretty easy transition.

I will say that I feel like it doesn’t grab new accounts / passwords as well as LastPass, which makes it a bit more challenging with the family.

Yeah, I was also on LastPass Premium till they tripled the price and switched to Bitwarden. I didn't realise at the time that LastPass Free actually had the features I'd originally signed up to Premium for so it wasn't necessary to switch, but I'd already made the change.

A couple of years on now and I'm pretty happy with Bitwarden. I'm currently on free, but I'll sign up for the paid service pretty soon.

What are the pros/cons of 1Password vs Bitwarden? I should get around to setting up one of these at some point soon. I'd need to get both me and my wife on it, and ideally have a vault of shared passwords, along with some non-shared ones. It'd need to be pretty painless for her to use, and we'd need it on probably three different computers, plus several mobile devices (two of which are Kindle Fires with child profiles and the Amazon Kids wrapper).

I remember a while ago, I got a pretty strong recommendation to use 1Password because it was better for security reasons that were over my head.

Been using Bitwarden free over LastPass over the past week and I have really liked it so far. The interface is better, app is better and it's overall faster.

The only thing I don't like is that I can't right click a field and autofill the address and/or credit card. It needs to be done at the top right extension icon. Not too big of a deal but it does take a tiny bit longer.

The CSV import to Bitwarden did transfer all that Home/credit card info but all my picture secure notes are blank since they were encrypted I guess in LP and AFAIK CSV can't export images.

As someone who's been meaning to set something like this up for years, I got a question.

If I lose my phone, how am I not completely locked out of everything?

Jonman wrote:

As someone who's been meaning to set something like this up for years, I got a question.

If I lose my phone, how am I not completely locked out of everything?

Bitwarden is just a normal online account with a user id and password. You can log in from multiple devices including mobile and desktop.

HOWEVER, you should absolutely set up Two Factor Authentication because your password manager has all the keys to your castle. Two factor apps are meant to be used on just one device and are a pia if you lose your phone. Therefore, I use Authy which allows logins from multiple devices. It’s less secure, but as far as I know it’s never been compromised. It gives me that one extra sense of reassurance that if I lose my phone I still have access to my 2FA accounts.

What PaladinTom said AND make sure your master password is unique and very "strong". The best thing about a password manager is you only need to remember the master password and it can handle & generate all the rest.

Reminds me, I've also been using LastPass as an authenticator for TFA. Have they said anything about changing that? Don't think it's tied to your regular account, so I assume not. I also have some stuff in Google's tool as well as MS's.

Does Bitwarden use fingerprints to unlock on Android?

EDIT: Never mind, see that biometrics were added at the end of January. I'd seen something saying it didn't support it.

I started using Bitwarden about six months ago and I'm not sure I could live without it now. Super convenient, especially with biometric log-in and the option to auto-lock for certain actions (e.g. phone screen off, browser close). With the government computer system requirement for increasingly arcane and long passwords that have to be changed every 30-90 days, Bitwarden keeps me sane and my passwords very strong.

Wow, Bitwarden is almost exactly like Last Pass, but better.

1Password lacks polish, but doesn't have any trackers.

I made the jump from LP to Bitwarden today. Going to run them side by side for a couple of weeks while I put BW through its paces, then I'll probably sign up for the $10/year plan.

I've had LP premium for a while. I just checked and my account says "LastPass Premium User : Expires on June 21, 2021" so I have a few months to decide if I want to transition to something like Bitwarden before I have to pay LP again.

I've been contemplating a switch for a while, at least since LogMeIn took over (holy carp that was over 5 years ago; doesn't seem that long). I use LP on both browsers and on my Android phone, but the Android app has been unreliable at best.

They've also been nagging me since January that I have to update my billing information "for security reasons". This week I read this:
Security researcher recommends against LastPass after detailing 7 trackers
1Password has zero trackers, and Bitwarden two

(yes, that article does link back to the one that Garion posted)

The text of the article makes it sound like it's not a big deal, but it does have my attention, given that LogMeIn doesn't have a sterling reputation to begin with.

From what I've read, moving data from LP to BW isn't very painful and people seem generally contented with the BW Android app, so maybe it's time for me to take it for a test run.

Hrdina wrote:

From what I've read, moving data from LP to BW isn't very painful and people seem generally contented with the BW Android app, so maybe it's time for me to take it for a test run.

I just did it. Some folder and credit card info came in kind of odd, but it may have been that LP was just hiding some miscategorization that I'd done in the past. Otherwise pretty easy.

I already miss the LP Chrome and Firefox extensions' ability to put a number of passwords in the password/User ID boxes so that I can more quickly fill passwords. Bitwarden has three methods to fill that I see, clicking up on the browser bar icon, right clicking and using the context menu, or using hot keys that I don't have memorized yet.

Another thing I miss is the LP Authenticator automatically popping up on my phone when I log into LP. With BW, you have to manually go into your TFA app (assuming you use TFA apps).

Otherwise, things are fine.

MannishBoy wrote:

I already miss the LP Chrome and Firefox extensions' ability to put a number of passwords in the password/User ID boxes so that I can more quickly fill passwords. Bitwarden has three methods to fill that I see, clicking up on the browser bar icon, right clicking and using the context menu, or using hot keys that I don't have memorized yet.

A quick check in the options shows an experimental feature for auto-fill on page load. I haven't tried it, but would this meet your needs?

Coldstream wrote:
MannishBoy wrote:

I already miss the LP Chrome and Firefox extensions' ability to put a number of passwords in the password/User ID boxes so that I can more quickly fill passwords. Bitwarden has three methods to fill that I see, clicking up on the browser bar icon, right clicking and using the context menu, or using hot keys that I don't have memorized yet.

A quick check in the options shows an experimental feature for auto-fill on page load. I haven't tried it, but would this meet your needs?

Sometimes. If you have multiple accounts it would be a hindrance. I had seen that, but haven't tried it. Thanks for reminding me.

Basically the way it works by default is adding an additional mouse travel or clicks, or putting both hands on the keyboard to do the hot key (removing one from the mouse). (CTRL-SHIFT-L)

BTW, Ctrl-Shift-L is a horrible hot key setup for me. You know what my most used hotkeys are in my day job in all MS Office products (except PowerPoint...damn MS not being 100% consistent)? Ctrl-Shift-L to do a bullet list. Use it all the time taking notes and organizing my thoughts visually.

Looks like you can change the default through browser settings. Will probably do so.

Configuring Keyboard Shortcuts
Configuring the keyboard shortcuts used by a Bitwarden Browser Extension differs based on which browser you’re using. To access the configuration menu:

In Chrome, enter chrome://extensions/shortcuts in the address bar.

In Chromium-based browsers like Brave, substitute chrome for the relevant browser name (e.g. brave://extensions/shortcuts).

In Firefox, enter about:addons in the address bar, select the Gear icon next to Manage Your Extensions, and select Manage Extension Shortcuts from the dropdown.

Some browsers, including Safari and legacy Edge do not currently support changing the default keyboard shortcuts for extensions.

Also looking at the docs, looks like they also include a TFA tool. Will check into that. Suspect it won't auto-fill or validate it's me on the phone like Last Pass or MS does for their own stuff, but I'll report back if it does.

Does Bitwarden have a way to sort passwords by a modification date? I used that with LastPass to change my oldest passwords every so often, but I'm not finding a way, unless I'm missing it.

I have my older gaming rig sitting around, collecting dust, and I decided it was time to pass it on to my parents. They're currently using one of my older, older gaming rigs which is probably at the end of its life.

One of the things I'd love to do for them is get them into a password manager tool. At the moment, their password manager tool is a sheaf of papers with various scribbled passwords all over them. Not only not secure, especially since there may only be two or three "different" passwords on the list, but also could be lost easily in a disaster.

I need some recommendations of which password manager service fits this bill:

  • Senior-citizen-friendly - My parents are not totally foreign to technology, but I absolutely do not want to have them on the phone every other week when they try to sign in to their medicare site and can't figure out how to get the right password
  • Fully integrated with the browser - meaning when they go to a site, they don't have to open another site or app to retrieve their passwords
  • Simple (or at least logical) process for adding new passwords (I will be there to help them set up, but I want them to be independent when they need to make a new password somewhere, and that the hurdle is small enough that my dad doesn't just start using his old bullsh*t passwords)
  • Cost effective for two retired senior citizens on fixed incomes (they're not poor or struggling by any means, but they are at least somewhat frugal, and if I come to them with something that costs them $15 a month or something, they're going to scoff)
  • Works with Windows 10, iOS, and Android - Mom has an iPad, and they share a Pixel 3 on Google Fi

I wish I could recommend Bitwarden, but it is just fiddly and clunky enough I think it probably wouldn't work for your parents as you describe them. It doesn't always capture a new site, it doesn't always offer to auto-fill on Android.

  • Generating passwords is easy, and it is easy to find, but ensuring they get saved with each site can be another story.
  • It's free across devices.
  • Premium is only $10 a year. I doubt they need any of the premium features unless you want it to tell them their long list of the same password is not good.
  • Filling passwords feels counterintuitive at first in a browser until I remembered that with LastPass I was always fighting to see around the browser auto-fill that would pop up with the password box and going to the top right of the browser and just selecting the icon and then which password from the short list of (usually) 1 or maybe 3 (some overlap on CC's and such) actually made it easier in some cases.
  • On a mobile device it's more likely they would have to launch the app and copy/paste the login info most times.

Maybe I'm wrong and it could work for them, but they would likely find a reason to not use it, or not update their passwords.

Honestly, I'd probably just buy them a pair of really nice paper password books, have them take down their important passwords in both of them, and then stick one in a bank deposit box or something.

That, plus teaching them not to reuse passwords. With the booklet, it shouldn't be necessary.

NM

Based on some other recommendations, I think I'm going to use Firefox Lockwise - I'm satisfied with its Android and iOS integration, and it is, of course, already integrated with Firefox. But thanks for the password book idea - I will get them one of those, as well, and have them keep that handy, too.

It's password-changing time! And don't forget to set up 2FA if you haven't already.

Massive Twitch Data Breach

merphle wrote:

It seems like LastPass is regaining its independence.

So their business model of trying to rake in a bunch of money and running off their paid and unpaid consumers to focus on business failed completely. Shocked.

MannishBoy wrote:
merphle wrote:

It seems like LastPass is regaining its independence.

So their business model of trying to rake in a bunch of money and running off their paid and unpaid consumers to focus on business failed completely. Shocked.

LogMeIn and LastPass were sold to an equity firm for $4+ bil, so seems like it worked out well for whoever got paid from that transaction.

LogMeIn chief executive Bill Wagner and his management team will continue to run LastPass until a new chief executive is hired in 2022.
Wagner said LastPass had around $10 million in sales when LogMeIn paid $110 million to acquire the startup six years ago. It has since grown to about $200 million in annual recurring revenue.

That's probably funny math and sales aren't that strong, but whatevs.

https://www.bostonglobe.com/2021/12/...

It's four dollars a month for *six* licenses! How the heck is that a money grab? The service is fast, reliable, and has some nice additional features.

Yeah, I've been a satisfied Premium/Family member for years. No complaints. It does its job and lets me not have to think too much about it. Any quirks I run into are more the fault of web designers trying to be cute and/or clever with their login screens. ("Oh, you didn't physically TYPE anything into the password box, so we won't enable the login button yet.")

Robear wrote:

It's four dollars a month for *six* licenses! How the heck is that a money grab? The service is fast, reliable, and has some nice additional features.

I was talking about their move a while back shortly after the LogMeIn acquisition. I don't remember exactly what I was paying for a license initially, but it went up several multiples. Their first screw-up was moving too much stuff into the free category, then they swung it back way too far the other direction.

I moved over to Bitwarden and haven't looked back. Don't even really need anything above their free category, so have been thinking about bumping up to paid just to support them.