Changes to LastPass free

Lazareth
Posts: 337
Joined: Tue Nov 01, 2016 9:21 am
Location: USA

Re: Changes to LastPass free

Post by Lazareth »

DCode wrote: Thu Feb 25, 2021 12:42 pm
Lazareth wrote: Tue Feb 23, 2021 1:08 pm I'd be interested to learn how others are successfully using Last Pass or any other PW manager, in a family/sharing situation like me.
I've been using LastPass for many years and have the family plan with my wife and two teenage boys using it also.

For sharing, I use shared folders (see Sharing Center in your vault) which makes it extremely simple to share passwords with other members of the family. We have folders named like "Shared-Wife-Me", "Shared-Son1-Mom-Dad", etc. When you save or edit the site and if you want to share it, you simply set the folder to the appropriate one. For example instead of having "Netflix" in the default or Entertainment folder, we put it in the Shared-Son1-Mom-Dad folder and we all have access to it.

We also have the Emergency Access set so others can get a copy of another family member's vault in case of emergency. This is very flexible and you can set it to have them wait x number of hours or days until access is granted. We do have a wait period set since I can't think of anything where someone would need it immediately and it also is a safeguard in case an unauthorized person gains control of an account and tries to recover a trusted family member's vault (ex. Son1's account is compromised and person tries to get emergency access to Dad's vault). From LastPass:

When your trusted contact requests Emergency Access, you can decline their request within the specified waiting period.
Thank you DCode, I appreciate the folder-naming tip, and the Emergency Access set-up info. I like the Family/Sharing feature as my wife is entrusted with employer and client-related log-in credentials, and I prefer to not have access to those, a firewall if you will, for our mutual protection.
a/69, retired, married, enjoy p/t employment. Three-fund portfolio, after decades of chasing active-managed fund performance.
Bylo Selhi
Posts: 1310
Joined: Mon Feb 19, 2007 9:40 pm
Location: Great White North

Re: Changes to LastPass free

Post by Bylo Selhi »

1Password has none, KeePass has none... So why are there seven embedded trackers in the LastPass Android app?
The Exodus report on LastPass shows seven trackers in the Android app, including four from Google for the purpose of analytics and crash reporting, as well as others from AppsFlyer, MixPanel, and Segment...

Even the app developers do not know what data is collected and transmitted to the third-party providers, said Kuketz, and the integration of proprietary code could introduce security risks and unexpected behaviour, as well as being a privacy risk. These things do not belong in password managers, which are security-critical, he said.

Kuketz recommended changing to a different password manager, such as the open-source KeePass.

Do all password apps contain such trackers? Not according to Exodus. 1Password has none. KeePass has none. The open-source Bitwarden has two for Google Firebase analytics and Microsoft Visual Studio crash reporting.
1. Who are "AppsFlyer, MixPanel, and Segment," what are they doing with our data and why should we trust them?
2. Even though BitWarden is open source, these two trackers aren't. Even though these two trackers are from known companies Google and Microsoft, that's no guarantee that a bad actor couldn't get to BitWarden data via these trackers.
3. This report is only about the Android version of password managers. It's unclear how these revelations pertain to their desktop versions as well as the iOS versions of their phone apps.
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: Changes to LastPass free

Post by rebellovw »

Bylo Selhi wrote: Fri Feb 26, 2021 9:15 am 1Password has none, KeePass has none... So why are there seven embedded trackers in the LastPass Android app?
The Exodus report on LastPass shows seven trackers in the Android app, including four from Google for the purpose of analytics and crash reporting, as well as others from AppsFlyer, MixPanel, and Segment...

Even the app developers do not know what data is collected and transmitted to the third-party providers, said Kuketz, and the integration of proprietary code could introduce security risks and unexpected behaviour, as well as being a privacy risk. These things do not belong in password managers, which are security-critical, he said.

Kuketz recommended changing to a different password manager, such as the open-source KeePass.

Do all password apps contain such trackers? Not according to Exodus. 1Password has none. KeePass has none. The open-source Bitwarden has two for Google Firebase analytics and Microsoft Visual Studio crash reporting.
1. Who are "AppsFlyer, MixPanel, and Segment," what are they doing with our data and why should we trust them?
2. Even though BitWarden is open source, these two trackers aren't. Even though these two trackers are from known companies Google and Microsoft, that's no guarantee that a bad actor couldn't get to BitWarden data via these trackers.
3. This report is only about the Android version of password managers. It's unclear how these revelations pertain to their desktop versions as well as the iOS versions of their phone apps.
Thanks for the info - another lock down setting in LP - don't send any crash reports to anyone! (advanced -> Privacy)
Bylo Selhi
Posts: 1310
Joined: Mon Feb 19, 2007 9:40 pm
Location: Great White North

Re: Changes to LastPass free

Post by Bylo Selhi »

rebellovw wrote: Fri Feb 26, 2021 9:51 am another lock down setting in LP - don't send any crash reports to anyone! (advanced -> Privacy)
I'm not overly concerned about sending crash reports to Google.

This LP setting doesn't seem to affect tracking by "AppsFlyer, MixPanel, and Segment." I am very concerned about who they are, what they track and how secure their code is.
TravelGeek
Posts: 4902
Joined: Sat Oct 25, 2014 3:23 pm

Re: Changes to LastPass free

Post by TravelGeek »

A reminder that if you aren’t a customer, you are probably the product. And in this case even paying customers are apparently also having certain data tracked and sold.
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Re: Changes to LastPass free

Post by squirm »

I'm going to stay with lastpass, and pay the yearly fee for now. I have everything on my vault, so my life is over if it ever gets compromised. I'll look at bitwarden when I feel more comfortable.
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: Changes to LastPass free

Post by rebellovw »

Bylo Selhi wrote: Fri Feb 26, 2021 10:15 am
rebellovw wrote: Fri Feb 26, 2021 9:51 am another lock down setting in LP - don't send any crash reports to anyone! (advanced -> Privacy)
I'm not overly concerned about sending crash reports to Google.

This LP setting doesn't seem to affect tracking by "AppsFlyer, MixPanel, and Segment." I am very concerned about who they are, what they track and how secure their code is.
You're right - it is just callstack info - certainly not like they are sending a crash dump.
Invest4lt
Posts: 328
Joined: Sat Jul 15, 2017 12:25 pm

Re: Changes to LastPass free

Post by Invest4lt »

While it seems possible to lock down the Lastpass tracking cookies, they don't seem like a best practice. The article notes, “There are solutions that do not permanently send data to third parties and record user behavior.”

https://www.theverge.com/2021/2/26/2230 ... ch-privacy

That's enough incentive for me to move to 1Password and avoid potential tracking from LastPass, Dashlane, and Bitwarden.
"People sometimes fail to live because they are always preparing to live." - Alan Watts
tibbitts
Posts: 23728
Joined: Tue Feb 27, 2007 5:50 pm

Re: Changes to LastPass free

Post by tibbitts »

dflaher wrote: Thu Feb 25, 2021 5:05 pm
Lee_WSP wrote: Thu Feb 25, 2021 4:30 pm I've always wondered why couples would have two master accounts instead of just sharing the single account or having a single shared master account and two separate individual accounts.
I've just realized the same thing after being forced to think about it by the latest LastPass action. I upgraded my account to Premium, and now my wife will use mine. So for $36/year we will have it on all our devices. This also eliminates the need to share passwords across userIDs.
I don't understand - how are you not sharing passwords?
cacophony
Posts: 1363
Joined: Tue Oct 16, 2007 9:12 pm

Re: Changes to LastPass free

Post by cacophony »

Invest4lt wrote: Fri Feb 26, 2021 6:51 pm While it seems possible to lock down the Lastpass tracking cookies, they don't seem like a best practice. The article notes, “There are solutions that do not permanently send data to third parties and record user behavior.”

https://www.theverge.com/2021/2/26/2230 ... ch-privacy

That's enough incentive for me to move to 1Password and avoid potential tracking from LastPass, Dashlane, and Bitwarden.
So then what's this? https://www.reddit.com/r/Bitwarden/comm ... &context=3
Invest4lt
Posts: 328
Joined: Sat Jul 15, 2017 12:25 pm

Re: Changes to LastPass free

Post by Invest4lt »

What is this? Good question, cacophony--I think the answer is "Confusing!" as the answer depends on Android vs iOS. The article you reference (theregister.com), however, reiterates that the LastPass Android app has SEVEN trackers and 1Password and KeePass have ZERO. The article continues: "Do all password apps contain such trackers? Not according to Exodus. 1Password has none. KeePass has none. The open-source Bitwarden has two for Google Firebase analytics and Microsoft Visual Studio crash reporting. Dashlane has four. LastPass does appear to have more than its rivals."

Since app developers cannot guarantee what data is collected and transmitted to third parties, it makes sense to me to avoid the Lastpass issue entirely.
"People sometimes fail to live because they are always preparing to live." - Alan Watts
cacophony
Posts: 1363
Joined: Tue Oct 16, 2007 9:12 pm

Re: Changes to LastPass free

Post by cacophony »

Invest4lt wrote: Fri Feb 26, 2021 9:25 pm What is this? Good question, cacophony--I think the answer is "Confusing!" as the answer depends on Android vs iOS. The article you reference (theregister.com), however, reiterates that the LastPass Android app has SEVEN trackers and 1Password and KeePass have ZERO. The article continues: "Do all password apps contain such trackers? Not according to Exodus. 1Password has none. KeePass has none. The open-source Bitwarden has two for Google Firebase analytics and Microsoft Visual Studio crash reporting. Dashlane has four. LastPass does appear to have more than its rivals."

Since app developers cannot guarantee what data is collected and transmitted to third parties, it makes sense to me to avoid the Lastpass issue entirely.
I should have been more clear, but I was pointing out that the 1Password app in iOS collects a fair amount of analytics info as shown in this screenshot: https://imgur.com/gallery/JnNQeN1

Bitwarden actually has fewer identifiers than 1Password according to Apple: https://imgur.com/gallery/gxJNVvx
Bylo Selhi
Posts: 1310
Joined: Mon Feb 19, 2007 9:40 pm
Location: Great White North

Re: Changes to LastPass free

Post by Bylo Selhi »

With BitWarden apparently the trackers on Android are Google's condition for listing in their Play store. BitWarden offers the Android app sans trackers on the independent F-Droid store. But that comes with a limitation of its own:
Bitwarden on F-Droid wrote: Since the Bitwarden F-Droid build does not include Firebase Messaging, push notifications for live sync updates of your vault will not work. Manual vault syncing is required.
Anon9001
Posts: 1884
Joined: Fri Dec 20, 2019 8:28 am
Location: بھارت

Re: Changes to LastPass free

Post by Anon9001 »

neuro84 wrote: Tue Feb 16, 2021 8:59 am
It's pretty good. I switched from KeePass to Bitwarden and it is much more user friendly. It's been a while since I used LastPass but I found this link while googling: https://bitwarden.com/help/article/impo ... -lastpass/
Land/Real Estate:89.4% (Land/RE is Inheritance which will be received in 10-20 years) Equities:7.6% Fixed Income:1.7% Gold:0.8% Cryptocurrency:0.5%
Peculiar_Investor
Site Admin
Posts: 2445
Joined: Thu Oct 20, 2011 12:23 am
Location: Calgary, AB 🇨🇦

Re: Changes to LastPass free

Post by Peculiar_Investor »

Bylo Selhi wrote: Fri Feb 26, 2021 9:15 am 1. Who are "AppsFlyer, MixPanel, and Segment," what are they doing with our data and why should we trust them?
3. This report is only about the Android version of password managers. It's unclear how these revelations pertain to their desktop versions as well as the iOS versions of their phone apps.
LastPass' blog attempts to address the concerns in "LastPass’ Commitment to Privacy and User Experience" - The LastPass Blog

I have had a LastPass Premium subscription for years. I wasn't particularly happy when they jumped the price from $1/month to $3/month. But at the end of the day LastPass offers me (and my family members) good value at a relatively low cost and I plan to continue using it going forward. Low cost is good enough for me. The enemy of a good plan is the dream of a perfect plan.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
fourwheelcycle
Posts: 1968
Joined: Sun May 25, 2014 5:55 pm

Re: Changes to LastPass free

Post by fourwheelcycle »

cacophony wrote: Fri Feb 26, 2021 10:14 pm I should have been more clear, but I was pointing out that the 1Password app in iOS collects a fair amount of analytics info ....
I use the licensed version of 1Password, not the cloud version. As a result, my master password, my vault data, and my "high level user data" never go to 1Password's servers, even in encrypted formats. It is possible for me to install 1Password's iOS app on my iOS devices and export my vault data from my computer to 1Password's iOS app, but I do not do that.

I also use a MacOS app called Cookie on my computer that deletes all of my tracking cookies every time I close my browser.
ddurrett896
Posts: 1712
Joined: Wed Nov 05, 2014 2:23 pm

Re: Changes to LastPass free

Post by ddurrett896 »

How do you handle family members getting your passwords?

I have a will and end of life instruction with all banking/financial/password info all in a safe. Is there a way to give someone access without giving them access while you're alive?
neilpilot
Posts: 5006
Joined: Fri Dec 04, 2015 12:46 pm
Location: Memphis area

Re: Changes to LastPass free

Post by neilpilot »

ddurrett896 wrote: Sat Feb 27, 2021 8:19 am How do you handle family members getting your passwords?

I have a will and end of life instruction with all banking/financial/password info all in a safe. Is there a way to give someone access without giving them access while you're alive?
Sure....just give them the LastPass password (and log in instructions) in your end of life instructions.
ddurrett896
Posts: 1712
Joined: Wed Nov 05, 2014 2:23 pm

Re: Changes to LastPass free

Post by ddurrett896 »

neilpilot wrote: Sat Feb 27, 2021 8:20 am Sure....just give them the LastPass password (and log in instructions) in your end of life instructions.
Problem is that I leave that in my safe too since it contains all of my account numbers and personal info.
neilpilot
Posts: 5006
Joined: Fri Dec 04, 2015 12:46 pm
Location: Memphis area

Re: Changes to LastPass free

Post by neilpilot »

ddurrett896 wrote: Sat Feb 27, 2021 8:42 am
neilpilot wrote: Sat Feb 27, 2021 8:20 am Sure....just give them the LastPass password (and log in instructions) in your end of life instructions.
Problem is that I leave that in my safe too since it contains all of my account numbers and personal info.
If they have access to the safe, what's the problem?

Or you can read above post on Emergency Access, although I'd think the safe is sufficient. viewtopic.php?p=5843529#p5843529
tibbitts
Posts: 23728
Joined: Tue Feb 27, 2007 5:50 pm

Re: Changes to LastPass free

Post by tibbitts »

ddurrett896 wrote: Sat Feb 27, 2021 8:42 am
neilpilot wrote: Sat Feb 27, 2021 8:20 am Sure....just give them the LastPass password (and log in instructions) in your end of life instructions.
Problem is that I leave that in my safe too since it contains all of my account numbers and personal info.
I assume "safe deposit box" not "safe", and at least one person you're not commonly close to physically is authorized to access the contents of the safe deposit box. I believe it varies by state but in many states at least, an authorized user can access a safe deposit regardless of the death of the owner. In some states there may be a separate agreement you sign giving access to your box after death, allowing your designated authorized user to avoid having a court allow access. You would want to make sure that individual has a key to your safe deposit box.

If you mean that you have an actual safe and you haven't given anyone access to it, that's not really a problem since unlike with a bank, anybody who's interested can easily break into your safe and access the contents.
seawolf21
Posts: 1590
Joined: Tue Aug 05, 2014 7:33 am

Re: Changes to LastPass free

Post by seawolf21 »

Saving$ wrote: Fri Feb 19, 2021 10:32 pm
Soon2BXProgrammer wrote: Thu Feb 18, 2021 7:44 am
Saving$ wrote: Tue Feb 16, 2021 11:42 pm KeePass

Free, always has been, always will be.
Works on any platform - been using it since Palm Pilot days, into BlackBerry OS, to Android and on iPhone, as well as on both work and personal computers concurrently along the way. No complaints at all.
What iPhone and Android app are you using specifically, since I see a couple of options... Also do any of them support having your KeePass database on a cloud file storage option (Google Drive or Microsoft OneDrive, etc.)?
Yes, my KP database is encrypted and uploaded to Google Drive. I can set it up to sync automatically with the phone or PC, or do it manually. The KP database requires a keyfile to access it, and the keyfile is NOT on the cloud - I store a copy of it on each device from which I access KP.
For Android I'm using KeePass2Android and VERY happy with it. I'm not currently using an iPhone version.
For KeePass on the computer, I use the 2xx version of the database, rather than the 1xx
Same here.

A bit of setup involved but been using this for past several years and no subscription fees. Architecturally no different than LastPass

1.) Run KeePass (open source) on Windows https://keepass.info/download.html
2.) Use sync application from cloud drives such as onedrive/google drive to sync the KeePass password file to cloud.
3.) Run KeePass compatible app on mobile which will pull the password file from onedrive/google.
Outer Marker
Posts: 4382
Joined: Sun Mar 08, 2009 8:01 am

Re: Changes to LastPass free

Post by Outer Marker »

I've been meaning to set myself up with a password manager. If all my devices are Apple, is there any reason not to use "Keychain" for free?

I'm a little mystified because half the time I tell keychain to remember a password it doesn't work. Not sure what I'm doing wrong - so was tempted to try one of the pay services but don't want to if I don't need to.
Go Blue 99
Posts: 1119
Joined: Thu Oct 09, 2008 3:42 pm

Re: Changes to LastPass free

Post by Go Blue 99 »

CDub wrote: Thu Feb 25, 2021 8:01 am FYI - when switching from LastPass to Bitwarden, I noticed Bitwarden was not auto-filling the login (like LastPass would).
You can enable that by going to settings -> options -> Enable Auto-fill On Page Load.
I looked at that feature and they have a note saying "WARNING: This is currently an experimental feature. Use at your own risk."

Why such a stern warning?
CDub
Posts: 79
Joined: Thu Jan 18, 2018 7:27 am

Re: Changes to LastPass free

Post by CDub »

I was wondering about that as well. I assumed they were just not guaranteeing that it would work as expected everywhere, but that’s just a guess
Bylo Selhi
Posts: 1310
Joined: Mon Feb 19, 2007 9:40 pm
Location: Great White North

Re: Changes to LastPass free

Post by Bylo Selhi »

Go Blue 99 wrote: Sat Feb 27, 2021 12:38 pm Why such a stern warning?
That's probably their [lawyer's?] way of saying that they haven't yet finished testing it so if something breaks don't blame them ;)

I've been using that feature for the past week or so without any problems. On some pages the auto-fill doesn't happen and I have to either do auto-fill manually using right-click or copy/paste the password.

Their Help page Browser Extension Auto-fill Options isn't as stern, "Auto-fill on Page Load is an experimental and opt-in feature offered by Bitwarden Browser Extensions."

Google's portfolio of apps is also chock full of "experimental" features that provide them an opportunity to beta test before release to the general user population.
stocknoob4111
Posts: 3509
Joined: Sun Jan 07, 2018 11:52 am

Re: Changes to LastPass free

Post by stocknoob4111 »

OK, Switched to Bitwarden and I find it to be not as user friendly as LP. One of the things is that there are way too many clicks to autofill and I also miss the big icon display format in the Dashboard that makes it real easy. Otherwise it seems pretty good.

I will probably keep my LP account inactive for a while before I delete it for good.
cacophony
Posts: 1363
Joined: Tue Oct 16, 2007 9:12 pm

Re: Changes to LastPass free

Post by cacophony »

stocknoob4111 wrote: Tue Mar 02, 2021 7:37 pm OK, Switched to Bitwarden and I find it to be not as user friendly as LP. One of the things is that there are way too many clicks to autofill and I also miss the big icon display format in the Dashboard that makes it real easy. Otherwise it seems pretty good.

I will probably keep my LP account inactive for a while before I delete it for good.
I've found Bitwarden to be significantly more user friendly and less clunky than LastPass.

For autofill I'd suggest doing the keyboard shortcut, which on Windows is CTRL-SHIFT-L. I've found that much quicker and more convenient than what I used to do with LastPass.
stocknoob4111
Posts: 3509
Joined: Sun Jan 07, 2018 11:52 am

Re: Changes to LastPass free

Post by stocknoob4111 »

cacophony wrote: Tue Mar 02, 2021 7:52 pm For autofill I'd suggest doing the keyboard shortcut, which on Windows is CTRL-SHIFT-L. I've found that much quicker and more convenient than what I used to do with LastPass.
Yes, thanks for that... substantially better :D
Topic Author
neuro84
Posts: 79
Joined: Thu Jul 24, 2014 11:25 am

Re: Changes to LastPass free

Post by neuro84 »

I appreciate all the replies and helpful info.

Based on this thread I ended up switching from LastPass to BitWarden. The migration was relatively painless, and I find the functionality to be much the same as LastPass. On PC, the ctrl-shift-L shortcut is very easy to use. There's also a setting in the BitWarden browser addon that will autofill your user/password and even automatically log you in when you're signed into BitWarden - that's super convenient.

The only difference in functionality that I've noticed is that the BitWarden mobile app doesn't auto-fill other apps. For example, if I open my Chase mobile app, and tap the username or password field, LastPass will pop up with an "autofill with LastPass" option. I haven't been able to figure out how to get BitWarden to do this. However, it's not too difficult to just open the BitWarden app, copy the password, and paste it in the other app. So this is not a deal-breaker for me.

Overall I'm very happy with BitWarden so far and I'll stay with this as my password manager.
tuningfork
Posts: 885
Joined: Wed Oct 30, 2013 8:30 pm

Re: Changes to LastPass free

Post by tuningfork »

neuro84 wrote: Thu Mar 04, 2021 7:06 am The only difference in functionality that I've noticed is that the BitWarden mobile app doesn't auto-fill other apps. For example, if I open my Chase mobile app, and tap the username or password field, LastPass will pop up with an "autofill with LastPass" option. I haven't been able to figure out how to get BitWarden to do this. However, it's not too difficult to just open the BitWarden app, copy the password, and paste it in the other app. So this is not a deal-breaker for me.
Here's a help article for getting autofill to work with Bitwarden on Android. There are multiple Bitwarden and OS settings you have to make. It seems to be working the same as Lastpass for me now.
https://bitwarden.com/help/article/auto-fill-android/
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Re: Changes to LastPass free

Post by squirm »

I stuck with lastpass for now, I don't mind paying the twenty something bucks. Everything I have is in LP. If that ever gets compromised, I'm screwed!
simpletone
Posts: 79
Joined: Sat Oct 17, 2020 9:47 am

Re: Changes to LastPass free

Post by simpletone »

One can also consider a layered approach to password management if we don't mind a little more complexity. Some of our passwords may have a high level of security (e.g. banks); whereas others are less important (e.g. walmart). There are local password managers, like KeePass, where our more sensitive passwords can be stored outside of the cloud and can benefit from additional layers of security, such as hardware token, bitlocker encryption and authentication and local access to our devices.
FireAway
Posts: 247
Joined: Mon Jan 29, 2018 2:56 pm

Re: Changes to LastPass free

Post by FireAway »

One feature I've valued in LastPass is the one-time password. This has enabled me, for example, to get in to my vault if I'm using a public computer, without giving away my master password. Could also be useful to get into the vault if I forget my password (has never happened to me, but my wife lost all of her passwords once because she forgot her LastPass master password).

It doesn't appear as though BitWarden (free) has this feature... is there some approach people are using with BW to handle these scenarios? (public computer; master password loss)
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: Changes to LastPass free

Post by rebellovw »

FireAway wrote: Fri Mar 05, 2021 6:15 pm One feature I've valued in LastPass is the one-time password. This has enabled me, for example, to get in to my vault if I'm using a public computer, without giving away my master password. Could also be useful to get into the vault if I forget my password (has never happened to me, but my wife lost all of her passwords once because she forgot her LastPass master password).

It doesn't appear as though BitWarden (free) has this feature... is there some approach people are using with BW to handle these scenarios? (public computer; master password loss)
I disabled this feature in my LastPass setup - It is a security risk and allows others to gain access to your Vault if it becomes necessary. I have my master password available if I need it - in a couple of secure places.
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: Changes to LastPass free

Post by rebellovw »

Nobody mentioned to me how much a pleasure it would be setting my wife up with LastPass on her iPhone - what a nightmare that was - I'm about to uninstall it. :D
FireAway
Posts: 247
Joined: Mon Jan 29, 2018 2:56 pm

Re: Changes to LastPass free

Post by FireAway »

rebellovw wrote: Fri Mar 05, 2021 6:23 pm
FireAway wrote: Fri Mar 05, 2021 6:15 pm One feature I've valued in LastPass is the one-time password.
I disabled this feature in my LastPass setup - It is a security risk and allows others to gain access to your Vault if it becomes necessary. I have my master password available if I need it - in a couple of secure places.
What is the risk? Simply that someone else may find it? Seems this is no different than having your master password 'available'. At least the one-time password is safe to use on a public device.
cacophony
Posts: 1363
Joined: Tue Oct 16, 2007 9:12 pm

Re: Changes to LastPass free

Post by cacophony »

FireAway wrote: Fri Mar 05, 2021 10:12 pm
rebellovw wrote: Fri Mar 05, 2021 6:23 pm
FireAway wrote: Fri Mar 05, 2021 6:15 pm One feature I've valued in LastPass is the one-time password.
I disabled this feature in my LastPass setup - It is a security risk and allows others to gain access to your Vault if it becomes necessary. I have my master password available if I need it - in a couple of secure places.
What is the risk? Simply that someone else may find it? Seems this is no different than having your master password 'available'. At least the one-time password is safe to use on a public device.
One risk is the chance that some of your unencrypted site specific passwords are left in computer memory: https://security.stackexchange.com/ques ... d-managers
The concept of the one-time use password is fine. It's logging into an important site from a public computer that's the risk. You have no idea what's running on a public computer and I wouldn't be surprised if nefarious software could obtain your entire unencrypted vault.
denovo
Posts: 4808
Joined: Sun Oct 13, 2013 1:04 pm

Re: Changes to LastPass free

Post by denovo »

AerialWombat wrote: Wed Feb 17, 2021 12:29 am I think I pay $36 per year for LastPass. I'm surprised that a group that debates which $5,000 watch to buy is griping about such a minuscule fee for such an important service. I would expect such discussion on the Mr. Money Mustache forums, not Bogleheads. :confused
It's only $2.50/month for a great service, but I can't believe the number of people prepared to ditch for a measly fee.
"Don't trust everything you read on the Internet"- Abraham Lincoln
cacophony
Posts: 1363
Joined: Tue Oct 16, 2007 9:12 pm

Re: Changes to LastPass free

Post by cacophony »

denovo wrote: Sat Mar 06, 2021 3:11 am
AerialWombat wrote: Wed Feb 17, 2021 12:29 am I think I pay $36 per year for LastPass. I'm surprised that a group that debates which $5,000 watch to buy is griping about such a minuscule fee for such an important service. I would expect such discussion on the Mr. Money Mustache forums, not Bogleheads. :confused
It's only $2.50/month for a great service, but I can't believe the number of people prepared to ditch for a measly fee.
I can't speak for others, but for me it had nothing to do with cost. The circumstances just presented an excuse to compare alternatives and I found bitwarden better. I abandoned four months of remaining LastPass premium subscription when I switched and I'm paying more for bitwarden now than I ever did for LastPass.
Bylo Selhi
Posts: 1310
Joined: Mon Feb 19, 2007 9:40 pm
Location: Great White North

Re: Changes to LastPass free

Post by Bylo Selhi »

denovo wrote: Sat Mar 06, 2021 3:11 am It's only $2.50/month for a great service, but I can't believe the number of people prepared to ditch for a measly fee.
Had they reinstituted the $12/year fee they used to charge for Premium (and with it multi-platform support) I would have paid up without much thought. But they turned it into a cash grab. That caught my attention. It nudged me to look for alternatives. I found BitWarden. It took a few minutes to switch. Now I've paid BitWarden the $10 that would otherwise have gone to LP.

So far, I actually prefer BW to LP. That makes me wonder why I didn't make the switch earlier.

It seems to me that LP's greed may ultimately backfire on them.
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: Changes to LastPass free

Post by rebellovw »

FireAway wrote: Fri Mar 05, 2021 10:12 pm
rebellovw wrote: Fri Mar 05, 2021 6:23 pm
FireAway wrote: Fri Mar 05, 2021 6:15 pm One feature I've valued in LastPass is the one-time password.
I disabled this feature in my LastPass setup - It is a security risk and allows others to gain access to your Vault if it becomes necessary. I have my master password available if I need it - in a couple of secure places.
What is the risk? Simply that someone else may find it? Seems this is no different than having your master password 'available'. At least the one-time password is safe to use on a public device.
When I investigated LP in making my choice for a PW manager - I read up quite a bit on it.

I'm sure you are fine using the OTP feature and I'm being over the top - but based on my investigation - I've decided - I don't need it. And by being available - my master password is very safe and offline. I'm not concerned.

I've done all I can do to lock down LP as much as I can.

This is one such writeup that I've found useful.

https://palant.info/2018/07/09/is-your- ... ine-vault/

Thanks,
international001
Posts: 2748
Joined: Thu Feb 15, 2018 6:31 pm

Re: Changes to LastPass free

Post by international001 »

The author is criticizing LP and promoting (sort of) his own PFP.

But if LP has a vulnerability, others like PFP are not 100% safe. Common case is malware installed on your computer (it could just read what you are typing).

From other BH threads, I understood that for more security you need Yubikey, using U2F (not OTP, which is not secure enough). LastPass only supports OTP. 1Password and bitwarden support U2F.

But I guess the website itself (like www.vanguard.com) would need to support Yubikey with U2F. Otherwise, the malware could intercept the password that 1Password/bitwarden 'types' into the browser.

I'm just learning a lot from more knowledgeable people on BH, so please correct me if I'm wrong on something.
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: Changes to LastPass free

Post by rebellovw »

international001 wrote: Sat Mar 06, 2021 12:41 pm The author is criticizing LP and promoting (sort of) his own PFP.

But if LP has a vulnerability, others like PFP are not 100% safe. Common case is malware installed on your computer (it could just read what you are typing).

From other BH threads, I understood that for more security you need Yubikey, using U2F (not OTP, which is not secure enough). LastPass only supports OTP. 1Password and bitwarden support U2F.

But I guess the website itself (like www.vanguard.com) would need to support Yubikey with U2F. Otherwise, the malware could intercept the password that 1Password/bitwarden 'types' into the browser.

I'm just learning a lot from more knowledgeable people on BH, so please correct me if I'm wrong on something.
I didn't get that from the author.

LP supports 2FA and Yubikey - I use the LP authenticator for 2FA.
cacophony
Posts: 1363
Joined: Tue Oct 16, 2007 9:12 pm

Re: Changes to LastPass free

Post by cacophony »

rebellovw wrote: Sat Mar 06, 2021 2:38 pm
international001 wrote: Sat Mar 06, 2021 12:41 pm The author is criticizing LP and promoting (sort of) his own PFP.

But if LP has a vulnerability, others like PFP are not 100% safe. Common case is malware installed on your computer (it could just read what you are typing).

From other BH threads, I understood that for more security you need Yubikey, using U2F (not OTP, which is not secure enough). LastPass only supports OTP. 1Password and bitwarden support U2F.

But I guess the website itself (like www.vanguard.com) would need to support Yubikey with U2F. Otherwise, the malware could intercept the password that 1Password/bitwarden 'types' into the browser.

I'm just learning a lot from more knowledgeable people on BH, so please correct me if I'm wrong on something.
I didn't get that from the author.

LP supports 2FA and Yubikey - I use the LP authenticator for 2FA.
LP supports Yubikey 2FA but not Fido U2F. This covers the differences: https://www.yubico.com/blog/otp-vs-u2f- ... -stronger/
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: Changes to LastPass free

Post by rebellovw »

cacophony wrote: Sat Mar 06, 2021 4:19 pm
rebellovw wrote: Sat Mar 06, 2021 2:38 pm
international001 wrote: Sat Mar 06, 2021 12:41 pm The author is criticizing LP and promoting (sort of) his own PFP.

But if LP has a vulnerability, others like PFP are not 100% safe. Common case is malware installed on your computer (it could just read what you are typing).

From other BH threads, I understood that for more security you need Yubikey, using U2F (not OTP, which is not secure enough). LastPass only supports OTP. 1Password and bitwarden support U2F.

But I guess the website itself (like www.vanguard.com) would need to support Yubikey with U2F. Otherwise, the malware could intercept the password that 1Password/bitwarden 'types' into the browser.

I'm just learning a lot from more knowledgeable people on BH, so please correct me if I'm wrong on something.
I didn't get that from the author.

LP supports 2FA and Yubikey - I use the LP authenticator for 2FA.
LP supports Yubikey 2FA but not Fido U2F. This covers the differences: https://www.yubico.com/blog/otp-vs-u2f- ... -stronger/
Thanks - I took a look - seems great. I think I'm solid and absolutely secure with my locked down/work encrypted iPhone - and LP Authenticator 2FA.
Bylo Selhi
Posts: 1310
Joined: Mon Feb 19, 2007 9:40 pm
Location: Great White North

Re: Changes to LastPass free

Post by Bylo Selhi »

Some background on what led to LP's attempted cash grab and its effect on BW: Demand for fee to use password app LastPass sparks backlash
Experts say it is hard to know whether the new limitations on the free version of LastPass will encourage more paying users to sign up.

“Without the ability to sync, there’s very few users who will really be able to use [LastPass],” said Joseph Bonneau, a cryptography researcher and computer security expert at New York University. “They’re making the free version so difficult to use that most people will be forced to pay or use another solution.”

LastPass, which claimed more than 25 million users last year, said it had given 30 days’ notice of the change and was not deleting any user data. It added that the free version of LastPass still offered functions that rivals lacked, and that “a healthy number of users” had taken up its discounted subscription offers.

But one free password app, BitWarden, has registered a fivefold increase in new users since LastPass announced its more restrictive policy last month, according to Gary Orenstein, its chief customer officer. “We’re understandably thrilled,” he said.
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Changes to LastPass free

Post by mptfan »

Lee_WSP wrote: Thu Feb 25, 2021 4:30 pm I've always wondered why couples would have two master accounts instead of just sharing the single account or having a single shared master account and two separate individual accounts. Children/relatives in addition to the above.
I'm not sure how you are defining master accounts versus individual accounts, but there may be couples who want to keep separate access to separate accounts in addition to shared access to other accounts. For example, a couple who marries later in life where one or both of them have premarital accounts that they wish to keep separate. Another example is inheritance or estate planning accounts...one spouse may receive an inheritance and want to keep the inherited account separate with separate access, or one spouse may be added as a joint account holder on a parent's account as an estate planning tool.
sycamore
Posts: 6360
Joined: Tue May 08, 2018 12:06 pm

Re: Changes to LastPass free

Post by sycamore »

Bylo Selhi wrote: Tue Mar 09, 2021 5:43 am Some background on what led to LP's attempted cash grab and its effect on BW: Demand for fee to use password app LastPass sparks backlash
Experts say it is hard to know whether the new limitations on the free version of LastPass will encourage more paying users to sign up.

“Without the ability to sync, there’s very few users who will really be able to use [LastPass],” said Joseph Bonneau, a cryptography researcher and computer security expert at New York University. “They’re making the free version so difficult to use that most people will be forced to pay or use another solution.”

LastPass, which claimed more than 25 million users last year, said it had given 30 days’ notice of the change and was not deleting any user data. It added that the free version of LastPass still offered functions that rivals lacked, and that “a healthy number of users” had taken up its discounted subscription offers.

But one free password app, BitWarden, has registered a fivefold increase in new users since LastPass announced its more restrictive policy last month, according to Gary Orenstein, its chief customer officer. “We’re understandably thrilled,” he said.
I read that article too. Regarding “Without the ability to sync, there’s very few users who will really be able to use [LastPass]” apparently I’m one of the very few. I only use LP from my non-mobile devices. I just don’t access many sites (that require login) from my smartphone. The ones that I do (like bogleheads) I just look up the password from my computer, then stay logged in.

I wish they had provided some facts for the “very few users” statement.
Bylo Selhi
Posts: 1310
Joined: Mon Feb 19, 2007 9:40 pm
Location: Great White North

Re: Changes to LastPass free

Post by Bylo Selhi »

sycamore wrote: Tue Mar 09, 2021 7:59 am I wish they had provided some facts for the “very few users” statement.
Likewise many young people have only smartphones and tablets. They too would be able to use LP Free. So even if the number of desktop-only users is declining, they're being replaced by mobile-only users.

In any case, having migrated to BW and used it on multiple platforms, I have zero regrets. Also I'm much more comfortable with paying for an open source product like BW than being extorted by an opportunistic, cash grabbing private equity firm.