2 out of 5 with 1 ratings

lastpass-cli Reviews

LastPass can read the URL addresses of your accounts.


The LastPass CLI reveals that the domain names of the website accounts you store in LastPass are completely readable to LastPass. This means that law-enforcement/LastPass/others who get at your database could find out what websites you like or go to and that could be used to profile you. Stay away from LastPass; it's a privacy-hostile app as a result of this.

Systemoverlord has a good discussion of what the CLI teaches us about LastPass's design, including this:

"It can be confirmed by using a proxy to examine the traffic, but it turns out that the URL of sites in your LastPass account database are stored only as the hex-encoded ASCII string. No encryption whatsoever. So LastPass can easily determine all of the sites that a user has accounts on. (This is genuinely surprising to me, but I triple-checked that this is actually the case.)"

If you care about your privacy, use something that properly encrypts your data. The best alternatives are open source ones which enable you to keep control over your password database rather than trusting a third party. If you like a command line interface and use Linux or Mac (or other Unix distro), try Pass (which also comes with QtPass and browser integration). I also very highly recommend KeePassXC, which also has browser integration via PassIFox and ChromeIPass. It works equally well on Windows, Mac and Linux.