LastPass

LastPass increases your online SECURITY by:

• helping you generate and manage strong passwords
• supporting 2 factor authentication (e.g. Yubikey)
• syncing your database so you can access your passwords wherever you go.

HOWEVER, you should be aware of the downsides:

• LastPass DOES NOT encrypt the URLs (web addresses) of the accounts you have
• Therefore LastPass, and anyone who they share info with, such as govt agencies, can in principle see very easily which websites you have accounts with. This has obvious PRIVACY (not the same as SECURITY) implications, since such information could be used to profile you. (This is why LastPass is a security, not a privacy product. For more info, see here: https://systemoverlord.com/2015/09/16/what-the-lastpass-cli-tells-us-about-lastpass-design/
• LastPass is not open source, which means you cannot be sure they are implementing their security correctly. Previous weaknesses have been found, including the LostPass vulnerability.
• LastPass syncs your password database online. Whilst your passwords and login names (and other data, but not URLs) are encrypted, it makes this a very attractive online target for hackers. LastPass take precautions against hackers stealing and being able to break into your password database, but - again - you have to trust they've done this right. Oh, and guess what... there's evidence their servers have been hacked before (e.g. in 2011 and 2015).
• Consider KeePass (free, open-source and local) as an alternative (for Windows and Linux)
• Or, if you want something open source for Mac, Linux and Windows try KeepassXC with PassIFox or ChromeIPass for browser integration.

[Edited by JohnFastman, March 05]

It is known that Lastpass DOES NOT encrypt the URLs at which you have accounts.
See here: https://systemoverlord.com/2015/09/16/what-the-lastpass-cli-tells-us-about-lastpass-design/

This means that which websites you have accounts with can be a) known to Lastpass, b) known to government agencies who subpoena them, c) known to anyone who breaches their servers to pull this data, d) used to profile users (you will have a fairly unique collection of URLs, probably), e) it might - in principle - be used to monitor when you call on Lastpass to let you into these sites.

Don't go with Lastpass. Go with Bitwarden, precisely because they are open source and because, unlike Lastpass, they encrypt EVERY field in your database.

An alternative is to go with something like KeepassXC (also open source) and connect to the browser via a plugin.

Was a great tool, very versatile and easy to use.
Until the March 2019 update.
Please consider other alternatives, as the functionality is gone and is now cumbersome and hard to use.
I've been a LastPass user for 5 years and I'm now researching the other password managers.

My twin brother and I are entrepreneurs. We have been working together for more than fifteen years. After ten years starting and growing our tech company in Seattle, we made a transition to follow our passion of building companies from zero (idea) to one (product/market fit). With our venture studio, we partner with entrepreneurs to build SaaS startups that hopefully become growing companies. In addition to my brother and I, we have one other employee.

With over 150 various logins with around 65% of them being shared, we needed a solution to manage logins and another secure notes (account numbers, billing details, etc.). My brother was using LastPass for a couple months as a solo individual. Since LastPass had a family plan, we decided to give it a try.

In order to onboard with LastPass all the rest of our shared logins along with my personal logs, we spent the good part of a half of a day trying to understand their sharing functionality. Since the updates from one user to another are not real-time, it was extremely frustrating to use. In today’s modern times of real-time collaboration, we expected when him or I would make an update, it would somewhat quickly be reflected in the other person’s account. We ended up having to refresh the page to get the other’s updates. Each refresh, promoted to login again so we could continue getting everything setup and organized together.

While LastPass worked great for my brother as an individual user, they need to make some enhancements with their sharing functionality to support team collaboration.

Pros

• Very secure solution with local-only encryption and strong encryption algorithms.

• When one user shares something with another, the recipient can organize the shared item in their own folders. While my brother and I have similar organization methods, for team/family members with different methods to their madness, this seems to be very helpful.

• When one user shares something with another, the recipient can accept or reject the shared item. With other solutions, acceptance is inherited if the user has access to the folder/vault.

• Sharing with Family is $4/month with LastPass including 6 users while 1Password is $5/month including up to 5 users. So if you want to save a $1/month, LastPass may be good option.

Cons

Sharin

• Sharing is not fully integrated with all functionality. Instead it is a separate component. Sharing has to be setup and managed specifically with the Sharing Center.

• In order to start sharing, you need to “generate a sharing key”. As their website says, this takes several minutes: “Generating sharing keys can take a long time (sometimes several minutes) when done via JavaScript, and your browser may become unresponsive during this process.”

• From the Sharing Center, when you can not move items into a shared folder. Instead, you have to go into the “Sites”, select the site and then update the “folder” to be the shared folder. It is not very intuitive.

• Even if you are part of a team (family), and you have not created a Shared Folder, then you can not share an item. Instead you need to create your own shared folders.

• If one user shares something with another, the other user won’t be prompted of the new item until after they refresh the page. However, refreshing the page forces user to re-authenticate. Share is not real-time.

• If one user has a shared item (sharee) like a note and they update the note, the change by the sharee does not get propagated and updated timely in the account of the sharer. Not a real-time solution when items get changed/updated by other users.

I have premium accounts on both. "Which one is more trustworthy?" Lastpass is the most popular, and LogMeIn is behind it, which as a well established company, they care about their reputation and customers, so they won't try to take away your trust.

Bitwarden is a new company, made by one guy. The big difference is that Bitwarden is Open Source, so anyone can check and audit the code. Not only that, you can take such software and implement it on your local server at not cost. Since they're a new company, they also don't want to loss your trust, they depend on their initial customer base.

Both have my trust. I believe both try their best to keep my data safe. But if you're talking about security issues, I think Bitwarden is better. I know for sure that Lastpass devs are either lazy or don't have enough resources to update their software. The plugins feel outdated, they're slow, and they have a lot of bugs. As you mention, they already had some security problems. I think it has to be expected, because the popularity of the platform. Also consider that these vulnerabilities, while allowed hackers to get data from lastpass accounts, they couldn't do much with it, because the data was encrypted.

Bitwarden, in the other hand, is Open Source, so anyone can check for bugs, report them, and the development is more transparent. The developer seems to be more active, and the software feels faster, well made, and stable.

So, my bet is for Bitwarden. Give it a try, the premium features are nice (like getting two-factor-authentication directly on your Bitwarden plugin) and is cheaper.

Source : https://www.reddit.com/r/Android/comments/7mex7b/lastpass_android_authenticator_app_is_not_secure/