LastPass Reviews

LastPass does not encrypt your web addresses

about LastPass and PassIFox & ChromeIPass, KeePass, KeePassXC · 14 helpful

LastPass increases your online SECURITY by:

  • helping you generate and manage strong passwords
  • supporting 2 factor authentication (e.g. Yubikey)
  • syncing your database so you can access your passwords wherever you go.

HOWEVER, you should be aware of the downsides:

  • LastPass DOES NOT encrypt the URLs (web addresses) of the accounts you have
  • Therefore LastPass, and anyone who they share info with, such as govt agencies, can in principle see very easily which websites you have accounts with. This has obvious PRIVACY (not the same as SECURITY) implications, since such information could be used to profile you. (This is why LastPass is a security, not a privacy product. For more info, see here: https://systemoverlord.com/2015/09/16/what-the-lastpass-cli-tells-us-about-lastpass-design/)
  • LastPass is not open source, which means you cannot be sure they are implementing their security correctly. Previous weaknesses have been found, including the LostPass vulnerability.
  • LastPass syncs your password database online. Whilst your passwords and login names (and other data, but not URLs) are encrypted, it makes this a very attractive online target for hackers. LastPass take precautions against hackers stealing and being able to break into your password database, but - again - you have to trust they've done this right. Oh, and guess what... there's evidence their servers have been hacked before (e.g. in 2011 and 2015).
  • Consider KeePass (free, open-source and local) as an alternative (for Windows and Linux)
  • Or, if you want something open source for Mac, Linux and Windows, try KeePassXC with PassIFox or ChromeIPass for browser integration.

[Edited by JohnFastman, March 05]

about LastPass · 11 helpful

It is known that Lastpass DOES NOT encrypt the URLs at which you have accounts.
See here: https://systemoverlord.com/2015/09/16/what-the-lastpass-cli-tells-us-about-lastpass-design/

This means that which websites you have accounts with can be a) known to Lastpass, b) known to government agencies who subpoena them, c) known to anyone who breaches their servers to pull this data, d) used to profile users (you will have a fairly unique collection of URLs, probably), e) it might - in principle - be used to monitor when you call on Lastpass to let you into these sites.

Don't go with Lastpass. Go with Bitwarden, precisely because they are open source and because, unlike Lastpass, they encrypt EVERY field in your database.

An alternative is to go with something like KeePassXC (also open source) and connect to the browser via a plugin.

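As an added illustration of the point both reviews above make (this is not code from any reviewer, from LastPass or from Bitwarden): a vault that encrypts only username and password still hands whoever holds the stored blob the list of sites you have accounts with, while a vault that encrypts every field does not. The cipher is a toy HMAC-SHA256 keystream standing in for a real AEAD such as AES-GCM, and the vault records are constructed sample data.

```python
import hashlib
import hmac
import os
from urllib.parse import urlparse

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256; a stand-in for AES-GCM, not for real use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_field(key: bytes, plaintext: str) -> str:
    """Encrypt one vault field under a fresh 12-byte nonce; returns hex(nonce || ciphertext)."""
    nonce = os.urandom(12)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return (nonce + ct).hex()

def decrypt_field(key: bytes, blob: str) -> str:
    raw = bytes.fromhex(blob)
    nonce, ct = raw[:12], raw[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def store_record(key: bytes, record: dict, encrypt_url: bool) -> dict:
    """Model both designs: username/password always encrypted, URL only when encrypt_url."""
    stored = {
        "username": encrypt_field(key, record["username"]),
        "password": encrypt_field(key, record["password"]),
    }
    stored["url"] = encrypt_field(key, record["url"]) if encrypt_url else record["url"]
    return stored

def server_side_domains(stored_vault: list) -> set:
    """What someone holding only the stored blob (no master key) learns about your accounts."""
    hosts = {urlparse(rec["url"]).hostname for rec in stored_vault}
    return {h for h in hosts if h}

# Constructed sample vault (not real accounts).
SAMPLE_VAULT = [
    {"username": "alice", "password": "hunter2", "url": "https://bank.example/login"},
    {"username": "alice", "password": "s3cret", "url": "https://mail.example"},
]

def compare_designs(key: bytes) -> tuple:
    """Return (domains leaked with plaintext URL field, domains leaked with every field encrypted)."""
    leaky = [store_record(key, r, encrypt_url=False) for r in SAMPLE_VAULT]
    sealed = [store_record(key, r, encrypt_url=True) for r in SAMPLE_VAULT]
    return server_side_domains(leaky), server_side_domains(sealed)
```

With a plaintext URL field the blob alone yields the full list of hosts; with every field encrypted the same blob yields nothing, which is the privacy difference the reviews describe.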

Very interesting. Would you say the Buttercup password manager is good too? It is open source but stores your data, encrypted, on Dropbox, Gdrive, Box.

Buttercup is ok, and if you want to use services like Dropbox, Gdrive, etc. then that's your call. My opinion is that:

  • The best synced open source password manager is Bitwarden
  • The best local (you choose how to sync it, if at all) is KeePassXC
  • Instead of Dropbox, Gdrive, etc., try sync.com and Tresorit.
    These are encrypted, zero-knowledge services in their own right, which means that if you sync your password database with them, they'll never know about it. Dropbox and their ilk can see at least that you are syncing a password database, and if the Snowden leaks and previous Yahoo.com scandals are anything to go by, it's not unlikely that those files can be earmarked for future analysis, as is done with encrypted emails.

Another option is to use Cryptomator to secure your files on Dropbox, etc. Cryptomator is one of my absolute favourite apps for advancing online security: simple, free, open-source, necessary and cross-platform.

However, that doesn't get around the fact that if you go with, e.g., Buttercup + Dropbox (via Cryptomator or not), you will still have Dropbox, GDrive or whatever installed on your machine. I don't advise that, either (see list of alternatives above), because they have questionable practices. But that's a whole new rabbit hole to dive into and probably beyond the scope of this question/comment.

I see, well Buttercup says that they encrypt the password file before storing it on Gdrive, Dropbox, etc. Also, you do not need to have the Gdrive client installed on your device for Buttercup to sync with it.

I'll open an issue on Github for Buttercup to have support for Sync.com; it looks good. I am currently using Bitwarden. I have found Buttercup and enjoyed it; the only issue I have with Buttercup is that it can't import the Bitwarden CSV file and syncs with mainstream unprotected cloud services.

Thanks :)

My opinion is that this app is secure

about LastPass · 5 helpful

Most of the recent security issues are really related to Chrome and phishing and aren't really 0-day vulnerabilities. Chrome doesn't have the same environment as other browsers when it comes to add-on programming; most extensions that deal with outside requests done through human input can be forged, so I don't know what the fuss is about.

I don't think this app should be marked as insecure as long as it isn't 100% the developers' fault.

about LastPass · 1 helpful

Was a great tool, very versatile and easy to use.
Until the March 2019 update.
Please consider other alternatives, as the functionality is gone and is now cumbersome and hard to use.
I've been a LastPass user for 5 years and I'm now researching the other password managers.

about LastPass · 1 helpful

LastPass is not even open source, which should be obligatory for sensitive data.

about LastPass · 1 helpful

My twin brother and I are entrepreneurs. We have been working together for more than fifteen years. After ten years starting and growing our tech company in Seattle, we made a transition to follow our passion of building companies from zero (idea) to one (product/market fit). With our venture studio, we partner with entrepreneurs to build SaaS startups that hopefully become growing companies. In addition to my brother and I, we have one other employee.

With over 150 various logins, around 65% of them shared, we needed a solution to manage logins and other secure notes (account numbers, billing details, etc.). My brother was using LastPass for a couple of months as a solo individual. Since LastPass had a family plan, we decided to give it a try.

In order to onboard with LastPass all the rest of our shared logins along with my personal logins, we spent the good part of half a day trying to understand their sharing functionality. Since the updates from one user to another are not real-time, it was extremely frustrating to use. In today’s modern times of real-time collaboration, we expected that when he or I made an update, it would somewhat quickly be reflected in the other person’s account. We ended up having to refresh the page to get the other’s updates. Each refresh prompted us to log in again so we could continue getting everything set up and organized together.

While LastPass worked great for my brother as an individual user, they need to make some enhancements with their sharing functionality to support team collaboration.

Pros

  • Very secure solution with local-only encryption and strong encryption algorithms.

  • When one user shares something with another, the recipient can organize the shared item in their own folders. While my brother and I have similar organization methods, for team/family members with different methods to their madness, this seems to be very helpful.

  • When one user shares something with another, the recipient can accept or reject the shared item. With other solutions, acceptance is inherited if the user has access to the folder/vault.

  • Sharing with Family is $4/month with LastPass including 6 users, while 1Password is $5/month including up to 5 users. So if you want to save $1/month, LastPass may be a good option.

Cons

  • Sharing is not fully integrated with all functionality. Instead it is a separate component. Sharing has to be set up and managed specifically with the Sharing Center.

  • In order to start sharing, you need to “generate a sharing key”. As their website says, this takes several minutes: “Generating sharing keys can take a long time (sometimes several minutes) when done via JavaScript, and your browser may become unresponsive during this process.”

  • From the Sharing Center, you cannot move items into a shared folder. Instead, you have to go into “Sites”, select the site and then update the “folder” to be the shared folder. It is not very intuitive.

  • Even if you are part of a team (family), if you have not created a Shared Folder, then you cannot share an item. Instead you need to create your own shared folders.

  • If one user shares something with another, the other user won’t be prompted about the new item until after they refresh the page. However, refreshing the page forces the user to re-authenticate. Sharing is not real-time.

  • If one user has a shared item (sharee) like a note and they update the note, the change by the sharee does not get propagated and updated timely in the account of the sharer. Not a real-time solution when items get changed/updated by other users.

about LastPass · 2 helpful

I have premium accounts on both. "Which one is more trustworthy?" LastPass is the most popular, and LogMeIn is behind it, which, as a well-established company, cares about its reputation and customers, so they won't try to throw away your trust.

Bitwarden is a new company, made by one guy. The big difference is that Bitwarden is Open Source, so anyone can check and audit the code. Not only that, you can take such software and implement it on your local server at no cost. Since they're a new company, they also don't want to lose your trust; they depend on their initial customer base.

Both have my trust. I believe both try their best to keep my data safe. But if you're talking about security issues, I think Bitwarden is better. I know for sure that LastPass devs are either lazy or don't have enough resources to update their software. The plugins feel outdated, they're slow, and they have a lot of bugs. As you mention, they already had some security problems. I think it has to be expected, because of the popularity of the platform. Also consider that these vulnerabilities, while they allowed hackers to get data from LastPass accounts, didn't let them do much with it, because the data was encrypted.

Bitwarden, on the other hand, is Open Source, so anyone can check for bugs and report them, and the development is more transparent. The developer seems to be more active, and the software feels faster, well made, and stable.

So, my bet is on Bitwarden. Give it a try; the premium features are nice (like getting two-factor authentication directly in your Bitwarden plugin) and it is cheaper.

Source : https://www.reddit.com/r/Android/comments/7mex7b/lastpass_android_authenticator_app_is_not_secure/

about LastPass · 1 helpful

Secure, Easy to use, works on all my platforms


Best password managing extension

about LastPass · 1 helpful

My experience with this app in Google Chrome has been really good. I strongly recommend this extension; it changed the way I surf the web.

about LastPass

It's bloated

about LastPass

Horrible web UI, horrible extension that breaks websites, horrible desktop UI. Yes, it does work, but it's not a pleasant experience. I would rather write down all my passwords in a Google Doc than use this.

about LastPass

Broken functionality after the Firefox 57 release: no copy/paste of data, slow operation, authorization troubles.

And still no updates for a few months.

about LastPass

Great app.
Mobile, desktop, web all supported.

about LastPass

LastPass is a very useful application for password management.
