LastPass Reviews

LastPass does not encrypt your web addresses

about LastPass and PassIFox & ChromeIPass, KeePass, KeePassXC

LastPass increases your online SECURITY by:

  • helping you generate and manage strong passwords
  • supporting 2 factor authentication (e.g. Yubikey)
  • syncing your database so you can access your passwords wherever you go.

HOWEVER, you should be aware of the downsides:

  • LastPass DOES NOT encrypt the URLs (web addresses) of the accounts you have
  • Therefore LastPass, and anyone who they share info with, such as govt agencies, can in principle see very easily which websites you have accounts with. This has obvious PRIVACY (not the same as SECURITY) implications, since such information could be used to profile you. (This is why LastPass is a security, not a privacy product. For more info, see here: https://systemoverlord.com/2015/09/16/what-the-lastpass-cli-tells-us-about-lastpass-design/)
  • LastPass is not open source, which means you cannot be sure they are implementing their security correctly. Previous weaknesses have been found, including the LostPass vulnerability.
  • LastPass syncs your password database online. Whilst your passwords and login names (and other data, but not URLs) are encrypted, it makes this a very attractive online target for hackers. LastPass take precautions against hackers stealing and being able to break into your password database, but - again - you have to trust they've done this right. Oh, and guess what... there's evidence their servers have been hacked before (e.g. in 2011 and 2015).
  • Consider KeePass (free, open-source and local) as an alternative (for Windows and Linux)
  • Or, if you want something open source for Mac, Linux and Windows try KeepassXC with PassIFox or ChromeIPass for browser integration.

[Edited by JohnFastman, March 05]
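As an added illustration of the URL point in the review above (example code, not LastPass's or Bitwarden's own; the cipher is a stand-in and the vault entries and key are constructed), this models what a sync server can read from vault records when the URL field is stored in plaintext versus encrypted like every other field:

```python
import hashlib
import hmac
import os
from urllib.parse import urlparse

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in keystream (HMAC-SHA256 in counter mode); a real manager uses AES.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_field(key: bytes, value: str) -> str:
    # Fresh nonce per field; result is a hex blob like one seen in a synced vault.
    nonce, data = os.urandom(12), value.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return (nonce + ct).hex()

def decrypt_field(key: bytes, blob: str) -> str:
    raw = bytes.fromhex(blob)
    nonce, ct = raw[:12], raw[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def build_record(key: bytes, entry: dict, encrypt_url: bool) -> dict:
    # Name, username and password are always encrypted; the URL only on request,
    # which is the difference the review draws between LastPass and Bitwarden.
    record = {f: encrypt_field(key, entry[f]) for f in ("name", "username", "password")}
    record["url"] = encrypt_field(key, entry["url"]) if encrypt_url else entry["url"]
    return record

def observer_view(records: list) -> set:
    # Hostnames readable without the master key; a hex blob parses to hostname None.
    hosts = set()
    for rec in records:
        host = urlparse(rec["url"]).hostname
        if host:
            hosts.add(host)
    return hosts

# Constructed sample vault entries (not real accounts) and a constructed key.
SAMPLE_ENTRIES = [
    {"name": "Bank", "url": "https://bank.example/login", "username": "alice", "password": "p1"},
    {"name": "Forum", "url": "https://forum.example", "username": "alice42", "password": "p2"},
]
KEY = hashlib.sha256(b"constructed master key").digest()

def leaked_hosts(encrypt_url: bool) -> set:
    # What the sync server learns about which sites the user has accounts with.
    return observer_view([build_record(KEY, e, encrypt_url) for e in SAMPLE_ENTRIES])
```

With the URL left in plaintext the server learns the full list of sites; with it encrypted it learns only how many records exist.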

about LastPass

It is known that Lastpass DOES NOT encrypt the URLs at which you have accounts.
See here: https://systemoverlord.com/2015/09/16/what-the-lastpass-cli-tells-us-about-lastpass-design/

This means that which websites you have accounts with can be a) known to Lastpass, b) known to government agencies who subpoena them, c) known to anyone who breaches their servers to pull this data, d) used to profile users (you will have a fairly unique collection of URLs, probably), e) it might - in principle - be used to monitor when you call on Lastpass to let you into these sites.

Don't go with Lastpass. Go with Bitwarden, precisely because they are open source and because, unlike Lastpass, they encrypt EVERY field in your database.

An alternative is to go with something like KeepassXC (also open source) and connect to the browser via a plugin.


Very interesting, would you say Buttercup password manager is good too? It is open source but stores your data which is encrypted to Dropbox, Gdrive, Box

Buttercup is ok, and if you want to use services like Dropbox, Gdrive, etc. then that's your call. My opinion is that:

  • The best synced open source password manager is Bitwarden
  • The best local (you choose how to sync it, if at all) is KeePassXC
  • Instead of Dropbox, Gdrive, etc., try sync.com and Tresorit.
    These are encrypted, zero-knowledge services in their own right, which means that if you sync your password database with them, they'll never know about it. Dropbox and their ilk can see at least that you are syncing a password database, and if the Snowden leaks and previous Yahoo.com scandals are anything to go by, it's not unlikely that those files can be earmarked for future analysis, as is done with encrypted emails.

Another option is to use Cryptomator to secure your files on Dropbox, etc. Cryptomator is one of my absolute favourite apps for advancing online security: simple, free, open-source, necessary and cross-platform.

However, that doesn't get around the fact that if you go with, e.g. Buttercup + Dropbox (via Cryptomator or not), you still will have Dropbox, GDrive or whatever installed on your machine. I don't advise that, either (see list of alternatives above), because they have questionable practices. But that's a whole new rabbit hole to dive into and probably beyond the scope of this question/comment.

I see, well Buttercup says that they encrypt the password file before storing it on Gdrive, Dropbox, etc. Also you do not need to have the Gdrive client installed on your device for Buttercup to sync with it.

I'll open an issue on Github for Buttercup to have support for Sync.com; it looks good. I am currently using Bitwarden. I have found Buttercup and enjoyed it; the only issue I have with Buttercup is that it can't import a Bitwarden CSV file and syncs with mainstream unprotected cloud services.

Thanks :)

My opinion is that this app is secure

about LastPass

Most of the recent security issues are really related to Chrome and phishing and aren't really 0-day vulnerabilities. Chrome doesn't have the same environment as other browsers when it comes to add-on programming; most extensions that deal with outside requests made through human input can be forged, so I don't know what the fuss is about.

I don't think this app should be marked as insecure as long as it isn't 100% the developers' fault.

about LastPass

Secure, Easy to use, works on all my platforms


Best password managing extension

about LastPass

My experience with this app in Google Chrome has been really good. I strongly recommend this extension; it changed the way I surf the web.

about LastPass

Broken functionality after the Firefox 57 release: no copy/paste of data, slowed-down work, authorization troubles.

And still no updates for a few months.

about LastPass

I have premium accounts on both. "Which one is more trustworthy?" LastPass is the most popular, and LogMeIn is behind it, which, as a well-established company, cares about its reputation and customers, so they won't try to take away your trust.

Bitwarden is a new company, made by one guy. The big difference is that Bitwarden is Open Source, so anyone can check and audit the code. Not only that, you can take such software and implement it on your local server at no cost. Since they're a new company, they also don't want to lose your trust; they depend on their initial customer base.

Both have my trust. I believe both try their best to keep my data safe. But if you're talking about security issues, I think Bitwarden is better. I know for sure that LastPass devs are either lazy or don't have enough resources to update their software. The plugins feel outdated, they're slow, and they have a lot of bugs. As you mention, they already had some security problems. I think it has to be expected, because of the popularity of the platform. Also consider that while these vulnerabilities allowed hackers to get data from LastPass accounts, they couldn't do much with it, because the data was encrypted.

Bitwarden, on the other hand, is Open Source, so anyone can check for bugs, report them, and the development is more transparent. The developer seems to be more active, and the software feels faster, well made, and stable.

So, my bet is for Bitwarden. Give it a try; the premium features are nice (like getting two-factor authentication directly in your Bitwarden plugin) and it is cheaper.

Source : https://www.reddit.com/r/Android/comments/7mex7b/lastpass_android_authenticator_app_is_not_secure/



about LastPass

Great app; mobile, desktop and web all supported.

about LastPass

LastPass is a very useful application for password management.

about LastPass

Easy to use, offers a lot in free version.

about LastPass

It's only $12/mo and performs almost as well as Dashlane


Security issues:

about LastPass

Look no further, this is the best password manager.

about LastPass

Very pleased with this password manager. Works with a variety of browsers. Top marks.


Excellent!!

about LastPass

Top notch indeed! And so intuitive to use. I am just getting started and I enjoy it very much.


It's intuitive if you use it simply. But any serious use of it requires use of the 'support' documentation, which appears to have been written on some remote island in the Pacific that has never been visited by Homo sapiens.