
Since your master password is stored in another password manager, would it be accurate to say you copy/paste it into LastPass? If so, something running on your machine could be scraping your clipboard.

This of course assumes that it wasn’t really you from an IP that was just misidentified as being from Brazil.

For what it’s worth, I stopped using LastPass after they sold out to LogMeIn and would recommend others stop using it as well.



Of note, LastPass just announced that they are splitting out of LogMeIn and becoming independent again: https://blog.lastpass.com/2021/12/lastpass-investing-even-mo...


Of course, you must reduce the risk to the parent company before the huge disclosure comes out </sarcasm>


Yes, I do copy/paste from my local password manager. A clipboard scraper is a possibility, yes.

I hadn't logged into that LastPass account for years, so it's definitely not me who attempted to login earlier.

Re: LastPass, is there another cloud-based tool that's generally considered as more trustworthy? Bitwarden? Thanks


Personally I just stick to local Keepass database files. I’ve never ventured into the cloud based services. If you are really worried about it, do you really need to use a cloud based password service?

Sure, managing the KeePass files by hand is certainly more cumbersome, but to me it’s worth it for the security / peace of mind gains. I have never put my DB or key files in the cloud. And when I need to sync them up over all my devices, I gather all the DB files and use the handy ‘merge’ functionality to get them into the same state.


TIL about the merge functionality! You can also use Syncthing to synchronise the databases between your devices; if you don't have public IPs for your devices, this essentially means that you can only synchronise when two devices are on the same network -- but this might not be a problem for you.


You can also use Syncthing and the merge function! It comes in very handy when two devices have made changes to the password database file and you end up with merge conflicts :D


Syncthing works great even behind a NAT, not sure how it works but it just works for me (might depend on your NAT though)


I've had zero success with nat hole punching in the past, on multiple networks. Maybe I'm just unlucky. :)


Some routers have UPnP disabled by default, maybe enabling that would help?


Same here, I use KeePass on several Windows machines, and on a couple of Android phones (using KeePass2Android). I use a cheap VPS as a central point for syncing - so I can make changes on any machine, then sync them over SFTP, which merges the changes into the database on the VPS. I can then hit sync on any of the other machines, and it will pull down the latest database over SFTP and merge in the changes.

It sounds a bit complicated reading this back, but in reality it's pretty straightforward.
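The comments above lean on KeePass's "merge" (synchronize) behaviour, both for hand-merging database copies and for the Syncthing conflict case where two devices edited the file independently. The following is an added illustration, not KeePass code and not from any commenter: a small model of per-entry, newest-modification-wins merging beside the whole-file overwrite that a plain file sync performs when both sides have changed. Entry names, timestamps and passwords are constructed sample data; the model deliberately omits KeePass's deleted-objects tracking, so it only shows the edit-merging half of the real behaviour.

```python
"""Model of KeePass-style per-entry merge semantics (added example, not KeePass code).

KeePass resolves two diverged copies of a database entry by entry: each entry
carries a last-modification timestamp and the newer version wins. Plain file
copying (what a Dropbox- or Syncthing-style sync of the .kdbx does when both
devices edited it) instead replaces one whole file with the other and silently
drops one side's edits. Deletion tracking is left out of this model.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Entry:
    uuid: str           # stable identity of the entry across copies
    title: str
    password: str
    modified: datetime  # last modification time, tracked per entry


def overwrite_sync(local: dict, incoming: dict) -> dict:
    """Whole-file replacement: the incoming copy wins, local-only edits are lost."""
    return dict(incoming)


def merge(local: dict, incoming: dict) -> dict:
    """Per-entry merge: union of both copies; for a uuid present in both,
    the entry with the newer modification time is kept (local wins ties)."""
    merged = dict(local)
    for uuid, entry in incoming.items():
        current = merged.get(uuid)
        if current is None or entry.modified > current.modified:
            merged[uuid] = entry
    return merged


def lost_edits(local: dict, result: dict) -> list:
    """Return uuids whose local version is newer than what survived the sync."""
    return sorted(u for u, e in local.items()
                  if u not in result or result[u].modified < e.modified)


def build_sample():
    """Constructed sample: a base vault, then two devices edit it independently."""
    t0 = datetime(2021, 12, 28, 9, 0, tzinfo=timezone.utc)
    base = {
        "e1": Entry("e1", "mail", "mail-pw-old", t0),
        "e2": Entry("e2", "bank", "bank-pw-old", t0),
    }
    # Device A rotates the mail password an hour later.
    device_a = dict(base)
    device_a["e1"] = replace(base["e1"], password="mail-pw-A",
                             modified=t0 + timedelta(hours=1))
    # Device B rotates the bank password and adds a new entry, two hours later.
    device_b = dict(base)
    device_b["e2"] = replace(base["e2"], password="bank-pw-B",
                             modified=t0 + timedelta(hours=2))
    device_b["e3"] = Entry("e3", "vps", "vps-pw", t0 + timedelta(hours=2))
    return base, device_a, device_b


if __name__ == "__main__":
    _, a, b = build_sample()
    copied = overwrite_sync(a, b)
    merged = merge(a, b)
    print("overwrite loses:", lost_edits(a, copied))  # ['e1']
    print("merge loses:", lost_edits(a, merged))      # []
    print({u: e.password for u, e in sorted(merged.items())})
```

The merge is symmetric, so it does not matter which copy is pulled down from the VPS first and which is applied on top; the overwrite is not, which is exactly why a file-level sync that runs while both devices hold unsaved changes produces either a conflict file or a lost edit.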


Why not just use Dropbox, and secure Dropbox using 2FA?

FWIW, I used to run Nextcloud on an EC2 instance. Decided to just use Dropbox instead. The WebDAV support on Nextcloud was neat with KeePass.


My whole point was I like to be in total control of my password database, and never have to decide whether to trust a third party provider or not.

Not saying Dropbox or lastpass isn’t trustworthy. Just that it’s a point of failure you can eliminate, if the lack of convenience isn’t a huge deal to you.


I might take that back :) currently trending on the front page, a real article about Lastpass master passwords being compromised. https://news.ycombinator.com/item?id=29716715

So yeah, take Lastpass off the list, I don’t trust them :)


I have the VPS for others things anyway, and I don't use Dropbox.


I absolutely agree. I love KeePass and use it for everything... this LastPass account was setup to share passwords with others at an org that I worked at.

The problem is... that LastPass password, the one stored in KeePass, is presumably the one that was leaked.

Which is what is spooking me -- if someone has access to my entire KeePass file, it's game over.


Wow, you were ahead of the curve here @gregsadetsky! Looks like real news articles are coming out about this now! https://news.ycombinator.com/item?id=29716715


I feel like the proverbial canary in the mine. Well, a dead canary...


So...when you say "...was setup to share passwords with others..." is there a chance that this also means the master password was shared with one or more others?


Sorry, no, that was a confusing way of phrasing it.

The LastPass account that was almost-breached today uses the "password sharing" functionality to share passwords (to certain sites) with other people in the same org.

I was just explaining that the only reason why I have a LastPass account was to share passwords. (not the master password, obviously -- I was sharing passwords to other sites)

I typically use KeePass for all of my (site) passwords and keepass stores all of this in a local encrypted file.


Yeah, hard to say. I don’t think it means it’s ‘game over’ though. I think it just means you might need to go through the tedious process of walking through your whole DB file and updating every password. And generate a new key file. Then and only then will you have peace of mind I think. Good luck!


Just configure keepass to sync with a file stored online when opening or saving the database and you have the same convenience. Syncing the main database file itself fails if different systems change the file without reloading in-between, but with sync configured it works perfectly.


Bitwarden is great, highly recommend, it's open-source which adds to its trustworthiness and has a good track record of respecting users.


+1, you can host your own server as well https://github.com/dani-garcia/vaultwarden


There's an official self-host open source version as well ( the one you linked is unofficial), but it's rather heavy ( multiple .NET services, MS SQL) and not adapted for small scales.


yes, we don't talk about that one


Is the unofficial one Security Audited?


Unofficial server so you probably should avoid the web application (or build it yourself from official sources). In theory it could contain malicious code that leaks your password.


I'm in this party too. bitwarden for yourself, friends and family...


I use 1Password, seems alright security wise, won’t definitely say one way or the other, but you could DYOR on it.


1Password has a cloud-based option these days, for better or worse.


And soon they'll _only_ have a cloud-based option with no option for local-only vaults.

https://1password.community/discussion/comment/602340/#:~:te...


Gotta get those sweet SaaS dollars and never mind the original goals or the user.


Bitwarden is fantastic


Why do you recommend others to stop using LastPass?



I just switched last night for unrelated reasons

1. BW supports inline Android 11 password fill. I find the UX much better with this feature

2. LP is a bit buggy, particularly on Android

3. LP is slow to add new features

4. I didn't expect this, but I really enjoyed BW's UI

5. On Android, I enjoy the three quick launch buttons they provide

6. LP creates new logins in folders of its choosing by default. Not a fan

But in general, BW just "works" better/faster for me


LastPass has suffered a few security breaches and the overall quality of the product hasn’t improved. 1Password is a superior product with no security breaches.


From my interaction with LastPass support (I'm a premium user), they've outsourced to some cheap company where agents have no clue how anything works. It took weeks to get through to somebody who even understands the problem and their reply was essentially "yeah we know it's broken, it's broken because of security".

Left a really bad taste in my mouth. I wouldn't be using them at all if I didn't have to for a client.


I remember reading a blog entry, a few years ago.

Someone received a phishing email from "their bank."

They responded to the email, and got someone on the horn, immediately.

But their bank (the real one), sent them to a horrifying voice jail.

The point was that the crooks gave better customer service than the real bank.


Barclays recently tried sending me a new credit card because they were changing to Mastercard or something.

I got an email one day that my new Barclaycard was activated. Called support, and they swore to me it was a phishing email (it was definitely from Barclays' official domain). Would not listen to me at all and kept trying to get me to hang up. I asked if I could tell them the email MessageID and they could verify the authenticity. They said no.

About 10 minutes into trying to convince them it was not a phishing email, I refresh my dashboard and there was a $600 purchase at a Long Island Walmart. That shut them up really quickly and they transferred me to their fraud department who asked me for the MessageID at the bottom of the activation email and confirmed it was real...

I asked if I could set up any additional security, and how could they activate a new credit card? Did they have my online password? Apparently no, you can just call on the phone and activate it, no authentication required. They told me I could set up a "voice password" for my account for all phone support and I did just that.

I called them back 30 minutes later, got through to support to where I could change anything about my account. Asked them if my "Voice Password" was enabled. "Yes it is." "....Okay, no one has asked me for my voice password yet, and here you are about to change my address". They still didn't really understand the seriousness, so I told them "I'm not <my name> I'm a hacker trying to steal his money." and they understood.

The worst part? I couldn't cancel that credit card until they physically sent me one to activate. No way to visit a branch and get one. It ended up getting stolen out of the mail THREE TIMES before they finally sent it with a signature required.


It makes sense economically. Crooks will steal ~100% of your bank balance in one day. Bank itself earns 1-2% per year.


Yup. The blogger was just being cranky about their bank.



