Topic: Lastpass hobbling their free service / alternatives

[Sebastian Cobb]

I'm sure some of you have been using lastpass or use other passwords managers. It seems lastpass are trying to pressure people into buying subscriptions by hobbling their free service to be used through the browser only or through phone apps only but not both. Removing features like this to push people into subscribing is a pet peeve of mine (mixcloud removing backwards seeking was an egregious example) and I feel compelled to stop using companies that try it if I can. Also lastpass have been found to have put loads of trackers in their android app too.

So that leaves me with who to move to now? Dashlane used to be alright, but it was pricey.


Bitwarden looks OK, does everything necessary in the free tier and is open source so they're unlikely to try biking money out of the users. Has anyone tried to migrate from lastpass to them?

[MojoJojo]

I've paid for lastpass for ages - when I started their wasn't a free mobile version, and they really did have the only key manager that wasn't complete bollocks. And now it's the thing that since I've been using them so long moving to something different seems like a complete hassle.

Having a quick look, it looks like google password manager covers most of the basics. Anyone have any comments?

[Old Thrashbarg]

Did KeePass fall out of favour? It was the default choice when we started using a password manager for our work accounts many years ago. The interface has always felt pretty clunky, but it does the job.

For personal passwords, I think I've said on here before that I use an algorithmic approach. I've got a base password that I remember, then apply an algorithm to it that generates a different password for each site. Not as secure as randomly generated strings from a password manager, but I'm confident that it's secure enough for me, given how compromises usually happen.

[Sebastian Cobb]

I'd rather not be bound to chrome or google really.

I think I'm going to see if Bitwarden migrates well (especially for non-web logins which I store in notes).

[Sebastian Cobb]

For personal passwords, I think I've said on here before that I use an algorithmic approach. I've got a base password that I remember, then apply an algorithm to it that generates a different password for each site. Not as secure as randomly generated strings from a password manager, but I'm confident that it's secure enough for me, given how compromises usually happen.

I used to do something like that, in the sense I had a base password and underscored the name of the app/site at the end, which at least added a bit of entropy. But I like the strong generation and multifactor as security so it autofills.

[earl_sleek]

I've moved to Bitwarden, migrating everything took about 2 minutes & it seems to work very well so far. Better than LastPass in fact.

[Sebastian Cobb]

I've moved to Bitwarden, migrating everything took about 2 minutes & it seems to work very well so far. Better than LastPass in fact.

This is what I was hoping to hear!

[Dex Sawash]

Is the google one generally safe-ish? Sure is easy/free and my Android phone and work desktop are screen locked.

I get hack warnings from my google one where they have found my very old login data leaked. (50ish accounts)
These are all forum accounts and retailers from 15 or more years ago that are not linked to any current login or stored financial info. Is it safe to just ignore? It will be stuff like my hackaday login or maddox.xmission.pets.com
Of course they are all an old email address plus the same 5 letter password from a different time online.

Not interested in manually changing all those logins, many of which don't exist now. Any place I spent money, have changed banks and cards 3 or more times since.

[Sebastian Cobb]

^ it's probably fine if it works for you. Anything is better than nothing.

I've exported my lastpass data into bitwarden and everything seems to work. Will clear my cookies so everything's logged out and try it for a bit.

[olliebean]

For personal passwords, I think I've said on here before that I use an algorithmic approach. I've got a base password that I remember, then apply an algorithm to it that generates a different password for each site. Not as secure as randomly generated strings from a password manager, but I'm confident that it's secure enough for me, given how compromises usually happen.

I do that, which works fine most of the time, except when I run up against a site with stupid password requirements that my algorithmically generated password doesn't fulfil. As I said somewhere recently (it might have been here), I'd be willing to bet there is password cracking software that can be set to search specifically for passwords that match these requirements, so I'm pretty sure that on the whole they don't make passwords any more secure.

Doesn't matter I suppose as I use a password manager anyway, but I like the reassurance of knowing that I could still work out my passwords if something went wrong with the password manager and I couldn't access them.

[touchingcloth]

I do that, which works fine most of the time, except when I run up against a site with stupid password requirements that my algorithmically generated password doesn't fulfil. As I said somewhere recently (it might have been here), I'd be willing to bet there is password cracking software that can be set to search specifically for passwords that match these requirements, so I'm pretty sure that on the whole they don't make passwords any more secure.

Doesn't matter I suppose as I use a password manager anyway, but I like the reassurance of knowing that I could still work out my passwords if something went wrong with the password manager and I couldn't access them.

I used to do this, but after a certain point it there were too many non-standard sites so I rely completely on password managers now. Which terrifies me.

[Sebastian Cobb]

When I first started using a password manager I found letting it generate long, strong passwords threw up some really weird behaviour on some badly-written sites.

A few times I'd generate a password and then not be able to login, then it dawned on me when a site did something slightly different that revealed what was probably happening.

I'd entered a long, strong password, and on submission it told me that my 3 character password was too short. Looking at the 4th character, unsurprisingly, this was a 'special' character. I'm guessing what was happening here was someone had used a regex or character replacement to sanitise the password, to prevent some form of sql-injection attack, and the rest of the string after that was just getting dumped.


The poor handling of the password string is basic shoddy coding, but it suggests a more fundamental problem - they're relying on half-arsed sanitisation of the strings rather than just using prepared statements which is a de-facto way of telling a database 'this is text, treat it as such and don't attempt to execute it'.

[evilcommiedictator]

Yeah some places have had a "max length" limit which the KeePass default of 20 went over, hilarious.

[touchingcloth]

When I first started using a password manager I found letting it generate long, strong passwords threw up some really weird behaviour on some badly-written sites.

A few times I'd generate a password and then not be able to login, then it dawned on me when a site did something slightly different that revealed what was probably happening.

I'd entered a long, strong password, and on submission it told me that my 3 character password was too short. Looking at the 4th character, unsurprisingly, this was a 'special' character. I'm guessing what was happening here was someone had used a regex or character replacement to sanitise the password, to prevent some form of sql-injection attack, and the rest of the string after that was just getting dumped.


The poor handling of the password string is basic shoddy coding, but it suggests a more fundamental problem - they're relying on half-arsed sanitisation of the strings rather than just using prepared statements which is a de-facto way of telling a database 'this is text, treat it as such and don't attempt to execute it'.

Yep, this annoys me. Another thing which does is that I make heavy use of tagging when signing up for things (touchingcloth+cookdandbombd@email.com, kind of thing), but some sites will tell you that your email address is invalid or, worse, accept your email address on sign up but reject it when using the exact same address in a password reset.

[Sebastian Cobb]

Yeah I do that as well and suspect I reckon there's a massive crossover between sites that can't recognise an email address with a '+' in it and people who aren't that arsed about spam, gdpr or any other reason you'd want to tag your email address in that way in the first place, depressingly not through intent, just sheer indifference and incompetence.

[olliebean]

I pay 20-odd quid a year for my own domain, so I just use "<sitename>@<mydomain>.com" when signing up for things.

[Jerzy Bondov]

Thanks for making this thread, I was preparing myself to look up passwords on my phone and type them into the computer. Moved over to Bitwarden and it was a piece of piss.

[Noodle Lizard]

Another vote for Bitwarden. I'd be happy to pay for the premium version, but there's really no need.

[crankshaft]

I switched to Bitwarden when LastPass announced they were hobbling their free tier. It took 10 minutes, it works perfectly, and it's more reliable on Android than LastPass ever was.

I paid up for premium because it's only about £7.50 a year.

[touchingcloth]

Another vote for Bitwarden. I'd be happy to pay for the premium version, but there's really no need.

The only thing the free thing is missing which I’d benefit from is document storage for things like my residency certificate, but that’s not hugely sensitive data so I’m fine with it in a note on my phone.

[Sebastian Cobb]

The only thing the free thing is missing which I’d benefit from is document storage for things like my residency certificate, but that’s not hugely sensitive data so I’m fine with it in a note on my phone.

AWS will give you several gb of encrypted s3 storage for nowt if you need it too.

[touchingcloth]

AWS will give you several gb of encrypted s3 storage for nowt if you need it too.

Nice, any easy way of syncing that with a phone? Having it in my iCloud seems as easy and secure as necessary probably - I’ve never actually needed those docs, but they’re stuff that you technically need to have on your person when out and about or while driving.

[Sebastian Cobb]

Dunno about iPhones, I assume iCloud is about as easy as it gets. There are tools to sync s3 and on android you can install extensions to gracefully mount and unmount cloud storage (including s3) seamlessly, but there are more easy to use services like dropbox etc.

I didn't really understand you needed access so just suggested somewhere to leave them safe if you lost your phone, rather than thinking about easy retrieval on the move.