LastPass / Password Managers

Started by Lazybones, January 19, 2023, 06:35:36 PM


Lazybones

Knowing from past threads that others on here have used LastPass previously, I thought I would start a thread as I just finished migrating off.

In addition to another breach that had poor disclosure, it has come to light that LastPass kind of screwed up basic security.

1. Vault metadata contains unencrypted info like domains for the autofill feature, which can probably be used to identify or target you personally.
2. While new customers receive updated password rounds settings to strengthen vault security, it turns out many old customers were on very low, vulnerable settings at the time of the breach, including some users having a setting of 1 that basically made vault security useless.


Bitwarden appears to be the TOP alternative with self-hosting and online options; however, after testing it out I have concluded that the browser autofill kinda sucks vs nearly all other options, and if you need to do sharing / family, Bitwarden has a convoluted org / collections sharing structure with a bunch of limitations.

For family use I have opted to use Keeper (https://www.keepersecurity.com/), partly because I get a free licence via work but also because in general it is very feature complete and easy to use, which has been a barrier for getting family members to use a password manager at all. Edit: apparently they have 30% off referral codes if anyone is interested.

Curious if anyone else who recently abandoned LastPass has any other DBs they're using these days.

Mr. Analog

At work we use Dashlane, and I have been looking for a password vault I can use for myself for a while, but I'm not sure what to go with, so I appreciate your list!
By Grabthar's Hammer

Lazybones

LastPass, 1Password and Bitwarden are the top three that turn up in reviews and top lists.

Dashlane and Keeper also show up often, so with those you have nearly all of the primary players, at least in functionality. There are others, like NordPass, which is bundled with some NordVPN options but tends to score lower in functionality.

Your personal use case and preferences may be different.

I was highly attracted to Bitwarden due to pricing and open source reputation. However, the autofill / browser function is still very limited, though functional, and as I noted I really need sharing between me and the spouse / family, and Bitwarden is just a little strange in this regard.

Melbosa

I host BitWarden using the VaultWarden Docker image (https://hub.docker.com/r/vaultwarden/server) for my company and at a couple of client sites. Pretty easy to maintain, I find. Add in this backup and you get automated backups as well: https://hub.docker.com/r/bruceforce/vaultwarden-backup

I personally use 1Password, which is a Canadian company; previously I was on LastPass and am slowly moving my stuff off to 1Password. It is not free though, you have to buy 1Password.

My Serverless client just moved to 1Password Business, and I'm really liking the product. They get the Personal edition as part of the license for each employee, so just like you @Lazybones, they use it personally now because of the free version.

NAIT Uses Lastpass Enterprise and I hate it. Horrible @%&# for Business level sharing of passwords.
Sometimes I Think Before I Type... Sometimes!

Lazybones

Well, as of tonight I managed to get the whole set of family accounts off LastPass onto Keeper (fully deleting all accounts and the family from LastPass). Fingers crossed I don't have to migrate again any time soon lol.

Hard to convince some people of the importance of the task sometimes or the inconvenience of learning a new tool.

Fingers crossed NAIT moves to something else.

Tom

I use Passman via NextCloud. Works reasonably well, but I have a modified version of the Android app that I started hacking on between contracts, which is still somehow less annoying than the latest version lol.
<Zapata Prime> I smell Stanley... And he smells good!!!

Melbosa

The 1 thing 1Password does that a lot of these others don't is that they give you a SECRET key when you register your account. This acts like a SALT encryption key, if anyone is familiar; which means if someone actually hacks 1Password's DB, without the SECRET key they cannot decrypt your data.

Still not good if they do get hacked, but there is just that extra layer of security that some of the other guys don't do. They all encrypt the data obviously, but even 1Password doesn't have your SECRET key, and can't see your data without it: https://support.1password.com/secret-key-security/
Sometimes I Think Before I Type... Sometimes!
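As an added example (not from the thread, and not 1Password's or LastPass's code), here is a toy Python model of the two points raised above: the PBKDF2 iteration count ("password rounds") Lazybones mentions in the first post, and the extra device-held secret Melbosa describes here. The salt, wordlist, key-check verifier and the XOR mixing step are assumptions chosen for illustration; 1Password's real derivation is documented at the support link above and is not reproduced here. It simulates what an attacker holding a stolen vault verifier can do offline: with 1 round and no second secret a weak password falls in a few guesses, with a modern round count every guess costs 100,000 HMACs, and with a secret key the attacker cannot confirm the right password at all because the server never held that key.

```python
"""Toy model of vault key derivation: iteration count vs. a second secret.

Added example, standard library only. All values are constructed here.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed sample data (assumptions, not from any real vault).
SALT = b"constructed-salt-0123456"
WEAK_PASSWORD = "Password1"
WORDLIST = ["letmein", "qwerty", "Password1", "hunter2", "correct horse"]


def derive_vault_key(password: str, iterations: int,
                     secret_key: Optional[bytes] = None,
                     salt: bytes = SALT) -> bytes:
    """Derive a 32-byte vault key: PBKDF2-HMAC-SHA256 over the master
    password for `iterations` rounds, optionally XOR-ed with a key derived
    from a random device-held secret so neither input alone reproduces it.
    Simplified two-secret model (assumption), not any vendor's exact scheme."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=32)
    if secret_key is None:
        return pw_key
    sk_key = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def key_check_value(vault_key: bytes) -> bytes:
    """Stand-in for the stolen ciphertext: anything that lets an attacker
    test a candidate key offline (here an HMAC over a fixed label)."""
    return hmac.new(vault_key, b"vault-kcv", hashlib.sha256).digest()


def dictionary_attack(kcv: bytes, iterations: int, wordlist,
                      secret_key: Optional[bytes] = None
                      ) -> Tuple[Optional[str], int]:
    """Offline guessing of the master password against a stolen verifier.
    Returns (recovered password or None, number of PBKDF2 evaluations)."""
    for n, cand in enumerate(wordlist, 1):
        cand_kcv = key_check_value(derive_vault_key(cand, iterations, secret_key))
        if hmac.compare_digest(cand_kcv, kcv):
            return cand, n
    return None, len(wordlist)


def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Measure how many master-password guesses this machine can test per
    second at a given round count; cost scales linearly with the rounds."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"bench-{i}", iterations)
    return samples / (time.perf_counter() - start)


def demo() -> dict:
    results = {}
    # (1) Legacy setting: 1 round, password only. Falls on the 3rd guess.
    stolen = key_check_value(derive_vault_key(WEAK_PASSWORD, 1))
    results["rounds_1"] = dictionary_attack(stolen, 1, WORDLIST)
    # (2) Same weak password, 100k rounds: still falls, but every guess
    #     now costs 100,000 HMAC computations instead of one.
    stolen = key_check_value(derive_vault_key(WEAK_PASSWORD, 100_000))
    results["rounds_100k"] = dictionary_attack(stolen, 100_000, WORDLIST)
    # (3) A 128-bit secret key mixed in. The breached server never stored it,
    #     so the attacker cannot even confirm the correct password.
    sk = secrets.token_bytes(16)
    stolen = key_check_value(derive_vault_key(WEAK_PASSWORD, 1, sk))
    results["secret_key_attacker"] = dictionary_attack(stolen, 1, WORDLIST)
    # The legitimate owner, holding both secrets, reproduces the key.
    results["secret_key_owner"] = (
        key_check_value(derive_vault_key(WEAK_PASSWORD, 1, sk)) == stolen)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>20}: {value}")
    for rounds in (1, 100_000):
        print(f"{rounds:>7} rounds: ~{guesses_per_second(rounds):,.0f} "
              f"guesses/s on this machine")
```

The benchmark at the end makes the "setting of 1" point concrete: the attacker's guess rate drops roughly by the factor the round count is raised, which is why a high iteration count buys time for weak passwords but nothing else, while the secret key removes the offline attack entirely (at the cost of becoming a second thing you must not lose, as the replies below point out).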

Mr. Analog

The problem is if someone gets your key somehow, you're screwed again

But I do like the extra layers
By Grabthar's Hammer

Tom

While I don't think Passman has been security vetted, the fact that you are the only one with access to any of the keys (assuming you host your NextCloud install) is a nice thought. That said, it's also scary if somehow you lose the data...

I have a bad habit of not making sure things are properly backed up or updated, etc, so it can be a bit scary lol. One reason I started to stop hosting my own services. Got to be a bit of a maintenance headache.

Did I ever mention my gitlab instance got hijacked? yeah. fun. I hadn't updated it in a while and someone found it and used an exploit. I still haven't re-installed it yet. So my personal git repos have been down for many moons. But at least it isn't part of any botnet or running cpu miners anymore. lol.
<Zapata Prime> I smell Stanley... And he smells good!!!

Melbosa

Quote from: Mr. Analog on February 10, 2023, 05:55:12 PM
The problem is if someone gets your key somehow, you're screwed again

But I do like the extra layers

Yeah, but if someone gets your phone and password, with MFA (that all these systems use, including 1Password), you are screwed anyway. So this is not protecting you specifically, this is protection from 1Password getting hacked. If it isn't clear, 1Password uses MFA and this secret key, not just the secret key.

Quote from: Tom on February 11, 2023, 10:29:25 AM
While I don't think Passman has been security vetted, the fact that you are the only one with access to any of the keys (assuming you host your NextCloud install) is a nice thought. That said, it's also scary if somehow you lose the data...

With the verification methods with 1Password, you can get it reset. No password solution will be foolproof, I was just mentioning the extra layer.



Thanks for the input though guys. Good discussion.
Sometimes I Think Before I Type... Sometimes!

Tom

Quote from: Melbosa on February 12, 2023, 11:23:37 PM
Quote from: Mr. Analog on February 10, 2023, 05:55:12 PM
The problem is if someone gets your key somehow, you're screwed again

But I do like the extra layers

Yeah, but if someone gets your phone and password, with MFA (that all these systems use, including 1Password), you are screwed anyway. So this is not protecting you specifically, this is protection from 1Password getting hacked. If it isn't clear, 1Password uses MFA and this secret key, not just the secret key.

Quote from: Tom on February 11, 2023, 10:29:25 AM
While I don't think Passman has been security vetted, the fact that you are the only one with access to any of the keys (assuming you host your NextCloud install) is a nice thought. That said, it's also scary if somehow you lose the data...

With the verification methods with 1Password, you can get it reset. No password solution will be foolproof, I was just mentioning the extra layer.

Yeah, I was just mentioning more details of Passman. Not really directly replying to what you had said. More information that can be used to compare.

For instance, I recently re-enabled the very alpha password autofill I added, and for some reason it's just working now. It was semi-OK when I implemented it, but now it's working really well, even with the BMO app. I'm surprised. The method it's using isn't supposed to be used for this, but at the time the APIs Android was adding for autofill were beta at best and didn't appear to work very well at all. At some point I want to get back to finishing up the changes I made to the Passman Android app and see if they want to merge any of my changes at all. But work has been a grind lol. And I have another personal project that I think of as much higher priority, so things like the Passman app don't get touched for /ages/. It's been years since I last touched the code. lol.
<Zapata Prime> I smell Stanley... And he smells good!!!