LastPass (password manager) limiting their free tier starting March 16

There’s really not much to say, but if you use LastPass then you can choose to subscribe or only be able to access your passwords either on mobile or desktop. The subscription costs $36/yr.

Everyone should be using a password manager at this point. You should be using secure passwords, and different ones for each site. But all of us have dozens or hundreds of logins and it’s not tenable to remember all of them. You’re exposing yourself to serious risk unless you use a password manager or some other system that allows unique, secure passwords.

I’d been using LastPass for years, mostly happily, but their app and sites were not without their quirks (which have also gone on for years). So with this latest news, I switched to Bitwarden. It’s a really good service; free and seems to fix most of the annoyances I had with LastPass. Literally took under 15 minutes to transition, most of which was installing the add-ons and apps for my various browsers and devices.

If you aren’t using a password manager and want to, feel free to ask questions here. Or if you are using one and like it, which one? Bitwarden is only one of several but it seems to be the best of the free ones.

I use the one built into Firefox. Is that good enough?

I use KeePass for Computer and Mobile as it’s free and open source.

Probably. Are you using it in sync mode? If so, then you should have a strong master password, but aside from that it should work well.

Dedicated password managers have the advantage of working on multiple browsers, and are likely to have their own app. I switch between Firefox and Chrome regularly and need the passwords to sync between them. On my phone, I want access to my passwords so I can log into various non-browser apps. Password managers integrate all this stuff, but if it’s not important to you, the standard Firefox sync may be good enough. Security-wise, I’m sure it’s fine.

Similar thread from last month: “Password Managers: Do You Use One?”

I haven’t used KeePass, but the disadvantage as far as I can tell is that it doesn’t do cloud sync by default, and you have to combine it with some other storage system, like a USB drive or a cloud storage system. Those seem fiddly to work with. Bitwarden and others sync in the cloud. In principle, they are just as secure since the cloud only stores the encrypted data and it’s useless even if it leaks (the same would be true of, say, a KeePass file on a USB drive that gets lost).

I’ll still continue to use LastPass, since I only use it on my PC.

LastPass is by no means a bad service, and if it weren’t for free alternatives I’d pony up the $36/yr. In absolute terms that’s more than worth it. And if you really don’t need mobile support, then there’s not a huge motivation to switch.

However, unless you don’t own a smartphone at all, I’d definitely recommend setting it up for mobile. And I’ll emphasize that transitioning to Bitwarden really couldn’t be simpler. You just export the CSV file from LastPass and import to Bitwarden. All the browser add-ons are easy to find and install.

I can’t help but think it’s only a matter of time before a password manager gets hacked.

I only have about 3 dozen sites total (yes, I actually do keep track of them), and all but around 8 I seldom use and then only from home, where I have them written down off-line which makes it a bit harder for a hacker to get their hands on. The rest I’ve got memorized.

And let’s face it - if someone hacks my Straight Dope password it’s not the end of the world, it won’t drain my bank account, and won’t steal my legal identity.

The three I use at work I can’t put onto a password manager - work won’t let me do that. And those are the ones I use the most.

I don’t usually access anything requiring a password on my cell phone. I bought that to 1) make phone calls and 2) text. I do get my e-mail occasionally on it, but the current password for that I have memorized.

So explain to me again why I need to pay someone else $36 a year for this service…?

It’s unlikely. The way passwords usually get hacked is that the whole password database from a site is stolen. From there: either the site was incredibly stupid (it happens) and the passwords were stored in plaintext, and the hackers now have a nice collection; or, the passwords were stored encoded, but the hackers can apply offline password crackers and extract some of them. They won’t get all of them but they will get the weakest ones. They then try the passwords out on other sites like banks.

Password managers don’t store anything like this on the net, though. Just a blob encrypted with your master password. You never transmit your master password to their site, nor any of the encoded passwords. So even if hackers steal every byte of data from LastPass, Bitwarden, etc., they gain nothing as long as your master password is strong.

If you are diligent about never using the same password twice, then you will have avoided the worst of the exposure. But that is difficult for many of us. I have somewhere around 3 hundred accounts total. I probably have 3 dozen financial accounts alone. Every one of the financial sites has a long, unique password, made from fully random characters (and so hard to memorize). Almost all the rest do as well, though there are a few older ones that I haven’t fixed up yet.

If your exposure isn’t so great, and if you access your sites from much more limited locations, then a password manager may be overkill. Still pretty convenient, though.
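As an added example (not code from this thread or from any password manager), here is a stdlib-only Python sketch of the model described above: the master password is stretched client-side into a key, a separate hash derived from that key is what gets sent to log in, and only the encrypted blob is ever synced. The iteration count, the HMAC-based stream cipher standing in for AES, and the sample vault contents are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed model of a "zero-knowledge" vault: the provider only ever
# stores a login hash and an encrypted blob, never the master password or
# the plaintext vault. Iteration count and salt choice are assumptions.
KDF_ITERATIONS = 600_000

def master_key(password: str, email: str) -> bytes:
    """Client side: stretch the master password into a 256-bit key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), KDF_ITERATIONS)

def auth_hash(key: bytes, password: str) -> bytes:
    """Client side: the value sent to log in. It is derived from the key, so the
    server can check it without ever seeing the password or the key itself."""
    return hashlib.pbkdf2_hmac("sha256", key, password.encode(), 1)

def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", "sha256").digest(), hmac.new(key, b"mac", "sha256").digest())

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES here (stdlib only).
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range((n + 31) // 32))
    return out[:n]

def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; this blob is the only copy of the vault that leaves the device."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()

def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    """Returns the plaintext, or raises if the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("vault integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def server_record(password: str, email: str, vault: bytes) -> dict:
    """Everything the provider receives for this user: no password, no plaintext."""
    key = master_key(password, email)
    return {"email": email, "auth": auth_hash(key, password), "blob": encrypt_vault(key, vault)}

if __name__ == "__main__":
    rec = server_record("correct horse battery staple", "user@example.com", b"bank.example: Xk9#random")
    print(len(rec["blob"]), "bytes stored server-side; password visible?", b"horse" in rec["blob"])
```

A leaked copy of `server_record` gives an attacker only an offline guessing game against the master password, which is exactly why its strength is the whole ballgame.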

That’s perfectly fair, but also about two decades behind modern day use. I do banking and other important stuff on my phone. There’s some stuff I can’t do anywhere but my phone, such as check depositing by photo.

Again, Bitwarden is free and as good or better than LastPass. They make money through enterprise sales and a premium tier.

I do banking on my phone, but type the password each time. It’s also set up for fingerprint access.

Other logins I have to remember, or check my password on LastPass on my computer. None are so important that I can’t wait to find it.

Thanks for explaining about how password managers work, I appreciate that.

Sure, if I had as many on-line accounts as you do I can see where a password manager makes sense.

Sure, I’ll admit to being a bit old-fashioned at this point. I’ll check my bank account by way of my home PC (and I currently use the 2 types authentication with it, and don’t store the password on my PC) and also my credit card, but my savings account is, by choice and design, NOT on line (if it’s too convenient it becomes a “spendings” account instead of a savings). Outside of direct deposits, I still drop my other deposits off at the bank in person. Again, by choice. As there are multiple branches of the banks I use between where I live and where I work this is not in any way inconvenient for me. Yeah, I still use checks. Maybe by 2050 I’ll have fully entered into 21st Century banking :wink:

If I used my phone as you do then a password manager would, again, make more sense. But I don’t. Thanks for the info, though, I’ll keep it in mind going forward because things do change.

There have been some exploits where the passwords were intercepted by some sort of rogue code running in the browser (so, client-side scraping or something, after they have been decrypted locally).

Of course, that’s also possible for any regular entry of passwords into a browser, and probably via a wider variety of methods such as keyloggers, so it still makes the argument for using a password manager.

Yeah, once you’re locally compromised, all bets are off. Browser plugins are generally held to a somewhat higher standard than generic local apps (rogue add-ons can be pulled from the store by the browser provider, and generally have fewer permissions), so there’s a tiny benefit in that respect.

This is why you implement MFA on every account possible, and this is doubly true for your password manager tool. A password alone isn’t very valuable without that second authentication method.

Indeed - I have been trying to persuade people to use MFA (and other security controls such as location restrictions, and account recovery options) wherever they are offered.