Don’t Use LastPass, Use These Instead

Intro

We’re of the opinion that everyone should be using a password manager. If you’re not, we believe you’re making a mistake*. In researching top password managers, you’ll see LastPass at the top of many lists/reviews. However, is it really as good as people claim, or are there better options? Let’s discuss the pros and cons of LastPass as well as some alternatives that we consider to be superior for most users.

*See “Why You Need a Password Manager”

Podcast

1
00:00:00,000 –> 00:00:14,160
Hey everyone, welcome to the Bigger Insights Privacy & Security podcast where we’ll help

2
00:00:14,160 –> 00:00:16,560
you live a more private and secure life.

3
00:00:16,560 –> 00:00:22,200
In this episode, we’re going to talk about TrashPass, I mean LastPass, and why we think

4
00:00:22,200 –> 00:00:28,800
you should use one of our recommended alternatives if you are using LastPass or if you’re considering

5
00:00:28,800 –> 00:00:30,800
using LastPass.

6
00:00:30,800 –> 00:00:36,100
Before we get started, just to provide you with the proper context, you might want to listen

7
00:00:36,100 –> 00:00:43,200
to our previous episodes, “Why You Need a Password Manager” and “Why Free and Open-Source Software

8
00:00:43,200 –> 00:00:44,520
Matters”.

9
00:00:44,520 –> 00:00:51,080
We actually started warning our clients about the dangers that LastPass poses all the way

10
00:00:51,080 –> 00:00:58,360
back in 2021. And we wrote an article about this as well on our website, BiggerInsights.com,

11
00:00:58,360 –> 00:01:01,020
back in September of 2022.

12
00:01:01,020 –> 00:01:07,240
So consider checking out our website and consider becoming a client, because we help our clients

13
00:01:07,240 –> 00:01:13,480
choose software and services that best meet their needs, and we will regularly warn them

14
00:01:13,480 –> 00:01:17,960
about companies like LastPass and some of the shady things that they’re up to and some

15
00:01:17,960 –> 00:01:20,880
of the risks that they present to their users.

16
00:01:20,880 –> 00:01:25,000
So go to our website and fill out the short form at the bottom of the page if that sounds

17
00:01:25,000 –> 00:01:27,040
interesting to you.

18
00:01:27,040 –> 00:01:33,660
If you’ve never heard of LastPass, LastPass is one of, if not the most popular password

19
00:01:33,660 –> 00:01:35,160
manager out there.

20
00:01:35,160 –> 00:01:40,400
If you do a search for password managers or you look at, you know, review websites for

21
00:01:40,400 –> 00:01:45,640
password managers, you’re probably going to see LastPass all over the place.

22
00:01:45,640 –> 00:01:50,280
And you know, if you watch people’s screen shares on YouTube and stuff like that, most

23
00:01:50,280 –> 00:01:53,440
of them are using LastPass, so it’s very popular.

24
00:01:53,440 –> 00:01:59,840
And the question is, is it really that good and does it justify that popularity?

25
00:01:59,840 –> 00:02:04,240
And you know, spoiler alert, we don’t think that it is that good and we don’t think that

26
00:02:04,240 –> 00:02:06,700
it justifies its popularity.

27
00:02:06,700 –> 00:02:11,200
So we’re going to discuss some of the reasons why we think that and why we think that there

28
00:02:11,200 –> 00:02:13,640
are better alternatives out there.

29
00:02:13,640 –> 00:02:18,200
Let’s start out on a positive note and give credit where credit is due.

30
00:02:18,200 –> 00:02:23,040
LastPass is a very feature rich password manager.

31
00:02:23,040 –> 00:02:28,720
It has pretty much everything that you could ask for or expect, at least when comparing

32
00:02:28,720 –> 00:02:31,680
to other password management options.

33
00:02:31,680 –> 00:02:38,680
It’s got good multi-factor authentication options, including YubiKey, and it might support

34
00:02:38,680 –> 00:02:39,840
other hardware keys as well.

35
00:02:39,840 –> 00:02:43,760
I’m not too sure about that, but you know, that’s one thing that some password managers

36
00:02:43,760 –> 00:02:45,080
don’t offer.

37
00:02:45,080 –> 00:02:49,240
It’s pretty good about warning you if you have vulnerable passwords.

38
00:02:49,240 –> 00:02:54,880
So if you were using passwords or you have, you know, weak passwords or if it finds them

39
00:02:54,880 –> 00:02:59,400
on the dark web or something like that, you know, that’s, that’s pretty useful, especially

40
00:02:59,400 –> 00:03:04,320
for the average person who doesn’t really understand, you know, how passwords work and

41
00:03:04,320 –> 00:03:07,400
how easy they are to crack and things like that.

42
00:03:07,400 –> 00:03:14,000
It also has a good emergency access feature, which in our opinion is one of the few reasons

43
00:03:14,000 –> 00:03:17,560
to actually use a cloud-based password manager.

44
00:03:17,560 –> 00:03:21,960
There are workarounds for that if you’re not using a cloud-based password manager like

45
00:03:21,960 –> 00:03:26,960
KeePass or something, but this feature is pretty helpful and I can see how, you know,

46
00:03:26,960 –> 00:03:29,520
people would be interested in that.

47
00:03:29,520 –> 00:03:34,200
We also really like LastPass’s random password generator.

48
00:03:34,200 –> 00:03:37,720
One of the things that’s interesting about that that we don’t see in a lot of other

49
00:03:37,720 –> 00:03:43,520
password managers is it has an option to weed out ambiguous characters.

50
00:03:43,520 –> 00:03:49,240
So like i’s and or like uppercase i’s and lowercase L’s and things like that, that if

51
00:03:49,240 –> 00:03:54,160
you need to read the password and type it in, it can be very difficult to tell.

52
00:03:54,160 –> 00:03:55,800
So that’s interesting.

53
00:03:55,800 –> 00:04:01,560
And also we like the way that it shows passwords with color coding.

54
00:04:01,560 –> 00:04:07,160
So it’ll color numbers and letters and special characters with different colors to help make

55
00:04:07,160 –> 00:04:12,200
them easier to read because like when you’re looking at like an O versus a zero or something

56
00:04:12,200 –> 00:04:17,280
like that, having those different colors can really help you, you know, read your password

57
00:04:17,280 –> 00:04:18,280
better.

58
00:04:18,280 –> 00:04:21,520
Unfortunately, that’s kind of where the pros end.

59
00:04:21,520 –> 00:04:26,000
And now we’ll talk about, you know, the uglier side of LastPass.

60
00:04:26,000 –> 00:04:29,320
And that is its kind of very troubled history.

61
00:04:29,320 –> 00:04:35,360
LastPass was purchased by LogMeIn, you know, a number of years ago at this point.

62
00:04:35,360 –> 00:04:38,200
And LogMeIn is now called GoTo, I believe.

63
00:04:38,200 –> 00:04:43,800
But one of the first things that they did after they bought it was they doubled the prices.

64
00:04:43,800 –> 00:04:49,720
And you know, the price point was one of the selling points of LastPass back in the day.

65
00:04:49,720 –> 00:04:51,680
It used to be a dollar a month.

66
00:04:51,680 –> 00:04:57,240
And other alternatives like Dashlane were about $2 a month or more.

67
00:04:57,240 –> 00:04:59,200
So they doubled the price.

68
00:04:59,200 –> 00:05:03,960
And the question is, did they double the value and did they double the features or anything

69
00:05:03,960 –> 00:05:04,960
like that?

70
00:05:04,960 –> 00:05:07,160
No, it was, it was basically the same product.

71
00:05:07,160 –> 00:05:12,480
Now it just costs twice as much, which is, you know, really disappointing considering

72
00:05:12,480 –> 00:05:16,200
how simple password managers actually are.

73
00:05:16,200 –> 00:05:21,320
They just take some very basic inputs, encrypt them into a file and then store them in their

74
00:05:21,320 –> 00:05:22,320
cloud.

75
00:05:22,320 –> 00:05:25,280
I mean, they’re really not that complicated.

76
00:05:25,280 –> 00:05:30,240
And you know, unfortunately, this is very common in the software industry when a large

77
00:05:30,240 –> 00:05:33,360
player buys out a smaller one.

78
00:05:33,360 –> 00:05:34,880
We see this all the time.

79
00:05:34,880 –> 00:05:41,800
So for example, Fecesbook bought WhatsApp and I’ve never used WhatsApp before and I’m glad

80
00:05:41,800 –> 00:05:43,320
that I haven’t.

81
00:05:43,320 –> 00:05:49,400
But from what I understand, WhatsApp was actually a pretty good and respected messenger until

82
00:05:49,400 –> 00:05:55,040
Fecesbook bought it and basically turned it into a corporate surveillance engine.

83
00:05:55,040 –> 00:05:58,680
And there are many other examples like this in history.

84
00:05:58,680 –> 00:06:05,000
So the lesson here is when an app or service that you’re using gets bought out by a big

85
00:06:05,000 –> 00:06:11,200
player, like Fecesbook or Google or Apple or Amazon or Microsoft or whomever, you should

86
00:06:11,200 –> 00:06:14,240
be very, very wary of that.

87
00:06:14,240 –> 00:06:19,360
Because when this happens, typically what they do is the prices go up, the quality goes

88
00:06:19,360 –> 00:06:25,200
down, the privacy goes down, the security goes down, you know, advertising, data collection,

89
00:06:25,200 –> 00:06:30,160
and whatever telemetry, those go up and they just, they just ruin the product.

90
00:06:30,160 –> 00:06:34,920
Because to them, this is just an asset on their balance sheet, they don’t care about

91
00:06:34,920 –> 00:06:35,920
it.

92
00:06:35,920 –> 00:06:36,920
They don’t care about you.

93
00:06:36,920 –> 00:06:39,640
It’s just, it’s just not a good situation.

94
00:06:39,640 –> 00:06:46,000
And perhaps most troubling is that LastPass has a very poor security track record, which

95
00:06:46,000 –> 00:06:51,600
is the last thing that you want from an application that you’re relying on to secure some of your

96
00:06:51,600 –> 00:06:54,880
most sensitive data, like your passwords.

97
00:06:54,880 –> 00:07:01,080
So I’m going to read a few passages from our blog post that we wrote about this in September

98
00:07:01,080 –> 00:07:05,040
of 2022 on our website, biggerinsights.com.

99
00:07:05,040 –> 00:07:08,520
You can go there and search for LastPass and it should show up.

100
00:07:08,520 –> 00:07:12,960
And I’m going to bring this up because, you know, it’s almost as if we had predicted the

101
00:07:12,960 –> 00:07:19,280
future because right after we wrote this, they had a very, very serious security incident

102
00:07:19,280 –> 00:07:22,440
later that year in 2022.

103
00:07:22,440 –> 00:07:29,040
So this is what we said, “LastPass also has a spotty security track record, not something

104
00:07:29,040 –> 00:07:31,600
you want from a security service.

105
00:07:31,600 –> 00:07:36,520
Some consider this to be a non-issue because your data is encrypted locally.

106
00:07:36,520 –> 00:07:43,880
The idea here is that if LastPass itself gets hacked, your data should still be safe because

107
00:07:43,880 –> 00:07:47,440
it’s encrypted at rest and only you have the key.

108
00:07:47,440 –> 00:07:49,880
However, we disagree.

109
00:07:49,880 –> 00:07:56,200
If LastPass is dropping the ball in security, this exposes users to supply chain attacks.

110
00:07:56,200 –> 00:08:01,480
If a hacker is able to gain access to their source code, for example, they could inject

111
00:08:01,480 –> 00:08:07,720
malware into LastPass clients that get pushed out to your device during the next update.”

112
00:08:07,720 –> 00:08:13,920
Now this specific attack isn’t exactly what happened in 2022, but something very similar

113
00:08:13,920 –> 00:08:17,400
happened, which we’ll talk about in just a minute.

114
00:08:17,400 –> 00:08:22,360
Just to help add a little bit more context to this, I’m just going to read just a list

115
00:08:22,360 –> 00:08:29,240
of the number of incidents that they’ve had that you can read about on Wikipedia. 2011

116
00:08:29,240 –> 00:08:38,440
security incident, 2015 security breach, 2016 security incidents, plural, 2017 security

117
00:08:38,440 –> 00:08:47,240
incidents, plural, 2019 security incidents, plural, 2020 security incident, 2021 third

118
00:08:47,240 –> 00:08:55,280
party trackers and security incident, 2022 customer data and partially encrypted vault

119
00:08:55,280 –> 00:08:56,280
theft.

120
00:08:56,280 –> 00:09:01,400
Now, I don’t know about you, but that doesn’t sound like the track record of a company that

121
00:09:01,400 –> 00:09:04,280
I want storing my passwords.

122
00:09:04,280 –> 00:09:14,080
So in 2021, it was discovered that their Android app contained at least seven third party trackers,

123
00:09:14,080 –> 00:09:15,080
including Google.

124
00:09:15,080 –> 00:09:19,360
Now, maybe that’s changed since that was reported.

125
00:09:19,360 –> 00:09:23,640
I’m not really sure, but yeah, it’s just completely unacceptable.

126
00:09:23,640 –> 00:09:28,920
When I use an app like a password manager, I don’t want what I’m doing being reported

127
00:09:28,920 –> 00:09:34,360
to Google or any other third party tracker. That should be between me and the password

128
00:09:34,360 –> 00:09:36,600
manager only.

129
00:09:36,600 –> 00:09:42,840
Now regarding those trackers in the Android app, which I read on Wikipedia, one of the

130
00:09:42,840 –> 00:09:48,720
things that I found interesting that’s not in Wikipedia is the iOS app has had trackers

131
00:09:48,720 –> 00:09:50,440
in them as well.

132
00:09:50,440 –> 00:09:57,920
Last time I opened up the LastPass app, which I believe was in 2022, it was connecting to

133
00:09:57,920 –> 00:10:05,320
firebaselogging-pa.googleapis.com, which is obviously owned by Google.

134
00:10:05,320 –> 00:10:10,600
And I’m sure they have some excuse for that, like, “Oh, this is just for debugging purposes”

135
00:10:10,600 –> 00:10:16,480
or something like that. But what companies need to understand is that when you’re getting

136
00:10:16,480 –> 00:10:22,480
your telemetry and your debugging and analytics from a third party like Google, you’re causing

137
00:10:22,480 –> 00:10:28,920
a problem for your users because now your users’ data is going to a third party.

138
00:10:28,920 –> 00:10:34,280
And I don’t know about you, but I’m not okay with my data going to Google, especially if

139
00:10:34,280 –> 00:10:36,960
I’m not using Google products.

140
00:10:36,960 –> 00:10:39,960
So this is a major red flag to be aware of.

141
00:10:39,960 –> 00:10:44,880
If an app that you’re using is embedding third party trackers in it, you can bet that they’re

142
00:10:44,880 –> 00:10:46,800
doing other things that you wouldn’t agree with.

143
00:10:46,800 –> 00:10:52,200
And it’s an admission that they don’t care about you, they don’t value you, which is

144
00:10:52,200 –> 00:10:57,800
especially disturbing when you’re paying for the product, like LastPass, which is not

145
00:10:57,800 –> 00:11:00,360
exactly cheap to begin with.

146
00:11:00,360 –> 00:11:06,400
So let’s talk about this most recent security incident that they’ve had back in 2022, in

147
00:11:06,400 –> 00:11:13,080
which they got breached and customer data got stolen, which by the way is still unfolding.

148
00:11:13,080 –> 00:11:18,840
And we believe there are going to be other security incidents in the future.

149
00:11:18,840 –> 00:11:23,920
Basically one of their senior DevOps engineers got hacked.

150
00:11:23,920 –> 00:11:29,600
He was using a personal device for work, which you should never do by the way.

151
00:11:29,600 –> 00:11:36,960
And on that device, he was running a very outdated and very insecure version of Plex.

152
00:11:36,960 –> 00:11:43,720
And a vulnerability in Plex allowed someone to install a key logger on this person’s machine

153
00:11:43,720 –> 00:11:46,480
to grab his username and password.

154
00:11:46,480 –> 00:11:52,360
So that allows somebody to get into their corporate vault, which contained keys and other sensitive

155
00:11:52,360 –> 00:11:53,880
information.

156
00:11:53,880 –> 00:11:59,760
Those keys were used to get into their storage accounts, which contained customer password

157
00:11:59,760 –> 00:12:01,840
vaults and other data.

158
00:12:01,840 –> 00:12:08,760
That data included URLs of the accounts that people were typing into LastPass, which for

159
00:12:08,760 –> 00:12:11,680
God knows what reason were not being encrypted.

160
00:12:11,680 –> 00:12:17,840
I’ve yet to hear LastPass provide an explanation as to why they weren’t encrypting people’s

161
00:12:17,840 –> 00:12:20,720
URLs, which might not sound like a big deal to you.

162
00:12:20,720 –> 00:12:23,840
But you know, that’s pretty sensitive information.

163
00:12:23,840 –> 00:12:29,800
You don’t want a company like LastPass knowing every website that you have an account with,

164
00:12:29,800 –> 00:12:34,080
because not only could they be doing something malicious with that information like selling

165
00:12:34,080 –> 00:12:39,520
it, but now whoever hacked them has that information as well.

166
00:12:39,520 –> 00:12:45,440
So LastPass customers should be very concerned about this because whoever took their vaults,

167
00:12:45,440 –> 00:12:51,280
even if they can’t get into them, that person can still see where you have your accounts.

168
00:12:51,280 –> 00:12:56,400
And they can see your email address that you used with LastPass and your name and your

169
00:12:56,400 –> 00:12:57,920
billing address.

170
00:12:57,920 –> 00:13:03,920
And they can use this information to, you know, send you phishing emails or text messages

171
00:13:03,920 –> 00:13:09,120
and, you know, potentially look up what passwords you’ve used in the past that have been involved

172
00:13:09,120 –> 00:13:14,280
in other data breaches and try to use credential stuffing and other techniques to get into

173
00:13:14,280 –> 00:13:19,040
your accounts, even if they can’t crack your LastPass vault.

174
00:13:19,040 –> 00:13:25,200
So this is a very big deal, this is a very big screw up on LastPass’s part.

175
00:13:25,200 –> 00:13:31,080
And this is why you don’t use a closed-source password manager or any other application

176
00:13:31,080 –> 00:13:34,360
that you’re relying on to protect your security.

177
00:13:34,360 –> 00:13:40,000
If LastPass was open-source, like Bitwarden or KeePass are, for example, then we would

178
00:13:40,000 –> 00:13:44,480
have known all along that they weren’t encrypting URLs and we could have, you know, asked

179
00:13:44,480 –> 00:13:49,520
LastPass about this and demanded that they address this before it became an issue.

180
00:13:49,520 –> 00:13:55,600
We should also mention that some of LastPass’s source code has also been stolen.

181
00:13:55,600 –> 00:14:00,560
We’re hoping that that gets leaked so that we can see more details about what LastPass

182
00:14:00,560 –> 00:14:04,080
is doing or not doing that it should be doing.

183
00:14:04,080 –> 00:14:10,480
And this also gives the attacker the ability to see how LastPass’s encryption is being

184
00:14:10,480 –> 00:14:16,600
done because that’s closed-source and LastPass seems to brag about that

185
00:14:16,600 –> 00:14:17,600
like that’s a good thing.

186
00:14:17,600 –> 00:14:21,320
They say “Our vaults are protected with proprietary encryption.”

187
00:14:21,320 –> 00:14:23,280
Well, that’s not a good thing.

188
00:14:23,280 –> 00:14:28,240
I mean, it’s just one of the most generally accepted principles in security.

189
00:14:28,240 –> 00:14:30,800
You don’t roll your own crypto.

190
00:14:30,800 –> 00:14:32,600
There’s no reason to do that.

191
00:14:32,600 –> 00:14:39,040
We have off-the-shelf encryption standards that are peer-reviewed, highly secure, open

192
00:14:39,040 –> 00:14:41,480
source and free.

193
00:14:41,480 –> 00:14:46,640
So when any company tells you that they’re using proprietary encryption to protect your

194
00:14:46,640 –> 00:14:50,720
data, you know, that should be a real head-scratcher. You should be wondering why they’re

195
00:14:50,720 –> 00:14:54,560
doing that because it’s a very stupid thing to do.

196
00:14:54,560 –> 00:14:59,360
Another naughty thing that we’ve learned that they’ve been doing is using a lower number

197
00:14:59,360 –> 00:15:02,680
of password iterations for older users.

198
00:15:02,680 –> 00:15:06,320
So the number of iterations helps to secure your password.

199
00:15:06,320 –> 00:15:11,600
The more you use, the harder it is to crack. And over time, they’ve been increasing the

200
00:15:11,600 –> 00:15:16,880
number of iterations for newer users because, you know, standards have changed, but they

201
00:15:16,880 –> 00:15:21,880
never went back and upgraded the passwords for older users.

202
00:15:21,880 –> 00:15:27,040
So if you’ve been using LastPass for several years, you should be concerned because your

203
00:15:27,040 –> 00:15:32,880
vault is potentially more vulnerable than it is for other users.

204
00:15:32,880 –> 00:15:38,800
And even if, you know, the iterations aren’t a problem and if you’re using a decent password

205
00:15:38,800 –> 00:15:45,520
and whoever stole these can’t crack your vault for now, just be aware that they have it in

206
00:15:45,520 –> 00:15:46,760
their possession.

207
00:15:46,760 –> 00:15:51,040
So they might be able to get into it later for a number of reasons.

208
00:15:51,040 –> 00:15:53,480
Maybe they’ve come across better hardware.

209
00:15:53,480 –> 00:15:59,400
I mean, just think about how many more password guesses today’s GPUs can make as opposed to

210
00:15:59,400 –> 00:16:01,400
just a few years ago.

211
00:16:01,400 –> 00:16:06,120
You know, the risk there is that this hardware keeps getting better and better and better.

212
00:16:06,120 –> 00:16:09,520
Meanwhile, your vault is static.

213
00:16:09,520 –> 00:16:14,640
Another thing to keep in mind is that if you’re one of the, you know, probably 90% of the

214
00:16:14,640 –> 00:16:21,600
population that reuses passwords, if you’ve used your master password in any other system,

215
00:16:21,600 –> 00:16:26,440
you should be worried about those other systems getting breached and potentially exposing

216
00:16:26,440 –> 00:16:28,600
your master password.

217
00:16:28,600 –> 00:16:35,560
So in other words, even if your vault is technically safe today, it might be vulnerable to being

218
00:16:35,560 –> 00:16:37,360
cracked in the future.

219
00:16:37,360 –> 00:16:42,600
All right, let’s keep talking about the issues that we have with LastPass because this is

220
00:16:42,600 –> 00:16:45,240
the gift that keeps on giving.

221
00:16:45,240 –> 00:16:48,200
Most LastPass clients are closed-source.

222
00:16:48,200 –> 00:16:53,200
And there’s good reason for that because LastPass is hiding some pretty shady stuff, whether

223
00:16:53,200 –> 00:16:59,840
that be third party trackers, poor security practices, like not encrypting your URLs and

224
00:16:59,840 –> 00:17:02,360
potentially data collection as well.

225
00:17:02,360 –> 00:17:07,680
I don’t think a lot of people realize this, but LastPass collects location data, whereas

226
00:17:07,680 –> 00:17:11,200
other password managers like Bitwarden do not.

227
00:17:11,200 –> 00:17:14,480
And I’m sure that they have a good excuse for that.

228
00:17:14,480 –> 00:17:20,640
Like there are some security uses for having somebody’s location, but do you really trust

229
00:17:20,640 –> 00:17:26,120
this company with your precise location data, especially with all these other issues that they’ve

230
00:17:26,120 –> 00:17:31,680
had, and especially considering they have third party trackers embedded in their clients

231
00:17:31,680 –> 00:17:34,520
and are sending your data to Google?

232
00:17:34,520 –> 00:17:41,240
So even if they are using your location data for security purposes, do you or should you

233
00:17:41,240 –> 00:17:47,400
trust them to use that only for security purposes and not to do something with it that you wouldn’t

234
00:17:47,400 –> 00:17:52,400
agree with, like share or sell it to a third party like Google?

235
00:17:52,400 –> 00:17:56,440
Another thing that we really don’t like are browser extensions.

236
00:17:56,440 –> 00:18:02,000
Now we’ll admit that they’re very convenient, especially for filling forms, but they’re

237
00:18:02,000 –> 00:18:03,000
risky.

238
00:18:03,000 –> 00:18:09,680
LastPass does have some desktop apps as far as we can tell, but from what we’ve researched,

239
00:18:09,680 –> 00:18:15,040
a lot of people complained about them either not being stable or not having features that

240
00:18:15,040 –> 00:18:20,040
the browser extension had, and I’ve never actually seen anybody use the desktop app.

241
00:18:20,040 –> 00:18:28,080
I always see the browser extension and admittedly Bitwarden and other password managers have

242
00:18:28,080 –> 00:18:33,160
browser extensions as well, but you don’t have to use them and we don’t recommend that

243
00:18:33,160 –> 00:18:35,360
you do use them.

244
00:18:35,360 –> 00:18:40,760
And the reason we don’t like browser extensions is because they present privacy and security

245
00:18:40,760 –> 00:18:43,040
risks for users.

246
00:18:43,040 –> 00:18:49,160
On the security front, there’s no shortage of known malware out there that targets data

247
00:18:49,160 –> 00:18:51,040
stored in your browser.

248
00:18:51,040 –> 00:18:57,320
A lot of people store addresses and passwords and other information in their browser, so

249
00:18:57,320 –> 00:19:01,040
it’s a very attractive target.

250
00:19:01,040 –> 00:19:06,000
Vulnerabilities in the browser itself could also present security issues if you’re using

251
00:19:06,000 –> 00:19:09,640
a browser extension for your password manager.

252
00:19:09,640 –> 00:19:16,040
As far as privacy is concerned, using browser extensions makes it easier for websites to

253
00:19:16,040 –> 00:19:17,760
fingerprint you.

254
00:19:17,760 –> 00:19:23,000
So this deserves its own episode, which we’ll get around to at some point.

255
00:19:23,000 –> 00:19:28,400
But when you visit a website, most websites collect a tremendous amount of information

256
00:19:28,400 –> 00:19:33,880
from your device and your browser, and they look at the uniqueness of that information

257
00:19:33,880 –> 00:19:41,400
to identify you individually. And one of those pieces of information is what extensions

258
00:19:41,400 –> 00:19:44,000
you have installed in your browser.

259
00:19:44,000 –> 00:19:49,120
So if you have the LastPass extension installed in your browser, that makes it easier for

260
00:19:49,120 –> 00:19:51,720
a website to identify you.

261
00:19:51,720 –> 00:19:57,640
Another thing that has really bothered me about LastPass for many years now is they

262
00:19:57,640 –> 00:20:01,440
encourage really risky behaviors.

263
00:20:01,440 –> 00:20:06,280
And this actually bothered me so much that I took a screenshot of this just in case

264
00:20:06,280 –> 00:20:10,120
they remove some of this information from their website.

265
00:20:10,120 –> 00:20:14,400
But if you go to their website and you look at their screenshots and some of their marketing

266
00:20:14,400 –> 00:20:22,520
material, they really try to encourage people to store a lot of highly sensitive information

267
00:20:22,520 –> 00:20:24,400
in LastPass.

268
00:20:24,400 –> 00:20:29,400
So these are some of the things that I just saw last time I was on their website.

269
00:20:29,400 –> 00:20:37,280
Bank cards, bank accounts, driver’s licenses, health insurance information, passport numbers,

270
00:20:37,280 –> 00:20:39,240
social security numbers.

271
00:20:39,240 –> 00:20:44,880
Now last time I checked, society has kind of come to a consensus that you shouldn’t

272
00:20:44,880 –> 00:20:47,320
put all of your eggs in one basket.

273
00:20:47,320 –> 00:20:50,360
But for whatever reason, LastPass doesn’t think that that applies.

274
00:20:50,360 –> 00:20:56,880
Now, I don’t know, maybe they think that this makes their service seem more useful than

275
00:20:56,880 –> 00:20:58,320
it actually is.

276
00:20:58,320 –> 00:21:04,440
I don’t know, but we definitely don’t recommend that you put any information anywhere that

277
00:21:04,440 –> 00:21:06,720
you don’t absolutely need.

278
00:21:06,720 –> 00:21:11,360
I mean, first of all, who doesn’t have their social security number memorized?

279
00:21:11,360 –> 00:21:15,080
And what are you going to do with your passport number in LastPass?

280
00:21:15,080 –> 00:21:19,920
I mean, if you need your passport, you need your passport. Just knowing the number is

281
00:21:19,920 –> 00:21:22,840
not usually very helpful anyway.

282
00:21:22,840 –> 00:21:27,680
And now that they’ve been hacked and customer vaults have been stolen, that information

283
00:21:27,680 –> 00:21:29,880
could potentially be compromised.

284
00:21:29,880 –> 00:21:34,720
So if you’ve been using LastPass and kind of following their marketing and being a good

285
00:21:34,720 –> 00:21:39,920
little user and typing in all this highly sensitive information, that information might

286
00:21:39,920 –> 00:21:43,720
now be in the hands of a hacker.

287
00:21:43,720 –> 00:21:48,560
And even if LastPass did not suffer from all these other issues, at the end of the

288
00:21:48,560 –> 00:21:51,120
day, it is expensive.

289
00:21:51,120 –> 00:21:59,280
So I’ll go over some of the pricing information that I dug up last September, 2022.

290
00:21:59,280 –> 00:22:04,040
The first issue is that they basically gutted the free tier.

291
00:22:04,040 –> 00:22:08,280
They limited it to one device, which really irritated a lot of people.

292
00:22:08,280 –> 00:22:11,840
I think a lot of people left the service for that reason.

293
00:22:11,840 –> 00:22:14,760
And I bet now they’re glad that they did.

294
00:22:14,760 –> 00:22:18,920
Bitwarden, on the other hand, does not have this limitation. If you’re using the free

295
00:22:18,920 –> 00:22:23,720
version of Bitwarden, as far as I know, they don’t limit the number of devices that you

296
00:22:23,720 –> 00:22:25,880
can use with your free account.

297
00:22:25,880 –> 00:22:33,200
The premium version is $3 a month, which, keep in mind, was a dollar a month not that long

298
00:22:33,200 –> 00:22:34,200
ago.

299
00:22:34,200 –> 00:22:35,800
So it’s three times the price.

300
00:22:35,800 –> 00:22:38,520
I really don’t think it’s three times the product.

301
00:22:38,520 –> 00:22:42,800
And you know, like I said earlier, password managers are actually quite simple.

302
00:22:42,800 –> 00:22:47,520
There’s no reason that they should be charging $3 a month for this.

303
00:22:47,520 –> 00:22:53,720
Now for context, Bitwarden’s equivalent premium tier is only $10 per year.

304
00:22:53,720 –> 00:22:55,240
That’s less than $1 a month.

305
00:22:55,240 –> 00:23:00,000
So it’s less than what LastPass was like eight years ago.

306
00:23:00,000 –> 00:23:07,960
The family plan, which covers up to six users, is a little bit more compelling at $4 a month.

307
00:23:07,960 –> 00:23:13,760
But even Bitwarden is still cheaper than this at about $3.33 a month.

308
00:23:13,760 –> 00:23:19,800
So as far as we’re concerned, at least comparing LastPass to Bitwarden, you’re paying a lot

309
00:23:19,800 –> 00:23:25,960
more money for a less secure product, a less private product that’s collecting more of

310
00:23:25,960 –> 00:23:27,880
your information.

311
00:23:27,880 –> 00:23:32,040
And I don’t know about you, but that doesn’t sound like a very good deal to me.

312
00:23:32,040 –> 00:23:36,760
And just for anybody who’s wondering, we’re not sponsored by Bitwarden anyway.

313
00:23:36,760 –> 00:23:41,480
We have no relationship with Bitwarden at the time of this recording.

314
00:23:41,480 –> 00:23:46,080
We just talk about it because we like their service and we think that it’s a much better

315
00:23:46,080 –> 00:23:49,560
cloud based password manager than LastPass is.

316
00:23:49,560 –> 00:23:50,560
All right.

317
00:23:50,560 –> 00:23:56,800
So now let’s talk about the two password managers that we recommend at the present time.

318
00:23:56,800 –> 00:24:02,320
The first one is KeePass, K-E-E-P-A-S-S.

319
00:24:02,320 –> 00:24:07,400
We’ll talk about KeePass in more detail in a future episode, but for now, we’ll just

320
00:24:07,400 –> 00:24:13,640
go over some basics and explain a few reasons why we like it better than LastPass.

321
00:24:13,640 –> 00:24:17,280
So KeePass is free and open-source software (FOSS).

322
00:24:17,280 –> 00:24:20,560
It’s local only, meaning that it runs on your machine.

323
00:24:20,560 –> 00:24:24,160
It’s not backed up to a cloud or anything like that.

324
00:24:24,160 –> 00:24:30,000
And the original KeePass application is a Windows only application.

325
00:24:30,000 –> 00:24:36,600
However, KeePass uses an open encrypted database format that’s used by other clients.

326
00:24:36,600 –> 00:24:40,400
So there’s KeePassXC, which we really like.

327
00:24:40,400 –> 00:24:49,520
There’s KeePassDX, KeePass2Android, KeePassium, Strongbox, and other clients that read the

328
00:24:49,520 –> 00:24:51,720
KeePass format.

329
00:24:51,720 –> 00:24:56,120
So just keep that in mind when you hear people talk about KeePass, they might not be talking

330
00:24:56,120 –> 00:24:59,280
about the original KeePass application.

331
00:24:59,280 –> 00:25:05,600
They might be talking about another client that reads the KeePass database format.

332
00:25:05,600 –> 00:25:10,560
And you might not have heard of KeePass before, and there’s a good reason for that.

333
00:25:10,560 –> 00:25:16,800
When you go to YouTube or Google or something like that and you search for what’s the best

334
00:25:16,800 –> 00:25:22,520
password manager or what’s the best VPN or something like that, you typically don’t get

335
00:25:22,520 –> 00:25:24,960
true answers to those questions.

336
00:25:24,960 –> 00:25:30,880
What you get are a list of applications and services that pay affiliate marketers a very

337
00:25:30,880 –> 00:25:37,160
high commission, which is why you’ll typically see things like LastPass and NordVPN and these

338
00:25:37,160 –> 00:25:39,840
other applications that we don’t like.

339
00:25:39,840 –> 00:25:45,480
But they’re very popular because most content creators out there are pushing these applications

340
00:25:45,480 –> 00:25:47,640
to get those commissions.

341
00:25:47,640 –> 00:25:51,960
So you’ll hardly hear a peep out of anybody about KeePass because creators aren’t getting

342
00:25:51,960 –> 00:25:54,240
paid to shill it to you.

343
00:25:54,240 –> 00:25:59,120
So we’ll talk about some pros and cons with KeePass because like anything else, it’s not

344
00:25:59,120 –> 00:26:05,080
perfect and it’s not necessarily right for everyone, which is why we also recommend Bitwarden.

345
00:26:05,080 –> 00:26:08,200
But the great thing about KeePass is it’s free.

346
00:26:08,200 –> 00:26:09,200
It’s completely free.

347
00:26:09,200 –> 00:26:12,480
There’s no freemium model or anything like that.

348
00:26:12,480 –> 00:26:16,400
It’s extremely private because it only runs locally on your system.

349
00:26:16,400 –> 00:26:21,320
There’s no cloud involved unless that’s how you want to back up your database file.

350
00:26:21,320 –> 00:26:26,720
And it’s very secure, depending on how you use it, obviously, you’re going to want to

351
00:26:26,720 –> 00:26:29,440
give it a strong master password.

352
00:26:29,440 –> 00:26:34,800
And depending on what client you’re using, you might have tons of options for what encryption

353
00:26:34,800 –> 00:26:39,280
algorithm to use and what key derivation function to use.

354
00:26:39,280 –> 00:26:46,240
And some clients also support key files and security keys with challenge-response.

355
00:26:46,240 –> 00:26:53,400
So it’s a very secure, very private application that’s very popular with IT and cybersecurity

356
00:26:53,400 –> 00:26:55,160
professionals.

357
00:26:55,160 –> 00:27:00,320
We use KeePass extensively, but there are some things that you might not like about

358
00:27:00,320 –> 00:27:01,320
it.

359
00:27:01,320 –> 00:27:07,800
First of all, the user is responsible for managing the KeePass database file.

360
00:27:07,800 –> 00:27:13,680
So if you’re not good about managing and backing up your data and keeping track of different

361
00:27:13,680 –> 00:27:19,920
versions of your data, this might be something to keep in mind. Along those lines, because

362
00:27:19,920 –> 00:27:22,560
KeePass is offline,

363
00:27:22,560 –> 00:27:29,080
there are some difficulties in doing things like syncing your database file between devices,

364
00:27:29,080 –> 00:27:35,440
sharing passwords with other people, and implementing a feature like emergency access, which you

365
00:27:35,440 –> 00:27:41,280
see in LastPass and Bitwarden and some of these other cloud-based password managers.

366
00:27:41,280 –> 00:27:47,120
That is a downside of KeePass, but it’s not necessarily insurmountable.

367
00:27:47,120 –> 00:27:52,920
You can use things like SyncThing to sync your database file between your devices.

368
00:27:52,920 –> 00:27:57,120
And I think a lot of people don’t really think this through, but you don’t necessarily need

369
00:27:57,120 –> 00:27:59,880
to have one database file.

370
00:27:59,880 –> 00:28:03,840
You can have different KeePass database files for different purposes.

371
00:28:03,840 –> 00:28:08,720
So if you do need to share passwords with someone else, you can put those passwords in their

372
00:28:08,720 –> 00:28:14,000
own database file and then use something like SyncThing to share them between you.

373
00:28:14,000 –> 00:28:18,920
And another thing to keep in mind if you’re considering using KeePass is what operating

374
00:28:18,920 –> 00:28:24,640
systems you’re using and whether there’s a client available or which client is right

375
00:28:24,640 –> 00:28:28,760
for you, that makes things a little bit more complicated.

376
00:28:28,760 –> 00:28:33,480
So like I said, the original KeePass client is Windows only.

377
00:28:33,480 –> 00:28:40,160
There’s a very popular one on Linux called KeePassXC, which is what we primarily use.

378
00:28:40,160 –> 00:28:41,680
It’s very good.

379
00:28:41,680 –> 00:28:44,240
And I think that one is also cross-platform.

380
00:28:44,240 –> 00:28:50,960
So if you’re trying to use Windows and Linux, possibly Mac as well, I can’t remember.

381
00:28:50,960 –> 00:28:53,720
KeePassXC is probably a good choice.

382
00:28:53,720 –> 00:28:58,360
And then when you go to mobile, that’s where things get a little bit more complicated.

383
00:28:58,360 –> 00:29:01,920
So on iOS, there are a couple of good clients.

384
00:29:01,920 –> 00:29:05,360
I’ve used Strongbox, which is very good.

385
00:29:05,360 –> 00:29:10,280
One of the things I like about Strongbox is it has YubiKey support.

386
00:29:10,280 –> 00:29:17,760
So if you have a YubiKey, I think I tested it with a YubiKey with NFC.

387
00:29:17,760 –> 00:29:19,400
It does support that.

388
00:29:19,400 –> 00:29:25,880
The only downside to that is I’m pretty sure the pro version of Strongbox is like $45 or

389
00:29:25,880 –> 00:29:28,000
something, which we did pay for.

390
00:29:28,000 –> 00:29:32,760
It’s a little rich for my blood, but you know, it is a good option.

391
00:29:32,760 –> 00:29:38,160
And I think there’s also one called KeePassium on iOS, which a lot of people like.

392
00:29:38,160 –> 00:29:40,200
We just haven’t tested that one.

393
00:29:40,200 –> 00:29:46,880
And then on Android, there’s KeePassDX and KeePass2Android.

394
00:29:46,880 –> 00:29:49,160
I’ve heard a lot of good things about those.

395
00:29:49,160 –> 00:29:54,640
We’ve only tested KeePassDX and so far we like it, but that’s just something to keep

396
00:29:54,640 –> 00:30:01,400
in mind on client situation with KeePass, especially between workstation and mobile

397
00:30:01,400 –> 00:30:04,760
and different operating systems and stuff is not,

398
00:30:04,760 –> 00:30:05,760
it’s not ideal.

399
00:30:05,760 –> 00:30:09,680
It’s not as seamless as using something like LastPass or Bitwarden or something else like

400
00:30:09,680 –> 00:30:10,680
that.

401
00:30:10,680 –> 00:30:14,200
So now let’s talk about Bitwarden in a little bit more detail.

402
00:30:14,200 –> 00:30:16,640
Bitwarden is also open-source.

403
00:30:16,640 –> 00:30:22,920
It’s got a freemium model and their free tier is actually pretty good.

404
00:30:22,920 –> 00:30:29,800
It’s more powerful than what LastPass has to offer and their paid tiers are very reasonably

405
00:30:29,800 –> 00:30:32,800
priced and they’re very powerful.

406
00:30:32,800 –> 00:30:39,040
I think that the paid tiers put them on par with the features that LastPass has to offer.

407
00:30:39,040 –> 00:30:45,600
But then again, they are open-source and they don’t include third party trackers in their

408
00:30:45,600 –> 00:30:47,920
clients as far as I can tell.

409
00:30:47,920 –> 00:30:52,520
So we think it’s a much better option than at least LastPass.

410
00:30:52,520 –> 00:30:56,880
And by default, Bitwarden syncs with their cloud.

411
00:30:56,880 –> 00:31:02,000
That’s where your database file gets backed up to, but they do have a self host option

412
00:31:02,000 –> 00:31:06,800
if that’s your thing. If you are going to use Bitwarden, we would recommend that you

413
00:31:06,800 –> 00:31:11,720
use the apps and not the browser extension for the reasons that we mentioned earlier

414
00:31:11,720 –> 00:31:13,800
when talking about LastPass.

415
00:31:13,800 –> 00:31:19,000
We would also recommend setting a very strong, unique password.

416
00:31:19,000 –> 00:31:26,000
If they are storing your database in their cloud, they are also vulnerable to a hacker

417
00:31:26,000 –> 00:31:31,200
getting into their cloud and stealing your vault just like what happened with LastPass.

418
00:31:31,200 –> 00:31:36,480
But the difference here is that Bitwarden is more transparent about what they’re encrypting

419
00:31:36,480 –> 00:31:38,200
and how they’re encrypting it.

420
00:31:38,200 –> 00:31:42,120
And as far as we can tell, they’re doing a lot better job than LastPass was.

421
00:31:42,120 –> 00:31:47,200
So as long as you’re using a really good, unique password, even if someone does get

422
00:31:47,200 –> 00:31:51,440
into their cloud and steal your vault, you should be safe.

423
00:31:51,440 –> 00:31:57,400
And as an added layer of protection, which these apply to any cloud based password manager,

424
00:31:57,400 –> 00:32:02,360
by the way, this isn’t specific to Bitwarden. But we would also recommend, I can’t remember

425
00:32:02,360 –> 00:32:08,720
if you log in with either an email address or username, but however they do it, we always

426
00:32:08,720 –> 00:32:13,840
recommend that you use a unique email address or username, just in case somebody does get

427
00:32:13,840 –> 00:32:18,880
into their systems, they can’t necessarily piece together who’s behind, you know, what

428
00:32:18,880 –> 00:32:22,040
accounts or what database or something like that.

429
00:32:22,040 –> 00:32:28,640
So we typically recommend that our clients first consider whether they can make something

430
00:32:28,640 –> 00:32:33,440
like KeePass work, and if they can’t or they don’t like it for whatever reason, like they

431
00:32:33,440 –> 00:32:38,120
don’t, they don’t want to manage the database file themselves or, you know, syncing and

432
00:32:38,120 –> 00:32:41,560
sharing is just too difficult or something like that.

433
00:32:41,560 –> 00:32:45,360
Then a cloud-based password manager is probably right for you.

434
00:32:45,360 –> 00:32:49,440
And we think that Bitwarden is probably the best cloud based password manager there is

435
00:32:49,440 –> 00:32:51,520
for most people.

436
00:32:51,520 –> 00:32:57,240
But if you are going to use Bitwarden or any other cloud based password manager, there

437
00:32:57,240 –> 00:33:02,280
are still concerns that someone could breach their vault or hack one of their employees

438
00:33:02,280 –> 00:33:05,640
and get access to your vault database.

439
00:33:05,640 –> 00:33:11,440
And if they do, you better hope that you’re using a very strong and secure password to

440
00:33:11,440 –> 00:33:14,320
prevent them from being able to crack it.

441
00:33:14,320 –> 00:33:19,080
And if you’re having trouble deciding between the two, we think you should consider using

442
00:33:19,080 –> 00:33:20,080
both.

443
00:33:20,080 –> 00:33:23,280
We use both password managers for different purposes.

444
00:33:23,280 –> 00:33:28,880
So just as an example for you to think about, you could use KeePass for very personal, you

445
00:33:28,880 –> 00:33:34,440
know, high security items, notes, passwords, et cetera, and use Bitwarden for something

446
00:33:34,440 –> 00:33:40,320
like low priority passwords or something that you might need out on the go or for sharing

447
00:33:40,320 –> 00:33:45,840
credentials with your friends, family, coworkers, employees, things like that.

448
00:33:45,840 –> 00:33:52,280
So you can use both and especially considering, you know, KeePass is free, Bitwarden has a

449
00:33:52,280 –> 00:33:58,080
nice free tier, and even their paid tier is very reasonably priced, you really should consider

450
00:33:58,080 –> 00:33:59,080
using both.

451
00:33:59,080 –> 00:34:03,280
All right, so to start wrapping things up here, make sure you subscribe because we’re

452
00:34:03,280 –> 00:34:08,920
working on another episode where we’re going to talk about lessons from the LastPass hack.

453
00:34:08,920 –> 00:34:14,200
And if you are a LastPass user, what you can do to protect yourself.

454
00:34:14,200 –> 00:34:19,400
And another thing that we want to stress here is the importance of taking action.

455
00:34:19,400 –> 00:34:23,680
Stay on top of your security because no one else is going to do that for you.

456
00:34:23,680 –> 00:34:29,440
I mean, we help our clients out as much as we can, but we can only do so much.

457
00:34:29,440 –> 00:34:38,400
So for example, we helped a client about a year ago transition from LastPass to Bitwarden.

458
00:34:38,400 –> 00:34:43,440
And when we left off from that meeting, we had helped her set up a Bitwarden account,

459
00:34:43,440 –> 00:34:49,480
showed her how to use it, and gave her some tips for moving her accounts over from LastPass

460
00:34:49,480 –> 00:34:53,200
to Bitwarden, and then instructed her to delete it.

461
00:34:53,200 –> 00:34:58,000
So we weren’t going to just sit there and spend hours helping her do that unless she

462
00:34:58,000 –> 00:35:03,000
asked us to because we don’t believe in racking up high fees for our client unless there’s

463
00:35:03,000 –> 00:35:05,200
a very good reason for it.

464
00:35:05,200 –> 00:35:13,000
And after this hack in 2022, I asked her about this maybe a few weeks ago, and she still

465
00:35:13,000 –> 00:35:15,080
hasn’t deleted LastPass.

466
00:35:15,080 –> 00:35:21,280
And I, I gathered that she wasn’t moving her accounts over like we instructed her to.

467
00:35:21,280 –> 00:35:25,960
So you know, I had to mention to her like, “Hey, by the way, they got hacked.

468
00:35:25,960 –> 00:35:29,960
A hacker might very well have your password vault now.”

469
00:35:29,960 –> 00:35:35,920
And now I’m concerned, perhaps even more than she is, that someone might crack into her

470
00:35:35,920 –> 00:35:39,560
vault and start breaching all of her other accounts.

471
00:35:39,560 –> 00:35:42,200
So make sure you stay on top of things.

472
00:35:42,200 –> 00:35:46,960
You might be like her and think like, “Well, I don’t have the time to go through, you know,

473
00:35:46,960 –> 00:35:51,200
100 different accounts and move them over from one system to another.”

474
00:35:51,200 –> 00:35:57,600
But think about how that might compare to someone hacking into your LastPass vault and

475
00:35:57,600 –> 00:36:01,440
getting into your email accounts and your bank accounts and whatnot.

476
00:36:01,440 –> 00:36:06,000
Trust me, that’ll be a lot more painful for her to deal with than just simply moving her

477
00:36:06,000 –> 00:36:09,480
accounts from one password manager to another.

478
00:36:09,480 –> 00:36:12,840
And finally, consider becoming a Bigger Insights client.

479
00:36:12,840 –> 00:36:17,120
We help our clients live more private, secure lives by helping them navigate these kinds

480
00:36:17,120 –> 00:36:18,640
of issues.

481
00:36:18,640 –> 00:36:22,920
Like I said earlier, we started warning our clients about, you know, the dangers that

482
00:36:22,920 –> 00:36:27,160
LastPass posed back in, I believe, 2021.

483
00:36:27,160 –> 00:36:32,760
And for those that actually took our advice, they should be fine as long as LastPass actually

484
00:36:32,760 –> 00:36:34,840
deleted their account.

485
00:36:34,840 –> 00:36:39,920
So if that sounds interesting to you, go to our website, BiggerInsights.com, and fill

486
00:36:39,920 –> 00:36:43,440
out the short form at the bottom to schedule your initial consultation.

487
00:36:43,440 –> 00:36:49,400
But otherwise, if you know anybody who’s using LastPass, you might want to share this podcast

488
00:36:49,400 –> 00:36:54,360
with them to warn them of the dangers that they’re dealing with and give them ideas

489
00:36:54,360 –> 00:36:57,840
for moving to a more secure and private password manager.

490
00:36:57,840 –> 00:36:59,160
All right, that’s it.

491
00:36:59,160 –> 00:37:03,720
So make sure you subscribe because we’re producing a lot more great content like this.

492
00:37:03,720 –> 00:37:29,000
Thanks for staying until the end and stay safe out there.

Blog

The Good Side of LastPass

Let’s start out on a positive note. LastPass is a feature-rich password manager that has a lot going for it:

  1. LastPass is generally feature-rich. You would be hard-pressed to find significant features that other services have, but LastPass does not.
  2. There are many multi-factor authentication (MFA) options, including YubiKey (security key).
  3. LastPass does a solid job of informing users of password vulnerabilities. This includes password reuse, weakness, and checks for presence in the dark web.
  4. The Emergency Access feature is useful. In our opinion, such a feature is one of the few reasons to use a cloud-based password manager.
  5. The random password generator is useful. In addition to coloring letters vs. numbers for clarity, you can also have it create passwords that are easier to read.
  6. From our testing, LastPass.com doesn’t block Tor users, which we appreciate.

The Ugly Side of LastPass

A Troubled History

We started testing and evaluating LastPass around the time GoTo (formerly LogMeIn) bought it. Soon after this acquisition, GoTo doubled the prices from $1/month to $2/month. Did they double the value of the service? No – no they didn’t. It was essentially the same, only now twice the price. This kind of story is common in the software industry: Someone creates an innovative product or service, then some large player buys it. Then, things usually go downhill – prices increase, quality goes down, surveillance increases, etc. Just look at what Meta (Facebook) did to WhatsApp. WhatsApp used to be pretty decent until Meta bought it and turned it into a corporate surveillance engine.

LastPass also has a spotty security track record – not something you want from a security service. Some consider this to be a non-issue because your data is encrypted locally. The idea here is that if LastPass itself gets hacked, your data should still be safe because it’s encrypted at rest and only you have the key. However, we disagree. If LastPass is dropping the ball on security, this exposes users to supply chain attacks. If an attacker gains write access to their source code repository or their build and signing pipeline, for example, they could inject malware into the LastPass clients that get pushed out to your device during the next update, and local encryption is no defense against a client that reads your vault after you unlock it.

During our testing, we once saw LastPass show us sensitive information, in plain-text, from an account that we had previously deleted. That was not confidence-inspiring.


Closed-source Clients

Most of the LastPass clients are closed-source**, which is extremely disappointing. An application that’s intended to protect your security should be open-source so the community can verify that it’s living up to its claims. Otherwise, all you have is the company’s promises. A tech company’s promises are worth about as much as a politician’s. Remember when Zoom lied to customers for years, claiming their service used end-to-end encryption when it didn’t? These are the prizes you win when you play with closed-source software.

Speaking of prizes, users should be aware that we’ve discovered Google trackers in the LastPass iOS app (as of September 21, 2022). When we installed the app and clicked the sign in and create account links, LastPass attempted to make three connections to firebaselogging-pa.googleapis.com. Needless to say, we don’t appreciate our data going to the likes of Google.

To drive this point home, let’s also compare the tracking data LastPass collects vs Bitwarden (an open-source competitor) in their respective iOS apps. Not surprisingly, LastPass not only collects more data, but more sensitive data at that. LastPass collects location data, whereas Bitwarden does not. Location can be used to flag potential security concerns (e.g. if you live in Texas and someone logs in from Bangladesh). However, considering the Google trackers and closed-source clients, why would anyone entrust their location data to this company? This is why apps like LastPass are closed-source – to hide shenanigans like these from users.

**There is an open-source command line client, but this isn’t appropriate for many users and use cases. LastPass released this almost 8 years ago and as far as we’re aware, this didn’t blow up in their faces. Therefore, what’s the excuse for not open-sourcing the other clients?

Browser Extensions are Problematic

LastPass is primarily used as a browser extension in desktop environments. They do distribute desktop apps, but our research has determined that these aren’t as solid as the browser extensions.

While convenient at times, browser extensions are inherently problematic for two reasons:

  1. You sacrifice compartmentalization, which is a security concern. When it comes to browsers, the KISS (Keep It Simple, Stupid) method is best. Your browser directly receives and interprets [potentially-malicious] code from the internet. The more data you store in your browser (passwords, credit cards, addresses, etc.), the more risk you take.
  2. Browser extensions make it easier for websites to fingerprint you. Many websites look at several metrics, including what extensions you have installed, to identify you and record your activities across the web. Although LastPass is a popular extension, more people do NOT use it, making those that have it installed more identifiable. The ideal number of browser extensions is 0.

Screenshot from lastpass.com (September 22, 2022)

Encouraging Risky Behaviors

During our testing, we were disappointed to see the degree to which LastPass would encourage users to store highly sensitive data beyond passwords. This includes credit card details, bank information, passport numbers, etc. Having the option is one thing, but encouraging your users to put all of this other info in your app is irresponsible. Take a gander at the above screenshot from lastpass.com (September 22, 2022). Here we can see:

  1. Payment cards
  2. Bank accounts
  3. Driver’s license
  4. Health insurance
  5. Passport
  6. Social Security

Even though they claim the app is trustworthy, which we can’t verify because it’s closed-source, the “don’t keep all your eggs in one basket” rule still applies. Nothing is completely secure. Please do not store extraneous data in a password manager unless you have a very good reason. What would one do with a passport number in LastPass anyway? If you need to travel, you probably need your actual passport.

LastPass is Expensive for What it Offers

The following pricing information is current as of September 23, 2022.

Free Tier

Don’t get your hopes up over the LastPass free tier as it’s relatively useless. There was actually quite a bit of backlash about this when LastPass gutted the free tier by limiting it to one type of device. Bitwarden’s free tier, on the other hand, places no such limitations.

Premium

The Premium subscription is $3/month, billed annually (USD). This is pretty pricey, especially considering it was only $1/month just a few years ago for essentially the same product. Bitwarden’s Premium tier is only $10 per year, less than a third of LastPass.

Families

The Families subscription is a little more compelling at $4/month. It covers up to 6 people, and it only takes 2 of them to make it worthwhile relative to two Premium subscriptions. However, Bitwarden’s Families tier (also 6 people) is still cheaper at $3.33/month.

Use These Password Managers Instead

If you use or are considering using LastPass, we encourage you to consider the following alternatives. 

KeePass

Do you:

  1. Like money?
  2. Enjoy increased levels of privacy and security?
  3. Want something simple and portable that just works?

If your answer to these is “Yes”, then KeePass may be right for you. KeePass is a free and open-source password manager*** that’s been around since 2003. Rather than store your passwords in “the cloud” (i.e. other people’s computers), KeePass stores them in an encrypted database file on your machine. Of course, this leaves you responsible for managing your vault (backups, syncing between devices and clients, etc.).

You might be thinking, “If KeePass is so great, why have I never heard of it?” The answer is because it’s completely free. Because it’s free, marketers don’t get paid to peddle it, so peddle it they do not.

***Although there is an official KeePass application, we’re really referring to the KeePass password vault specification. Because it’s open-source (and awesome), there are many “KeePass” clients that use the KeePass vault specification as a basis. The details are beyond the scope of this article, but we mention this because we may recommend different “KeePass” apps (KeePassXC, KeePassDX, Strongbox, etc.) to our clients depending on their needs.
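
To make the “encrypted database file” concrete, here is an added example (not code from KeePass or any of the clients named above) that reads the unencrypted outer header of a KDBX 4 file, the format these clients share, and reports which cipher and key-derivation function (KDF) protect the vault, then flags settings that would make an offline attack on a stolen copy cheap. The header layout and the cipher/KDF identifiers are the published KDBX 4 values; the sample headers are constructed inline so the script runs without a real vault, and the warning thresholds (64 MiB for Argon2, 6,000,000 rounds for AES-KDF) are this example’s own assumptions, not any client’s defaults.

```python
import struct

# Added example, not code from KeePass or any client named above: read the unencrypted
# outer header of a KDBX 4 file and report the cipher and key-derivation function (KDF).
SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67
FIELD_END, FIELD_CIPHER, FIELD_COMPRESSION, FIELD_KDF = 0, 2, 3, 11
# Cipher/KDF identifiers are 16 raw bytes in the header (published KeePass values).
CIPHERS = {bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"): "AES-256-CBC",
           bytes.fromhex("d6038a2b8b6f4cb5a524339a31dbb59a"): "ChaCha20"}
KDFS = {bytes.fromhex("c9d9f39a628a4460bf740d08c18a4fea"): "AES-KDF",
        bytes.fromhex("ef636ddf8c29444b91f7a9a403e30a0c"): "Argon2d",
        bytes.fromhex("9e298b1956db4773b23dfc3ec6f0a1e6"): "Argon2id"}
# VariantDictionary value-type tag -> decoder for the raw value bytes
VD_DECODE = {0x04: lambda r: struct.unpack("<I", r)[0], 0x05: lambda r: struct.unpack("<Q", r)[0],
             0x08: lambda r: r[0] != 0, 0x0C: lambda r: struct.unpack("<i", r)[0],
             0x0D: lambda r: struct.unpack("<q", r)[0], 0x18: lambda r: r.decode(), 0x42: bytes}


def parse_variant_dict(buf):
    """Decode the KDF-parameters blob (a KDBX 4 VariantDictionary) into a dict."""
    (version,) = struct.unpack_from("<H", buf, 0)
    if version >> 8 != 1:
        raise ValueError("unsupported VariantDictionary version %#x" % version)
    pos, out = 2, {}
    while buf[pos] != 0:                      # a zero type byte terminates the dictionary
        vtype, (nlen,) = buf[pos], struct.unpack_from("<I", buf, pos + 1)
        name = buf[pos + 5:pos + 5 + nlen].decode()
        pos += 5 + nlen
        (vlen,) = struct.unpack_from("<I", buf, pos)
        raw = bytes(buf[pos + 4:pos + 4 + vlen])
        pos += 4 + vlen
        if vtype not in VD_DECODE:
            raise ValueError("unknown VariantDictionary type %#x" % vtype)
        out[name] = VD_DECODE[vtype](raw)
    return out


def parse_kdbx4_header(data):
    """Walk the outer header fields; returns version, cipher, compression and KDF details."""
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX file")
    major, minor = version >> 16, version & 0xFFFF
    if major != 4:                            # KDBX 3.x uses a different field layout
        raise ValueError("only KDBX 4.x headers are handled here (got %d.%d)" % (major, minor))
    info, pos = {"version": "%d.%d" % (major, minor)}, 12
    while True:                               # each field: 1-byte id, 4-byte LE size, data
        fid, (size,) = data[pos], struct.unpack_from("<I", data, pos + 1)
        body = bytes(data[pos + 5:pos + 5 + size])
        pos += 5 + size
        if fid == FIELD_END:
            return info
        if fid == FIELD_CIPHER:
            info["cipher"] = CIPHERS.get(body, "unknown")
        elif fid == FIELD_COMPRESSION:
            info["compressed"] = struct.unpack("<I", body)[0] == 1
        elif fid == FIELD_KDF:
            info["kdf_params"] = params = parse_variant_dict(body)
            info["kdf"] = KDFS.get(params.get("$UUID"), "unknown")


def kdf_warnings(info, min_argon2_mib=64, min_aes_rounds=6_000_000):
    """Flag KDF settings that make offline cracking of a stolen .kdbx cheap.
    The thresholds are this example's own assumptions, not any client's defaults."""
    found, p, kdf = [], info.get("kdf_params", {}), info.get("kdf", "unknown")
    if kdf == "AES-KDF":
        found.append("AES-KDF in use; Argon2 makes GPU cracking far more expensive")
        if p.get("R", 0) < min_aes_rounds:
            found.append("AES-KDF rounds %d below %d" % (p.get("R", 0), min_aes_rounds))
    elif kdf.startswith("Argon2"):
        mib = p.get("M", 0) // (1024 * 1024)
        if mib < min_argon2_mib:
            found.append("Argon2 memory %d MiB below %d MiB" % (mib, min_argon2_mib))
    else:
        found.append("unrecognised KDF: %s" % kdf)
    return found


# Constructed sample headers (no real vault data) so the parser can be exercised offline.
def _vd(entries):
    out = struct.pack("<H", 0x0100)
    for vtype, name, raw in entries:
        n = name.encode()
        out += struct.pack("<BI", vtype, len(n)) + n + struct.pack("<I", len(raw)) + raw
    return out + b"\x00"


def build_sample_header(kdf="Argon2id", memory_mib=64, aes_rounds=60_000):
    """KDBX 4.1 outer header with AES-256, gzip and the requested KDF parameters."""
    uuid, salt = next(k for k, v in KDFS.items() if v == kdf), b"\x11" * 32
    if kdf == "AES-KDF":
        entries = [(0x42, "$UUID", uuid), (0x05, "R", struct.pack("<Q", aes_rounds)), (0x42, "S", salt)]
    else:
        entries = [(0x42, "$UUID", uuid), (0x42, "S", salt), (0x04, "P", struct.pack("<I", 2)),
                   (0x05, "M", struct.pack("<Q", memory_mib * 1024 * 1024)),
                   (0x05, "I", struct.pack("<Q", 2)), (0x04, "V", struct.pack("<I", 0x13))]
    fields = [(FIELD_CIPHER, bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")),
              (FIELD_COMPRESSION, struct.pack("<I", 1)), (4, b"\x22" * 32), (7, b"\x33" * 16),
              (FIELD_KDF, _vd(entries)), (FIELD_END, b"\r\n\r\n")]
    return struct.pack("<III", SIG1, SIG2, 0x00040001) + b"".join(
        struct.pack("<BI", fid, len(body)) + body for fid, body in fields)
```

Against a real file, pass the first few kilobytes of the .kdbx to parse_kdbx4_header; the outer header is not encrypted, so nothing here needs the master password, and a KDBX 3.x file is rejected rather than misread. A weak KDF is exactly what an attacker who has copied your database file (from a cloud backup, a lost laptop, or a synced folder) gets to exploit, so this is worth checking before you rely on the master password alone.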

Bitwarden

If you’re looking for a more managed solution, Bitwarden is a great alternative to LastPass. Like LastPass, Bitwarden encrypts your data locally before uploading it to their cloud. They also have a self-hosting option if you don’t want to use their cloud. Unlike LastPass, Bitwarden is reasonably-priced, its clients are open-source, and its free tier is actually useful.

Final Thoughts

LastPass isn’t a terrible service. Most people aren’t using any password manager. For them, using LastPass would be an improvement. If there were no other options available, we would rather use LastPass than nothing at all. However, we do have other options. Great options, in fact.

We recommend that clients first see if they can make KeePass work. With it being free, widely-adopted, and local, this is a great place to start. If KeePass doesn’t meet your needs, consider Bitwarden before LastPass. Should you insist on using LastPass or are forced to (e.g. for work), we recommend the following:

  1. Implement multiple MFA options
  2. Do not store any information in here beyond what’s necessary
  3. Where you can, use the mobile app instead of the browser extension
  4. For mobile apps, revoke all unnecessary permissions (e.g. location) in your OS settings
  5. Consider a firewall to prevent LastPass apps from contacting privacy-invasive trackers (e.g. Google)
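
The Firebase connections noted under “Closed-source Clients” and the firewall suggestion in item 5 above both come down to the same check: which apps are talking to which tracker endpoints. The following is an added example, not code from LastPass, Bitwarden or this site, that runs that check over a per-app connection log. The log lines are constructed for the example (the line format is an assumption; adjust LOG_RE to whatever your firewall or DNS resolver actually emits), firebaselogging-pa.googleapis.com is the endpoint observed above, and app-measurement.com is a second Google Firebase analytics endpoint added by this example.

```python
import re
from collections import defaultdict

# Added example (not LastPass's, Bitwarden's or this site's code): find which apps contact
# known tracker endpoints in a per-app connection log, and emit block entries for them.
TRACKER_DOMAINS = {
    "firebaselogging-pa.googleapis.com": "Google Firebase logging",  # seen in the LastPass iOS app
    "app-measurement.com": "Google Analytics for Firebase",           # added by this example
}
# Assumed log format: "<timestamp> app=<name> dst=<host>:<port> ..."; adapt to your tooling.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+app=(?P<app>\S+)\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)")


def matching_tracker(host):
    """Return the tracker domain that host equals or is a subdomain of, else None.
    Matching on label boundaries avoids 'notgoogleapis.com' matching 'googleapis.com'."""
    host = host.lower().rstrip(".")
    for domain in TRACKER_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan(lines):
    """Return {app: {tracker_domain: hit_count}} for every tracker contact in the log."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: skip rather than guess
        domain = matching_tracker(m["host"])
        if domain:
            hits[m["app"]][domain] += 1
    return {app: dict(per_app) for app, per_app in hits.items()}


def hosts_block_entries(report):
    """One blocking option: null-route every tracker domain the scan found, as hosts-file lines."""
    domains = sorted({d for per_app in report.values() for d in per_app})
    return ["0.0.0.0 %s" % d for d in domains]


# Constructed sample log; the three Firebase hits mirror the three connections noted above.
SAMPLE_LOG = """\
2022-09-21T14:02:11Z app=LastPass dst=lastpass.com:443 proto=tcp
2022-09-21T14:02:12Z app=LastPass dst=firebaselogging-pa.googleapis.com:443 proto=tcp
2022-09-21T14:02:12Z app=LastPass dst=firebaselogging-pa.googleapis.com:443 proto=tcp
2022-09-21T14:02:13Z app=LastPass dst=firebaselogging-pa.googleapis.com:443 proto=tcp
2022-09-21T14:05:40Z app=OtherApp dst=sync.example.com:443 proto=tcp
2022-09-21T14:06:02Z app=Weather dst=app-measurement.com:443 proto=tcp
2022-09-21T14:06:03Z app=Weather dst=notgoogleapis.com:443 proto=tcp
""".splitlines()

if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for app, per_app in report.items():
        for domain, count in per_app.items():
            print("%s -> %s (%s) x%d" % (app, domain, TRACKER_DOMAINS[domain], count))
    print("\n".join(hosts_block_entries(report)))
```

Matching on label boundaries matters: a naive endswith("googleapis.com") would also flag notgoogleapis.com. The hosts-file lines are one way to block what the scan found on a desktop; on a phone you cannot edit the hosts file, so a per-app firewall or a filtering DNS profile is what actually enforces item 5.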

If you would find value in professional assistance with implementing a password management solution, please reach out to us using our contact form at the bottom of the page.
