Slashdot Mirror


Popular Password Manager LastPass Doubles Price of Its Premium Plan, Removes features From Its Free Service Tier (neowin.net)

An anonymous reader shares a report: In November, LastPass made a big change to its service, allowing users to keep track of their passwords across all their internet-enabled mobile and desktop devices, free of charge. In addition to the free tier, the cross-platform password manager -- available on iOS, Android, and Windows 10 -- also offered a Premium plan with additional features, priced at $12 per year. Today, LastPass announced another wave of changes to its lineup for individual users -- but this time, the changes are unlikely to be welcomed with open arms by its customers. LastPass Premium has now doubled in price to $24 a year, which includes "emergency access, the ability to share single passwords and items with multiple people, priority tech support, advanced multi-factor authentication, LastPass for applications, and 1GB of encrypted file storage," along with all the other features of the Free tier. In a statement, the company said, "While LastPass Free continues to offer access on all browsers and devices and the core LastPass password management functionality, unlimited sharing and emergency access are now Premium features. Free users will be able to share one item with one other individual."


  1. I use passwords.txt. by Anonymous Coward · · Score: 1, Insightful

    Format:

    # SomeShittySite
    username / password

    # AnotherShittySite
    username / password

    # AThirdShittySite
    username / password

    $0/year. You can have this "service" for free.

    1. Re:I use passwords.txt. by ShanghaiBill · · Score: 4, Funny

      I do the same, except I have the same 6 byte prefix for all the passwords. So if a password is listed in "passwords.txt" as "correctHorseBatteryStaple" the real password is "7Rz8t5correctHorseBatteryStaple". If anyone gets access to my list, they won't know the prefix, or even know that there is a prefix.

    2. Re:I use passwords.txt. by Captain+Splendid · · Score: 1

      Yeah, I do something very similar except my prefix is a calculation, not an addition, and I don't bother with a text file, I keep it all in my head. I also segregate passwords into tiers, depending on the service. Throwaway web accounts do not need the complexity my online banking does. I do have an encrypted excel file for my wife to use should something happen to me though...

      --
      Linux, you magnificent bastard, I read the fucking manual!
    3. Re:I use passwords.txt. by Solandri · · Score: 1

      Sony did the same thing. And when they got hacked, all their passwords were revealed to the world too.

      If you're gonna store your passwords locally, it needs to be encrypted with a single master password which you never write down.

    4. Re:I use passwords.txt. by unixisc · · Score: 2

      Yeah, but that's not automatically available from any device. Lastpass allows that. I adopted LastPass but do not need any of the extra features, just the simple logins & passwords. Note, however, that LastPass also allows you to store things like Credit Card information (in case one gets stolen), DMV, WiFi SSIDs, Bank Accounts, Router info, et al. All of it quite handy. I don't need emergency access, tech support, ability to share, multi factor authentication or any of that.

    5. Re:I use passwords.txt. by Anonymous Coward · · Score: 3, Insightful

      It's misdirection all the way down.

      His password is Hunter2

    6. Re:I use passwords.txt. by infolation · · Score: 1

      And enforce numbers, punctuation & mixed capitalisation on yourself. If you get your own prefix wrong, SMS 2FA.

    7. Re:I use passwords.txt. by vux984 · · Score: 1

      I do something very similar except my prefix is a calculation,

      I used to do that. Then sites started having breaches, and that would require me to change the password I used, and the calculation method doesn't cope with that well.

      And other sites with goofy rules about password expiration/rotation, or stupid length requirements (forcing me to use shorter passwords than I want, or omit punctuation etc...)

      It started to be much too difficult to keep in my head all the exceptions to the "rule".

    8. Re:I use passwords.txt. by ShanghaiBill · · Score: 1

      It's a good idea, but you should make the prefix 8 characters long.

      Some sites only allow 8 bytes. So the prefix would be the entire password, leading to the same repeated password on all these sites.

      A few years ago my bank limited passwords to 8 bytes ... and insisted that they be changed every 3 months to show they were serious about security.

    9. Re: I use passwords.txt. by VikingNation · · Score: 1

      Six characters that are alphanumeric is not that much entropy. If they know the word from the text file and your convention they can execute an exhaustive attack very quickly.

    10. Re:I use passwords.txt. by reboot246 · · Score: 1

      My bank is worse. I'm limited to numbers, uppercase letters, and lowercase letters - no characters or punctuation. Some security, huh?

    11. Re:I use passwords.txt. by sublayer · · Score: 1

      https://www.westpac.com.au/ limits the password for online banking to exactly six characters - letters and numbers only - and is not case sensitive.

      And you have to enter the password using the mouse and an on-screen keyboard so you can't copy/paste the password from a password manager.

    12. Re: I use passwords.txt. by Anonymous Coward · · Score: 1

      That is assuming someone gaining access to those passwords would know about that prefix in the first place, which is unlikely.
      So without that knowledge they would have to test both prefixes and suffixes, without knowledge of the length or of what characters can be in the prefix or suffix. Of course if someone is dedicated enough to brute force a password with an unknown modifier it is not that secure, but it is probably less trouble than dealing with a password manager.

    13. Re:I use passwords.txt. by RuaisLampSilog · · Score: 1

      You obviously have no clue of what you are saying and/or the implications of needing to store ~600 different logins, ssh keys and texts securely and still available wherever you go. Oh, and have the tool do the searching and autologin for you.

      --
      We all knew this would happen. Alas, we did it anyway.
    14. Re: I use passwords.txt. by RuaisLampSilog · · Score: 2

      Just in case: http://bash.org/?244321

      --
      We all knew this would happen. Alas, we did it anyway.
    15. Re:I use passwords.txt. by Captain+Splendid · · Score: 1

      And other sites with goofy rules about password expiration/rotation, or stupid length requirements (forcing me to use shorter passwords than I want, or omit punctuation etc...)

      This is where the 'tiers' come in. Lax password requirements/burner email addresses? Low tier. Most stuff? Medium Tier. Online banking/Sites with crazy requirements? Multiple 20 digit alphanumerics.

      --
      Linux, you magnificent bastard, I read the fucking manual!
    16. Re:I use passwords.txt. by maestroX · · Score: 1

      That's amazing! I have the same combination on my luggage!

    17. Re: I use passwords.txt. by ShanghaiBill · · Score: 1

      Six characters that are alpha numeric is not that much entropy.

      (26 + 26 + 10) ^ 6 = 56800235584

      If they know the word from the text file and your convention ...

      1. They don't know the convention
      2. They have no way to do offline search, so each attempt will be online and take a significant fraction of a second.
      3. All the accounts I care about shut down after 3 to 5 unsuccessful attempts and require 2 factor to re-enable.
      4. Most important accounts don't allow ANY attempts from an unrecognized device without 2 factor.
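
The prefix/"calculation" schemes in this subthread (ShanghaiBill's fixed 6-character prefix, Captain Splendid's computed one, vux984's complaint that breaches and per-site rules break the calculation, VikingNation's entropy objection and ShanghaiBill's 62^6 arithmetic) can be made concrete. The following is an added example, not any poster's code: a per-site password derived with HMAC from one memorised secret, a hypothetical policy table standing in for the "exceptions you have to keep in your head", and the search-space arithmetic for an attacker who has the leaked passwords.txt but not the affix. The site names, the policy table, the punctuation set and the guess rates are all assumptions for illustration.

```python
# Added example (not any poster's code): the "calculated prefix" scheme from the
# thread, done with HMAC, plus the search-space arithmetic for a leaked
# passwords.txt. Site names, the policy table and the guess rates are
# assumptions made up for illustration.
import hashlib
import hmac
import math
import string

ALPHANUM = string.ascii_letters + string.digits      # 62 symbols
WITH_PUNCT = ALPHANUM + "!@#$%^&*-_"                 # toy symbol set (assumption)

# Hypothetical per-site exceptions: the length caps, character-set rules and
# forced rotations vux984 says stop fitting in one's head.
POLICIES = {
    "example-bank.invalid":  {"max_len": 8,  "alphabet": ALPHANUM,   "rotation": 3},
    "example-forum.invalid": {"max_len": 32, "alphabet": WITH_PUNCT, "rotation": 0},
    "example-shop.invalid":  {"max_len": 20, "alphabet": WITH_PUNCT, "rotation": 1},
}


def derive(secret: bytes, site: str, policy: dict) -> str:
    """Per-site password = HMAC-SHA256(secret, site || rotation), rendered in
    the site's alphabet and cut to its length cap.  Bumping `rotation` after a
    breach gives a fresh password for that site only."""
    msg = f"{site}\x00{policy['rotation']}".encode()
    n = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest(), "big")
    alphabet, out = policy["alphabet"], []
    for _ in range(policy["max_len"]):      # 256 bits covers 32 chars of ~6 bits each
        n, r = divmod(n, len(alphabet))
        out.append(alphabet[r])
    return "".join(out)


def search_space(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must try for an unknown fixed-length affix,
    e.g. ShanghaiBill's 6 alphanumerics: 62**6."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)


def exhaust_seconds(space: int, guesses_per_second: float) -> float:
    """Worst-case time to run through the whole space at a given rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    secret = b"7Rz8t5"                             # the memorised part
    for site, pol in POLICIES.items():
        print(f"{site:24} {derive(secret, site, pol)}")
    space = search_space(62, 6)
    print(f"6 alphanumerics: {space} candidates, {entropy_bits(62, 6):.1f} bits")
    # Online, throttled to ~10 guesses/s (assumption): centuries.
    print(f"online  @10/s:   {exhaust_seconds(space, 10) / 31_536_000:.0f} years")
    # Offline against a leaked hash at 1e10/s (assumption): seconds.
    print(f"offline @1e10/s: {exhaust_seconds(space, 1e10):.1f} seconds")
```

The two rates are the whole argument in miniature: the same 62^6 space takes on the order of 180 years at ten throttled online guesses per second, and under six seconds offline once a breached site's hash and the passwords.txt entry give the attacker everything but the affix. Note also what the bank entry shows: an 8-character cap means the derived value is the entire password, so the per-site derivation, not a fixed prefix, is what keeps it from repeating across sites.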

  2. Re:Well, i don't know... by fustakrakich · · Score: 2

    That post is almost illegible. Did you do that on purpose?

    And please, don't start crying about unicode

    --
    “He’s not deformed, he’s just drunk!”
  3. 1GB? by magarity · · Score: 1

    A hosted 1GB of storage is kinda dinky compared to all the providers where one can get cloud storage but the infrastructure to provide it properly isn't all that cheap. I can't help but wonder why they thought to tack this on to their service.

    1. Re:1GB? by swb · · Score: 1

      Maybe it's meant to cover all your stored password data, notes, etc in aggregate.

      Because there are people who will look at it as a kind of steganographic file system and try to store a bunch of non-password data in LastPass under the idea that it's more secure than most file sharing systems, an unconventional place to put it, and possibly provides greater legal protection than file sharing specifically (I don't know if this last bit is true, but I guess I'd see it harder for the cops to get a warrant for your LastPass account as opposed to your Dropbox account).

    2. Re:1GB? by darkain · · Score: 1

      My only thought is simplified remote encrypted storage? Something I don't really see the other providers doing. For basic personal documents, I think this would be worth it (think life insurance, social security, etc)

    3. Re:1GB? by Roger+W+Moore · · Score: 2

      For basic personal documents, I think this would be worth it (think life insurance, social security, etc)

      Agreed but both the local and remote copies need to be encrypted and require password access. My current solution for this is an encrypted disk image on Dropbox which works fine as long as the image can be kept reasonably small (few 100 MB).

  4. The Drawback of the Cloud by sehlat · · Score: 5, Insightful

    Once you become dependent on cloud services, they are no longer in your service, you are in theirs.

  5. Had no idea this was even a thing by Rick+Schumann · · Score: 1, Informative

    Furthermore I can't comprehend why anyone would think such a service is safe to use in the first place. Typical 'Cloud' service: Get you used to it, then rip the rug right out from under you. Also, as previously stated: Why would anyone think something like this is safe or a good idea in the first place? Let a bunch of faceless strangers on the Internet keep all your passwords for you?

    1. Re:Had no idea this was even a thing by msauve · · Score: 4, Informative

      "Let a bunch of faceless strangers on the Internet keep all your passwords for you?"

      They don't. They keep encrypted versions of your passwords. All encryption/decryption happens locally.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:Had no idea this was even a thing by jtara · · Score: 1

      > Furthermore I can't comprehend why anyone would think such a service is safe to use in the first place

      It's safe because the data is encrypted on your local computer/device. The encrypted data is sent up to the cloud. The company doesn't have any key that can be used to decrypt it.

      You do have to guard your master password! But most of us can memorize one good password.
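
The design msauve and jtara describe (encrypt on the device, ship only ciphertext, the company holds no key) is easy to sketch end to end. The following is an added example, not LastPass's code nor any poster's: the master password is stretched with PBKDF2 on the client, split into a vault key that never leaves the device and a separate login hash that is the only thing sent at sign-in, and the hosting side stores just that hash and an opaque blob. Assumptions of mine: PBKDF2-SHA256 for stretching, HMAC-SHA256 in counter mode as the keystream (a stand-in for AES-GCM, which the Python standard library lacks), encrypt-then-MAC for integrity, and an illustrative round count; the class, function and label names are hypothetical.

```python
# Added example (not LastPass's or any poster's code): the "encrypt locally,
# the server only ever sees ciphertext" design described in the thread, with a
# separate login hash so the master password itself never leaves the client.
# Assumptions: PBKDF2-SHA256 for stretching; HMAC-SHA256 in counter mode as the
# keystream (a stand-in for AES-GCM, which the Python stdlib lacks);
# encrypt-then-MAC for integrity.  Round count and labels are illustrative.
import hashlib
import hmac
import json
import os

KDF_ROUNDS = 100_000   # assumption; real products pick their own cost


def stretch(master_password: str, email: str) -> bytes:
    """Slow, salted stretch of the master password; the account email is the salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ROUNDS)


def client_keys(master_password: str, email: str) -> tuple[bytes, str]:
    """Split the stretched key into a vault key (stays on the client) and an
    auth hash (the only thing sent at login)."""
    k = stretch(master_password, email)
    vault_key = hmac.new(k, b"vault-encryption", hashlib.sha256).digest()
    auth_hash = hmac.new(k, b"login-authentication", hashlib.sha256).hexdigest()
    return vault_key, auth_hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def _subkeys(vault_key: bytes) -> tuple[bytes, bytes]:
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def encrypt_vault(vault_key: bytes, entries: dict) -> dict:
    """Encrypt-then-MAC the JSON vault under a fresh random nonce."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    pt = json.dumps(entries).encode()
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(vault_key: bytes, blob: dict) -> dict:
    """Raises ValueError on a tampered blob or a wrong master password."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault MAC check failed")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


def decrypts_ok(vault_key: bytes, blob: dict) -> bool:
    try:
        decrypt_vault(vault_key, blob)
        return True
    except ValueError:
        return False


class HostingService:
    """What the cloud side holds per user: an auth hash and an opaque blob."""

    def __init__(self):
        self.users: dict[str, dict] = {}

    def store(self, email: str, auth_hash: str, blob: dict) -> None:
        self.users[email] = {"auth": auth_hash, "blob": blob}

    def login_ok(self, email: str, auth_hash: str) -> bool:
        rec = self.users.get(email)
        return rec is not None and hmac.compare_digest(rec["auth"], auth_hash)

    def fetch(self, email: str, auth_hash: str) -> dict:
        if not self.login_ok(email, auth_hash):
            raise PermissionError("bad login")
        return self.users[email]["blob"]

    def plaintext_visible(self, email: str, needle: str) -> bool:
        """Does anything the server holds contain this secret in the clear?"""
        rec = self.users[email]
        return needle.encode() in bytes.fromhex(rec["blob"]["ct"]) or needle in rec["auth"]


if __name__ == "__main__":
    email, master = "alice@example.invalid", "correct horse battery staple"
    vault_key, auth_hash = client_keys(master, email)
    server = HostingService()
    server.store(email, auth_hash, encrypt_vault(vault_key, {"example-bank.invalid": "hunter2"}))
    print(decrypt_vault(vault_key, server.fetch(email, auth_hash)))
    print("server sees 'hunter2':", server.plaintext_visible(email, "hunter2"))
```

Two practitioner caveats this makes visible. First, the server never learns the master password or the vault key, but a stolen auth hash or blob is still an offline guessing target for the master password, so the KDF cost and the strength of that one password are what the whole scheme rests on. Second, the MAC turns "wrong master password" and "someone edited the blob in storage" into the same hard failure, which is what you want from a synced vault: it never silently decrypts to garbage.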

    3. Re:Had no idea this was even a thing by Rick+Schumann · · Score: 1

      I understand all that. But I still would not trust them.

    4. Re:Had no idea this was even a thing by Rick+Schumann · · Score: 1

      I understand perfectly well how all that works. Doesn't mean I trust them at all or see why anyone with at least two working brain cells would trust them.

    5. Re:Had no idea this was even a thing by ctilsie242 · · Score: 3, Insightful

      It is a gamble. For a lot of users, having randomly generated passwords that are stuffed in a PW database is more secure than having them have "hunter2" for their bank, "swordfish" for their Facebook account, etc. The chance of a mass compromise of LastPass is definitely less than having one's password revealed to the world the next time some company's list of hashed PWs gets snarfed.

      Even with the potential hazard, if combined with 2FA, the hazard of a compromised password is reduced significantly.

      To boot, longer, hairier PWs can be used as well, as the user doesn't have to remember them.

    6. Re:Had no idea this was even a thing by suutar · · Score: 1

      You also have to trust the company to not have their product leak your master password to them.

    7. Re:Had no idea this was even a thing by bill_mcgonigle · · Score: 3, Insightful

      Ummmm...yeah. I'm sure they do. And I promise I won't cum in your mouth. Pinky promise.

      So do you work for a competitor or did you just want to comment without reading up on how the encryption is done locally with audited viewable-source code in the browser extensions?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    8. Re:Had no idea this was even a thing by AmiMoJo · · Score: 5, Insightful

      The real issue with LastPass is that it runs in a browser. The most common way of using it is a browser add-on, and it's been found vulnerable in the past.

      Much better to have a separate app and copy/paste. Javascript is not secure.

      Also, KeePass is free and you can sync the database via your own server or any number of free services.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:Had no idea this was even a thing by aaarrrgggh · · Score: 1

      Unfortunately, copy/paste isn't so secure either.

    10. Re: Had no idea this was even a thing by Anonymous Coward · · Score: 1

      KeePass has at least two ways of password-transfer that do not involve copy/paste:

      1. Auto-fill using global hotkey: press hotkey, enter master password, username+tab+password+enter is "typed" into the active window.
      2. Drag-and-drop text using the mouse pointer.

      Neither of these are KeePass-specific, but KeePass does them very well.

    11. Re:Had no idea this was even a thing by Anonymous Coward · · Score: 1

      Much better to have a separate app and copy/paste. Javascript is not secure.

      JS isn't the root problem here. The security context is. If the browser gets compromised so is any code that it runs, or any memory that it has allocated, as a result. If it can launch a new process, so is that process and any descendant it makes. Anything on disk that it has permission to open is compromised, anything it has permission to write is infectable. Any connection it has the ability to listen on is compromised, any connection it has the ability to send on is a new impersonation. This is true of any program not just web browsers.

      The last thing you want to do is expose critical authorities to unreasonable risk. Which is what you are doing when running something like a password manager inside of an insecure program that runs instructions from an unknown untrustworthy source. (Like a web browser.) What those instructions are, is not as important as where they come from and how they can be changed. I.e. A locally installed program that must be updated manually by an authorized individual is much harder to alter for malicious purposes than code from some random server on the internet.

      And before you say code signing: Unless you got that public key from the developer themselves in person, and you both verified it and each other at that time, it's not trustworthy. It can be just as easily intercepted in transit and replaced with a compromised key, as can any code, signature, or html document you request from the server over a connection "secured" by a random bundle of unverifiable certificates that either shipped with your computer / browser or was downloaded the same way as your request via a url that has no means to verify, and could be intercepted anyway by someone modifying the routing tables between you and the real server to say whatever "verified" IP address you looked up was owned by some other random server.

      Never mind that the signature only verifies the executable image on disk NOT the code in memory while it's running. (The only way it could would be to use a crypto processor to verify each executed instruction between each instruction fetch, and you'd have to have a ridiculous amount of memory to account for each possible codepath (as the instructions executed before the current one are important, you have to include context in the verification process), and you'd have to solve the halting problem to do that. Also the ridiculous amount of processing power you'd need to verify each individual instruction for every possible codepath makes that idea impossibly difficult to implement with any amount of reasonable execution speed. And all of that assumes your system is not already compromised by something else.)

      Long story short, code signing is useless except under very specific circumstances that do not apply to most people nor can it be expected to. The only thing it's good for is giving false assurances of security to a clueless public that wants SOMETHING done about their lack of security without them being involved in it.

    12. Re:Had no idea this was even a thing by Lost+Race · · Score: 1

      I like how they claim "more than thirty years of combined development, network security and user interface experience" then show pictures of 32 people. So... about one year of experience each then?

    13. Re:Had no idea this was even a thing by Rick+Schumann · · Score: 1

      Meanwhile there's zero risk when I use my own formula for passwords that the likelihood of anyone cracking is small, and since it's a formula and not random characters they're easy for me to remember -- or if it's one I don't use more than a couple times a year, write it down on a nice piece of low-tech paper and hide it somewhere. Frankly I feel I have more to worry about from data breaches from whatever website or company than I do anyone guessing my passwords or raiding my house to look for scraps of paper.

  6. $24 seems kind of high by execthis · · Score: 3, Interesting

    I just renewed recently while it was still $12/year. I feel that $24/year is a bit high. But on the other side, I would never need any of the premium features. That said, I'm happy to pay $12 per year for their service to help a great company. Lastpass has been solid and their service is indispensable.

    1. Re:$24 seems kind of high by blahbooboo · · Score: 1

      You *should* be using two-factor auth, which comes at premium sub.

      Wrong. Multifactor is in the free tier. Advanced multifactor is extra. Read next time.

  7. No objection by jtara · · Score: 3, Interesting

    I've been using LastPass for many years. I used to use Password Safe, which is strictly local. But they had me at "all popular platforms including Linux".

    I have no objection to the price increase. They deserve it, and no doubt will use the money to make the product even better.

  8. Re:Well, i don't know... by grub · · Score: 2

    Is that Perl?

    --
    Trolling is a art,
  9. Re:Betteridge's Law of Headlines by unixisc · · Score: 1

    Says someone obviously grammar challenged, & can't tell whether or not a headline is a question. Betteridge's law only applies to headline questions that have a simple yes/no answer

  10. Re:Well, i don't know... by unixisc · · Score: 1

    Not a bad idea, if one is afraid of the browser quitting any time and eating that composing time w/ it. A lot of people, after being burned, adopted this policy. And yeah, it's perfectly legitimate to scream about Unicode: Android, iOS and even Windows 10 support it, but Slashdot doesn't. And renders posts in ridiculous ways out here.

  11. Great - count me in by Troed · · Score: 3, Interesting

    I was a Premium user since they launched. The changes to the free tier last year caught me by surprise, and sure enough, since I had no reason to pay for Premium I stopped. I remember getting an automated questionnaire as to why I stopped being a Premium customer and I explained clearly that they now offered the full feature set I was interested in in the free tier.

    Now they're apparently changing it so that one feature I want (emergency access) becomes part of the Premium package. Fair enough, they'll get me back as a Premium customer. LastPass is one of those tools I happily pay for, no questions asked.

  12. I use KeePass by b0bby · · Score: 5, Informative

    I've used KeePass for years now, and while I don't have all the fancy password sharing features I do have my passwords, in a format I trust, available on my PCs and phone. I haven't yet seen a reason to switch.

    1. Re:I use KeePass by idji · · Score: 1

      and with the keepass files in dropbox, my passwords are auto synched to my wife's laptop and vice versa. Pressing CTRL-S on a password file synchs it. and with dropbox and minikeepass on my iphone they all synch to my smartphone.

    2. Re:I use KeePass by bigal123 · · Score: 1

      Last i saw Minikeepass on iPhone still did not support the new Keepass XML format or encryption. You found anything else for iOS? Still looking for my iOS friends. Android was easy.

  13. Re:Well, i don't know... by Frosty+Piss · · Score: 1

    Not a bad idea, if one is afraid of the browser quitting any time and eating that composing time w/ it. A lot of people, after being burned, adopted this policy. And yeah, it's perfectly legitimate to scream about Unicode: Android, iOS and even Windows 10 support it, but Slashdot doesn't. And renders posts in ridiculous ways out here.

    Actually, I *did* type it in Word on Windows 10, but what's interesting is I pasted it into Notepad and replaced all the Unicode, but apparently Notepad really didn't replace them...

    --
    If you want news from today, you have to come back tomorrow.
  14. Just use KeePass by chaotixx · · Score: 5, Insightful

    Just use open source KeePass to hold your passwords and use DropBox to sync your encrypted database between computers/phones/tablets. Works great between Windows, iOS, and Android at least. http://keepass.info/

    1. Re:Just use KeePass by Major_Disorder · · Score: 2

      I do exactly this. Has worked well for me for several years.

      --
      First law of people: People are generally stupid.
    2. Re:Just use KeePass by jukk · · Score: 1

      I've also been using keepass for years with password file in Dropbox. Syncs between all of my devices including linux PCs and Jolla phone (Sailfish). Even on terminal with keepassc (dropbox works also fine in terminal). Then there is an increasing number of sites accepting TOTP 2FA. You then also need your phone or tablet with a TOTP application, but it doesn't feel like too much hassle.

  15. Keepass & NextCloud.. by erktrek · · Score: 5, Interesting

    So why not use a local app and cloud storage service? I use Keepass and NextCloud but could easily use GoogleDrive or DropBox or somesuch. The encrypted file doesn't take up that much space and you can sync it to whatever device you want.

    1. Re:Keepass & NextCloud.. by danpritts · · Score: 1

      The browser integration is arguably as valuable as the multi-device syncing. They also have sharing features so that you can share certain passwords with other people.

    2. Re:Keepass & NextCloud.. by Anonymous Coward · · Score: 1

      KeePass does have browser integration for the record. It's not built in but it's as simple as downloading a plugin, installing an extension and then approving the extension, and it's basically working anytime you have it open and not when you don't.

      Which is cool because it means you can for instance put your key file on a flash drive and no one can access your passwords with your computer even with your database.

    3. Re:Keepass & NextCloud.. by Anonymous Coward · · Score: 1

      For me, it's a matter of accessing my passwords at home and at work. I use LastPass because it runs in the browser. At work, we can't install third party applications. But I can install a browser plugin.
      So I can't use KeePass at work, because that's an application. But I can use LastPass at work. So I'm using LastPass.

      If you're happy with LastPass then this probably doesn't matter, but it may still be possible for you (or anyone in your situation) to still use KeePass.

      You said you can't install applications, which is fairly common, but can you run executables?
      (By "can" that would be both technically and allowed to by policy)

      There is a standalone "portable" version of KeePass that doesn't require any installation.
      It's one program executable and one config file read from the same directory, which typically is where you'd also keep the database file.
      This way it can be kept on and run straight from a USB flash drive, or in a folder synced to a server somewhere, etc.

      Also I don't know exactly how LastPass integrates with your browser, but there are at least two Chrome extensions for KeePass available.
      One works completely within the Chrome extension and can decrypt and open a keepass database file directly, although in a read-only sort of way.
      The other extension however requires KeePass installed to communicate with, in order to replace the Chrome password store. I don't know for sure but assume it requires the installed version of KeePass, so that option probably wouldn't work for you.

      I do recall seeing other KeePass addons available on their website for other browsers, but have no experience with them myself.

    4. Re: Keepass & NextCloud.. by Anonymous Coward · · Score: 1

      Keepass does not have to be installed. Use the portable download. Unzip and run.

      Install keepass apps on your phone and with cloud drive apps you have access to the same data. Android use keepass2android.

      You should report the hole in the company policy about third party application installation. A browser plugin is as dangerous to security and stability as installed applications.

      OS policy on installing is easy to get around. OS policy on application execution may not.

  16. Re:If you need a password manager by Minupla · · Score: 2

    I can remember a few passwords. I can't remember a 24 digit random alpha-numeric-symbol string.

    You know what I do when I get one of those "Geez, sorry guys, we hashed our data with md5 and posted it on our fridge and someone got all your passwords. Change them quick!" emails from SecurityWazzat.org? Giggle as I imagine someone chewing up cycles trying to dehash my random gibberish... Hope they enjoy waiting forever for my password to turn into something readable. Oh, and since I use a different random password for each site it doesn't matter anyways.

    Now I'm in the infosec industry and some of my passwords protect other people's data, and I have a responsibility to keep your data safe, but let's not be so dismissive of other people's security practices. If HorseBatteryStaple is secure enough for your risk tolerances, that's awesome, but it won't be for everyone else's.

    Oh and I'll leave this here for anyone interested in a more indepth review of password security:

    https://diogomonica.com/2014/1...

    Min

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  17. Why use a password manager? by BitterOak · · Score: 1

    I just use gandalf as my password everywhere. If they require letters and digits then I use gandalf1.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  18. rent seeking as inevitable as gravity by Thud457 · · Score: 2

    That's a nice password list you've trusted us to hold for ya. It'd be a real shame if anything happened to it.

    --
    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  19. in other news... by dAzED1 · · Score: 1

    In other news, people still use services that store all the keys to the kingdom... and now, those services have extended to sharing your passwords with others. :sigh: it's like laziness and lack of security is a virtue these days...

  20. Re:Well, i don't know... by fustakrakich · · Score: 1

    Android, iOS and even Windows 10 supports it, but Slashdot doesn't.

    Yes, and that is a feature. There is no need to take unnecessary risks.

    --
    “He’s not deformed, he’s just drunk!”
  21. Re:"Lastpassholes hobble free tier, jack prices" by EndlessNameless · · Score: 2

    Never understood the whole, "here Internet, take my passwords" mentality anyway.

    They don't have your passwords---at least, not in a usable form.

    You create a master password for the application. It encrypts your unique, per-site passwords and syncs them. LastPass only sees encrypted data.

    Meanwhile, you can create a strong, unique password for every site that you use. You can even use unique names to obstruct doxxing.

    The application acts as a local database so that you don't have to remember each and every logon. Your security is a little easier, and they have nothing useful assuming the crypto is solid.

    It makes a lot of sense if you have a lot of accounts. Me, though... I don't sign up for enough things to make it worthwhile.

    --
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  22. Re:Well, i don't know... by mark-t · · Score: 1

    It doesn't help matters that the edit box in which one creates such posts will happily accept such characters as input and display them appropriately there.

  23. Re:Well, i don't know... by fustakrakich · · Score: 1

    That part is not a feature. The text box should sanitize input also, or maybe not since it is not stored on their server yet. That's where preview comes in? And it's a bit trickier in journals, but I did find a preview that works there.

    --
    “He’s not deformed, he’s just drunk!”
  24. So basically, they just went all Netflix..... by Drakonblayde · · Score: 1

    If I'm understanding things right, what they're doing is basically pulling some features out of Free and making them Premium only (I'm ok with this), but they're doubling the price of Premium without actually adding any additional benefit to the users.

    I cancelled my Netflix account when they tried this same stuff lo those many years ago. I understand the need to raise prices, but generally speaking, a naked money grab doesn't tend to go over well with users, A moderate raise in the yearly price, ok, not that big of a deal, but when you mark up 100% without adding any benefit, yeah, thanks, but no.

    Thankfully, I've had my solution in place for years. KeePass is also multi platform and I just sync the database among my devices (started out with Dropbox, then Google Drive, now I use the Synology Cloud Sync stuff on my NAS in order to keep all my Cloud Synced stuff private)

  25. Re:"Lastpassholes hobble free tier, jack prices" by butzwonker · · Score: 3, Insightful

    I wouldn't trust them, since they're located in Washington D.C. I wrote my own password manager 20 years ago and still use it. Less features, but at least if there is a flaw in it, then it's my own fault and not some intern's at random company XYZ.

  26. Proprietary software for passwords? by VeryFluffyBunny · · Score: 1

    You can't trust closed source, proprietary software, full stop. It may be ethical and secure today but how will you know when that changes if nobody but the company selling you the software/service can do a security and privacy audit? And what if they get a national security letter one day and push an update that sends all your passwords and usernames to the NSA?

    --
    Debate is a form of harassment. Do not question my truth.
  27. Re:"Lastpassholes hobble free tier, jack prices" by vux984 · · Score: 1

    They only hold blobs of bits that you can ask them to retrieve and resend to you. Everything is done local on your device (cellphone, laptop, PC, etc.).

    Given that it's a web application, you potentially download new application code each time you use it.

    It would be pretty trivial for them to sneak in an update that doesn't do what you expect it to do, and even to serve just targeted individuals malicious code.

    So ... If the site were ever compromised, or under NSA gag etc, they could inject code, and collect master passwords without you ever knowing.

    Of course, these are risks with any web app; but other web apps aren't the master repository for my security credentials, including credentials to corporate property like their domain registrars, vpn credentials, etc; not to mention a one stop identity theft shop.

    Of course, that begs the question why not save $20 a year and just do the same thing with a USB key or some sort of storage that you can easily duplicate/synchronize to all your devices?

    Indeed. I personally advocate separating the responsibility for the hosting from the encryption. Encryption should be strictly client side; not "client side downloaded from the server every time you need it". Because then you really don't know what you are running each time you visit.

    So, something like Password Gorilla or Password Safe or KeePass running against SpiderOak, or ownCloud... or even Dropbox. Because then it really doesn't matter if the cloud storage provider gets hacked through and through.

    Now it's possible Password Safe etc. gets hacked and a malicious download made available, but the updates aren't that regular, it's open source, and I choose when to update, and whether to update. An attack like that would be far less far-reaching or effective. It is far easier for the code to be inspected and vetted, and to establish that I am actually running the code that was inspected, etc. than anything in a web app.

    No security is perfect, and everyone needs to make their own balance of convenience to security. I feel lastpass is way over on the side of convenience, with the compromises to security inherent in that.

  28. EnPass by CrashNBrn · · Score: 2

    I switched to EnPass, which runs locally on your machine (encrypted) and a browser addon uses a websocket to connect the two. Which means it doesn't inject itself into every page like Lastpass. Also LastPass tends to cause Firefox to take fits.

    EnPass runs on pretty much any platform:

    iOS, Android, Blackberry, macOS, Windows, Linux, USB-Stick, Chromebook

  29. Re:"Lastpassholes hobble free tier, jack prices" by Excelcia · · Score: 1

    Sure, LastPass may do everything on the local device - but it's done with a non-open-source app that they distribute. So we can just trust them that they would never ever do anything with my passwords.

    A fantastic solution, which works fantastically for me, is KeePass + Syncthing (or you can use KeePass + DropBox/Box/anything). My password database file is distributed across all the devices which use it by Syncthing. I happen to control the communication path end-to-end with a hosted virtual server (which I have anyway for my web site, mail, and DNS server), but even so I still use a password + key file with the KeePass database so that the database is essentially useless if it's intercepted. The key file is never ever transmitted over any network. KeePass is also great for storing all my bank account and credit card numbers and photo ID (since you can attach images to an entry in the database), so as long as I have my phone I have all my ID as well. If I were ever to lose my phone the database's password is strong enough to stand up to strenuous brute force long enough for me to change all my passwords. Getting my credit cards reissued would be a pain, but is a trade off I'm willing to accept for the convenience of easy access to everything in the few times I forget my wallet at home.
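As an added illustration of the password + key file scheme this comment describes (and the "encrypt locally, host anywhere" separation argued in comment 27), here is a constructed Python sketch, not KeePass or Syncthing code: the synced blob is only openable with both the password and the key file, and any tampering in transit is detected. The sample key file bytes and the vault contents are made up; the HMAC-counter keystream is a standard-library stand-in for the real cipher.

```python
"""Composite-key vault: password + key file, encrypted client side.
Constructed example; the synced blob is what a cloud folder would hold."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the contents of a key file (never synced).
SAMPLE_KEYFILE = bytes(range(32))


def composite_key(password: str, keyfile: bytes, salt: bytes) -> bytes:
    """Mix password and key file, then stretch with PBKDF2.
    Missing either secret yields an unrelated key, so an intercepted
    database plus a leaked password is still useless without the file."""
    seed = hashlib.sha256(password.encode()).digest() + hashlib.sha256(keyfile).digest()
    return hashlib.pbkdf2_hmac("sha256", seed, salt, 200_000, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Stand-in so the example runs on the
    standard library only; a real vault uses AES-GCM or ChaCha20-Poly1305."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(plaintext: bytes, password: str, keyfile: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: salt(16) | nonce(16) | ciphertext | tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    k = composite_key(password, keyfile, salt)
    enc_key, mac_key = k[:32], k[32:]
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_vault(blob: bytes, password: str, keyfile: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when password or key file is wrong
    or the blob was modified on the storage provider's side."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    k = composite_key(password, keyfile, salt)
    enc_key, mac_key = k[:32], k[32:]
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time check
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
```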

  30. Re:Well, i don't know... by unixisc · · Score: 1

    Why not use Wordpad instead, which saves you from those formats? I know that Notepad has that annoying scrollover that won't go to the next line until a carriage return. But Wordpad does it right.

  31. Re:Well, i don't know... by unixisc · · Score: 1

    It's happened to me occasionally w/ both FireFox and Chrome. Not on Slashdot, though, but other sites.

  32. Re: Well, i don't know... by BcNexus · · Score: 1

    XP?!? That can't be secure online, can it?

  33. Mobile by eWarz · · Score: 1

    They haven't even figured out how to implement proper support on mobile devices and they are raising the price? Hah! On Android, their only real 'supported' method is using Android accessibility services that drastically slow down the device and reduce battery life (it's meant for REAL accessibility needs like blindness, etc.). If you try to avoid that option your only other options are a glitchy Android 2.3 era keyboard or their internal browser. Thanks, but no thanks. The password manager built into Chrome or the Samsung browser may be far more limited, but it works better than lastpass...don't get me started on the fact that Google is rumored to be toying with a universal password manager for Android internally. (I don't mention Apple here because outside of a Macbook Pro and Mac Mini I use for dev work, I don't use anything Apple creates at all, so I have no idea if the situation is better/worse over there).

  34. Re: If you need a password manager by cdwiegand · · Score: 2

    Or you're a network admin and need to share hundreds of network credentials for internal and vendor systems with your team. There's a lot more use cases than what you are magically aware of.

    --
    . Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.
  35. NOT stuff that matters by UsuallyReasonable · · Score: 1

    Someone raised their price. Who cares?

  36. I use Codebook by CanadianMacFan · · Score: 1

    It used to be called STRIP and they have been around since Palm was popular. It doesn't sync to their servers. If you want to sync between devices you log into Dropbox or Google Drive or you can sync over Wi-Fi from the mobile device to the desktop app. It stores the passwords in a strongly encrypted file on your account.

    The application itself could use polish but it is very stable and it does everything that I need. It lets you add custom fields. The developers are quick to respond to queries. It's stable, quick, easy to use, and secure.

  37. LastPass cut off access 2 password with no warning by leftie · · Score: 1

    password just stopped working in the middle of the night

    LastPass websites now demanded a full year payment up front to get access to MY PASSWORDS on their servers

    Disabled person on SSD cut off from online banking late on Friday night
    Not one email sent to warn me