by darrmit 3095 days ago
I can’t figure out why LastPass is still so popular. Ease of use since it’s completely browser based? They were early to market? I don’t get it.

So many better designed, more secure options out there. KeePass, Bitwarden, or 1Password to name a few.

11 comments

I think it is mostly inertia and cross-platform support. Before they were acquired, they seemed to care a lot more about security, instead of just security theater.

They also have some nice crypto features: for instance, I forgot my master password, and they have a one-time password reset protocol that lets them send you an unlock code that only works on previously logged-in devices.

Also, it has rock-solid offsite backup built in.

Moving away has been on my TODO list for a long time.

I certainly have worried about LastPass after their acquisitions, but have no concrete grievances, save that the extension seems slower than it was previously.

I like a number of features in LastPass. The auto fill, the auto password change feature, password sharing, etc.

I have a concrete grievance since acquisition...

They've started to dump crap into the Lastpass Vault. First it was adverts and then they modified the search bar to search the web rather than only your saved passwords/notes. Both attempts at gaining advertising/referral revenue and in my opinion at the cost of security.

I've disabled the idiotic search, and I was paying for LastPass Premium before so I don't see the ads, but it is the principle that the company now places minor revenue over what I consider security which I cannot stand.

Plus I had issues with LogMeIn's business practices previously and moved to a competitor. Only to now have them follow me by buying Lastpass. I am in the early stages of looking at moving away from Lastpass (after four years).

I just moved away from LastPass due to the acquisition and migrated to 1P. I had two issues with the migration that were easily solvable by someone technically inclined.

1) Folders don't get migrated over to tags in 1P. You need to use this Perl script to do so (google it).

2) Autofill is, well, umm, different. It took some getting used to, but you now have to hit Cmd+\ to autofill instead of using the mouse. It's more secure and it ends up being more "clean", I've noticed.

KeePass is anything but user friendly or convenient - it involves a lot of tinkering and not a lot of people have time, patience, or even know-how for that.

1Password has ignored every other platform other than the fruit company ecosystem for a really long time now.

Bitwarden comes close. OSS, polished, and seemingly with a business model. After checking the Firefox (on Linux), iOS, and Android apps, when I wanted to install it on my Mac I found out its Safari extension doesn't exist, and the GitHub issue is clear that they will not be working on that anytime soon [0]. Also, I read a reddit comment that there is only one full-time developer, and this was just a few weeks ago [1]. Now I know it's an open source project, but I want to use a service that is really ready to be used for my password management while I want to pay for it.

LastPass is everywhere - Windows, Linux, Mac, Chrome, Ff, Safari, IE, iOS, Android. You name it. And it has been on these various platforms for a long time. Sync, client-side encryption, easy import from other apps, good extensions, decent support ticket TATs (even for free accounts), continuous development (however I must add that they have started to add bloat and useless gloss after the sale) - all have really been consistent. This is what makes it a favourite option.

So when you say "better designed" I assume you mean better security architecture/design and yes the reason for its popularity is indeed ease of use with acceptable security for the most. I have really tried all other apps out there and for some reason or the other I keep coming back to LastPass.

[0] https://github.com/bitwarden/browser/issues/17

[1] https://www.reddit.com/r/Bitwarden/comments/7htswv/how_many_...

KeePass is anything but user friendly or convenient - it involves a lot of tinkering and not a lot of people have time, patience, or even know-how for that. It has never been and I don't see that happening in near future. In comparison LastPass is "sign up once, use everywhere".

1Password royally ignored every other platform other than the fruit company ecosystem for a really long time.

See, I am not speaking as a fanboy, I am not one. Just a satisfied user - I have really tried all other apps out there and for some reason or the other I kept coming back to LastPass.

Bitwarden came close to making me switch. OSS, polished, and seemingly with a business model. After checking the Elementary Firefox, iOS, and Android apps, when I went to find its Safari extension (that's where I do my personal browsing) - it didn't exist, it still doesn't, and the GitHub issue is clear that they will not be working on that [0] anytime soon. Also, I read a reddit comment that there was only one full-time developer, and this was a few weeks ago [1]. Now I know it's an open source project, but I want to use a service that is really ready to be used for my password management.

LastPass - it's not really entirely browser based, it's actually available everywhere - Windows, Linux, Mac, Chrome, Ff, Safari, IE, iOS, Android. You name it. And it has been on these various platforms for a long time. Sync, client-side encryption, easy import from other apps, good extensions, decent support ticket TATs (even for free accounts), continuous development (however I must add that they have started to add bloat and useless gloss after the sale) - all have really been consistent. This is what makes it a favourite option.

So when you say "better designed" I assume you mean better security architecture design, and yes, it is ease of use with acceptable security for most.

[0] https://github.com/bitwarden/browser/issues/17

[1] https://www.reddit.com/r/Bitwarden/comments/7htswv/how_many_...

I think you make some good points, I prefer the practical perspective.

Lastpass seems to lack a fair amount of usability polish, but it’s all relative maybe no one is better.

For example, why, when adding new sites, does it like to retain even super long, useless query param strings that clutter the interface? Without going into detail, this is in no way technically necessary for most cases.

Also, they already have the ability to pre-associate common login sites, yet won’t do it for many popular domains. For example, there are a few stack exchange sites with different domains but that use the same credentials. Why should I have to manually set this up for a site that’s not far from the top 100 in traffic on the planet? It’s been requested, they won’t do it. Pay a damn intern to pre-associate the top 500 domains at least when needed.

There are many other practical examples.

But again, maybe the bar just isn’t that high in this category of software.

Edit: What didn’t you like about Bitwarden? Haven’t had a chance to try it yet.

The ability to fill passwords in Android apps. The last time I checked there were no competitors doing this.

I'm hoping the Autofill API in Android Oreo can bring more competition.

1Password registers a specific keyboard... but I'm not a big fan of that method. It's a terrible keyboard tbh.

I was actually surprised that 1Password never implemented in-app password fill using the accessibility API.

Dashlane does that.

Been with it since beta and have never had an issue with it, it's the one I always recommend.

Bitwarden supports autofill through accessibility services and through Oreo autofill.

keepassdroid lets you do that via copying data to the clipboard. Not a great solution, but it works.

Every password manager allows you to copy/paste your password. This is NOT a solution.

Interesting, because it works for me. Now that may not be a solution that works for you, but it clearly is a solution.

The clipboard is insecure and can be accessed by any app that is running.

It's not a secure solution, period, end of story, to copy-paste a password to a shared location on the device that all running processes can access.

https://developer.android.com/guide/topics/text/copy-paste.h...

I mean, there's the guide. I wouldn't put my passwords on the clipboard, personally.
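The comment above treats the clipboard as a shared location that other processes can read; as an added illustration (not code from this thread or from any of the products discussed), here is a hypothetical Android helper that a password manager could use to shrink that exposure window: it marks the clip as sensitive where the platform supports it, and clears the clipboard after a timeout without wiping anything the user copied afterwards. The class name, label string and timeout are assumptions.

```java
import android.content.ClipData;
import android.content.ClipDescription;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Build;
import android.os.Handler;
import android.os.Looper;
import android.os.PersistableBundle;

/** Hypothetical helper (added example): puts a secret on the clipboard with a
 *  bounded lifetime instead of leaving it there until something overwrites it. */
public final class SensitiveClipboard {
    private static final String LABEL = "sensitive-clipboard-demo"; // constructed label
    private static final Handler MAIN = new Handler(Looper.getMainLooper());

    private SensitiveClipboard() {}

    /** Copies {@code secret} and schedules its removal after {@code ttlMillis}. */
    public static void copySecret(Context ctx, String secret, long ttlMillis) {
        ClipboardManager cm =
                (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        ClipData clip = ClipData.newPlainText(LABEL, secret);

        // Android 13+ (API 33) lets the clip be flagged as sensitive, so the
        // system's clipboard preview does not render the password on screen.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            PersistableBundle extras = new PersistableBundle();
            extras.putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true);
            clip.getDescription().setExtras(extras);
        }
        cm.setPrimaryClip(clip);

        // Auto-clear on the main thread once the timeout elapses.
        MAIN.postDelayed(() -> clearIfOurs(cm), ttlMillis);
    }

    /** Clears the clipboard only if it still holds our clip, so a value the user
     *  copied in the meantime is left alone. */
    static void clearIfOurs(ClipboardManager cm) {
        ClipDescription desc = cm.getPrimaryClipDescription();
        if (desc == null || !LABEL.equals(String.valueOf(desc.getLabel()))) return;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            cm.clearPrimaryClip();                              // API 28+
        } else {
            cm.setPrimaryClip(ClipData.newPlainText(LABEL, "")); // overwrite on older SDKs
        }
    }
}
```

A typical call is `SensitiveClipboard.copySecret(context, password, 30_000L)`; the timeout bounds, but does not remove, the window in which another foreground app or IME could read the value.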

Keepass2Android has a custom keyboard to auto-type usernames/passwords.

For me ease-of-use is a killer feature. Do any of the alternatives you suggested sync automatically between devices? Do they auto-fill?

1Password does. It's great.

I use 1Password at work. It's not very good and doesn't seem to work on Linux, which I need for work. Add to that really clunky user management... it's just not that great usability-wise. I've never been able to get it to autofill either. LastPass on the other hand just works on all my devices. We were using KeePass before but syncing was such a massive PITA that my wife wouldn't use it. Now she at least uses LastPass with a better password than what she was using before, but I suspect until we're robbed she's not going to see the value in security. Don't get me started on her and the 2FA grievances.
I’ve used all of the alternatives and each has pros and cons. I’ve settled on Bitwarden at the moment but may end up moving back to KeePass (again) to gain control of my data. I’ve had to refer to KeePass backups months down the road when I accidentally deleted or didn’t store a password. Feels good to have that control.

The mobile experience lacks polish on iOS with KeePass but the control and security might end up winning out for me.

I ditched 1Password because their Windows app is a catastrophe and their forcing of users onto their sync service was really badly handled.

iCloud Keychain does, and it’s free, but obviously it’s limited to Macs and iOS devices.

iCloud Keychain doesn't work with all apps or even all browsers; when it doesn't there's no trivial way of copying in a password, it isn't cross-platform, and you cannot import or export existing passwords.

I consider the other products listed as actual competitors of Lastpass, I don't even rank iCloud Keychain that high, it lacks even basic features.

Copying a password isn’t that hard, you can get to it through keychain or the password section in iOS Settings.

It’s definitely not cross platform, but that’s to be expected from an Apple product.

Doesn’t support other browsers? I suppose, but for me and many other people that’s not an issue.

It works fine for many individuals, and I think they could consider it a competitor. It’s certainly not an answer for MOST people, but if you’re in the right group it works great.

That is a whole lot of opinion, but not much substance. What makes LastPass inferior to these other options?
> What makes LastPass inferior to these other options?

Well, for one, the very first sentence of the article here.

The article whose "exploit" requires handing your unlocked phone to someone?
> (Edit #1, 7.30pm GMT): A lot of people are saying that this flaw requires physical access. However, as I pointed out above, you don’t need physical access, a maliciously installed application can easily access the activity and capture the code.)
So you don't need physical access you just need to install a malicious application? Okay then.

Why can one application even explore and access the views of another?

Accessibility APIs

You'd be surprised how many people (not on HN) use extremely weak (or no) unlocking mechanisms for their devices. It overlaps with the set of folks who would want to use LastPass because of how easy it is.

Do you know what is easier than using LastPass for people who use weak unlocking mechanisms? Using the same password everywhere.

I'd be surprised if there was any overlap at all where you claim.

Well, I have several family members that fall in the "I use a pattern to unlock my phone or do not use anything to lock it, but store passwords in LastPass" category. So I guess you're wrong.

And which just got revealed, and will probably be fixed.

The article that is literally not about LastPass's password manager?

Lastpass Authenticator is not their password manager. It is a Google Authenticator competitor...

If they have a history of shitty security practices (this app), then why should we fully trust other apps they make?

You're going to double down on completely misreading the article and misquoting as to why their Password Manager is insecure? Come on...

Perhaps I could have clarified better, but I was speaking to the various nasty security issues they’ve had mainly.

I also find their apps to be ugly as sin, but that’s a personal preference.

When your rival is KeePass you don't really need to do much in terms of UI/UX.

1. It's not easy to have all the integrations necessary to make this product.

2. There ultimately doesn't appear to be that much money in it compared to other businesses.

3. The least secure password manager is more willing to do the unsafe thing that is a killer feature that users want.
1Password more secure?

Surely you're joking.

Seems folks forget just how poor of a job they were doing only a year ago.

SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser

SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser

SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database

SIK-2016-041: Read Private Data From App Folder in 1Password Manager

SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager

The tradition with this company is not a serious (as in mission-critical serious) approach to security and the amount of FUD that they spread anytime they take real criticism from the community speaks volumes. They had more vulnerabilities disclosed last year than any of their competitors.

Just because you like it doesn't mean that it's secure software.

Wasn’t aware of these, but it just solidifies my move away from 1PW.

What makes you say that?

They're owned by Citrix so they have automatic credibility.

In this case, the name is important too. It's easy to remember and it explains the product as well. The only alternative with a better name is 1password

It's a free version of 1Password.

It doesn't have to be browser-based. If you'd rather have a stand-alone app there's one in the Microsoft Store.