Incredibly pathetic. I am so disappointed in LastPass. I was willing to forgive their subpar UX because hey, at least my passwords were safe. I've moved over to Bitwarden and am happy for now, but man what a shitshow.
I love Bitwarden, but coincidentally yesterday I saw a problem pop up on Reddit that was terrifying: there is a known issue where changing your master password can cause you to lose all your data:
> When you rotate an encryption key, you must immediately log out of any logged-in sessions on Bitwarden client applications (Desktop App, Browser Extension, Mobile App, etc). […]
> Making changes in a session with a "stale" encryption key will cause data corruption that will make your data unrecoverable.
I love Bitwarden but this is just… borderline hilarious. Laughing nervously. God damn it, don’t write a damn “help” article about it, create a P0 bug, fix it asap and write a post-mortem.
Field report: I tried to see this UX in action and while it is indeed bad, there are some redeeming factors:
- By default, you don't rotate your encryption key when you change your master password. This is opt-in. I'm not qualified to say whether this is a good default or not.
- If you do, a full modal warning pops up telling you to log out or wait an hour.
- They invalidate the sessions automatically, but this is delayed.
AIUI you have to tick the box, not read the warning, hurry to a different device and modify the vault, and have pissed off the cache invalidation gods all at the same time to reach corruption.
Agreed. It should at least log you out of all sessions without you having to do it yourself. This is good to know if I ever want to rotate my encryption key. Knowing this, I may even log out of all sessions even if I was rotating my master key.
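To make the failure mode in the quoted help text concrete, here is an added toy model (my own illustration, not Bitwarden's code or protocol): a server that stores opaque encrypted blobs, two logged-in sessions sharing one key, and a key rotation performed on one of them. The "phone" session keeps the old key and writes an item back, which re-encrypts it under a key nobody else holds anymore. The second mode adds a hypothetical server-side guard, a key epoch counter that the server bumps on rotation and checks on every write, so the stale session is refused instead of corrupting the item. The cipher (SHA-256 keystream plus HMAC tag) is a stand-in for a real AEAD so the script runs with only the standard library; the `Server`, `Session`, epoch mechanism and sample secrets are all constructed for this example.

```python
"""Toy model of the stale-key data corruption discussed in the thread.

Added illustration, not Bitwarden's code or protocol. The cipher below is a
stdlib stand-in for a real AEAD (do not reuse it); the key-epoch check is a
hypothetical guard, not a description of what Bitwarden's server does.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from SHA-256(key || nonce || counter)."""
    blocks = [
        hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag. The tag binds the blob to the key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raise ValueError when the blob was produced under a different key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or corrupted blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class StaleKeyError(Exception):
    """Raised by the hypothetical server when a write comes from a stale session."""


class Server:
    """Stores blobs it cannot read. With check_epoch=False any write is accepted
    (the foot-gun); with check_epoch=True a write from a session whose key
    epoch is behind the server's is refused."""

    def __init__(self, check_epoch: bool):
        self.items: dict[str, bytes] = {}
        self.key_epoch = 0
        self.check_epoch = check_epoch

    def put(self, name: str, blob: bytes, client_epoch: int) -> None:
        if self.check_epoch and client_epoch != self.key_epoch:
            raise StaleKeyError(
                f"session epoch {client_epoch} != server epoch {self.key_epoch}; log in again"
            )
        self.items[name] = blob

    def get(self, name: str) -> bytes:
        return self.items[name]


class Session:
    """One logged-in client (desktop, phone, ...) holding its own copy of the key."""

    def __init__(self, server: Server, key: bytes, epoch: int):
        self.server, self.key, self.epoch = server, key, epoch

    def save(self, name: str, secret: str) -> None:
        self.server.put(name, encrypt(self.key, secret.encode()), self.epoch)

    def load(self, name: str) -> str:
        return decrypt(self.key, self.server.get(name)).decode()

    def rotate_key(self) -> None:
        """Re-encrypt every item under a fresh key and bump the server epoch.
        Only this session learns the new key; every other session is now stale."""
        new_key = secrets.token_bytes(32)
        for name, blob in list(self.server.items.items()):
            self.server.items[name] = encrypt(new_key, decrypt(self.key, blob))
        self.server.key_epoch += 1
        self.key, self.epoch = new_key, self.server.key_epoch


def stale_write(check_epoch: bool) -> str:
    """Rotate on the desktop, then edit from a phone still holding the old key.
    Returns 'rejected', 'corrupted', or the item as the desktop reads it back."""
    server = Server(check_epoch)
    key = secrets.token_bytes(32)            # constructed sample key
    desktop = Session(server, key, epoch=0)
    phone = Session(server, key, epoch=0)
    desktop.save("bank", "hunter2")          # constructed sample item
    desktop.rotate_key()
    try:
        phone.save("bank", "hunter3")        # re-encrypted under the OLD key
    except StaleKeyError:
        return "rejected"
    try:
        return desktop.load("bank")
    except ValueError:
        return "corrupted"


if __name__ == "__main__":
    print("without epoch check:", stale_write(False))
    print("with epoch check:   ", stale_write(True))
```

In the unguarded mode the phone's write succeeds and the desktop can no longer decrypt the item; once the phone itself logs out and back in with the new key, nobody can, which is the "unrecoverable" case the help article warns about. The guarded mode shows why "log out of every session" is the mitigation: the stale session is exactly the one the server can no longer safely accept writes from, and the only thing that distinguishes it here is the epoch it believes it is at.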
Same, I held onto Lastpass much longer than I would have put up with any less-essential SaaS product.
Finally moved to Bitwarden and couldn't be happier. Still trying to decide if I want to self-host it or not, but more breaches of cloud-based password managers like this one may push me in that direction.
At least Bitwarden encrypts the whole vault as a blob. I don't bother self-hosting because I figure I know less about hosting a Bitwarden vault than they do so it's not much more secure. If I had a local server on my LAN I might consider it, because then at least I have a few firewalls between me and the internet. I've been a happy paying Bitwarden user for several years now, since just before the first "minor" Lastpass breach.
Yeah, I’m definitely not trained in security like the password manager engineers are. But I keep wondering if being distributed offsets that risk. That is, I can spin up Bitwarden in my Unraid machine in like five minutes and behind a reverse proxy, nobody even knows it’s there to attack. Maybe I have some security vulnerability, but it seems significantly less likely to be tested than a centralized commercial service. Curious if others have thoughts. I’d happily pay Bitwarden for whatever.
Yea this is exactly where I am. I have an Unraid box at home, currently mostly using it as a NAS, Plex server and for some home automations.
I realize that "security through obscurity" is not a best practice but even if I trust SaaS Bitwarden to be more hardened than I will ever be, I can't help but think that any centralized password manager will have a target on their back so much larger than mine that it may even out.
The biggest risk I see with self-hosting is accidentally borking the whole thing and locking myself out of my vault. But I'll probably gain enough confidence to mitigate that somewhat soon.
I'm one of those software devs who don't do my own stuff, I happily pay services for good products, but I know it would be "better" security (probably) to have my own server in-home and all that. I don't just choose anything, but I don't want to deal with servers or technology debugging outside of my day job. I used to run my own servers and just got tired of having to maintain them; and even "fully automated" systems need maintenance.
> disappointed in LastPass ... moved over to Bitwarden
Same as well, with an intermediate move to Dashlane. I want a reliable, expensive password manager. It's not an easy problem to solve, so if someone's trying to do it cheap, they'll get it wrong. I wish Bitwarden would charge more, but they've proven more secure than LastPass and the Android client is way more reliable than Dashlane.
https://bitwarden.com/help/account-encryption-key/#rotate-yo...
What?!
Of course, if you are careful and follow all the instructions, in theory you could avoid this. But why allow such a foot-gun?