by palata 1095 days ago
Genuine question: why are there still LastPass users?

I mean, if you have a password manager, it means that you somehow care about your passwords. If you have LastPass, it means that you chose something that was not the default Google Wallet or Apple whatever-it-is-called.

Are there so many LastPass users who haven't followed the news in the last 2 years?

10 comments

I'm a developer by profession and I almost didn't switch from LastPass after their breach last year.

Simply put, after all the reports of last year's breach, I assessed how vulnerable I am. First, my LastPass settings were such that I shouldn't be too affected by their breach; among other things in their self-assessment report, I had the "new" healthy default of 600K iterations. Also, the three most important accounts forming the basis of my online identity were never on LastPass and had unique passwords.

(And yeah, I understand that the security issue isn't purely on technical merit but also a social question of LastPass' reputation as a company. But on a personal level, I didn't really care that much. Moving on...)

Hence, on a personal basis, I didn't see much reason to switch out. The alternative would be the hassle of evaluating a new password manager, exporting data from LastPass, setting up the new password manager on my devices, importing my pre-existing vault, tweaking the new password manager so it behaves as I expected, etc. I know I'm playing the world's smallest violin with this grievance but that's really how it was. I think there was also a confluence of other factors why I didn't want this hassle on my plate at the time (e.g., I remember this was end of last year and I'd rather focus on my holiday arrangements).

I did reach out to family members whom I might've recommended LastPass to in the past though, and advised them to switch out. I didn't believe they could make the same self-assessment that I did.

In the end, I did switch to Bitwarden though. I did go through the hassle as I thought I would but articles like this make me glad I did. The decisive factor for why I did it anyway was that I realized that I might have some passwords/keys in my vault that I use professionally so, out of professional prudence, I switched. Were I not a developer, I might not have had this factor at all.

It's not about the leak itself, but the laxness of their operational policies that resulted in it, the low level of ownership they demonstrated in communication throughout the incidents, and the weird design decisions that were made to leave parts of vaults unencrypted, which you would never know of since it's all a black box (1Password, for example, open-sourced some of their designs).
Unless you want to self-host, it is naive to think other password managers are not also the subject of attack.
The problem, IMHO, is that selling a password manager is about selling trust. It is okay to have an incident (to some extent of course: "we got hacked and somebody stole our database, which was not encrypted" is pretty bad), but it is not okay to lose trust.

Given how it has been going with LastPass, I don't see how one would still trust them with their passwords.

Very true, that's why I've stuck with KeePassDX for many years now.
I've been involved in switching users in a corporate environment from one password manager to another.

You want to irritate non-technical people? Tell them that they need to use a password manager.

You want to irritate even technical people? Tell them that the password manager you had to force them to use is going to be replaced by a new one, and _they_ have to do the export/import steps -- despite the fact that their boss is breathing down their neck for four projects that are late, half of which they have no control over.

I'm glad I don't have to worry about the LastPass breach, but I can absolutely commiserate with anyone who has to care about password managers for other people.

You want irate non-technical people? Tell them they need to come up with something better than Password123.

People hate passwords. You can explain to them why passwords are important, how people from the outside can do all kinds of nasty things if you pick weak ones, but people will ignore all that because they never need to deal with the fallout.

When these people eventually get hacked, they will blame their computers, their antivirus, their browsers, the websites they use, and most likely also the most recent person who touched the computer.

Password security is like herding toddlers. This is why I'm looking forward to a future where physical keys and passkeys are supported essentially everywhere. We don't even need them as 2FA because they work fine as a first factor in most cases, though 2FA would be much better of course.

And to be honest, whoever manages normal people's IT is probably partially to blame for the hate most people have for passwords. Things like monthly password resets, session tokens that last less than a work day, separate passwords with slightly different usernames across different applications, and all kinds of other useless limitations are why people hate passwords so much: using a password manager once or twice is fine, but having to use it to copy/paste passwords every other hour is tedious and terrible.

Companies unable or unwilling to fix their terrible password setup should invest into something like Yubikeys to at least make the process less frustrating. The difficult part is getting a backup when people lose their keys, but you can probably use passwords as a fallback until a new key can be arranged.

NIST's recommendation of passphrases that don't expire except when cracked is better, because it avoids <employer name>fall2023. But now you have to pay for the audit (whether it's internal or external) and then explain why their TV quote/book title/whatever is easy to guess.

And whether it's passphrases or passkeys, we still haven't solved the problem of the gajillion other accounts people will have to log into to do work that are nowhere near that standard.

As a technical user faced with the most absurd of password complexity policies, I totally understand non-technical users' frustration, given my much higher bar of ability etc., so I don't think it's entirely fair to blame them. Sure, they could do with making more of an effort, but most people just don't care or aren't aware of the ramifications...
> and _they_ have to do the export/import steps

At least for a personal account, the 1Password import tool worked flawlessly (as far as I can tell after about a month switched).

Does it not work for enterprise? Or perhaps each would have to run it?

When there's segregation between passwords that the organization can see and passwords that only the employee can see, then each user has to run the import/export.
Yes. Most of them.

It’s such an important lesson for informed people, and tech people, especially, to learn: our context is absolutely not the common one. Things that are obvious and clear to us are a world away for most others.

I am pretty tech savvy, read HN often and still use it.

Partially laziness, partially hard to change flows, partially hard to migrate, partially I don't believe that it's THAT bad, though the last one is the one I'm least sure of.

But you don't even have to have followed the news. LastPass has sent an email to all its users informing them of the somewhat recent breach.

I had already left by then but I would have otherwise.

People still read their emails? I thought it was mostly just for registration verification links and spam.
Yep. They either don’t know or don’t care. There’s a level of security fatalism among non-techs.

I can imagine a security professional explaining to a random person everything they ought to do to be secure. Not gonna happen.

Okay. But how is a typical person supposed to effectively judge the relative risk of LastPass against alternatives such that it justifies the hassle of switching?

The core problem with the LastPass breach was their response to it, not necessarily that they were pwned in the first place. Like, the whole point of password protected vaults is to make this situation less harmful.

People don't know about the ability to export and import passwords, though. Modern interactions are so much "everything is locked behind this branded app" that it's a miracle people still remember they can email to other domains.

What they do know is how annoying it was to have to set up LastPass, entering each and every password, dealing with accounts and setup and recovery keys, and the process of getting used to it.

Unless LastPass adds a button that says "click here to switch to a competitor", I doubt their remaining customers will ever leave the problem.

Bitwarden still doesn't have as good a multi-account workflow as LastPass does. They finally added multi-account support late last year, that was a full blocker for me, as I need access to both my personal and work vaults on my devices. Now that they have multi-account support, it's better, but they still are significantly worse than the LP approach. If they get multi-account search working as requested here, I might finally switch over:

https://community.bitwarden.com/t/implement-multi-account-se...

Time.

Password managers have a stickiness to them. Moving is hard. There are import/export functions, but I found all of them have issues.

Moving needs to be fast and seamless enough that I can move my entire family without hassle. That's why I'm stuck.

I exported my LastPass vault (yeah I used to be on LastPass...) and imported it into Bitwarden. Maybe I was lucky, but I was amazed by how simple it was. It took like 2 minutes, and it just worked.
Unless you also changed every password for every account you store in your password manager, you still have the original security issues of LastPass to deal with, as well as any potential issues from your new password manager.
Yeah, obviously, but good to mention.

I did change them. Very quickly for the important ones, more slowly for the others.

Some of them may be company-plan users who can’t choose and it’s hard to replace overnight.
> the default Google Wallet or Apple whatever-it-is-called.

It’s just called “Passwords”. Consistent with “Mail”, “Notes”, “Reminders”, “Calendar”, but it doesn’t have a dedicated app like the others (it’s inside System Settings).

Probably mostly companies stuck with long-term contracts.

The global company I work at uses it, they have an enterprise-wide contract. Migrating to something else is just a massive PITA, extra costs & sure downtime.

Good question. I cannot even 100% remember why I left a couple of years ago. IIRC it was a compromised cache / logon on a device I didn't control anymore and the general uneasiness of having my digital identities stored on a foreign service that could be hacked / could lock me out any time.

KeePass plus Syncthing works for me; KeePass' autotype is great.

Frankly, it's a crappy landscape:

1. The main competitor everyone knows about, 1Password, has its own problems. (I gave up on it a couple of years ago after learning that you can't quit the goddamn macOS application when it's logged out. It literally requires you to be logged in to make use of a super-secret-strong quit that doesn't leave some daemon on the system. Which is incredibly irritating when you're trying to just run a software update but instead you have to type your super long and secure password manager password.)

2. Transitioning passwords is hard even once you find a good alternative. One should change passwords after a breach, but there are basically three options: (a) use the automated password changing within the old password manager. But if you don't trust your password manager after a breach, it's probably a bad idea to use the automated password changing feature of said password manager and end up with your new passwords in the insecure service. (b) import everything to a new password manager and change from there. But if you have a lot of passwords, there's a good chance the new password manager won't be able to automatically change them all, and then you'll either have to carve out a huge amount of time to do it all at once, or have a mixture of secure and insecure passwords in the new password manager, which seems very problematic. (c) gradual transition: move the mission critical passwords first and change them on the spot, then as you use a less important service, change the password for that and move it to the new service as you go. Which makes sense, but means you'll still be using the shitty old one for a while.
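Two points in the thread benefit from a worked example: the reply noting that migrating a vault without rotating its passwords leaves you with LastPass's original exposure, and option (c) above, the gradual transition where the mission-critical entries are changed first. The script below is an added example, not code from any commenter or from LastPass or Bitwarden. It assumes the export is the CSV that LastPass's Export feature produces with the header `url,username,password,totp,extra,name,grouping,fav` (assumed; check your own export's first line), and it takes the set of "mission critical" hostnames as user input. The sample vault is constructed for illustration. It triages entries into a rotation order: critical accounts first, then passwords shared between entries (one breach cascades), then passwords a simple heuristic calls weak, then everything else.

```python
"""Added example (not from the thread): build a password-rotation plan from a
LastPass-style CSV export so a gradual migration is driven by a list, not memory.

Assumptions (not from the original page):
  * export header is url,username,password,totp,extra,name,grouping,fav
  * CRITICAL_DOMAINS is supplied by the user (here: a constructed sample)
"""
import csv
import io
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample vault; every row here is made up for illustration.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com,alice@example.com,Tr0ub4dor&3,,,Mail,Identity,1
https://bank.example.com,alice,correct horse battery staple,,,Bank,Finance,1
https://forum.example.org,alice,Tr0ub4dor&3,,,Forum,Misc,0
https://shop.example.net,alice@example.com,Summer2023!,,,Shop,Misc,0
https://github.com,alice,x7#Qp!2mVd9sLw@4RtBz,,,GitHub,Work,0
"""

# Assumed user input: the accounts that anchor your online identity.
CRITICAL_DOMAINS = {"mail.example.com", "bank.example.com"}


def parse_export(text):
    """Parse the CSV export into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def host_of(url):
    """Hostname part of a stored URL, or '' for entries without a usable URL."""
    return urlparse(url).hostname or ""


def is_weak(password):
    """Heuristic only: short, or the classic <season><year> pattern."""
    if len(password) < 12:
        return True
    return re.search(r"(spring|summer|fall|autumn|winter)\d{4}", password, re.I) is not None


def find_reused(entries):
    """Map each password shared by more than one entry to the entry names using it."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["name"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def rotation_plan(entries, critical_domains):
    """Return [(priority, name, reasons)] sorted so the most urgent rotations come first.

    priority 0: critical account (rotate immediately)
    priority 1: password reused across entries (one leak exposes all of them)
    priority 2: weak by heuristic
    priority 3: everything else (rotate as you next use the service)
    """
    reused = find_reused(entries)
    plan = []
    for e in entries:
        reasons = []
        if host_of(e["url"]) in critical_domains:
            reasons.append("critical")
        if e["password"] in reused:
            others = [n for n in reused[e["password"]] if n != e["name"]]
            reasons.append("reused with: " + ", ".join(others))
        if is_weak(e["password"]):
            reasons.append("weak")

        if "critical" in reasons:
            priority = 0
        elif any(r.startswith("reused") for r in reasons):
            priority = 1
        elif "weak" in reasons:
            priority = 2
        else:
            priority = 3
        plan.append((priority, e["name"], reasons))
    plan.sort(key=lambda item: (item[0], item[1]))
    return plan


if __name__ == "__main__":
    for priority, name, reasons in rotation_plan(parse_export(SAMPLE_EXPORT), CRITICAL_DOMAINS):
        print(f"P{priority} {name:<8} {'; '.join(reasons) or 'ok'}")
```

Run it against a real export only on a machine you trust, and delete the plaintext CSV afterwards: the export is the whole vault unencrypted, which is exactly the artifact the migration is meant to get away from. The weakness heuristic is deliberately crude; a real rotation pass should treat every entry that predates the breach as due regardless of what it looks like.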