[thesuitonym]

> I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.

> With something like LastPass it's also much easier to create unique strong passwords for other sites.

Sure, but LastPass, in addition to being the least secure option, doesn't even have a good user interface, and it's expensive. There are dozens of other password managers out there, each one better than LastPass in every way.

[Arainach]

Doing the research takes time and energy.

Switching takes time and energy.

Changing all your passwords after you switch so they aren't potentially exposed in the next LastPass break takes time and energy.

People have a lot of things going on and have to make a decision about whether the risk justifies the effort.

Then there's feature gaps. LastPass is available on all platforms, has convenient sharing, a good story for emergency recovery if I'm incapacitated and want family to get access to things, and support for 2FA options such as Yubikey. Most competitors lack at least some of those, which is an issue if you're relying on them.

Personally, I left Lastpass for 1Password several breaches ago, but it took me a couple weeks of research to decide where to move to, at least a week of changing passwords on sites afterwards, and however much time and energy it took me to help others who I share credentials with switch at the same time.

[fragmede]

Password managers are entirely a UX problem waiting to be solved better. Every time I hit a UX bug with my password manager, I mutter that I could do fix that, and then know that mine would also be worse in so many ways just to reach parity. What I wish is there was a public bug tracker of UX issues/optimizations that I, and the rest of the world, could log ideas to. Password managers are such a good idea but they all need just that much more work to be seamless.

[scottlamb]

Can you give me an example of a UX problem that you attribute to the password manager? That'd help me understand.

I often hit problems with 1Password's autofill on particular websites, but by and large I blame the website. Few examples:

* one website expects me to type the PIN then a Symantec VIP OTP token into a single field called "password". That's a (possibly deliberately) password manager-hostile design. I finally got annoyed with it enough to use an open source project called `python-vipaccess` to create a proper `otpauth://totp/...` URL I could add into 1Password and wrote a TamperMonkey script that added separate autofillable fields that would get concatenated automatically. Now 1Password works fine.

* frequently websites will complain about needing a valid credit card number after autofill. I have to go to the field, delete the last digit, add it back, tab away, then it works. I think they have just used the wrong event handlers and never tested it with autofill.

* they often will skip `autocomplete="new-password"` attributes, so my password manager will look for a (nonexistent) current password rather than prompting me for a new one, and/or they won't have the username and new password fields ever in the DOM at the same time so the password manager doesn't save it properly. (Even if it makes sense in terms of user-visible flow to do these in sequence, they can still leave the username in as a hidden form element for the benefit of the password manager.)

I've also hit UX problems in 1Password itself, for example the "quick access" pop-up doesn't reliably appear on the current Space in macOS. (Confusing and annoying to have to switch to another to see it.) But they seem less common.