Which password manager do you use?

Y’know, it’s weird - in all this time I don’t think anyone has posted ExecutionerFive, which password manager? in the thread.

I haven’t paid attention to this thread in a long time - there must have been 3 LastPass breaches and I didn’t know about any of them. Looks like most people have moved on to Bitwarden too.

I’ve been using the free LastPass because I don’t have multiple devices I need it for. I use the Google password manager on Chrome on my PC and when using Chrome on my phone. I don’t see anywhere to turn on 2FA or the ability to export my passwords on the free LastPass Android app. Should those options be there?

Also, did Google used to not save passwords for apps on Android, but now it does?

Counterintuitive, but iirc you log into the website on a PC browser to export your stuff.

I’d be really shocked if the multifactor options aren’t available in the free version. I’ve had the paid version for so long that I can’t say for sure, but open your vault on the PC and go to Account Settings for the Multifactor Options tab.

Ahh ok, I didn’t have it on PC, just my phone.

Should I just get rid of LastPass and switch everything to Google passwords since I only have Android / PC?

Go for Bitwarden. https://bitwarden.com/

This forum needs a like button.

Yeah, @stusser was recommending it for a long time here, and I finally caved and switched to BW myself a couple of months back. It was easy to do and I’ve barely noticed the difference, since.

Bitwarden became even better when I figured out it has custom fields filling.

Recent LastPass compromise is not good.

I haven’t been using LastPass lately, and had deleted my vault when I last left.

Hopefully anyone using it has very good master passwords…

So happy to have left. I also blanked/deleted my vault when they made it only free for one of mobile/desktop. And then moved to 1password which is much more expensive, but you know, I’d rather have a smaller target (fewer users because it’s pay only) with more resources to prevent breaches.

For better or worse (probably worse) this is not a new breach but new news about the previous breach from August.

I’ve never understood the whole password manager thing because it seems like creating a single point of failure. This would seem, on its face, to support that supposition.

Sure, but if properly managed it’s about as good a solution as you can get that works with nearly every computing platform and web browser. The days before the password manager were a nightmare of forgotten passwords, repeated passwords, and weak passwords.

I’d rather have my setup than my life before the password manager. And if you do it correctly, there is minimal risk. Everything is encrypted on the client end, so the password manager company never sees your decrypted data. I’ve got an extremely lengthy master password that would take billions of years to attack (well, until quantum becomes a thing), and it’s backed up in a way that’s encrypted digitally on my iPhone as well as a paper copy locked away in a safe.

The best counterpoint to this argument is that there has always been a single point of failure - email. Up until fairly recently* if I had your email password I also had access to every account you own tied to that email address. Doesn’t matter what their passwords are; all that’s needed is for me to click the ‘reset password’ link and boom, that account is also pwned.

Every IT security professional worth their salt will recommend two things: enabling 2FA everywhere you can, and using a password manager.

* 2FA can stop this, though of course it needs to be enabled… and not 2FA that happens via the compromised email address.

Yep, same breach but new and worse revelations.

This is a solid point.

2FA scares the hell out of me, because one of these days I’m going to lose or break my phone and not be able to get into anything, ever. I have it enabled anyway, mind you, but still.

I gather folks around here prefer Bitwarden these days? Paid or free tier?

Some 2FA services offer encrypted back-ups so you can restore your codes.

And when you enable 2FA, more often than not you generate a list of recovery codes. Copy-paste into your password manager notes. Now they’re encrypted.

Free Bitwarden is fine, unless you need any of their paid features of course.

TBH I feel a little weird handing over the keys to basically everything to an unpaid service. What’s the business model, here?