Lastpass and all those centralized pass stores scare the shit out of me. I don’t care how secure they say they are, hell even if it’s been audited, it’s still a giant bullseye for any hacker to get everyone’s passwords and bank accounts.
I’ll stick with keepass and syncthing ( self hosted bitwarden is also good ).
pass is also very nice. It has git integration, so you can use that for syncing. It also has got a decent android app. https://www.passwordstore.org/
If I hadn’t already switched to bitwarden, this would have made me do it
They really fucked me with this. The entire reason I migrated from Keepass last year was for the shared database on mobile and PC.
swap to Bitwarden
And if you’re self hosting, consider using bitwarden_rs. It’s a drop in replacement for the official Bitwarden server. I used to use regular bitwarden, but it was pretty resource heavy for a single person, and it’s nice having just one docker container instead of… four?
Much like everyone else has said, switch to bitwarden. I did that two years back and it’s fantastic. It also has an import tool to get all your data migrated from lastpass, so it will be a fairly simple move to be honest.
Absolutely, I plan on migrating to Bitwarden this weekend, it looks like a great product.
They even have a KB article explaining how to migrate:
Definitely look into Bitwarden, it syncs between phone & computer, you can host the sync server yourself but especially if you’re used to lastpass it just works.
Where we’re going you don’t need databases. Try the lesspass way.
Not sure what you’re trying to say here. Do you use the same password for multiple sites? I have unique passwords all over the place, so trying to remember passwords without some kind of tool is impossible.
With Lesspass, you have only one password to remember, but for every website (every account) Lesspass generates a unique password from your single password to Lesspass and the website itself (and your login to that website). Therefore, you need no sync at all as Lesspass only computes the password from the given input (even offline). It might just be a bit problematic with having to remember logins for every site. Changing the password for a single website is a bit tricky too.
The ELI5 version: take your master password for all sites, take the name of the site, scramble them together. This is your password for that site.
Lesspass does this for you but there are other ways too. You should find it more convenient and more secure.
How does this handle the inevitable case of a site requiring password rotation? How does this handle password strength/composition rules? (there are so many stupid ones!)
You’ll see if you go on the website. All you ask for is right there, and more.
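The derivation described a few comments up (one master password, per-site password computed from master + site + login, nothing stored or synced), plus the two follow-up questions about forced rotation and composition rules, as an added illustrative example. This is not Lesspass’s own algorithm or code; it is a standalone scheme of the same shape. The salt layout, the PBKDF2 iteration count, the character classes and the rule-enforcement step are all assumptions made for the example, and the demo inputs are constructed.

```python
import hashlib
import unicodedata

# Disjoint character classes; a site's composition rules are expressed by
# passing a subset of these (or your own strings) as `classes`.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!#$%&*+-=?@_"
DEFAULT_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)

# Assumed work factor for this illustration. A real tool has to freeze this
# in its spec: changing it silently changes every derived password.
PBKDF2_ITERATIONS = 100_000


def _owner(ch, classes):
    """Return the class string that `ch` belongs to (classes are disjoint)."""
    return next(cls for cls in classes if ch in cls)


def meets_rules(password, classes=DEFAULT_CLASSES):
    """True if the password uses only `classes` and has at least one
    character from each of them (a typical site composition rule)."""
    if any(ch not in "".join(classes) for ch in password):
        return False
    return all(any(ch in cls for ch in password) for cls in classes)


def derive_site_password(master, site, login, counter=1, length=16,
                         classes=DEFAULT_CLASSES):
    """Deterministically derive a per-site password (illustrative scheme).

    master  - the single secret the user remembers
    site    - e.g. "example.com"; part of the salt, never stored anywhere
    login   - the username on that site; also part of the salt
    counter - bump this when the site forces a rotation
    """
    if length < len(classes):
        raise ValueError("length must allow one character from every class")
    if not all(classes):
        raise ValueError("classes must be non-empty")
    # Normalise so the same master typed on different keyboards/OSes agrees.
    master = unicodedata.normalize("NFKC", master)
    # Site, login and counter form the salt: same master, different salt,
    # unrelated output. NUL separators stop "ab"+"c" colliding with "a"+"bc".
    salt = f"{site}\x00{login}\x00{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=64)
    # Treat the 512-bit key as one big integer and spend it on indices.
    entropy = int.from_bytes(key, "big")
    alphabet = "".join(classes)
    chars = []
    for _ in range(length):
        entropy, idx = divmod(entropy, len(alphabet))
        chars.append(alphabet[idx])
    # Enforce composition rules deterministically: a class that did not
    # appear replaces a character of a class that has spares, so no other
    # class gets wiped out in the process.
    counts = {cls: sum(ch in cls for ch in chars) for cls in classes}
    for cls in classes:
        if counts[cls] == 0:
            spare = [i for i, ch in enumerate(chars)
                     if counts[_owner(ch, classes)] > 1]
            entropy, pick = divmod(entropy, len(spare))
            entropy, idx = divmod(entropy, len(cls))
            pos = spare[pick]
            counts[_owner(chars[pos], classes)] -= 1
            chars[pos] = cls[idx]
            counts[cls] += 1
    return "".join(chars)


if __name__ == "__main__":
    # Constructed demo inputs, not real credentials.
    for site, counter in (("example.com", 1), ("example.com", 2),
                          ("example.org", 1)):
        pw = derive_site_password("correct horse battery", site, "alice",
                                  counter=counter)
        print(f"{site} (counter {counter}): {pw}")
```

The counter is the usual answer to forced rotation in this model: nothing is stored, but the user now has to remember "counter 2 for this site", which is the kind of extra bookkeeping the thread calls tricky. The character-class parameters cover most composition rules, and the same parameters must be remembered too. Note also what the salt implies for the thread's later point: someone holding only the master password still has to supply the exact site string and login before the derivation yields anything.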
Is there any way to back this up? Is it necessary in case you lose a phone/device, etc.?
What do you want to backup? There is the master password, but that is it. Nothing more. You have to remember the master password, the website you were using, and possibly the login to that website, but there are no more passwords to backup. The algorithm to generate the password is the same for all of the passwords.
Okay, I get it, but what happens if your master password is compromised? I assume all of your passwords would need to be recalculated.
Sorry, I didn’t understand what you were asking about earlier. Yes, exactly. That is the reason why I don’t use Lesspass. From what I know, you would have to change the password for every single website to ensure no one guesses your login used by some website, and consequently, with your leaked master password, has access to that particular site.
How could someone ever get your master password though?
And I think it’s the same for lastpass. If someone (somehow?) gets your lastpass login details, you have to change them, and also change all your other passwords.
It’s not so easy for sure, but still I feel it is much easier to change the master password to your database as well as other passwords, when you actually can change every password to every site individually (which you would have to do with Lesspass too) or not at all, if the site is not important enough right now. With Lesspass, you would have to remember both the old and the new password to be able to change the site’s passwords. It just seems safer to me this way. But you are right about it being difficult to get to a very sophisticated master password anyway, the same for the second point, I’d guess. When someone gets your Lesspass password, they have access to everything for sure. With, in my case, Bitwarden, there is possibly a chance it might be harder to get to the individual passwords one after the other. It is a bit more tedious to work with it, not just calling the algorithm at different websites to see whether you use these. But this is an interesting thought.
I didn’t think of that - with a password manager, the attacker who gets your master password also gets a list of all the sites you use, and all your username/password pairs for each site. With lesspass or similar, he needs to guess which sites you use, and your username, before he can do anything.
But I still don’t see this as an important threat. There are other threats and inconveniences which IMO are bigger, and which the lesspass model mitigates.
You are right, when your master password gets stolen, the attacker doesn’t know which sites under which usernames you use, but it is not so hard to get to this information these days, I’d say. Still, once the password is stolen, you won’t just say “Oh, nobody knows my username for sure, so I won’t bother changing it.” and I find the process of changing passwords much easier with a standard password-username-site database. And for sure, Lesspass solves other issues, but with all of its quirks / security features, Lesspass doesn’t interest me that much.
I am using Bitwarden as I find the standard database system more convenient yet still secure enough. Somehow, I still cannot believe myself with Lesspass. Otherwise, Lesspass is a fantastic “password manager” for sure.
If they don’t have an iPhone they can. Last time I checked there was no Syncthing client for iOS.
+1 for Keepass, excellent open source password manager