Why Lastpass is a great piece of software that sucks

Update : I've added comments to sections where the release of Lastpass 3.0 and subsequent versions have affected the issue that I've identified. Look for those updates in bold. I've moved all issues that have been resolved into a section at the end for historical purposes.

I am a big proponent and supporter of Lastpass. I've used it for about 5 years now and have many hundreds of credentials in my Lastpass vault. At the moment I think it's the best software out there for password management. Unfortunately it has a lot of problems. Here are some of them.

Support

  • Submitting a bug report that is subsequently confirmed to indeed be a bug almost never results in a bugfix. Of the 12 bugs I've reported, all but 2 have been ignored. Below you'll see some of the problems with Lastpass, the date I originally reported each bug, and the fact that it continues to be broken up to now.
  • Lastpass has a status page hosted at https://lastpass.com/status.php. Understandably, when they have an outage, the status page is inaccessible since their site is down. The last time they had an outage I opened a support request asking how customers should determine what's going on when the status page is inaccessible (always when there's an outage) and they don't post anything to twitter. Instead of addressing the question about status notification, they tried to explain to me why I really shouldn't have experienced an outage: "your browser should have automatically failed over to the next on the list with a relatively small timeout" and "Accessing stored passwords is always possible even if LastPass is offline if you utilize the extension which is what we intend". They totally missed the point and I, to this day, don't know how to determine the status of an outage when one happens.

UI

  • Deleting multiple records from your vault causes weird behavior. Update : Lastpass 3.0 doesn't solve this problem but it appears that the speed improvements in the vault UI in Lastpass 3.0 have made the issue less pronounced. I reported this bug December 2011, got no resolution, followed up October 2012 and got the response of "Quite honestly, I am not sure when we will get to it"

    There is a weird behavior when deleting multiple records from lastpass. Here's how to reproduce it :

    1. Create a handful of records. For me this usually results from trying to come up with a password that conforms to some site's unspecified password requirements. This results in a handful (let's say 5) "Generated Password for foo" records.
    2. Go to your lastpass vault inside firefox : chrome://lastpass/content/home.xul
    3. Click "Delete" on the first record you want to delete. When prompted in the modal window that pops up, click "Yes". You'll see the record disappear as expected from the vault.
    4. Immediately click "Delete" on the next record and again click "Yes"
    5. You'll now see the second record disappear as expected, then re-appear for a second, and then disappear for a second time.

    The expected behavior here is for the record, once deleted, to disappear permanently. I'm assuming this is being caused by some kind of race condition between the vault checking back with the lastpass servers for updates and the "delete" action propagating to the lastpass servers.

    If you have trouble reproducing this just do it with 2 or 3 records in a row.

    I encounter this pretty frequently since usually when I'm deleting records, I'm deleting multiple ones as I clean cruft out of lastpass.

  • The monospace font that Lastpass uses for the password field makes the lowercase letter "L" and the number "1" indistinguishable. Update : Lastpass 3.2.20 claims to address this issue. I'll upgrade and check it out. Here's a screen shot of it. To work around this, whenever I'm viewing a password, for example to type into my phone or some Flash interface that Lastpass can't deal with, I have to copy the password into a text editor to be able to distinguish between the characters. I reported this bug October 2012 and got "I will pass your feedback to the development team for their review for future releases." which I'm confident means that it will be ignored.

  • Intermittently, after creating new credential sets, they fail to appear in the vault. This is not only annoying but also really scary since the impossible-to-remember password you just set on whatever website you were creating an account on is now apparently gone. Logging fully out of Lastpass and back in, or waiting some period of time for whatever server-client interaction to happen, sometimes fixes it. I reported this in September 2011. They said to upgrade my Lastpass browser plugin, which I did. This still occurs to this day intermittently.

  • I got tripped up by their instructions on installing Lastpass on Linux and reported my confusion with their documentation. They responded with "I mentioned this to developers, but they felt that this step was common sense if you're a linux user. (ie, it'd be like telling a windows user to double-click on a program to launch it)" and left the instructions in their ambiguous state.

  • When you log into Lastpass in your browser plugin it starts by downloading your encrypted blob of data. It then decrypts the blob locally on your machine in javascript. While this whole process happens, which with 600 credentials and secure notes can take a while, the page used to display text as if your vault were empty and encourage you to add credentials to it. Now it merely displays an empty vault. As a user, it is pretty scary to see a page where you expect to see your credentials and instead see an empty vault. They should display a progress bar or a "please wait" message while they download and decrypt the blob.

  • In your browser, when you go to a site that has a password field and you're not yet logged into Lastpass, it pops up a notification bar that says "Simplify your life, use Lastpass to capture this site's login" and a button that says "Save Passwords with Lastpass". This language makes sense if you're on a page for which you don't already have a stored credential. The much more likely case, when you come to a site with a login and haven't yet logged into Lastpass, is that you're going to the site to log in with your existing credentials stored in Lastpass. This language should reflect the fact that it's possible and likely that you're not there to create a new credential set but instead to log in to Lastpass so you can log in to the site you're on.
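
The multiple-delete flicker at the top of this section is the classic shape of a race between a local change and a periodic poll: the poll returns a snapshot the server took before it processed the delete, and the client replaces its state with that snapshot. The following is an added example, not Lastpass code; the vault, the record shape and the poll API are assumptions made to model the bug. It shows the naive cache that flickers and the usual fix, tombstones: a locally deleted id is remembered and filtered out of any incoming snapshot until the server acknowledges the delete.

```javascript
// Added example (not LastPass code): a model of the delete/poll race and a
// tombstone fix. Record and snapshot shapes are assumptions for illustration.

// Naive cache: the latest server snapshot simply replaces local state.
class NaiveVault {
  constructor(records) {
    this.records = new Map(records.map((r) => [r.id, r]));
  }
  deleteLocal(id) {
    this.records.delete(id);
  }
  applySnapshot(snapshot) {
    this.records = new Map(snapshot.map((r) => [r.id, r]));
  }
  ackDelete() {} // nothing to do; deletes are not tracked
  ids() {
    return [...this.records.keys()].sort();
  }
}

// Race-safe cache: a locally deleted id is a tombstone until the server
// confirms the delete, so a stale snapshot cannot resurrect it.
class TombstoneVault extends NaiveVault {
  constructor(records) {
    super(records);
    this.pendingDeletes = new Set();
  }
  deleteLocal(id) {
    super.deleteLocal(id);
    this.pendingDeletes.add(id);
  }
  applySnapshot(snapshot) {
    super.applySnapshot(snapshot.filter((r) => !this.pendingDeletes.has(r.id)));
  }
  ackDelete(id) {
    this.pendingDeletes.delete(id);
  }
}

// Reproduces the sequence from the bug report: delete, then a poll whose
// snapshot was taken before the server applied the delete. Returns the id
// list seen after each step so the flicker is visible.
function simulateDeleteRace(VaultClass) {
  const initial = ['a', 'b', 'c'].map((id) => ({ id, name: `Generated Password for ${id}` }));
  const server = new Map(initial.map((r) => [r.id, r])); // constructed server state
  const vault = new VaultClass(initial);
  const observed = [];

  vault.deleteLocal('a');                      // click Delete, then Yes
  observed.push(vault.ids());                  // record gone locally
  vault.applySnapshot([...server.values()]);   // poll races the delete request
  observed.push(vault.ids());                  // naive cache: 'a' is back
  server.delete('a');                          // server finally applies the delete
  vault.applySnapshot([...server.values()]);
  vault.ackDelete('a');                        // tombstone no longer needed
  observed.push(vault.ids());                  // gone again
  return observed;
}

console.log(JSON.stringify({
  naive: simulateDeleteRace(NaiveVault),
  tombstone: simulateDeleteRace(TombstoneVault),
}));
```

The tombstone is cleared only on acknowledgement, which matters: clearing it on the next poll would reintroduce the race whenever two polls straddle the delete.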

Browser Plugin Interaction

  • There's no way to tell Lastpass that a given field is a CAPTCHA. Lastpass has some heuristic to detect a CAPTCHA in a login page and display a useful UI behavior instructing you to fill it out. If that heuristic fails and it doesn't understand that a field is a CAPTCHA, there's no way to tell it to treat that field as one. Upon asking how Lastpass determines that a field is a CAPTCHA, they report that "We determine this via field name." and helpfully offer to solve the problem with "If you let us know what this is on the site, and it's likely to come up again, we can look into adding it as a possible field name that would pop the security notification." The way to solve this problem is not to wait for users to report sites that have unexpected field names for their CAPTCHAs and add them into some list stored in Lastpass. This is a totally unscalable, poor user experience approach. Of course after giving them the details of the web page that had a CAPTCHA with a field name they hadn't predicted (I mean how could they have?) they responded with "I will put this on the list of suggestions and hopefully our dev team can add it in." Obviously this never happened.
  • When you encounter a site that uses basic or digest HTTP authentication (where the login window pops up in front of the site and you log into your browser instead of typing your password into a field on a web page), Lastpass has a checkbox that you can check to save the credentials that you're typing in. This makes sense. The checkbox state however is sticky. Once you save a credential set for a site that uses basic or digest auth, the next time you come to some other site that has basic or digest auth, and Lastpass fills in your username and password for you, the checkbox is still checked and so Lastpass saves a second copy of the credentials set. As long as this checkbox is checked Lastpass continues saving duplicate credential sets over and over again. This UI is absurd. Lastpass knows when you're going to a site for which it has credentials and when you're going to a new site. Why present a checkbox in a dialog on a site where you already have credentials indicating that you want to save a duplicate copy of those credentials?!
  • Lastpass uses a combination of settings called "Equivalent Domains" and "URL rules" along with its internal rules to decide which credentials go to which sites. These are confusing and difficult to use. I frequently get into a situation (in fact I'm stuck in one right now) where I can't get Lastpass to offer the credential set for the site I'm on. I have to pull it up in my vault and copy and paste it into the form. This is especially bad when it happens in the basic/digest HTTP auth pop up window. In that case the plugin will indicate that you've got multiple matching credential sets and when you click the drop down to pick one, it displays only one.

Payment

  • Lastpass charges $12 a year for premium service, which gives a user access to a second authentication factor. In any given year the likelihood that one will have to change one's credit card number due to fraud, it being lost, changing cards, etc. is pretty high. When the annual auto charge comes up and fails because the card number has changed, Lastpass decides that the appropriate way to deal with this is not to notify the customer, wait some window of time and then disable their two-factor auth. Instead they silently disable two-factor auth, opening your account up to attack, and only later notify you that they're having trouble charging your credit card. I reported this problem first in December 2011 when it happened the first time, then again in April 2012. I'm sure that at the next annual renewal, if my credit card has changed, it will fail again and disable two-factor on my account.

    Recently my wife's lastpass premium account came up for renewal. It was configured for yearly auto-renewal against our credit card. A few months back we had to change our credit card number because the bank sent us a new one due to some security compromise. We forgot to put this new number in google checkout/lastpass so that the auto-renewal would work.
    Problem is, what happened when the renewal date came up and the charge didn't work (because the old card number was invalid), is that the 2-factor yubikey authentication was just disabled. No email warning of this fact to the user, just disabled.
    To have a billing issue open up an account to attack (by having only one factor) without notifying the user, is a risky security practice.
    Some better solutions would be :

    • Locking the account down until the user either logs in and disables 2-factor auth, or re-enrolls in lastpass premium with a new credit card
    • An email to the security email address of the users account warning them that 2-factor has been disabled
    • An email to the security email address stating that you tried to charge their card with no luck and 2-factor auth will be disabled in 48 hours, 5 days, etc. if the billing issue isn't corrected. Really anything other than silently disabling 2-factor auth.
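
To make the difference concrete, here is an added example, not Lastpass code, of how a billing system can handle a failed renewal in a fail-closed way. It contrasts the behaviour described above (the second factor silently goes away) with the alternatives listed: warn the security email address with a deadline, keep the second factor in force, and if the deadline passes lock the account until the user logs in with both factors and makes an explicit choice. The account fields, notice format and the 5 day grace period are assumptions.

```javascript
// Added example (not LastPass code): failed premium renewal handled without
// weakening authentication. Account shape, notices and the grace period are
// assumptions for illustration.
const DAY_MS = 24 * 60 * 60 * 1000;
const GRACE_MS = 5 * DAY_MS; // assumed grace window

// What the post describes: the charge fails and the second factor is dropped
// with no notice. The account is now weaker and the owner does not know it.
function onRenewalFailedSilently(account) {
  return { ...account, premium: false, twoFactorEnabled: false };
}

// Fail-closed alternative, step 1: warn with a deadline and keep the second
// factor exactly as it was. Calling this twice does not send a second notice.
function onRenewalFailed(account, now) {
  if (account.graceDeadline) return account;
  const graceDeadline = now + GRACE_MS;
  return {
    ...account,
    graceDeadline,
    notices: [...account.notices, { to: account.securityEmail, type: 'billing-failed', graceDeadline }],
  };
}

// Step 2: once the deadline passes, lock the account instead of weakening it.
// Locking keeps twoFactorEnabled untouched.
function onGraceExpired(account, now) {
  if (!account.graceDeadline || now < account.graceDeadline) return account;
  return {
    ...account,
    premium: false,
    locked: true,
    graceDeadline: null,
    notices: [...account.notices, { to: account.securityEmail, type: 'account-locked' }],
  };
}

// Login policy: a configured second factor is always required, premium or not.
// A locked account still accepts a full login so the owner can decide what to
// do; the system never removes the factor on their behalf.
function authenticate(account, { passwordOk, secondFactorOk }) {
  if (!passwordOk) return 'denied';
  if (account.twoFactorEnabled && !secondFactorOk) return 'denied';
  return account.locked ? 'locked-needs-decision' : 'ok';
}

// The owner's explicit choice after a lock: supply a working card, or knowingly
// turn the second factor off. Only the owner, authenticated with both factors,
// reaches this point.
function resolveLock(account, decision) {
  if (!account.locked) return account;
  if (decision === 'renew') return { ...account, locked: false, premium: true };
  if (decision === 'disable-2fa') return { ...account, locked: false, twoFactorEnabled: false };
  throw new Error(`unknown decision: ${decision}`);
}
```

The invariant worth testing in any such flow is that no billing event, on its own, ever flips `twoFactorEnabled` from true to false; only an authenticated user decision does.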

Security

  • The Lastpass mobile applications for Android, iOS and others are unusable from a security standpoint, here's why :
    • To have a secure Lastpass vault, you must have a strong master password
    • If you were required to type this strong password on your phone each time you wanted to access a password from your vault to log into a site, it would be too onerous and people wouldn't use the app.
    • Consequently, when you log into the Lastpass app on your phone, it decrypts your hosted blob of passwords and stores them on the phone. These cleartext passwords stay on the phone until you log out.
    • This means that if at any time, your phone gets lost or stolen, all of your credentials are accessible in plaintext on the phone.
    • Lastpass provides a function on your account that says "Kill other sessions on login". I asked if the mobile apps do some kind of polling to know to kill their session if you log in at another machine and it turns out they don't (understandably because of the battery hit for doing so).
    • Sadly this means there is no way to safely and conveniently access your lastpass vault from your phone.
    • I asked them to enable an option to poll and got back "We may enable some sort of option in a future version to set a polling time for the app or at all." and as you can imagine, no such option has appeared.

Sharing

  • Lastpass provides a sharing feature that lets you share credentials with other Lastpass users. I use this a lot and it's very helpful. I routinely get notifications that shared credential sets have been changed by the other user. Here's how that interaction goes :
    • I get an email that says "LastPass Shared Item Update Notification" and says "LastPass items you have shared have been updated by other users. Please click the below link to login to your LastPass Vault. Login to your LastPass Vault. Any items in your vault that have a icon next to them indicate that they have outstanding updates. Click the icon to view, accept, or delete the updates"
    • I click the link and it opens up my Vault
    • I scroll down pages and pages of credentials (600+) searching for the one that has a little icon next to it indicating it has pending changes from someone who I've shared it with
    • I find it and click the icon and it brings up a dialog showing something like 3 or 9 changes.
    • I click on one of the changes and it says that there is no change and the credential is the same.
    • I continue and click on all of them to find that the credential hasn't changed?
    • I'm not sure how to identify all the ways in which this sucks
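
One plausible cause of the "3 or 9 changes" that turn out to be no change at all is that the update check compares whole records, so a bump to a timestamp or revision counter looks like an edit; that is an assumption on my part, not something Lastpass has confirmed. Here, as an added example that is not Lastpass code, is the check a notification pipeline should make instead: a field-level diff that ignores bookkeeping fields, so metadata-only updates produce no notification, and a notification text that names the changed fields without ever putting the values (such as a new password) into an email. The item shape and the set of metadata fields are assumptions.

```javascript
// Added example (not LastPass code): filtering shared-item update notifications
// down to updates that actually change something the recipient can see.
// The item shape and which fields count as metadata are assumptions.
const METADATA_FIELDS = new Set(['revision', 'lastModified', 'lastTouch', 'sharedBy']);

// Field-level diff of a stored item against an incoming shared copy, ignoring
// bookkeeping fields. Returns [] when nothing visible changed.
function diffSharedItem(local, incoming) {
  const fields = new Set([...Object.keys(local), ...Object.keys(incoming)]);
  const changes = [];
  for (const field of fields) {
    if (METADATA_FIELDS.has(field)) continue;
    const before = local[field];
    const after = incoming[field];
    if (JSON.stringify(before) !== JSON.stringify(after)) {
      changes.push({ field, before, after });
    }
  }
  return changes.sort((x, y) => x.field.localeCompare(y.field));
}

// Keep only the incoming updates that change a visible field. A batch of
// updates that only bump metadata yields an empty list, hence no email.
function pendingUpdates(local, updates) {
  return updates
    .map((u) => ({ revision: u.revision, changes: diffSharedItem(local, u) }))
    .filter((u) => u.changes.length > 0);
}

// Notification text. It names the changed fields but never includes values,
// so a password change does not put the new password into an email.
function notificationText(itemName, pending) {
  if (pending.length === 0) return null;
  const fields = [...new Set(pending.flatMap((u) => u.changes.map((c) => c.field)))].sort();
  return `Shared item "${itemName}" has ${pending.length} pending update(s) changing: ${fields.join(', ')}`;
}

// Constructed sample: one stored item and three incoming copies of it.
const SAMPLE_LOCAL = {
  name: 'Shared Wifi',
  username: 'guest',
  password: 'old-pass',
  url: 'https://router.example.invalid',
  revision: 4,
  lastModified: 1000,
};
const SAMPLE_UPDATES = [
  { ...SAMPLE_LOCAL, revision: 5, lastModified: 1100 },                       // metadata only
  { ...SAMPLE_LOCAL, revision: 6, lastModified: 1200, lastTouch: 1200 },      // metadata only
  { ...SAMPLE_LOCAL, revision: 7, lastModified: 1300, password: 'new-pass' }, // real change
];

console.log(notificationText(SAMPLE_LOCAL.name, pendingUpdates(SAMPLE_LOCAL, SAMPLE_UPDATES)));
```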

Other stuff

Issues that have been resolved and are no longer an issue

  • There are 2 Lastpass Vault interfaces: one hosted locally in your browser and one on the Lastpass website. Update : Lastpass 3.0 does a good job at unifying the look and feel of the locally hosted vault and the lastpass.com website vault. Unfortunately the "Settings" interface for Lastpass only works in the Vault interface on the website, not in the browser. Their solution? Put the "Settings" interface inside an iframe in your locally hosted browser Vault interface. Why do we need two different Vault interfaces, each with slightly different UIs? Why does the user need to use one Vault for some actions and the other vault for other actions?

  • Update : Lastpass cleaned up their website at the end of October 2013 and it looks great now. Previously the Lastpass website was a hilarious explosion of confusing imagery. Go check it out, I'll wait here : https://web.archive.org/web/20131024014857/https://lastpass.com/.

  • Update : With the Lastpass October 2013 website redesign these ads for premium no longer display. While logged into Lastpass, when you go to the lastpass.com website, it's aware that you're logged in and displays at the top a button that says "Jon Doe's Vault ->". So the website understands that you're logged in and already a Lastpass user. It also knows, based on your username and the fact that you're logged in, whether you're an existing Lastpass premium (paying) customer. Why then would you display ads asking people to "Get Lastpass Premium! ($12 a year, that's $1 a month)"? Why not display a useful page to customers, since you know that they're already customers, instead of a page of ads and attempts to convince the user to use Lastpass. They already use Lastpass, leave them alone.

  • Update : This message has been fixed in Lastpass 3.0. The 2-factor yubikey dialog box that prompts you for your yubikey one time password says to "touch-button for 2 seconds". Unfortunately doing so will never work because with the yubikey you have to touch it for less than 2 seconds. More than that and it types out your static password, not your one time password. I reported this UI bug in December 2011, checked back in October 2012 and got "It's still on our list to review and update". It would take 2 minutes to fix. Maddening.

    When logging into lastpass with 2-factor authentication enabled using a Yubikey, a window pops up with the field to enter the Yubikey one-time-password into. In that window you'll find the following text :

    1. Insert your YubiKey in the USB-port with the USB-contact facing upward
    2. Wait until your YubiKey touch-button shines with a steady light
    3. Hold your fingertip on the touch-button for 2 seconds

    The yubikey doesn't use a 2 second button touch though. If you go to the yubikey manual : http://static.yubico.com/var/uploads/pdfs/YubiKey_Manual_2010-09-16.pdf, on page 20 you'll see that most yubikeys (mine included), which have the OTP configuration used with lastpass in the primary slot, need a button touch of between 0.3 and 1.5 seconds. Even keys configured with the lastpass OTP in the secondary slot wouldn't use a 2 second press; they take a 2.5 to 5 second press. A 2 second touch falls between the two ranges the manual gives.

    I'd recommend you change the text to something like "Hold your fingertip on the touch-button for a half second"

    Here's the text from the manual explaining the default behavior :

    Ensure that the cursor is placed in a valid input field and touch the button with a finger tip and hold steady
    for approx 0.5 seconds and the OTP string is emitted. The indicator will then be turned off for approx 2 seconds
    where the touch button is disabled to prevent multiple triggers.

    And here's the text from the manual talking about yubikeys with a second configuration enabled :

    Yubikey 2 supports an optional second configuration. This allows the Yubikey to be used for multiple services where
    both configurations are completely separated from each other. A typical usage is that one configuration is used for
    a remote service and one for a local service in static mode. If both configurations are set, the trigger behavior is
    slightly different as the user must select which OTP configuration that is desired:
    Short press (0.3 - 1.5 seconds) and release - OTP from configuration 1 is yielded
    Long press (2.5 - 5 seconds) and release - OTP from configuration 2 is yielded

81 Comments

  • Robert says:

    This article is pretty comical. I agree with you on a lot of these points. I stopped using lastpass before some of these features were added. A possible security breach before steered me away last year. Just didn't think putting my passwords in their hands was a good idea afterwards. Good read.

    • Mikaya Swabb says:

      I’m curious to know if Peguta is a good service. Has anyone tried it and able to provide a good comparison to LastPass?

      I’ve noticed my browser is much slower running Chrome with LastPass extension installed, and it’s really bogging me down as a webdeveloper, I’m frequently logging into various client websites and 3rd party service websites.

      I’ve done google searches for Peguta and there’s really no reviews out there to speak of. Thanks!

    • Robert Allen says:

      LastPass is not perfect and I freely admit that fact. However, it is not entirely fair to say that they had a “possible security breach” last year. LastPass is designed in such a way that they cannot have a company breach in which your passwords are stolen. The LastPass company itself cannot even see your passwords if they wanted to. I’m not suggesting that the system is flawless, but everything in LastPass is decrypted only on your machine and LastPass owns nothing but an encrypted blob. This is why if you forget your master password, LastPass can’t help you. They don’t even have your password and thus it cannot be stolen from them.

      Yes, LastPass did have a system breach, but the only things that could have been stolen were irreversible hashes of our LastPass passwords and the encrypted databases themselves. These things could only be useful to an attacker if you were using a very short, weak LastPass password as then the attackers might stumble upon a hash that matched yours and this would tell them they had found your password. This would still take lots of computer time unless your master password was very weak (less than 10 characters). If you use a strong master password of 12 characters or more, this breach posed no threat. I didn’t even change my master password.

      What many people don’t realize is that far worse security breaches happen all the time (where passwords and other info can be stolen), but many companies choose to keep them secret because they know the public will react horribly. LastPass offered immediate and thorough disclosure of what had happened to their systems and this actually demonstrated that they are trustworthy, but many users reacted by switching to much less reliable password managers :(. For example, most iOS and Android password managers store all your passwords in plaintext all the time and are totally useless in terms of security.

      Re: Gene Wood.
      If you are using LastPass at all, please don’t allow your browsers to store your passwords. LastPass is FAR more secure. If your passwords are also stored in your browsers, LastPass is really just an extra hassle that you may as well uninstall. Most browsers will now “sync” your passwords between all your devices. It’s fine to use the browsers as they are more convenient and probably work better than LastPass at correctly detecting and filling the login fields, but be aware that, to my knowledge, browser password managers don’t offer the security that LastPass does.

      • gene_wood says:

        Robert, a very good point. The “security breach” a year or two ago doesn’t bother me for just the reasons you mention.

        Regarding your recommendation to not use local browser password managers, I agree. It’s nice that the lastpass browser plugin by default offers to disable your local browser password manager for just that reason.

      • Peter says:

        Honest question: “They don’t even have your password and thus it cannot be stolen from them.”

        Can you provide some verifiable proof that this is the case? (I know lastpass claims this). Can’t they, theoretically, send the password in some form to them, and they just claim they don’t have it? (I don’t say that is the case, I am just asking how you can be so sure).

        • gene_wood says:

          Peter, indeed it would be possible for lastpass to tell your client to send them your passwords in a form that they could read, however since all of the encryption is happening client side (and in javascript if you’re using the web interface) you could potentially just read the client side code to see what it’s doing. If it’s doing what they say it is, encrypting client side with your master password which is never sent un-hashed to lastpass, then you can be confident.

          So, the verifiable proof would be the javascript that your client browser is running.

        • Peter says:

          @gene_wood To what I know Lastpass is not even sending your password to the server, just a hash of it, and then it even (to what I understood) adds another salt to the hash and hashes it again. Meaning that when it is “unhashed” it would mean that at that point they would have to start all over again. So, no they would not have your password, and they also say this at the start when you forget your password then all data is gone forever.

        • Ronald says:

          Can’t they, theoretically, send the password in some form to them,

          Well, every time you log into their website / forum you submit your password to them. That isn’t being used by local Javascript; it’s sent over HTTPS to their webserver. All the things their webserver might do then are well beyond our ability to test or prove.

  • Neeraj says:

    Hi Gene Wood,

    I’ve been using LastPass since 2008, now. And I can relate to some of the issues you’ve pointed out above. Especially the one about ‘http digest‘ (whatever that means) – one of the survey sites (Toluna.com) of which I’m a member, has recently changed to this mode of authentication. So, instead of entering credentials in a couple of fields on a web page, now they pop up one of those HTML5 (?) translucent boxes floating over the web page. But lastpass fails to detect it – and since I used it to generate a strong password (as opposed to manually creating one) I am forced to open the “vault” in another browser tab, locate that password, then copy and paste. Irritating at the least.

    So I never opted for the subscription. And I continue to allow my browsers (I use multiple browsers in multiple OSs on the same computer) to store some of my passwords. I also use Xmarks and Google sync. I only disabled Firefox’s sync – I couldn’t get it to work anyway.

    • Benk bob says:

      use contextual menu.

      Right click, Lastpass (if you didn't hide it), copy username/password, and just paste it (LP even resets the clipboard after X seconds.)

      If you choose to hide the contextual menu, there are shortcuts you can use :).

      Visit extensions’ options before stating wrong arguments. Lp owns.

  • Phil Blake says:

    I found LastPass to be extremely frustrating while testing various password managers, and the lack of support just added to this. I ended up purchasing RoboForm Everywhere to be used with my various computers, tablets, phone and USB drives. RoboForm was the first on the market and it appears that many others like LastPass are still struggling to catch up. The other thing I like about RoboForm and their developers at Siber Systems, is the fact that they not only have an online support ticketing system available 24/7 but live phone support based in my home state of VA from 8am to 8pm.

    • Alvin B. says:

      Personally, I was a Roboform user many many years ago.

      Unfortunately at some point they decided that fully paid users would suddenly have to repurchase the app upon one of the upgrades. Just because.

      That left such a sour taste in my mouth I moved to LastPass and haven’t looked back.

  • snaven says:

    Would an option to choose your own personal server (as online storage) for your password database, make it safer? I would guess few hackers would try to hack your personal server, opposed to the LastPass servers.

    • jake says:

      All it takes is a single WordPress / PHP vulnerability to make your entire server vulnerable. If you write your own database code, adhere to best practices to maintain your codebase, and you learn encryption – then I suppose its possible. Your point about likelihood of being attacked is well taken, but if you run ANY popular software under the same user on the server, you are at risk as I have learned.

  • SP says:

    Thank you Gene, very thought provoking. I certainly will give your review serious consideration before I renew my yearly subscription to LastPass.

  • Jarrod says:

    Great write up on the quirks they need to straighten out. I was in the market for Enterprise level password entry to Hide, restrict and share logins to users. LastPass works better than Roboform by far, the Roboform personal one is very much the better personal product but for enterprise the LastPass Enterprise is Elite.

  • wschloss says:

    Hi, have been using lastpass for about two years and totally agree with you—and there are other frustrations you have missed:

    Inability to select preferred credential for sites for which you have multiple logins. Others too numerous to mention but easily findable in their ticket system if they cared.

    Problem is, from what I have read (extensively) most of the alternatives are no better. This would be an awesome piece of software if they would fix just half the problems. Their core really is good, I trust their encryption, which doesn’t leave your device, and they have some very nice bells and whistles, like the ability to export everything to CSV. Twice a year (calendar reminder) I do this and store in Excel with strong pa$$word and hide on my machine, and back that up on and offline.

    What are they running out of money? If they would just fix the damn bugs I would be willing to pay a lot more! aarghhh! I wish someone like Mozy would buy them and run the company better!

  • birdmom9726 says:

    I found LastPass to be thoroughly irritating and downright scary. I thought I was fairly savvy at this kind of thing, but evidently I’m not “savvy” enough. LP got confused over various domains, remembered wrong passwords, and kept changing passwords without warning. Maybe it’s just me. I wanted to love this software because it seemed like such a good idea, but I guess I’m just not up enough on the technicalities of how it all works together (or is supposed to) to be able to deal with it on an everyday basis. Is it just me? All these people keep saying how great it is, and then I find a site like this that has some of the same complaints as I did, and more. I feel better now! Especially because I just UNinstalled LastPass and got it the hell off my computer and devices. It made my life a scary hell for three weeks before I wised up that I wasn’t wise enough to use it!

  • Geezenslaw says:

    Very interesting read indeed. However, most if not all of these folks have had the advantage of purchasing lastpass. For myself I have given up w/o even using the product. Reason: it is impossible to purchase lastpass for the most part. Attempts to purchase say: email unrecognized. Attempts to create an account with the same wayward email address evoke from lastpass.com: email not recognized! I’m glad I steered clear b4 wasting my money! BTW: my email address has been the same for 10 years but lastpass.com has an issue with my email!?

  • David Tonhofer says:

    “This is especially bad when it happens in the basic/digest HTTP auth pop up window. In that case the plugin will indicate that you’ve got multiple matching credential sets and when you click the drop down to pick one, it displays only one.”

    This. Over and over and over. And over.

    Psst, you wanna buy lastpass?

    Payment methods. Why, we have the following, dear customer:

    1) Google Checkout … HELL, F*CK NO.
    2) Paypal … No. NOPE. NEVER AGAIN.

    No other options exist.

    Any hardscrabble site run by a webdesigner soliciting money from users “to keep running” has at least the standard “credit card” payment option, if need be by bouncing the user to reputable third parties (i.e. not CCBill)… What is this?

    • JasonBourne says:

      Can’t you just buy a prepaid card for G-checkout? That’s the way I do it with iTunes Store, because I have an Apple phone…
      No real credentials needed, and in the event of Apple being hacked, no worries about credit card hacks.

  • Zombeezy says:

    I have been using Lastpass for a couple of years on my home PCs and laptops, but several times my adventures with it on various cell phones has been horrible. I did not renew my subscription, and now only use the free version.

    Recently I bought the Yubikey Neo for the 2-stage authentication using NFC, but I haven’t tried it because I don’t see any evidence yet that the mobile use of Lastpass has gotten any better for me to pay for the subscription. If I see some raves about the mobile experience, I might try it again.

    Nice article!!

  • Joshua says:

    I definitely agree that a better font could be chosen for the display of the passwords in LastPass, however, if you look very carefully, you will notice a tiny, 1 pixel difference between the lowercase L and the numeral one. The lowercase L has a straight top, whereas the numeral one has a very slight curve.

    With this in mind, it can be seen that the password in the screenshot is ab L xy ONE fg ONE ab ONE ss L bz L

  • Jess says:

    Thanks for the detailed post. It’s good to see I’m not alone in my frustration with Lastpass. Quite frankly, I’m not sure why they get such praise. In the last year I’ve also tried KeePass, Dashlane and RoboForm. I’m sticking with RoboForm. I like the options to store my info on my computer only, the way it integrates with the browser, the GUI, the fact that it has one installer and a few other things. I’ve found them to be very responsive when it comes to my questions and their mobile apps even work pretty well. I’ll update this in a month or two, but for now I’m loving RoboForm.

  • Will says:

    Robert wrote:

    the only things that could have been stolen
    were irreversible hashes of our LastPass passwords
    and the encrypted databases themselves

    Robert, you must be aware that encryption can be cracked.

    Computer processing power is increasing all the time, and flaws are sometimes found in encryption methods.

    Given enough time, a brute force attack on an encrypted password may reveal that password in plain text. So “irreversible hashes” do not need to be reversed to be cracked.

  • David says:

    I am a long time LastPass user. I’m currently trying a 30 day trial of Dashlane. Has anybody tried it? The UI is very nice. It’s $20 per year to sync with all devices.

  • A different David says:

    I tried the LastPass Firefox plugin because (unlike the generally superior 1Password) it works when you’re running Linux. Despite the buggy interface, which sometimes worked and sometimes worked only after a restart, I was able to enter some credentials and give it a try. It more or less worked okay, though sync with the corresponding iOS program never worked at all.

    However, immediately upon installing LastPass, Firefox Sync broke for me. Every time I logged into Firefox thereafter, I would have to restart Sync. So, I uninstalled LastPass — or tried to, since it was saved within Sync. Every time I’d install it from one or two of my machines, Sync would re-sync and reinstall it. (That’s more an indictment of Firefox Sync than of LastPass — however, it’s also a cautionary tale about what you’re getting into if you’re a Firefox Sync user who wants to use LastPass.)

    After shutting off network connectivity on multiple devices, re-removing LastPass from multiple devices, re-syncing to Firefox Sync from multiple devices (of course, all of them had been bounced out of Sync yet again and I had to reconnect) I now thought I might have all this sorted out.

    Then I started up Firefox today and found that I’d been bounced out of Sync on all my work computers. It’s not that I use Sync for passwords — I don’t; only for settings, tabs, history and bookmarks. But it’s damned inconvenient not to be able to sync these things between devices anymore. Somehow, my association with LastPass has (semi-?)permanently tainted my ability to use Sync.

    It’s kinda like having bedbugs.

    So, I am rethinking my entire password strategy at this point. If I were Mac only, I would use Secret!, which lets you sync a handheld device with a secure desktop client. I used it for years under PalmOS with great satisfaction, but it doesn’t have a Linux variant (unless you count Android). http://www.linkesoft.com/secret/

    Instead, I’m going to use one of the variants of KeePass, with the database stored locally or, perhaps, in the cloud (though with a very long random password). Not an ideal solution, but LastPass sure as hell isn’t either.

  • Richard says:

    I have used RoboForm for perhaps 6+ years and kept it on my thumb drive which I took to work each day with me so I could use it on my home and work computer. They moved to a newer version and wanted more $ which is understandable when there is a complete upgrade. I used the old version for a couple of more years then looked around for something else and ended up with LastPass.
    I have been using it for several years now without any complaints. Occasionally websites will change their log-in procedure so I have to delete/redo the log-in for that site.
    Like everyone else I am concerned that all of my financial log-ins are in the cloud somewhere but at least I can get to them if need be as long as I have an internet connection.
    What else am I to do?
    I have quite a few financial as well as other sites that I have to get to daily and although everyone at work uses the exact same lame password for each site, I do not do that anymore. My home computer could be stolen at any time as could my work computer. I have to securely store these p/w somewhere! I know given enough time anything could be cracked but having 50 p/w written out on my desk next to my computer might not be such a wise idea.
    I think I am using the free version of LP and it works for me. RoboForm cost me a little $ but it did not do the double log-in thing for me on those crazy websites that required it. Same problem with LP. I guess there is no perfect solution. There is no way that I can remember a 12 digit, uppercase, lowercase, number, special character log-in for 50+ sites. LastPass will do it for me with very few glitches.
    Come up with another program that is significantly better and I will jump on it.

  • Eric says:

    I purchased Premium for the Mobile features, which to my admitted lack of research, I found doesn’t work with the actual mobile apps. I understand this is not the fault of LastPass, however from a layperson’s perspective when you see “down load the mobile app”, you assume that when you open a mobile app in say your iphone that you will be able to insert credentials using LastPass.

    Using LastPass on my mobile phone and logging into websites using a browser (safari) when I have a perfectly good App to access that information doesn’t seem to make any sense to me at all.

  • Peter says:

    I used it now for a while and I can say that it does not work badly, better than what I had before.
    Like for example that statement about the mobile phone, on iOS you can set an extra pin code when the application stops, and after a while it even logs out. About data in memory, this will always be a problem, but I know also that iOS devices encrypt this data by default. (For android I don’t know …, maybe it is a too open system 😉 ).

    Also, why the hell would you let them take automatically money from you credit card ? Are you looking for problems ?
    All these auto payment systems have problems in one way or an other.
    Just set it on your calendar once a year and pay it yourself…
    And I bet that in this case they WILL send you an email with a nice payment link… 😉

  • Bart says:

    Hi,
    Thank you for the bug reports and the time consuming overview. Good read. One would at least expect the absurdly irritating and easily fixed UI problems to be fixed.

    Some thoughts: Perhaps one could consider to try to make a clone of the concept, indeed use a personal server for the encrypted blob of data, write a portable standalone program that decrypts it somehow safely, and sends it using javascript rules through MozRepl/ChromeRepl to the respective (form) element. This would be not too hard to do, it could be safer, and probably much faster! A good interface and support section is needed for editing the conditions for input field filling: perhaps you want to wait for a website’s login form to be created, perhaps it is only created after a certain event, perhaps you want to implement a little time-out, or perhaps indeed there’s a CAPTCHA or you might want to do something else every login? There could be some sort of inspection tool integration (say Firebug) to quickly get the right input element.

    anyway, cheers, thanks for the review

  • Yinna Harold says:

    This is the only site I found that lists problems with LastPass, so I am adding mine:

    Lastpass forgets usernames and passwords.
    There’s supposed to be a ‘history’ for these things, but a site I use at least once a month all of a sudden has no stored username, and no history of said username.

    Earlier, this happened with the password to my Bank of America account.

    They don’t re-appear either. I’ve logged off, rebooted, waited, but nothing. After the BofA issue, I contacted support. After several back and forths the conversation became too convoluted for me, so I gave up and they closed the ticket.
    I’ve filed a bug report for this new one, too. And I’ve downloaded all credentials for backup, which sort of defies the point of having encrypted passwords stored safely in the Lastpass Vault…

    I just can’t imagine I’m the only person with this problem!

    • Rene says:

      Happened to me too. Quite recently several of my sites went missing. Without a trace. Some I use regularly, others rarely.

  • Jim Bob says:

    Don’t laugh, I am a Neanderthlithic Luddite, but I found LastPass very usable on my IMAC running MAC O/S.

    I expected same or similar experience on the IPAD.

    Not.

    On the Mac auto fill in works. I love it.

    On the IPAD, it does not autofill, it just acts as a storage vault. I have to leave the app, go to LastPass, copy the password and go back to the app needing the password. Again not even remotely similar to the desktop experience.

    Hope it is my ignorance, I can learn.

    Should the platform experience/interface be so different?

    Thank you in advance!

    jimBob

  • Roger says:

    I use lastpass, and will keep using it on my computer. I have never used it on the phone. I use keepass as well, and will keep using that for the important passwords. Some of those more important ones are in my lastpass vault, so I have some work to do, but that will be a matter of time.

  • Scott See says:

    I LOVE LastPass. Okay, LastPass is not perfect, but what’s the point of this article unless you recommend a better alternative?

    Scott See

    • gene_wood says:

      A good question. I wish I had a better alternative to suggest. If anyone has a recommendation I’m more than open to it.

      • Marko says:

        Well how about https://www.passwordbox.com/ that just emerged to great fan fare (money)? Maybe they will have resources to fix all the small annoyances….

        Been using LastPass for a year now and it’s OK, read this article before I committed to a Premium account for sharing. New version is much nicer looking. PasswordBox looks better but it’s slower on my system. Just got it so didn’t investigate much except that apparently the sharing is included for free (to be tested).

  • Tim says:

    Last Pass 3.0 has lots of cleverness about forms. Trouble is, on a form with a great many input text boxes, it grinds the browser almost to a halt.

    The solution to getting your browser performance back is to turn off most of the automagic features in Preferences:
    General
    Highlight input boxes
    Automatically Fill Login Information
    Notifications
    Offer to Generate Secure Passwords
    Show Form Fill Notifications
    Show Fill Notification Bar

    I removed all the HotKeys, too. Why have it if I don’t use it?

    The good news is page load performance is almost as snappy as before LP was installed.
    The bad news is this makes LP somewhat manual but I’m only signing on to various sites a few times a day. It also prevents LP from signing on again just after I’ve signed off. Right click to get the LastPass / Autofill / site menu to sign on.

    I agree the 3.0 redesign has a nice retro feel. It reminds me of a late 1990’s web page. All text, no color, have to read everything to figure out how to use it, no UI affordances, the feeling of masterful control over menu items (no matter how long I hover they remain shy), the thrill of hunting for items now buried, it’s all so nostalgic.

  • I.M. Pistoff says:

    Not sure which is [more] at fault, but have always had issues using LP with Pale Moon, regardless of versions; sometimes with other browsers too. Worth paying for something else if it works better.

  • wschloss says:

    Agree with all the above. I am a 3-year paid user with over 200 sets of credentials in Lastpass, including many for other family members, some dupes, some dual-factor, some multistage—have used every feature and option, some undocumented.. Unfortunately I spend at least 2 hours per month maintaining, tweaking, etc. Lastpass.

    They don’t seem to get that bugs and seemingly nonchalant tech support make their paying customers lose confidence that data really is as secure as LastPass and others assure it is—the heart of the app. You might live in a very secure house, but if you’re worried your teenager will forget to lock the door when you are away for the weekend, you will not sleep!

    Additional problem I don’t see above. Whenever I make any significant change to my system (Win 7, squeaky clean using ccleaner) LastPass extension for Chrome is missing and I have to add it back. This MAY be a Chrome problem not LastPass, BUT it does not happen with other extensions.
    Thanks.

    • wschloss says:

      LastPass no worse than others! As documented here I have had many frustrations with LastPass so last month I switched to Dashlane mostly upon advice of David Pogue.

      Dashlane was no less buggy, frustrating, kludgy than LastPass. I used the 30-day free trial on multiple devices, so I went back to the mediocre program I know, rather than the one I had yet to learn, test and discover.

      I now appreciate LastPass more than before. Also the recent update (2014-02-15 07:53:23) fixed a lot of things and I presume they are working on the next batch of bugs. I will be sticking with LastPass for at least the next year, by which time I wouldn’t be surprised if they are bought by Google or someone else.

      Hope this all helps someone. Bottom line; LastPass is the lesser of evils.

  • Jason K says:

    It does have problems but is a lot better than all the Ripoff Roboform versions.

  • Dan says:

    I went through almost every password manager and tried it for a week to give it a chance about 6-12 months ago. I thought lastpass was the best by far for the combination of usability and security. I know it has lots of bugs and annoyances (as stated on this site), but I see the same or worse things in all the other alternatives. The only other one I could recommend to friends when I tried them all was keepass, and that’s just if they are really sensitive about their security. For the average user, the extra security of keepass just isn’t worth the usability sacrifice compared to lastpass.

    I’m sure the programs have changed some in the past few months, so if the other applications have made significant improvements that help them surpass lastpass then feel free to share. But when I hear that there is a program that doesn’t have any of the kind of bugs lastpass does, I’m skeptical because it did when I tried it.

  • Steven L says:

    I’ve been a LastPass Premium user for 3 years. The program is filled with idiosyncrasies but I stick with it because its competitors are no better.

    Problems crop up out of nowhere. All of a sudden, LastPass for Chrome now fails to do anything – at all – but only for the first 2 or 3 logins in a session, then it’s working again.

    LastPass for Firefox has started to automatically log me in to websites, even though I tell it not to do this.

    LastPass technical support is always courteous but their only solution is ‘try our latest version’.

    Personally, I don’t care for the 3.0 redesign, which added extra buttons that just get in the way, and a font for passwords that makes it harder to distinguish letter ‘l’ from number ‘1’.

    Thanks for all the posts. There’s no other place (that I have found) where LastPass users can collectively vent their frustrations. I hope the devs see this. Personally, I would pay more for LastPass if I could count on it to work properly.

  • Greg M. says:

    Lastpass IS secure.

    For anyone who has any concerns about encryption and how your data is handled, you need to listen to/read the transcripts of “Steve Gibson’s review of Lastpass”

    Episode #256: https://www.grc.com/sn/sn-256.htm

    I have tested and used many password managers out there.

    Currently using Lastpass and Keepass.

    Roboforms ticked me off when they “Forced” us to pay again after saying we have paid for life. Very Bad Form Roboforms!!!! NEVER AGAIN!!!

    They ALL have their issues, but again Lastpass could be Light years ahead of any others if they’d tweak the odd things that bug their users.
    The new 3.0 Layout I don’t care for — you can make it act the same as v2.0 with selections in the preferences.

    Ultimately, Lastpass/Keepass is my combination of choice.
    Primarily I use Lastpass on a daily basis ==> (duplicate everything in keepass – because there are a few things Keepass will do that Last pass won’t, & vice versa)

  • ReneCD says:

    Thanks for the information on this website, very interesting. I have been a Keepass (KeepassX actually) user for years, and while I never had any problems with it, it’s dog ugly, particularly the Android apps for it, and automatic form filling sounded cool too.
    However with the problems pointed out on this page I think I’ll stick with Keepass. At least it’s never lost any entries for me.

  • Paul says:

    I agree it’s not perfect. We use the keyfobs with the master password. I turn off lastpass for phones and tablets because I check the box that you must use a keyfob. Looking forward to some better two factor authentication. However now that I know the NSA gave RSA tons of money one year to give them access, I just don’t know what second factor to trust. Do they have a way of getting the Google Authenticator code? What about the one time password number for gmail, dropbox, teamviewer, etc.? The bottom line is you have to trust someone, right?

    I’m also looking forward to the day when better security doesn’t mean less convenience.

  • Dave K says:

    I can’t believe there are so many comments on this page claiming the competition is no better, and yet as I write this 1Password is only mentioned ONCE and is noted to be generally superior.

    I have used both 1Password and Lastpass and I have to admit 1Password is generally superior… the hitch for me though is it doesn’t come for Linux and there isn’t a web based version (for various not very good technical reasons.)

    The hitch for most other people is probably that 1Password is comparatively quite expensive. As I write this in the Apple OS X App Store it’s $49.99 and the iOS app is $17.99 The Windows version will cost you another $49.99 and you can buy a family pack for 5 users which is even more expensive.

    I don’t know about the Apple App Store purchased versions and upgrades, but my experience is with a non-App Store purchased version and upgrades weren’t free.

    • gene_wood says:

      Ya, the cross platform aspect of Lastpass (and the web fallback option) was necessary for my setup (Linux, Windows and Mac).

      Those prices for 1Password are steep. It’s hard to compete on price when Lastpass is $12/year.

      Dave, how is the UI for 1Password as compared to Lastpass (I’ve not used it)?

  • Jim says:

    New purchaser of free version of LP. I really want to like this product and almost bought just so I could benefit from the “better” tech support for paid users. Then I thought WHY ? and am now waiting for a reply to my ‘ticket’. The FAQ doesn’t cut it and lack of any phone support is not helpful. I have barely scratched the surface of LP and I consider myself fairly computer literate but I am really FRUSTRATED and confused. Fortunately, I didn’t turn over all my favorites and passwords to LP before I tried it out with a little used email program. It wasn’t long before I was totally locked out of that program. I went to my vault and found a number of “generated passwords” to that account, I tried to reuse them to get into the account. No way! Finally managed to do a recovery and was able to change the password back and access the account. The real fear I have is that to change or reset a password one needs the old password. I cannot find it in LP. If I can’t find it or change it in LP then I am screwed! I find no way in LP to override that program. My laptop is secure. I don’t really worry that I cannot get into it. I also don’t worry that anyone else can get into it SOoooo once I am logged onto my computer I want to be able to get into LP and disable it if I like or at least be able to undo something I might have done in error. So that I DO NOT get locked out of that email program I mentioned. I’m hoping someone will get me thru this problem so I’m not fearful that my email accts, bank accts and other sensitive stuff become unavailable to me. Thanks for reading and thanks for any help.

  • Jim says:

    Got a prompt reply to my email to Lastpass and initially felt excited. Then I read it and it was apparent that Lastpass didn’t really read my mail. They sent a link about losing or having problem with the master LP password which is not my issue! Then I remembered reading other comments here saying the same thing! So I wait their next reply…..hopefully it’s more helpful.

  • Jim says:

    Got another reply from LP with very easy, straight forward answer and direction for assigning passwords. I created a new favorite with username and password. Then I followed LP instructions and I’m now unable to get into that account. The way I see it if I follow the lastpass procedures I’ve followed so far, very soon I won’t be able to login to any of my passworded sites. There must be something very simple that I am missing here or the program simply does not work correctly. The real worry is that so far I’m not getting any real help from LP. They say I need to upgrade to Premium “for that”. And that makes no sense to me. News at 11.

    • gene_wood says:

      There must be something very simple that I am missing here or the program simply does not work correctly.

      I can say I know the program does actually work, though I wouldn’t say it’s that straightforward to use.

      They say I need to upgrade to Premium “for that”. And that makes no sense to me.

      As far as why they need you to upgrade to Premium is that otherwise they’re providing a help desk for a free product which isn’t really sustainable. Part of what you get with a premium account (if you can even call $1/month non-free) is support.

      I’d say either give up on it and try an alternative solution, or give them the $12 and see if you can get them to help you get it working. Not ideal options but probably the only paths forward.

  • jesstifer says:

    Regarding 1Password: the UI is superior to LastPass. I’m trying to switch to LastPass: I find the interface confusing and yeah, ugly.

    The main drawback to 1Password is that its mobile apps are read-only, and are not integrated with your browser. If you log in from the app, it opens in its own 1Password browser.

    So to login to a site in, say, Chrome, you need to go from Chrome to 1Password, enter the master password (if the app wasn’t open,) then copy and paste your username and password, go back to Chrome and enter. :-\

    The “security” for mobile apps for LastPass indicated here is dire. But they now have a “reauthenticate” option that supports fingerprint security…that should fix the problem, yes?

  • Manyan says:

    This is an excellent post re LastPass – agree entirely. Lastpass has the potential to be truly great but there is a lack of support to questions raised in their own forum. There should be an answer to each query as a courtesy to their users. That courtesy should be extended to credit card malfunctions ALWAYS – most truly professional companies do this as a matter of course. LastPass appear to have a healthy disregard for their users – let us all hope their attitude changes in 2015.

  • Dr. R. Collins says:

    Sucks? Rubbish! I have been using it ever since I kicked Roboform (with its restrictions) out the door. i would not be without it – ever!

  • SlipperyPete says:

    I just got set up yesterday with Lastpass for my new business. Boy does it suck! I’m literally disgusted with my experience so far. I can’t think of a buggier piece of software I’ve ever used before. And they charge money for this app! In less than 24 hours I’ve encountered more bugs/issues than I can remember; at least 10. Only one of them is noted in the original article on this page. I’m planning to see if I can find a better solution before my 30 day money back period expires. Lastpass does not deserve $12 for their Premium version. Honestly, they should be paying me to use it, I mean suffer through using it.

  • Casey2 says:

    Using full version of Last Pass for 90 days. Trying hard to integrate Yubikey-neo into my multi-factor authentication w/my new S-5 active w/NFC. Desktop use is tedious 90 days later. It doesn’t just “work”. I doubt I possess half the skills of most of those commenting but darn if I agree with just what a huge hassle using Last Pass has become, or has remained. Thought Yubico or android was my problem but no. I keep reading, ready to try any alternative to L/P. Of course support is $$$ and you get what you pay for. Had to call Google Play who forwarded my e-mail from their offices (thank you google) but the reply was a link to their PDF instruction manual listing more multi factor options which I have printed and read long before attempting to reach out in an attempt to use L/P fluidly.

    If you are out there Last Pass I would gladly pay a premium for live human support. I’m not reading about solid or even competitive options. Until L/P phone support is available I will be endlessly looking for other services. Security is needed badly but if they don’t take it seriously I will find a service that does and that includes UI. And why can’t I use it with Firefox? Why the constant push to use Dolphin-HD and all of its associated apps? Thanks for your time.

    Casey

    • Jacob Sommerville says:

      If you are out there Last Pass I would gladly pay a premium for live human support.

      Yeah, well, I found their phone support.

      $1500/yr gets you 2 hours of phone per month support during business hours

      $2500/yr gets you 4 hours 24×7

      $5000/yr gets you 6 plus 24×7 and an account manager

      That’s almost $70 an hour for support that is most likely no better than what you are getting through the support ticket system.

      Some of my issues, I’m not sure can be solved through support without some coding changes, so I’m afraid to throw down that chunk of change just to be told over the phone that it doesn’t work.

  • Andy Hundt says:

    My issue is that I have several Office 365 accounts. Whenever I change the password for one of them in my web interface, LastPass prompts me to update all the other Office 365 account passwords at the same time. I find that alarming and wish I could disable that feature.

    My comment is that I have been using LP for a year and mostly like it. I also like the Enterprise version for handling multiple users in an organization.

    My solution for the mobile security problem is to use the MessageEase keyboard to make entering my long random passphrase easier. As with any mobile keyboard, you will need to disable word prediction to prevent it from storing your passwords.

  • Robert Stanton says:

    I have just started using LastPass. Here are some suggestions that make me feel better:
    1) For Banks and Brokerage Accounts I do not keep the entire password in LastPass – I have a 3 character suffix that I add to passwords. Even if someone has access to my LastPass account they cannot have access to my critical accounts.
    2) I was shocked that after leaving my computer and closing my browser and coming back to it that my LastPass Vault was still available without re-entering a password – there is a hard-to-find setting in ‘Preferences’ that is only available from the desktop browser (I think) that allows auto logoff after the browser is closed and/or if idle. A must setting.

    I am using the free version as I cannot imagine logging into important accounts over a cell phone-I have seen comments here and everywhere that is risky.

  • Garry says:

    Hi All, Is there a simple fix with lastpass premium? Every time I log on I have to refresh my sites before I can activate them. It takes me to each site but the login spaces are not auto filled in.

  • Mark Comin says:

    I just upgraded to LP Premium and now only a few of the dozens of saved credentials work even though they are all saved with auto log on checked. I have to open my vault and copy/paste my passwords. I don’t even know where to begin to try to fix this. Suggestions are welcome

  • C A says:

    I know this article is dated, but I would be remiss if I didn’t point out Keeper as a better alternative to Last Pass!

  • B B says:

    Two factor authentication is useless in LP! Of course someone needs your password to get to the second authentication stage but if they do, it really doesn’t matter because as long as you are on the login page for a website, the credentials are filled in even before you get the authentication popup :/ And then all you have is an annoying popup in the middle of your screen that you can remove without putting in the key

    • gene_wood says:

      My understanding is that when you first sign in you’re merely proving control of the master password by signing a nonce. Then when LP believes you control the master password, they give you the 2nd factor challenge. If you pass the second factor challenge, they will send you a copy of the encrypted blob containing your vault which you can then decrypt client side. Can you give more detail on the sequence of steps that allow you to log into your Lastpass vault with two factor auth enabled, bypassing the 2nd factor?

  • Bob Kline says:

    Very interesting and thorough article. I found it when I was searching to find out if anyone else has run into odd behavior of LastPass which I’ve seen more than once. I’ll open up the record for a site and instead of the password for that site I see the master password. As you can imagine, I found this pretty unsettling. Unless I missed it when I scanned through your article, this is not one of the bugs you’ve run into. Makes me wonder what my environment is doing which could be triggering this anomaly. I’m using the software in browsers on Linux, OS X, and Windows, as well as the desktop app on OS X (the latter probably the least common factor with the LP user base, so the most likely place where the bug resides). Perhaps I’ll follow in your footsteps and file a bug report.

    • gene_wood says:

      Bob, is it possible you have a browser based password manager also enabled (for example the built-in Firefox or Chrome password manager) and you’ve configured that password manager to fill in your Lastpass master password? If so your browser password manager could be trying to fill in your master password into the Lastpass UI. If that’s the case I’d recommend against storing your Lastpass master password in your in-browser password manager as it’s risky.

  • Jim says:

    I’m a long time (and happy) lastpass user. I have a strong master password and I use Yubikey for 2 factor authentication. Overall I’m content with the solution. However I have a question. If my laptop has been compromised unbeknownst to me, and a nefarious agent had managed to get the local copy of the cached (encrypted) data. Would they be able to use this, along with the master password, no doubt gained through a keyboard logger, to decrypt the file? Or do they need the next Yubikey code?

    • gene_wood says:

      Jim, yes, if the attacker has access to your machine, then they have access to the encrypted blob which lives (potentially ephemerally, but it has to be there at some point) on your machine. The yubikey OTP is used to authorize Lastpass servers to send your client a copy of the encrypted blob. The attacker, already having access to the blob, and running a keylogger to get your master password, can decrypt your blob.

      The second factor is to protect you from an attacker that gets your password through some means other than compromising your local machine.
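The nonce-then-second-factor flow gene_wood describes here and in the earlier reply to B B, as an added example that is not part of the original thread and not LastPass’s code: a stand-in server that releases the encrypted blob only after a password proof and a HOTP code, and a client that decrypts locally with a key derived from the master password, so a blob already cached on a compromised machine needs only the keylogged master password. The login-key derivation, the iteration count, the toy cipher and the sample vault are assumptions for this model only.

```python
# Constructed model of the flow described above, not LastPass code; all pieces are standard-library stand-ins.
import hashlib
import hmac
import json
import secrets
import struct

ITERATIONS = 100_000  # PBKDF2 work factor: an assumption for this model only

def derive_keys(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Encryption key from the master password plus a login key; only the login key reaches the server."""
    enc_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS)
    return enc_key, hashlib.sha256(b"login-key|" + enc_key).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream for the toy cipher (stands in for AES)."""
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), "sha256").digest()
                    for i in range(length // 32 + 1))[:length]

def encrypt(enc_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || body || tag."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(enc_key, b"tag|" + nonce + body, "sha256").digest()

def decrypt(enc_key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(); raises ValueError on a wrong key or a modified blob."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(enc_key, b"tag|" + nonce + body, "sha256").digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP, the kind of code a second-factor device produces."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    return f"{(struct.unpack('>I', mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 1_000_000:06d}"

class VaultServer:
    """Holds the login key, the encrypted blob and the OTP secret, never the encryption key."""

    def __init__(self, login_key: bytes, blob: bytes, otp_secret: bytes):
        self._login_key, self._blob, self._otp_secret = login_key, blob, otp_secret
        self._stage: dict[bytes, str] = {}  # nonce -> "password" | "otp" | "authenticated"

    def challenge(self) -> bytes:  # step 1: a fresh nonce for the client to sign
        nonce = secrets.token_bytes(16)
        self._stage[nonce] = "password"
        return nonce

    def prove_password(self, nonce: bytes, signature: bytes) -> bool:  # step 2
        expected = hmac.new(self._login_key, nonce, "sha256").digest()
        ok = self._stage.get(nonce) == "password" and hmac.compare_digest(signature, expected)
        if ok:
            self._stage[nonce] = "otp"  # only now is the second-factor challenge issued
        return ok

    def second_factor(self, nonce: bytes, code: str, counter: int) -> bool:  # step 3
        ok = (self._stage.get(nonce) == "otp"
              and hmac.compare_digest(code, hotp(self._otp_secret, counter)))
        if ok:
            self._stage[nonce] = "authenticated"
        return ok

    def release_blob(self, nonce: bytes) -> bytes:  # step 4: blob only after both factors
        if self._stage.pop(nonce, None) != "authenticated":
            raise PermissionError("second factor not satisfied; blob withheld")
        return self._blob

def fetch_vault(server: VaultServer, login_key: bytes, code: str, counter: int) -> bytes:
    """Client side of the exchange; returns the still-encrypted blob."""
    nonce = server.challenge()
    if not server.prove_password(nonce, hmac.new(login_key, nonce, "sha256").digest()):
        raise PermissionError("master password proof failed")
    if not server.second_factor(nonce, code, counter):
        raise PermissionError("second factor failed")
    return server.release_blob(nonce)

def run_scenarios() -> dict[str, str]:
    email, master = "user@example.invalid", "correct horse battery staple"  # constructed sample
    vault = json.dumps({"bank.example": {"user": "alice", "pw": "s3cret"}}).encode()
    enc_key, login_key = derive_keys(master, email)
    otp_secret = secrets.token_bytes(20)
    server = VaultServer(login_key, encrypt(enc_key, vault), otp_secret)
    # 1. Legitimate user: password proof, OTP from the device, then decrypt locally.
    cached_blob = fetch_vault(server, login_key, hotp(otp_secret, 1), 1)
    results = {"legitimate": decrypt(enc_key, cached_blob).decode()}
    # 2. Remote attacker who phished the master password but has neither OTP device nor blob.
    wrong_code = f"{(int(hotp(otp_secret, 2)) + 1) % 1_000_000:06d}"
    try:
        fetch_vault(server, login_key, wrong_code, 2)
        results["remote_attacker"] = "got blob"
    except PermissionError as exc:
        results["remote_attacker"] = f"blocked: {exc}"
    # 3. Local attacker: cached blob plus a keylogged master password; the second factor is never consulted.
    results["local_attacker"] = decrypt(derive_keys(master, email)[0], cached_blob).decode()
    return results
```

Running run_scenarios() shows the remote attempt stopped at the second factor while the local one reads the vault, which is exactly the split in protection gene_wood describes.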

  • Clarence Brown says:

    Lastpass locked me out of my vault and I can’t get back in for hell or high water. Add to that, there is no way to contact them (that I could find- maybe they don’t want feedback). Now I have to go back to all my sites and change the passwords. Thanks a lot, Lastpass- which stands for this is the last time I will use this program, and I will pass on recommending it to everyone I know.

  • Leslie Gordon says:

    I was pretty excited to download LastPass and finally get a password manager at the egging on of my IT helper-person. However, after I had added a few sites to my Vault, left to take a shower, and then went back into the Vault, I was scared to death that all I could see was a white page! Yikes!! I uninstalled Last Pass as fast as I could.

  • Simon says:

    I stopped using lastpass and use an open-source, free password manager instead: https://medium.com/@gagarine/open-source-password-manager-a-viable-alternative-to-lastpass-and-dashlane-435ad92ff716

    It’s more stable, more secure, simpler, faster, better…

    • Ron says:

      It’s not simpler. People who don’t use a computer very often and aren’t tech savvy should not be considering KeePass. This is why LastPass exists.
