Why I’ve just ditched my cloud-based password manager

TL;DR: I’ve ditched LastPass in favour of LessPass. The former stores your passwords in the cloud and requires a master password. The latter uses ‘deterministic password generation’ to keep things on your own devices.


Although I’ve used LastPass for the past six years, I’ve never been completely happy with it. There have been breaches, and a couple of years ago it was acquired by LogMeIn, a company not exactly revered in terms of trust and customer service. Their ‘emergency break-in’ feature makes me feel that my passwords are just one serious hack or government request away.

I read Hacker News on pretty much a daily basis and I’m particularly interested in the underlying approaches to technology that change over time. There are certain assumptions and habits of mind that come to be questioned which lead to different, usually better, solutions to certain problems. Today, the issue of cloud-based password managers was again on the front page.

From the linked article:

When passwords are stored, they must be encrypted and then retrieved later when needed. Storage, of any type, is a burden. Users are required to back up stored passwords and synchronize them across devices and implement measures to protect the stored passwords or at least log access to the stored passwords for audit purposes. Unless backups occur regularly, if the encrypted password file becomes corrupt or is deleted, then all the passwords are lost.

Users must also devise a “master password” to retrieve the encrypted passwords stored by the password management software. This “master password” is a weak point. If the “master password” is exposed, or there is a slight possibility of potential exposure, confidence in the passwords is lost.

Also:

I believe that password management should only occur locally on end use devices, not on remote systems and not in the client web browser.

Remote systems are outside the user’s control and thus cannot be trusted with password management. These systems may not be available when needed and may not be storing or transmitting passwords correctly. Externally, the systems may seem correct (https, etc.) but behind the scenes, no one really knows what’s going on, how the passwords are being transmitted, generated, stored, or who has access to them.

It’s pretty difficult to argue against these two points. Having felt uneasy for a while, I knew it was time to do something different. It was time to ditch LastPass.

I looked at a couple of different solutions: the one proposed by the author of the above quotations (too complex to set up), as well as one which looked promising, but now seems to be unsupported. In the end, I decided upon LessPass, which has been recommended to me by a few people this year.

How is LessPass different from LastPass? This gif from their explanatory blog post is helpful:

[gif: lesspass]

All of this happens in the browser, without your data being transmitted anywhere else.

Basically, you enter the following:

  1. Name of the site or thing for which you need a password
  2. Your username
  3. A secret passphrase

…and, from these three pieces of information, LessPass generates a password, using complex algorithms and entropy stuff that I don’t understand, which you can then copy.

[image: lesspass-explainer]

The fact that I don’t understand it is fine, because there are people who do, and the code is Open Source. It can be inspected for bugs and vulnerabilities — unlike the proprietary solution provided by LastPass.

The options button to the bottom-right of the LessPass window gives the user advanced options such as:

  • Length of password
  • Types of character to include in the password
  • Increment number (if you’re forced to rotate passwords regularly)
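To make the mechanism concrete, here is an added example of a LessPass-style deterministic derivation. It is my own illustration, not LessPass’s code: the character classes, the rendering order and the parameter names are assumptions, and the only thing taken from the description above is the shape of the scheme (site, login and secret passphrase in; a password of chosen length, character classes and counter out; nothing stored). PBKDF2-HMAC-SHA256 stretches the passphrase with site, login and counter as the salt, and the resulting 256-bit integer is rendered into characters.

```python
import hashlib

# Constructed character classes for this illustration; LessPass has its own
# rule sets and this module is not the project's code.
CHARSETS = {
    "lowercase": "abcdefghijklmnopqrstuvwxyz",
    "uppercase": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digits": "0123456789",
    "symbols": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
DEFAULT_RULES = ("lowercase", "uppercase", "digits", "symbols")


def derive_entropy(site, login, master, counter=1, iterations=100_000):
    """Stretch the secret passphrase into a 256-bit integer.

    site, login and the counter form the salt, so the same passphrase yields a
    different integer for every site/account, and bumping the counter rotates
    one site's password without changing the passphrase. The PBKDF2 iteration
    count slows offline guessing of the passphrase from a leaked site password.
    """
    salt = f"{site}{login}{counter:x}".encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                                 iterations, dklen=32)
    return int.from_bytes(digest, "big")


def render_password(entropy, length=16, rules=DEFAULT_RULES):
    """Turn the integer into a password of `length` characters.

    Most characters are drawn from the union of the selected classes by
    repeated divmod; then one character from each class is inserted at an
    entropy-chosen position so every requested class is guaranteed to appear.
    """
    if not rules or len(rules) > length:
        raise ValueError("need at least one rule and length >= number of rules")
    alphabet = "".join(CHARSETS[r] for r in rules)
    chars = []
    for _ in range(length - len(rules)):
        entropy, idx = divmod(entropy, len(alphabet))
        chars.append(alphabet[idx])
    for rule in rules:
        entropy, idx = divmod(entropy, len(CHARSETS[rule]))
        entropy, pos = divmod(entropy, len(chars) + 1)
        chars.insert(pos, CHARSETS[rule][idx])
    return "".join(chars)


def generate(site, login, master, length=16, counter=1, rules=DEFAULT_RULES):
    """Site name + login + secret passphrase in, password out, nothing stored."""
    return render_password(derive_entropy(site, login, master, counter),
                           length, rules)


if __name__ == "__main__":
    # Constructed sample inputs; the second call shows a rotated password.
    print(generate("example.com", "alice", "correct horse battery staple"))
    print(generate("example.com", "alice", "correct horse battery staple",
                   counter=2))
```

Two properties of this design are worth keeping in mind. There is no vault to back up or sync, but there is also nothing to revoke: the counter is the only way to rotate a single site’s password, and changing the passphrase itself changes every password at once. And because each site password is a deterministic function of the passphrase, the iteration count is what stands between a leaked site password and an offline guessing attack on the passphrase, so the passphrase needs real entropy of its own.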

My favourite LessPass feature, though, solves a nagging problem I’ve had for ages. If you have a long passphrase, then sometimes it can be very easy to mistype it. You don’t want to reveal your obfuscated passphrase to the world, so how can you be sure that you’ve typed it correctly?

[image: lesspass-emoji]

Simple! LessPass adds an emoji triplet to the right of the secret passphrase box. You’ll notice that it changes as you type and, when you finish, it should always look the same. If it doesn’t, then you’ve mistyped your passphrase.
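The idea behind the emoji triplet can be shown in a few lines. This is an added illustration of how such a fingerprint can be built, not LessPass’s own code: the emoji table is constructed, and using HMAC-SHA256 keyed by the passphrase over an empty message is an assumption. The point it demonstrates is the trade-off: the display must be stable and sensitive to typos, yet reveal so little about the passphrase that anyone looking over your shoulder learns almost nothing.

```python
import hashlib
import hmac

# Constructed emoji table for this illustration (LessPass uses its own set of
# icons and colours); 16 entries means each symbol carries 4 bits.
EMOJI = ["🔑", "🐱", "🌵", "🚀", "🍎", "🎲", "🦊", "⚓",
         "🌙", "🍀", "🎈", "🐙", "🔔", "🧩", "🍉", "🦉"]
FINGERPRINT_LENGTH = 3


def fingerprint(passphrase):
    """Return a short, stable emoji string for a passphrase.

    The passphrase is hashed rather than shown, and only the first three
    bytes of the digest are mapped to symbols, so the display reveals roughly
    12 bits about the passphrase: enough to spot a typo, far too little to
    recover it. Assumption: HMAC-SHA256 keyed by the passphrase over an empty
    message (one reasonable construction, not necessarily LessPass's).
    """
    digest = hmac.new(passphrase.encode("utf-8"), b"", hashlib.sha256).digest()
    return "".join(EMOJI[b % len(EMOJI)] for b in digest[:FINGERPRINT_LENGTH])


def typed_correctly(typed, known_fingerprint):
    """The check the user does by eye: does the triplet shown match the one
    they remember? A mismatch proves a typo; a match is strong but not
    absolute evidence, since about 1 in 4096 mistyped strings share a triplet.
    """
    return fingerprint(typed) == known_fingerprint


if __name__ == "__main__":
    # Constructed sample passphrase and a one-character typo of it.
    known = fingerprint("correct horse battery staple")
    print(known, typed_correctly("correct horse battery staple", known))
    print(fingerprint("correct horse battery stapel"))
```

The 12 bits the triplet leaks are the price of the feature: an onlooker who notes the emoji can discard guesses whose fingerprint does not match, which shrinks a brute-force search by a factor of about 4096. That is harmless for a passphrase with tens of bits of entropy to spare and is why the fingerprint is kept deliberately short rather than made more distinctive.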

I’ll be making the transition from LastPass to LessPass over the next few weeks. It’s not as simple as just exporting from one database into another, as the whole point of doing this is that there is no one place that someone can hoover up my passwords.

So my plan of action is:

  1. Every time I use a service, create a new password using LessPass.
  2. Delete existing password in LastPass.
  3. Rinse and repeat until most of my passwords are generated via LessPass.
  4. Delete my LastPass account.
  5. Celebrate my higher levels of personal security.

Questions? Ask away in the comments section!


Photo: Crypt by Christian Ditaputratama under a CC BY-SA license

22 Comments


  1. “Neat”, but …

    If one is able to get hands on my master password, they don’t need to have access to my password storage file, to be able to “calculate” all other passwords. That risk doesn’t exist with the “normal” online password managers, like LastPass, that often offer 2FA as an extra layer. Also it’s safer to use a different username for every website. Where do you store them now? And what about notes, like security codes (2FA) and questions?

    So, cute idea, but nah …

    • Anyone can turn off or bypass 2FA anytime they like.

      • Could you elaborate? Say you have my LastPass password and wanted to open my vault. How would you bypass my 2FA?

        • As a member of staff of LastPass, as someone who had hacked their systems, or as a government official with a warrant? Go into ‘settings’ and uncheck 2FA (you only have to enter the LastPass Master password – not a 2FA passcode – to be able to do this)

          • You would have to first get into the account though, which requires 2FA.

          • Right, but to return to my point, there’s no notification it’s been turned on/off so LastPass staff, hackers, and government officials with a warrant have undue access.

            You don’t have to be convinced this is the best solution for you, I’m just pointing out that it’s an improvement for me – and may be for others, too.

  2. This looks great. I have been looking for a good password manager but have always had reservations against the cloud for this type of data.

  3. 1. How are you synchronizing vault across devices?
    2. How are you backing the vault up and how often?

  4. “Remote systems are outside the user’s control” – a feature and a benefit. Security in the hands of security professionals because they…well…use “complex algorithms and entropy stuff that [you] don’t understand”.

  5. Ummm, I am not sure how you would use this on multiple computers. How does it sync?

  6. What’s your strategy for backing up and securing your local password store? How do you plan to regain access to a service if you lose the new password file before backing it up?

    • The only time that a profile is kept in LocalStorage is when there’s a special configuration required by a website. I haven’t run across that yet.

      In terms of regaining access to a service, I’ve recently had this issue with Kraken (the cryptocurrency exchange). It took a few days to sort things out with customer service, but I’d rather that than have all of my passwords available on-tap.

  7. This is perfect for creating a really secure master password for LastPass 🙂

    Now even though this is quite neat, it is not exactly a replacement for LastPass for a few reasons:
    First you have to type stuff every time and remember login names, even remember sites…

    You cannot have other stuff like credit card info etc saved securely.

    If you need to share or manage passwords of others it’s going to become impossible.

    However it is indeed ideal for what it does and for specific occasions…. Like for generating a super neat LastPass master password.

    Obviously nothing can replace the cloud based solutions and maintain their convenience at the same time. But just for the sake of arguing I would say that the solution is not to abandon cloud based stuff but rather ensure that they get satisfyingly secure.

  8. Thomas J Klaber

    July 7, 2017 — 9:06 pm

    The biggest issue here is that you need to remember your login, which can be as difficult as remembering your passwords.

  9. I’m committed to 1Password, using the local version. The extensions for browsers, and other integrations work quite nicely. 1Password is a secure store for much of my private information, which it can fill in as appropriate. Examples include driver’s license number, credit card, images of passports, wifi passwords, etc.

    For those who travel, 1Password has the ability (which I haven’t used) to remove all traces of passwords for selected accounts from one’s devices. On arrival, these passwords can be restored. Thus border personnel have no indication of your accounts.

    Just a note: The algorithmic password generator shown above is no better than a robust random password generator.

    • Great, 1Password looks like a good solution for you.

      LessPass, and other deterministic password generators, are much better than random password generators as, with the same input, you get the same output.
