Open Thinkering


Why I’ve just ditched my cloud-based password manager

Crypt by Christian Ditaputratama (CC BY-SA)

TL;DR: I’ve ditched LastPass in favour of LessPass. The former stores your passwords in the cloud and requires a master password. The latter uses ‘deterministic password generation’, so each password is computed on your own device from a secret passphrase rather than stored anywhere.


Although I’ve used LastPass for the past six years, I’ve never been completely happy with it. There have been breaches, and a couple of years ago it was acquired by LogMeIn, a company not exactly revered in terms of trust and customer service. Their ‘emergency break-in’ feature makes me feel that my passwords are just one serious hack or government request away.

I read Hacker News on pretty much a daily basis and I’m particularly interested in the underlying approaches to technology that change over time. There are certain assumptions and habits of mind that come to be questioned which lead to different, usually better, solutions to certain problems. Today, the issue of cloud-based password managers was again on the front page.

From the linked article:

When passwords are stored, they must be encrypted and then retrieved later when needed. Storage, of any type, is a burden. Users are required to backup stored passwords and synchronize them across devices and implement measures to protect the stored passwords or at least log access to the stored passwords for audit purposes. Unless backups occur regularly, if the encrypted password file becomes corrupt or is deleted, then all the passwords are lost.

Users must also devise a “master password” to retrieve the encrypted passwords stored by the password management software. This “master password” is a weak point. If the “master password” is exposed, or there is a slight possibility of potential exposure, confidence in the passwords is lost.

Also:

I believe that password management should only occur locally on end use devices, not on remote systems and not in the client web browser.

Remote systems are outside the user’s control and thus cannot be trusted with password management. These systems may not be available when needed and may not be storing or transmitting passwords correctly. Externally, the systems may seem correct (https, etc.) but behind the scenes, no one really knows what’s going on, how the passwords are being transmitted, generated, stored, or who has access to them.

It’s pretty difficult to argue against these two points. Having felt uneasy for a while, I knew it was time to do something different. It was time to ditch LastPass.

I looked at a couple of different solutions: the one proposed by the author of the above quotations (too complex to set up), as well as one which looked promising but now seems to be unsupported. In the end, I decided upon LessPass, which had been recommended to me by a few people this year.

How is LessPass different from LastPass? This gif from their explanatory blog post is helpful:

[gif: lesspass]

All of this happens in the browser, without your data being transmitted anywhere else.

Basically, you enter the following:

  1. Name of the site or thing for which you need a password
  2. Your username
  3. A secret passphrase

…and, from these three pieces of information, LessPass generates a password that you can then copy. It does this using complex algorithms and entropy stuff that I don’t understand.

[image: lesspass-explainer]

The fact that I don’t understand it is fine, because there are people who do, and the code is open source. It can be inspected for bugs and vulnerabilities, unlike the proprietary solution provided by LastPass.

The options button to the bottom-right of the LessPass window gives the user advanced options such as:

  • Length of password
  • Types of character to include in the password
  • Increment number (if you’re forced to rotate passwords regularly)
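To make the “three inputs plus options in, password out” idea concrete, here is an added Python example written for this page. It is not LessPass’s own code: it follows the LessPass v2 scheme as I understand it (PBKDF2-HMAC-SHA256 keyed by the passphrase and salted with site, login and counter, then spending the resulting big integer on characters, with one guaranteed character per enabled class inserted at entropy-chosen positions), but the exact details, the character-set order and the `example.org` sample inputs are assumptions, so the output will not necessarily match the real tool.

```python
import hashlib

# Character classes in the order the rules are applied.
# Assumption: reconstructed from memory of LessPass v2, not copied from the project.
CHARSETS = {
    "lowercase": "abcdefghijklmnopqrstuvwxyz",
    "uppercase": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digits": "0123456789",
    "symbols": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
RULE_ORDER = ("lowercase", "uppercase", "digits", "symbols")


def calc_entropy(site, login, master_password, counter=1, iterations=100000):
    """Stretch the passphrase with PBKDF2-HMAC-SHA256.

    The salt is public (site + login + counter in hex); only the passphrase is
    secret, which is why its strength is everything in a scheme like this.
    """
    salt = (site + login + format(counter, "x")).encode()
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)
    return int.from_bytes(key, "big")


def consume_entropy(entropy, charset, length):
    """Take `length` characters out of the integer, base-len(charset) style.

    Returns the characters and the leftover entropy so later steps can keep
    drawing from the same pool.
    """
    out = []
    for _ in range(length):
        entropy, idx = divmod(entropy, len(charset))
        out.append(charset[idx])
    return "".join(out), entropy


def insert_pseudo_randomly(password, entropy, chars):
    """Insert each guaranteed character at a position chosen from the entropy."""
    for ch in chars:
        # max(..., 1) guards the edge case where length == number of rules
        # and the bulk password is still empty.
        entropy, pos = divmod(entropy, max(len(password), 1))
        password = password[:pos] + ch + password[pos:]
    return password


def generate_password(site, login, master_password, length=16, counter=1, rules=RULE_ORDER):
    """Deterministically derive a password: same inputs, same output, nothing stored."""
    rules = [r for r in RULE_ORDER if r in rules]
    if not rules:
        raise ValueError("at least one character class must be enabled")
    if length < len(rules):
        raise ValueError("length too short to include one character of each class")
    entropy = calc_entropy(site, login, master_password, counter)
    full_set = "".join(CHARSETS[r] for r in rules)
    # Bulk of the password from the combined alphabet...
    password, entropy = consume_entropy(entropy, full_set, length - len(rules))
    # ...then one character from each enabled class so every class is present...
    extra = []
    for r in rules:
        ch, entropy = consume_entropy(entropy, CHARSETS[r], 1)
        extra.append(ch)
    # ...placed at entropy-chosen positions rather than always at the end.
    return insert_pseudo_randomly(password, entropy, "".join(extra))


def satisfies_rules(password, rules):
    """Check that the password contains at least one character of each enabled class."""
    return all(any(c in CHARSETS[r] for c in password) for r in rules)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(generate_password("example.org", "contact@example.org", "password"))
    # Sites that reject symbols (the airline case): drop that class.
    print(generate_password("airline.example", "user", "password",
                            length=12, rules=("lowercase", "uppercase", "digits")))
```

Two practical consequences fall out of the code. Rotating a password means bumping the counter, and you then have to remember which counter (and which character-class options) a given site uses, because none of that is stored. And since the salt is public, anyone who knows a site and login and has captured one derived password can brute-force the passphrase offline; the 100,000 PBKDF2 iterations make each guess cost roughly one password derivation, which slows an attacker down but does not rescue a weak passphrase.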

My favourite LessPass feature, though, solves a nagging problem I’ve had for ages. A long passphrase is easy to mistype, and because the input box masks what you type, you can’t simply look at it without revealing your passphrase to anyone nearby. So how can you be sure that you’ve typed it correctly?

[image: lesspass-emoji]

Simple! LessPass adds an emoji triplet to the right of the secret passphrase box. You’ll notice that it changes as you type and, when you finish, it should always look the same as it did last time. If it doesn’t, then you’ve mistyped your passphrase.
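For anyone wondering what sits behind that triplet, here is an added Python sketch of the mechanism, written for this page and not taken from LessPass. As I understand the real implementation, the passphrase keys an HMAC-SHA256 over an empty message and the first bytes of the result pick icons and colours; that, and the placeholder icon and colour tables below, are assumptions, so the pictures will not match the ones LessPass shows.

```python
import hashlib
import hmac

# Placeholder tables. Assumption: LessPass ships its own, larger lists; only
# the mechanism is being illustrated here.
ICONS = ["anchor", "bell", "bug", "cloud", "key", "leaf", "moon", "star"]
COLOURS = ["red", "green", "blue", "orange", "purple", "teal"]


def fingerprint_hex(passphrase):
    """HMAC-SHA256 keyed with the passphrase over an empty message (assumed to match LessPass)."""
    return hmac.new(passphrase.encode(), b"", hashlib.sha256).hexdigest()


def fingerprint(passphrase):
    """Map the first three bytes of the HMAC to three (icon, colour) pairs.

    Each byte selects both an icon and a colour, so the triplet reveals at
    most 24 bits of a keyed hash of the passphrase: enough to tell you that
    you mistyped it, useless for recovering it.
    """
    digest = fingerprint_hex(passphrase)
    triplet = []
    for i in range(3):
        byte = int(digest[2 * i:2 * i + 2], 16)
        triplet.append((ICONS[byte % len(ICONS)], COLOURS[byte % len(COLOURS)]))
    return triplet


def typed_correctly(expected_triplet, attempt):
    """What the user does by eye: compare the triplet shown now with the one they remember."""
    return fingerprint(attempt) == expected_triplet


if __name__ == "__main__":
    # Constructed sample passphrase, not a real one.
    remembered = fingerprint("correct horse battery staple")
    print(remembered)
    print(typed_correctly(remembered, "correct horse battery staple"))  # right
    print(typed_correctly(remembered, "correct horse battery stapel"))  # typo
```

Note what the fingerprint is and is not: it depends only on the passphrase, not on the site or login, so it looks identical on every site and is purely a check on your typing. It is not a second factor, and a shoulder-surfer who memorises the three icons learns nothing useful beyond being able to rule out a handful of wrong guesses.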

I’ll be making the transition from LastPass to LessPass over the next few weeks. It’s not as simple as just exporting from one database into another, as the whole point of doing this is that there is no one place that someone can hoover up my passwords.

So my plan of action is:

  1. Every time I use a service, create a new password using LessPass.
  2. Delete existing password in LastPass.
  3. Rinse and repeat until most of my passwords are generated via LessPass.
  4. Delete my LastPass account.
  5. Celebrate my higher levels of personal security.

Questions? Ask away in the comments section!


Photo: Crypt by Christian Ditaputratama under a CC BY-SA license

26 thoughts on “Why I’ve just ditched my cloud-based password manager”

  1. “Neat”, but …

    If one is able to get hands on my master password, they don’t need to have access to my password storage file, to be able to “calculate” all other passwords. That risk doesn’t exist with the “normal” online password managers, like LastPass, that often offer 2FA as an extra layer. Also it’s safer to use a different username for every website. Where do you store them now? And what about notes, like security codes (2FA) and questions?

    So, cute idea, but nah …

      1. Could you elaborate? Say you have my LastPass password and wanted to open my vault. How would you bypass my 2FA?

        1. As a member of staff of LastPass, as someone who had hacked their systems, or as a government official with a warrant? Go into ‘settings’ and uncheck 2FA (you only have to enter the LastPass Master password – not a 2FA passcode – to be able to do this)

          1. Right, but to return to my point, there’s no notification it’s been turned on/off so LastPass staff, hackers, and government officials with a warrant have undue access.

            You don’t have to be convinced this is the best solution for you, I’m just pointing out that it’s an improvement for me – and may be for others, too.

  2. This looks great. I have been looking for a good password manager but have always had reservations against the cloud for this type of data.

  3. 1. How are you synchronizing vault across devices?
    2. How are you backing the vault up and how often?

  4. “Remote systems are outside the user’s control”. – a feature and a benefit. Security in the hands of security professionals because they…well…use ” complex algorithms and entropy stuff that [you] don’t understand”

  5. What’s your strategy for backing up and securing your local password store? How do you plan to regain access to a service if you lose the new password file before backing it up?

    1. The only time that a profile is kept in LocalStorage is when there’s a special configuration required by a website. I haven’t run across that yet.

      In terms of regaining access to a service, I’ve recently had this issue with Kraken (the cryptocurrency exchange). It took a few days to sort things out with customer service, but I’d rather that than have all of my passwords available on-tap.

  6. This is perfect for creating a really secure master password for LastPass 🙂

    Now even though this is quite neat, it is not exactly a replacement for LastPass for a few reasons:
    First you have to type stuff every time and remember login names, even remember sites…

    You cannot have other stuff like credit card info etc saved securely.

    If you need to share or manage passwords of others it’s going to become impossible.

    However it is indeed ideal for what it does and for specific occasions…. Like for generating a super neat LastPass master password.

    Obviously nothing can replace the cloud based solutions and maintain their convenience at the same time. But just for the sake of arguing I would say that the solution is not to abandon cloud based stuff but rather ensure that they get satisfyingly secure.

  7. The biggest issue here is that you need to remember your login, which can be as difficult as remembering your passwords.

  8. I’m committed to 1Password, using the local version. The extensions for browsers, and other integrations work quite nicely. 1Password is a secure store for much of my private information, which it can fill in as appropriate. Examples include drivers license number, credit card, images of passports, wifi passwords, etc.

    For those who travel, 1Password has the ability (which I haven’t used) to remove all traces of passwords for selected accounts from one’s devices. On arrival, these passwords can be restored. Thus border personnel have no indication of your accounts.

    Just a note: The algorithmic password generator shown above is no better than a robust random password generator.

    1. Great, 1Password looks like a good solution for you.

      LessPass, and other deterministic password generators, are much better than random password generators as, with the same input, you get the same output.

  9. KeepassX is also opensource and is the most popular option for those that don’t like Lastpass. Similar features. 1pass is closed source

  10. Checking in a year on, as I’m considering moving to Lesspass myself.

    How did you find the transition? My current vault has over 700 accounts. I suspect I can trim that a fair bit, but did you find this a difficult process? How long did it take you to move everything, or at least enough for you to ditch Lastpass?

    1. Hi James, thanks for the follow-up question! Yes, I’m still using LessPass and it’s working well.

      I gave myself a few months to make the transition but about 80% of it was done in a few weeks. Every time I logged in to a service or platform, I reset my password and deleted the LastPass version.

      I’ve had three minor problems:

      1. Some sites, notably for airlines, don’t accept the full range of characters that LessPass uses. I therefore have to remember to turn off non-alphanumeric characters when generating passwords for those sites.

      2. I share passwords with my wife for some things. For these I’ve either found a different way to share or given her the new LessPass-generated password.

      3. The LessPass extension for Firefox has been behaving strangely, but the Chrome one is fine (and I can always use the LessPass website in a pinch)

      Overall, I’ve been very happy and would recommend LessPass to most people.

  11. Hi Doug. Thanks for the awesome article. I’ve read it about a year ago and now I’m trying to switch to LessPass from LastPass. Since I’m a software engineer, I understood how it works immediately.

    The issue you have with some airline companies that you have to remember the password option can be solved using the database which can be synced in cloud. The difference is that this cloud database doesn’t store the passwords, it stores site name, username and password options.

    There’s a problem that makes me feel uncomfortable. Your quoted article says that master password is a weak point for the cloud based solutions. But master password is more critical weak point for LessPass, because all passwords can be generated from the master password and some easy-to-get/guess metadata.

    Several ideas come to my mind now but they are all incomplete.
