Popular Password Manager LastPass Doubles Price of Its Premium Plan, Removes features From Its Free Service Tier (neowin.net)
An anonymous reader shares a report: In November, LastPass made a big change to its service, allowing users to keep track of their passwords across all their internet-enabled mobile and desktop devices, free of charge. In addition to the free tier, the cross-platform password manager -- available on iOS, Android, and Windows 10 -- also offered a Premium plan with additional features, priced at $12 per year. Today, LastPass announced another wave of changes to its lineup for individual users -- but this time, the changes are unlikely to be welcomed with open arms by its customers. LastPass Premium has now doubled in price to $24 a year, which includes "emergency access, the ability to share single passwords and items with multiple people, priority tech support, advanced multi-factor authentication, LastPass for applications, and 1GB of encrypted file storage," along with all the other features of the Free tier. In a statement, the company said, "While LastPass Free continues to offer access on all browsers and devices and the core LastPass password management functionality, unlimited sharing and emergency access are now Premium features. Free users will be able to share one item with one other individual."
Re: (Score:2)
That post is almost illegible. Did you do that on purpose?
And please, don't start crying about unicode
Re: (Score:2)
Re: (Score:2)
Not a bad idea, if one is afraid of the browser quitting any time and eating that composing time w/ it. A lot of people, after being burned, adapted this policy. And yeah, it's perfectly legitimate to scream about Unicode: Android, iOS and even Windows 10 support it, but Slashdot doesn't. And renders posts in ridiculous ways out here.
Actually, I *did* type it in Word on Windows 10, but what's interesting is I pasted it into Notepad and replaced all the Unicode, but apparently Notepad really didn't replace them...
Re: (Score:2)
Re: (Score:1)
Android, iOS and even Windows 10 support it, but Slashdot doesn't.
Yes, and that is a feature. There is no need to take unnecessary risks [unicode.org].
Re: (Score:2)
It doesn't help matters that the edit box in which one creates such posts will happily accept such characters as input and display them appropriately there.
Re: (Score:1)
That part is not a feature. The text box should sanitize input also, or maybe not since it is not stored on their server yet. That's where preview comes in? And it's a bit trickier in journals, but I did find a preview that works there.
Re: (Score:2)
Re: Well, i don't know... (Score:2)
Re: (Score:3)
I use passwords.txt. (Score:1, Insightful)
Format:
# SomeShittySite
username / password
# AnotherShittySite
username / password
# AThirdShittySite
username / password
$0/year. You can have this "service" for free.
Re:I use passwords.txt. (Score:5, Funny)
I do the same, except I have the same 6 byte prefix for all the passwords. So if a password is listed in "passwords.txt" as "correctHorseBatteryStaple" the real password is "7Rz8t5correctHorseBatteryStaple". If anyone gets access to my list, they won't know the prefix, or even know that there is a prefix.
Re: (Score:3, Insightful)
It's misdirection all the way down.
His password is Hunter2
Re: (Score:2)
Re: I use passwords.txt. (Score:1)
Re: (Score:1)
That is assuming someone gaining access to those passwords would know about that prefix in the first place, which is unlikely.
So without that knowledge they would have to test both prefixes and suffixes, without knowledge of the length or of what characters can be in the prefix or suffix. Of course if someone is dedicated enough to brute force a password with an unknown modifier it is not that secure, but it is probably less trouble than dealing with a password manager.
Re: (Score:2)
Six characters that are alphanumeric is not that much entropy.
(26 + 26 + 10) ^ 6 = 56800235584
If they know the word from the text file and your convention ...
1. They don't know the convention
2. They have no way to do offline search, so each attempt will be online and take a significant fraction of a second.
3. All the accounts I care about shut down after 3 to 5 unsuccessful attempts and require 2 factor to re-enable.
4. Most important accounts don't allow ANY attempts from an unrecognized device without 2 factor.
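As an added illustration of the numbers in this exchange (not code from the thread or from LastPass), the block below computes the 62^6 keyspace and its entropy in bits, and models the lockout policy the reply relies on: a hypothetical AccountGuard that disables an account after a few failed guesses until a second factor is presented, and refuses password-only attempts from unrecognized devices. The guesses-per-lockout budget and the device model are assumptions made for the example.

```python
import hmac
import math

ALPHANUMERIC = 26 + 26 + 10  # a-z, A-Z, 0-9, as in the thread's calculation


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible prefixes of this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random prefix: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def fraction_of_keyspace_testable(guesses: int, alphabet_size: int, length: int) -> float:
    """Share of the prefix space an attacker can cover with a fixed guess budget."""
    return guesses / keyspace(alphabet_size, length)


class AccountGuard:
    """Constructed model of rules 3 and 4 above: lock after max_failures wrong
    guesses until a second factor re-enables the account, and allow no
    password-only attempts from a device the account has not seen before."""

    def __init__(self, password: str, max_failures: int = 5):
        self._password = password
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self.known_devices: set[str] = set()

    def attempt(self, guess: str, device: str, second_factor_ok: bool = False) -> bool:
        if self.locked:
            return False  # nothing is evaluated while the account is locked
        if device not in self.known_devices and not second_factor_ok:
            return False  # rule 4: unrecognized device, second factor required
        if hmac.compare_digest(guess.encode(), self._password.encode()):
            self.failures = 0
            self.known_devices.add(device)  # successful login enrolls the device
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True  # rule 3: shut down after a handful of failures
        return False

    def unlock_with_second_factor(self) -> None:
        """Only the legitimate owner, holding the second factor, can re-enable."""
        self.locked = False
        self.failures = 0
```

With five guesses per lockout, an online guesser covers well under a billionth of the 6-character prefix space before the owner is alerted; the same arithmetic is what makes the offline case (no lockout, billions of guesses per second) the one that matters.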
Re: (Score:2)
Re: (Score:2)
I do something very similar except my prefix is a calculation,
I used to do that. Then sites started having breaches, and that would require me to change the password I used, and the calculation method doesn't cope with that well.
And other sites with goofy rules about password expiration/rotation, or stupid length requirements (forcing me to use shorter passwords than I want, or omit punctuation etc...)
It started to be much too difficult to keep in my head all the exceptions to the "rule".
Re: (Score:2)
This is where the 'tiers' come in. Lax password requirements/burner email addresses? Low tier. Most stuff? Medium Tier. Online banking/Sites with crazy requirements? Multiple 20 digit alphanumerics.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It's a good idea, but you should make the prefix 8 characters long.
Some sites only allow 8 bytes. So the prefix would be the entire password, leading to the same repeated password on all these sites.
A few years ago my bank limited passwords to 8 bytes ... and insisted that they be changed every 3 months to show they were serious about security.
Re: (Score:2)
Re: (Score:1)
And you have to enter the password using the mouse and an on-screen keyboard so you can't copy/paste the password from a password manager.
Re: (Score:2)
If you're gonna store your passwords locally, it needs to be encrypted with a single master password which you never write down.
Re: (Score:3)
Re: (Score:1)
"Lastpassholes hobble free tier, jack prices" (Score:1)
FT headline FY.
Never understood the whole, "here Internet, take my passwords" mentality anyway.
Re: (Score:2)
They only hold blobs of bits that you can ask them to retrieve and resend to you. Everything is done local on your device (cellphone, laptop, PC, etc.).
Given that it's a web application, you potentially download new application code each time you use it.
It would be pretty trivial for them to sneak in an update that doesn't do what you expect it to do, and even to serve just targeted individuals malicious code.
So ... If the site were ever compromised, or under NSA gag etc, they could inject code, and collect master passwords without you ever knowing.
Of course, these are risks with any web app; but other web apps aren't the master repository for my security
Re: (Score:1)
Sure, LastPass may do everything on the local device - but it's done with a non-open-source app that they distribute. So we can just trust them that they would never ever do anything with my passwords.
A fantastic solution, which works fantastically for me, is KeePass + Syncthing (or you can use KeePass + DropBox/Box/anything). My password database file is distributed across all the devices which use it by Syncthing. I happen to control the communication path end-to-end with a hosted virtual serve
Re: (Score:3)
Never understood the whole, "here Internet, take my passwords" mentality anyway.
They don't have your passwords---at least, not in a usable form.
You create a master password for the application. It encrypts your unique, per-site passwords and syncs them. LastPass only sees encrypted data.
Meanwhile, you can create a strong, unique password for every site that you use. You can even use unique names to obstruct doxxing.
The application acts as a local database so that you don't have to remember each and every logon. Your security is a little easier, and they have nothing useful assuming the
Re:"Lastpassholes hobble free tier, jack prices" (Score:4, Insightful)
I wouldn't trust them, since they're located in Washington D.C. I wrote my own password manager 20 years ago and still use it. Less features, but at least if there is a flaw in it, then it's my own fault and not some intern's at random company XYZ.
rent seeking as inevitable as gravity (Score:3)
1GB? (Score:2)
A hosted 1GB of storage is kinda dinky compared to all the providers where one can get cloud storage but the infrastructure to provide it properly isn't all that cheap. I can't help but wonder why they thought to tack this on to their service.
Re: (Score:2)
Maybe it's meant to cover all your stored password data, notes, etc in aggregate.
Because there are people who will look at it as a kind of steganographic file system and try to store a bunch of non-password data in LastPass under the idea that it's more secure than most file sharing systems, an unconventional place to put it, and possibly provides greater legal protection than file sharing specifically (I don't know if this last bit is true, but I guess I'd see it harder for the cops to get a warrant for yo
Re: (Score:2)
My only thought is simplified remote encrypted storage? Something I don't really see the other providers doing. For basic personal documents, I think this would be worth it (think life insurance, social security, etc)
Re: (Score:3)
For basic personal documents, I think this would be worth it (think life insurance, social security, etc)
Agreed, but both the local and remote copies need to be encrypted and require password access. My current solution for this is an encrypted disk image on Dropbox, which works fine as long as the image can be kept reasonably small (a few hundred MB).
The Drawback of the Cloud (Score:5, Insightful)
Once you become dependent on cloud services, they are no longer in your service, you are in theirs.
Re: (Score:1)
And, as a bonus, they know all your passwords.
Had no idea this was even a thing (Score:2, Informative)
Re:Had no idea this was even a thing (Score:5, Informative)
They don't. They keep encrypted versions of your passwords. All encryption/decryption happens locally.
Re:Had no idea this was even a thing (Score:4, Insightful)
Ummmm...yeah. I'm sure they do. And I promise I won't cum in your mouth. Pinky promise.
So do you work for a competitor or did you just want to comment without reading up on how the encryption is done locally with audited viewable-source code in the browser extensions?
Re:Had no idea this was even a thing (Score:5, Insightful)
The real issue with LastPass is that it runs in a browser. The most common way of using it is a browser add-on, and it's been found vulnerable in the past.
Much better to have a separate app and copy/paste. Javascript is not secure.
Also, KeePass is free and you can sync the database via your own server or any number of free services.
Re: (Score:2)
Unfortunately, copy/paste isn't so secure either.
Re: Had no idea this was even a thing (Score:1)
KeePass has at least two ways of password-transfer that do not involve copy/paste:
1. Auto-fill using global hotkey: press hotkey, enter master password, username+tab+password+enter is "typed" into the active window.
2. Drag-and-drop text using the mouse pointer.
Neither of these are KeePass-specific, but KeePass does them very well.
Re: (Score:1)
JS isn't the root problem here. The security context is. If the browser gets compromised so is any code that it runs, or any memory that it has allocated, as a result. If it can launch a new process, so is that process and any descendant it makes. Anything on disk that it has permission to open is compromised, anything it has permission to write is infectable. Any connection it has the ability to listen on is compromised, any connec
Re: (Score:2)
Re: (Score:2)
Re:Had no idea this was even a thing (Score:4, Insightful)
It is a gamble. For a lot of users, having randomly generated passwords that are stuffed in a PW database is more secure than having them have "hunter2" for their bank, "swordfish" for their Facebook account, etc. The chance of a mass compromise of LastPass is definitely less than having one's password revealed to the world the next time some company's list of hashed PWs gets snarfed.
Even with the potential hazard, if combined with 2FA, the hazard of a compromised password is reduced significantly.
To boot, longer, hairier PWs can be used as well, as the user doesn't have to remember them.
Re: (Score:2)
Re: (Score:2)
> Furthermore I can't comprehend why anyone would think such a service is safe to use in the first place
It's safe because the data is encrypted on your local computer/device. The encrypted data is sent up to the cloud. The company doesn't have any key that can be used to decrypt it.
You do have to guard your master password! But most of us can memorize one good password.
Re: (Score:2)
Re: (Score:2)
You also have to trust the company to not have their product leak your master password to them.
$24 seems kind of high (Score:4, Interesting)
I just renewed recently while it was still $12/year. I feel that $24/year is a bit high. But on the other side, I would never need any of the premium features. That said, I'm happy to pay $12 per year for their service to help a great company. LastPass has been solid and their service is indispensable.
Re: (Score:2)
You *should* be using two-factor auth, which comes at premium sub.
Wrong. Multifactor is in the free tier. Advanced multifactor is extra. Read next time.
Re: (Score:3)
I can remember a few passwords. I can't remember a 24 digit random alpha-numeric-symbol string.
You know what I do when I get one of those "Geez, sorry guys, we hashed our data with md5 and posted it on our fridge and someone got all your passwords. Change them quick!" emails from SecurityWazzat.org? Giggle as I imagine someone chewing up cycles trying to dehash my random gibberish... Hope they enjoy waiting forever for my password to turn into something readable. Oh, and since I use a different random p
Re: If you need a password manager (Score:3)
Or you're a network admin and need to share hundreds of network credentials for internal and vendor systems with your team. There are a lot more use cases than what you are magically aware of.
No objection (Score:4, Interesting)
I've been using LastPass for many years. I used to use Password Safe, which is strictly local. But they had me at "all popular platforms including Linux".
I have no objection to the price increase. They deserve it, and no doubt will use the money to make the product even better.
Re: (Score:1)
EnPass (Score:3)
I switched to EnPass, which runs locally on your machine (encrypted) and a browser addon uses a websocket to connect the two. Which means it doesn't inject itself into every page like Lastpass. Also LastPass tends to cause Firefox to take fits.
EnPass runs on pretty much any platform:
Great - count me in (Score:4, Interesting)
I was a Premium user since they launched. The changes to the free tier last year caught me by surprise, and sure enough, since I had no reason to pay for Premium I stopped. I remember getting an automated questionnaire as to why I stopped being a Premium customer and I explained clearly that they now offered the full feature set I was interested in in the free tier.
Now they're apparently changing it so that one feature I want (emergency access) becomes part of the Premium package. Fair enough, they'll get me back as a Premium customer. LastPass is one of those tools I happily pay for, no questions asked.
I use KeePass (Score:5, Informative)
I've used KeePass for years now, and while I don't have all the fancy password sharing features I do have my passwords, in a format I trust, available on my PCs and phone. I haven't yet seen a reason to switch.
Re: (Score:2)
Re: (Score:1)
Last I saw, MiniKeePass on iPhone still did not support the new KeePass XML format or encryption. You found anything else for iOS? Still looking for my iOS friends. Android was easy.
Just use KeePass (Score:5, Insightful)
Re: (Score:2)
Re: (Score:1)
Keepass & NextCloud.. (Score:5, Interesting)
So why not use a local app and cloud storage service? I use Keepass and NextCloud but could easily use GoogleDrive or DropBox or somesuch. The encrypted file doesn't take up that much space and you can sync it to whatever device you want.
Re: (Score:2)
Re: (Score:1)
KeePass does have browser integration for the record. It's not built in but it's as simple as download a plugin, install an extension and then approve the extension and it's basically working anytime you have it open and not when you don't.
Which is cool because it means you can for instance put your key file on a flash drive and no one can access your passwords with your computer even with your database.
Re: (Score:1)
For me, it's a matter of accessing my passwords at home and at work. I use LastPass because it runs in the browser. At work, we can't install third party applications. But I can install a browser plugin.
So I can't use KeePass at work, because that's an application. But I can use LastPass at work. So I'm using LastPass.
If you're happy with LastPass then this probably doesn't matter, but it may still be possible for you (or anyone in your situation) to still use KeePass.
You said you can't install applications, which is fairly common, but can you run executables?
(By "can" that would be both technically and allowed to by policy)
There is a standalone "portable" version of KeePass that doesn't require any installation.
It's one program executable and one config file read from the same directory, which typically is where you'd a
Re: Keepass & NextCloud.. (Score:1)
Keepass does not have to be installed. Use the portable download. Unzip and run.
Install KeePass apps on your phone, and with cloud drive apps you have access to the same data. On Android, use Keepass2Android.
You should report the hole in the company policy about third party application installation. A browser plugin is as dangerous to security and stability as installed applications.
OS policy on installing is easy to get around. OS policy on application execution may not.
Why use a password manager? (Score:2)
in other news... (Score:2)
So basically, they just went all Netflix..... (Score:2)
If I'm understanding things right, what they're doing is basically pulling some features out of Free and making them Premium only (I'm ok with this), but they're doubling the price of Premium without actually adding any additional benefit to the users.
I cancelled my Netflix account when they tried this same stuff lo those many years ago. I understand the need to raise prices, but generally speaking, a naked money grab doesn't tend to go over well with users, A moderate raise in the yearly price, ok, not tha
Proprietary software for passwords? (Score:1)
Mobile (Score:2)
NOT stuff that matters (Score:2)
I use Codebook (Score:2)
It used to be called STRIP and they have been around since Palm was popular. It doesn't sync to their servers. If you want to sync between devices you log into Dropbox or Google Drive, or you can sync over Wi-Fi from the mobile device to the desktop app. It stores the passwords in a strongly encrypted file on your account.
The application itself could use polish but it is very stable and it does everything that I need. It lets you add custom fields. The developers are quick to respond to queries. It's stable
LastPass cut off access 2 password with no warning (Score:2)
password just stopped working in the middle of the night
LastPass websites now demanded a full year payment up front to get access to MY PASSWORDS on their servers
Disabled person on SSD cut off from online banking late on Friday night
Not one email sent to warn me
Re: (Score:2)