LastPass Publishes More Details about Its Data Breaches

Originally published at: LastPass Publishes More Details about Its Data Breaches - TidBITS

LastPass was heavily criticized for communicating insufficient details after it lost customer vault data in a breach. A collection of new posts attempt to rectify that mistake—but it’s not enough for Adam Engst, who shares his experiences switching from LastPass to 1Password.

2 Likes

I was shocked to read this given all the criticisms about 1Password 8 moving to Electron.

In addition to using your Watch for 2FA, could you please share some additional examples of how 1Password is more “elegant” than LastPass?

1Password is undoubtedly the tool which accomplishes the tasks of a password manager with least traction for users. Definitely much smoother than others. I’m using Enpass which is crude in comparison.

Sure!

  • I can do a search in 1Password and hit Return to display the top hit, or press Command-Return to see all the results. I like the latter for seeing all the duplicates and random logins that I need to clean up.

  • 1Password distinguishes between deleting and archiving. I want to delete all my duplicates, but I prefer to archive logins for sites that have gone under or that I never plan to use again, just so I’m not losing the historical data. I’m funny like that.

  • I really like 1Password’s Quick Access pop-up interface for finding passwords for apps. In LastPass, I’d have to search my vault in my browser or, more generally, load the associated Web site so I could more quickly find the related password.

  • 1Password has an option to always show passwords and full credit card numbers. When I’m doing duplicate removal, it’s very handy to be able to see which logins use the same password without having to reveal it manually for each one individually. There’s also an option to toggle revealed fields by holding Option, which might be more generally useful after I finish cleanup.

  • 1Password on the iPhone lets me add a TOTP to recognized sites easily by simply tapping a purple banner and scanning a QR code. No need to even edit the login.

6 Likes

Adam: Right on!!

I have been a 1Password user since version 2.0 in 2009.

I followed the “abandon 1Password” discussion very closely and hung onto version 7 for dear life.
I even purchased and installed several of the suggested alternatives – but either they didn’t have all the functions I needed or didn’t work as well – and I figured I’d try again when I had to.

We have a “family plan” and my grown son went ahead and switched to v8 and reported no problems or concerns.

Then early this month Joe Kissell (who took over the Take Control series from Adam – and has done a truly spectacular job) issued TC of 1Password v6.0.1 – devoted exclusively to version 8.

I dove into the document. To my surprise all the commotion about Electron and no local backups is barely mentioned, much less given front row seating. I wrote Joe directly and asked those questions. His reply was analogous to Adam’s – there just isn’t any problem. Certainly no functional loss is apparent due to Electron and while he understood some folks had concerns about no local backup, in his opinion, the 1Password backup systems were as good as anything going and not a basis for rejecting the software.

I made the switch – it was easy to do – the software has performed flawlessly since – the speed and function are as good as ever and maybe better.

In retrospect, I think the intensity and repetitiveness of the objections were substantially overblown. I don’t expect anyone who voiced them to acknowledge that now. I do expect to be blasted for my position.

My real concern is that even in a forum as open, balanced, and thoughtful as TidBits – that discussion tolerated little if any dissension.

As regards my experience, technical knowledge, hands-on time. I can only say I bought an Apple ][+ before IBM issued a personal computer and have upgraded thru virtually every generation of Mac since then, including into silicon. I maintained an entire household of computers, did many hands on upgrades and repairs, had multiple on site and off site backups, and never had anyone have a critical data loss.

I will not respond beyond that to the criticism I expect.
I will shake my head and bemoan it – in silence.

Thanks again to Adam for “Sure!”

Bob

2 Likes

I’ve tried v8 a couple of times now and I think the Electron thing is overblown. It is a different interface than v7 but mostly it’s just different and there were or still are some minor UI inconsistencies that folks pointed out and my guess is that those will eventually get fixed. There were also comments that it isn’t macOS-like…which are valid but mostly I don’t use the app anyway but the plug-in. They made a choice to use Electron to have a standard client so they say…but then they wrote at least 1 or 2 clients in native format IIRC…so the standard client thing was a cost and profit related business decision…I don’t necessarily agree with that…but it’s their decision to make.

The loss of what any security professional would consider critical features is a much bigger deal…no backup and restore capabilities with automated backups that the user can restore without their servers is the biggest one. Loss of DropBox or iCloud support is another…but they claim their Secret Key is better than just another password to get access…I disagree, it is just a second password and no better than DropBox being the second password outside of the forced length of the Secret Key.

I’ve evaluated Enpass and BitWarden…and neither is as fully featured as 1PW is…but am yet to decide when/if v7 dies whether to move or not. I already have a subscription anyway but keep my vault on DropBox and use their server for an additional backup and for emergency access by our son…so money isn’t the issue. But I get the feeling that their VC investors who own a considerable amount of the company are driving the train now and they’re interested in ROI…which pushed the company to go after the corporate enterprise market and that will only have detrimental effects on features and support for individual users.

neil

in his opinion, the 1Password backup systems were as good as anything going and not a basis for rejecting the software.

Have they restored the backup and restore to other than their servers yet and if so is it automated? That’s the biggest drawback…I’m sure that they have all sorts of backup options on their end…but as a long time IT security guy having your own is simply common sense and non negotiable. Vault corruption on their server is certainly possible and since everything syncs to all devices…that corruption would overwrite the good data on a phone or laptop…and then the user is screwed unless he can restore his own backup which will repopulate their servers and get synced elsewhere.

I realize their whole Secret Key makes this hard…but just require both passwords to do the restore…it ain’t that hard. I’m sure the local copy is kept in SQL or something similar…but the vast majority of us including me ain’t smart enough database wise to backup and restore outside the app.

Not having a local backup makes 1PW v8 a non starter. I’m still using 1PW v6.

Do you mind explaining why?

Are you worried about hacking, data loss, or losing access? Can’t you just periodically export your vault and store it encrypted as your own manual backup? Then if something happened to 1P, you’d still have your own copy. Your vault doesn’t change that often, so I don’t see the drawback here.

Thanks to the comments here since Adam switched to 1Password, I plan on doing the same.

I chose LastPass as my first password manager because a TidBITS article years ago mentioned Adam preferred it to 1Password because it (at that time) integrated into his browsers better. When Adam recently switched to 1Password, I was hesitant to do so because of all the previous negative comments concerning version 8. But it seems, not having used version 7 or prior, I apparently won’t know what I’m missing. It will certainly be better than LastPass, at this point.

As for local backups, I never trusted LastPass from the start. (To be fair, I didn’t trust any password manager to not malfunction and lose all my passwords.) So I’ve kept a running, current database of all my passwords within an encrypted sparse disk with a unique, complex, long password locking it. (No, not anything in Keychain either. Just in my head.) So now I’m a lot more confident to switch over to 1Password, knowing I’ve got every password safe in my own personal database, regardless.

Which I’ll continue to maintain during my time using 1Password. Until PassKeys finally becomes ubiquitous and passwords will be obsolete.

Do you mind explaining why?

Are you worried about hacking, data loss, or losing access? Can’t you just periodically export your vault and store it encrypted as your own manual backup? Then if something happened to 1P, you’d still have your own copy.

I have the same issue as David…and it’s a matter of data loss…say something happens which corrupts the database on their servers and that gets synced to all users’ devices…and because they were hacked or ransomwared or whatever they are down for some unspecified period. Users in this case are screwed…unless they have their own backup to restore to their device.

Yes…one can export the vault but if the export is like that in v7 and earlier it is somewhat incomplete since attachments don’t get included and it is a manual process. Earlier versions do automatic export of the entire vault to a location of the user’s choice…and restoration of those backups is trivial. A manual only less than full contents export is obviously inadequate. I’m sure that the company thinks they’ve done a good job in preparing for bad things…but as a long time IT security guy…backups need to be complete and automated to ensure they happen.

However…their forced subscription model with only their servers allowed is designed for profit…not individual user security…and their focus isn’t on you and I any more…it’s on enterprise where the profit is greater.

It is still the best product available…but is crippled compared to v7. They claim it is more secure because of their 30something character Secret Key…and while that is better than say a 20 character DropBox second password…better is the enemy of good enough…and if the Master/DB password takes 10,000 million centuries to crack security is not improved by their Master/Key taking a million million centuries…it’s already good enough.

From the 1Password discussion forum, September 2022:

"1Password 7 can only export “attachments”, not Documents. Are your PDFs in question saved as Documents in 1Password?

1Password 8 can export both, but its export will contain all vaults in an account, and therefore all the files in each of those vaults. There’s no option to select a single vault or selection of items within a vault."
https://1password.community/discussion/133639/exporting-attachments

1 Like

Thanks, that may be a viable workaround for me since otherwise I have no major issues with v8…but still not as good as earlier versions’ auto backup.

Edit. Actually…I have no idea what the guy in that post on their support forum is talking about since there is no ‘document’ storage in 1PW v7 other than an attachment to another type of record. So the comment being replied to there was strange as the only way to have a pdf in v7 is as an attachment.

Assuming that attachments get properly exported along with everything else…and assuming that the export is encrypted (which in v7 it is not and it’s the same 1pif file so I imagine v8 is the same) then it would sort of work as a manual backup. However…the lack of (a) encryption on the exported/backedup file and (b) the lack of automation so it just happens makes this not really a viable work around other than weekly or monthly as opposed to the current (v7) daily automated encrypted backup copy. I realize their Secret Key may have something to do with this lack…but it’s on them to solve the problem I believe.

From Joe Kissell, “Take Control of 1Password” ver. 4.1 (which focuses on 1Password 7), p. 98:

“Documents and Attachments
Vaults in 1Password accounts include a Documents category, which is just what it sounds like—when you create a new document (File > New Item > Document on a Mac, or plus button > Document in Windows), you can navigate to a file on your computer and store it in 1Password.”

This is not the same as attaching a file to an item.

Ah…it’s only for the online vaults that Document is a category…it doesn’t exist for a standalone vault which is what I’m using and will continue to use due to the complete lack of any local backup/restore capability in v8 (or v7 for online vaults for that matter) and the company’s apparent complete lack of interest in providing that capability to users for online vaults. Their attitude on backups seems to be “trust us, we’re smarter than you are”…but any long time (or even short time) IT security guy will tell you that relying on any single entity for your backups is pretty dumb.

I hadn’t looked at online vaults since I don’t use them but see the Document there now that I looked.

Not sure if this answers all your needs, but from the 1Password discussion forum, October 2022:

"Do you happen to use any full-disk backup software like Time Machine on your Mac? If you do then that full-disk backup will also contain a copy of your encrypted 1Password data. If you did need to restore it in the future then you can drag and drop the following folder from the backup to your Mac:

~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data

The benefit of a Time Machine backup is that it’s done automatically and is versioned."

EDIT: Citation link https://1password.community/discussion/129532/backup-1password-8-vaults#latest

1 Like

~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data

The benefit of a Time Machine backup is that it’s done automatically and is versioned."

That’s actually good news…but at least until recently their support people weren’t putting out that info anyplace that I know of. Assuming that the data there is encrypted and only decrypted in RAM…then TM or CCC and my other backup routines will solve the problem of backups. The other issues…subscription, Electron, no DropBox support are less critical…and as I stated in another reply 1PW is still better and more fully featured and user friendly than their competition.
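The backup routine the last several posts keep asking for (automated, versioned, restorable without the vendor’s servers, and checkable against the corruption-sync scenario neil describes) can be scripted against the data folder quoted from the 1Password forum. The following is an added example written for this thread, not code from 1Password, TidBITS, or any of the posters. It uses only the Python standard library; `SOURCE` is an assumption (the folder path quoted above) and the demo runs against a constructed sample folder in a temporary directory, not real vault data.

```python
"""Automated, versioned, integrity-checked local backup of a data directory.

Added example for this thread, not 1Password's or TidBITS' code. SOURCE is the
folder quoted from the 1Password forum and is an assumption; demo() builds a
constructed sample folder instead of touching real vault data.
"""
from __future__ import annotations
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path

# Assumed real-world source (path quoted in the thread); replace as needed.
SOURCE = Path.home() / ("Library/Group Containers/2BUA8C4S2C.com.1password/"
                        "Library/Application Support/1Password/Data")


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large attachment blobs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(data_dir: Path) -> dict:
    """Map every regular file (relative path) under data_dir to its SHA-256."""
    return {str(p.relative_to(data_dir)): sha256_file(p)
            for p in sorted(data_dir.rglob("*")) if p.is_file()}


def verify(data_dir: Path, manifest: dict) -> list:
    """Relative paths whose hash differs from the manifest, or are missing/extra."""
    actual = build_manifest(data_dir)
    return sorted(p for p in set(manifest) | set(actual)
                  if manifest.get(p) != actual.get(p))


def backup(source: Path, dest: Path, keep: int = 7, stamp: str = "") -> Path:
    """Write dest/<stamp>.tar.gz holding the data plus a manifest; keep the newest `keep`."""
    dest.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%dT%H%M%S")
    archive = dest / f"{stamp}.tar.gz"
    manifest_path = dest / f"{stamp}.manifest.json"
    manifest_path.write_text(json.dumps(build_manifest(source), sort_keys=True))
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")              # complete copy, attachments included
        tar.add(manifest_path, arcname="manifest.json")  # lets restore() self-verify
    manifest_path.unlink()
    # Rotation: versions sort by timestamp name, so drop the oldest beyond `keep`.
    for old in sorted(dest.glob("*.tar.gz"))[:-keep]:
        old.unlink()
    return archive


def restore(archive: Path, target: Path) -> dict:
    """Extract an archive into target and report any file that fails its hash check."""
    target.mkdir(parents=True, exist_ok=True)
    # The "data" filter (3.12+, backported to maintenance releases) rejects
    # absolute paths and links escaping the target; fall back cleanly if absent.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, **extra)
    data_dir = target / "data"
    manifest = json.loads((target / "manifest.json").read_text())
    return {"data_dir": data_dir, "manifest": manifest,
            "mismatches": verify(data_dir, manifest)}


def demo() -> dict:
    """Constructed sample: three backups with keep=2, a clean restore, then a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "Data"
        (src / "sub").mkdir(parents=True)
        (src / "vault.sqlite").write_bytes(b"constructed vault bytes " * 100)
        (src / "sub" / "attachment.bin").write_bytes(os.urandom(256))
        dest = root / "backups"
        backup(src, dest, keep=2, stamp="20230101T000000")
        second = backup(src, dest, keep=2, stamp="20230102T000000")
        backup(src, dest, keep=2, stamp="20230103T000000")
        kept = sorted(p.name for p in dest.glob("*.tar.gz"))
        result = restore(second, root / "restored")
        good = result["mismatches"]
        # Simulate the corruption case: one restored file silently changes.
        (result["data_dir"] / "vault.sqlite").write_bytes(b"corrupted")
        tampered = verify(result["data_dir"], result["manifest"])
        return {"kept": kept, "good_mismatches": good, "tampered_mismatches": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a schedule (launchd or cron) with `backup(SOURCE, Path("/Volumes/Backup/1password"))` and the oldest versions rotate out on their own. Note that the standard library has no AES, so this script does not add encryption: per the support post quoted above the data folder is already encrypted at rest, so the archive inherits that, whereas a plaintext .1pif export of the kind discussed earlier should be encrypted with an external tool before it goes into an archive like this.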

I never used LastPass but have used 1Password for 15 years. If LastPass required their users to store their password data on LastPass servers that were breached, I’m glad I did NOT go to 1Password 8 since they seem to be setting themselves up to be hit like LastPass. I’m staying with 1Password 7 standalone and keeping my data on my own equipment.

:+1: I agree 100%

I am curious why everyone seems to be moving to 1Password. I too have been a longtime user of Lastpass, but I did a trial of 1Password and when I saw the cost for a family plan I balked. I’m now trying out Bitwarden, which seems to get high ratings for security, and I like that it’s open source. 1Password seems to be pricing their product higher than before, and it was off-putting to me given the circumstances of having to find an alternative to Lastpass. Has anyone else on this thread tried Bitwarden? I’d be interested in anyone’s experience with it. Thanks.