    Ouch. As someone who is constantly switching platforms because of work, LastPass has been a good solution because of their excellent cross-platform support. But this is extremely dangerous, and it is on top of UI bugs that have been growing more noticeable. Time to start shopping.

      This seems like a classic look-alike phishing scam… doesn’t appear to be a new vector or anything. Requires an exploited site and redirects you to a look-alike. I guess the point is that LP shouldn’t use the browser-viewport, and with that I agree. Seems to me that both the ways listed in the articles would be decent fixes… a special interface for plugin prompts in Chrome, or the ability to turn off that overlay in LP.

      This to me is far less an “Ouch” and more an “oh, interesting”.

        I’ve always wondered why they sometimes use viewport and sometimes the extension interface. Maybe this will get them to move to only using the extension’s interface.

      This is one reason that I switched to 1Password from LastPass. The idea of keeping my passwords on a website and using a different website to authenticate made me nervous.

        I thought the password database was local and only synced between devices.

          LastPass only syncs to and from their servers. 1Password has a few options for transferring without hitting their servers.

        Is there a comparison of the features of the various password managers somewhere? I’ve used LastPass Premium for years, mostly because of how integrated into my workflow it is. I’ve more than 500 individual items, more than a dozen of which are ~irrecoverable in the event that LastPass fails. I’ve periodically exported and stored encrypted backups just in case. Any alternative would need some kind of a migration tool that I could be confident works, and would work without an Internet connection: I’d fire up a non-networked VM, migrate, and handle the new system’s sync somehow.

        What I need is this:

        • Available with as much as a simple install on OSX, Windows, and Linux
        • Android and iOS app
        • Preferably available via a web browser, but I’m willing to compromise on that because I’ve only ever really had to use it a handful of times when my phone battery had died
        • Syncs somehow immediately and efficiently, so that a password generated/saved on one device is ~instantly available to another.