Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

LastPass Hacked for Second Time This Year

willzyx said:
Because 3rd party password managers (1password, keeper, bitwarden) offer a lot more flexibility and security than Apple's built-in manager. Apple's version is good enough for basic functions, anything more and a dedicated manager is far more advanced. Everyone knows that LastPass is trash and has always been trash.
Click to expand...
I've been using LastPass for some time now. Looking for a replacement now. What would you recommend?
 
montuori said:
A password manager discourages password reuse. In a very trivial case: each time you submit a password to a service that password is known to a third party; noting prevents a website operator from collecting those passwords in plaintext in order to try them against other services. Remembering the 600+ passwords I currently have in use -- most of which are 20+ characters -- would be impossible but I can remember my lengthy and complex 1Password secret pretty easily.
Click to expand...

Just have to say: properly done, most places should never see the password, they should only see a hash of the password. Perhaps salted. Then the web site operator can’t access the plain text one. And that is the minimum. 😀
 
  • Like
Reactions: inkswamp and TheYayAreaLiving 🎗️
centauratlas said:
Just have to say: properly done, most places should never see the password, they should only see a hash of the password. Perhaps salted. Then the web site operator can’t access the plain text one.
Click to expand...
At some point the client must present a cleartext password token of some sort (in a password auth scheme anyway; OAuth flow, certificate exchange, and so on are obviously a different matter). Even in the case where a password is hashed client side the resulting digest is itself a cleartext password, just not one that the user knows.

The cleartext should indeed be salted + hashed for storage and comparison of course.
 
Can we hurry up and get rid of passwords already? Sheesh. I got rid of 1Password, just use Keychain...
 
Been using 1password for years .. not really a fan though of the subscription model. Might just delete my account and move over to icloud keychain.
 
  • Like
Reactions: msackey
willzyx said:
Because 3rd party password managers (1password, keeper, bitwarden) offer a lot more flexibility and security than Apple's built-in manager. Apple's version is good enough for basic functions, anything more and a dedicated manager is far more advanced. Everyone knows that LastPass is trash and has always been trash.
Click to expand...
I didn't know LastPass was trash, so not everyone. I've used LastPass since 2015 and haven't experienced any glitches. The two recent hacks are concerning, of course, and these have my attention.

I'm always interested in something better. What third party password manager do you use, and how is it better than LastPass?

Thanks.
 
Last edited:
I'm a long-time user of 1Password. I love the service. I have family sharing with my wife and it makes everything a breeze. She is not technical at all, but having a shared vault and the ease of use from 1Password has made her using complex randomly generated 50-character passwords, a different one for each service.

I have considered trying out Apple Keychain. But from what I understand it has no way of having a shared family vault. And from what I've seen the Windows integration using the iCloud for Windows app looks terrible, just like all services Apple offers outside their own ecosystem. I use primarily Apple devices, we are heavily integrated within the Apple ecosystem. But both I and my wife have to utilise Windows in our professional lives so it can't be Apple only.

I don't think Keychain on macOS lets you autofill anything outside Safari either? I mostly use Firefox on macOS, having to manually go into Keychain in order to copy passwords would be a huge downgrade compared to having the 1Password extension in Firefox. 1Password also lets me save software license information, notes, and MFA codes. When logging into Macrumours, 1Passworld will autofill my username, password and my MFA authentication code automatically.

I don't think you can use Apple Keychain as an MFA generator for OTP/MFA?
 
  • Like
Reactions: ignatius345, NightOne and burgman
LastPass already had a terrible reputation...
Now it's definitely compromised, the service should just close down at this point.

I'm with 1Password and I love it (no problems at all), but eventually I'd prefer to switch to a 100% local system once I have the time to set it all up.
 
I've chosen 1password. I've tried LastPass but the interface was clunky in comparison. I believe that LastPass also had a leak a few years ago. 1password is a joy to use and has always been Apple-centric.
Apple's built-in solution - nice that it's there - but it has a long way to go both in terms of interface and options to catch up to 1password.
But this does make me worried about security. Imagine someone having access to the complete vault.
Any thoughts anyone about how secure 1Password is? Is there a more secure solution?
 
In the past, I've thought about using Keychain Access because it syncs passwords between my Apple devices. The main problem is that if you have a non-Apple device, it won't sync passwords to it.

Then there are the FIDO Alliance Protocols (passkeys) that Apple has started to implement. I'll be interested in how these change the conversation.
 
owaint said:
I just have the passwords section of settings open up from an iOS shortcut - icon on my home screen takes me straight there, opens with faceid faster than 1password. Doesn't have all the features of a dedicated password app but it's pretty close and free.
Click to expand...

Care to share that shortcut???

I have one but it fails for me.
 
Last edited:
I migrated from LastPass to a self-hosted instance of BitWarden when they changed the features available to free-tier users.

As it’s open-source, self-hosted BitWarden provides access to the features usually only available to paying, premium subscribers to their cloud version.

It’s running in a docker container on my NAS so all my devices sync with it perfectly when they’re connected to my home network and the data volume is backed up nightly to both a separate NAS and to an encrypted cloud service. There is no external access to my home network.

Hopefully I’ve got all bases covered. It requires some hardware and some technical know-how to set up but it is a quite a neat solution. It could probably be run just fine on a cheap raspberry pi too.
 
  • Like
Reactions: cjgrif and ValerieDurden
Nozuka said:
Been using LastPass for a long time. 1Password didn't even exist back then.
Click to expand...

I have been using 1Password since early 2008 and still using it today. The best one!
 

Attachments

  • A8336E58-9868-4FB1-88B3-4075939BAEC8.jpeg
    A8336E58-9868-4FB1-88B3-4075939BAEC8.jpeg
    398.8 KB · Views: 86
  • 23CCBF51-B212-44A3-93F1-07409C9931A1.jpeg
    23CCBF51-B212-44A3-93F1-07409C9931A1.jpeg
    315.3 KB · Views: 71
clipperz.is has been around for about 15 years. It's shareware. The company doesn't know who you are and doesn't have access to ANY of your information due to their "Keep It To Yourself" policy. To quote their site: "Everything you submit is locally encrypted by your browser before being transmitted to Clipperz. The encryption key is a passphrase known only to you! It is impossible for anyone without that key to decrypt your data."
 
The last time it was hacked, I removed all my passwords...

This time I removed my account.

To anyone interested, here are the steps to completely remove your account:
  1. Open your browser of choice and go to lastpass.com.
  2. Log in to your LastPass account.
  3. Go to lastpass.com/delete_account.php.
  4. Tap the Delete button.
  5. Tap Yes from the pop-up to confirm you have your Master Password.
  6. Enter your Master Password.
  7. Select Delete.
 
If I was looking for a password manager, I would not choose LastPass for a lot of reasons. The hacking incidents are not the only showstopper for me. I also do not like its corporate stability, privacy practices, and revenue model. These problems are nicely detailed here (as well as some recommended services for anybody looking to switch):

Wirecutter-Password managers
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back