Today I finally migrated away from using LastPass as my password manager and am instead going to use KeePass. My reasons were the following:
In this post I'll share my experience with migration, complaints about LastPass and how my current setup looks for syncing my passwords between my phone and computers.
Updated (6/1/18): Syncthing is a good way to synchronize a KeePass DB between my phone and computers.
Several months ago, the Firefox extension for LastPass lost the ability to "Copy Password" from LastPass.
It used to be that you could click the LastPass icon, click "Show Matching Sites", right-click one of the login entries, and click "Copy Password" if you needed to copy the password.
An example where this is very useful is when logging in to Amazon Web Services:
The AWS login page has three login fields: Account Number, User Name, and Password.
Most sites only have Username and Password, and this is the only use case LastPass knows how to support.
If I use LastPass to "Auto-fill" this login, it will paste my username into the "Account Number" and "Username" fields, which then makes it so I can't log in. So, really the only option is to "Copy Password" and manually type in my username and paste the password.
The Firefox extension lost this ability.
So now I have to click the LastPass icon, "Show Matching Sites", right-click the login entry, "Edit" which opens a new tab to my LastPass Vault, click on the icon to "Show password", select the password, Ctrl-C
, go back to the AWS login tab, Ctrl-V
and continue.
I waited for months to see if LastPass would bring back the "Copy Password" feature but it seems they don't care to. The Chrome extension still has it, but I don't use Chrome as my primary browser.
Web browsers are complicated apps and I don't trust the security of a browser extension that manages my passwords.
The default setting for LastPass apparently causes it to remember your master password for a very long time, even between completely closing and restarting your browser or rebooting your computer. If the LastPass extension has such ready access to my unlocked, decrypted password database, other software on my computer might as well. If any program I use has a vulnerability exploited that gives it any kind of filesystem access, it could probably find where LastPass keeps its data and get into it.
I'd prefer a separate, dedicated app where unlocking and locking my password database is an explicit action, and it isn't just sitting there with its pants down waiting for any malicious app to steal its secrets.
In LastPass on Firefox, I clicked the "Export" button which opened a new tab and showed me my entire password database, in CSV format, which I then apparently had to copy/paste into a text editor and save as a *.csv
file.
One thing I discovered was that the CSV file wasn't directly usable by KeePass just yet!
Everywhere that I had an &
symbol in a password, LastPass encoded that as &
, and if I were to just import the CSV into KeePass directly, it would see the string &
in my passwords and think they should be taken literally. This meant some logins to sites would fail because the password didn't match exactly.
I did a find/replace in my text editor to convert &
into &
and then it was ready for KeePass.
I'm using the KeePassXC client for KeePass on my desktop PCs. It's a cross-platform app that runs on Linux, Windows, and macOS.
Importing the LastPass CSV file was pretty straightforward. I told KeePassXC that the first row of the CSV were the headers, and then told it which column to pull each data point from: usernames, passwords, group names, labels, and so-on.
KeePassXC is a cross-platform desktop app that runs on Linux, Windows, and macOS.
The official KeePass software only targets Windows and runs on Linux via Mono, but looks non-native and clunky. KeePassXC uses the Qt GUI framework and looks nice on all platforms, and is compatible with the same KeePass database files.
For my Android phone, I'm using Keepass2Android Offline because I don't need cloud sync services, nor do I really want to use them. There is also Keepass2Android that supports cloud services, if you want to sync your database via Dropbox or Google Drive or some other services.
To sync my password database between devices, I set up a Syncthing instance on my web server (as the centralized host) and my various devices, including my phone. The password DB itself is managed in a Git repository, so after I make changes, I commit it to git to ensure that there is an 'out-of-band' good copy of the database that doesn't get automatically pushed around between devices. Just in case something happens.
I hear that it's okay to host your KeePass DB on cloud providers like Dropbox, if your master passphrase is sufficiently strong, because somebody having your encrypted database is only part of the battle of them cracking into it. My choice not to use Dropbox doesn't have anything to do with the security of my password database, though; it's just because I don't want to use cloud services. With such nonsense as the CLOUD Act, I'm trying to keep as many things close to me as possible, and the "cloud" is really just "other peoples' computers."
There is 1 comment on this page. Add yours.
Just a comment about your AWS case: in LastPass you can add custom fields (editing the entry in your vault) so they match the name of the inputs in the page. It then auto-fills as many fields as you want, even checkboxes and options.
That said, LastPass keeps getting worse as time goes by, so moving to Keepass is still a good idea (that's how I ended here!)
0.0480s
.