LastPass is among the best-known third-party password managers on the market, and it used to hold that place for good reason. The free LastPass plan supported multiple types of devices, the paid plan was a worthwhile upgrade at $12 per year, and it was reasonably simple and easy to use. Even when the company suffered a number of security incidents, its responses seemed to warrant the benefit of the doubt.
But over time, features got cut from the free plan and the price of the paid plan went up. Rival password managers also started pushing more innovative features. And then came the major breach in 2022, one in which data in customers' vaults was stolen and revealed to be not fully encrypted. Oof.
A long while back, I started an account with LastPass to manage the passwords for a loved one, and even after last year's hack, I didn't leave immediately. (Change is hard for this person.) But after some gentle, extended coaxing, I finally got the green light to switch them to a different password manager, and I'm so glad to finally move on to greener pastures. LastPass's problems are just too numerous to stick it out, including when you're actually in the process of leaving.
If you're still with LastPass and have been wondering whether you should jump, here's what tipped me over the edge and why I don't plan on ever returning.
If you're looking to pick up a password manager, you should check out PCWorld's roundup of the best ones available today.
The 2022 security breaches
LastPass's disclosures about its 2022 security breaches were like watching a train wreck in slow motion. First came the initial announcement in August, which claimed that no customer data was affected, just a developer environment. Then three months later came an update that customer data was affected. Nearly a month after that, the company revealed that customer information and password vaults had been stolen. Not only that, but fields in those vaults (including URLs) had not been encrypted.
As mentioned above, LastPass was no stranger to security incidents before this breach, but none were as shocking as this one. Customers of online password managers generally trust that their service is safeguarded well enough that their data, even when encrypted, can't be accessed by unauthorized parties. Hearing after a breach that vault data was unencrypted was a bit blindsiding.
And perhaps there's good reason from an engineering perspective for why some details (like URLs, how often you use an entry, when you last updated an entry, and so on) wouldn't be encrypted. Unencrypted URLs still tell whoever holds the stolen vault exactly which sites each customer has accounts on, which is precisely the targeting information a phishing campaign wants. But that brings us to the second way LastPass skewered my trust in them, which is...
Bad communication
So, clearly, I don't know what it takes to run a business where you're not only safeguarding really sensitive data, but also actively dealing with threats to that data on a regular basis.
But good communication is pretty basic: immediacy and full transparency go a long way. A healthy dose of preemptive notifications works wonders, too. The way LastPass breaks its news to customers could use a lot of improvement on all three fronts.
Let's take a recent example. In mid-July, I logged in to make a last check of the account I was abandoning, only to see a message that my password iterations had been raised to 600,000.
A higher number of password iterations is in theory a good thing. Each iteration is one more round of the key-derivation function (PBKDF2 with HMAC-SHA256, in LastPass's case) that has to run before a master-password guess can be tested, so raising the count slows down anyone trying to guess your password against a stolen vault. Current guidance, such as OWASP's password storage recommendation for PBKDF2-HMAC-SHA256, calls for 600,000 iterations, which is probably why LastPass chose to raise customers universally to that level.
But this happened in July 2023. That is, six months after the December disclosure that everyone's vault data had been stolen. Half a year passed in which people who didn't check that setting back in December (as I did) and raise it (as I also did) were left with much lower iterations (as mine was before I fiddled with it).
It says a lot that my first thought was, "What kind of security issue did they have this time to prompt this?" Also, that my second one was, "Why is this happening now?"
The email explaining this change came several hours after I made a quick online search to figure out just what the heck was going on. Then another copy came the next day. The contents didn't explain the timing or the motivating reason behind the increase.
The web interface is disappointing
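To make the work-factor argument concrete, here is an added Python example (mine, not code from the article or from LastPass) that derives a vault key with PBKDF2-HMAC-SHA256, times a single derivation at a few iteration counts, and models how the iteration count divides an attacker's offline guess rate against a stolen vault blob. The email-as-salt construction, the sample password, the iteration counts compared, and the attacker hash rate are assumptions chosen for illustration, not a description of any vendor's exact internals.

```python
import hashlib
import time
from typing import Dict

# Hypothetical attacker throughput for the cost model: raw HMAC-SHA256
# evaluations per second on a GPU rig. An assumption for illustration,
# not a measurement.
ASSUMED_ATTACKER_HASHES_PER_SECOND = 1e10


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with the lower-cased account email as the salt.

    Assumption: this is the general shape of a browser password manager's
    master-key derivation; it is not a statement about LastPass's exact code.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def seconds_per_derivation(iterations: int, samples: int = 3) -> float:
    """Wall-clock cost of one derivation on this machine (median of samples)."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("correct horse battery staple", "user@example.com", iterations)
        timings.append(time.perf_counter() - start)
    timings.sort()
    return timings[len(timings) // 2]


def offline_guess_rate(
    iterations: int, hashes_per_second: float = ASSUMED_ATTACKER_HASHES_PER_SECOND
) -> float:
    """Master-password guesses per second against a stolen vault blob.

    Every guess costs `iterations` HMAC evaluations, so the iteration count
    divides the attacker's raw hash rate.
    """
    return hashes_per_second / iterations


def slowdown_factor(old_iterations: int, new_iterations: int) -> float:
    """How many times more work every guess costs after raising the count."""
    return new_iterations / old_iterations


def compare(old_iterations: int, new_iterations: int) -> Dict[str, float]:
    """Before/after summary for a change in the iteration setting."""
    return {
        "old_guesses_per_second": offline_guess_rate(old_iterations),
        "new_guesses_per_second": offline_guess_rate(new_iterations),
        "slowdown": slowdown_factor(old_iterations, new_iterations),
    }


if __name__ == "__main__":
    # 5,000 and 100,000 are illustrative "low" settings; 600,000 is the target.
    for n in (5_000, 100_000, 600_000):
        ms = seconds_per_derivation(n, samples=1) * 1000
        print(f"{n:>7} iterations: {ms:8.1f} ms per unlock, "
              f"{offline_guess_rate(n):,.0f} offline guesses/s (assumed attacker)")
    print(compare(5_000, 600_000))
```

Running it shows a single unlock staying well under a second even at 600,000 iterations, while the modelled attacker's guesses per second fall by the same factor: going from 5,000 to 600,000 makes every guess 120 times more expensive. That is the whole point of the setting once the encrypted blob is in someone else's hands, and why leaving accounts on a low count for six months after the theft mattered.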
Once upon a time, LastPass's web interface was reasonably decent. Maybe not the slickest, but it felt modern enough.
Nowadays, it feels much more bare-bones compared to rival password managers. Small changes over time have degraded the web interface, too. My biggest beef is that it relies heavily on persistent cookies to maintain settings. Incognito browsing means that your layout will never stay saved; it always reverts the view to LastPass's default.
Banner messages appear repeatedly, too. Perhaps this is petty of me, but when a permanent banner message appeared for the browser extension, that was when I finally reached my limit. LastPass has the logs of what devices I've used and my consistent, unrelenting use of the web interface for years and years. Being nagged persistently isn't going to make me change that habit.
Exporting your vault is a nightmare
This section was filled with far saltier language until I remembered that you all (and my editor) would be reading it. Roll up your sleeves, because we're getting into the dirty details with this one.
You'd think that perhaps, if you were leaving a service, the business would be incentivized to make the process as easy as possible, thereby increasing the chances you might return someday. LastPass tries for this, but it doesn't do it consistently. And lucky me, I got caught up in whatever development gap allows for sloppy password exports.
Generally, when you switch password managers, you'll export your vault data to a CSV or XML file. They're basic file formats that can be easily read across different programs (in theory, anyway). LastPass only exports to CSV for this purpose, and the defining characteristic of the comma-separated values format is that (as you'd expect from the name) commas are used to indicate separate data fields. The flip side is that any field that itself contains a comma, a line break, or a double quote has to be wrapped in double quotes, or a parser will read it as the start of a new field or a new row.
Note: If you export all your passwords to an unencrypted format like CSV or XML, saving the file to an encrypted folder on your PC will help safeguard them while you transition between LastPass and a new password manager. Once the import is verified, securely delete the export and every copy of it (your downloads folder, cloud-synced directories, and the recycle bin included).
I want to be clear: I'm the kind of person who, if something goes wonky, wants to know why. And when my export came out a mess, with a bunch of entries containing orphaned data, I tried to make sense of what I was seeing.
At first, I thought the root cause was commas in the text fields. That perhaps they were causing entries to be split up and read as different entries (with data ending up in the wrong fields, to boot). But that didn't explain why some entries with no commas at all got split up. Or why other entries were just plain missing.
I still had no clear answers by the time I finished manually cross-checking every single entry against the originals in LastPass, a necessary evil because the data was untrustworthy, but importing and cleaning up the mess was still faster than creating all the entries from scratch in the new password manager.
Trying different browsers and methods of export (i.e., initiated through the web interface vs. the browser extension) didn't clear up the confusion. Turns out the web interface doesn't export all entries (Firefox) or straight up returns a blank CSV file (Chrome), but both Firefox's web interface export and the Chrome browser extension had the same issues with data integrity. Meanwhile, when I tried exporting on a test account, the data fields for each entry came out perfect (even if some were still missing in the web export).
As best as I can tell, either the age of the account influences how the data is stored and parsed on the servers, or the use of certain special characters in non-password text fields triggers some kind of bug in the export script. Either way, you can't trust that you're actually getting all your passwords out intact. Hours into the tedious process of salvaging my import, I seriously considered abandoning the process in favor of password resets for every service, and letting the new password manager capture them. I mean, I was going to have to do that anyway as a final precaution given the LastPass security breaches, right?
Never again.
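The checks worth running on an export before trusting it, as an added Python example (mine, not code from the article and not LastPass's own tooling): it parses the file with a real CSV parser instead of splitting on commas, and flags the failure modes described above: a row with the wrong number of fields (an unquoted comma shifting data into the wrong columns), a row whose URL column holds note text because an entry split across lines, and a total row count that disagrees with the number of entries in the vault. The header, the sample rows, and the column list are constructed assumptions about the export layout, not real vault data.

```python
import csv
import io
from typing import Dict, List, Optional

# Header modelled on a LastPass CSV export. The exact column list is an
# assumption for this example; the checks below only rely on "url" and "name".
HEADER = "url,username,password,extra,name,grouping,fav\n"

# Constructed sample exports (not real vault data).
# 1. A correct export: the note containing a comma is wrapped in double quotes.
GOOD_EXPORT = HEADER + (
    'https://example.com,alice,p4ss,"note, with comma",Example,Work,0\n'
    "https://bank.example,bob,s3cret,,Bank,Finance,1\n"
)
# 2. The same data with the note emitted unquoted: the inner comma reads as a
#    field separator, so the first row gains a column and everything after the
#    note shifts one position to the right.
BAD_COMMA_EXPORT = HEADER + (
    "https://example.com,alice,p4ss,note, with comma,Example,Work,0\n"
    "https://bank.example,bob,s3cret,,Bank,Finance,1\n"
)
# 3. A note containing an unquoted line break: the entry is split into two short
#    rows, the second of which starts with note text where a URL should be.
SPLIT_ROW_EXPORT = HEADER + (
    "https://example.com,alice,p4ss,line one\nline two,Example,Work,0\n"
    "https://bank.example,bob,s3cret,,Bank,Finance,1\n"
)


def check_export(csv_text: str, expected_entries: Optional[int] = None) -> Dict[str, object]:
    """Parse an export with a real CSV parser and report rows that cannot be trusted."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    width = len(header)
    url_col = header.index("url")
    name_col = header.index("name")

    rows: List[List[str]] = []
    problems: List[str] = []
    for row in reader:
        if not row:
            continue  # skip blank lines
        rows.append(row)
        line = reader.line_num
        if len(row) != width:
            # Unquoted comma (too many fields) or unquoted line break (too few).
            problems.append(f"line {line}: {len(row)} fields, expected {width}")
            continue
        url = row[url_col]
        if url and not url.startswith(("http://", "https://")):
            # A well-formed row whose first column is not a URL is usually the
            # tail of an entry that split across lines.
            problems.append(f"line {line}: url column does not look like a URL: {url!r}")
        if not url and not row[name_col]:
            problems.append(f"line {line}: entry has neither url nor name")
    if expected_entries is not None and len(rows) != expected_entries:
        problems.append(f"parsed {len(rows)} rows but the vault holds {expected_entries} entries")
    return {"entries": len(rows), "problems": problems, "ok": not problems}


if __name__ == "__main__":
    samples = (("good", GOOD_EXPORT), ("unquoted comma", BAD_COMMA_EXPORT), ("split row", SPLIT_ROW_EXPORT))
    for label, text in samples:
        report = check_export(text, expected_entries=2)
        print(f"{label}: ok={report['ok']} entries={report['entries']}")
        for problem in report["problems"]:
            print("   ", problem)
```

Against a real file, pass the entry count shown in the vault as expected_entries. Every flagged line is one to cross-check by hand before importing, and a parsed row count that differs from the vault's count means entries were dropped or split, so the new manager will silently end up with fewer working logins than the old one.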