from Hacker News

LastPass appears to be holding users' passwords hostage

by tytso on 1/11/22, 6:03 PM with 217 comments

  • by bostik on 1/11/22, 6:51 PM

    I can say with full confidence that this at least has nothing to do with their hostage situation:

    > Having no formal support channel

    When I last had to deal with their so-called support, all contact details were very efficiently hidden. Once you found a page with a phone number, and the hours you could call them, there was one final surprise:

    "The phone number you are trying to reach is not in use". The only contact that works reliably at LastPass is their billing department. Make of that what you will.

  • by jmrm on 1/11/22, 7:53 PM

    Watch out! Another "bug" of the LastPass happens when you export your accounts.

    I have exported all my accounts via the web interface, and the three times I've done that it exported a truncated CSV file with about 30 lines, while printing the whole file content in the web page you access. That means the CSV you downloaded probably is not complete and you have to copy some lines from the web.

    I was lucky to investigate a weird warning, about some missing fields in the last row, that SQLite gave me after importing all the accounts to a database.

  • by wiether on 1/11/22, 7:12 PM

    When they were acquired by LogMeIn a few years ago, the thread on HN about it was recommending switching to Bitwarden. Which I did. In a few weeks, I'll have to pay $10 to renew it. Meanwhile, since December we have had this kind of worrying news from LastPass, which is almost 4 times more expensive than Bitwarden.

  • by futhey on 1/11/22, 6:49 PM

    Confirmed working 10:46am PST:

    Sign in to LastPass web -> Advanced Options -> Export -> Verify export by email -> Advanced Options -> Export (again) -> List of passwords in CSV format.

  • by rodmena on 1/11/22, 7:02 PM

    I don't understand why people should use LastPass while this robust, multiplatform and totally free "BitWarden" is available. Marketing power.

  • by efitz on 1/11/22, 6:38 PM

    When LastPass was acquired a few years back, I saw the writing on the wall and changed to 1Password. Thank goodness I dodged this bullet.

  • by AlexandrB on 1/11/22, 6:44 PM

    Neither a bug nor an intentional ploy would surprise me. When I last used LastPass (2018) the web UI was quite buggy and difficult to use. Since then they have been acquired[1] by a PE firm and are about to be spun off again[2] as an independent company. Heaven knows who's steering the ship over there.

    [1] https://www.ghacks.net/2019/12/18/logmein-lastpass-to-be-acq...

    [2] https://www.theverge.com/2021/12/14/22833319/lastpass-indepe...

  • by stelonix on 1/11/22, 7:25 PM

    I don't know, maybe I'm old-fashioned, but I never used and never will use a password manager. I can't think of a reason to let a business know all my passwords while also making it my single point of failure.

  • by gilbetron on 1/11/22, 7:05 PM

    As a LastPass user, I'm getting a bit nervous. I've looked through various other threads on suggestions, but, since it is inevitable - what do people recommend and why? I'd prefer only answers from people that have been using their solution for at least a couple of years, and even better, people that have been using theirs for even longer and through multiple iterations of "weird things happened to password manager X" cycles :)

  • by johnmarcus on 1/11/22, 6:38 PM

    LastPass has become garbage since it was purchased by LogMeIn (or whatever parent garbage company owns them these days). I can't comprehend why anyone would use them.

    I can only personally recommend Bitwarden instead - it's open source and can never decrypt your passwords on prem. Browser plugin, mobile app, enterprise versions, etc. It has it all, and hasn't been a cunt to its users from day 1.

    Also, unlike LastPass, they haven't been hacked multiple times. I cannot comprehend why anyone trusts them with their passwords - the company I work for included, I'm afraid.

  • by 4ec0755f5522 on 1/11/22, 9:39 PM

    I use Firefox / Safari built-in password management. I do not know how secure they are but no issues in 10+ years and I certainly have access to all passwords in my keychain/account. Not locked behind some corporate service. They are saved locally.

    Both easily generate long random passwords, etc.

    For me this is a solved problem (until Firefox's service is hacked, of course) to the point that my real pain point is remembering the random strings I use for "security question" answers. For that I use a KeePass database. But I wish FF/Safari would see the need and add security question fields to their management.

    No way am I giving real information for those. Why yes my mother's maiden name is cd559b1085b94b2dad32bb9e458e2422 so sorry to hear it was leaked, SONY.

    https://en.wikipedia.org/wiki/2011_PlayStation_Network_outag...

  • by pleonasticity on 1/11/22, 6:39 PM

    I just tried exporting my LastPass database without any issue.

  • by pmlnr on 1/11/22, 9:49 PM

    Keepassxc + syncthing. Password managers are too important to rely on someone else's computer.

  • by komadori on 1/11/22, 8:44 PM

    The problem I had with LastPass is that if you have any billing problem then you're immediately kicked down to the free tier with all the problems that entails, including loss of access to regular support. Worse, they had a bug that prevented me upgrading back to premium with new payment details. The special contact form for billing support was non-obvious and they were not especially prompt or helpful. I've since migrated to BitWarden. No problem exporting, thank goodness, but it wouldn't have surprised me!

  • by yoav on 1/11/22, 6:37 PM

    This is exactly why I switched to another password manager when they announced LogMeIn had bought them.

    Same gross tactics and lock in. IIRC LogMeIn refused to let me delete my credit card details or cancel my plan and their “support contact” was completely unresponsive.

    Can’t remember if I just used fake card details or blocked the transaction by locking/cancelling the credit card but it was a real nightmare.

  • by JackMcMack on 1/11/22, 7:10 PM

    Root cause of this issue: export is only possible from the desktop browser plugin, but lastpass locks free users to either desktop or mobile. If your account is locked to mobile, you can't export your passwords.

    I have another related issue: it is not possible to export your TOTP seeds from lastpass authenticator.

    I contacted the lastpass/logmein dpo, which (in my case at least) got forwarded to their generic support-by-email. They were slow to respond, and eventually claimed they could not export my one time passwords because they are encrypted. This is obviously false, they can decrypt the data just fine (I actually switched to a new phone, authenticator data got synced as you would expect). And other apps such as Google Authenticator allow you to export your data.

    I filed a gdpr complaint with my national Data Protection Authority, which after a long response time got accepted, and is now forwarded to the Irish DPA.

    If you want to assert your rights, contact Lastpass/Logmein at privacy@logmein.com or via their support page [0] (from their privacy page [1]), and demand access to your data. If they refuse, or do not respond within 30 days, file a complaint with your DPA [2], with proof that you requested your data but got denied.

    [0] https://support.logmeininc.com/contactus

    [1] https://www.logmein.com/nl/legal/privacy/international#right...

    [2] https://edpb.europa.eu/about-edpb/about-edpb/members_en

  • by lini on 1/11/22, 6:45 PM

    I had issues exporting my LastPass database to a CSV file a couple of weeks ago from a browser (no plugin installed). They seemed to render the CSV data inside a <pre> tag in an HTML page (I have no CSV browser plugin installed). I had to copy the text manually from the HTML source and paste/import it in another password manager.

  • by riffic on 1/11/22, 7:07 PM

    This company is so rotten. Just look at their recent track record showing pure user hostility. Why is anyone still using them?

  • by u2077 on 1/11/22, 10:24 PM

    Any subscription based password manager is holding your passwords hostage. Not sure why this is news.

  • by AndrewHayes on 1/12/22, 4:54 AM

    I was just able to export mine.

    As some have said the web export gave a truncated set. However the chrome browser plugin export function worked just fine and gave me a full export from two separate accounts.

    This included one account that was seemingly locked in the web browser because I had cancelled my subscription and was locked into a re-subscribe page with no other options to proceed that I could figure out.

    Just painlessly (finally) deduplicated my pwds in excel and imported to a bitwarden family plan. It's been so painless. The features I'm seeing make me fairly certain I'll be paying for a family org plan.
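
A check for the truncated export that jmrm and AndrewHayes describe, written as an added example here and not part of the thread or of any LastPass or Bitwarden tooling: it parses a LastPass-style CSV export, flags rows with the wrong number of fields (the usual sign of a file cut off mid-record) and compares the entry count against the number the vault UI shows. The column header is assumed from the LastPass export format and the sample rows are constructed, so adjust EXPECTED_HEADER if your own export differs.

```python
import csv
import io

# Column header of a LastPass CSV export, assumed here from the format as
# commonly documented; change it if your export's first line differs.
EXPECTED_HEADER = ["url", "username", "password", "totp",
                   "extra", "name", "grouping", "fav"]

# Constructed sample export: three intact entries (one with an embedded
# comma and quote, one secure note spanning two lines) followed by an
# entry cut off mid-row, the way a truncated download would look.
SAMPLE_EXPORT = (
    "url,username,password,totp,extra,name,grouping,fav\n"
    "https://example.com,alice,correct horse,,,Example,Work,0\n"
    'https://mail.example.org,alice@example.org,"p,ass""word",,,Mail,Personal,1\n'
    'http://sn,,,,"note body\nspans lines",Secure note,Personal,0\n'
    "https://bank.example.net,alice,hun\n"
)


def validate_export(text, expected_count=None):
    """Parse a CSV export and report anything that suggests it is incomplete.

    expected_count is the number of items the vault UI shows; pass it so a
    silently truncated file (well-formed but short) is still caught.
    Returns a dict with the parsed row count, a list of problems, and a
    'complete' flag that is True only when no problem was found.
    """
    reader = csv.reader(io.StringIO(text))
    problems = []
    header = next(reader, None)
    if header != EXPECTED_HEADER:
        problems.append(f"unexpected header: {header}")
    rows = []
    for row in reader:
        if not row:  # blank line, not an entry
            continue
        rows.append(row)
        if len(row) != len(EXPECTED_HEADER):
            # A row with the wrong field count is the typical sign of a
            # file cut off mid-record (reader.line_num is the physical line).
            problems.append(
                f"line {reader.line_num}: {len(row)} fields, "
                f"expected {len(EXPECTED_HEADER)}")
    if expected_count is not None and len(rows) != expected_count:
        problems.append(
            f"{len(rows)} entries parsed, vault reports {expected_count}")
    return {"rows": len(rows), "problems": problems, "complete": not problems}


if __name__ == "__main__":
    report = validate_export(SAMPLE_EXPORT, expected_count=5)
    for problem in report["problems"]:
        print("PROBLEM:", problem)
    print("complete:", report["complete"])
```

Run it against the real downloaded file (and the entry count from the vault's item list) before deleting the old account; a file that parses cleanly but reports fewer entries than the vault shows is the case the web export in this thread produced, and the comparison catches it even when every surviving row is well-formed.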

  • by acheron on 1/11/22, 6:52 PM

    The export works fine, I just did it about a week ago.

    Lies, on Reddit? Shocked pikachu face.

  • by tiku on 1/11/22, 6:47 PM

    I was removed from a team account, after that I could no longer access my account until the company reinstated me temporarily. Very weird behavior because it was a private account first.

  • by SavantIdiot on 1/11/22, 9:05 PM

    I've been paying for one license of LastPass to use on multiple computers and phones since 2012. Never any problems. What the heck are y'all doing with it that makes it so unreliable for you?

    The only problem I have is that my iPhone 7 doesn't always detect my USB-C YubiKey NFC, but I think that's a YubiKey or iPhone problem.

  • by Havoc on 1/11/22, 8:41 PM

    One more to add: Not only do they limit switching between phone and desktop, if you request desktop site on a phone you get a css render salad.

    Got mine exported during the recent scare without too much pain.

    But yeah - going to move away from Lastpass. Everything about them seems to be going sour fast.

  • by iratewizard on 1/11/22, 6:35 PM

    I'm glad I can point to things like this after years of telling people to drop logmein jr

  • by turblety on 1/11/22, 6:38 PM

    > If this is true, they are in major violation of Article 20 of the GDPR.

    I honestly have no idea how the GDPR got implemented. A true policy that actually benefits the citizens of Europe, in a world where most policies are to screw over everyone but the rich.

  • by whitepoplar on 1/11/22, 6:52 PM

    Last time I checked (a couple years ago), the only seemingly trustworthy password managers were 1Password and pass. Has this changed?

  • by bborud on 1/11/22, 9:09 PM

    So a company that requires users to trust them decides to be sneaky and untrustworthy.

    I just got a strong incentive to check out the competition.

  • by londons_explore on 1/11/22, 6:36 PM

    All it takes is for someone to write a little chrome extension to export everything and import it into competing software...

  • by anm89 on 1/11/22, 8:19 PM

    So happy I jumped ship to a different password manager and got away from this dumpster fire

  • by meta-level on 1/12/22, 6:58 AM

    Maybe they should just change their name to LostPass and everything's fine again

  • by hcurtiss on 1/11/22, 6:44 PM

    I recently exported to Microsoft Authenticator/Edge without any trouble at all.

  • by dahart on 1/11/22, 9:00 PM

    > If this is true, they are in major violation of Article 20 of the GDPR.

    Is this reasonable, or trying to whip up resentment based on speculation? It partly feels questionable because the author is a US resident, and the company is a US company - of course that’s no reason not to discuss/comply with GDPR - but paired with the lack of specifics and the explicit speculation with words like “appears” and “likely knowingly” that have no accompanying proof, it feels like more hit piece than valid legal concerns.

    There may be real, valid, and large reasons to have resentments here, I have no opinion on that. But LastPass doesn’t necessarily “have” everyone’s passwords, because many are encrypted and LastPass can’t decrypt them.

    Does article 20 really apply to data encrypted such that the company has no access? That seems unlikely. Article 20 might require that LastPass export someone’s user profile and credit card information, but it was not designed as a way for people to demand UI features they want or force companies to offer service for free, right?

  • by zerof1l on 1/11/22, 7:59 PM

    That's why I never used LastPass and never will. KeePass ftw!

  • by staticassertion on 1/11/22, 6:40 PM

    I just exported all of my passwords using only the extension.

  • by jarbus on 1/12/22, 2:51 AM

    So glad I switched to pass years ago

  • by alfiedotwtf on 1/11/22, 9:41 PM

    vi ~/.passwords.txt

    ... problem solved

  • by OptionX on 1/11/22, 8:27 PM

    Glad I dropped them as soon as they made the change to limit the number of connected clients behind a paywall. Changed to bitwarden. Same functionality (at least for my uses), free, and with the option of spinning up your own server for your personal use (versus the cloud option).

  • by zucked on 1/11/22, 6:38 PM

    This is going to turn into a thread full of recommendations for PW managers before long, so here's my plug for Bitwarden.

  • by msoad on 1/11/22, 6:52 PM

    I use iCloud Keychain because Apple is not in the business of making money off a password manager. They charge me more via their hardware sales scheme, but at the end of the day it’s a good experience overall.