From LastPass to KeePass
I’ve been using LastPass for the last 5 years and have been happy with it. I recommended it to friends, family, and co-workers. I tried to sell it through its convenience: once set up, LastPass auto-fills the user and password fields, and can even log you into a website directly. LastPass creates complicated passwords automatically and is available on every major browser, iPhones, and Android.
But it seems like even LastPass’s time has come.
As we know, convenience usually comes at the price of security. LastPass auto-fill is quick and effective, but it also makes it easy for someone else to grab your laptop, find your bank website in your history, and log in with your saved credentials. To resolve this issue, LastPass has a couple of built-in options, such as logging you out after a certain amount of time or logging off when the browser is closed. These features need to be activated in each new installation of LastPass.
LastPass was an obvious choice for my mom’s new Chromebook. I thought I’d set her up with a new account and share passwords with her this way. I wanted her to learn to trust the app and start creating new secure passwords instead of using the same two or three she’s been using for years. But instead, I discovered a problem.
The option to log off automatically if Chrome is closed was ignored. I’ve checked and asked other users on Reddit, but all I got is the generic troubleshooting advice to make sure Chrome completely exits for the auto logoff to work. Exiting Chrome is possible on Windows, Mac, and Linux (for which the guide was written) but, as it turned out, not possible on a Chromebook. I summoned the ChromeOS task manager with Shift+Esc (this is different from the Chrome browser’s task manager, which is accessible from inside Chrome) and saw that Chrome was still running even after I exited the app. I couldn’t force Chrome to quit either: the button to do so was grayed out when I had Chrome highlighted on the list.
This means the only thing blocking someone from accessing all your passwords is your Google password with a lock screen enabled. Perhaps I’m paranoid, but for me, that’s not enough. I disabled the extension and asked myself these two questions:
- Is it worth using LastPass over Chrome’s built-in password manager?
- Is LastPass a good option to save passwords securely?
The first answer is “not really.” If you’re a LastPass power user with a family plan (which allows you to share passwords), then yes, LastPass gives you more features. However, Chrome’s Password Manager now allows you to create secure passwords and sync them with your Google profile, which means you will have access to them anywhere you log in, including your phone. Since on a Chromebook your security is already handled by Google, there’s not much sense in creating another account with LastPass, which doesn’t offer much more.
The second question is harder to answer. LastPass is a company that makes its business in securing passwords all day every day. They have a good product. They are, overall, pretty transparent with their security breaches when they happen and apply patches and fixes fast.
But LastPass’s browser extension is also its weakest point. To be fair, the same can be said for any password manager that has an extension built into the browser. Various vulnerabilities have been listed before, and some were listed by LastPass themselves. If you’re really concerned about the security of your passwords, you should not use a browser extension. However, if I am hard-pressed to choose between Chrome’s built-in password solution and a third party’s solution that is built into Chrome, I will go with Chrome’s built-in solution. It’s native to the application and hence (hopefully) more secure.
But. The real answer here is that you shouldn’t use a browser extension at all. And that’s what I do these days.
My favorite solution is to use good ol' KeePass, which has been around for about 15 years. I like KeePass for a couple of reasons:
- It’s a standalone program with a simple GUI and flexibility. It works and looks better than LastPass’s more complicated controls and does not rely on cookies.
- The only person with my passwords is me, which makes me sleep better at night. This has been my general trend since I started using Linux. It’s not so much about privacy or security as about the proud feeling of owning my own data, something I feel we don’t do enough these days.
- KeePass is old, open-sourced, free, and probably not going anywhere. I’d like to say the same thing about LastPass, but companies such as these constantly get eaten by greedy corporations that inject them with crap in turn.
- With its combination of using key files and different ciphers (at least via plugins), it feels solid and secure. Not that LastPass security is not good enough. It should also be mentioned that LastPass has two-factor authentication.
Because KeePass doesn’t have a browser extension (at least not out of the box), I use xdotool to auto-type passwords into websites’ text fields. The workflow: I click the user field on a website, Alt+Tab back to KeePass, hit the auto-type shortcut, and watch KeePass type in my credentials as if I’m typing them from memory. Because I can customize the auto-type macro (KeePass2 and up), this eventually makes it even more reliable than LastPass’s auto-fill feature, which sometimes doesn’t work well with fancy animated menus.
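To make the auto-type workflow concrete, here is an added shell example (not from this post and not KeePass’s or xdotool’s own code) that turns a KeePass-style auto-type sequence such as `{USERNAME}{TAB}{PASSWORD}{ENTER}` into the matching xdotool key and type commands. The placeholder names are KeePass’s; the `keepass_autotype` and `do_cmd` functions, the `AUTOTYPE_DRY_RUN` and `AUTOTYPE_DEMO` switches, and the sample sequence are assumptions of this example. One detail worth copying: the username and password are fed to `xdotool type --file -` on stdin rather than passed as arguments, so they never appear in `ps` output or `/proc/*/cmdline` while the command runs.

```bash
#!/bin/sh
# Added example: drive xdotool from a KeePass-style auto-type sequence.
# Supported placeholders (KeePass syntax): {USERNAME} {PASSWORD} {TAB} {ENTER} {DELAY n}
# The conversion logic and the dry-run switch are assumptions of this example.

# Run a command, or print it instead when AUTOTYPE_DRY_RUN=1 (for testing
# without an X display). Secrets are never part of the printed line because
# they travel over stdin, not argv.
do_cmd() {
    if [ "${AUTOTYPE_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# keepass_autotype SEQUENCE USERNAME PASSWORD
# Walks the sequence left to right and emits one xdotool command per placeholder.
# Returns 1 on literal text outside braces or on an unknown placeholder.
keepass_autotype() {
    sequence=$1
    user=$2
    pass=$3
    while [ -n "$sequence" ]; do
        case $sequence in
            \{*\}*) ;;   # must start with a complete {PLACEHOLDER}
            *) printf 'autotype: literal text is not supported: %s\n' "$sequence" >&2; return 1 ;;
        esac
        token=${sequence%%\}*}   # "{TAB"
        token=${token#\{}        # "TAB"
        sequence=${sequence#*\}} # rest of the string
        case $token in
            USERNAME) printf '%s' "$user" | do_cmd xdotool type --clearmodifiers --file - ;;
            PASSWORD) printf '%s' "$pass" | do_cmd xdotool type --clearmodifiers --file - ;;
            TAB)      do_cmd xdotool key --clearmodifiers Tab ;;
            ENTER)    do_cmd xdotool key --clearmodifiers Return ;;
            DELAY\ *) ms=${token#DELAY }          # KeePass delays are in milliseconds
                      do_cmd sleep "$(printf '%d.%03d' $((ms / 1000)) $((ms % 1000)))" ;;
            *) printf 'autotype: unknown placeholder {%s}\n' "$token" >&2; return 1 ;;
        esac
    done
}

# Interactive demo: AUTOTYPE_DEMO=1 ./autotype.sh, then click the login form
# within two seconds. Credentials here are constructed sample values.
if [ "${AUTOTYPE_DEMO:-0}" = 1 ]; then
    sleep 2
    keepass_autotype '{USERNAME}{TAB}{PASSWORD}{ENTER}' 'alice@example.com' 'correct horse battery staple'
fi
```

The `--clearmodifiers` flag releases a still-held Alt from the Alt+Tab so it does not get combined with the typed keys, and `{DELAY n}` gives a slow page a moment to move focus before the next field is typed.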
LastPass is another tool I didn’t think about replacing when I transitioned into Linux, and for a long time, I kept using it in Linux as well. When I switched away from Chrome and stopped being logged into Google all the time, Chrome’s extensions stayed behind. Like many other products (Gmail, Google Docs, Dropbox…) I’m slowly but surely finding good open-source options which are often better.