Published by marco on
Over the last several months, I’ve been asked for advice on password managers. I am not a security researcher. I can only tell you what I do, and why. My experience and context are that I primarily use macOS and iOS, as well as one Windows laptop. I was a LastPass user for a decade, but switched this year to ProtonPass.
At one point, I put together a small evaluation matrix for a colleague, shown below.
As you can see, I don’t know that much about BitWarden, nor am I familiar with the UI/UX of Google or MS Authenticator as integrated into their respective browsers. What I do know is that any browser-specific solution—this applies to Firefox as well—is quite limiting, in that you generally can’t use the password managers in other browsers or contexts. An ideal solution is to have passwords auto-filled in whatever context you find yourself in.
LastPass works well, as you can see above. I used it for about a decade. Why did I stop?
What’s still better about LastPass?
Those advantages come with a caveat, though: sometimes it pastes too much information, or information into the wrong boxes. The whole “paste and go” has become increasingly shaky, as UIs change and no longer reliably present patterns that password managers expect.
ProtonPass does everything that LastPass does, but with a few UI and feature improvements.
As noted above, ProtonPass is less aggressive about picking up changed passwords or filling in existing ones. I imagine that this is because they try less hard to detect every possible pattern that a site might use. I kind of agree that it’s better to make a good, stable UI that lets you easily copy/paste information than to try to keep up with the myriad ways that web sites are making authentication inconvenient for password managers.
For example, when I updated a password recently, I noticed that LastPass would pop up and ask me to store the password … but it was kind of annoying because it asked too often. ProtonPass, by contrast, doesn’t ask nearly as often, though it asks more with each update.
Even if it doesn’t offer to let you generate a password, you can generate one manually.
When you add a password with ProtonPass, it hangs onto it for a while in the “generated passwords” area:
ProtonPass recommends reversing your workflow. Instead of clicking in the popup to generate a password, you should go to the “change password” page, then click in the plugin and generate a new password from there. It’s pretty easy, and it can auto-fill it from there. Here’s a little video:
I’m going to repeat that, while I’m quite technically adept, I’m not a security expert. I read a lot about it. I haven’t caught wind of any problems with the implementation of either LastPass or ProtonPass. I wrote the following to a colleague about a month ago.
The primary thing for any of these providers is to keep the data encrypted at rest, in transit, and, as much as possible, in memory. Decrypting should only ever occur on a client device. That information should only remain decrypted long enough to use it—with an appropriate timeout.
Both their algorithms are solid, and the number of cycles they require ensures that it would take more computing power than anyone has, and centuries of time, to crack them by brute force. In this way, they’re the same as any other provider, like Apple, Google, 1Password, BitWarden, ProtonPass, KeePass, etc.
That’s the most important protection that any of these providers give you.
The algorithmic protection is, as noted above, only as good as your password. The algorithms together with a strong password, protect you from brute-force cracking. If you have a weak password, then attackers don’t need to use brute force because they can guess your password more quickly, without trying them all.
Another protection they give is to not allow access to your data to anyone but you. LastPass has failed to do this for a certain number of customers. It’s unknown whether any of the other providers have done the same—they might have kept the data safe, or … not yet been outed.
It’s known that some people’s password data has been expropriated. This shouldn’t matter because it’s just a pile of bits that is undecryptable without the password.
If you had a weak master password at the time that your data was known to have been stolen, then you’re at risk. You still have a chance to change all of your important passwords, though, before someone guesses your master password and gains access to the current passwords. If you’ve managed to change your passwords before they guess your old master password, then getting access to your old passwords gives them nothing.
Some providers (and security analysts) recommend keeping your ball of data locally, never uploading to the cloud. This is much less convenient and not something I’m personally willing to do. I would rather have a super-strong password that makes obtaining my encrypted data useless.
Layers of security:
Algorithmic protection is only as good as the password. “No access to data” is a secondary layer. If it’s compromised (as was the case for some users at LastPass), then you’re left only with algorithmic protection + strong password. If you didn’t have a strong password, then you’re compromised, but you should have never been relying only on “security by obscurity” anyway (i.e., the fact that no-one had access to your data but you).
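The points in the note above about key stretching, client-side key derivation and master-password strength, illustrated with an added example. This is my own illustration, not code from LastPass, Proton or this post, and it uses only the Python standard library. The iteration count, the attacker's hash rate, the wordlist and the "key check" format of the stolen blob are all assumptions constructed for the example, not values documented by any vendor. It shows the two halves of the argument side by side: an offline dictionary attack on a stolen blob recovers a weak master password after a handful of guesses no matter how many cycles the KDF costs, while the same cycles turn a high-entropy password into an astronomically long brute-force job.

```python
"""Why a vault is 'only as good as the master password'.

PBKDF2 makes every guess cost `iterations` hash evaluations, but a guessable
password needs only a handful of guesses. All numbers below are constructed
assumptions for the illustration, not LastPass or Proton Pass figures.
"""
import hashlib
import hmac
import math
import os

ITERATIONS = 600_000          # assumed PBKDF2-HMAC-SHA256 work factor
GPU_SHA256_PER_SEC = 2e10     # assumed raw SHA-256 throughput of an attacker's GPU rig
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit vault key.

    This is what the client does locally; the server only ever sees data
    encrypted under the resulting key, never the password or the key.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_stolen_blob(master_password: str, iterations: int = ITERATIONS) -> dict:
    """Stand-in for what a breach hands an attacker: salt, work factor and a
    key-check value (HMAC of a fixed label under the vault key), but never the
    password. The check value lets a guesser tell a right key from a wrong one,
    just as successfully decrypting a real vault would. Constructed format."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    check = hmac.new(key, b"vault-key-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def dictionary_attack(blob: dict, candidates):
    """Offline attack on the stolen blob: derive a key per candidate, paying the
    full iteration cost each time, and compare the check value.
    Returns (password, guesses_spent) on success, (None, guesses_spent) otherwise."""
    guesses = 0
    for guess in candidates:
        guesses += 1
        key = derive_vault_key(guess, blob["salt"], blob["iterations"])
        cand = hmac.new(key, b"vault-key-check", "sha256").digest()
        if hmac.compare_digest(cand, blob["check"]):
            return guess, guesses
    return None, guesses


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def brute_force_years(bits: float, iterations: int = ITERATIONS,
                      hashes_per_sec: float = GPU_SHA256_PER_SEC) -> float:
    """Years to exhaust 2**bits guesses when each guess costs `iterations`
    hash evaluations. The work factor multiplies the cost; the entropy
    exponentiates it, which is why the password matters more than the KDF."""
    total_hashes = (2 ** bits) * iterations
    return total_hashes / hashes_per_sec / SECONDS_PER_YEAR


# Constructed wordlist; a real one has billions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "iloveyou"]

if __name__ == "__main__":
    weak = make_stolen_blob("password123")
    strong = make_stolen_blob("Tq7!vZ-pearl-rooftop-silently-42")
    print(dictionary_attack(weak, WORDLIST))    # found on the 5th guess; iterations bought nothing
    print(dictionary_attack(strong, WORDLIST))  # not in the list; attacker is back to brute force
    for label, bits in [("4-digit PIN", entropy_bits(10, 4)),
                        ("8 random lowercase letters", entropy_bits(26, 8)),
                        ("16 random printable ASCII", entropy_bits(95, 16))]:
        print(f"{label}: {bits:.0f} bits, ~{brute_force_years(bits):.3g} years")
```

Run as a script it prints the attack outcomes and the three cost estimates; the useful comparison is that the PIN and the 8-letter password fall in seconds to months at 600,000 iterations, while the 16-character random password runs to something like 10^19 years on the same assumed hardware. Changing the password is the only lever the user controls once a blob has been stolen, which is the point the note makes about rotating important passwords before the old master password is guessed.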
So, to sum up:
I finally got around to deleting my LastPass account. I switched half a year ago to ProtonPass and never looked back.
“I have, after many years with LastPass, switched to ProtonPass. It’s included with my other Proton tools. The UI is more straightforward and friendlier (even if it’s not yet as good at detecting password changes and account-creation as LastPass). There is also the issue of LastPass having been infiltrated a few times. Thanks for the service over the years.”