LastPass is a standout candidate for worst password manager, as has been the case for many years. The other popular password managers, like 1Password and Bitwarden, are certainly not perfect but they're leagues ahead of LastPass.
LastPass is garbage because it's LastPass, not because it's a password manager. The only thing LastPass has ever done well is somehow remain relevant despite being terrible: that's an achievement.
I'd just like to say thank you for linking to that white paper. Really a fascinating read, and nicely written.
I'm a long-time 1Password user and absolutely love it. Sure, it involves placing some degree of trust in AgileBits, but for the incredible level of practicality it offers, I view it as a decent trade-off. Reading that paper now also makes me a great deal more confident in their security standards.
I still use KeePass, albeit with a ridiculously high iteration count to protect against brute-forcing. It's completely client-side, so no cloud involved and nobody to blame other than you if your vault gets into the wrong hands ;-)
Although personally, I use OneDrive to sync it across devices
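The comment above relies on a high KDF iteration count to make offline guessing expensive. As an added illustration (example code written for this page, not KeePass's or the commenter's own; it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for the KDFs a real vault format uses, and the password, salt and iteration counts are constructed sample values), this shows how the per-guess cost scales with the count and how a tool can calibrate the count to a target unlock delay on the machine it runs on:

```python
import hashlib
import time

# Constructed sample input for the demonstration (not a real credential or vault).
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # fixed so output is reproducible


def derive_key(password: bytes, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Stretch a master password into a vault key with PBKDF2-HMAC-SHA256.

    Every iteration is one more HMAC that must be computed per guess, for the
    legitimate user and for an attacker alike, so the work factor scales
    linearly with the count.
    """
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=length)


def seconds_per_derivation(iterations: int, rounds: int = 3) -> float:
    """Median wall-clock time for one derivation at this count on this machine."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        derive_key(SAMPLE_PASSWORD, SAMPLE_SALT, iterations)
        samples.append(time.perf_counter() - start)
    samples.sort()
    return samples[len(samples) // 2]


def calibrate_iterations(target_seconds: float, probe_iterations: int = 20_000) -> int:
    """Pick an iteration count that makes one unlock cost about target_seconds here.

    Mirrors the 'delay' calibration that KeePass-style tools offer: time a probe
    count, then scale. Assumes cost is roughly linear in the count (true for PBKDF2).
    """
    per_iteration = seconds_per_derivation(probe_iterations) / probe_iterations
    return max(1, int(target_seconds / per_iteration))


def exhaustive_search_seconds(iterations: int, candidate_count: int, parallel_cores: int = 1) -> float:
    """Time to try every candidate on hardware comparable to this machine.

    A real attacker with GPUs is far faster per unit of hardware; the useful
    figure is the ratio, since raising the count multiplies this by the same factor.
    """
    return candidate_count * seconds_per_derivation(iterations) / parallel_cores


if __name__ == "__main__":
    for iters in (1_000, 100_000):
        ms = seconds_per_derivation(iters) * 1000
        hours = exhaustive_search_seconds(iters, 10**6) / 3600
        print(f"{iters:>8} iterations: {ms:.1f} ms per guess, "
              f"{hours:.2f} h to try 1M candidates on one core")
    print("iterations for a ~1 s unlock on this machine:", calibrate_iterations(1.0))
```

The trade-off the commenter describes is visible directly: the count that gives a tolerable unlock delay on the user's own hardware is the same count that sets the attacker's per-guess cost, and the absolute numbers only matter relative to the attacker's hardware and the size of the candidate space.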
For me, 1Password continues to work and improve its features in a good way, with biometric unlock support (Windows Hello, iOS/macOS biometric unlock), and the SSH agent is nice, so I use it and was paying the yearly subscription for it before my work started giving me a license for free. While it's my choice, I can see why most don't like 1Password 8's subscription-only and cloud-only model (you effectively have to use 1password.com and can't store your vault on Dropbox, Google Drive, etc.).
Cheers, I'm also currently on 1P and it's fine. Although I'm not nearly as positive about their improvements as you are, it's still a fine product from the user's point of view.
My question is related to the OP though, I'm not looking for UX/UI or feature comparisons.
I moved from LastPass to Bitwarden about 2 years ago, then to self-hosting Vaultwarden about 6 months ago. Bitwarden wasn't as feature-rich as LastPass at the time, but I liked it a lot. My father was using LastPass in the meantime and I saw it devolve into an unpleasant mess UX-wise, and these days, ignoring the elephant in the room that is the hack, I am confident Bitwarden is a much better experience overall compared to LastPass.
I moved away from LastPass as soon as they were bought by LogMeIn. It was already a UX shitshow and it only got worse.
I now mostly use 1Password, but I also host a Vaultwarden instance. I haven't yet moved to it fully because, even though 1P is also devolving and I don't like having my password DB on a 3rd-party server, I still find BW's clients clunky, especially the browser integration.
My question was specifically about the kinds of issues in the OP though. I poked around my Firefox profiles and haven't found much but I don't really know what I'm looking for.
People have been dunking on LastPass for a very long time. I haven't seen the same infosec people do the same with 1Password and Bitwarden. The constant criticism was a big push to finally get me to move to 1P.
The one good thing about LastPass was basically how easy it was to set up. Everything else was a bit of a mess. 1Password was tricky to set up, and they took a bit longer to launch a cloud service.
One thing that bothers me about 1Password is that they only let you set up one security key, which is very impractical for people like me. OTOH, this is not unusual, and I assume part of it is to keep bad actors from adding more security keys to your account or something like that. Still not great when you can lose access to everything if you lose your key.
> People have been dunking on LastPass for a very long time. I haven't seen the same infosec people do the same with 1Password and Bitwarden.
This is my impression as well. What I wonder is whether this is because they haven't tried to find these issues with the other products, or they just failed to find them so nothing ever got published, or, if it did, no one noticed it. I find the latter hard to believe, as I suspect marketing departments would have been all over it.
That said, to me LastPass was always terrible. Back in the day I moved from KeePass to LP for the browser integration, but everything was so buggy and unreliable that eventually I moved away.
1Password was better but the cloud service brings some of the same worries as LastPass.
Google/Chrome is probably the most secure password manager. They have the greatest incentives to keep it secure along with the largest bug bounties and number of people attacking it.
Thanks but I stay away from Google products in general and especially don't install any software written by them on my computers (with the exception of the gcp CLI).
Aside: I never really understood distributing just the slides from a talk. In any good talk, most of the information isn't in the slides.