Post-LastPass ideas for non-cloud password autofill?
December 31, 2022 2:15 PM
The LastPass hacks have me thinking of going back to a desktop password storage app like KeePassX or just Mac Keychain. But I wonder how to get my Firefox to autofill passwords from a local password file. What are some good solutions?
A while back I followed Edward Snowden’s advice and relied on good old KeePass. The only thing is I was never able to figure out how to get the autofill working on a non-Windows machine. Is there a recommended Firefox plugin that would pipe KeePass files into my browser?
The other option I have been considering is Apple’s Keychain. But it seems from my initial research that it only autofills on Safari and not on Firefox. Has anyone found a good workaround for this that you like?
Best answer: Bitwarden will let you sync to a server you host yourself (in your house, as an example) and has an app without the flaws that LastPass's had (unencrypted passwords in memory, e.g.), but it is a tech-savvy solution. Your profile suggests it might work for you, though.
posted by How much is that froggie in the window at 3:05 PM on December 31, 2022 [3 favorites]
Best answer: KeePassXC has a browser extension that works fairly well in Mac versions of Chrome, Firefox, and Tor browser, based on my experience. Versions are also available for Windows and Linux (and the Linux version doesn't require Mono, unlike KeePass).
As far as I know syncing will be roll-your-own, though, and it's understandable if that's something you don't want to deal with. For me this is more of a feature than a...lack of a feature, I guess, as I prefer to store my passwords locally and to only have one device that "knows" my passwords. But you may not be as cranky about this as I am, and that's ok!
posted by pullayup at 4:05 PM on December 31, 2022
Software engineer here. I have been recommending cloud hosted 1Password to everyone since migrating. I have a lot of reasons why, but I'll try to hit the high points:
1. Unlike LastPass, 1Password has an additional security element: a secret key. The secret key is stored on each device you have enrolled, but not on 1Password's server. As a result, even if someone were to compromise 1Password as thoroughly as LastPass has been compromised (and I don't think that's likely), and the attacker somehow gained access to your master password, they still would be unable to read your passwords. They would need to also gain access to your machine and its secret key.
2. Cloud hosting makes syncing between mobile and desktop possible, and that's very helpful to keep me from falling back on bad behaviors for day to day use. A password solution needs to be secure, but for average security needs it should also be usable.
3. The support is really fantastic. Browser plugins are great, iPhone and Android support is there.
4. 1Password is a more trustworthy company in every way: they have a sustainable business model, they aren't owned by private equity, they have a fantastic working relationship with security researchers, and they don't try to sweep major issues under the rug (like LastPass has and continues to do).
Everyone has different degrees of comfort and standards of security, of course. Having this particular trust betrayed has scared the bejesus out of me, and made me question some of my assumptions. I should've dropped LastPass long ago. What's done is done, though. Good luck!
posted by billjings at 12:10 AM on January 1, 2023 [4 favorites]
I just switched from LastPass to 1Pass - it was very easy. You just export your LastPass vault into 1Pass - there are step-by-step instructions at 1Pass. It probably took me 15 minutes to set up the 1Pass account and export/import the passwords. Then maybe another ~45 minutes to set up 1Pass on all my devices and browsers for extensions etc.
posted by Mid at 3:55 PM on January 1, 2023
Response by poster: Thanks, I appreciate all the answers. While I do believe that 1Password seems like a much stronger product with much smarter security practices, I lean closer to this New York Times piece that argues you incur risk any time you trust a password management cloud company.
(People thought their stuff was safe at FTX too...)
posted by johngoren at 4:00 AM on January 5, 2023
posted by johngoren at 2:15 PM on December 31, 2022