Blog entries from December, 2022

For a long time (until a few years ago) my technique to avoid repeating passwords was to use a bookmarket called SuperGenPass which would generate a password for me based on the website’s domain and a master password. For important things like email and banking I had specific unique passwords, but the numerous other accounts used this method.

I also avoided using the same email address for new accounts by never using the “login with Google/Facebook” option and as much as possible created a new unique email alias for each one. I don’t actually see much spam but when I do it is always interesting to note which address was being used. Did company A have a breach or did they just sell their customer data?

Back to the passwords… it was nice to have a quick way of ensuring that my passwords were different, but over time I noticed a flaw in this process and that was to do with data breaches and forced password resets.

If the account wasn’t important, such as something that was needed for a specific purpose but no longer, then one option was to delete the account and move on. However if I needed to keep using the account then the password needed to change, but because it was generated from my master password and the domain of the site, it couldn’t. For a short time I had two master passwords, one for most accounts and then a second for accounts that I remembered had needed to be changed. This wasn’t working so I switched over to a password manager.

I didn’t want to have to manage a password file myself so based on recommendations I had a look at both 1Password and LastPass, deciding on LastPass as it felt easier to use. There were plugins for both Firefox and Chrome, as well as an Android app.

This was working out well for a couple of years, until LastPass announced that they would essentially start taking features away from the free version. The main change I remember affecting me was that free accounts would be locked into either desktop or mobile access. Not that big a deal as I rarely used the Android app, and desktop still meant that I could still use it across multiple browsers and computers.

I also started to notice the interface changing, and not for the better:

• Something I really liked about the LastPass plugin was that I could click the toolbar icon, type part of a website name and press enter. It would then load the site and automatically login for me. This was very convenient, until it became glitchy, by which I mean that sometimes it didn’t take the keyboard input. So I would have typed the name and pressed enter, but nothing happened so I would have to click the icon again, then ensure the cursor was within the search field.
• Not that long ago the plugin prompted me to save credit card details, I decided to give it a go and then removed my card details because it was just broken. I couldn’t see how the LastPass would be able to populate the card details when the forms on different sites are so varied, is the expiry date one field or two, is the year two digits or four, is the month a number or a name, it is a text input or a drop down? After having it enabled while I made a couple of online purchases, it insisted on four different entries for the same card. It also wanted the CVV, so nope.
• About a week ago LastPass started prompting me to save the password for my email and my bank, these are the accounts that I never put into LastPass. I double checked that they are still listed under “Never URLs” in my account settings, however the plugin is still prompting me.
• Another odd thing I discovered last year while listing a few items for sale on eBay was how the plugin interacts with websites. As I was listing items I kept getting an error saying my description contained javascript. I was hand typing the simple HTML, but it turned out that the LastPass plugin was fiddling with the form input, a problem that had been known about for a while. Any plugin of this nature does need to scan the page for login forms and possibly modify those, but it doesn’t make sense to insert javascript into the eBay listing description.

So… all of this has meant that I have been becoming less happy with LastPass over time, and this isn’t touching on the security problems that I had been kind of ignoring. I didn’t know that despite their marketing claiming zero knowledge of the data in my vault that URLs and other data is not encrypted.

So I need to swtich, but switch to what?

For convenience I want a cloud based solution and 1Password does appear to be the recommended alternative (these days I need to be prepared to pay for important things, not just go for free but limited options), though Bitwarden has also been suggested. Looks like it need to do some more reading…