Given the recent spate of more bad news about using LastPass (losing access to their backup vaults) I am wondering if anyone can provide me security assurances around using Keychain as an alternative. I see lots of folks recommending a switch to Bitwarden or 1Password for example, but few discussing the merits of simply using the existing Keychain as their default password manager. I understand Keychain is a more “bare bones” password manager, but is it as technically secure as the other commercially available ones? I am willing to sacrifice some UI ease in exchange for increased security. Thanks!
LastPass is disclosing they have been phished and the bad guys made off with lots (all?) of their customer vault backups. Because of poor management or programming, even the URLs and Notes fields are in clear text so that a threat actor could use that information to create sophisticated spear-phishing attacks, even without the simple brute force cracking of a customer's Master Password (which may or may not be very strong). Also, there are many known issues with LastPass in general (including but not limited to a number of security breaches in the past decade, allowing a low number of iterations, not informing users to increase the complexity of their master passwords, poor communication on this and past issues, and more). In summary, they have exceeded my trust factor and it’s time to move on. Ideally, I would like to use Keychain and Keychain Access but need reassurance beyond their end to end encryption capabilities. Do you think iCloud is as secure as say, AWS, Azure, etc.? I know this is probably an impossible question to answer but I am curious as to why I hear so little, relatively speaking, about using Keychain vs. other cloud based PW managers. I don’t use Windows devices (too insecure for me) and I really only use Safari.
Sorry if this is sort of a broad ramble but judging from the Reddit boards on this topic there are thousands and thousands of users like me who are wondering what to do next.
Thanks for all you do Gary, you rock.
a concerned Vermonter
—–
Chris in VT
I don't have much to add, but I'll post this to maybe see if others want to chime in. I'm already a 1Password user. Never used LastPass. I use Apple's system too.
A few things to note. First, the main concern about LastPass' problem is that "some" password vaults were stolen. But they are encrypted. And the encryption used should make them invulnerable and useless to anyone. Still disconcerting that it happened. More so that they went from having excellent transparency to having "so-so" transparency. They should alert the specific people who had vaults stolen by this point. But they still could have been worse. Will people switch now and find themselves with a new provider that will be even less transparent? Hard to say.
Switching to Apple's password management solution should be as safe as any, and probably safer than most. But it still isn't convenient for those who like to use other browsers or devices from other companies.
I did use LastPass for years and it was fine. But lately, and I mean before this mother of all breaches, there's been trouble there and so I left it a few months ago. I now use Keychain for everything, including 2FA. I'm not sure that is a good idea having your 2FA in with your passwords as opposed to using a secondary Authenticator but where does the worry end? I was going to leave LastPass anyway when Apple added notes to Keychain which made it a much more usable password manager, but this debacle has just accelerated everything.
What does anyone think of using a secondary Authenticator - which one, how secure and why?
It colors my comments that I am not as security conscious as some; 40 years with computers has convinced me that if they want it, they'll take it.
I found LastPass lacking some years ago and switched to BitWarden. It works on all my devices regardless of OS. I don't want an Apple-only tool since I also use a Linux computer, and don't use Safari at all.
I stopped using 1Password when it changed to the subscription model. Instead I have been using Minimalist (available on the app store) ever since with no regrets.
I was a LastPass user until last weekend. I exported everything and moved it to BitWarden. The process couldn't have been easier. I'm also using the Authy authenticator app.
I decided to switch to Keychain about 3 weeks before the LastPass breach so I lucked out in that part. Keychain has worked well so far though it does not work with all websites. Also, it doesn't always detect Keychain and I have to manually look up and enter info. Anyone know how to fix that part?
Ralph: Which sites doesn't it work with? Have you tried to force autofill with those sites?