topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 5:35 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: LastPass alternatives with two-factor authentication? (including premium LP)  (Read 41610 times)

TomD101

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 48
    • View Profile
    • Donate to Member
Hello all,
I contributed a short impression about Dashlane in the following thread under General Discussion:
https://www.donation...ndex.php?topic=41048
Won't repeat it here, but be aware, that it is NOT answering specific questions.
Best
Thomas
Berlin, Germany
The more things stay, the more they change the sane.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,747
    • View Profile
    • Read more about this member.
    • Donate to Member
I recently explained my frustrations with LastPass and asked for alternatives:

So, recently I've been a bit unhappy with where LastPass is going. My subscription is due for renewal soon, so I figured I'd consider alternatives.

Things I'm not liking about LastPass:

  • The mobile (Android) app is now asking for location permissions. I feel there's no need for a password manager to need my location. I wrote to LastPass support about this and they said it was for their stupid LastPass browser that is also built into the app. I told them the browser was superfluous and that they should separate it into another app if they wanted to include that functionality, because all I wanted from them was to be able to store and retrieve my passwords. They didn't really respond to that.
  • The browser add-on is now nagging me to "try LastPass Enterprise!" I'm already paying for LastPass Premium, and I'm just one person. Stop nagging me to try something meant for large companies!
  • Every so often, the browser extension's auto-form-fill functionality stops working on sites where it has worked for months (or years). The only way I've found to get it to start working again is to delete the "site" and create it again.

I pretty much only pay for LastPass Premium to access my passwords on Android. And I don't use any of the features of the LastPass app (on Android) other than simply retrieving my passwords. I don't use their stupid browser. I don't have it auto-fill passwords or prompt me with login info, nor generate passwords on Android. Is there anything out there that provides the convenience of LastPass (secure cloud storage/retrieval) for Android without any of the extra crap?

40hz suggested Enpass, which I tried out and was liking alright.

I'm currently using Enpass (www.enpass.io)

I'm liking Enpass thus far. Thanks 40hz!

Of course, as my luck would have it, I purchased Enpass earlier this month and today they released an update to the Android app which requires the Location permission. Considering that's the primary reason I wanted to switch away from LastPass, and how Enpass is just really clunky and not nearly as convenient or useful as LastPass, I guess I might as well just stick with LastPass.

I've contacted Enpass for a refund. Good timing, since my LastPass subscription would have expired today.

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,641
    • View Profile
    • Donate to Member
You could try using the free version of APK Permission Remover to remove what might be unneeded permissions from the APK before installation.

https://play.google....eagoo.apkpermremover

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,747
    • View Profile
    • Read more about this member.
    • Donate to Member
You could try using the free version of APK Permission Remover to remove what might be unneeded permissions from the APK before installation.

https://play.google....eagoo.apkpermremover

That looks interesting and potentially useful. Thanks! But how do you get the APK of Google Play Store apps without first granting permissions/installing them?


As I said, I got in touch with the folks at Enpass asking for a refund. They got back to me and said that they don't use the location permission, but somehow through their use of Google Play Services, the Google Play Services library automatically added the location permission (against their will/knowledge). So they're working on releasing a new update without the location permission.

In summary: I'm giving Enpass some time to remove the permission before I continue with my stink about it. Hopefully they make it right. :) :Thmbsup:
« Last Edit: March 29, 2017, 05:34 PM by Deozaan »

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,641
    • View Profile
    • Donate to Member
Do a search for online APK download and you'll get hits for a number of sites that let you input the Play Store link and will download the APK file. (eg. http://apkpure.com/s...ils?id=io.enpass.app )

There's also a Chrome extension that will do it from within the browser.

While I haven't looked, I think Titanium Backup can also grab the APK off the system.

And if that all fails, APK Permission Remover can try to modify the permissions of an installed app by making a copy, modifying, and then uninstalling/reinstalling it.
« Last Edit: September 18, 2015, 11:16 PM by 4wd »

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 11,959
    • View Profile
    • Donate to Member
Notes on trying to use a Windows phone authenticator/authentication for LastPass:

Duo Mobile did not work for me. Got into a loop trying to register it with lastpass: "An error occurred. : A" :( :)

Microsoft Authenticator (AKA 'Authenticator') is not on Lastpass's list of possible authenticators, but they cleverly disguised it as 'Google Authenticator' i.e. pretend that is for the Microsoft App and it will work.
Lastpass link with more info:
https://helpdesk.las...t-authenticator-app/
Tom

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,747
    • View Profile
    • Read more about this member.
    • Donate to Member
Enpass was recently mentioned in the thread on recent LastPass vulnerabilities so I figured it was a good time to update any interested party on my use of it since I last mentioned it in this thread.

I've been using Enpass since August 2015, so about 1.5 years. (Which is also almost as long as it has been since anybody posted in this thread.)

It does enough right that I'm still using it. But the experience can be somewhat cumbersome at times, especially on mobile or where browser extensions come into play (at least on Windows). I've found it works great on Linux, and will quickly fill out forms with the press of a hotkey (Ctrl+\ by default). But that hotkey doesn't work for me on Windows, and the browser extension requires many extra clicks just to copy the password to the clipboard compared to LastPass.

Often times when there's a new update, a dialog will pop up telling me there's an update, and showing the changelog. Except the changelog text area is almost always completely blank.

Enpass Update.pngLastPass alternatives with two-factor authentication? (including premium LP)

And on mobile I have it configured to allow me to unlock my database with a PIN within X hours after I use my master password to unlock it. But because my device is getting a bit long in the tooth (Nexus 7 2013) it often closes Enpass in the background to free up memory/resources for whatever app is currently in use. This means I frequently have to type my long and secure master password on my mobile device, which isn't fun using a mobile keyboard, and is made even worse when using Enpass' provided keyboard, because it hides numbers and symbols behind "alternate character" displays. So even though Enpass does provide a mobile keyboard that technically supports autofill, I most often find myself switching tasks to the Enpass app itself to login and copy my username/email then switch back to the app and paste, then switch back again to Enpass to copy the password, then switch back to the app to paste and finally login. And maybe a third switch back and forth if the site/app also requires 2FA TOTP.

Mostly I just wish things were more streamlined in it. Especially the browser extensions. As I said, on Linux, it's great. I just press Ctrl+\ and if I've logged into Enpass recently it will autofill. Otherwise a small dialog will popup where I type in my master password and then it autofills. I rarely interact with the main application itself on Linux, and I wish the experience was similar on Windows (and Android). As it is, getting a password from the browser extension often requires:

  • Clicking the extension icon.
  • Searching for the site if it didn't find/list it automatically.
  • Clicking on the little "i" symbol on the side of the list for the site to display the saved login details (with password(s) still masked).
  • Clicking on the two overlapping rectangles symbol which represents copying to the clipboard.
  • Clicking into the form and pasting.
  • The previous step closes the extension popup, which means I may have to repeat the process 2-3 times in order to fill out username, password, and sometimes 2FA TOTP.

Whereas with LastPass, it takes two clicks. I really wish Enpass would get me straight to the info I want instead of hiding it behind extra clicks. One or two clicks doesn't seem like much of a difference, but multiply it by 2 or 3 for each login and then consider all the times you ever have to login to anything and they add up and become frustrating over time.

All that said, I'm still using Enpass. I like the cost (free on desktop, one-time purchase on Android). I like that it handles TOTPw so I don't need yet another app/device. I like how it all runs locally and doesn't require a connection to some master server. I like how it can also optionally sync across devices using a variety of cloud storage options. I like how it allows you to customize how it generates your password, or add other fields to be saved with your passwords, etc. There's a lot to like about it. But there's also plenty of room for improvement.

If you're looking for a password manager, I'd recommend giving Enpass a try. But if you're satisfied with your current password manager, I certainly can't say it is by and large the best one out there and worth transitioning over to.

Perhaps we could also hear from 40hz to see if he's still using Enpass, and why or why not.
« Last Edit: March 30, 2017, 06:56 PM by Deozaan »

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,540
  • @Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Thought this could be relevant: (cross-posted from separate discussion thread)
...Not sure how service vs software distinction is relevant here. All I meant is online is bigger risk and therefore online options are the poorer option unless your use case demands it...
...KeePass can have vulnerabilities but installed in a folder locally the chances of it being hacked is lower, not sure how that is debatable.
__________________________

Thankyou for that. Yes, that (emboldened) all seems to follow. Yet, despite the truth of the third emboldened clause and my having known that, I am still a LastPass user, and accepted the risks, thinking them to be miniscule.

That's probably about to change though. I have to face up to the fact that the apparent flaw/weakness identified in the software (binary component) of some versions of LastPass would not be of such concern nor present such a risk and be so susceptible/vulnerable to attack if said software was not necessarily keyed/tied into the LastPass Service component.
Bother! LastPass was so convenient too.