Review of LessPass

Submitted ⁨⁨11⁩ ⁨months⁩ ago⁩ by ⁨MigratingtoLemmy@lemmy.world⁩ to ⁨selfhosted@lemmy.world⁩

Hi everyone,

I just came across this project called LessPass, which doesn’t require a database as a back-end and can compute passwords on the fly instead of storing them. The idea really intrigued me, and I wanted to know from the community about the experience of using it - did you run into any troubles with it? How does it compare to more traditional password managers (which would need me to think of a back-up strategy)?

Is it possible to back up your passwords from LessPass? Can you use your own passwords when you prefer to? How are the client programs?

Thanks!

source

Comments

Sort:hotnew top

narc0tic_bird@lemm.ee ⁨11⁩ ⁨months⁩ ago
It’s a cool concept that quickly falls apart in my opinion:

It’s not really stateless as soon as a website has certain password requirements. You probably don’t want to remember the configuration of all passwords in your head.

If the password for a website gets compromised, you have to set the “counter” + 1. Again, not stateless.

If you have multiple accounts per website, you’ll have to store the site differently (for example including www, not including www) or interlace the counter (odd/even) between the two. This gets more and more messy the more accounts you add, and again, it’s not stateless.

The master password is the only thing an attacker needs (plus the state mentioned above, but it’s easy to brute force a simple counter). With most other password managers, the attacker needs access to the vault/database and potentially a keyfile, secret and/or some form of second factor.

Changing your master password because it got compromised or ideally before it gets compromised changes the passwords for all websites.

You still have to remember your username or login email, so that’s again not stateless if you’re saving it in some sort of LessPass client.

I could probably list a lot of other reasons why it’s not a good idea to use it. There are probably some edge cases where it’s good, for demonstration purposes or training sessions where the participants all need unique (temporary) logins for several services.
source
- ThetaDev@lemm.ee ⁨11⁩ ⁨months⁩ ago
  You also cannot use it to store secret information like bank account/credit card details, API keys, etc.
  
  source
- ogarcia@lemmy.world ⁨11⁩ ⁨months⁩ ago
  In my view, both a password file (vault/database) and LessPass are potentially attackable via brute force. I don’t see that one is safer than the other.
  
  source
  - narc0tic_bird@lemm.ee ⁨11⁩ ⁨months⁩ ago
    Point being that an attacker also needs access to said vault.
    
    source
- jeffhykin@lemm.ee ⁨11⁩ ⁨months⁩ ago
  #3 isn’t true. There’s a username field, so you just put in the username of the alt accounts.
  
  Your point about the master password and two factor is a good one though.
  
  In practice the password requirements are rare (like 1% of sites), but problematic when they happen because there’s so many different ways to restrict passwords and trying all combinations is impractical. Needing the counter is exceedingly rare. Remembering the username isn’t a problem, but if you don’t have a consistent policy of always-using-a-username or always-using-the-email (as the lesspass username) it can be difficult to remember that. Similar situation with the URL, if it’s not abbreviated consistently, then it’s a problem.
  
  source
- MigratingtoLemmy@lemmy.world ⁨11⁩ ⁨months⁩ ago
  Thanks, I’ll keep this in mind.
  
  source
kia@lemmy.ca ⁨11⁩ ⁨months⁩ ago
The fact that all your passwords change if you change your master password is not great.

source
- winterayars@sh.itjust.works ⁨11⁩ ⁨months⁩ ago
  They need to use a key to generate the passwords that your master password unlocks or whatever, then you can change the password.
  
  Buuut then you’d have to store the key…
  
  source
HubertManne@kbin.social ⁨11⁩ ⁨months⁩ ago
don't use but sorta concerned about it using the url as those have a tendency to change.

source
- MigratingtoLemmy@lemmy.world ⁨11⁩ ⁨months⁩ ago
  Agreed, if the service changes its name/domain, the password manager basically creates a new password for it whilst the old one becomes irretrievable without some special trickery
  
  source
  - jeffhykin@lemm.ee ⁨11⁩ ⁨months⁩ ago
    The abbreviation method LessPass uses works pretty well. Its usually only a problem with a re-branding, like how wefwef changed to voyager. When that happens it’s not too big of a deal, I just change it to the new thing.
    
    What is a big problem with the URL though is login portals. Like when it’s some conglomerated system that involves a million redirects, and/or a “login with XYZ”. They can get some really weird URLs that have nothing to do with the actual site and those are a real pain.
    
    source
Nibodhika@lemmy.world ⁨11⁩ ⁨months⁩ ago
I use it, but it has issues, for example you need to remember how you wrote the website name, and if you ever change your master password you need to change the password of every site, and if you must change the password of a single site, you need to remember the counter for each site.

It’s a cool idea, and worth it to generate passwords, but I would still advise to have other methods, and if you have those other methods it becomes kind of pointless. Still a very cool idea and very manageable for a low number of sites.

source
Moonrise2473@feddit.it ⁨11⁩ ⁨months⁩ ago
I won’t use it as there’s always some website with some ridiculous password requirements like “can’t use symbols or numbers, must start with a capital letter, maximum 8 chars”

source
tagginator@utter.online [bot] ⁨11⁩ ⁨months⁩ ago
New Lemmy Post: Review of LessPass? (https://lemmy.world/post/8715337)
Tagging: #SelfHosted
(Replying in this thread will appear as a comment in the lemmy discussion.)
I am a FOSS bot. Check my README: https://github.com/db0/lemmy-tagginator/blob/main/README.md
source
ogarcia@lemmy.world ⁨11⁩ ⁨months⁩ ago
LessPass has the possibility to connect to a database (via its API) to store the configurations made for each site. This API can be used from any of the clients (either the browser extension, the mobile application, etc.).

You set up the DB server wherever you want. If you want something light you can use this implementation. And if you are interested, there is also a command line client.

source
- MigratingtoLemmy@lemmy.world ⁨11⁩ ⁨months⁩ ago
  Great to see you around! Thanks for the comment, I’ll take a look at those!
  
  source
qaz@lemmy.world ⁨11⁩ ⁨months⁩ ago
Cool concept but it doesn’t seem practically viable.

source
jeffhykin@lemm.ee ⁨11⁩ ⁨months⁩ ago
Despite what others are saying, I’ve been using it for a couple years and it works great.

The key is to save the passwords locally in the browser, which significantly minimizes risk compared to a cloud storage system, while making lesspass practical. Using the broswer extension on desktop, instead of saving them locally, can also increase security.

Then when I’m out, or using someone else’s device I can still always get my password.

The one caveat I’d say is you keep an offline copy of the lesspass webpage. For the first time in two years their site was down for me a couple weeks ago. I had an offline copy so I was fine, but without it you’d be screwed.

source
- MigratingtoLemmy@lemmy.world ⁨11⁩ ⁨months⁩ ago
  I don’t understand. Why would I save my passwords in the browser of I’m using a password manager?
  
  source
  - jeffhykin@lemm.ee ⁨11⁩ ⁨months⁩ ago
    If I’m out somewhere, with no device on me, I can still access my passwords.
    
    It avoids the need for cloud storage
    
    source