marahmarie: my initials (MM) (Default)

Last night I decided I was so unhappy with KeePass and that Firefox's performance was so dismal that I gave the same email address I deleted from LastPass last week back to them and (initially) exported my KeePass database back to Lastpass via .csv file. Then I stopped for a while and just read reviews of the top five password managers. I even read the reviews on LastPass's Firefox page again (they continue to suck).

Lifehacker's poll and conclusions last week were decisive for me: when I realized all the glowing praise for KeePass just makes my eyes roll, I knew it was out. KeePass is aspirational: carrying your entire database(s) around on a USB stick in order to make it/them "portable" or so it/they can "sync between devices" is not a good idea...you can lose the stick and with that, everything you ever knew about logging into websites. The tool is stuck in the XP zone style-wise, and I don't need multiple databases though it's kind of a neat idea (separate "vaults", in LP lingo, that can be shared or kept to yourself).

Not to mention I can't count all the database entries that were corrupted after importing them from LastPass...I lost logins on multiple websites wherein my usernames were mysteriously replaced with short strings of numbers or blanked out altogether and passwords went missing or got swapped out for others...which I learned simply by watching my KeePass autofills. I never did get that feature to work; between corrupted entries and KP's inability to remove pre-filled instruction text and usernames from form fields (ie, Outlook.com, eBay) - it would just write my username and password over the pre-filled text, causing Outlook, eBay and other sites to declare wrong user/pass - it was a no-go. I had to use the KeeFox add-on to manually copy/paste user/pass for every website, and it only took a few days of that to burn me off KP.

Which left only Dashlane and LastPass to ponder, since I'm only considering the top three password managers as judged by web reviews, but Dashlane offed itself from the running by allowing you to use it for free on only one device (they're kidding, right...I run LP on pretty much every device I look at, another reason why KeePass could never work; it's free to use on multiple devices, but *you* are what makes it portable, and *you* are how it "syncs" and I just can't even) and by charging $40 per year, which is roughly $25 more than I'm willing to pay.

At that point I decided I had to go back to LastPass. I figured copying/pasting from my Vault was not much worse than copying/pasting from KeeFox (which, strangely enough, wouldn't always offer the hamburger icon to do so, so I'd be left right-clicking on blank space) and that KeeFox's errors - beside all the others, it was also trying to save almost every form field on every web page as a username/password combo, and ignoring the first offer on pages I had to re-load multiple times would just make it offer multiple times, until it really gunked up the works and slowed my work down.

My first KeePass export into LastPass failed, likely because I exported in KP 1x database .csv format, but then I read the instructions on LP's tin and realized they wanted an XML file, so I put that together and had my stuff back in LastPass a few minutes later. Then I spent about an hour manually fixing all the broken database entries from KeePass, deleted tons of log-ins I don't use anymore, but before I even got that far, I uninstalled the 32-bit version of Firefox that was my failed workaround to LastPass's previous issues, did a true Firefox refresh and winnowed down the remaining add-ons in the x64 version, as compared to what was on my list last week. The next step was to see if LastPass would tear itself apart again on browser restart. It didn't.

It was about 3am and I was exhausted, but I was so excited that LastPass didn't disassemble itself I kept restarting Firefox just to watch it not fall apart again. There it was: I could search and not get a frozen panel; I could click "Show matching sites" and get an actual dropdown list of matching sites, not a blank panel. And all those huge favicons! After what I'd been through, they were the most beautiful things I'd ever seen. But I didn't trust it, so I shut my laptop down soon after, pretty sure that was the last of a working LastPass in Firefox I'd see again. But lo and behold, I restarted the laptop tonight and it still works!

The only thing I can point to this time is I used LP's Universal Windows Installer, after reading a tip in Firefox reviews that the LP for Applications installer fixed this same, entire mess. They're both "universal", right...And fast? For Firefox, this is blazing, even with LP installed. After the initial "Not Responding" white title bar bottlenecks on first run tonight, which cleared after a minute or two, everything settled right down.

So, whew, close call there, LP...now if Web of Trust would just be 57-compatible, I'd feel like I had Firefox pretty much back together (well, I miss Web Dev, but I can still use it in Chromium or Opera, so not the end of the world. Yet.).

marahmarie: my initials (MM) (Default)

I had to Google myself to see how long I had LastPass. I can't recall but it seems like forever. I think it was since I still had a LiveJournal, and I deleted the last one of those (this blog) back in 2008. Google tells me I first wrote about it on Anti-AOL in 2009 and my Dreamwidth tags tell me I did so here in 2010, so I'd guess I've used it for at least 7 but possibly as long as 9 years.

Page confirmation after deleting LastPass tonight

But realizing there is no fix for the blank site list dropdown and blank search results in the Firefox add-on really does kind of enrage me - enough to delete my account, which I did just before posting this.

  • Basic functionality - lists that populate on demand, search results that display as you type - have been missing for weeks, no one knows why and devs won't respond to or fix issues
  • There's no workaround; the only workaround others advise (using the latest beta version) doesn't work for me
  • My own workaround doesn't work for me
  • We shouldn't have to scratch around for fixes or workarounds - LastPass has a paid and premium version, so the add-on owner makes money while bugs that wreck basic functionality go unfixed and people like me go nuts for all the fiddling with and wasted time trying to make it work or working around what's broken

Also unfixed (that I've dealt with personally; there's probably more)

  1. LastPass keeps telling you your Master Password is wrong though you watch yourself type it correctly; keeps giving you a big black X next to the password field (workaround: quit Firefox; restart and try again)
  2. If you get your Master Password wrong the password form field goes blank the second time and the search box goes blank on all successive tries (workaround: quit Firefox; restart and try again)
  3. LastPass will go weeks throwing an error on my Dreamwidth password (it literally autofills the wrong password or adds an extra character or characters; something goes wrong, I just can't see what) for this blog, then will go just as long without throwing it, alternating with throwing the error only on my first log-in per session, but not on any successive log-in, alternated with throwing errors on every log-in

Not a bug, but weird (1) or flat-out inexcusable (2):

  1. LastPass has different login dropdown styles on Dreamwidth; one is a long, stylish list in greyish-beige with a unique font that I see maybe once every 10 logins for no discernible reason on this site but no other; the other is the standard white background
  2. And I now think LastPass is what's hammering Firefox's memory usage and slowing it to a crawl, not Wordpress and not Firefox itself, like I previously thought

I am just *gaaaah* so fucking done with LastPass.

marahmarie: my initials (MM) (Default)

Update, 8-21-17: the fix below (switching back to 32-bit Firefox) works great until you restart Firefox, then tada, it never works again. So I guess there is no answer short of trying every version of the LastPass add-on - really not a good idea when latest versions are patched for security vulnerabilities and so on and oh, LastPass, how completely unusable you are, let me count the ways.

Since discovering my fix only works until restart I've disabled LastPass and installed KeePass/KeeFox because I had online work to do and wasn't about to keep playing games with a broken password manager. KeePass has its own issues (mainly, when it stores more than one login for a site it tends to autofill the wrong one, leading to a lot of "copy username/copy password" clicking and pasting) but though it's not for the faint of heart (it's sort of an old-school program with about a gajillion options I haven't even glanced at yet) it does seem less batshit fucking insane to deal with, overall.


So, the LastPass blank dropdown menu and blank search results panel is very annoying. The dev hasn't updated the add-on since June and is responding to exactly zero complaints about this and other issues on his Firefox review page, though there might easily be dozens.

Which came to bite me, too, when Firefox finally let me have their latest multiprocess (e10s), 64-bit compatible version earlier this week (e10s is still automatically disabled if you install any add-on that isn't yet e10s capable); ever since I've had both LastPass problems, and saw others are having them, too [Example 1, Example 2, Example 3].

To fix these issues, just switch back to Firefox 32-bit. It's not even necessary to remove Fx 64-bit. It's actually better if you don't, so Firefox can just poke around in your profile folder and recreate the Firefox you've got in the 32-bit version you're about to get (just be sure to create a shortcut or a target that you can easily tell apart from the 64-bit icon).

32-bit Firefox runs LastPass perfectly, fixes the blank dropdown list of log-ins for each site and fixes search result panels showing up blank.

For everyone leaving bitter reviews [Example 1, Example 2, Example 3] and sharing the version number that allegedly works better [Version 4.1.62a]: I tried it in 64-bit Firefox, but it gave me all the same blank dropdowns as before.

My guess is the problems are not confined to any particular version. After I installed the May 31st version and saw the same issues it became clear the latest version is not at fault - it's 64-bit Firefox - and I'll gander that's no matter which version of LastPass going back to the earliest 56*-capable version you pick.

So if you've got 64-bit Firefox, try going back to 32-bit (here are the 32-bit installers. If you have automatic updates turned off, keep checking the directory for the latest). Run Firefox 32-bit with whatever version of LastPass you have and see if that fixes the problems.

marahmarie: my initials (MM) (Default)

I wanted to post this over a week ago (7-24, according to my computer when I screencapped the relevant messages) but life's got a way of getting in the way. I'll assume (though perhaps in error) that it's untriaged/unfixed/unpatched after doing a quick search on Google, but I'm not going to trawl the results any deeper tonight; if this is a dupe report or has already been fixed I might find out and update this post at some later point.

Anyway, it starts out like this: you switch your IP address to a new one (in our case that's because our Comcast modem, the one I need both arms to carry around, took a crap on us last week, so now we're working on the third iteration of this modem in the past year, with a different IP) and LastPass suddenly doesn't recognize the device you're on or the location you're at (it's not sure which), though it's the same device as always (my HP laptop, which has somehow lived another year without the graphics card destroying itself like the last one did, though pixels are beginning to blow out left and right).

When the LastPass add-on (in Firefox latest on Win 10 Pro - not an Insider build) sees your new IP address as a "new device" or "new location" (though that sounds like a bug in itself, it's not the bug I'll be talking about) it looks like this:

When I switched my IP address recently, LastPass displayed an infobar in Firefox that says: LastPass does not recognize this device or you are at a new location. Please check your email to grant access

The text in the info bar my screen got splashed with says (emphasis mine): "LastPass doesn't recognize this device or you are at a new location. Please check you email to grant access to your new device or location."

See the part where LastPass asks me to check my email? Which means I should literally be unable to use LastPass to log into websites until that one little detail is taken care of? Heh, about that...I just ignored or dismissed the infobar (I forget which), opened the LastPass add-on dropdown menu and finished logging into my Live account like nothing had happened. No checking my email. No granting access. I just went on and used LastPass normally. Which I should not have been able to do!

After logging in, I checked for the email from LastPass just to see what it said, because them even sending it was like, totally useless. It looks like this:

LastPass sent an email intended to grant access to my account which I never needed to read because I got around it, which said: Someone, hopefully you, recently tried to login to your LastPass account from a device or location that we did not recognize. We prevented access until you have reviewed the details of the login attempt

This is where things get funny - if your idea of a good time is when your device gets stolen and your online security is compromised by, of all things, not the thief, but a buggy password manager. What a laugh! The email reads (emphasis mine): "Someone, hopefully you, recently tried to login to your LastPass account from a device or location that we did not recognize. We prevented access until you have reviewed the details of the login attempt."

See the part where LastPass tells me they prevented access until I could review details of the login attempt? Lies, tall tales, and made-up stories because they prevented nothing. I could use LastPass just by continuing to use it. I saw a few more infobars saying the same thing, but I just kept ignoring or dismissing them and like, logging into things. Which, again, I should not have been able to do!

I'm posting this mostly to remind myself to check the LastPass forums and search results more deeply one day for any other news of this issue, and to warn anyone else who comes across this post who might also be using LastPass.

marahmarie: my initials (MM) (Default)

These days, it...

  • Let's you use it on all devices for free (which used to be a paid feature; I think you could use it on up to two different devices for free but beyond that, you had to pay)
  • Has apps for everything (authentication, Windows phone and all other common devices, though I'm not sure about Mac/iOS)
  • Can be used with many forms of authentication for two-factor
  • Has its own security challenge tool that...
  • Checks if email addresses are involved in known website hackings
  • Checks length and overall security of passwords, and for password duplicates
  • Automatically changes duplicate passwords and passwords on known compromised sites by running what appears to be a macro (which is pretty neat to watch, but sort of hammers Firefox to a crawl)
  • Only costs $1 a month to upgrade to Premium, I mean...*smh* that is cheap (if Dreamwidth were that cheap I'd be like, "Fine, treat me like crap, here's more paid time")

It also does minor things which fill me with joy: if you manually copy a website password from the add-on dropdown or from within the vault (and I do this a lot for cross-browser website testing) it only lets you paste it once before destroying it (of course, if the paster pastes it into Notepad or similar then all bets are off, but if they don't - and I'd imagine the majority of home hackers stealing your password won't even think to - it's yet another way to minimize disaster).

And it destroys your add-on dropdown searches as soon as you complete them. And it keeps a list (if you want; this is opt-out) of recent sites you've logged into in the add-on so you don't have to visit them directly to log back in. And I could go on but there's other things I want to do tonight.

People will always find vulnerabilities in password managers (which I say because all code has holes in it). In fact, I'm surprised most of the vulnerabilities in password managers popping up these days weren't exploited years ago*. The only things I can think to thank for the discrepancy between potential for exploitation and zero-hour are increasing code knowledge and increases in processing power, which was not great enough until recently to get such holes out into the open.

*In the Lastpass forums anywhere between 2007-2010 people who claimed to be home users and/or pro hackers would say: "Look, there's got to be holes in this code somewhere" and the Lastpass owner himself would jump in to deny it and I would spend days wondering how anyone who codes could do so. It's like denying shoelaces need to be tied lest you trip on them: you can deny there are holes but keep that up long enough and you'll just fall in.

marahmarie: my initials (MM) (Default)

The Lastpass 4.0 Windows installer is convoluted; first you have to download a 10.9MB file for global (cross-browser) installation, then the installer, once running, insists you have to download the Firefox add-on separately (strangely enough, it made no such protestations for IE/Edge, perhaps because it installs an API (?) as opposed to an add-on - also, the API - or whatever it is - installs in Internet Explorer 11 but NOT in Microsoft Edge, which, if you're an Edge user, forces you to use IE11, despite your preference).

And while many, many Firefox add-ons are restartless, Lastpass is not, which never fails to amaze me, as it's one of the few full-fledged programs delivered via add-on that Firefox has. You'd think it'd be a bit more polished by now.

Once you restart Firefox, the GUI is different; it has bright, smooth red backgrounds, bigger fonts, and larger, more clearly defined boxes to type usernames and passwords into, but instead of the boxes appearing dead-center in the middle of the page like they used to, they appear in the upper right corner, which really isn't as easy to get to.

The strangest part, though, is logging into a website when you have to retype your password like I do (because I use the super-paranoid-everyone's-out-to-get-me settings, which require logging into Lastpass with username and password, then retyping my LP password for each website I log into - and yes, it's a huge PITA, but if I drop dead between logins, or a coming earthquake causes me to run down the road screaming in terror and someone breaks in while I'm gone, or else, you know, whatever, no one can finish what I started unless they get my Master password).

What's strange in LP 4.0 about retyping my password is that instead of retyping into the box I'd normally get on-page, a new tab opens up with the address: resource://support-at-lastpass-dot-com/lastpass/data/tabDialog.html?dialog=reprompt with a box with a space to type your password into. It's quite distracting because then you have to go back through your tabs and try to remember what tab you wanted to log into. What's even weirder is the above URL does not show up in Firefox's history (I had to copy it by visiting another website while typing up this post).

Another issue is that when you first open Firefox and visit a web page that you log into, then log into Lastpass, instead of the page you're on refreshing with your LP log-in options, you have to manually refresh it yourself OR log in from the options up in the Lastpass dropdown menu. I'm hoping it's a bug and not a permanent "feature" because it's another distracting waste of time.

Yet another strange feature is the new Emergency Access option. With this feature access is granted to a "loved one" within an amount of time you specify. Your options are Immediately, 3 hours, 6 hours, 12 hours, 24 hours, 48 hours, 3 days, 7 days, 14 days, 21 days, and 30 days. There is no Custom setting, so if you want to grant access 4 days and 15 hours or two full months from now, you're out of luck. I also don't find it useful when I can't predict when I'm going to need it. Let's go back to an earlier paragraph, which has me dying between logins (this sounds like something I'd do) or running away in terror from an earthquake.

Emergency Access, the way Lastpass has it set up now, is not helpful for scenario #1. If I drop dead between logins and need someone to tell my DW buddies, "Hey guys, MM bit the dust, so this a memorial account from now on, peace out", who's going to do that? I can't set up emergency access to say, "Mail access code to someone@example.com after I don't log in to Lastpass for n days". I can't set it up to allow someone access at some far date in the future (in case I die slowly but predictably enough, but don't feel like tooling around with LP settings in the meantime).

I guess the options in place now are better than nothing, but I think they're open to misinterpretation, are confusing, and could easily be expanded to give users more options explained in a much clearer way.

And that was just my first three minutes with 4.0! I bet you'd all hate to see my review after another hour or so.