LastPass was my very first password manager. Before LastPass, I remembered many passwords in my head, and I realized that the security of my accounts was severely compromised. For essential accounts like Google, I used a separate password, and where possible, I also turned on two-factor authentication. However, the reality was that many accounts didn’t support 2FA, and I shared several passwords across multiple sites.
LastPass solved all of these issues, and back in the day, it was the best solution known to me for password management. Gradually, I added all my accounts and set a new strong password for each of them individually. This approach reduced the possible damage from a compromised password to a minimum. Then I went further; as I found out, LastPass supported YubiKey sticks for adding another layer of security to the password vault. This feature was (and still is) available only in LastPass Premium. At the time, about three years ago, the price for Premium was about $12 per year, and I was more than happy to pay for the comfort.
Before I started using LastPass, I did my research, and I knew about KeePass. It is a great solution, but it lacks several features I need:
- The ability to store arbitrary data values, not just name-password combinations (private GPG keys, photos of my ID and passport, and other files)
- The ability to flexibly add new fields to entries, like notes, security questions, PINs
- A standardized browser extension that works the same on every platform
- An auto-fill feature (on all my devices); support for the Android autofill API
- An automatic backup of my encrypted vault
- A convenient generator of secure passwords
- A security audit (a way to find weak passwords, passwords reused across multiple accounts, pwned passwords)
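The audit in the last requirement is easy to reproduce on your own export, which matters when you move vaults and want to catch reuse before re-entering everything. The following is an added example, not code from KeePass, LastPass or Enpass: it runs the three checks (weak by a crude entropy estimate, reused across entries, and present in a breach corpus) over a constructed vault export. The url/username/password field names are an assumption, and the Pwned Passwords "range" response is a constructed stand-in so the script runs offline; a real audit would fetch `https://api.pwnedpasswords.com/range/<prefix>` and only ever send the 5-character SHA-1 prefix.

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample vault export (made-up, non-existent credentials). The field
# names url/username/password are an assumption, not a real LastPass/Enpass schema.
SAMPLE_EXPORT = [
    {"url": "https://example.com", "username": "alice", "password": "correct horse battery staple"},
    {"url": "https://mail.example.net", "username": "alice", "password": "Summer2020!"},
    {"url": "https://shop.example.org", "username": "alice@example.com", "password": "Summer2020!"},
    {"url": "https://forum.example.org", "username": "alice", "password": "password"},
]

# Constructed stand-in for the Pwned Passwords "range" API response for prefix 5BAA6.
# The real service returns lines of "<35-hex-suffix>:<count>"; only the suffix of
# SHA-1("password") is included here, with a made-up count, so the example runs offline.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\n",
}


def estimate_entropy_bits(pw: str) -> float:
    """Crude strength estimate: length * log2(size of the character classes used).

    Good enough to flag short or single-class passwords; a real audit would also
    check dictionary words and keyboard patterns (zxcvbn-style)."""
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(not c.isalnum() for c in pw):
        charset += 33
    return len(pw) * math.log2(charset) if charset else 0.0


def hibp_split(pw: str) -> tuple:
    """k-anonymity split used by Pwned Passwords: only the 5-char SHA-1 prefix leaves
    the machine; the 35-char suffix is compared locally against the returned range."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def offline_range_lookup(prefix: str) -> str:
    """Replaces the HTTP call with the constructed table above."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def audit(entries, min_bits: float = 50.0, range_lookup=offline_range_lookup) -> dict:
    """Return URLs with weak passwords, groups of URLs sharing one password, and
    URLs whose password appears in the (simulated) breach corpus."""
    weak, pwned = [], []
    by_password = defaultdict(list)
    for entry in entries:
        pw, url = entry["password"], entry["url"]
        by_password[pw].append(url)
        if estimate_entropy_bits(pw) < min_bits:
            weak.append(url)
        prefix, suffix = hibp_split(pw)
        known = {line.split(":", 1)[0] for line in range_lookup(prefix).splitlines() if line}
        if suffix in known:
            pwned.append(url)
    reused = [urls for urls in by_password.values() if len(urls) > 1]
    return {"weak": weak, "reused": reused, "pwned": pwned}


if __name__ == "__main__":
    for finding, urls in audit(SAMPLE_EXPORT).items():
        print(f"{finding}: {urls}")
```

On the constructed export, `Summer2020!` passes the entropy threshold but is flagged as reused, and `password` is both weak and pwned; the point of running all three checks is that each catches something the others miss.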
KeePass is not homogeneous. There are many applications with varying degrees of support and different features. However, many features on my list of requirements are still missing. On the other hand, KeePass gives you full control over the encrypted vaults. The vault is just an encrypted file, and you’re responsible for backing it up. It won’t get to the cloud unless you upload it there.
Security vulnerabilities and outages
Over the years, I heard about several vulnerabilities in the LastPass browser extensions. Hats off to the developers, they were usually quick to fix them. However, one of the main drawbacks, in my opinion, is that LastPass depends on an Internet connection and its cloud. If you don’t have connectivity, you have a hard time getting to your passwords.
Several times I got into a situation where I couldn’t log into my vault to access my passwords. Quite possibly, the LastPass servers had an outage. What is an inconvenience in other services is a nightmare here. I don’t store passwords in my head anymore.
For over a year, I experienced small quirks that made using this solution less pleasant. Maybe Firefox increased security for extensions and LastPass was not able to cope with that without hassle, I don’t know. However, each time I turned on my computer and opened a browser, I had to enter my master password. Sometimes that was not enough, and the extension asked for the password several times before I got logged into the vault. Often, the browser extension asked me to insert my YubiKey despite my having marked the device as trusted for 30 days.
Continuous price increase
Since I started using LastPass, its yearly Premium plan has gotten pricier each year. What started as a convenient service for $12 per year currently costs $36 (May 2020). I don’t mind paying higher prices if I get a perfect product where everything works without hesitation; LastPass isn’t that case anymore. As my Premium plan approached its end, I actively started looking for an alternative.
And the winner is Enpass
Recent years have been very turbulent in the password manager market. LastPass got many competitors, many of them offering comparable features for the same or a lower price. When I decided to migrate to a different solution, I did my research to find out which solutions were good for me. A few days ago, I read a blog post from Nextcloud comparing different password managers. They listed some excellent options, and Enpass seemed promising. Just recently, its authors added support for WebDAV, which allows me to use my local Nextcloud server as a “cloud.” In other words, I have full control over my passwords.
- Allows synchronizing passwords with a local Nextcloud server
- Supports multiple vaults
- Provides desktop apps for all major platforms
- Vaults are encrypted and stored locally; synchronization to the cloud is entirely optional
- Supports the autofill API and fingerprint vault unlock on Android
- Browser extensions are not needed. If you use them, they don’t send data to Enpass; the extension communicates directly with your locally installed app
- Allows storing any data in the vault, including arbitrary files
- Its apps are very modern, and I like their UI
- One of the best features is support for TOTP
- It offers a lifetime subscription, which costs less than one year of LastPass Premium
Enpass’s lifetime subscription and the ability to synchronize vaults with my Nextcloud server sealed the deal. I decided to buy the app only a few minutes after I got it installed. Synchronization is rapid. When I update my vault in an app, it takes less than 30 seconds to see the changes on other devices like my phone. Once you buy the app, you need to give Enpass your email address. It pairs your payment with your email so that you can restore your license on other devices. That’s it — an email address is all Enpass needs, and only to restore your purchase later.
A free version of Enpass is limited to 25 entries in a single vault. It requires no registration whatsoever, so I encourage you to try it for yourself, especially if you don’t use a password manager yet.
Each time you start your computer, you need to enter the full master password. Once a day, that’s acceptable. Enpass locks the vault after a defined period of inactivity. To unlock it, by default, it asks for the password again, but there’s a better way; you can set up a PIN to unlock the app instead. In my case, a PIN is much shorter than my master password, and I don’t mind entering it when I need it. On my phone, I unlock the app with my fingerprint. This unlocking with a fingerprint is a bit buggy; sometimes the field to put my finger on doesn’t show up. But when I swipe out of the app and go back, in most cases, it starts working. It’s not a big deal, because I interact with the app through the Android autofill feature most of the time.
One of the newer features is support for TOTP authentication tokens. Now each account can hold its password and token in one place. I still keep Authy as a backup, but I won’t use it much. When you try to log into a service that requires a password and a time-based numeric code, Enpass fills in all the info for you.
I split my passwords into two separate vaults. One is for work, and the other is my personal. Physically, the passwords are stored in separate files, but Enpass can list entries from all vaults in one place.
LastPass supports exporting your entries in one large JSON file. Enpass should support importing such a file; however, I can’t tell for sure. I decided to go through all my entries and enter them manually. My main reason was that it was a perfect opportunity to review my accounts, update passwords, and remove the accounts I don’t use. The GDPR “right to be forgotten” comes in handy sometimes.
Once I installed the Enpass browser extension, the migration went fast. As soon as I logged into a webpage with credentials from LastPass, Enpass captured the data and offered to store them in its local vault. All I had to do was review the entry and hit the “Save” button. Sometimes I corrected or added information. Many entries in my LastPass vault contained supplemental notes like lists of recovery codes.
Enpass allows you to add custom fields, so I defined fields like “Recovery codes” and put all the codes on a single text line. Enpass has an option to mark fields as sensitive to prevent accidental leaks of information. Instead of the value, you see bullets like in a password prompt.
A great feature is tag support. You can assign multiple tags to an entry, which makes it very easy to find. For example, I tagged my MailChimp account as Productivity tools, Blog, Business, and Mailing list. LastPass had categories, and an entry could be in only one category; tagging is much better.
I completed the migration in a couple of hours. Once I had migrated all my data, I finally went into my LastPass account management and asked for complete account removal.
Enpass is the solution to my needs! A simple but powerful tool with a lifetime license. I miss features like YubiKey support, but they may come in the future. Because everything runs locally on my computer, a strong master password should be more than enough to maintain security.
Feel free to write in the comments what solutions you use for managing passwords and why. It might be an insightful discussion.