Yesterday LogMeIn Inc, the company behind the very popular password manager and 2FA authenticator LastPass, made a very sad announcement that is going to have some pretty profound effects on internet security in general for a lot of people, Zimbabweans included. If you are a free-tier user, you will only be able to use LastPass on one device type.
What makes LastPass great
Memory is often fickle, so when it comes to usernames and passwords you have two options, both of them unpalatable:
- You either defy basic security advice and reuse the same username and password for various unrelated, and sometimes related, services, or
- You attempt to be a security-conscious ninja and try to use, at the very least, a unique password for each service that you use. This means spending half your life clicking that “forgot password” button.
I have not had to do either for the past six years. I discovered LastPass in 2015 and it has been a blast. At any given time I just need to remember one very complex password that would be very difficult to crack. I then use unique, generated and equally complex passwords for all the sites that require me to log in.
LastPass then takes care of the rest. It includes a handy password generator that I use every time I sign up for a service, and it comes with options that I can change to suit the finicky needs of that particular site, like my bank, which only accepts letters and numbers, or my cloud services providers, with their strict 16-character password requirements and a set minimum for letters, numbers and other characters.
LastPass automatically prompts me to save the password in its cloud vault. The same happens when I log into a service for which there is no stored password or I use a new username-password combination. With a click of the button, the encrypted version of my password is saved into LastPass’ vault. Whenever I visit the site or open the app again, LastPass either automatically fills in the username and password fields or prompts me for the master password before it does so, depending on your settings and how well you trust the computer.
Thanks to that, I have rarely needed to click on the forgotten password button these past five years or so. If a site says my username and password combination is wrong, it probably means it is wrong. I am looking at you, myZOL. Or maybe there was a breach, in which case the damage is limited to the affected site. Add the fact that I always opt for two-factor authentication whenever it’s available and I can say I have a pretty solid and sweet setup that has spared me many heartaches and security concerns.
The new changes are pretty devastating
LastPass has always had a free tier and paid packages that include business, personal and family packages. The free tier used to be useless until 2016 when they made some changes in a bid to stave off some bad publicity after LogMeIn Inc acquired LastPass. Then they made the free service so good you didn’t even really need to pay in order to enjoy the good features of LastPass.
Prior to 2016, free users could only use the service on one app. After the changes, you could use the app and its browser add-ons on both phones and desktops at the same time. Now, starting 16 March 2021, you can only use the service on one device type. What does this mean? LastPass have an explanation of the change on their blog.
To further clarify what we mean by active device type, we’ve included two examples below:
Sarah is a Free user with Computers as her active device type. She can use LastPass on her laptop, desktop and her dad’s laptop (anyone’s computer!), but she can’t use LastPass on her phone, tablet, or smartwatch unless she upgrades to LastPass Premium, which has unlimited device type access.
Steve is a Free user with Mobile Devices as his active device type. He can use LastPass on his iPhone, Android work phone, tablet, and smartwatch, but he can’t use LastPass on his desktop or laptop unless he upgrades to LastPass Premium, which has unlimited device type access.
Most people, including me, use two device types. I have LastPass on my phones and on my laptop as well. With these changes, I have to choose where I want to use LastPass. I either go for the app on my phone or opt to use browser extensions on my laptop and lose LastPass services on my phone. I am probably going to opt for the latter.
Most Zimbabweans will not be able to make the US$2 per month charge that is billed annually and translates to about US$28 per month if you include prepaid card charges.
Sidenote… FBC, do you have to take US$3 every time someone does even a micro-payment?
There is just too much friction involved in making the LastPass payment and not a lot of people will be able to make it; at least not in this country. If it’s not a matter of affordability then it’s a matter of the hustle involved. While a lot of people enjoy the convenience it affords them, they are unlikely to see its value because of the hoops involved in making that payment.
You can still use LastPass on both devices
The way I read the blog post announcement, the changes only affect the browser extensions and apps, which of course do offer a lot of conveniences. However, if you choose your preferred device type you can still access LastPass by visiting the LastPass vault in your browser.
True, you will no longer get autofill this way, but at least you can still copy and paste both your usernames and passwords whenever required. All you need to do is open a browser on the unsupported device type, type in https://lastpass.com and log in using your email and master password, and you will access your vault. You can then manually copy and paste passwords.
Another potential route would be to go the family route, but this can be dangerous if your “family” is unreliable. It’s a package that allows several individuals to split costs, but there is potential for privacy breaches if members of your “family” decide to access your accounts. This package is, however, useful to SMEs who want to save costs.
Rubbish alternatives
If you don’t want to pay but also want the good stuff, you can try LastPass’s alternatives, but don’t expect them to be anywhere near as close to LastPass in terms of features and ease of use. There is also the matter of security: password managers are lucrative scalps for hackers. LastPass themselves have been targeted in the past, but the company has been open about breaches and vulnerabilities, which they have been quick to patch.
You can also use FOSS alternatives like KeePass but these tend to be not very accessible to the less techy or those with limited skills. Whatever route you choose, LastPass has given us a month to make adjustments.
This is more than enough for some of us who live in a certain tea-pot shaped country where devastating legislation is introduced in the morning, zealously enforced in the afternoon and is scrapped before the sun sets.