The free version of a widely used password manager is about to get much less flexible.
Starting March 16, users of LastPass’ free tier will need to anoint a category of device – “mobile” or “computer,” a distinction better phrased as “touchscreen” or “keyboard” – on which to keep using that tool.
They then must renounce using LastPass on the other category – not just in its apps but even through its website – unless they upgrade to paid service. That costs $36 a year for individual use, $48 annually for families.
That may make some of LastPass’ 20 million-plus users want to leave after exporting their saved data. But they should not quit using a password manager to save passwords, generate complex ones and securely store and synchronize them using end-to-end encryption. That defense ensures even the password manager service – and anybody who breaks into it – has no key to decrypt them.
We humans struggle with this work and often succumb by abandoning the basic hygiene of using a different password at every site. Password reuse turns a data breach at one site into an opportunity for attackers to try your exposed password at others.
“I don’t know anyone who thinks they can keep complex and different passwords memorized,” emailed Lorrie Cranor, director of the CyLab Security and Privacy Institute at Carnegie Mellon University. “If you adopt a password manager, you don’t have to think about coming up with unique and strong passwords anymore and you don’t have to figure out how you are going to remember them.”
Two particularly easy free alternatives come from Apple and Google, both with the helpful feature of automatic warnings about weak, reused or exposed passwords. But each has hang-ups.
Apple’s iCloud Keychain works in Windows with its new Chrome extension, but it ignores Android and Chromebooks. Relying on Google Password Manager risks turning what may be your most vital account into a single point of failure should you forget your Google password and get locked out.
Among competing password managers, Bitwarden stands out for a free tier without serious usage limits, plus low rates of $10 a year for individuals and $40 a year for families. This Santa Barbara, California, firm’s open-source code, available for anybody to inspect, is a point in its favor.
For users willing to pay for a more polished interface and better password coaching, 1Password just beats LastPass solo rates, at $35.88 a year; its annual family rate of $59.88 is higher. This Toronto firm’s service regularly subjects itself to third-party security audits and draws compliments from such reviewers as Consumer Reports, which picked it as its top choice last year.
With any password manager, you must choose a complex master password, write that down in a safe spot and enable two-step verification to confirm any unusual login. That’s safer with a free code-generation app such as Google Authenticator and safest with a USB security key, a $20-ish encrypted pod you plug into a computer to verify your access.
This may not be enough if you actually have intelligence agencies hacking you. But as Cranor noted, that’s rarely the case: “Many attackers don’t care who they attack, they just want to compromise as many accounts as they can.”
The views and opinions expressed in this column are the author’s and do not necessarily reflect those of USA TODAY.
This article originally appeared on USA TODAY: LastPass alternatives: Try these free password managers like Apple