Hi everyone,

I just came across this project called LessPass, which doesn’t require a database as a back-end and can compute passwords on the fly instead of storing them. The idea really intrigued me, and I wanted to know from the community about the experience of using it - did you run into any troubles with it? How does it compare to more traditional password managers (which would need me to think of a back-up strategy)?

Is it possible to back up your passwords from LessPass? Can you use your own passwords when you prefer to? How are the client programs?

Thanks!

  • narc0tic_bird@lemm.ee · 10 months ago

    It’s a cool concept that quickly falls apart in my opinion:

    1. It’s not really stateless as soon as a website has certain password requirements. You probably don’t want to remember the configuration of all passwords in your head.
    2. If the password for a website gets compromised, you have to set the “counter” + 1. Again, not stateless.
    3. If you have multiple accounts per website, you’ll have to store the site differently (for example including www, not including www) or interlace the counter (odd/even) between the two. This gets more and more messy the more accounts you add, and again, it’s not stateless.
    4. The master password is the only thing an attacker needs (plus the state mentioned above, but it’s easy to brute force a simple counter). With most other password managers, the attacker needs access to the vault/database and potentially a keyfile, secret and/or some form of second factor.
    5. Changing your master password because it got compromised or ideally before it gets compromised changes the passwords for all websites.
    6. You still have to remember your username or login email, so that’s again not stateless if you’re saving it in some sort of LessPass client.

    I could probably list a lot of other reasons why it’s not a good idea to use it. There are probably some edge cases where it’s good, for demonstration purposes or training sessions where the participants all need unique (temporary) logins for several services.

    • ThetaDev@lemm.ee · 10 months ago

      You also cannot use it to store secret information like bank account/credit card details, API keys, etc.

  • jeffhykin@lemm.ee · 10 months ago (edited)

    Despite what others are saying, I’ve been using it for a couple years and it can work great if you’re okay with the trade-offs.

    Of the three (Integrity, Confidentiality, Availability) it has better availability than cloud storage, which is what I care about. Even when the LessPass site is down, there’s an IPFS version, mirrors, local cache, etc., so it’s basically always possible to derive any password.

    At a user level, it’s very impractical (and a slight risk) to always retype the master password at every single login screen. However, letting the local autofill save the password doesn’t defeat the point of LessPass. Why? Because if you only use local storage and you’re traveling and your phone breaks, you’re now locked out of every account. With LessPass, you’re fine as soon as you get an internet connection.

    There are a few caveats.

    • There’s no global 2factor. Losing the master password means every site that doesn’t have its own 2factor is instantly fully exposed.
    • I do agree there are a few sites where the default options don’t work because of the character restrictions. It’s about 1.2% of websites in my experience, but they are painful exceptions. Basically you have to rely on memory to be able to pick those same settings again. I recently wished there was a unified dataset of which websites had password requirements, and then LessPass would auto-check the necessary boxes when the website URL was pasted in. Maybe one day.
    • Changing your master password requires changing every single website. If you don’t, then it’s impractical to remember what password was used for what site.
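An added Python sketch (not LessPass’s own code) of the derivation both narc0tic_bird’s list and jeffhykin’s caveats are arguing about. It assumes PBKDF2-HMAC-SHA256 over the master password salted with site + login + counter, as the thread describes; the character-rendering step, the iteration count and the sample profiles are constructed for illustration, and `required_state`, `rotate` and `rekey_all` are hypothetical helpers that make the “it’s not really stateless” and “rekey changes every site” points concrete.

```python
import hashlib
import string

# Added illustration modelled on the LessPass scheme as described in the thread
# (PBKDF2 over the master password, salted with site + login + counter). The
# rendering step below is an assumption, not the project's exact algorithm.
CHARSETS = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}

def derive_password(master, profile, iterations=100_000):
    """Deterministically derive a site password; nothing secret is stored."""
    salt = f"{profile['site']}{profile['login']}{profile['counter']:x}".encode()
    entropy = int.from_bytes(
        hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, 32), "big")
    alphabet = "".join(CHARSETS[r] for r in profile["rules"])
    out = []
    for _ in range(profile["length"]):
        entropy, idx = divmod(entropy, len(alphabet))  # consume entropy one digit at a time
        out.append(alphabet[idx])
    return "".join(out)

def required_state(profile):
    """Everything besides the master password that must be recalled exactly to
    reproduce a password: the per-site state the thread says never goes away."""
    return {k: profile[k] for k in ("site", "login", "counter", "length", "rules")}

def rotate(profile):
    """Rotating one site's password after a leak means remembering counter + 1."""
    return {**profile, "counter": profile["counter"] + 1}

def rekey_all(old_master, new_master, profiles):
    """Changing the master password changes every site password at once."""
    return {p["site"]: (derive_password(old_master, p), derive_password(new_master, p))
            for p in profiles}

# Constructed sample profiles (not real accounts).
PROFILES = [
    {"site": "example.com", "login": "alice", "counter": 1, "length": 16,
     "rules": ("lowercase", "uppercase", "digits", "symbols")},
    {"site": "legacy.example.net", "login": "alice", "counter": 1, "length": 12,
     "rules": ("lowercase", "digits")},  # site that rejects symbols: extra state to remember
]

if __name__ == "__main__":
    for p in PROFILES:
        print(p["site"], required_state(p), derive_password("correct horse battery staple", p))
```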