CTO against LastPass SSO option
Posted by flashx3005@reddit | sysadmin | 126 comments
Hi All,
More of a discussion on what you all have done with your password managers regarding SSO. The current CTO here is against SSO, saying that it might cause more vulnerability in tying it with Entra vs the current non-SSO integrated "local" LP password for users.
Curious as to what you guys have done with your password vaults?
bakonpie@reddit
Bitwarden Enterprise hosted yourself with SSO and the key connector is a solid solution
ComeSwirlWithMe@reddit
The benefit to self hosting is obviously full control of the data. The downside of course is your network/server is breached or some type of ransomware and you lose the data.
Bitwarden allows both self and cloud.
kuahara@reddit
I use self-hosted bitwarden with MFA required and email mfa not a permitted option.
TheNotSoEvilEngineer@reddit
Just realize at the end of the day, all your super secret passwords are sitting on someone's Notepad++ tab.
kuahara@reddit
I did a scan for plain text password files in one of our user folder repositories.
It revealed exactly what you'd expect it to.
ouchmythumbs@reddit
passwords.txt on a desktop?
Have seen that one before during post-breach incident review.
ComeSwirlWithMe@reddit
I prefer to name my plain text password document "not-my-password-list-dont-look-here.txt."
ComeSwirlWithMe@reddit
Bitwarden. Open source, and one of the cheapest options for home or business.
The-Old-Schooler@reddit
Please don't use Lastpass anymore.
flashx3005@reddit (OP)
Yea I'm beginning to think our 3 year renewal done last year was a mistake. What are you using for password manager?
Tessian@reddit
Most any other managers are better. Bitwarden and 1Password are the ones I hear most often.
blahyawnblah@reddit
Keeper
ender-_@reddit
This Keeper: https://www.techdirt.com/2018/03/09/keeper-security-reminds-everyone-why-you-shouldnt-use-it-doubles-down-suing-journalist/ ?
blow_slogan@reddit
Yes, that Keeper.
Look, we tried 15+ options and that was the only real issue I took with them. Unfortunately, many password managers are not designed well enough for enterprise, lacking granular controls, latest features, ease of use. Migrating from LastPass, there were only a small handful of options, mainly Okta, 1Password, and Keeper, with Bitwarden lacking a bit for business use.
For a proper Okta setup, you’re looking at $30+ per user per month and with some of the worst support in the world when things break.
1Password was my suggested option, but I believe it was around $8/user/
Keeper checked all of the boxes and offered to bring us in at about $2/user/month and upgrading us to their enterprise plan at no cost. This happened at the height of the LastPass outrage years ago.
It was a complete no-brainer from the C-suites. And I could agree. I spoke with a rep about the specific incident you brought up and they confirmed that it is a stain which they’ve tried to rectify. They began a bug bounty and disclosure program afterward I believe.
It’s a strike, of course, but not a complete deal breaker. Their pricing and the features offered are too competitive to rule out entirely.
DeviIstar@reddit
My org just swapped from an on prem bitwarden to cloud 1password - just wish 1pass had custom categories but tagging is working so far
gehzumteufel@reddit
What do you mean by custom categories?
DeviIstar@reddit
They have categories like sites, credit cards, addresses, etc - I wanna make my own and use the built in as templates - like “lab” or “my org sites” etc..
JwCS8pjrh3QBWfL@reddit
1p uses tags rather than categories.
gehzumteufel@reddit
Oh right yeah I have the same complaint too. Custom type templates would be so nice.
acorn222@reddit
I'd second this, they seem like the best. Don't go with a smaller password manager.
To be fair too, I think lastpass has cleaned up their act since the breach.
ConsiderationSuch846@reddit
Moved org from LastPass to 1Password and couldn’t be happier. Especially its ability to include MFAs and passkeys, short term credential sharing.
CTO myself.
Rakajj@reddit
How's the pricing for you? Get it bundled or through a reseller?
I've used 1P personally for...maybe 10 years...but it's a tough sell to mgmt due to subscription costs.
ConsiderationSuch846@reddit
We pay about $70/head/year.
Ask your favorite AI for the list of security incidents over time. Show that to management..... ask for a risk acceptance from security/legal or if mitigating is preferred...
May 2011 LastPass detected unusual network activity suggesting a possible server intrusion. No evidence of data exfiltration was found, but all users were required to reset master passwords. Encrypted vault data was not compromised. Wikipedia
June 2015 Suspicious network activity was discovered and halted. Account email addresses, password reminders, server per-user salts, and authentication hashes were compromised. Encrypted vault data was not affected. Wikipedia
January 2016 Security researcher Sean Cassidy disclosed a method to steal login credentials and even 2FA codes via a phishing attack. Silicon UK
July 2016 Detectify published details of a vulnerability allowing plaintext passwords to be read from a user's vault when visiting a malicious website, caused by poorly written URL processing code in the browser extension. LastPass was privately notified and patched it before public disclosure. AlexIn Tech
March 2017 Tavis Ormandy discovered a vulnerability in the LastPass extension AlexIn Tech (part of a broader set of flaws that year).
August 8–12, 2022 — Incident 1 A threat actor compromised a software engineer's corporate laptop to access a cloud-based dev environment, stealing source code, proprietary technical docs, internal system secrets, and 14 of ~200 source-code repos — including cleartext embedded credentials and stored digital certificates. Cybersecurity Dive
August 12 – October 26, 2022 — Incident 2 The threat actor pivoted from Incident 1, using stolen credentials from one of four senior DevOps engineers to access a shared cloud-storage environment. Reconnaissance, enumeration, and exfiltration of cloud backups ran undetected until GuardDuty alerts fired in October — alerts that were missed due to a misconfigured mailing list. Uptycs
December 15, 2022 AWS confirmed to LastPass that the threat actor had downloaded a copy of the backup database, which contained both unencrypted data (e.g., website URLs) and encrypted fields (passwords, secure notes, form data). Wikipedia
Post-2022 fallout: According to TRM Labs, stolen vaults continued to be cracked offline for years after, with approximately $438 million in cryptocurrency reportedly stolen through late 2025. Deshittify
flashx3005@reddit (OP)
Gotcha. We did sign up for a 3yr plan last year for LP, so I'm not sure we can break that easily. I'd have to find that out.
IdiosyncraticBond@reddit
Take the loss and move before they get breached again
manapause@reddit
Bitwarden is great and you can run your own server.
flashx3005@reddit (OP)
Ah so you can technically keep your passwords "in house" of sorts? What would be the DR scenario around that or if that server were to go corrupt? Easy enough to restore from backup and good to go?
sp-rky@reddit
The official Bitwarden clients cache credentials locally, so even if everything is on fire, you can still get the passwords you need.
Source: I use vaultwarden for my personal password manager, and I've taken the server down for hours at a time with very little disruption.
mnvoronin@reddit
The official Docker image makes a full database backup nightly and puts it into a folder for you to back up with the rest of your data. Or do image-based backup of the VM it's running on.
RavenWolf1@reddit
Keepass2.
br01t@reddit
Bitwarden
reserved_seating@reddit
1Password is nice so far in my trials and looking to switch over from LP. It’s always recommended that or Bitwarden and I found Bitwarden a bit too confusing to use so I didn’t see mass adoption taking place.
aew3@reddit
Just curious here - what exactly is confusing about Bitwarden. It's really no different to use than anything else, with the exception of something like KeePass which uses a local-first model. I find the UX of all of these hosted password managers almost identical. The differentiation these days between managers is entirely in additional tacked on services like "secure file share" or haveyoubeenpwned style "you were in a leaked db" notifications.
reserved_seating@reddit
The interface, to me, was not nearly as clean. And when something is perceived as ugly or hard to use, it will just not be used.
Ok-Double-7982@reddit
Bitwarden org here and yes, it is clunky and not intuitive. Several years in and I know my way around it, but it was not a breeze as far as most software with ease of use.
CaesarOfSalads@reddit
Keeper is what we moved to, and it's been great, other than their predatory intro pricing. They get you in the door with a sweet discount and then try to take it away each year.
cfrshaggy@reddit
Yeah also agree we are largely happy with Keeper but also have to fight for our discount as a nonprofit.
doubleopinter@reddit
1Password is my favourite. Their approach to passwords is unique. They append a key that you must keep to every user's password when they log in. I think that key is cached on a user's device. Anyway, the result is that even if a user chooses monkey123 as their master password it doesn’t matter, their password is actually long gibberish with monkey123 at the end.
blow_slogan@reddit
Tried a bunch of them. For business you should go with keeper.
ImLookingatU@reddit
Bitwarden
Affectionate-Cat-975@reddit
This LP has been hacked numerous times. This is a bigger vulnerability than SSO
Killbot6@reddit
LastPass is disgusting.
One fuck up? Sure that happens… But they're consistently getting breached.
Just move on to something else, anything else. Really.
TraditionalSuit3364@reddit
This is an interesting question because it raises an important consideration—whether implementing broad SSO is truly safe. I’m the IT Administrator for a small financial firm with 35 users. Our team relies on a variety of tools daily, including Adobe, DocuSign, Fidelity, Schwab, and LastPass.
After an employee left unexpectedly, we struggled to promptly offboard them from several platforms containing client PII. That situation led us to explore setting up Entra SSO, since nearly all our tools support it. Had we already been using SSO, simply resetting the employee’s password and suspending their login would have immediately revoked access across integrated systems.
However, we recognized the serious downside of that convenience. If an employee’s Entra account were ever compromised, that single credential could unlock every SSO-integrated system we use—LastPass arguably being the most sensitive. This is a risk we weren’t comfortable accepting. Instead, we chose to consolidate administrative controls, allowing company administrators to quickly and efficiently revoke access to all platforms without relying on a single point of failure.
Cigam_Emot@reddit
Go with 1Password, which has had fewer break-ins than LastPass, and also gives a family account with each professional account. This helps onboard people into a more secure solution when there is something in it for the users...
Fritzo2162@reddit
We're currently using MyGlue for password management. It's not the best but it does the trick and allows centralized management.
UncleGurm@reddit
I'd try to determine why he is against using SSO with your password vault. You can still keep a couple non-SSO users for "break glass" scenarios.
Tessian@reddit
Your CTO is right.
LastPass's SSO integration gives LastPass your encryption keys. They store them on their side, then issue them to devices after they succeed in SSO. If you do not do this, LastPass doesn't have your encryption keys, so yes by implementing SSO with Lastpass you're introducing risk associated with now giving a vendor your encryption keys.
We jumped ship from Lastpass long ago after their breach. They lied, they were insecure, and worst of all the root cause was a developer with production access to vault data FROM HIS PERSONAL COMPUTER and they did NOTHING TO CHANGE THAT after the breach. They only committed to "training" the individual on patch management of his personal PC. wtf!
Rant of Lastpass aside, even though others like Bitwarden or 1Password offer secure SSO we don't bother. It's not that bad to tell people they need a separate master password and we tie our MFA into Bitwarden direct. It also helps with DR / BCP if you have an outage that involves SSO and you stored your DR data/documentation in your password manager. SSO would be nice but we just didn't see it worth the effort compared to the number of users we had using it and the amount of work it is to set it up in a way where there'd be convenience for the end user.
thaughtless@reddit
You clearly know zero about SSO.
Tessian@reddit
This has nothing to do with SSO, my friend, and everything about key decryption. You can read the same whitepaper I did that explains how Lastpass is holding onto half your decryption key and putting the other half in Entra to decrypt your vault using SSO.
Other password managers don't do this for a good reason - they don't want any of your key. Lastpass does it in the name of convenience.
flashx3005@reddit (OP)
One thing I know the CTO was hesitant with sso with LP was that if a hacker gets hold of user creds, he/she can then essentially have access to the entire LP vault, correct? I think this is the main sticking point with him right now.
Tessian@reddit
They'd have to steal their credentials AND bypass MFA, but technically yes. This is a risk of any SSO integrated app, but normally you compensate for that by having stronger protections / policy around your SSO creds in the first place. If someone steals your SSO creds they already get access to O365 so then you're really in trouble already. Lastpass also used to, not sure if they still do, a way to reset your master password via email which would allow the attacker access to the vault anyway once they got your SSO.
Others will also point out that not using SSO with your password manager doesn't stop end users from reusing their password anyway.
So I wouldn't say that hooking a password manager up to SSO by itself is risky. I believe Lastpass's implementation of SSO is more risky than other vendors but that's not what your CTO is focusing on.
flashx3005@reddit (OP)
Agreed. Thanks for the detailed responses. You've helped a lot. Appreciate it.
ThomasTrain87@reddit
Completely incorrect. If you implement federated SSO with Entra ID for LastPass the right way (and LastPass’s recommended way) there are two separate 256-bit keys, one that LastPass has and one that Entra has. Only both together can unlock the safe and the Entra ID side is never shared with or stored on LastPass's side.
So LastPass never has the entire key to decrypt your safes.
Have a read here for more details: https://blog.lastpass.com/posts/federated-identity-management
Tessian@reddit
I've read this a few times and I've not found where it talks about how decryption of the vault occurs in their SSO implementation, did you?
ThomasTrain87@reddit
Technical details should be in this white paper
https://assets.cdngetgo.com/da/ce/d211c1074dea84e06cad6f2c8b8e/lastpass-technical-whitepaper.pdf
Tessian@reddit
It does explain what I corrected later - LastPass creates a key, splits it in two, and half goes to Entra and half stays with LastPass. So they do continue to have half your key.
Also explains it's the SCIM integration that puts the half key in Entra, nothing to do with SSO.
ThomasTrain87@reddit
Here is another one that describes the logon process flow: https://assets.cdngetgo.com/1c/e4/e53646f14a91a7c9cb7dd7afbb61/lastpass-technical-whitepaper.pdf
Tessian@reddit
This one seems to be specific to AD, not Entra, and does things slightly differently using their AD Connector and splitting the key into 3 pieces instead of 2 with Entra.
Either way, Lastpass is holding onto part of the decryption key and other enterprise password managers do not.
ThomasTrain87@reddit
I was using this as an example: but I also don’t disagree, yes, LastPass is holding part of the encryption key. But do the logic and math here. It is two 256-bit keys XORed together to construct the master key. So yes, LastPass has half the key, but in this case half the key is useless without the other half, so still secure.
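The two-share XOR construction the comments above describe, as an added illustration (not LastPass's or any vendor's code): one share is held by the vendor, the other by the IdP, and either share alone is consistent with every possible master key. The sample key, the share holders and the three-share variant are assumptions for the demo.

```python
"""XOR key splitting as described in the thread: a 256-bit master key is
the XOR of two 256-bit shares. Added illustration; not any vendor's code."""
import secrets
from functools import reduce
from typing import Callable, Sequence

KEY_BYTES = 32  # 256 bits


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_shares: int = 2,
              rng: Callable[[int], bytes] = secrets.token_bytes) -> list:
    """Split `key` into n_shares XOR shares.

    The first n_shares-1 shares are fresh uniform random bytes; the last is
    chosen so the XOR of all shares equals `key`. Any n_shares-1 of them are
    still uniformly random, so they carry no information about the key.
    """
    if n_shares < 2:
        raise ValueError("need at least two shares")
    shares = [rng(len(key)) for _ in range(n_shares - 1)]
    shares.append(reduce(xor_bytes, shares, key))
    return shares


def combine_shares(shares: Sequence[bytes]) -> bytes:
    """Reconstruct the key by XORing every share; all shares are required."""
    return reduce(xor_bytes, shares)


def missing_share_for(held: Sequence[bytes], candidate_key: bytes) -> bytes:
    """The value the one missing share would need for `held` to encode
    `candidate_key`. A valid answer exists for every candidate, so the held
    shares cannot rule any key in or out: "half the key is useless" made
    concrete."""
    return reduce(xor_bytes, held, candidate_key)


def demo() -> dict:
    # Constructed sample master key (NOT a real key; patterned for readability).
    master_key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

    # Two-party split (vendor + IdP), as the thread describes for Entra.
    vendor_share, idp_share = split_key(master_key, 2)
    # Three-party split, assumed here to mirror the AD Connector variant.
    three = split_key(master_key, 3)

    # An attacker holding only the vendor's share sees two unrelated candidate
    # keys as equally plausible: each has a consistent "other half".
    candidate_a = bytes(KEY_BYTES)
    candidate_b = bytes.fromhex("ff" * KEY_BYTES)
    share_if_a = missing_share_for([vendor_share], candidate_a)
    share_if_b = missing_share_for([vendor_share], candidate_b)

    return {
        "two_party_recovers": combine_shares([vendor_share, idp_share]) == master_key,
        "three_party_recovers": combine_shares(three) == master_key,
        "two_of_three_fails": combine_shares(three[:2]) != master_key,
        "vendor_share_alone_fails": vendor_share != master_key,
        "candidate_a_consistent": combine_shares([vendor_share, share_if_a]) == candidate_a,
        "candidate_b_consistent": combine_shares([vendor_share, share_if_b]) == candidate_b,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The risk the construction does not remove is compromise of both holders, or of the device that combines the shares, which is where the thread's disagreement about vendor trust actually lives.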
Tessian@reddit
Thank you, I did just reply to OP here and say as much but I couldn't find the details which you linked.
I'll still argue that I'm not aware of any other password manager doing SSO this way, and likely for a good reason. Giving them half a key, especially with their known past of breaches, is still very dangerous.
CharcoalGreyWolf@reddit
It’s not giving them half a key though, it’s public key / private key. This is a normal encryption method used in many, many environments.
I really think you may need to read up on how these things work. I’m not defending LastPass as much as saying public key /private key encryption is extremely common and normal.
Tessian@reddit
I put this elsewhere but I expect you just downvoted and ignored.
SSO does not handle the key decryption for your vault. As examples, Keeper and Bitwarden explain how they handle key decryption with SSO here: https://docs.keeper.io/en/sso-connect-cloud/security-and-user-flow and https://bitwarden.com/help/sso-decryption-options/. I have not found similar documentation from Lastpass - if you have please share I'd love to read it.
zer04ll@reddit
God I love Yubikeys!
flashx3005@reddit (OP)
Thanks for the detailed response. Definitely makes sense with this clarity/ point of view.
Tessian@reddit
So I will make a slight correction that looking around online it's not quite as simple as "Lastpass has your keys" -- apparently they're doing some wizardry with generating a key that they then split between themselves and the SAML IDP, but seeing as how companies that truly keep themselves to a high standard of security and don't get breached refuse to do SSO this way, I'll leave you to be the judge of how secure this implementation really is.
CharcoalGreyWolf@reddit
Again, this is literally how SAML SSO works via Entra with an Entra enterprise app. Other password managers using SSO work the same way; we use Keeper, and that’s exactly how this works and should work.
Tessian@reddit
I'm pretty sure you're the one mistaken. This isn't to do with SSO itself, it's to do with the encryption key
I looked up Keeper's SSO flow (https://docs.keeper.io/en/sso-connect-cloud/security-and-user-flow) and it explains it the same way that Bitwarden does their Trusted Devices option (https://bitwarden.com/help/sso-decryption-options/).
This is not how Lastpass is doing SSO.
RAMSxAI@reddit
Until you find users still using the LastPass master password a year after termination with access to the company's logins.
Tessian@reddit
Well that's on your org for not implementing SCIM with Lastpass...
More_Purpose2758@reddit
Some pw managers let you put another MFA outside of your SSO in front of the passwords.
jmeador42@reddit
I'm against both using LastPass and using SSO with an existential service like password managers.
SuperGr33n@reddit
1pass customer for about ten years now. Both private and corporate. Hasn't failed me yet
gumbrilla@reddit
Lastpass is an absolute horrendous option. those bastards lost all my creds to hackers, they've been breached multiple times. Is this r/ShittySysadmin ???
Smiles_OBrien@reddit
We use Keeper at work, pretty happy with it. And BitWarden seems to be the current darling (I'm in the "selfhosted Vaultwarden" crowd so I'm assuming official BitWarden is good, though I haven't used it)
hftfivfdcjyfvu@reddit
Don’t use lastpass And also don’t integrate your password manager with sso
Nyasaki_de@reddit
Vaultwarden
AccomplishedRobot@reddit
1Password, please read up on why their security is unique
Asleep_Spray274@reddit
SSO with conditional access:
Device must be hybrid or compliant
User must use phishing-resistant MFA like logging into PC with Windows Hello for Business
Sign-in risk low, med, high for LastPass - block
Xzenor@reddit
Biggest risk here is the use of LastPass in general... I don't get why people still use them.
chickahoona@reddit
Take a look at Psono. You can use it with or without SSO.
Scootrz32@reddit
This was just posted on any SSO with a password manager
https://www.reddit.com/r/sysadmin/s/FtXV3xxEd5
smoothvibe@reddit
Securden. Runs on premise and it can do HA.
thaughtless@reddit
Don't ever use LastPass. SSO is more secure as an approach. Is your CTO one of those made up ones by self appointed title vs actual experience?
flashx3005@reddit (OP)
Software Developer went up the ranks now oversees all of IT.
machacker89@reddit
So he/she is familiar with the software and the risks of using a password manager
pjustmd@reddit
Your CTO is a dummy. One for using LastPass and the other for this ridiculous reasoning.
981flacht6@reddit
Bitwarden and rotate every password after migration.
HKChad@reddit
He sounds like the right guy for the job. LastPass sucks, use 1password
flashx3005@reddit (OP)
Yea I think we'll have to reassess the LP platform going forward.
Akamiso29@reddit
At my previous job, we got a corporate VPN solution along with the password manager for less than the price of LastPass. Nearly identical feature parity, too. Shit corporate security posture and expensive. You’ll look like a champ when you negotiate cheaper and more.
flashx3005@reddit (OP)
Which VPN and password mgr solution did you go with?
Akamiso29@reddit
I bounced before it was finalized, but I think it was Proton.
ExceptionEX@reddit
Bitwarden, the lastpass email about the data breach settlement being sent out this week isn't doing lastpass any favors.
flashx3005@reddit (OP)
Oh. I didn't even know about that. Thanks, I'll read up on that tomorrow.
Somedudesnews@reddit
Disclosure: I used to work in that particular sector of software.
I wouldn’t touch Lastpass with a ten foot pole. Especially not after the acquisition and the string of compromises.
Nevertheless, you don’t always get to choose your tools.
We follow a light framework for managing the blast radius of SSO. We also use Entra (with a project in the works to take IdP in-house) but we don’t trust Entra to authenticate to certain high privilege services, including our password manager.
If it would cost us the business to lose it, SSO doesn’t have the ability to provide full privileges.
matabei89@reddit
Bitwarden after dashlane. Better management of passwords
davy_crockett_slayer@reddit
1Password
Watsonwes@reddit
Anyone who uses lastpass should be fired
ABlankwindow@reddit
Keeper is what we have been using. But their pricing is predatory
man__i__love__frogs@reddit
Keeper
flaccidplumbus@reddit
Bitwarden
kdmclean@reddit
Good. They're at least base line qualified for their role. Read up on LastPass and realize that utilizing them is very much a situation of "fool me twice..." - I wouldn't trust their technical infrastructure.
There are plenty of good options out there, Bitwarden, Auth0, etc.
ludlology@reddit
Lastpass is dogshit, he's right
Even if it wasn't insecure (it is) the user experience is low quality compared to all the better options. It's like the boomer version of a password vault basically
ObiWom@reddit
My org uses CyberArk but personally, I use 1password
stahlhammer@reddit
Bitwarden
Royal_Bird_6328@reddit
I would be suggesting SSO with LastPass but implement Conditional Access policies to further lock it down, i.e. not on mobile devices, only allowed on compliant devices
johnfkngzoidberg@reddit
LastPass is a dumpster fire. Didn’t you hear about them getting hacked 3 separate times with their source code getting compromised? NEVER use LastPass.
blackjaxbrew@reddit
Just my two cents but I prefer segregation here, I get it if you are dealing with tons of users for SSO. But we won't risk ease of access to a pw manager with SSO. This is a training issue imo. A great example is the recent Stryker incident with in tune and putting all your eggs in one basket.
perth_girl-V@reddit
LastPass I wouldn't use, but others I would; 1Pass or whatever is my go-to
CheeksMcGillicuddy@reddit
I mean… a good CTO is going to be against LastPass all together.
reegz@reddit
CTO isn't wrong
macattackpro@reddit
We use Keeper 🤷♂️
ThomasTrain87@reddit
CTO is partially right and partially wrong. SSO has risks if done correctly but those risks can largely be mitigated.
A separate username, password, and MFA account for each app, fully disconnected without centralized enforcement of password policies, logs, etc is infinitely more risk.
Tessian@reddit
LastPass's SSO implementation gives them your encryption keys which I don't think you're accounting for with "risks that can be largely mitigated"
Kardinal@reddit
Previous commenter is talking about SSO in general. Not LastPass SSO.
Tessian@reddit
Ok but OP's question is only about SSO with Lastpass. There's nothing here to indicate that the CTO is against SSO in general, just with Lastpass.
Kardinal@reddit
I'm not sure it is about only Lastpass SSO. There is some confusing language in there especially associated with Entra.
flashx3005@reddit (OP)
Sorry, let me clarify: it's just SSO with LP. We do have SSO enabled for a lot of other apps, just not with LP yet.
jsfarmer@reddit
Switch everyone to Macs.
Kardinal@reddit
Good SSO with strong protection, like available with Entra, is very secure.
Different logins for different systems is a password leak waiting to happen especially without, but even with, an enterprise password vault.
crashorbit@reddit
Having common identity management within the walled garden is a key enabler. Still, username/password pairs are an anachronistic social mistake. It arises out of technical laziness originating deep in the origins of information technology.
Better is to use an authenticator, challenge response, or out of band token methods.
Still, username/password is baked in to so many technologies and often for access to the highest management access in the infrastructure. You need some social practice for managing the few passwords you cannot eliminate. Using a password vault is a way better solution than weak memorable passwords.
DULUXR1R2L1L2@reddit
The LastPass app sucks and so does the browser extension. If you want to encourage your users to take security seriously, it needs to be seamless, and LP is not that.
But SSO IS part of that seamless experience. Add 2FA (non-LP) if they're worried about SSO being compromised in some way.
RAMSxAI@reddit
I respectfully disagree with your CTO.
We used to have LastPass setup with SSO, with admins set to Master Password (now use 1Password still SSO).
Advantages far outweigh the disadvantages.
AppIdentityGuy@reddit
If there is one thing you absolutely want protected with strong MFA credentials it's your corporate shared password vault. Otherwise you have to go in and remove users manually as they leave....
Tessian@reddit
Enterprise password managers all support SCIM to allow for automatic onboarding/offboarding so you don't need SSO for that feature.
TheUnrepententLurker@reddit
Keeper tied to platform SSO