Comments


HanaBothWays t1_j80uzv6 wrote

Move yourself to BitWarden or 1Password or something, these folks don’t have what it takes to keep up a good password management service now that they’re owned by a hedge fund.

72

wonderfulworld99 t1_j80wrcz wrote

LastPass won't last, everyone will give it a pass. Self fulfilling prophecy name.

−1

autotldr t1_j80xbun wrote

This is the best tl;dr I could make, original reduced by 85%. (I'm a bot)


> A hacker stole a file from password manager LastPass that contained the passwords of 30 million users and 85,000 companies.

> As long as customers had a good master password, their passwords were safe, the company said.

> Unlike what many users thought, their personal password vault was not a fully encrypted folder but a text document with a few encrypted fields, according to FTM. FTM also pointed out that by still claiming that the passwords are safe if people used a good master password, LastPass is shifting the responsibility to its users.



24

CervantesX t1_j812mgs wrote

Shockingly, putting millions of passwords into the same place didn't turn out to be a brilliant idea.

−11

AwakenGreywolf t1_j81im72 wrote

How exactly!? Aren't they always boasting about "top of the line encryption this and encryption that"?

50

SomethingMatter t1_j81tph3 wrote

It's not the best. Depending on how things are set up, anyone getting access to your PC can log onto any of the sites that you log into. You are also tied to the browser. e.g. Want to use an iPhone and chrome, tough. There are free options for password managers.

2

SomethingMatter t1_j81ugyu wrote

You have two options:

  1. Put your passwords in a password manager - this can be local only
  2. Remember all of your passwords

The second one means that you will either have duplicate passwords or a system in place where a person who knows one password can figure out the others. The only real option is a password manager. All password managers worth anything won't be able to get hold of your passwords without you first entering your master password, so the trick is to keep a good master password and you should be fine.

31

HanaBothWays t1_j8274cb wrote

LastPass does boast about that and it used to be true but they’ve been slacking off since the original founder sold the company. They are not keeping up with best practices that other password management services do (like encrypting most of their metadata).

31

Infinite-Eggs t1_j82e716 wrote

Your PC will always be a single point of failure. At least a password manager tries to secure the data even when it's sitting in your RAM and has features to try and thwart keyloggers. This buys you time to change your passwords.

Manually typing your passwords or copy/pasting via clipboard is the least secure method by far and is the main method key loggers plan on exploiting.

5

AGriggs191 t1_j82ntlx wrote

There's a good reason I don't use a password manager. I don't trust anyone.

−4

zevelj t1_j82ocr1 wrote

Does anyone know if what are called "Secure Notes" stored in Lastpass vault are safe/encrypted? Or saved credit cards?

8

nudifyme69 t1_j82p8t8 wrote

Building yourself a simple password manager is safer. Like, ask ChatGPT how to build ...

−3

ADroopyMango t1_j82r8m1 wrote

you could also just write some down, can't hack paper

edit: seriously, think about it. why would you want to put ALL of your passwords into the hands of ONE vendor or company? it makes no sense. those services are so worthwhile to hack, it's almost certain they will be targeted. the company may even get hacked and not disclose anything about it to cover their own ass.

just think twice before trusting a random company with the keys to your life. anything you can say about how "secure" 1Password or BitWarden is was probably said about LastPass.

Hacking 1Password

Bitwarden password vaults targeted in Google ads phishing attack

−5

rastilin t1_j82y9fk wrote

I don't get the anger against paper. Do people think that there's someone going through their drawers and all the notebooks in them? If someone's in your house and reading all your notes you already have a much bigger problem than them getting into some random site.

9

andrewhy t1_j839gc8 wrote

Maybe passwords are a terrible way of authenticating users, and we need to move towards something else. Even two-factor authentication is an improvement. I dunno about you, but I have more passwords than I can keep track of, and the alternatives to using a password manager are much worse, such as reusing passwords. A single compromised username/password that is reused elsewhere can lead to you being hacked.

3

Admetus t1_j83ft2i wrote

To be honest, not even paper. I would place a website and password clue in a text file. I'm not talking something simple like animal+49 = giraffe49, I'm talking about a clue where you already remember a whole bunch of passwords, you just need to know which one you used for that specific site so that you don't have to annoyingly try them all or get locked out.

1

AyrA_ch t1_j83ghj7 wrote

Any online service you use is vulnerable to your password being stolen. In this case they just got the encrypted database, but with those remote services you usually run a browser extension. They're updated automatically, so you as a user would not even know if someone manages to smuggle password stealing code in there. The best password manager is one that is run on your local device only. If you use a good master password, you don't have to be concerned about your password database being synced over untrusted cloud storage providers.

End to end encrypted providers do exist though.

The people that stole the databases are not after anyone's password specifically. They're running a huge password list against them and take what they can. Data breaches usually work like this.

5

gurenkagurenda t1_j83s6ne wrote

Well, all the directly sensitive content. LastPass has always been bad about storing metadata in the clear. It doesn’t make it easier for an attacker to get your password, but it does let them narrow down who to try to attack.

2

Dominicus1165 t1_j83syqq wrote

I have around 150-200 passwords. Writing them all down is lots of work. But not only that. Maybe I need them somewhere else. Like on my phone on the go. So I need to take all my passwords with me.

And that paper can be stolen or lost easily. Like in a restaurant when going to the toilet or in a club.

Super insecure

11

Dominicus1165 t1_j83t3hj wrote

Oh yes. A list of 150 passwords.

And still super insecure. A good hacking tool would need like 0.0001 seconds to check them all. With 4GHz and 6 cores (24 million tries per second), this is an easy task.

1

MC_chrome t1_j83tzxo wrote

No, not really. If you were to take a peek at Bitwarden or 1Password (especially 1Password), you would realize what a joke Microsoft/Google/Apple’s password managers are.

To begin, you can’t use Google’s password manager outside of the Chrome browser because the service lacks its own app.

10

EntertainerOrk t1_j83v4nc wrote

I get downvoted every time when I clown on these pass companies. Handle your damn passwords yourself. Put them in your browser, hell even write them on your hard drive. No one's gonna find them there. If someone has your computer, it's game over for you anyway, at that point nothing matters anymore. Maybe Lastpass should use a better password on their datacenter or something. Weird how I don't get hacked, yet every couple of months I hear another story like this of a big password vault type application company being hacked.

−5

EntertainerOrk t1_j83vbsq wrote

Terrific, so instead of having to crack a dozen different passwords for your different accounts, they have to crack one and they've got them all. The modern equivalent of using the same password for every account. Top notch, guys.

−1

Diknak t1_j83ysll wrote

This is why I like Enpass. Your passwords aren't on a server with a vault of everyone else's passwords. It's much less centralized.

1

[deleted] t1_j844jgu wrote

Because it's a dumb way to go about it and a waste of time. Are you going to be writing down all of your passwords by hand? Manually updating it as you change them? Getting the paper out of the drawer every time you need to log in? What if you need to log in on your phone when you're away from home?

None of these hacks result in your password being usable. The data these hackers get is a non-sensical string that they can't do anything with. I still wouldn't stick with LastPass. It's clear they give zero shits about internal security at this point. But saying that paper is an equal substitute to a password manager is just wrong.

4

ADroopyMango t1_j846964 wrote

a piece of paper is much more secure than a database. physical access will literally always take more effort than if I can just steal your shit from the comfort of my own home.

you're talking about trading security for convenience. and you can do that as long as you use some common sense.

for example, you could write down your most sensitive passwords (bank etc.) and do your best to commit those to memory if you're "at the club" as opposed to your ESPN account or whatever where the hack to life impact ratio is minimal. store those in your password manager all you want.

there is no easy way to have 200 passwords lol. it's like having 200 keys on a keychain.

−5

ADroopyMango t1_j848ne3 wrote

ok, you're just talking about trading convenience for security. you're saying it's a waste of time aka inconvenient. that doesn't mean the paper method is less secure.

nobody said anything about an "equal substitute." there are obvious tradeoffs.

1

Admetus t1_j84dpa7 wrote

Nah, a reference to each password completely internal to your head. Even if it's something like 'password 1, password 2, etc.' There's zero correlation between the passwords and what I stated.

1

guatemaleco t1_j84e7xv wrote

16 characters seems low unless it’s a randomly generated password. PBKDF2 iterations would also matter a lot here. The most determining factor is probably how likely of a target are you? Are you likely worth the compute time?

1

emaij t1_j84stgy wrote

Where is Karim Toubba, CEO of last pass? Has not uttered a word about this complete failure. I would place this kind of negligence or recklessness on par with the Catholic church catastrophe. Why is the CEO not taking some responsibility for this?

1

Dominicus1165 t1_j84vfnr wrote

But again. With 150 services it’s quite hard to remember even with reference. And I look it up again. I have exactly 241 passwords in my manager.

They each need to be secure and not dependent on each other.

2

Danzzo36 t1_j852u58 wrote

Can't steal from my notebook

−1

SlowMotionPanic t1_j85b8os wrote

The BitWarden example isn’t even comparable. It is 100% user error to use an unknown login portal based off an explicit paid advertisement result in Google.

A paper password book user would fall for the same scam but for whichever targeted sites. They are, in fact, more likely to get scammed because they lack an app like BitWarden which can identify and fill the actual portals thus removing the potential for error.

Password managers with a Yubikey are probably the strongest option for most people honestly.

4

SlowMotionPanic t1_j85cc8d wrote

> a piece of paper is much more secure than a database.

Hard disagree. Just require authentication with something like a Yubikey for the best of both worlds. People can take vaults all they want, but they are never getting in it without both the master password and a Yubikey and a biometric component if also enabled.

Unless they kidnap you, in which case you have bigger problems on your hand.

Or one is talking about seed phrases for crypto wallets, in which case they better stamp it into metal and hide it well.

Paper burns and you’ll be locked out for a good long time if not forever. Yubikeys can have a duplicate kept in a safe deposit box. Can’t do that with a paper book in active use.

4

jmpalermo t1_j85g5cn wrote

Hashed passwords are only useful for verifying somebody has the password. So if you are a website, you store only a users password hash, then when they try to sign in, you hash the password they’re logging in with to verify it matches.

You can’t reverse a hash back into the original password though.

So for you to be able to retrieve your passwords from LastPass, the password must be stored, not just the hash.

1

PBX1984 t1_j85k3g4 wrote

Yeah they got hacked over the summer, idk why it's just coming back up now

−1

belteshazzar_der t1_j85klag wrote

This is incorrect. They stole the password vaults themselves, so if they crack your master password they'll get access to all of your passwords. Doesn't matter if you have 2FA on. This is one of the main reasons why this breach was so bad.

10

newprince t1_j85ksr5 wrote

Although I am relatively safe, I am unsubscribing from LastPass completely. They lied.

Moving to Bitwarden

1

newprince t1_j85lkpw wrote

There are actual protocols that attempt to do away with most passwords, such as OpenID. The problem though becomes adoption. It is very easy to rely on the classic Web 2.0 login/password implementation

2

spsteve t1_j85swbk wrote

It does if a site did something stupid and included something useful in the url that lp has stored.

Edit: it also makes phishing much easier. That Metadata can be used like this:

You have an ms account and an Adobe account. I know because I have your metadata. I send you a sophisticated phish saying that Adobe is now offering to link to your ms account for single sign-in. Just enter your Adobe and ms ids on this form...

It might not hit you but it would get a lot of users.

1

spsteve t1_j85ukb6 wrote

Because the story keeps changing. First it was September. Then right before Christmas they dropped news about how bad it was. Now it was apparently earlier. A company whose job is based entirely on being trustworthy has been anything but open and transparent.

3

ecksfiftyone t1_j85xkhj wrote

Because you're missing the whole point. Password managers are there so you can generate a password like G&li/PdsZH-)73m?Df78:+pJS*(9dD79. You don't have to remember it and the password manager "should" be secure and encrypted. The Password manager will auto fill in the password across your devices so you don't need to dig out your notebook and type that thing in. You also wouldn't be able to log into your bank account app, or other apps or websites from your phone if your password isn't saved unless you always carry that paper with you.

Then, there is the sharing part. I share passwords for sites with members of my family. I have to share thousands of passwords with members of my team at work. A shared vault that's encrypted and secure works great for that.

Paper is great for my mother. 1 computer in her house, doesn't use her smartphone for anything smart. Wouldn't need those passwords away from home. Doesn't need to share. She actually uses an address book with the little alphabetical tabs. If she needs her google password, she flips to G.

3

spsteve t1_j85xrlg wrote

I have used it. I have never tried to use it in an offline state. I asked a question. Forgive me for asking a question. So sorry I don't know everything like you obviously do.

Edit: but since you are so knowledgeable, let's say I updated a bunch of passwords on my office device and haven't used last pass at home for a few days. When does last pass sync its database to "every device" as you said.

1

spsteve t1_j85ykwi wrote

"And the tools to decrypt it are where?" is what I asked you. After stating lastpass can go down. You could have corrected me without the attitude but no. The big bad keyboard warrior has to talk down to people about something. And my follow-up question?

1

FatedMoody t1_j85zcsf wrote

Hey, I already replied the first time without attitude even though you called my arguments bad without even understanding how LastPass works. Do you now see how LastPass going bankrupt or offline isn't that big a deal as opposed to losing a piece of paper with all your passwords and no backup?

Now as for your follow-up question. Yes, if you updated a bunch of passwords at your office and LastPass goes down, other devices won't get the updates. However this shouldn't be that big an issue since the work computer should have those changes you made locally.

1

WINSEVN t1_j863j9y wrote

I think this makes 3 or 4 breaches in the last 10 or so years.

1

spsteve t1_j869c9r wrote

Next question; what happens if someone breaches last pass and destroys the vaults and nukes the backups (and given they've been so heavily breached, and I have 0 confidence in them corporately to store safe backups) then what.

My initial point was, there are lots of good reasons to argue against paper vs password manager, but loss isn't one of them. Anything can be lost, and with these companies getting breached at this level (including some having backups deleted) I don't think THAT is the argument to use.

Finally, I am genuinely curious; when have you used lastpass in an offline state? Like why??? LOL If your network is down, what are you signing into you don't have memorized?

1

Chilio95 t1_j86dchq wrote

Dammit LastPass! >:( now I have to switch. What's a really good password manager? Anyone have any recommendations?

3

56kul t1_j86f24k wrote

It’s stuff like this that makes me wonder if I should pull from my password manager.

I’m subscribed to Dashlane and as of now, their records are clean, but this is worrying.

1

williamogle t1_j86ge4y wrote

I think I am just going to have to host my own password manager… it’s the only way I can think of to avoid it being lumped in together with a large collection of other peoples valuable information

1

schussboomer t1_j86n943 wrote

Username, password, and password notes are encrypted. The website URL is only hex encoded, so it might as well have been in plain text. In other words, hackers know which websites you have passwords for (so beware of phishing attacks), but if you have a strong enough master password, they are still probably trying to crack your vault. You can see for yourself what is encrypted by downloading your encrypted vault - this was a good article which helped me figure that out: https://palant.info/2022/12/24/what-data-does-lastpass-encrypt/

At any rate, going forward, 1Password seems to be a better choice because of the additional secret key required to unlock the vault.

In the end, there is no substitute for a good, strong master password.

3

ISLITASHEET t1_j86o22x wrote

The same vault that is stored server side should be what is available locally. Older vaults may be different, so your mileage may vary.

I know that I examined my local vault and fields that were associated with a credential were encrypted, but names and URLs were not. Some URLs were stored with a token in them. Regardless of that fact, I cycled all of my credentials as I migrated to another provider.

1
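Added here as a worked example, not code from the thread, from LastPass or from the linked article: a small Python check in the spirit of what schussboomer and ISLITASHEET describe. It takes one record from an exported vault and reports which fields hex-decode to readable text (encoded, not encrypted) and which are opaque binary consistent with ciphertext, then lists query-string parameters in any clear-text URL that look like session or reset tokens, since those leak along with the metadata and should be rotated. The record, field names, token-name list and classification heuristics are constructed assumptions for this example, not LastPass's actual export format.

```python
"""Inspect one exported vault record: which fields are encrypted, which are only
encoded, and which clear-text URLs carry token-like parameters.
Added example; the record below is constructed and the heuristics are just that."""
import base64
import binascii
import string
from urllib.parse import urlsplit, parse_qsl

_PRINTABLE = set(string.printable) - set("\x0b\x0c")
# Parameter names that usually carry a secret (assumption: illustrative list).
_TOKEN_NAMES = {"token", "session", "sessionid", "sid", "auth", "key", "apikey",
                "sig", "code", "reset"}


def _is_text(data: bytes) -> bool:
    """True when the bytes are valid UTF-8 made only of printable characters."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return bool(text) and all(c in _PRINTABLE for c in text)


def classify_field(value: str) -> str:
    """Hex that decodes to readable text is merely encoded.  Base64 that decodes to
    non-text bytes looks like ciphertext.  Anything else readable is plain text."""
    if not value:
        return "empty"
    try:
        if _is_text(bytes.fromhex(value)):
            return "hex-encoded plaintext (not encrypted)"
    except ValueError:
        pass
    try:
        raw = base64.b64decode(value, validate=True)
        if raw and not _is_text(raw):
            return "base64 binary (consistent with ciphertext)"
    except (binascii.Error, ValueError):
        pass
    return "plaintext" if all(c in _PRINTABLE for c in value) else "binary"


def token_like_params(url: str) -> list:
    """Query parameters whose name or value shape suggests a secret."""
    found = []
    for name, val in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in _TOKEN_NAMES or (len(val) >= 16 and val.isalnum()):
            found.append(name)
    return found


def audit_record(record: dict) -> dict:
    """Per-field classification plus token-like parameters found in a clear URL."""
    report = {field: classify_field(value) for field, value in record.items()}
    url_field = record.get("url", "")
    try:
        url = bytes.fromhex(url_field).decode("utf-8")  # hex-encoded URL -> text
    except ValueError:
        url = url_field
    report["url_params_to_rotate"] = token_like_params(url) if url.startswith("http") else []
    return report


def _fake_ciphertext(seed: int) -> str:
    """32 deterministic non-text bytes, base64-encoded (stands in for a real field)."""
    return base64.b64encode(bytes((seed + i) % 256 for i in range(32))).decode()


# Constructed record: the URL is hex-encoded, credentials are opaque base64.
RECORD = {
    "name": "Example Bank",
    "url": "https://bank.example/login?session=7f3a9c1e4b2d8f60a1b2c3d4&lang=en".encode().hex(),
    "username": _fake_ciphertext(200),
    "password": _fake_ciphertext(131),
    "notes": "",
}

if __name__ == "__main__":
    for field, verdict in audit_record(RECORD).items():
        print(f"{field:>22}: {verdict}")
```

Run against a real export, anything reported as hex-encoded or plain text is what the attacker already has; the `url_params_to_rotate` list is the set of sessions or reset links worth invalidating even before the master password question is settled.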

Breklin76 t1_j86pcj3 wrote

Apple’s Keychain is looking better and better, now that they have password support for Windows iCloud app.

1

Jsharp5680 t1_j86z0cl wrote

Fuck these mother fucking pieces of shit and the horse they rode in on.

That's how I feel about LastPass. Fucking absolute failure at the one thing they were supposed to get right.

Sad irony about this... I stopped using LP for my family about 2.5 years ago and migrated to a self hosted Bitwarden instance. I kept my free LP account as a "just in case" something goes wrong with self-hosting.

Fast forward to now. Self-hosting Bitwarden has been simplistic, easy to secure and 100% reliable.

Now I'm finding myself going through all of my more sensitive secrets in LP, rotating encryption keys I backed up there, passwords and the like. Major pain in the ass (some of the services used / encryption keys require a full reset and reconfigure - things like off site backups - so, resetting and reconfiguring backup jobs).

Then I have to go take care of my wife's secrets (less sensitive things).

But yeah, for the less technical savvy folks using LP, much more of a nightmare.

3

blackenedEDGE t1_j870qic wrote

While true, LastPass derives the encryption key from your master password using an algorithm called PBKDF2. There are guidelines for how many iterations of PBKDF2 you're supposed to use--on the client side; server-side iterations are mostly irrelevant in regards to overall security. LastPass failed to follow these guidelines and failed to guarantee that those who had vaults prior to each increase in the recommended iterations--or at least whenever LastPass actually increased the number by default for new vaults--were encouraged to log in asap and re-encrypt their vault with a key using the new default number of iterations to derive the key from their master password.

The current guidelines--which LastPass was informed of by OWASP--are to use at least 600,000 iterations. Only after being breached did they increase it...but only to the previous recommended number, 310,000. However, as of the breach that saw vault backups stolen, there were still some vaults that had less than 310K, even as low as 1 for a few people who've been customers for a long time.

2

FatedMoody t1_j877bdj wrote

> what happens if someone breaches last pass and destroys the vaults and nukes the backups (and given they've been so heavily breached, and I have 0 confidence in them corporately to store safe backups) then what.

I don't see this any different than your previous scenario. All your devices should have local copies. Sure, they may be a bit out of date but for the most part you should have most of your credentials

>My initial point was, there are lots of good reasons to argue against paper vs password manager, but loss isn't one of them

Well then we disagree. In my mind one of the major features of LastPass is redundancy, and they are more likely to be much better at it than I am, and worst case I have copies on my devices. Truly losing a password can be extremely devastating, case in point (though an extreme example):

https://www.bbc.com/news/technology-55645408

>LOL If your network is down, what are you signing into you don't have memorized?

Imagine a laptop you don't use often being locked and you're on a plane with your phone in airplane mode...

1

SatisfactionAny20 t1_j878cc0 wrote

It's not as straightforward as that. As it turns out, LastPass doesn't encrypt everything. The hackers managed to steal customers' unencrypted email addresses, and the list of websites that the customer has passwords for. Maybe even billing addresses.

2

spsteve t1_j878g8s wrote

What I meant by destroy the vaults is corrupt them. Then your devices sync the corrupted one. Done.

As for the use case, fair enough. I don't know I've ever had that issue as my physical devices all have passwords I remember and their passwords never leave my brain. If my physicals get compromised it is game over for everything else as far as I am concerned.

1

FatedMoody t1_j879aee wrote

Sure, ok, if there is a massive breach that corrupts all your passwords and destroys backups but still allows it to sync with every device you have, destroying those copies, and those devices also don't have backups, then yes you might be in trouble. No solution is absolutely foolproof. However what's more likely, the scenario described here or someone accidentally throwing away their password list or it being lost in some home accident? That's literally a single point of failure.

1

spsteve t1_j87aknf wrote

Normally I would agree with you, but given the level of breach suffered here AND the ABSOLUTE lack of transparency by the company, I wouldn't rule it out as an unreasonable concern.

With all the government supported bad actors in the world today the threat landscape has changed. State sponsored hacks designed to cause economic damage are becoming more and more commonplace. Sites like this are huge targets.

For the home user this is a difficult game but for the enterprise a well designed self-hosted solution (bitwarden for example) is the way to go right now IMHO.

Any of the big "public" cloud options are just too juicy a target. It is fairly trivial to set up your own reasonably redundant manager now if you're a company. The real issue is for the home user going forward. (But most home users have such horrible security posture I suppose it doesn't matter either).

1

sopwath t1_j87c340 wrote

Half the people posting here need to go read Cryptography by Keith Martin. An easy to read book that explains, among other things, that encryption and hashing are not the same thing.

1

canyonero7 t1_j87n0me wrote

Longtime LastPass user. I've switched to using the password function in Microsoft Authenticator, which I was already using for MFA. HUGE PITA - I had over 200 passwords on LastPass. But I'm done with them.

3

Siberian473 t1_j886oxo wrote

Despite a lot of dislikes that your comment got I also do believe that Google password manager or Apple Keychain (for those who are all in on Apple ecosystem) are better and safer solutions.

Like where is your data more safe: at Google and Apple or at some random small startup with five employees total?

2

CervantesX t1_j88dm1i wrote

Don't make it sound like it's that hard to make a site-unique password scheme. And all it takes is buying a domain name, and you can have unique site-specific login emails as well. Even if one of the sites gets hacked and your L/P are in plaintext, it would take an actual person intentionally targeting just you to even have a hope of noticing your scheme, let alone figuring it out. Sprinkle in some 2FA and there's no way anyone is finding another accessible account before that site auto locks for bad logins, and/or you notice all the notifications thereof.

Or you can put your entire life worth of passwords into the hands of a company dedicated to making as much profit for as little work as possible, and hope it works out for you.

1

guatemaleco t1_j89nwz6 wrote

I wasn't basing that on statements from LastPass. I just presented on this at work and as part of preparing the presentation, we analyzed LastPass, Bitwarden and 1Password vaults as they are synced to their respective services. Palant's blog was certainly one of the sources we used in putting together the analysis.

Some interesting takeaways are that Shared Folders and Federated authentication offered some additional security. 2FA is completely meaningless in this situation as nothing from 2FA is used as part of the encryption key derivation.

As you also mentioned, age of the account made some differences (though not in whether the username was encrypted or not). Default iterations being a big one, and AES-CBC vs AES-ECB, which would certainly make usernames more easily determined.

1
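A worked example added here, not code from the thread or from LastPass or 1Password, pulling together three points made above: blackenedEDGE's note that the vault key is PBKDF2 over the master password and that some stolen vaults had an iteration count of 1, schussboomer's point that 1Password additionally needs a secret key to unlock the vault, and guatemaleco's point that 2FA is irrelevant because nothing from it feeds the key derivation. The code models an attacker who holds the stolen file and runs a wordlist offline: each guess costs `iterations` PBKDF2 rounds, so a 1-iteration vault gives the whole list away for almost nothing, while a random 128-bit secret key mixed into the derivation makes the same wordlist useless even when it contains the master password. The "two-secret" derivation is a simplified assumption, not any vendor's exact scheme, and the field cipher is an HMAC-SHA256 counter-mode stream with a MAC, a standard-library stand-in for AES so the example runs offline; no real product uses it. Sample passwords and wordlist are constructed.

```python
"""Offline attack on a stolen vault (added example; not LastPass/1Password code).
Cipher below is an HMAC-SHA256 counter-mode stream + MAC, a stdlib stand-in for AES."""
import hashlib
import hmac
import secrets

OWASP_PBKDF2_SHA256_ITERATIONS = 600_000  # the guidance cited in the thread


def derive_key(master_password, salt, iterations, secret_key=b""):
    """Vault key = PBKDF2-HMAC-SHA256(master password).  secret_key is an optional
    random 128-bit value that never leaves the user's devices; folding it into the
    salt means a stolen vault cannot be opened from the master password alone
    (assumption: a simplified two-secret derivation, not any vendor's exact scheme)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt + secret_key, iterations, dklen=32)


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key, plaintext):
    nonce = secrets.token_bytes(16)  # fresh per field, like an IV
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key, blob):
    """Plaintext, or None when the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def make_vault(master_password, email, iterations, entries, secret_key=b""):
    """entries: {site: password}.  As in the format discussed above, the salt (email)
    and iteration count travel with the vault and site names stay in the clear."""
    key = derive_key(master_password, email.encode(), iterations, secret_key)
    return {"salt": email.encode(), "iterations": iterations,
            "items": {site: encrypt_field(key, pw.encode()) for site, pw in entries.items()}}


def open_vault(vault, master_password, secret_key=b""):
    key = derive_key(master_password, vault["salt"], vault["iterations"], secret_key)
    items = {}
    for site, blob in vault["items"].items():
        pt = decrypt_field(key, blob)
        if pt is None:
            return None
        items[site] = pt.decode()
    return items


def crack(vault, candidates, secret_key=b""):
    """Dictionary attack on the stolen file.  Returns (master password or None, work),
    work = guesses * iterations PBKDF2 rounds.  No server is contacted, so account
    2FA never enters into it."""
    probe = next(iter(vault["items"].values()))  # one field suffices to test a guess
    work = 0
    for guess in candidates:
        key = derive_key(guess, vault["salt"], vault["iterations"], secret_key)
        work += vault["iterations"]
        if decrypt_field(key, probe) is not None:
            return guess, work
    return None, work


# Constructed sample data: a weak master password that sits third in a tiny wordlist.
MASTER = "Summer2022!"
WORDLIST = ["password123", "letmein", MASTER, "P@ssw0rd"]
ENTRIES = {"bank.example": "G&li/PdsZH-)73m?Df78", "mail.example": "correct-horse-battery"}


def demo():
    legacy = make_vault(MASTER, "user@example.com", 1, ENTRIES)  # the 1-iteration vaults
    modern = make_vault(MASTER, "user@example.com", OWASP_PBKDF2_SHA256_ITERATIONS, ENTRIES)
    secret = secrets.token_bytes(16)
    keyed = make_vault(MASTER, "user@example.com", 100_000, ENTRIES, secret_key=secret)
    return {
        "legacy": crack(legacy, WORDLIST),               # found after 3 rounds in total
        "modern": crack(modern, WORDLIST),               # same guess, 1.8 million rounds
        "keyed_without_secret": crack(keyed, WORDLIST),  # never opens, whatever the list
        "keyed_with_secret": open_vault(keyed, MASTER, secret) == ENTRIES,
        "cracked_vault_readable": open_vault(legacy, crack(legacy, WORDLIST)[0]) == ENTRIES,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The work counter is the whole story of the iteration-count argument: the wordlist is identical in every case, only the per-guess price changes, and an attacker with GPUs simply divides that price by their hash rate. The keyed vault shows why the secret key is a different kind of defense: it adds entropy the wordlist can never contain, whereas iterations only slow each guess down.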

DashlaneCaden t1_j8e1fro wrote

Correct - we have never had a security breach (we even confidently state it front & center on our website). I'll never say it's impossible, but we are confident we deploy the highest level of security practices possible to ensure a breach will not happen.

1

56kul t1_j8eb97o wrote

Ah, alright.

So may I ask why Dashlane isn’t on Firefox’s extension store? Since you’re specifically working on the extension.

I know it’s not really the place to ask about it, but I tried looking it up and found a Reddit post from over a year ago.

1

DashlaneCaden t1_j8ecrbu wrote

Absolutely!

So I cannot speak to why we went the route of hosting the extension ourselves rather than listing via the Firefox add-on store in the first place, but I can say it's on our roadmap to explore listing this year. I'm not on the team that handles our store automation & deployment processes, but from my understanding there is still some work needed to make the migration & it's slated for this year (with no specific date planned yet).

Our hosted version will still receive automatic updates, we're just missing out on the marketing / discoverability that the add-on store provides.

1

56kul t1_j8ed5jp wrote

Well, I just hope it’ll be resolved soon.

I definitely trust that your self-hosted extension is safe, but I'm not a fan of using such extensions. I just like the peace of mind of using one directly from the store.

1

DashlaneCaden t1_j8ee111 wrote

Ah yes & just to clarify, our extension still has to go through the signing & review process at Mozilla, including submitting source code occasionally for them to reproduce builds & validate + approve our extension. We just opted to distribute it ourselves rather than in the add-on store originally.

1

DashlaneCaden t1_j8eeenv wrote

I believe the biggest hurdle is how to migrate users best from our hosted extension to the add-on store version, so we can avoid having to deploy & maintain the distribution of both versions. Moving from an unlisted extension -> listed is not as seamless as you'd expect, as it would technically be a new / separate extension on the add-on store.

1