Comparing Lastpass to browserpass through the eyes of a "normal user"

[ipundit]

Introduction

First of all, great work on this extension and providing an open source alternative for password management. I recently moved from Lastpass to browserpass on Windows and it was (and still is) a painful process. In my opinion, the project has great potential, but there are some usability features that need to be implemented before it can be viable alternative for "normal users."

For the purpose of this narrative, I'll call this "normal user"/persona "Alice", who is an amalgamation of real people whom I've supported and consulted for as the "guy who they call to fix my computer." Alice is a 50 old grandmother who can't remember her passwords. So, she puts them in a plain text note on her phone and types them into her banking website. She does not know or even want to know what gpg is; she just wants to use the internet and login forms "get in her way".

Alice is willing to try out browserpass (or any other alternative) upon my recommendation because I say that it's free (as in speech), but what she understands is that browserpass is free (as in beer). However, Alice has a very low tolerance for bugs or usability issues. If her password manager does not work on the first, or at most, second try, she will abandon it as she must have an unusually high degree of trust in any software that manages her passwords.

Therefore, at this point, I would still have to recommend Lastpass to Alice as there are several features in Lastpass that make it possible for Alice to use, as browserpass in its current state is beyond what Alice has patience for. Here are the Lastpass features I would consider essential before I recommend browserpass to Alice:

Lastpass has a user-focused website

Lastpass has a big button right on its homepage where Alice can download its installer. Alice has never been to github before, and would get lost in its browserpass' verbiage about making the software. If she perseveres and finds the releases page, she would not know that she needs to download and install the windows package, as well as the Chrome package.

Or worse yet, she finds browserpass-ce though the Chrome addons page and installs it, but it doesn't work because the native client is not installed. At this point, Alice would give up, especially as the error messages are cryptic (issue #164).

Also, Lastpass' webpage has extensive documentation, not only on how to use the product, but why and the security implications of one tradeoff vs another. Would it be possible to set up a browserpass wiki to facilitate crowdsourcing the documentation? browserpass is one tool of a set of tools that need to be combined and configured as a package to deliver a

Lastpass has what they call, a "Universal installer"

Alice would like an installer similar to Lastpass' "Universal installer", which:

1. Offers to install browserpass for all browsers on her computer by default (Lastpass includes IE and Edge support, but these days, I can usually convince "Alice"s to move to Chrome because she knows and trusts the Google brand, especially if she has an Android phone and her life is that ecosystem already. Thus, IE and Edge support is nice to have, but I don't think it's a showstopper for "Alice"s to move over)
2. Installs all its dependencies so "it just works out of the box". That would include the browser extensions, native client, gpg, password store, and creating a private key for her
3. Warns Alice that she must choose a password that she will not forget, as even browserpass cannot help her recover her password.
4. Offers to import her passwords from every browser.
5. If she has another password manager installed, provides a wizard interface that guides her through the process of exporting the passwords from that manager and importing them into browserpass
6. Automatically creates a cloud account on lastpass.com that backs up her encrypted passwords and shares them on all her devices, especially her phone. This is a killer feature, but it requires backend infrastructure and certification that costs a lot of money. I think as a cheap alternative, browserpass could look for its password store in a well-known location in Alice's Dropbox or Google Drive, and pre-populate her passwords from there. If you install in something like, "C:\Dropbox\browserpass passwords" and have a readme file in it saying "don't delete me", Alice will leave it alone. Power users would want to move this default password store location to somewhere else, but they have the know-how and patience to figure it out; Alice does not.

First impression of Lastpass

First impressions count; they count a lot for Alice. This is an actual screenshot of Lastpass; browserpass has no equivalent to it. Several notes illustrated by this screenshot:

1. Search LastPass Vault is the equivalent of browserpass's filter, except

• It's noticeably slower and does not return in-place results as fast as a Google search, which is what Alice expects these days
• You don't have to press enter or / to move to filter mode. This is superior to browserpass' bimodal search interface, especially since there is no visual indicator of which mode you're in (filter vs search)

1. Open My Vault brings Alice to a lastpass.com webpage showing her online password store. A similar link to jump to my local password-store would be helpful
2. Sites is a local view of Alice's password-store, and could be a complete replacement for her browser's bookmark features. Alice doesn't use it, because she's used to using her browser's bookmarks.

• Besides, once she browses to a site with a login, Lastpass automatically fills it in and logs in for her (issue Add an option to autofill the login form after URL is opened via browserpass #249). This is a killer feature for Alice, and unless browserpass implements it, it would be difficult to convince Alice to move over to browserpass. I've actually converted many "Alice"s over to Lastpass by demoing this feature, "You mean, I don't have to remember enter my password anymore?" Then a long story of how she's forgotten her passwords, followed by a demo of how she finds and remembers her passwords (the most common solution is a txt file stored in non-backed up place. One "Alice" had a hard drive crash and lost her only copy of her password txt file, but that's a different story... :), followed by "I want it." Meanwhile, management is happy because their employees are happily moving to a more secure password system, but it was the convenience story more than the security story that convinced most "Alice"s to move over.
• Under the Sites menu (not shown in this screenshot), there is a button to "Save All Entered Data". Unfortunately, Alice doesn't use this feature because she never found it in Lastpass' interface. However, it's a very useful workaround for the not-so-rare cases where Lastpass could not completely detect and fill out a form. Alice would ask Lastpass to fill out a form, and then manually fill out the rest of the fields. Pressing "Save All Entered Data" would then correctly fill out the forms in the future because it has the field ids. (Issues #187, Autosubmit form by emitting Enter keypress #271)

1. Secure Notes gives Alice a GUI to store encrypted files and text. A browser-based GUI to GPG would be a nice and often-used feature to have, especially if you can use it to Create Update Retrieve Delete (CRUD) logins (Issue #24). If you go that far, then extending the UI to CRUD *.gpg files in your password-storage is not much harder to do. From a UX point of view, I like Lastpass' label and UI of "Secure Notes"; it's a clever and easy way to convince users to move from unencrypted plain text files to an encrypted solution for their sensitive data.
2. Form Fills is issue #187. Seeing how Lastpass and other password managers implement this feature could be instructive for browserpass's UX design for this feature
3. Click Show Matching Sites to get the below screenshot. This is by far and away the button Alice will click most often for Lastpass because she logs into a site way more often than any other Lastpass feature. Not having to click this button every time you want to log in is a major UX win for browserpass over Lastpass
4. Alice does not use Recently Used as she does not know that the feature exists. Instead, she just browses to the site she wants to go to and Lastpass logs in for her (Issue Add an option to autofill the login form after URL is opened via browserpass #249).
5. Alice does not use More Options. It's the equivalent of the Advanced... button common in Windows interfaces which contains advanced features that Alice rarely, if ever needs to use. Thus, she never uses it, and therefore she doesn't even know that it exists.
6. Alice does not use Preferences. She would get more benefit out of LastPass if she went through those options, but the default settings for Alice is good enough for her and she's satisfied with the product.
7. That's why she doesn't click the Help menu item either. But if she did, it directs her to the online documentation. If there was more documentation than a single readme.md file (eg. set up a wiki so we can help?), this would be an easy and useful feature to implement for browserpass
8. Logout does what it says, but see issue No obvious (or even possible?) way to logout #273 why this is not implemented in browserpass. More interestingly Lastpass allows you to login with another account. Supporting multiple password stores encrypted by different private keys with different passwords implements multiple account logins. But then, you need a way to logout from one account vs another. Issue No obvious (or even possible?) way to logout #273 gives a workaround that requires a command line. Alice doesn't even know what a command line is.

Lastpass vs browserpass, side by side comparison

This is a screenshot comparing Lastpass' most used popup with browserpass' only popup after I imported Lastpass' paswords into browserpass and configured multiple password stores to get badges, etc. I did not rename the *.gpg files in my password store as it would take hours to rename the 646 passwords(!) I had in Lastpass. However, without this manual renaming, or some kind of auto-renaming for me, browserpass would remain unusable for my normal workflow as shown in the right hand part of the screenshot:

Some more detailed UX-focused comments:

1. Alice has difficulty seeing browserpass' logins - the font is too small
2. Lastpass has the ability to generate passwords and keep them around until the user explicitly deletes them. This is a v3 feature for browserpass (Issue #24)
3. Lastpass shows the login names; browserpass does not.
4. Browserpass shows its popup screen way faster than Lastpass does. I assume, but cannot be sure that this means Lastpass decrypts the logins before displaying the user names. Browserpass does not decrypt gpg files before showing this popup form for performance reasons (see Issue Update README.md #242 for details) But from Alice's point of view, she much prefers seeing her login names than not. If there was no way to automatically rename the gpg files to the user names, then she would not be willing to switch from Lastpass to browserpass. I was surprised that I had 646 passwords and I would not be willing to rename them all to the user names manually either. Has anyone written a script to do this?
5. Lastpass matches on the URL to display only the logins that match that URL. This makes more sense, as Alice can organize her logins in a directory tree that makes sense to her without regard to having the url in that directory tree. Browserpass matches on the directory structure and name of the gpg files to do the same, but it then forces Alice organize her gpg files by URL folders to achieve the same filtered results.

A proposed solution to have great UI and great performance

I like Lastpass' better UI, but browserpass' speed. Lastpass seems to be getting slower and slower with the last several releases, to the point where I finally started looking for alternatives and found browserpass. It has great promise, and support is great as @maximbaz can answer and close issues faster than I can respond to them :), but this renaming issue is a showstopper for me.

Stepping back to solve several problems illustrated in this narrative, I would like to propose a different data model for browserpass:

1. Indexing phase: Decrypt and read all the keys in the user's password-storage and index them by:

• Username (1 per login)
• URLs (1 or more per login see Issue UI guides the user to enter credentials into the wrong site #274)
• Tags (0 or more per login)

This would take a long time for 646 passwords, but would only have to be done once if written to a plain text file, or an sqllite database (this is probably overkill). If the user CRUDs logins through browserpass' interface, then both the gpg files and the index file will be kept in sync; otherwise, a reindex operation will be necessary.

Also note that name and directory structure does not have to be used by browserpass in this design, so I can arrange my password-store the way I like it without it impacting how browserpass displays search results to me.

2. Filter phase: Get rid of search mode and just use filter mode, but filter on Username, URLs, and tags to return search results. Bash-like Tab completion and completion hints would be nice here. The result would be a flexible and fast way to search through all my passwords, to the point where I would seriously consider getting rid of my bookmarks and using browserpass instead.

For example, I could search by Finance to see all the sites I tagged with "Finance". This replaces the Finance folder in my bookmarks. Then I could filter by Personal to see the personal logins on these finance sites as opposed to my work logins. Then I could type in the first few letters of the site I want to login to, and login there - all without using the mouse.

Or if I know the site I want to login to, I type in the first few letters of its domain, tab to complete it, and get a list of color coded logins (#270) tagged by Personal, or Work. I click the login that I'm interested in, and jump there.

This is a better workflow than I've seen anywhere else. If browserpass can match Lastpass' ease of use, but retain its blazingly fast performance, then I would be able to convert many "Alice"s I have in mind over to browserpass.

[maximbaz]

First of all, huge thank you for this write-up, I really appreciate the time and energy you put into describing this in such a great detail! I will try to keep my answer as informative as your proposal is.

Target audience

I think the main point to clarify is the fact that Alice is not a target audience for browserpass, simple as that. Lastpass is and will always be a better, easier way for Alice to manager her passwords. I personally recommend my "less tech-savy" friends & family to use Lastpass, not browserpass.

Meet Bob, a member of the target audience of browserpass. Bob likes the Unix philosophy and so has made pass (or gopass) his primary password store. He studied how pass and gpg operate, and how to configure them to his liking, and he puts a high degree of trust in this password management system precisely because he understands its inner workings. Bob sets up a cloud sync of his precious password store (via GitLab, GitHub or Dropbox) because he understands why it is secure. He has high tolerance for bugs in software he uses, he will happily investigate an issue and notify developers, or maybe even submit a pull request himself. Bob is quite happy to use pass on a daily basis, but he is concerned of becoming a victim of a phishing attack (also, he would like to simplify a process of filling and submitting login forms). He is searching for a browser extension that will offer him protection, but at the same time not stand in a way of two primary operations: search for credentials and submit them. Browserpass seems to be just what he needs.

Installation

Bob understands that browserpass will have access to his most precious information, he will not just install a random binary from the internet. Luckily browserpass is open source, and since the sources are on Github, he will download the installation archive from there. Browserpass provides both pre-compiled binaries and source tarballs via Github releases, and of course gpg signatures. Bob will definitely verify the signature, and prefer compiling the application from source if that is not too complicated. He will consider scripting the installation process and making it available for people using the same OS (e.g. AUR package for Arch Linux users, or homebrew package for macOS users).

It is even possible to script even the installation of the browser extension (this is done in AUR package), but if not, Bob will happily install the extension from Chrome or Mozilla webstore to get automatic updates (only after he confirmed on Github that these links are genuine).

Bob is a user of pass, so he knows what is the expected location of password store on a system, how to migrate from lastpass to pass and how to securely sync his credentials between devices, he neither trusts nor wishes a browser extension to do this for him.

Usage

(A lot has been reworked in v3, I'm writing about the experience in v3)

1. Browserpass doesn't have two modes (search/filter) anymore, the default screen shows you a subset of credentials, press Backspace and you can search across the entire password store. The search is instant and realtime, doesn't require pressing Enter or /.
2. Browserpass will not leak any credentials by default, it will definitely not put credentials automatically on a page, and will not submit forms automatically (although it is possible to relax this globally or for certain credentials).
3. Browserpass is intended to be a thin client over pass, so pass edit is still the preferred approach to handle secure notes.

UX comments

1. Larger font - done in v3

2. Generate passwords - planned

3. matching by url: would again require decrypting the entire password store, so no

4. Show logins - browserpass shows them if you name your files as site.com/login.gpg

   @ipundit https://www.passwordstore.org/ has a script called lastpass2pass.rb, I personally used it to migrate. It is relatively easy to modify the script to choose your preferred naming scheme.

5. Indexing password store is costly and has to be done every time you add credentials or modify existing ones (in case you changed url field). And the fact that there is no intermediate substance like SQLite database or text file I actually consider a benefit, not a drawback :) I'm curious, what kind of organization of a password store would you rather have, and why?

6. Get rid of two modes - yes!! This was the first thing we did in v3. And instead of Tab-completion there is a fuzzy search. What you have now in browserpass v2 when you press "Backspace, /, Enter" is activated by "Backspace" alone in v3, and then you can e.g. type "wogi" to find an entry "work/github.com".

7. Using browserpass as bookmark manager - you know how this makes me feel :) But, I don't think the experience is that bad. Yes, it was confusing on the first try that you have to press globe button and not the url name, but next time you already know where you need to press - and the button is just 2cm to the right. The globe button should work for every password entry that has a domain name in it, open a new issue if Globe button throws errors for you and describe some context. If you are a keyboard user, there are shortcuts available, see README.

Final notes

The fact that your password store is primarily managed by pass, and not by an extension has another advantage - it is very easy to migrate between "browserpass-like" extensions without experiencing issues like you now have migrating from Lastpass. There are currently two quite cool alternatives to browserpass that you might be interested to check out.

1. passff - if I remember correctly, it actually decrypts the password storage, allowing you to have complete freedom in organizing your password store and just providing url field in every gpg file (also it already supports the extra form fields). Unfortunately it currently works only in Firefox, but the Chrome port is planned.
2. gopassbridge - very new, uses the host application built into gopass itself! One less binary to install, but of course works only with gopass.

In v3 the host app is actually rewritten completely from scratch, and it is designed to be as simple as possible, with great API, well tested and simple to reuse. People will actually be able to build their own implementations of browser extension, and reuse the same host app. If there is a demand, I can totally envision an alternative browserpass extension built specifically with Alice as target audience in mind.

Hope this clarifies the project goals, let me know if I can provide some extra information.

[savyajha]

Will the v3 host app be compatible with the gopass json API? I realise that gopassbridge exists, but I like this extension. :)

[maximbaz]

No, at some point I proposed this as well (#194), but there was no interest from the community, or the person who implemented the gopass API (and we need to have some influence over the host API if we were to go that way). So with v3 you will still need to install our host app.

However, that might be for the better, once we decided to rewrite everything, having the freedom to make any changes and avoid the burden of maintaining compatibility with anything allowed us to make better design decisions.

But to make it clear, we don't have a hard dependency on pass, so your gopass store should still work with browserpass as it works today.

One of the biggest goals for v3 host app specifically is to reduce the number of times people need to update it — ideally we would never need to even release v3.1. Browser extension is where most of the features will be implemented, but its versioning is not tied anymore to the version of the host app, and luckily updates to browser extensions can be pushed automatically via Web stores.

[jangari]

I identify heavily with Bob. I work as a tech consultant for researchers (read: people who have more important things to do that study the underlying architecture of their applications) and I commonly recommend Lastpass to people who I reckon would identify more with Alice. I also recommend KeePass to people who are slightly more technical, and worry about cloud storage of their credentials and trusting everything to probably the most lucrative target for hackers that has ever existed, but who might struggle to handle GPG keys, syncing their store with Git, etc.

I might add that the comment about using BrowserPass as a bookmark manager raised my brow. Obviously decrypting each time you want to visit one of your bookmarks is terribly inefficient, but I'm wondering whether anyone knows of a bookmark extension that could work like BrowserPass in all respects except encryption? Or if there's a way to configure BrowserPass to use the url in the password entry filename rather than the url: attribute?

[erayd]

@jangari Thanks for your input on this issue :-).

I might add that the comment about using BrowserPass as a bookmark manager raised my brow.

It's not intended for use as a bookmark manager ;-). That feature is there for the sole purpose of intercepting login requests that block when the page is first opened (e.g. HTTP basic auth request etc.).

If you launch the URL from browserpass, then the assumption is that you did so in order to log in. If you launched in some other way, then browserpass has no idea which credentials you may wish to use (if you even want to log in at all), and no way to determine this - so it leaves things strictly alone.

Or if there's a way to configure BrowserPass to use the url in the password entry filename rather than the url: attribute?

It already does. It looks in the pass file first, but if it cannot find a url: entry there, then it falls back to the deepest valid domain found in the file path.

[maximbaz]

Closing to cleanup the list of active issues, but feel free to comment if you have other questions or suggestions.