by wallunit on 3/23/17, 4:46 PM with 213 comments
by dahart on 3/23/17, 6:06 PM
As a fairly happy LastPass user, I would certainly like to know what ongoing threats there are here, and what the real-world likelihood is that I might be exposed to those threats. Would anyone care to summarize? The linked issues have been fixed, even in Firefox, and the claim that vulnerabilities still exist is unsourced.
*EDIT: disclaimer has been added! My comment is now out of date.
by mnm1 on 3/23/17, 6:05 PM
No, it's not harsh enough for a program that knows the right password, shows it to you, but then inputs the wrong one in the password field. Of course, compared to these security issues, such UI issues are almost irrelevant. With such a simple UI to program, you'd think they'd at least get that right or fix it. And if they don't, it's likely they have much bigger problems under the hood. Over and over.
Unfortunately, all the reviews of Lastpass I read gave it 4-5 stars and it was often a recommended or editor's choice pick. Clearly, those reviewers and their publications are just a bunch of shit words to attract advertising (that includes pretty much every article on password managers I managed to read). This is a pretty important part of security. If it takes someone with expert skills in computers almost a year to find a good password manager program, not to mention days worth of work importing into and testing various solutions, what chance does your everyday computer user stand?
The way things stand with password managers right now, I'm not sure we're advising ordinary computer users correctly in telling them to use one.
by johnjuuljensen on 3/23/17, 5:35 PM
Put your keyfile on Dropbox/OneDrive/whatever so it syncs to all your computers.
Keepass2Android works great and can read from most cloud storage solutions.
Don't know about iPhone.
Edit: It also has a lot of neat plugins. I use one for storing ssl certificates, which also supports key forwarding to putty.
by Blackthorn on 3/23/17, 5:41 PM
Is there anything automatic out there? I'm not going to use program+dropbox/cloud-provider. I need something like lastpass.
Don't suppose there's anything out there that can import the lastpass db?
by staticassertion on 3/23/17, 8:00 PM
> Altogether it looks like LastPass is a lot better at PR than they are at security. Yes, that’s harsh but this is what I’ve seen so far. In particular, security vulnerabilities have been addressed punctually, only the exact scenario reported has been tested by the developers.
This seems unfair.
LastPass fixes the initial vulnerability punctually - we do not know what they will do in the future. Is it better for them to wait, come out with a defense in depth approach, and then patch? Seems silly.
Of course, how long do we wait? Historically, I would argue, LastPass has done defense in depth fairly well - when there was a breach they were quick to not only address the vulnerabilities immediately but soon after they rolled out Content Security Policy and HSTS, two technologies that were rarely deployed in the wild at the time (and are still sadly too rare).
My suggestion to LastPass users is to:
1) Enable 2FA
2) Up your PBKDF2 rounds
3) Disable as many browser integration features as possible
I don't recommend dropping LastPass and trying to roll your own key-sync store with KeePass/Dropbox as some have done. I don't know of any other browser-based password manager that isn't equally weak to attacks based on browser integration.
Alternatively, don't use a browser-based solution. This is less convenient but you'll avoid by far the largest area of attack surface.
by jd007 on 3/23/17, 5:35 PM
by Orangeair on 3/23/17, 5:44 PM
I guess for now I'll just turn off all of the automatic features like this I can find.
by ja27 on 3/23/17, 5:56 PM
by gtirloni on 3/23/17, 5:20 PM
by miles_matthias on 3/23/17, 6:17 PM
<rant> However, can I just rant for a second about how these security assessments and blog posts fold out? The beginning of my career was spent thinking I was going to go into this field (one of my degrees is in Information Assurance) and the #1 thing that persuaded me to switch to building software instead was the attitude and approach of the security field.
If it's not 100% secure and we all agree that it's the 100% best way to do something, it's the end of the world and anyone using LastPass is an idiot who will have all of their passwords hacked and their life ruined. (Remember when the draft for client side storage was announced? You would have thought armageddon was upon us based on the reaction of the security industry.)
Big picture here -- most people re-use a short, simple password on all of their sites. Using a password manager, even one with a few things that it can and should improve, is a HUGE step in consumer behavior. Bickering amongst ourselves and boasting for crapping on someone's company is not the right approach to increasing our entire society's security stance.
Want to actually help?
1. Create more resources to help consumers pick, use, and adopt a password manager with super simple setup process. Even the current methods that all password managers use of generating, saving, and autofilling passwords are too complex and cumbersome for the average consumer. Heck, even MFA is seen as a huge waste of time and barrier to logging into people's accounts by the majority of people right now.
2. Create more resources to educate developers of these services, helping them to see what they should do and how they should do it, not bragging about your ability to tear down a service they spent hours slaving over. Get over yourself and actually help society. (https://www.owasp.org/index.php/OWASP_Guide_Project is a great example of this)
Looking for an example? Apple's iTouch. Yes -- it's not the most secure option. People leave their fingerprints all over the place and they can be lifted and used to unlock a phone. But look at the other option -- using no passcode, or a 4 digit passcode that's easy to guess or look over a shoulder. Is it the most secure option? No. Does it raise the level of security for our society as a whole by providing a realistic security barrier that the average consumer can use? Yes. </rant>
by Sealy on 3/23/17, 5:22 PM
by mancerayder on 3/23/17, 5:33 PM
It seems password managers please some of the people some of the time, and unnerve many of the people all of the time.
by indutny on 3/23/17, 7:38 PM
(Disclaimer: I'm the author of it).
by h1d on 3/23/17, 6:22 PM
With that said, I only use offline managers and this is only for Mac, but Locko by Binarynights is clean and easy to use. The downside is that its browser extension can't remember basic auth credentials, but other than that I like it. I can also back up the encrypted database easily with a script.
(Seems the link is gone from their site with the release of forklift3 but the page still exists. http://www.binarynights.com/locko/ )
by proactivesvcs on 3/23/17, 10:45 PM
by 4ad on 3/23/17, 5:37 PM
I don't care about portability. Why would I want e.g. 1Password instead of simply using Apple Keychain?
Thanks!
by feeblewitz on 3/23/17, 5:49 PM
I thought I had no illusions about the inherent insecurity in using LastPass, but I guess I was wrong. I use Yubikey and disabled autofill long ago, but I was still vulnerable. Their response to these exploits is maddening. "Our investigation to date has not indicated that any sensitive user data was lost or compromised." This when they can't verify if passwords were compromised as LastPass servers weren't involved in this exploit.
So I guess I need to switch to a different service. Any suggestions?
by alexmat on 3/23/17, 6:11 PM
It works well with chromium on linux and on my android phone. It's free, has all the security of a google account including u2f, chromium integration is flawless on linux, and works well with chrome on Android.
by hyyypr on 3/23/17, 5:58 PM
by test6554 on 3/23/17, 7:21 PM
by aeleos on 3/23/17, 7:58 PM
by touchofevil on 3/23/17, 6:42 PM
by karood on 3/23/17, 5:34 PM
by SubiculumCode on 3/23/17, 6:15 PM
by draw_down on 3/23/17, 5:35 PM
by saosebastiao on 3/23/17, 5:41 PM
Once you've adopted a password manager, you've limited the scope of potential abuse, and you've decreased the pain of recovering from abuse that does happen. Being forced to change passwords used to be a stressful problem for me, and now it is not. Before, I would procrastinate changing passwords after a breach, because I knew how hard it would be. With lastpass, I literally changed every password in my vault in less than a half hour.
The PR matters because it's too easy to hear some bad news and give up on trying to be secure. If the PR prevents people from giving up, I'm all for it.
by rebootthesystem on 3/23/17, 6:15 PM
Context:
What I am after is a password manager that has the option to NOT store anything in the cloud at all. I want encrypted storage to be stored locally. No exposure outside my network. Inter-device synchronization done manually or automatically within the confines of said private network.
I would also like to store data beyond uid's and pwd's. For example: secret questions and their answers, account and pin numbers, company tax id's, bank account numbers, passport numbers, etc. In other words, data you might need handy that should be encrypted.
I've been using a program for a number of years. The program started exactly as I described above: Network only synchronization.
Over the years they have mutated the program to cloud based storage. And, over the years, they have done this without warning to users or seeking any kind of authorization.
Imagine if you are using software that only stores data locally and syncs over your network, only to wake up one day to discover that the latest update uploaded all of your secret data to their cloud-based system WITHOUT your permission. And, to make things even worse, they progressively eliminated the network sync option.
The current version doesn't even ask, the minute you edit a record or create a new one it shoots it up to the cloud. Unbelievable.
Years ago I asked about this. I have an email from the support assuring me the data would never be stored on the cloud. Time to file a lawsuit?
Anyhow. Is there a tool fitting my description above? I don't care if it's free or paid. I simply want my data to never move outside my network unless I want it to.