As a fairly happy LastPass user, I would certainly like to know what ongoing threats there are here, and what the real-world likelihood is that I might be exposed to those threats. Would anyone care to summarize? The linked issues have been fixed, even in Firefox, and the claim that vulnerabilities still exist is unsourced.
*EDIT: disclaimer has been added! My comment is now out of date.
The claim that vulnerabilities still exist was unsourced six months ago - now you have proof that they do. It would be naive to assume that this was the last of them. As I explained several times already, the issue is a structural one. LastPass keeps the attack surface unnecessarily large and they are pretty bad at securing it.
The recent vulnerability reported was particularly bad, launching an arbitrary external application is really as bad as it goes - this could have resulted in a malware infestation. But the typical threat is "merely" losing all your LastPass data to a random website you are visiting (or a hacked ad script running on it).
How likely is it that bad guys will actually try to target LastPass? They seem to have at least 10 million users judging by AMO and Chrome Web Store numbers. I can clearly see that on some websites trying to exploit LastPass users can actually be lucrative. Whether it will happen to you personally, nobody can tell of course.
Re: unsourced vulnerabilities, only complaining about my own ability to know what that means, not questioning the validity. Yes, reports always start unsourced, necessarily.
This is the case with all password manager browser extensions. A desktop-based password manager without the browser extension does not have this risk vector. And, as we've seen with the dozens of extremely critical LastPass bugs, they're not even particularly good at securing said API. Other products may be less bug ridden, but they share the same risk vector.
I use pass[1], and I recommend it if you can stand copying and pasting. It's really not much of an inconvenience for the dramatic increase in security you get.
Good security is hard in practice because people are always going to default to the most convenient/simple way to accomplish their goal, and at this point, most of our security measures require someone to expend extra energy. That means it's going to be very hard to get people to do it.
We have decades of experience with this just with regard to one layer of passwords. Adding an extra layer, like a password vault, is not going to make things better.
While it is absolutely true that there is more risk involved in using a third-party extension to manage a password vault than not, the actual net effect is likely better security, because if you make things too hard, people are just going to say "Fuck those annoying nerds, we're going to make every password 123456", or whatever the next-simplest answer that the system will permit is.
As for LastPass making mistakes, that's true, but the benefit you get by using a well-known product like LastPass is that Project Zero has hardened it. That's not the case for most other password vault extensions, especially those made as shims for external vaults like KeePass.
Sometimes I don't have my laptop with me.
Try browserpass. It uses pass internally. https://github.com/dannyvankooten/browserpass
I do wonder though if the change in ownership last year has led to a decline in quality.
Even @taviso had this (positive) follow up tweet: https://twitter.com/taviso/status/844574176165822465
The user experience with extensions for different browsers (Chrome, Firefox, Safari) is inconsistent. Menus look and behave differently. Some options are present (and turned on by default) in one browser's extension and absent in another. For example, Firefox's extension opens the vault every time you log in unless you uncheck a box, so if you're at a password field ready to login, LastPass decides to just get in your way.
But by far the most infuriating part for me has been the iOS app. For the past few months this is what I have to go through to use it:
1.) Open app
2.) Enter password
3.) Scan fingerprint
4.) Start looking for what I want to find
5.) App logs me out after about 30 seconds for no perceivable reason
6.) Enter password
7.) Scan fingerprint
8.) I'm now logged in, but the vault is completely empty
9.) Force close the app
10.) Open the app
11.) Enter password
12.) Scan fingerprint
13.) Finally get what I want
I really do want to switch to something else, preferably self hosted, but I haven't been able to set aside the time to do the research and export/import what I have in LastPass currently.
To me, the point is managing the dozens of separate logins you have to manage to use the web. I often can't be bothered to remember which sites I've signed up for, let alone what the username and passwords are.
For critical accounts (email, financial stuff, etc.) I'll always take the effort to memorize some high quality and unique usernames and passwords. I find this to be the best trade-off.
No, it's not harsh enough for a program that knows the right password, shows it to you, but then inputs the wrong one in the password field. Of course, compared to these security issues, such UI issues are almost irrelevant. With such a simple UI to program, you'd think they'd at least get that right or fix it. And if they don't, it's likely they have much bigger problems under the hood. Over and over.
Unfortunately, all the reviews of Lastpass I read gave it 4-5 stars and it was often a recommended or editor's choice pick. Clearly, those reviewers and their publications are just a bunch of shit words to attract advertising (that includes pretty much every article on password managers I managed to read). This is a pretty important part of security. If it takes someone with expert skills in computers almost a year to find a good password manager program, not to mention days worth of work importing into and testing various solutions, what chance does your everyday computer user stand?
The way things stand with password managers right now, I'm not sure we're advising ordinary computer users correctly in telling them to use one.
The reason why I hate these kinds of threads in IT communities is that we usually don't seem to talk about the issue(s) the article is referring to.
Take this one for example. There's much more discussion about what works for who than the actual content of the article. And then I followed an article linked in the comment here about getting 1Password to run on Linux. And at the bottom of the article there was a link to the HackerNews thread about that article. And the situation is exactly the same.
Out of 57 comments in that thread (https://news.ycombinator.com/item?id=9091691), only four are actually related to running 1Password on Linux, and none of them is related to someone actually trying the method from the article and sharing his/her experience. 53/57 comments are basically "I use X because of Y".
I clearly describe the issue: "a program that knows the right password, shows it to you, but then inputs the wrong one in the password field". This isn't a bugtracker. If you want details, I'll gladly supply them. But don't accuse me of not writing something that's clearly in my post.
I often come to these comments on articles like this precisely because I want to see if the knowledgable folks here suggest the product/service in the article, or if not something else (in the same space).
The reason why I hate these kinds of threads in IT communities is that they always devolve into criticism of what other people want to talk about.
Syncing data between different computers is still work in progress. Then again, with it being a password generator this is less of an issue than with password safes. As long as your master password is the same you can simply create a password with the same name on another computer and it will work.
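The comment above describes a deterministic "password generator" rather than a password safe: nothing is stored, so the same master password and site name yield the same site password on every machine. The block below is an added illustration of that idea, not code from the generator being discussed; the KDF, iteration count, output length and the `counter` rotation parameter are assumptions chosen for the example.

```python
import base64
import hashlib

# Added example modelling a deterministic password generator. It is not the
# code of any product mentioned in the thread; ITERATIONS, DEFAULT_LENGTH and
# the salt layout are assumptions for illustration.
ITERATIONS = 100_000     # assumption: tune to the slowest machine you use
DEFAULT_LENGTH = 20      # assumption: most sites accept 20 printable chars


def derive_site_password(master: str, site_name: str, counter: int = 0,
                         length: int = DEFAULT_LENGTH) -> str:
    """Derive a site password from the master password and a per-site name.

    The site name is normalised so "Example.com" and "example.com " agree on
    another machine. `counter` exists because a generator has no "change
    password" button: the only way to rotate a site's password is to change
    an input, so the counter is per-site state you do end up having to
    remember (or sync) after all.
    """
    salt = f"site:{site_name.strip().lower()}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=32)
    # urlsafe base64 of 32 bytes is 43 chars plus padding; take a prefix
    return base64.urlsafe_b64encode(key).decode().rstrip("=")[:length]


def rotate(master: str, site_name: str, old_counter: int) -> tuple[int, str]:
    """Return the next counter and the new password for that site."""
    new_counter = old_counter + 1
    return new_counter, derive_site_password(master, site_name, new_counter)


if __name__ == "__main__":
    pw = derive_site_password("correct horse battery staple", "example.com")
    print("example.com:", pw)
    print("after rotation:", rotate("correct horse battery staple", "example.com", 0))
```

Two caveats follow directly from the construction: a leaked master password exposes every site at once and cannot be "re-encrypted" away, and passwords assigned by a site (or subject to odd charset rules) cannot be represented without extra per-site state, which is exactly the sync problem the generator was meant to avoid.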
Put your keyfile on Dropbox/OneDrive/whatever so it syncs to all your computers.
Keepass2Android works great and can read from most cloud storage solutions.
Don't know about iPhone.
Edit: It also has a lot of neat plugins. I use one for storing ssl certificates, which also supports key forwarding to putty.
* The database is encrypted with your master password.
* You can optionally also encrypt it with a static "Key File" that is on all your devices but not in Dropbox.
B) You choose which 3rd Party to trust. There are many options with different security/trust/threat models.
(Example: lately I've been using an encrypted share in Resilio Sync where the "cloud" option for me is a dumb VPS that can share the folder torrent but does not have decryption keys into the contents.)
I ran into this when checking unexpected files on a client's system.
I've been looking for an alternative with roughly feature parity with LastPass but a better security policy.
Is there anything automatic out there? I'm not going to use program+dropbox/cloud-provider. I need something like lastpass.
Don't suppose there's anything out there that can import the lastpass db?
I've read a lot of reviews but many predate 1Password's cloud option.
Has android/ios/blackberry/windows mobile clients, desktop clients for mac/win/linux/chromebook (including portable versions), and browser addons. It's not a subscription service---the desktop versions are free, and the mobile versions cost a 1-time purchase to unlock all the features. I'm very happy with it.
Usage: It's a git repo with passwords stored in encrypted text files. Syncing is done by pushing/pulling the git repo. Since it is git, you have a record of every password you ever generated. Unlocking a password with a Yubikey requires a PIN entry and a physical touch. Once entered, the key is available for further passwords without the PIN, but a Yubikey 4 can be configured to require a touch every time if you're worried about compromised hardware stealing your entire password database.
There's no import from other managers that I'm aware of, but it might exist. Googling stuff about 'pass' is tedious. Google for 'zx2c4 pass' and you'll have better results.
It can import from a lastpass file.
Even though it's open source, there is a hosted instance (so the experience is much like lastpass). There was a kickstarter a while back that failed though, so I'm unsure how it's funded.
The lead developer answered that here:
Autofills my logins and fully integrates with Firefox's password manager so that you don't get conflicts between the browser and your password manager trying to save the same password. Also doesn't add the stupid CSS hacking that LastPass does to add their logo into the password fields, breaking various sites' styles.
[0]: http://keepass.info/help/base/importexport.html
- No https on site
- Update file hosted via http (not https)
- Downloads via sourceforge which has injected adware in downloads before
- FAQ downplays lack of constant time comparison instead of using constant time comparisons and being extra safe
- You have to cobble together multiple apps from multiple developers to get a full working solution; means you have to trust lots of individual entities
That being said I can hardly defend staying on Lastpass anymore.
I just wish 1Pass was crossplatform so there was a clear universal winner!
Sounds like a huge pain compared to LastPass, as well as increasing attack surface.
https://csdashlane.zendesk.com/hc/en-us/articles/202699141-H...
There's an unfixed bug in the OSX client where it crashes rarely (every couple months for me) and I have to kill the process manually and restart, but it has very minor impact.
Is there any security analysis or consensus on Dashlane security vs. other password managers?
I feel like with lastpass the attack vector is bigger with all the fancy features.
Padlock does: https://padlock.io/howto/lastpass/
Disclaimer: I'm the developer
> Altogether it looks like LastPass is a lot better at PR than they are at security. Yes, that’s harsh but this is what I’ve seen so far. In particular, security vulnerabilities have been addressed punctually, only the exact scenario reported has been tested by the developers.
This seems unfair.
LastPass fixes the initial vulnerability punctually - we do not know what they will do in the future. Is it better for them to wait, come out with a defense in depth approach, and then patch? Seems silly.
Of course, how long do we wait? Historically, I would argue, LastPass has done defense in depth fairly well - when there was a breach they were quick to not only address the vulnerabilities immediately but soon after they rolled out Content Security Policy and HSTS, two technologies that were rarely deployed in the wild at the time (and are still sadly too rare).
My suggestion to LastPass users is to:
1) Enable 2FA
2) Up your PBKDF2 Rounds
3) Disable as many browser integration features as possible
I don't recommend dropping LastPass and trying to roll your own key-sync store with KeePass/Dropbox as some have done. I don't know of any other browser-based password manager that isn't equally weak to attacks based on browser-integration.
Alternatively, don't use a browser-based solution. This is less convenient but you'll avoid by far the largest area of attack surface.
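To make the "up your PBKDF2 rounds" advice concrete, here is an added example (not LastPass's code and not from the comment above). It is modelled on the derivation LastPass has described publicly, where the vault key is PBKDF2-SHA256 over the master password salted with the account e-mail and a separate login hash is derived from that key; the exact parameters and the cost model are assumptions for illustration.

```python
import hashlib

# Added example. The scheme below is an assumption modelled on a public
# description of a cloud password manager's key derivation; it is not the
# vendor's code and the constants are illustrative.


def vault_key(master_password: str, email: str, rounds: int) -> bytes:
    """32-byte key that encrypts the vault. It never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.strip().lower().encode(), rounds, dklen=32)


def login_hash(master_password: str, email: str, rounds: int) -> bytes:
    """Value sent to the server to authenticate.

    One more PBKDF2 step over the key means the server can verify you without
    ever holding the key itself; an attacker who steals this hash still has to
    run the full `rounds` per guess to recover the key.
    """
    key = vault_key(master_password, email, rounds)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1, dklen=32)


def offline_crack_seconds(guesses: int, rounds: int, hmac_per_second: float) -> float:
    """Rough offline-guessing cost: each guess costs `rounds` HMAC-SHA256 calls.

    Real GPU figures differ, but the point survives: cost is linear in rounds,
    so going from 5,000 to 100,000 multiplies the attacker's bill by 20.
    """
    return guesses * rounds / hmac_per_second


if __name__ == "__main__":
    pw, email = "correct horse battery staple", "user@example.com"
    for rounds in (5_000, 100_000):
        print(rounds, vault_key(pw, email, rounds).hex()[:16],
              f"{offline_crack_seconds(10**10, rounds, 1e9):.0f}s for 1e10 guesses at 1e9 HMAC/s")
```

Raising the round count only raises the price of an offline attack on a stolen vault or login hash; it does nothing against the browser-integration bugs the article is about, which hand the attacker already-decrypted entries, and it requires the vault to be re-encrypted under the new key (which is why the setting is not free to change).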
wait. the communication goes what way?? You make it sound like the 1Password extension (that doesn't handle encryption, therefore is not authenticated) can request password and credential data from the 1Password app, like it's pulling data from it?
How does the 1Password app know that whatever process is making that request is in fact made by that particular browser extension, prompted by user-action on the extension that is the same user as the one that unlocked the encrypted password vault in the app? And if it doesn't why are you storing your passwords in it :)
Are we all clear on what a password manager is? Maybe we should start with a good definition, such as:
A password manager is an application that manages an encrypted database, that when unlocked by the user, can be prompted by the user, to decrypt an entry from the database, and send one or more fields of that entry to a specified receiving application's input/login field(s). Communication only flows from the user prompting, to the password manager, to the receiving application. Not the other way around.
Ok that's not a full definition yet, it also needs a bit about how to store the encrypted database, how not to sync it, not keeping any keys or plaintext in memory any longer than strictly necessary, etc etc.
But it's good if we'd have a definition like that, something that is waterproof by definition.
I guess for now I'll just turn off all of the automatic features like this I can find.
If you can get both that's great, but poor usability beats having your banking and systems owned.
I have used LastPass for over 5 years and I memorize my LastPass and my bank account passwords.
[0] https://developer.android.com/preview/features/autofill.html
Here's the 1Password Security Design Whitepaper: https://1password.com/files/1Password%20for%20Teams%20White%...
<rant> However, can I just rant for a second about how these security assessments and blog posts fold out? The beginning of my career was spent thinking I was going to go into this field (one of my degrees is in Information Assurance) and the #1 thing that persuaded me to switch to building software instead was the attitude and approach of the security field.
If it's not 100% secure and we all agree that it's the 100% best way to do something, it's the end of the world and anyone using LastPass is an idiot who will have all of their passwords hacked and their life ruined. (Remember when the draft for client side storage was announced? You would have thought armageddon was upon us based on the reaction of the security industry.)
Big picture here -- most people re-use a short, simple password on all of their sites. Using a password manager, even one with a few things that it can and should improve, is a HUGE step in consumer behavior. Bickering amongst ourselves and boasting for crapping on someone's company is not the right approach to increasing our entire society's security stance.
Want to actually help?
1. Create more resources to help consumers pick, use, and adopt a password manager with super simple setup process. Even the current methods that all password managers use of generating, saving, and autofilling passwords are too complex and cumbersome for the average consumer. Heck, even MFA is seen as a huge waste of time and barrier to logging into people's accounts by the majority of people right now.
2. Create more resources to educate developers of these services, helping them to see what they should do and how they should do it, not bragging about your ability to tear down a service they spent hours slaving over. Get over yourself and actually help society. (https://www.owasp.org/index.php/OWASP_Guide_Project is a great example of this)
Looking for an example? Apple's iTouch. Yes -- it's not the most secure option. People leave their fingerprints all over the place and they can be lifted and used to unlock a phone. But look at the other option -- using no passcode, or a 4 digit passcode that's easy to guess or look over a shoulder. Is it the most secure option? No. Does it raise the level of security for our society as a whole by providing a realistic security barrier that the average consumer can use? Yes. </rant>
Much happier with 1Password since we switched from Lastpass. Consistent UI, proper OS integration, multiple separate vaults, not to mention the security story seems better (I've seen several LP vulnerabilities of concern but not yet seen a 1PW one that worried me).
I've been tempted to do away with the extra clicks and just use iCloud Keychain and encrypted Notes, but 1Password feels like less of a black box at this point (maybe just because I've been using it longer). It also seems smarter about filling out forms than the browser-native options in Chrome and Safari — not perfect, but better. I don't use their subscription service, just the desktop and mobile app.
Thinking about it I'm really only using it for convenience, security/strong passwords is in second place.
Given all the problems with OpenSSL, I really wished they used something like BoringSSL.
It seems password managers please some of the people some of the time, and unnerve many of the people all of the time.
(Disclaimer: I'm the author of it).
With that said, I only use offline managers and this is only for Mac, but Locko by Binarynights is clean and easy to use. The downside is that its browser extension can't remember basic auth credentials, but other than that I like it. I can also back up the encrypted database easily with a script.
(Seems the link is gone from their site with the release of forklift3 but the page still exists. http://www.binarynights.com/locko/ )
I don't care about portability. Why would I want e.g. 1Password instead of simply using Apple Keychain.
Thanks!
You can have high accessibility / ease of use or you can have high security. You can't have both.
By storing your info on a remote server, you are trusting they will protect your data. Maybe they will, maybe they won't.
It is just a matter of finding a balance you feel comfortable with. Personally, I don't store my passwords on any cloud service, carry them on a thumb drive and don't use services that expose them to the browser. Could I lose a thumb drive? Sure. I rate the chances of someone picking it up and knowing how to exploit it as very low.
I thought I had no illusions about the inherent insecurity in using LastPass, but I guess I was wrong. I use Yubikey and disabled autofill long ago, but I was still vulnerable. Their response to these exploits is maddening. "Our investigation to date has not indicated that any sensitive user data was lost or compromised." This when they can't verify if passwords were compromised as LastPass servers weren't involved in this exploit.
So I guess I need to switch to a different service. Any suggestions?
I love how I can share passwords with a team using LastPass (share just access, share ability to view, share ability to edit). For me... it's more about getting the team using the right tool than individuals. There are probably better individual solutions than LastPass, but I don't know of any that are better for teams. I know that having a tool that lets you share passwords is inherently risky... but I still think LastPass is less risky than people sharing via PostIt, or sharing via emails... or less risky than not sharing passwords in that "hit by a bus" scenario we always talk about.
I tried Enpass, 1Password, and KeePass for individual use... none of them were horrible (I liked 1Password the most). Enpass let you sync your vault with the storage option of your choice... so you could sort of do team passwords that way. Typically I don't want to share all my passwords, just a few... and like I would want to share different subsets with different people... so that "share your vault" option wasn't ideal for me.
Usability-wise, I love how LastPass fills in my credit card info and address on forms I tell it to. And how LastPass can automatically update passwords for many common sites. And gives me a report of passwords that are weak, old, and duplicate -- the "global rank" on LastPass is a game and I want to get a high score. Ha. (Full disclosure, I tried each casually for less than a week... there may have been things I missed.)
Been on LastPass for a long time, generally happy with them and haven't found anything that better fit my needs, but clearly these reports that they aren't taking security as seriously as they should be are troubling.
EDIT: Going to look at https://1password.com/teams/ in the next week or so. I don't think this option existed last time I looked at 1Password.
It works well with chromium on linux and on my android phone. It's free, has all the security of a google account including u2f, chromium integration is flawless on linux, and works well with chrome on Android.
Dashlane is the only password manager that looks normal enough to be used by the non-tech members of the company. I've found its sharing feature invaluable, I can get the whole team on it using 2FA and passwords don't get emailed around anymore!
Honestly surprised there aren't more players in this space but it seems really hard to get into.
https://www.passwordstore.org/
I sync this directory to my mobile device using megasync (linux packages and Android app available).
https://aur.archlinux.org/packages/megasync/
https://play.google.com/store/apps/details?id=mega.privacy.a...
Then I use `pass` on Android via the "Password Store" app (and the APG app to manage my PGP keys on mobile).
https://play.google.com/store/apps/details?id=com.zeapo.pwds...
The whole UX is super easy. Basically just PGP, plaintext files, and copy/paste.
Why are you copy and pasting it again in the same thread?
Once you've adopted a password manager, you've limited the scope of potential abuse, and you've decreased the pain of recovering from abuse that does happen. Being forced to change passwords used to be a stressful problem for me, and now it is not. Before, I would procrastinate changing passwords after a breach, because I knew how hard it would be. With lastpass, I literally changed every password in my vault in less than a half hour.
The PR matters because it's too easy to hear some bad news and give up on trying to be secure. If the PR prevents people from giving up, I'm all for it.
1) Download two datasets from different massive breaches. You can find plenty of them with plaintext passwords on any torrent tracker.
2) Correlate email and password combos across datasets. Don't worry, you'll find 10s of millions of people who don't use password managers and reuse passwords.
3) profit
If you have reason to believe you're being targeted, any breach is a problem. But until my method no longer produces results, there's no reason to believe black hats will go through any additional effort to obtain the average person's creds.
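The three-step "method" above is ordinary credential correlation, and it is the same correlation a defender runs to find which accounts are exposed to credential stuffing. The block below is an added example, not part of any comment in this thread; the two dumps are constructed for the example in the common `email:password` text form and contain no real data.

```python
from collections import defaultdict

# Added example. Both dumps are constructed for illustration; the format
# (one "email:password" per line, with junk lines) is an assumption about
# what a typical leaked file looks like.
DUMP_A = """\
alice@example.com:hunter2
Bob@Example.com:letmein
carol@example.com:S3cure!pass
dave@example.com:pass:with:colons
this line has no separator and is skipped
"""

DUMP_B = """\
alice@example.com:hunter2
bob@example.com:letmein
carol@example.com:different-pass
erin@example.com:qwerty
"""


def parse_dump(text: str) -> dict:
    """Map normalised e-mail -> set of passwords seen for it.

    E-mail addresses are case-folded so the same person shows up once;
    passwords are split on the first ':' only, since they may contain ':'.
    """
    creds = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds[email.strip().lower()].add(password)
    return creds


def accounts_in_both(dump_a: str, dump_b: str) -> set:
    """E-mails present in both breaches (exposed even if passwords differ)."""
    return parse_dump(dump_a).keys() & parse_dump(dump_b).keys()


def reused_credentials(dump_a: str, dump_b: str) -> dict:
    """E-mails whose exact password appears in both dumps, with those passwords.

    These are the accounts a credential-stuffing attack will log into on any
    third site where the same pair was reused; a password manager user never
    appears here because each site gets a different password.
    """
    a, b = parse_dump(dump_a), parse_dump(dump_b)
    return {email: a[email] & b[email]
            for email in a.keys() & b.keys() if a[email] & b[email]}


if __name__ == "__main__":
    for email, pws in sorted(reused_credentials(DUMP_A, DUMP_B).items()):
        print(f"{email}: reused {len(pws)} password(s)")
```

In practice you would not keep plaintext around: hash each `(email, password)` pair as soon as it is read and intersect the hashes, which gives the same reuse list without ever holding the credentials in memory.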
Context:
What I am after is a password manager that has the option to NOT store anything in the cloud at all. I want encrypted storage to be stored locally. No exposure outside my network. Inter-device synchronization done manually or automatically within the confines of said private network.
I would also like to store data beyond uid's and pwd's. For example: secret questions and their answers, account and pin numbers, company tax id's, bank account numbers, passport numbers, etc. In other words, data you might need handy that should be encrypted.
I've been using a program for a number of years. The program started exactly as I described above: Network only synchronization.
Over the years they have mutated the program to cloud based storage. And, over the years, they have done this without warning to users or seeking any kind of authorization.
Imagine if you are using software that only stores data locally and syncs over your network, only to wake up one day to discover that the latest update uploaded all of your secret data to their cloud-based system WITHOUT your permission. And, to make things even worse, they progressively eliminated the network sync option.
The current version doesn't even ask, the minute you edit a record or create a new one it shoots it up to the cloud. Unbelievable.
Years ago I asked about this. I have an email from the support assuring me the data would never be stored on the cloud. Time to file a lawsuit?
Anyhow. Is there a tool fitting my description above? I don't care if it's free or paid. I simply want my data to never move outside my network unless I want it to.
1Password keeps a local encrypted file. The "integrations" are 1Password knowing default locations to look to store the file in the right directory.