Doesn't match what people claim here
Even worse, they have a history of doing hand-wavy corporate non-explanations for what actually happened in these incidents. The antithesis of being responsible and respecting users in the modern day.
You'd expect them to be one of the more targeted companies just because of the 'treasure' they hold - hence the more security breaches.
I’ve always taken the route of managing my own local Keepass DB & key files. Sure it’s more cumbersome, but it prevents me from having to decide whether or not to trust some third party vendor or not.
I know 100% that I’m in full control and I’ve never put my DB or key file in the cloud. I can sleep sound knowing that whatever password service, or file sharing service, somehow getting compromised, cannot endanger one of my most valuable assets
Furthermore, I’d argue that Firefox & chrome password managers probably have several orders of magnitude more passwords stored (and therefore much more highly targeted), yet they don’t seem to have annual security incidents. And you can’t even pay for those products.
People stealing passwords are probably doing it to eventually make money. Criminals could save themselves a ton of work by just directly hacking the banks, yet we don’t hear about highly regular complete compromises there.
Furthermore, if operating a password manager service puts a huge kick-me sign on your service, why don’t the other password managers have plenty of incidents?
"However, users receiving these warnings have stated that their passwords are unique to LastPass and not used elsewhere." That's really hard to verify. I think most users would say that rather than admit they re-used passwords (or used similar passwords that were easy to reverse engineer). Since there only seems to be 2-3 reports of this, and they're self-reported and not cited, it doesn't seem like LastPass was compromised.
I'm not saying I like LastPass (I use 1Password and find LastPass to be much worse), but I haven't seen any indication at this point that LastPass has been compromised at all.
(To be clear, it's very possible I'm wrong and this message won't age well. But so far, it seems like LastPass is doing its job, and I'd want to see more than this before jumping on the blame-LastPass bandwagon.)
There are now over 20 in the original HN [1] thread. ( Excluding reports from Reddit and Twitter ) From password never used since 2017 to account newly created in the past few months. OP has full Bio, Links and Credential, others have long history on HN and karma points. I did at one point suspected a PR attack on Lastpass, ( sorry guys ) but that is somewhat unlikely.
Of course, this doesn't rule out a malware running wild.
> They stopped all usage of correct passwords they believed were compromised
Immediate question: how the heck would they know which passwords are compromised, if it wasn't a compromise on their end? From the information provided, the only thing they have is the IP & geolocation data, which isn't going to be reliable when the attacker(s) are using VPNs. For everyone whose account was protected by blocking access from odd region, how many are there whose accounts were quietly accessed and no email was shot off to warn the owner?
They are claiming that the master password was used on some other (compromised) service, but they provide zero evidence for this. And if they don't know your passwords, how on earth do they know that you've reused them on a compromised service? Can they name that service? Has anyone yet found a service every affected user has in common? I haven't seen that.
> "However, users receiving these warnings have stated that their passwords are unique to LastPass and not used elsewhere." That's really hard to verify.
That is true, but there are so many reports now that it's really hard for me to believe they were all dumb enough to reuse their master passwords elsewhere and are also bullshitting us on HN.
> I haven't seen any indication at this point that LastPass has been compromised at all.
Neither have I, but I still believe it to be a plausible explanation. I don't think we have a "smoking gun" or a site/service/extension that is common to everyone who reported this thing happening to them.
First thing's first, and yes I am "victim blaming" when I say this: 60% of users reuse their passwords. [0,1] It's a widespread problem. Maybe that number is lower for a technical site like HN, but I have encountered technical people who do not practice what they preach.
>how the heck would they know which passwords are compromised, if it wasn't a compromise on their end?
You can check for a compromised password the same way you check if a password is valid, both without having stored the original password in plaintext. You have a list of known-compromised hashes and see if the hashed password is in that list. [2]
>For everyone whose account was protected by blocking access from odd region, how many are there whose accounts were quietly accessed and no email was shot off to warn the owner?
None based on my experience with the service. Each time you login from an unrecognized device or IP, you receive an email and have to confirm the login. It's good hygiene to check the access logs, although I've been dirty in that regard.
>They are claiming that the master password was used on some other (compromised) service, but they provide zero evidence for this. And if they don't know your passwords, how on earth do they know that you've reused them on a compromised service? Can they name that service?
No. And they probably won't ever be able to. And probably neither will anyone else. See [2].
>That is true, but there are so many reports now that it's really hard for me to believe they were all dumb enough to reuse their master passwords elsewhere and are also bullshitting us on HN.
Well I can imagine a few things going on. Like that 60% reuse number in [0], there are probably a lot of people who did reuse their master password. I'd be embarrassed myself to admit I reused a password and it got compromised (correction: I have reused passwords and have been compromised, luckily not in a damaging way). You're kind of exemplifying that point by calling someone who would do that "dumb enough".
The other group of people who really didn't reuse their passwords may have done something I did a few weeks ago - forgot I was connected with a VPN. I SSH'd into a server, saw a weird IP and freaked out. Then after 15 minutes of investigation, I realized duh I was just connected through a VPN in Europe.
>bullshitting us on HN
I'd be careful about this assumption. I have seen people bullshitting here. I won't go as far as outright denying that people haven't reused their passwords, but I am always a little skeptical of things like this (i.e. where people say one thing because they're embarrassed about being associated with the other). It has certainly heightened my senses.
>I don't think we have a "smoking gun" or a site/service/extension that is common to everyone who reported this thing happening to them.
As has been theorized elsewhere, it's very possible we're seeing early signs of the results of the log4j exploits.
I'm in wait and watch mode to see if LP really is compromised.
[0]: https://spycloud.com/password-reuse/
[1]: https://www.troyhunt.com/password-reuse-credential-stuffing-....
[2]: https://haveibeenpwned.com/Passwords A password from my late childhood to early teens shows up 150 times
https://www.mcafee.com/blogs/enterprise/cloud-security/lastp...
Unfortunately the only password solutions I would recommend at this point are 1Password for something turn key, and BitWarden if you want to self host.
A few people and I are trying to chase down which software in common could have resulted in our passwords being stolen.
The most egregious and hard-to-understand related cases (now 3!): https://twitter.com/Valcristerra/status/1475734357805572098
"Someone tried my @LastPass master password earlier yesterday [Dec 27] and then someone just tried it again a few hours ago after I changed it. What the hell is going on?"
https://twitter.com/shift_plusone/status/1475959354742525956
"Exactly the same thing happened to me last night. They tried again literally minutes after I changed the password to something not used on any other form."
https://twitter.com/Pablohere/status/1475966760130125828
"I had this same thing happen to me. Saw attempts yesterday, changed password last night to random generated pass from pass utility and had attempts today again from different countries."
---
I saw a few mentions of uBlock origin in yesterday's thread. I definitely might have used it in 2017 (the last time when my compromised LastPass password was used).
Could people that received the "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email please reply and confirm whether or not they have the uBlock origin extension installed?
The other alternative is for the LastPass extension itself to have been compromised (and to still be..?). There are other alternatives as well (some clipboard sniffing malware for example).
Let's try to rule out uBlock if possible. Thanks!
Statistically speaking it's probably because everyone has ublock origin installed, rather than it getting hacked. It's used by 5M+ users on firefox and "10,000,000+" on chrome. If ublock was really compromised you'd expect widespread reports of account compromise, rather than for only one password manager.
1. If LastPass has been compromised, the scale of these attack would have been tens of thousands times higher. But it isn't. And I think it is reasonable to trust and assume Lastpass does not hold the masterpassword, as they have stated.
2. If it was browser extension, and clipboard sniffing, the scale would have been higher as well. But it is important to note there are many reports of those password have not been used for 3-4 years. They would have sat on a drove of password and decide today is the day. And yet report of these attacks, while scary, are still very very limited.
3. It is hard make a guess without everyone posting their OS, Computer, Browser, extensions, list of software, and even Router, Location, Network ( MITM ? ) etc.
4. We have tested the theory of Lastpass triggering the wrong email notification even with wrong password. So far doesn't seems to be the case here.
5. Nearly all reported cases are unique passwords. ( A few didn't specify )
6. There was a case where the whole Lastpass App and passcode was stored on an old laptop which hasn't been used for a long long time.
7. And yet there are also cases where account was only created in October / November this year. Meaning this activity is fairly recent. ( Doesn't rule out they could be two independent leaks or attack )
8. I was expecting someone working in InforSec would jump in, but I guess they are all on holiday at the moment.
9. This happened just after LogMeIn announced they will spin off Lastpass. I am thinking of the incident with Ubnt where the actual problem was internal, an employees hacking their own companies for bitcoin or something. Still I dont know how any Lastpass staff, without storing any Masterpassword could have gained access to it.
10. For now this doesn't seem like a coordinated PR attack on LastPass. If it was, seriously guys you need to do a better job with Social Media marketing. :P
Anyway It is an interesting thread to watch.
I'm happy to delete my message if this way of finding out doesn't make sense.
I haven't used LastPass since, at the latest, 2017. I had actually deleted all my passwords from my LastPass vault, but originally kept the account because of LastPass's password sharing feature, though I stopped using that as well. I believe I had the LastPass extension installed on both Chrome and Firefox, on both Mac and Ubuntu. I primarily used Chrome on Mac. I did have uBlock Origin on those setups as well, but I really doubt that's the vector, it's likely just incredibly popular with all users of Hacker News. My LastPass password was globally unique and between 15 and 20 characters long (with some symbols and digits). This password shows no matches at https://haveibeenpwned.com/Passwords . I considered sharing the password here, but just in case an old version of my vault is out there somewhere somehow I'm not going to. My understanding is that such a password would be so incredibly impractical to brute force that it's not worth considering. Unless I'm outdated/wrong on that, that means the password leaked in clear text (or hashed with a broken hashing method). As I haven't typed that password since at least 2017 and I can't imagine LastPass is storing passwords in clear text, I'm inclined to believe the password was stolen in clear text from client machines (either LastPass extension exploit or malware) in or before 2017. It's weird they were not used earlier, but as LastPass doesn't allow new IPs by default, maybe the attackers knew this and were sitting hoping an additional exploit would allow their user. But now they're just trying in the off chance someone clicks the "That's me" link in the email. This doesn't explain the more recent claims, personally I'm inclined to disregard them as unrelated noise (user confusion, reused password, etc).
(I actually found an email from LastPass dating back to 2017 where they were confirming that a vulnerability with their extension had been fixed. The subject of that email is "Security Update for LastPass Extensions" and it dates back to March 31st, 2017)
I also agree with you that the attackers may have been hoping this time that some people would click the email link by mistake.
What's most baffling to me are the 3 independent reports of people changing their passwords, and getting the "Someone just used your master password" emails again i.e. the same attackers that attacked you and me somehow also having access to these new passwords. That can be explained in some ways (those 3 people are currently infected with the same malware) but that explanation seems, to me, very unsatisfying.
The fact that lastpass support says that it means that the correct password was used doesn't mean it's true, the support staff might just be mistaken.
Counterpoints:
- LastPass officially responded to this story by saying that all of our passwords were compromised elsewhere and then someone attempted to login with those i.e credentials stuffing.
If it was a false positive email, it would have been easier to say that and a lesser reputation hit on them. Right now, they're saying "oh yeah those passwords were valid -- it's just that the attacker got them somewhere else, we weren't breached."
- The (now 3!) twitter reports mentioned in https://news.ycombinator.com/item?id=29719033 point out that someone attempted to login again after they changed their password. They received the "Someone just used your master password" email a 2nd time.
If those emails are not false positives (per LastPass), how could that have happened?
Used a VPN endpoint in a country that would surely get blocked. Attempted to login with wrong password, did not receive email. Logged in with correct passphrase, received email. Both scenarios looked the same on the login screen, so there wasn't any indication that I logged in with the correct password if I were the attacker
edit: last night they released something that says they sent some of those emails in error. I hope that is the case, but it's still not very re-assuring. I went through and changed all of my financial/critical accounts yesterday in precaution, today my bank account was locked out from brute force. Could be a coincidence, but that is the first time it's ever happened with that account
I think it exists at an intersection of (relatively) trustworthy and necessary that makes it extremely popular among the kinds of people participating in these discussions.
If you got it, assume you have malware and all your passwords you have entered have been captured.
I was in touch with a security researcher on Twitter who has access to the RedLine Stealer stolen credentials.
Neither my email nor LastPass password (the one that was compromised) were in there. The researcher looked for another email/password (of someone else affected who reported it here on HN and contacted me via email) and no result as well.
This would explain all the data I’ve seen so far, including LastPass’ reaction.
Speculation: LastPass might use this message even if someone tries an old password? Does that fit the data so far?
I just tried my old password and the error message only says to check the password -- there are no emails sent saying that someone attempted to log into my account with my password.
LastPass did change their systems, supposedly correcting for the issue that we all saw. So the test I just did also isn't really indicative of how their systems were working 2 days ago.
There are still remaining questions:
- the use of "some" and "likely" in LastPass' new announcement -- https://www.bleepingcomputer.com/news/security/lastpass-user...
- an explanation on how the false positives happened. What made the system think those attempts were using the correct master passwords?
- an assurance that no correct master passwords were used during the attack -- that they were all false positives (i.e. this attack was strictly credentials stuffing i.e. someone tried a bunch of passwords they obtained from other sources)
- finally, an explanation for the 3 independent cases where people changed their passwords and then received an email again saying someone had attempted to login using their passwords. Those emails may have been false positives as well, but we would have to know.
Must be a compromised browser extension at this point.
> To make things even worse, customers who tried disabling and deleting their LastPass accounts after receiving these warnings also report [1, 2] receiving "Something went wrong: A" errors after clicking the "Delete" button.
Is there anything more infuriating than this type of error message?
Just for fun, I downloaded the official LastPass chrome extension. The zip file is 32MB before unzipping, and it has 426 separate *.js files, total of 25MB of javascript. That should be a fun audit.
Edit: To be clear, nobody has said the LastPass extension is compromised, though that is one possibility.
Edit #2: Some of the larger js files do have a fair amount of the size as arrays of localized text, error messages, lists of numbers, etc. But it is still a lot of JS.
For (a totally bogus but hey) comparison, I'm shipping products which include the Linux kernel, userland (busybox plus a pile of scripts and some daemons & other utilities), "the application" (two-three hundred thousand lines of C maybe?) plus deps (including sqlite, crypto libs, etc.) and the compressed image that contains all of this easily fits in 16MB SPI NOR flash with a few megs to spare.
And how did this breached exactly happen?
i wonder if any of that is log4j ( :
In their 2019 breach, JS on arbitrary pages was able to access the contents of LastPass' own extension to obtain the last used username/password combinations. [0]
As, today, the extension now contains 25Mb of JS, making it difficult to audit, I wouldn't say that it has to be someone else's fault until proven.
[0] https://bugs.chromium.org/p/project-zero/issues/detail?id=19...
The previous thread had password never typed, copied or used for years. Unless we are talking about multiple vector, otherwise browser extension doesn't fit most of the reported scenario.
Impending company changes also raises the possibility of an insider attack.
> Is there anything more infuriating than this type of error message?
Well the other classic move by webshits is to have you stare at a spinner indefinitely.
From 2019: https://www.reddit.com/r/Lastpass/comments/afmfop/cant_delet...
From 2020: https://twitter.com/jowouters/status/1222438393981886464
There's a ton of those posts. Some in the official LastPass forum as well, and the response from LogMeIn was basically that the account was deleted.
(It's of course crappy, just saying that this behavior is nothing new and probably just something they don't care about enough to fix..)
Keeping my secrets store on someone else's computer is simply not compatible with my threat model.
Yes, they say it is encrypted, and I believe them and believe they're competent.
But competent people write vulnerable code all the time, disastrously bad hires happen (see Unifi), and companies go bad. You can't un-disclose information stored with them, only laboriously invalidate it.
The only thing I pay for is the managed hosting, but in theory it's not much different than anything else properly designed (e.g. bitwarden) aside from the obvious things, such as OSS-ness.
The only relevant CVEs are relatively mild compared to LastPass.
Give them some credit.
I had 2fa enabled on my LastPass account, but didn't have access to the phone anymore. I clicked a link, LP sent me an email, and I was able (through that email) to remove 2fa.
It doesn't make their 2fa completely useless, but it's not great.
Some of our skulls are so thick you’d need at least a $10 wrench
You can be forced to disclose your secrets but you will know they were compromised, that's encryption doing its job.
There's a world of difference in knowing.
>>> Take this with a grain of salt.
LogMeIn, the owners of LastPass, had a Chinese APT group in their servers for years. They only found out because the attackers started launching unoptimised SQL queries that started killing their database cluster. They didn’t have to report this breach, despite being based in Germany where it’s a legal requirement, because they didn’t have proof customer data was accessed. They didn’t have proof because they didn’t have any logging or auditing. Whatsoever.
[0] https://www.pcworld.com/article/491164/lastpass_ceo_exclusiv...
Does LastPass/LogMeIn have a history of lying about/downplaying security incidents? I only remember a controversial (and to my knowledge unresolved) issue at TeamViewer (where the company claimed no compromise but due to the number of reports there were doubts about that claim).
This could be very hard to trace since users would have to notice the correlation between visiting a certain web site (or e.g. one of many compromised sites) and getting hacked. Worse, combined with malvertising, it could be exploited from almost any web site if the user doesn't block ads.
I'm sure some people will look at me very funny for doing this, but it seems to me that I have both fewer hassles logging in and fewer breaches than people using more "secure" methods (like handing your passwords over to LastPass's mystery Chrome extension).
Think about today's threat landscape and tell me I'm wrong. I may not be more secure in every possible situation, but I'm more secure in the situations that cause the vast majority of breaches today.
It's a free open source app that runs on your local machine and stores your passwords locally - never uploads your passwords to a server. But it does this securely.
And you can run it on multiple machines (and phones) and transfer the passwords (the vault) without ever uploading anything to servers.
If you like to have synced database between devices with minimal risk of exposure I would recommend setting it up to use a master password AND generated key file. I do this, then sync my database to cloud/butt and just keep my key file offline and on device only.
Edit: I believe you can also use a FIDO/U2F key (yubikey, google titan, etc.) in place of a key file but 2 password lock is great even if someone guesses your master password, the database is still useless without the 2nd key.
My threat model is 100% aimed at remote attacks/hackers. I could not care less about law enforcement. I also use a hardware backed second factor.
A computer will always do a better job at generating\remembering passwords.
hardware 2FA is definitely a good idea.
Important questions might be how secure is your computer (encrypted HD, multiple users, etc), what incoming services have you enabled (ssh?), does your computer ever travel (is it a laptop, is it prone to loss or theft), and how secure is your apartment/house (is a robbery plausible).
The main thing a desktop file is, for most people who use password managers, is inconvenient. Without some kind of remote access at home, it might mean not having access to passwords when doing errands or traveling, any time when not physically at home. But with remote access, the password file access does become riskier, that does become cloud access where you’re responsible for the security of all methods of remote access (are any ports open you don’t know about?).
Having my password manager on my phone has been incredibly useful at times.
The number of times my home's been broken into: 0 (and based on news, virtually all of burglars are just looking for jewelry, wallets, and similar stuff and they won't bother trawling through your papers for passwords).
The number of times I've had devices on my network that run some hastily put together vendor firmware that was last updated six years ago: too many to count.
The number of times I've had to rush to update/patch my own computers to fix a newly disclosed remotely exploitable vuln: quite a few.
The number of times I've actually witnessed attempts at trying to exploit said remote vulns: too many to count! Sometimes mere hours after I've patched my stuff.
The number of times I've known I've had malware: at least a couple times (admittedly long ago, back when I ran Windows..).
I just don't trust keeping personal passwords on online connected computing devices. And password managers are a very lucrative target today (plus it tends to be all eggs in one basket for most people!).
I do keep passwords for employer's stuff in a password manager but not on the same device(s) I use said passwords on; even if you had malware on my work laptop, you wouldn't get my master password, nor would you be able to grab my password database. Passwords are also not stored on any third party service.
The price I pay is a relatively minor inconvenience. (I do have plans for something more convenient though!)
You can sync the encrypted files to your phone or other computers.
KeepassXC requires authorizing a plugin, and authorizing specific sites before it releases a password.
One of the reasons I haven't moved over to NeoVim is because they removed this feature, because supposedly it's not perfect or something. So sure, the NSA may be able to still be able to extract my passwords if they arrest me and take my computer, but the point is that random people won't be able to.
I have been using it for a couple years and haven't noticed any issue. Even if Google decides to screw me over and terminates my Google account, I can still access the passwords via the local copy in Chrome, so that is not really a concern.
(Though, don't take this as my recommendation to use Google' password manager. I have not done enough research in the password manager landscape, which is why I am asking this question in the first place.)
EDIT: also include other browsers' password managers. (It appears that it is a mistake to mention anything Google on HN :/)
EDIT: Also, if you don't know, Chrome also supports passwords export/import, so it not any more vendor-lock-in than any other password managers.
I've done the same transition. I was too lazy to install a password manager and didn't care enough about my online accounts. Now I have strong passwords on all my accounts and they propagate to my Android apps automatically, without me having to do anything. I also trust Google's security.
I use passwords on my iPhone, MacBook, and Windows, so I need a manager that can provide passwords across all of those (and not just in a browser)
Because then you are locked into Chrome and some people prefer the freedom to switch browsers at any time
You should evaluate if you're comfortable using this or that password manager even if they were aquired by the most evil company you can think of. If the design is solid, it shouldn't matter since the evil company shouldn't be able to compromise anything. If it does matter, then you shouldn't be using that software no matter how much you trust the company (because regardless of trust, they're still subject to secret court orders etc.)
So it’s not just bots trying passwords from other database leaks
The whole premise of LastPass is that they can’t even decrypt your master password. It’s pretty concerning that this is happening.
If hackers can get your master password, then _all_ of your passwords are at risk
This will give you nice conflict resolution if accessing (modifying) the file from multiple machines.
There are clients available for all platforms. I use: Keepass (Windows), Macpass/ Keeweb/ Strongbox (MacOS), StrongBox (iPad) and Keepass2Android (Android, this one's fantastic!).
https://blog.lastpass.com/2021/12/unusual-attempted-login-ac...
"However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert emails to be triggered from our systems. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved."
(I removed my account recently and got the same error message, everything seems to be gone now)
I have both Keepass and Lastpass, but the reason I didn't do away with Lastpass yet is basically that it seems to me that Keepass can't do proper form-filling like Lastpass can? I'm talking about: auto filling custom configurable fields, addresses, credit cards, etc.
Am I missing something, some addon/extension?
My current Keepass setup:
Keepass 2 with Keeweb for filling passwords in Firefox on PC and KeePassDX for filling passwords on Android. All Keepass DB files are synced using Syncthing, which works fine.
KeePass lets me fill in the username and password fields, and I can configure the names of the fields if KeePass can't figure it out itself. My browser remembers not-so-secret stuff such as my address, and it's very rare I'd want additional form fields managed by KeePass, beyond username and password. That said, I wouldn't be surprised if there was a plugin that does that.
It's encrypted on my computer by Open Source software that I can trust. I used to use LastPass, but it was clearly a sinking ship ever since it was bought by LogMeIn.
None of these opaque, closed-source "cloud" password managers. Because if you don't control your secrets, then you don't have anything. I don't care if it's a zero-knowledge construction approved by Big Name Cryptography Guy or best intentioned founders since depending on a single service that could potentially hold your secrets hostage, expose them, or forget them would be insane.
The end.
I have my TOTP codes stored in Bitwarden for other services like Facebook etc, but I use Authy as an independent TOTP provider for Bitwarden. 1.5 factor I guess (2FA tokens in a password manager), but works a treat and is very convenient!
My Bitwarden account is protected by 2FA (via Authy - only backup method is SMS - which has become handy at one point when my phone was pick-pocketed abroad in Amsterdam as I'm able to get a replacement SIM card from my operator) but then if you get past that (and the master password) then you've 'pwned' me.
It's a trade-off of convenience and security really - I think I'm doing a lot more than the average Joe and feel relatively secure. For the majority of my accounts (FB/Twitter/Instagram etc. etc.) if you get the password you're getting nowhere. Even then using a password manager I have a different password for every service so unless you breach my password manager you've at most made it into one account - if that doesn't have 2FA via Bitwarden.
You might struggle a bit moving away from Authy though if you ever want to as it does a lot of 'proprietary' stuff. I had to use a bit of JavaScript to extract my TOTP codes from the Chrome Web App (e.g. for Twitch) otherwise you're unable to get them out of Authy.
I hate that they try so hard to hide the standalone version for which you just paid a fixed price. That's the only way that I still use 1Password.
Yes, there's not much redundancy or convenience without the cloud, especially if your computer's hard drive becomes damaged, but if I lose my master password at least it's on me.
[1]: https://blog.1password.com/what-the-secret-key-does/
[2]: https://old.reddit.com/r/1Password/comments/rp8t02/security_...
> Some customers have also reported changing their master passwords since they received the login warning, only to receive another alert after the password was changed.
This sounds to me like either a widely-compromised browser extension (LP itself?) or LP infrastructure.
I previously tried offline password managers but syncing the files between devices and such was a huge pain.
Plus, if my phone or my yubikey or whatever is stolen in a foreign country I'm not SoL because the algorithm is in my brain and the rules are public knowledge.
That isn't going to work for most people, obviously. Most people want to be able to use their credentials from arbitrary machines. I don't have that requirement.
When I need to log into Nintendo's eShop from my Switch, I use my algorithm. How does that work for a self-hosted super long random Bitwarden password? I'm guessing I need to bring up the password on my phone or something and manually copy and compare it digit by digit into the Switch which sounds like a lot of work.
Writing passwords each time is so old now. there are plenty of good password managers either local or cloud based.
For what it's worth, I got an unidentified login email today with an IP in Canada. I didn't see that login attempt in my LastPass access logs, however, so I don't know for sure if they used the correct master password. I did check, and it said that my master password was last set in 2015, so it's possible I was impacted in an older breach.
I just enjoy how easy generating new passwords are. Still has some work to do, but they’re definitely on the right track.
https://www.go350.com/posts/the-design-flaws-of-password-man...
>Users must also devise a master password to unlock the encrypted passwords stored by the password manager. This is similar to a master key. It is generally accepted that master keyed locks are less secure than non-master keyed locks. If the master password is exposed, then confidence (in all the passwords that it unlocks) is lost.
1. In a perfect world, having a master password is worse than having independent passwords. However, realistically you can't remember that many passwords, so in practice you end up reusing passwords across sites. Using a master password in this case is a worthwhile tradeoff.
2. on most password managers, you need access to both the database (either through the web, or as a file) and the master password to compromise its contents. Even if your password was "hunter2" or something, your accounts would probably be fine.
>DPG
Deterministic password generators/managers have problems of their own. Their main draw is supposedly the lack of state to keep track of, but realistically you still need to sync stuff (eg. usernames, site identifiers, password formats, counters), so that dream is never realized.
>1. Never store passwords. Rather, generate them as needed based on user input. The need to backup, synchronize and properly encrypt passwords is removed. There is no master password that immediately unlocks all of the other passwords. There is nothing to become lost, stolen or corrupt.
I can't tell whether this is satire or not. The author dunks on other password managers for having a "master password that immediately unlocks all of the other passwords", but his program literally has the same flaw? At least with traditional password managers you need access to the database and the master password.
I know storing my TOTP passphrase along with my un:pw combo isn't as secure as keeping them in separate locations, but my threat model is just to stop someone with only my un:pw.
YMMV
This is basically the same "cloud" vs "on-prem" debate. Cloud won, I think.
I installed Keepass on my windows desktop along with iCloud drive sync. I keep my Keepass database in my iCloud directory. I can now use this Keepass database on my iPhone (via Files app), on my Macbook (iCloud Drive). Any changes made are automatically synced daily.
Is that really too difficult? And yes, it does "just work".
Bonus: Any passwords stored in my iCloud Keychain are also synced to my Windows Chrome instance via Apple's 'iCloud Passwords'[1] plugin.
[1] https://chrome.google.com/webstore/detail/icloud-passwords/p...
Mainly with compromised\rogue updates, you push a malicious update to customers and then get access without needing to compromise the hosts.
Very similar to a supply-chain attack.
It's about convenience vs security, and specifically, auto-filled passwords across devices and applications. Anything that provides such a feature will be inherently less secure than an encrypted file.
If LastPass and others are to blame for anything, it would possibly be their marketing around the this tradeoff, though I think they avoid direct misrepresentation by just avoiding the issue completely.
I tried selfhosting in the past and it is painful process to set it up since I don't have an experience with it and the documentations on selfhosting are barely minimal. I tried selfhost an RSS Reader (FreshRSS) through webserver that are closed off to the public network. It is rewarding BUT frustrating experience for me beacuse of how much it needs to be functional. And don't forget the difficulty of setting up a CA for the HTTPS (SSL/TLS), it is PITA to set it up and it kept having problems. I am considering Caddy server since it generates its own CA automatically. Their documentation are not beginner-friendly and requires some prior knowledge to set it up.
It's doable. I managed to teach a 50+ year old to do it.
I still self-host.
so they basically have to change their name now, right?
sounds like a broken promise otherwise.
There is a tradition here that we tell programmers they must never write cryptographic code, that they will screw it up, and so on. To which I say: Yes, I agree that writing crypto code if you don’t know what you are doing can cause problems. It should not be done unless you know what you are doing; if you think using MD5 in any cryptographic context is secure, you don’t know what you are doing and shouldn’t be writing code using crypto.
If one wishes to write crypto code, the first thing is to realize that it’s very important to choose an algorithm wisely. Use one which has been made by an esteemed cryptographer, has been released to the academic cryptographic community, and has not been broken by said community.
Never try to make your own algorithm. Unless you know the difference between differential cryptanalysis and linear cryptanalysis, you have no business making your own algorithm. Even if you do, you have no business making you own algorithm and using it in production without releasing it to the academic cryptographic community so they can analyze it and see if it’s broken in some way you didn’t see.
It’s not just algorithms. It’s how to use an algorithm. If you don’t understand why it’s a bad idea to use a block cipher in ECB mode, then you probably shouldn’t be writing code that uses a block cipher in live production.
I would not have anyone write crypto code for production use unless they have read Applied Cryptography cover to cover; while somewhat dated (it came out before AES, MD5 getting broken, SHA-3, or post-quantum crypto) it is an excellent introduction to the basics.
That said, I have written my own password generator. I have read Applied Cryptography. I know MD5 is broken. I know to random pad plaintext before encrypting it with RSA. I know not to use a block cipher in ECB mode. I have written cryptographic code used in production and it hasn’t ever been shown to be weak or broken; I have revised the code when purely academic attacks have been made against it: I started transitioning from AES to RadioGatún[32] back in 2007 because, while purely academic, I felt the cache timing attacks made it too insecure for me to continue using it in production code.
My password generator takes a master password, and it appends it to that master password the name of the site I am visiting, then runs it through a strong cryptographic hash (RadioGatún[32], for the record, which has been around for over 15 years and remains unbroken) for over 500,000 rounds, to generate a secure password. Since it’s not an online service, there is no point of failure where hackers could get in to the online site; since it’s not a browser plugin, there is no point of failure where a browser security hole or a Javascript hack can get at my master password.
The code is open source and available here: https://github.com/samboy/PassGen/
The idea is one or more "master" password(s) that can be stored in keyboard's RAM (so you don't need to type them every time; and yet you still never need to input it into your computer at all!), then a short memorable site-specific "password" (could be as simple as the site's name) plus a prefix/postfix that adjusts the output to work around different services' fucked up password rules.
I might also make a completely offline device for this in case I need to "look up" a password without actually typing it into a computer.
I don't need to write any crypto for this, just use a well known and secure KDF / hash.
