> we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.
One way to prevent risk to your passwords in the event of a security breach is to not store them in the cloud at all. KeePass is great!
LastPass and its competitors theoretically have zero-knowledge storage of everyone's passwords, so even a full breach of their servers would fail to leak passwords.
I keep a password database on the company network with all my work passwords and I have no need to keep a copy of those credentials on a bunch of my personal devices or cloud servers.
My personal passwords are stored on my own personal devices. Syncing between them can be done using any number of methods without uploading to the cloud, but even if I wanted to use somebody else's servers to do that, a properly encrypted file with a very strong password could be safely stored anywhere, so there's no need to limit myself to one company's servers. I can use whatever works best for my needs and won't have to worry about what I'd do if the one I was using goes under or becomes unavailable. In exchange for a little extra work you gain a ton of utility and resiliency.
This is a dangerous fallacy. Nothing fundamentally would prevent someone who attacked their infrastructure from pushing a malicious app update or a malicious extension update which exfiltrated the decrypted library from the client side.
Simply secure the database with a password and keyfile then copy the key file manually to your mobile devices and workstation.
That way you can be certain that your cloud provider has zero knowledge of your key file and also doesn't control the application in which you enter the master password.
www.passwordstore.org and stand up your own bare git repo.
You can literally audit this password manager in 30 mins! Thus, I feel it’s more secure than a complex solution like LastPass, since the code is small and a Yubikey touch gives you a chance at one password (with other password managers the whole vault is unlocked and all passwords are at risk and may be extracted at once).
Pass has advantages over other password managers (even though it has some limitations too).
I have my pass repo somewhere on the internet and the Android/iOS clients have been adequate for me.
If your passwords are encrypted you can put that file on a Times Square billboard and it doesn't matter. That is the entire point of encryption, moving sensitive data across adversarial channels. If you don't trust the encryption of the software you're using, well that's a good indication to not use it at all. But if you do there's literally zero point to not use a cloud provider.
EDIT: I revisited the code. Looks like everything in [1] is fixed, nothing in [2] is fixed, there are now JWTs for some reason, and… they removed metadata encryption?? [3][4] Or it was never there in the first place and simple-crypto-js was used for something else? Either way, it’s a current and major flaw.
[1] https://news.ycombinator.com/item?id=22587940
[2] https://news.ycombinator.com/item?id=22582570
[3] https://github.com/lesspass/lesspass/issues/185
[4] https://github.com/lesspass/lesspass/blob/314fc7386f2c29750c...
in all seriousness, Lesspass has a cool concept (I hadn't heard of them before, just looked at their website now). I'd be interested in hearing what cryptography/security experts think about it.
I'm guessing nation-state because it seems they stole some source code/R&D. I'd guess China. That's their entire MO. Further the Chinese economy by any means necessary. Why waste years and millions on R&D when you can just steal it?
https://www.cbsnews.com/news/chinese-hackers-took-trillions-...
For something like a password manager using client side crypto, compromising the software supply chain of the client is an interesting proposition for an attacker.
https://www.france24.com/en/20110104-france-industrial-espio...
He said they put all their resources into industrial espionage and it’s pretty much their only focus.
This is the current trend each time there is a breach: let's pretend/show that we are serious and waste money hiring "security" consultants who will in the end probably tell us obvious things.
Pay more or listen to your own employees instead and eventually go hire competent engineers instead of funding bullshit jobs.
LastPass is supposed to be in the "cyber security" field, so it is a little bit ridiculous to say that you need external help on this subject...
This isn't hiring an auditor or consultant to recommend better security practices but more like a team of world-class detectives, investigators, and forensicists to figure out exactly what happened and how, what they might have done or taken, if they still have or could regain access, and, potentially, ideas as to who or what the culprits may be and what their objectives were. In particular, you want to have as much confidence as possible in what they may have done when they had access to your systems and that they have been effectively shut out and don't have any other access points/backdoors.
LastPass undoubtedly also has their own security incident response team - most companies probably should - but it's like the local county PD calling in the FBI when a serious or sophisticated crime occurs.
Short of serving customers malicious JS code or an app to steal passwords, the production environment referred to in the article can be made totally public without the secrets in vaults being revealed, no?
Get into their dev env (ideally unnoticed), exfiltrate the sensitive code you need, poke around their systems. Once you’ve got a handle on their code and have figured out what to add, do so and just begin the waiting game.
Maybe that’s all happened, and this attack is “air cover” for the last-stage.
Not good! All a password manager sells is trust. Without that they don't offer anything of value.
All your data is kept separate from the company, and if you depart you just need to add a credit card.
This doesn’t seem to be the case in this incident though.
That's basically what happened in the solarwinds compromise.
So unlikely.
BitWarden's UX is a little different, and in some ways inferior to LastPass. Sharing passwords with my wife feels convoluted in BW, but it works perfectly fine. You have to create an "organization" where both users join, and then add your sites/pws to. In LastPass you just share it. But I've also found BitWarden works better, especially on mobile. LastPass would fail filling in passwords on some sites, and I'd have to use different autofill methods to get it to fill. But BitWarden doesn't have the same issue and mostly just works. I also like BitWarden's built-in 2FA field for each site's password, which eliminates having to use other authenticator apps. Except you'll still want to use a 2FA app for BitWarden's master password.
We're looking at you, Twitter / GitHub.
Putting your passwords in the hands of a third party drastically increases your threat surface and no amount of hand-wavy "but it's not as convenient" will change this fact.
Now, it may be true that the convenience factor is very strong right now, but the solution will never be "let's keep hoping real hard that the third parties are good at this." Not unless any of the third parties are willing to take on indemnification or liability.
The proper thing to do is to figure out how we can best empower people on their own. I know it's difficult, but that doesn't fundamentally cut into the fact that "this is what SHOULD be done."
Even on this point I have to disagree because that's precisely what 2FA is for. Even if LastPass (or Bitwarden in my case) stole my vault's password and posted my credentials on pastebin, no one could log into any of my 2FA protected accounts. (Ironically this account on HN is one of the few that doesn't support 2FA. Oh no my internet points!)
"not your keys, not your coins" may apply in the cutthroat 2FA-less decentralized world of cryptocurrencies, but most of the rest of the world has much more nuanced threat models.
The threat isn't the service having the encrypted vault anyway; we kind of trust the encryption to be decent (though of course you can't know what technological threats are looming).
The real threat is that you're putting your password for decryption into a proprietary blob with an internet connection and auto-updates enabled. It might be sending your password random places now or maybe at some later point.
Note that even a source-available password manager doesn't really solve this issue if it's not self-compiled - and most of the time you'd probably want automatic security updates enabled on something security critical. But they can put anything they want to, or are pressured into putting, in there.
Is the source for the live site public? 2FA could be added in an afternoon.
- passwords need to be strong, and that is inconsistent with being memorable
- passwords shouldn't be repeated
- people use multiple devices
What is the user empowering solution to those three constraints other than password managers that store in the cloud, or flat-out ending passwords in favor of biometrics or something?
Use a password manager, remember a 2nd password for your email yourself, and then use a second factor for as many things as possible. USB keys are best, but anything is better than nothing: SMS, Authy, Google Authenticator, phone call, whatever. Chrome and Safari both have password managers these days, and some Chromebooks even have a built-in second factor. 2FA is still a hassle for sure, but it's getting better all the time.
Consider a classic "grandma" solution. A little notebook with good passwords kept in the purse or wallet. The issues here are more knowable than with LastPass or whatever.
I literally have this posted on my office door at the university where I teach.
I switched over to a self-hosted Bitwarden, and not only is the user experience a lot better, I've got better security confidence since my password store never leaves my home network.
LastPass has to be ready for some sort of attack, I guess; it's good that they identified this early.
Take WordPress as an example: the code is open source, yet the majority of loopholes come from plugins, not really the core.
But, we never know.
Huge huge potential loss here for people until they affirm this didn't happen.
Not a good look for an online password storage service.
Breaches can and will happen to anyone, and we should assume they eventually will happen to everyone. What matters is how quickly you can detect the breach and how limited the impact is. It's still too early to tell exactly what's happening here yet. That said, if this only impacted a development environment that contained no customer data, then this is a good example of that principle.
However, it is at the same time fair to say that there are possible breaches for Bitwarden as well that would involve stealing information, despite being open source. Their website, the securing of the process by which their downloads and updates are produced and distributed, the way the hosting for their web vault is secured...