> The forced logout + MFA resync events are taking place as we increase all customer's password iterations.
Typically you just need to wait for a user to log in, then validate the password against the old hash and create a new stronger replacement hash. Ending all sessions is a good way to log everyone out and force that. But I'm confused.
If weak password hashes were leaked, then the passwords need to be changed too. Increasing the rounds doesn't prevent attacks on the previously leaked weak hashes. Maybe they expect everyone already did that but some people did it before they increased the hash rounds?
The MFA reset shouldn't be related to the increase in hash rounds, those are unrelated. So they must suspect the MFA seeds were also stolen, but aren't saying it, right?
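The rehash-on-login flow described above, as an added Python example that is not part of the thread (the record format, the in-memory store and the sample user are constructed for the demo; 600K is the target iteration count other commenters mention):

```python
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
TARGET_ITERATIONS = 600_000   # the current default mentioned elsewhere in the thread


def make_hash(password, iterations=TARGET_ITERATIONS, salt=None):
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations), salt.hex(), digest.hex()])


def parse_hash(record):
    """Split a record into (iterations, salt, digest); reject unknown algorithms."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported hash record: " + algo)
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify(password, record):
    """Recompute with the record's own iteration count and compare in constant time."""
    iterations, salt, expected = parse_hash(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_upgrade(record):
    return parse_hash(record)[0] < TARGET_ITERATIONS


def login(users, username, password):
    """Authenticate against the in-memory store `users` (username -> record).
    On success, an under-strength record is replaced at TARGET_ITERATIONS;
    a failed attempt must never touch the stored record."""
    record = users.get(username)
    if record is None or not verify(password, record):
        return False
    if needs_upgrade(record):
        # This is the only moment the server sees the plaintext, so it is the
        # only moment it can re-hash. Users who never log in keep the old hash,
        # which is what forcing a re-authentication is meant to fix.
        users[username] = make_hash(password)
    return True


if __name__ == "__main__":
    # Constructed sample store: a legacy user hashed with only 5,000 rounds.
    store = {"alice": make_hash("correct horse battery staple", iterations=5_000)}
    leaked_copy = store["alice"]          # imagine this weak record was already stolen
    assert not login(store, "alice", "wrong password")
    assert login(store, "alice", "correct horse battery staple")
    assert not needs_upgrade(store["alice"])
    # Upgrading the stored hash does nothing for a copy that has already leaked:
    # the attacker can still test guesses against it at 5,000 rounds.
    assert verify("correct horse battery staple", leaked_copy)
    print("upgraded:", store["alice"][:40] + "...")
```

The last assertion in the demo is the point made above: raising the rounds protects only the hash the server now holds, not a copy that was taken earlier.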
gurchik 782 days ago [-]
> The MFA reset shouldn't be related to the increase in hash rounds, those are unrelated. So they must suspect the MFA seeds were also stolen, but aren't saying it, right?
They were stolen but weren't very clear about it.
From their summary of their latest security incident[1] it says attackers stole:
> Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.
This summary links to a page[2] with more information, but actually on this page they give less information, saying only:
> [Customer Secrets accessed includes] Multifactor Authentication (MFA) seeds - MFA seeds assigned to the user when they first registered their multifactor authenticator of choice to authenticate to the LastPass vault.
> If weak password hashes were leaked, then the passwords need to be changed too. Increasing the rounds doesn't prevent attacks on the previously leaked weak hashes. Maybe they expect everyone already did that but some people did it before they increased the hash rounds?
I assumed they were just increasing the rounds as a general good practice. The best time to plant a tree was ten years ago, the second best time is now, and all that.
crote 782 days ago [-]
If it is just a regular rounds increase, why force an immediate re-auth on all users? It would be way more user-friendly to just wait 6 months or so for natural re-auths to occur, and only do a forced re-auth on the few remaining users afterwards.
ExoticPearTree 782 days ago [-]
From a user experience perspective, this would be the way.
At some point at the company I work for, we decided to change hashing algorithms, and we did it on the fly when a user authenticated again. Users were happy, we were happy.
But as someone already said here, there's a high probability that the OTP seeds were stolen so that's why they are doing this forced reset for MFA re-enrollment.
palata 782 days ago [-]
Genuine question: why are there still LastPass users?
I mean, if you have a password manager, it means that you somehow care about your passwords. If you have LastPass, it means that you chose something that was not the default Google Wallet or Apple whatever-it-is-called.
Are there so many LastPass users who haven't followed the news in the last 2 years?
yallpendantools 782 days ago [-]
I'm a developer by profession and I almost didn't switch from LastPass after their breach last year.
Simply put, after all the reports of last year's breach, I assessed how vulnerable I am. First, my LastPass settings were such that I shouldn't be too affected by their breach; among other things in their self-assessment report, I had the "new" healthy default of 600K iterations. Also, the three most important accounts forming the basis of my online identity were never on LastPass and had unique passwords.
(And yeah, I understand that the security issue isn't purely on technical merit but also a social question of LastPass' reputation as a company. But on a personal level, I didn't really care that much. Moving on...)
Hence, on a personal basis, I didn't see much reason to switch out. The alternative would be the hassle of evaluating a new password manager, exporting data from LastPass, setting up the new password manager on my devices, importing my pre-existing vault, tweaking the new password manager so it behaves as I expected, etc. I know I'm playing the world's smallest violin with this grievance but that's really how it was. I think there was also a confluence of other factors why I didn't want this hassle on my plate at the time (e.g., I remember this was end of last year and I'd rather focus on my holiday arrangements).
I did reach out to family members whom I might've recommended LastPass to in the past though, and advised them to switch out. I didn't believe they could make the same self-assessment that I did.
In the end, I did switch to Bitwarden though. I did go through the hassle as I thought I would but articles like this make me glad I did. The decisive factor for why I did it anyway was that I realized that I might have some passwords/keys in my vault that I use professionally so, out of professional prudence, I switched. Were I not a developer, I might not have had this factor at all.
charles_f 782 days ago [-]
It's not about the leak itself, but the laxness of their operational policies that resulted in it, the low level of ownership they demonstrated in communication throughout the incidents, the weird design decisions that were made to leave parts of wallets unencrypted, which you would never know of since it's all a black box (1pwd for example open-sourced some of their designs).
koheripbal 782 days ago [-]
Unless you want to self host, it is naive to think other password managers are not also the subject of attack.
palata 781 days ago [-]
The problem, IMHO, is that selling a password manager is about selling trust. It is okay to have an incident (to some extent of course: "we got hacked and somebody stole our database, which was not encrypted" is pretty bad), but it is not okay to lose trust.
Given how it has been going with LastPass, I don't see how one would still trust them with their passwords.
baal80spam 782 days ago [-]
Very true, that's why I've been sticking with KeePassDX for many years now.
NegativeK 782 days ago [-]
I've been involved in switching users in a corporate environment from one password manager to another.
You want to irritate non-technical people? Tell them that they need to use a password manager.
You want to irritate even technical people? Tell them that the password manager you had to force them to use is going to be replaced by a new one, and _they_ have to do the export/import steps -- despite the fact that their boss is breathing down their neck for four projects that are late, half of which they have no control over.
I'm glad I don't have to worry about the Lastpass breach, but I can absolutely commiserate with anyone who has to care about password managers for other people.
jeroenhd 782 days ago [-]
You want irate non-technical people? Tell them they need to come up with something better than Password123.
People hate passwords. You can explain to them why passwords are important, how people from the outside can do all kinds of nasty things if you pick weak ones, but people will ignore all that because they never need to deal with the fallout.
When these people eventually get hacked, they will blame their computers, their antivirus, their browsers, the websites they use, and most likely also the most recent person who touched the computer.
Password security is like herding toddlers. This is why I'm looking forward to a future where physical keys and passkeys are supported essentially everywhere. We don't even need them as 2FA because they work fine as a first factor in most cases, though 2FA would be much better of course.
And to be honest, whoever manages normal people's IT is probably partially to blame for the hate most people have for passwords. Things like monthly password resets, session tokens that last less than a work day, separate passwords with slightly different usernames across different applications, and all kinds of other useless limitations are why people hate passwords so much: using a password manager once or twice is fine, but having to use it to copy/paste passwords every other hour is tedious and terrible.
Companies unable or unwilling to fix their terrible password setup should invest into something like Yubikeys to at least make the process less frustrating. The difficult part is getting a backup when people lose their keys, but you can probably use passwords as a fallback until a new key can be arranged.
NegativeK 782 days ago [-]
NIST's recommendation of passphrases that don't expire except when cracked is better, because it avoids <employer name>fall2023. But now you have to pay for the audit (whether it's internal or external) and then explain why their TV quote/book title/whatever is easy to guess.
And whether it's passphrases or passkeys, we still haven't solved the problem of the gajillion other accounts people will have to log into to do work that are nowhere near that standard.
throwaway67743 782 days ago [-]
As a technical user faced with the most absurd of password complexity policies, I totally understand non-technical user frustration, given my much higher bar of ability etc., so I don't think it's entirely fair to blame them. Sure, they could do with making more of an effort, but most people just don't care or aren't aware of the ramifications...
maerF0x0 782 days ago [-]
> and _they_ have to do the export/import steps
At least for a personal account, the 1Password import tool worked flawlessly (as far as I can tell after about a month switched).
Does it not work for enterprise? Or perhaps each would have to run it?
NegativeK 782 days ago [-]
When there's segregation between passwords that the organization can see and passwords that only the employee can see, then each user has to run the import/export.
Waterluvian 782 days ago [-]
Yes. Most of them.
It’s such an important lesson for informed people, and tech people, especially, to learn: our context is absolutely not the common one. Things that are obvious and clear to us are a world away for most others.
Trufa 782 days ago [-]
I am pretty tech savvy, read HN often and still use it.
Partially, laziness, partially hard to change flows, partially hard to migrate, partially I don’t believe that it’s THAT bad, though the last one is the one I’m least sure.
iLoveOncall 782 days ago [-]
But you don't even have to have followed the news. LastPass has sent an email to all its users informing them of the somewhat recent breach.
I had already left by then but I would have otherwise.
zdragnar 782 days ago [-]
People still read their emails? I thought it was mostly just for registration verification links and spam.
Waterluvian 782 days ago [-]
Yep. They either don’t know or don’t care. There’s a level of security fatalism among non-techs.
I can imagine a security professional explaining to a random person everything they ought to do to be secure. Not gonna happen.
UncleMeat 782 days ago [-]
Okay. But how is a typical person supposed to effectively judge the relative risk of LastPass against alternatives such that it justifies the hassle of switching?
The core problem with the LastPass breach was their response to it, not necessarily that they were pwned in the first place. Like, the whole point of password protected vaults is to make this situation less harmful.
jeroenhd 782 days ago [-]
People don't know about the ability to export and import passwords, though. Modern interactions are so much "everything is locked behind this branded app" that it's a miracle people still remember they can email to other domains.
What they do know is how annoying it was to have to set up LastPass, entering each and every password, dealing with accounts and setup and recovery keys, and the process of getting used to it.
Unless LastPass adds a button that says "click here to switch to a competitor", I doubt their remaining customers will ever leave the problem.
secabeen 782 days ago [-]
Bitwarden still doesn't have as good a multi-account workflow as LastPass does. They finally added multi-account support late last year; that was a full blocker for me, as I need access to both my personal and work vaults on my devices. Now that they have multi-account support, it's better, but they are still significantly worse than the LP approach. If they get multi-account search working as requested here, I might finally switch over:
Password managers have a stickiness to them. Moving is hard. There are import/export functions, but I found all of them have issues.
Moving needs to be fast and seamless enough that I can move my entire family without hassle. That's why I'm stuck.
palata 782 days ago [-]
I exported my LastPass vault (yeah I used to be on LastPass...) and imported it into Bitwarden. Maybe I was lucky, but I was amazed by how simple it was. It took like 2 minutes, and it just worked.
squeaky-clean 782 days ago [-]
Unless you also changed every password for every account you store in your password manager, you still have the original security issues of Lastpass to deal with, as well as any potential issues from your new password manager.
palata 782 days ago [-]
Yeah, obviously, but good to mention.
I did change them. Very quickly for the important ones, more slowly for the others.
wruza 782 days ago [-]
Some of them may be company-plan users who can’t choose and it’s hard to replace overnight.
latexr 782 days ago [-]
> the default Google Wallet or Apple whatever-it-is-called.
It’s just called “Passwords”. Consistent with “Mail”, “Notes”, “Reminders”, “Calendar”, but it doesn’t have a dedicated app like the others (it’s inside System Settings).
holiveros 782 days ago [-]
Probably mostly companies stuck with long-term contracts.
The global company I work at uses it, they have an enterprise-wide contract. Migrating to something else is just a massive PITA, extra costs & sure downtime.
x3874 782 days ago [-]
Good question. I cannot even 100% remember why I left a couple of years ago. IIRC it was a compromised cache / logon on a device I didn't control anymore and the general uneasiness of having my digital identities stored on a foreign service that could be hacked / could lock me out any time.
Keepass plus syncthing works for me; Keepass' autotype is great.
paultopia 782 days ago [-]
Frankly, it's a crappy landscape:
1. The main competitor everyone knows about, 1Password, has its own problems. (I gave up on it a couple years ago after learning that you can't quit the goddamn MacOS application when it's logged out. It literally requires you to be logged in to make use of a super-secret-strong quit that doesn't leave some daemon on the system. Which is incredibly irritating when you're trying to just run a software update but instead you have to type your super long and secure password manager password.)
2. Transitioning passwords is hard even once you find a good alternative. One should change passwords after a breach, but there are basically three options: (a) use the automated password changing within the old password manager. But if you don't trust your password manager after a breach, it's probably a bad idea to use the automated password changing feature of said password manager and end up with your new passwords in the insecure service. (b) import everything to a new password manager and change from there. But if you have a lot of passwords, there's a good chance the new password manager won't be able to automatically change them all, and then you'll either have to carve out a huge amount of time to do it all at once, or have a mixture of secure and insecure passwords in the new password manager, which seems very problematic. (c) gradual transition: move the mission critical passwords first and change them on the spot, then as you use a less important service, change the password for that and move it to the new service as you go. Which makes sense, but means you'll still be using the shitty old one for a while.
Caveat: bitwarden-cli isn't supported, last I checked. They also only implement a subset of Bitwarden features. Not to knock Vaultwarden; I've used it for years and have no plans to migrate anytime soon.
The bitbetter project[0] shims bitwarden licensing for personal use. It might be better if you're looking for complete feature parity and client support.
What parts of the CLI don't work with Vaultwarden? The CLI client works fine for me when it comes to basic password operations.
I'm aware that the backend doesn't implement every API Bitwarden has but I've also never noticed any missing features. It did take some time before Bitwarden Send was implemented, but I can't fault the devs for that. I also expect the upcoming BW passkey support to take a while to make it to Vaultwarden.
Personally, the whole organisations thing is only a nice to have when it comes to hosting Bitwarden. The standard Bitwarden installation eats up gigabytes of memory for (I assume) optimizations for large installations that most self hosters probably don't really need.
0x0000000 782 days ago [-]
> They also only implement a subset of bitwarden features.
Any idea what's missing?
Vaultwarden does add TOTP support, which the free official server didn't last time I checked, so while it may be missing features, it also unlocks features you wouldn't have without paying.
sdht0 782 days ago [-]
Bitwarden is also moving towards a unified docker image [0] that allows using SQLite or Postgres instead of the earlier mess of containers. Working pretty well for me and avoids having to trust an additional 3rd party.
1Password is probably the best kept secret when it comes to password managers. I don’t understand why more IT professionals don't advocate for this software.
maerF0x0 782 days ago [-]
+1 Made the switch this quarter. It's practically the same price, incredibly easy to switch, comfortably similar if you've used lastpass before... And as I went through this process I also discovered despite breaches and insecurity, my LP account actually had some hardening issues remaining that they fixed for new signups, but failed to do so for long time customers. So fuck them. (I've since rolled many of the most important credentials btw)
If businesses can't trust any of that, then we wouldn't have any online businesses.
throw1230 782 days ago [-]
doesn't LP have the same certifications?
devnullbrain 782 days ago [-]
> I don’t understand why more IT professionals don't advocate for this software.
I can have an offline password manager that just works, for free, and I don't have to worry about backdoors or hackers or incompetence.
ChiefEngineer 782 days ago [-]
Cost. Get a quote for a few thousand users from each vendor. Bitwarden and LastPass will come in around $50k, where 1Password will quote you $75k and have no flexibility to be competitive on their pricing. LastPass will probably drop to $40k later in your decision process to entice you to pick them.
LastPass has known issues and IT departments can make an understandable recommendation to the business to pick Bitwarden even with a slight cost premium. There is nothing to justify the insane premium 1Password demands. I have seen them lose multiple contract opportunities because of this.
Note: The dollar quotes are made up numbers, but the percentage differential is real. 1Password is often 50% higher in total cost.
realitythreek 782 days ago [-]
Surely 75k for a secure password manager is better than 50k for an insecure one. They’re failing at their core competency.
pletnes 782 days ago [-]
Seconded. I’ve used LastPass at work a few times and I have zero idea why they still exist - 1Password is much better and other competitors exist, too.
ClumsyPilot 782 days ago [-]
I don't like any of this. Your passwords need to be with you, not rely on a server.
I use KeePass; it stores all passwords in a file, encrypted. The file can be stored in OneDrive/Dropbox/etc.
But the point is, if all the servers in the world go down, I have all my passwords in a local copy. There is also an Android app.
You can even edit the database file independently on desktop and on mobile and it will be able to merge two conflicting files.
Reminder for anyone with KeePass on iOS: make sure it isn’t the malware one. I had it and had to change all my passwords.
BrotherBisquick 782 days ago [-]
There's malware on the iOS app store?
What's the point of all that garden-walling and 30% tax and hoops you have to jump through if there's still malware?
8organicbits 782 days ago [-]
It happens sometimes [1] [2]. Reduced malware and quick removal is all you can hope for.
I have an app in the Play Store and received some unsolicited requests to install (and get paid for!) adding some extra jar file to my app and hosting someone else's apps in my account. Attackers put in a lot of effort to sneak in.
Having less malware would still be a worthy goal. That said, I’m not defending the App Store. It’s still riddled with junk, ads, casinos for children in the form of free-to-play games, and adult casinos disguised as children’s games.
I think this is partially true. LastPass has offline support so the LastPass servers temporarily being inaccessible doesn't need to be an issue. But you're right, it's not "offline first".
There's lots of reasons not to use LastPass but I don't think this is high on this list.
> Your passwords need to be with you, not rely on a server.
Pretty much all password managers including Lastpass do store the vaults on your device and you can access them offline. The issue here is the borked MFA reset.
iudqnolq 782 days ago [-]
Your setup sounds great. You might find it interesting that it's also very close to what 1Password does.
1Password apps store local state in an SQLite database. They then package up that database and encrypt it with your chosen master password and a randomly generated password. (The random password is only to protect users who picked a weak master password against a server breach, so it's stored in plaintext on your computer). That encrypted file is uploaded to their server.
There is also an android (and iOS) app. If you edit independently conflicts are merged.
account-5 782 days ago [-]
I genuinely don't know why people don't use offline databases like KeePass. The convenience of online password management is not worth the hassle they can cause. Albeit LastPass appears to be the worst!
Dayshine 782 days ago [-]
Because I have four devices I need my passwords on, on three different OSs, and no admin on one.
All of my banks use a mobile app for confirming transactions, which requires me to log in. Sometimes that requires reauth, not just biometrics. I'm not going to go home and try and type a 20-30 character password into a phone when trying to pay for car parking.
account-5 782 days ago [-]
I'm managing fine with the same situation with keepassxc/dx. No need for a third-party to manage my passwords for me.
predictabl3 782 days ago [-]
I use "pass" with a yubikey and happily use it from Windows, Linux, Android.
It syncs via git and syncthing.
I think I've been using this longer than BitWarden has existed and will be using it after something happens with BitWarden and triggers another migration.
Once again, a one-time learning and cost of setup has saved me countless headaches and time not spent migrating over the years.
ilikehurdles 782 days ago [-]
Back when 1Password honored its offline, non-subscription license we bought, we could store the encrypted vault in a cloud storage service like Dropbox (or your own server) and simply set up other instances of the 1Password client to use the vault on that folder.
account-5 782 days ago [-]
Exactly what I'm doing with my keepass database. I have an offline keyfile that's never in the cloud for added security. I've found this to be the best solution.
commandersaki 781 days ago [-]
I feel like people that say "I don't store in the cloud" don't really understand how modern encryption works.
account-5 779 days ago [-]
Care to elaborate?
It's not like I don't store in the cloud, since my database is in the cloud. Why would I store the keyfile next to the database?
commandersaki 768 days ago [-]
First a password manager would never store a key unencrypted on the cloud.
When implemented correctly a password manager storing the database shouldn't have any information (keys) to decrypt the database. Only the user & the client knows this information, and it never leaves the client.
There is still the matter of authenticating to the password manager service to retrieve the database. There's a couple of ways to do it, but usually a strong password hash (least desirable and I think this is what LastPass uses) or a Password Authenticated Key Exchange (PAKE) in which the service keeps an authenticator to verify your password/credentials but the authenticator cannot be reversed or attacked to determine the password (similarly observing the PAKE transaction over the wire or MITMing it won't allow any attack to find the password).
Even if the authentication aspect fails and someone could download all the databases, the database should be protected with at minimum a slow password hash, so a dictionary attack should be very slow. I believe LastPass has stuffed this up in the past. On the other hand, 1Password took a proactive stance despite a hit to the UX by requiring a password + "secret key" which is I believe at least a 128-bit secret that's mixed together to come up with a high entropy password that is used to encrypt the database - so an attacker will have a hard time with any 1P database.
Put bluntly, as a 1P user I'm the least bit concerned that the database is stored in the cloud. I guess the only thing I have to worry about is a surreptitious version of 1Password being distributed to my machine which may capture/exfil my password & secret key. I guess not being open source is a net negative here. So I do place some trust and faith in AgileBits to protect their supply chain and software distribution. Their reputation depends on the security of the service after all.
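The password + secret key construction described in this post (and the locally stored random password iudqnolq describes above for 1Password) as an added Python example. This is not 1Password's code or its actual algorithm, only a simplified two-secret derivation in the same spirit; the 128-bit secret size, the PBKDF2 round count and the key-check value standing in for the encrypted vault are assumptions for the demo:

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 50_000   # kept modest so the demo runs quickly


def hkdf_sha256(ikm, salt, info, length=32):
    """Minimal HKDF (RFC 5869): extract with the salt, then expand with info."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def new_secret_key():
    """128-bit secret generated once at enrollment and kept only on the user's devices."""
    return secrets.token_bytes(16)


def derive_vault_key(password, secret_key, salt):
    """XOR a slow hash of the password with an HKDF output of the secret key.
    Either input alone yields nothing usable: a correct password guess still
    produces the wrong key unless the guesser also holds the secret key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    sk_part = hkdf_sha256(secret_key, salt, b"vault-key", len(pw_part))
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def create_vault_record(password, secret_key):
    """What the service ends up storing: the salt and a key-check value that
    stands in for the encrypted vault (a real vault is AEAD ciphertext whose
    decryption fails on a wrong key, which gives an attacker the same oracle)."""
    salt = os.urandom(16)
    key = derive_vault_key(password, secret_key, salt)
    return {"salt": salt, "check": hkdf_sha256(key, salt, b"key-check")}


def unlock(record, password, secret_key):
    """Client-side unlock: True only when both password and secret key are right."""
    key = derive_vault_key(password, secret_key, record["salt"])
    check = hkdf_sha256(key, record["salt"], b"key-check")
    return hmac.compare_digest(check, record["check"])


def dictionary_attack(record, candidates, secret_key=None):
    """Offline guessing by someone who stole the stored record. Without the
    secret key each password guess would also have to be paired with a guess
    at 128 random bits, so the dictionary alone never unlocks anything."""
    attacker_key = secret_key if secret_key is not None else bytes(16)
    for guess in candidates:
        if unlock(record, guess, attacker_key):
            return guess
    return None


if __name__ == "__main__":
    sk = new_secret_key()
    record = create_vault_record("hunter2", sk)          # constructed weak password
    wordlist = ["password", "123456", "hunter2", "letmein"]
    print("stolen record only  :", dictionary_attack(record, wordlist))       # None
    print("record + secret key :", dictionary_attack(record, wordlist, sk))   # hunter2
```

The second secret is what turns "the attacker has the database" from a dictionary-attack race into a search over 128 random bits; the slow hash only matters once the secret key is also compromised (for example by the tampered client this post worries about).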
SoftTalker 782 days ago [-]
I agree. If you don't totally own your password manager, you are at the mercy of the company that does.
I use password store (the pass command-line utility); at its core it's GPG-encrypted files in a local git repo, with a convenient command-line utility to manage them. It's cloud-free, runs on my local machine. If you need to sync, you can use git push/pull to do that.
I don't use it from mobile as I do very little on my phone that requires a password, but if you need that there are options:
I've been using Bitwarden for a very long time without any hassle. It just works. Technology-wise it's effectively the same thing as KeePass+Dropbox, just bundled. It's even open source, so I could export my data and self-host it if needed.
I would be careful about judging the experience of all online password managers based on LastPass.
therealdrag0 782 days ago [-]
Can the DBs get merged or are they subject to conflict race conditions?
Years ago I experienced hassle and data loss (not of passwords) due to local-first sync solutions, such that I’m very wary of them now.
account-5 782 days ago [-]
Race condition? In the context of my usage that's not possible: I'm the only user, and am accessing the data on one device at a time. Even less so since I'm essentially using sneakernet rather than cloud storage for "sync".
causality0 782 days ago [-]
Why would LastPass let you "unsubscribe" from critical security emails like "hey you're gonna be locked out"? Or have they tied critical emails to marketing garbage emails in their communication preferences?
semiquaver 782 days ago [-]
I recently had to start using Lastpass for work and I am absolutely mind-boggled at what an all-around terrible piece of software it is. I have my complaints about 1Password but those are peanuts compared to the mile long list of show-stopping bugs and UX problems I experience every day with LP. Irredeemable garbage.
AlbertCory 782 days ago [-]
I don't use a password manager. You shouldn't, either, probably, unless you want to share passwords with a group or something.
I have a file of hints which are only meaningful to me. Even if a malefactor got hold of the file, it wouldn't help them. (no, I'm not going to give examples; if you can't think of some combinations of characters that only you can remember, then fine, use a password manager). I'm always thinking of new ones, too.
You don't need a unique one for every site, either. Having 15 or 20 that you choose at random means that an invalidated one doesn't affect everything you do.
Occasionally, the Hint file has an actual gibberish password with no hint, where I have to copy/paste it. I think this is fine once in a while.
All I really have to remember is the password for the place where that file is stored, and my email's. Often it happens that my stored hint doesn't work (maybe I forgot to update it), but every site has a Forgot Password link.
ryan-c 782 days ago [-]
Counterpoint: Use a password manager and unique passwords for every site, and be mad about the terrible authentication UX, just like the vast majority of experts in the field recommend.
lolinder 782 days ago [-]
> You don't need a unique one for every site, either. Having 15 or 20 that you choose at random means that an invalidated one doesn't affect everything you do.
But it does mean that if one of those passwords gets leaked and the service that leaked it takes a while to notice, you now have X other services that are compromised and you don't even know it.
There are breaches on haveibeenpwned for my email that I was never notified of. If I were reusing passwords, each of those would represent a possible security breach in unrelated accounts.
AlbertCory 782 days ago [-]
I'm not going to give examples here, but: there are tons of sites that no one is ever going to bother impersonating you on. They can't use them to buy, sell, move money, or ruin your reputation.
Maybe they're like diseases you have that aren't any threat to your health.
If some site is really important, then yes: you do need a unique password for it.
latexr 782 days ago [-]
> I don't use a password manager.
Seems like you do, in the form of a hints file. You even protect it with a password. You’re using a bespoke solution, sure, but you’re still using something to manage your passwords. You could do all that trickery with an off-the-shelf password manager.
AlbertCory 782 days ago [-]
No, I couldn't. With an off-the-shelf password manager, one failure and the bad guys are in. Or I'm locked out, which seems to be what happened here.
latexr 782 days ago [-]
> one failure and the bad guys are in.
You don't have to store passwords in an off-the-shelf password manager; you can store secure notes and files. In other words, you could continue to use your current method of hints but with more organisation.
Point being that what you’re doing is not meaningfully different from using a password manager, you just manage your passwords in an uncommon manner.
AlbertCory 782 days ago [-]
It IS meaningfully different: almost everyone expects the password manager to fill in the actual password on the form, not a hint about it.
As far as I know. Maybe someone does do that?
Anyhow, password managers cost money. This doesn't.
latexr 782 days ago [-]
It is not mandatory for password managers to fill in passwords. Turning that on is often an extra step because you need to install their browser extension. Everyone is free to not do so.
And there are plenty of free (and open-source) password managers.
It’s fine that you don’t want to use an off-the-shelf password manager, but if you’re not familiar with how they work in practice, perhaps you should not advise people to not use them. Your system is a way to manage passwords and from your description seems to be more complicated than most people (especially non-technical users) would bear.
AlbertCory 782 days ago [-]
"More complicated"? On the contrary. It's a homebrew system like people have used since before computers. And since it's a one-off, it's not worth cracking.
Edit: what do you consider "complicated"? Compared to all the inevitable complications of a PW manager and browser extensions? Not to mention screwups like the LastPass one.
Yasuraka 782 days ago [-]
Did you try KeePassXC?
AlbertCory 782 days ago [-]
No, why would I? And would one of these "unsophisticated users" even know about it?
diarrhea 782 days ago [-]
This is not the way. So much churn for less effect.
AlbertCory 782 days ago [-]
"churn" ?? what are you talking about?
or is that a hint that's only meaningful to you? /s
Latty 782 days ago [-]
More vulnerable to phishing, a good password manager checks the URL programmatically and won't fill a different domain, human validation of domains is weak, we forget and can be tricked.
AlbertCory 782 days ago [-]
These are all weak. "Phishing protection" consists of not clicking on URLs someone sends you, particularly the "is this you in the photo?" messages on Facebook.
"human validation of domains" : not sure what you mean here but I think it's a theoretical problem, not a real one.
If you're afraid of misspelling your bank's name and landing on some malware, you can enter the bank name in your search engine.
latexr 782 days ago [-]
> "human validation of domains" : not sure what you mean here but I think it's a theoretical problem, not a real one.
It’s a very real and not theoretical problem. For example, someone sends you a link to a Google Doc. You open it and the page looks exactly like the real deal, but the domain is `signin.googledocs.com` or `login.googgle.com`. Even a technical user could not be paying attention and be fooled by that, manually entering their email and password. Because a password manager would only auto-fill your password on the correct domain, you have an extra reason to be suspicious and note something is amiss.
AlbertCory 782 days ago [-]
You missed the part where I said not to click on URLs people send.
latexr 782 days ago [-]
But you do realise non-technical people (i.e. most of the world) will click those links, don’t you? Password managers have a convenient and secure solution to the problem and you’re offering an alternative which requires teaching and convincing everyone to act differently in a very specific situation to prevent a situation that rarely happens but is potentially catastrophic when it does.
AlbertCory 782 days ago [-]
Everyone in the world is not reading Hacker News.
latexr 782 days ago [-]
Exactly. Which is why it’s a good thing password managers exist. It means people don’t need to read specific advice about not clicking links, which is their purpose, on tech forums.
AlbertCory 782 days ago [-]
"people don't need to read"
Any less sophisticated user needs to be told that. If you go to some classes for new computer users, I'm pretty sure that'll be in the first hour.
Anyhow, HN readers don't fall in that group.
Latty 781 days ago [-]
So some news site you read on gets hacked and they install malware that means when you move to another tab, it changes the tab to look like a log in screen for say, google, and when you go back, you log in. This has been seen in the wild, and it is very hard for a human to catch, we assume we had a tab open and log in. A password manager will refuse to do it because it isn't the right domain.
Yes, of course all of these kind of attacks can be avoided by "just don't do anything dangerous", but in the real world we are all flawed and mess up. No human can be perfect, and relying on never making a mistake makes you vulnerable. Anyone serious about security makes it hard to do the wrong thing.
Hardware security keys are an even better solution, but not every site supports them. Using both is by far the best option.
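The domain check the two posts above describe (a manager only offers a saved credential on the site it was saved for, so `login.googgle.com` or a spoofed login tab on a news site gets nothing) can be shown in a few lines. The following is an added illustration, not code from any commenter or from Bitwarden, 1Password or LastPass; real managers match against the full Public Suffix List, which is replaced here by a tiny constructed set, and each vendor has its own matching options.

```python
"""Origin matching as a password manager's autofill does it (added example).

A saved credential is bound to the site it was saved on.  Autofill offers it
only when the current page's registrable domain (the label just below the
public suffix, e.g. google.com for docs.google.com) matches, and only over
HTTPS.  The suffix list below is a constructed stand-in for the real
Public Suffix List.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: the real list
# has thousands of entries; these few are enough to show the behaviour).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}


def registrable_domain(hostname: str) -> str:
    """Return the eTLD+1 of a hostname, e.g. 'docs.google.com' -> 'google.com'.

    Walks from the full name down to the last label; the first candidate that
    is a known public suffix decides where the registrable domain starts.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return ""  # the hostname *is* a public suffix: nothing registrable
            return ".".join(labels[i - 1:])
    return hostname.lower()  # no known suffix: treat the whole name as the domain


def should_autofill(stored_url: str, page_url: str) -> bool:
    """True only when the page is served over HTTPS from the same registrable
    domain the credential was saved on.  Lookalike domains, different sites
    hosting a copied login form, and plain-HTTP pages all get False."""
    stored = urlsplit(stored_url)
    page = urlsplit(page_url)
    if page.scheme != "https":
        return False
    stored_domain = registrable_domain(stored.hostname or "")
    page_domain = registrable_domain(page.hostname or "")
    return stored_domain != "" and stored_domain == page_domain


if __name__ == "__main__":
    saved = "https://accounts.google.com/signin"
    for candidate in ("https://docs.google.com/document/1",
                      "https://login.googgle.com/",
                      "https://signin.googledocs.com/",
                      "https://news.example.net/login",
                      "http://docs.google.com/"):
        print(f"{candidate:40} fill={should_autofill(saved, candidate)}")
```

Only the first candidate in the demo is filled; the others are exactly the cases described in the thread (a misspelled domain, a different domain with a familiar word in it, a page on another site imitating a login screen, and a downgraded connection).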
AdmiralAsshat 782 days ago [-]
I jumped ship to Bitwarden at the beginning of the year, and haven't logged into LastPass in some time, although I forgot to delete my vault and account.
I suppose there's some assurance that if I'm indefinitely locked out of the account then at least hackers are, too?
cube00 782 days ago [-]
Unless their backups get stolen (again)
digdigdag 782 days ago [-]
Why anyone would continue to use their service after their amateur hour
operation was revealed is beyond me. That's not to say their competitors are guaranteed to be better. Really, you shouldn't depend on any offsite service for password management. Use something like Pass (https://www.passwordstore.org/), self-hosted bitwarden or at worst, GPG encrypted text files (which is essentially what Pass does).
Obscurity4340 782 days ago [-]
Hate to say it but these remaining users were and are fools for not having jumped ship like yesterday. This is not a serious + competent password manager product/company. Hopefully they had backups or they are in for a world of hurt dealing with the worst mess of being stuck in such an absurd loop.
KnobbleMcKnees 782 days ago [-]
Hey I'm not a fool! Just time poor and a bit lazy.
Also I use 1Password at work and find it a bit doddery compared to LP, which is no speed demon itself.
iLoveOncall 782 days ago [-]
It took me 30 min to migrate from LastPass to BitWarden, they have a process to import the passwords so it really doesn't require any effort.
It does require effort though.
Migrating the passwords is a thing in the process, but there is also finding a good alternative first, that integrates well the softwares one uses, getting used to new UI, new shortcuts, new bugs, etc.
All in all, it does take (much) more than 30 minutes.
degenerate 782 days ago [-]
I hear you, and generally you are correct, but migrating from LastPass to BitWarden (and setting up the extension to work exactly the way I liked LastPass to work) truly did take 30 minutes. I wasn't expecting 100% feature parity but it's there. What took the longest was discovering CTRL+SHIFT+L is the shortcut to auto-populate username/password in forms. Pressing it again will cycle to the next account in the vault.
JaggedJax 782 days ago [-]
I knew about Ctrl+Shift+L but never thought to try using it to rotate through multiple credentials. Thanks for that!
orheep 782 days ago [-]
Lastpass user here that probably should migrate. Is that keybinding changeable and how is the iOS experience?
lukevp 782 days ago [-]
It’s great on iOS! It integrates into the password manager just like LastPass did, so you get the “Passwords” button or the account name. If you have faceID or touchID set up, it’ll auto auth you and autofill the password. Bitwarden is seriously almost a drop in replacement. The biggest difference is the extension settings in browsers don’t autofill by default in the same way as LastPass. Also you can self host bitwarden (what I do).
5e92cb50239222b 782 days ago [-]
> that keybinding changeable
Any shortcuts used by extensions based on the WebExtensions API are changeable. If you're on Firefox, press Ctrl+Shift+A (or go to about:addons), open the gear menu, and click "Manage Extension Shortcuts".
trilbyglens 782 days ago [-]
I tried Bitwarden for a bit and found it to be quite janky. Not good UX over all.
gchamonlive 782 days ago [-]
You don't have to achieve all at once. First migrate to a competent service before getting locked out of your secrets. Then you should change all passwords just in case there is a LP dev db leaking somewhere. Then you can investigate what that particular service does for you in terms of workflow and migrate later if you find one that better suits your needs.
dgrin91 782 days ago [-]
It took me 30 minutes to do this process as well. Then it took days and weeks to find a bunch of corner cases that Bitwarden missed. At the same time it took me a few weeks to realize that I just don't like Bitwarden's UX. Their mobile app is just bad. It's slower than competitors, common actions take more button clicks, and the UI doesn't look good (it looks like it was built by programmers for programmers). Combining that altogether meant I couldn't move my family onto Bitwarden and my migration was a wasted effort.
tourmalinetaco 782 days ago [-]
BitWarden didn’t lose any of my passwords (which is what I assume you meant by “corner cases”), and their UX on Chromium and iOS are about on par with LastPass, so I’m not quite sure about the difficulties you may have experienced. And while BitWarden’s iOS app isn’t well optimized, considering it's a FOSS solution I am more than happy with that minor trade-off. I also haven’t had any trouble moving others onto it, even the more tech-illiterate people in my life.
It’s certainly not perfect, but I’m not quite sure these issues are consistent enough to be indicative of BitWarden’s quality. I mean if it's lost your passwords I would assume that’s something worth making an issue about on their GitHub?
moogly 782 days ago [-]
LastPass' CSV export can't handle certain characters so the exported password is wrong. I doubt they've fixed that. It was in the product during the 10-12 years I used LastPass.
dp-hackernews 782 days ago [-]
Worse than that, LP notes are multi line which makes importing a bloody nightmare! Especially if you have any CSV characters in the note.
I had to modify the native CSV with some vim magic to add a line delimiter for each record so it allowed for spanning over multiple lines in order to successfully import each entry - which also required the importer to allow for an additional EOR marker.
Even then there wasn't a 1:1 column match between pw apps.
Without this step though all sorts of hell breaks loose, and if you don't notice the columns got out of sync during import because a note had a few commas in it, what good is it to you really? It's a hell of a mess that you may not notice until it's too late.
There should also be a verify feature for any import that can query the original source via some API calls - or use that to do the import. Of course nobody is going to provide that because it means users can leave their ecosystem too easily - but the other thinking is customized backups to a PGP destination suitable for direct import via the same API calls.
This was for LP to KeePass BTW.
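The column-slip problem described above, and the "verify the import" idea, can both be checked before anything is imported. The script below is an added example, not code from any commenter, LastPass or KeePass: it parses a constructed export (column names mirror a LastPass-style CSV as an assumption; adjust them to the real file) once as a line-oriented importer would and once as proper RFC 4180 CSV, and runs the same sanity checks over both results.

```python
"""Checking a password-manager CSV export before importing it (added example).

Multi-line notes, or notes containing commas and quotes, are valid CSV when
quoted, but a line-oriented importer turns them into extra, misaligned rows.
Parsing both ways and running the same checks shows which rows would have
been silently mangled.
"""
import csv
import io

# Constructed sample export.  The second entry has a note spanning three
# lines that also contains commas and an embedded (doubled) quote.
SAMPLE_EXPORT = (
    'url,username,password,extra,name,grouping\n'
    'https://bank.example,alice,Tr0ub4dor&3,,Bank,Finance\n'
    'https://mail.example,alice@example,correct horse,"Recovery codes:\n'
    '1111-2222, 3333-4444\n'
    'Security question: ""first pet""",Mail,Personal\n'
    'https://shop.example,alice,batterystaple,,Shop,\n'
)


def naive_rows(text):
    """What a line-oriented importer sees: one record per physical line."""
    lines = [line for line in text.splitlines() if line]
    return lines[0].split(","), [line.split(",") for line in lines[1:]]


def rfc4180_rows(text):
    """Proper CSV: quoted fields may span lines and contain commas and quotes."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    return header, [row for row in reader if row]


def verify_rows(header, rows):
    """Return (row_number, problem) pairs an importer should refuse to import.

    Checks: field count matches the header, the url column holds a URL, and
    the password column is not empty.  Any of these failing on a row is the
    signature of a record that was split or shifted during parsing.
    """
    url_col = header.index("url")
    pw_col = header.index("password")
    problems = []
    for n, row in enumerate(rows, start=1):
        if len(row) != len(header):
            problems.append((n, f"{len(row)} fields, header has {len(header)}"))
            continue
        if not row[url_col].startswith(("http://", "https://")):
            problems.append((n, f"url field is not a URL: {row[url_col]!r}"))
        if not row[pw_col]:
            problems.append((n, "empty password"))
    return problems


if __name__ == "__main__":
    for label, parser in (("line-split", naive_rows), ("RFC 4180", rfc4180_rows)):
        header, rows = parser(SAMPLE_EXPORT)
        print(f"{label}: {len(rows)} records, problems: {verify_rows(header, rows)}")
```

The line-split pass yields five "records" with three of them failing the checks; the RFC 4180 pass yields the three real entries with none failing, and the multi-line note arrives intact in the `extra` column. Running the checks on the file before import, and on a re-export from the new manager afterwards, is a cheap stand-in for the verification feature the comment above asks for.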
suddenclarity 782 days ago [-]
> BitWarden didn’t lose any of my passwords
Do we know that considering how they handle iframes and how lax they seem about it?
eviks 782 days ago [-]
> it really doesn't require any effort.
That's because you don't have or don't know about all those custom fields that don't get exported by LastPass, which turns real migration from 30min to many hours
Also it'd be wise to change passwords during the migration as well given all the hacks, which is another set of hours
mNovak 782 days ago [-]
BitWarden has custom fields too, though if LP doesn't export them, then yes that's a pickle. I don't know about attachments, but notes do transfer though they're stored a few clicks deeper in the "vault".
I would argue if password updates are required because of LP's insecurity, that's really not a migration issue, that's just a LP issue.
bathtub365 782 days ago [-]
And you shouldn’t change the passwords if you aren’t migrating?
lazide 782 days ago [-]
Once you hit 300+ sites, with attachments and custom fields, it starts to be one of those ‘I am going to pretend this app will work out if I ignore it’ things rather than an easy afternoon project.
iLoveOncall 782 days ago [-]
I have more than 400 websites in mine, but not a single one has custom fields or attachments and I can't think of a single reason why that would be necessary.
blincoln 782 days ago [-]
If one does any of the following and wants to keep track of it in a structured way, it might require custom fields in some password managers:
* Use a different name for each account
* Use different "personal information" (date of birth, etc.) for every account
* Track "security" questions and randomly-generated answers for each account, for services that still use that terrible approach
* Track which phone number is associated with each account, for services that use SMS MFA codes
* Attach list of one-time recovery codes to accounts that use those
* Attach source of credential information when credentials were sent by someone else for e.g. testing
There are six reasons off the top of my head. I'm sure there are more.
nani8ot 782 days ago [-]
Some services use usernames for login instead of an email address, so I keep the per service email address in another field. Or I use a different name & birthday for a service etc.
dizhn 782 days ago [-]
I have a few that require custom fields. I don't really have a lot of passwords saved either. Maybe 50 tops.
Custom ones are usually all banking sites. One does not use standard field names so bitwarden does not detect it. Another has an extra field for user (bank customer company id, password, then the particular user's name).
xeromal 782 days ago [-]
It doesn't matter if you think it's necessary though. They use the fields hence it's a harder problem that most people make it out to be.
Tijdreiziger 782 days ago [-]
Preferably, you change all your passwords too, which is the time-consuming part.
ncallaway 782 days ago [-]
Do the migration first, then rotate passwords over time.
If you're still using LP, and haven't been bitten by this, do it now. Do the migration.
Once the migration is done, start rotating passwords as soon as you can.
fluidcruft 782 days ago [-]
Bitwarden import of Lastpass was a pain in the ass when I did it and required hours of cleanup.
12345hn6789 782 days ago [-]
I swapped the day LP announced removal of free tiers. It was nearly instantaneous.
I have over 300 passwords, multiple cards. Multiple notes. All synced flawlessly.
fluidcruft 780 days ago [-]
Glad you had an easy go of it. It messed a lot of things up for me and I had to ultimately cobble together a bunch of scripts that would find the mistakes so I could go in and manually correct each one (with like three extra clicks than necessary for each operation because Bitwarden's UI is trash). I think people who only used really basic LastPass features may not have had those problems. But I had LastPass Family with sharing and folders and it was a massive mess because the LastPass export was buggy and then incomplete. And Bitwarden is not able to iterate on fixing imports so you're stuck manually correcting import errors and duplicates. Not to mention that editing and updating in Bitwarden is a real pain in the ass because bulk operations are missing. I was really shocked at how shitty Bitwarden's database tools are when I actually had to try and use them.
keybpo 782 days ago [-]
That happened to me only because I imported the file twice or three times, thinking records would be overwritten when they completely matched. Oh, and because it also imported deleted (but not flushed/emptied out) entries, which in hindsight I found to be a good practice. Aside from that, importing was straightforward and categorizing the many uncategorized entries a breeze compared to LastPass.
iLoveOncall 782 days ago [-]
> Hopefully they had backups
We know they do, since they got their backups stolen not even a year ago lol.
toyg 782 days ago [-]
Ah but maybe they reacted to that by stopping backup jobs. Wouldn't put it past them, pretty shambolic operation.
ramraj07 782 days ago [-]
I continue to use LastPass because I’m lazy and I never trusted any app fully in the first place. All my main account passwords are in my head alone.
doublerabbit 782 days ago [-]
Yeah. I don't get this. I've never required a password manager, maybe I'm just good at remembering passwords.
And why would you even trust a cloud based product. If I can't see the hosted source code storing the password then I'm not trusting it regardless.
ajmurmann 782 days ago [-]
> I've never required a password manager, maybe I'm just good at remembering passwords.
How is this possible? I must have at least 50 passwords I use with some regularity and many more I use once a year or so. All my passwords are at least 16 characters long and totally random. Are you able to remember that without compromises like repeat passwords or patterns used for generating them (including website name in password or similar)?
somehnguy 782 days ago [-]
If you can remember your passwords I have a strong suspicion that you’re using weak passwords and/or re-using them. All my passwords are 12+ (whatever the site max is) random alphanumeric+symbols and don’t get re-used across sites - there is no possible way I could remember them all.
Using a quick back-of-the-napkin calculation, you get roughly this amount of entropy from 1password's wordlist when compared to random alphanumeric strings [a-zA-Z0-9]:
- 5 words ≈ 12 chars
- 6 words ≈ 14 chars
- 7 words ≈ 17 chars
- 8 words = 19 chars
If we take 5 words as the minimum you'd want to use on a web service:
- halvers persia dutiful manes party
- append medalist society duke disobey
- acoustic halo assuage upkeep dexter
- area theist motile align trespass
As a non-native English speaker (which should be obvious from my strained speech), I'd say it's rememberable enough.
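The back-of-the-napkin figures above come from a simple identity: w words drawn uniformly from an N-word list carry w·log2(N) bits, and c characters from an A-symbol alphabet carry c·log2(A). The script below is an added example, not code from the commenter or from 1Password; it reproduces the quoted table and also shows the EFF long list for comparison. The 18,000-entry list size is an assumption chosen because it reproduces the posted numbers; the real 1Password list size is not stated in the thread.

```python
"""Passphrase entropy versus random character strings (added example).

bits(passphrase) = words * log2(wordlist_size)
bits(string)     = length * log2(alphabet_size)
Setting them equal gives the number of random characters a passphrase is
"worth".  The figures only hold when every word is picked uniformly at
random, which is why the generator below uses the secrets module.
"""
import math
import secrets

ALNUM = 62              # [a-zA-Z0-9]
EFF_LONG_WORDS = 7776   # EFF long wordlist: five dice rolls per word
ASSUMED_1P_WORDS = 18000  # assumption: list size implied by the quoted figures


def bits_for_passphrase(words, wordlist_size):
    """Entropy in bits of `words` words drawn uniformly from the list."""
    return words * math.log2(wordlist_size)


def bits_for_string(length, alphabet_size=ALNUM):
    """Entropy in bits of `length` characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def equivalent_chars(words, wordlist_size, alphabet_size=ALNUM):
    """How many random characters carry the same entropy as the passphrase."""
    return bits_for_passphrase(words, wordlist_size) / math.log2(alphabet_size)


def comparison_table(wordlist_size, word_counts=(5, 6, 7, 8)):
    """Map word count -> equivalent alphanumeric length, rounded as in the post."""
    return {w: round(equivalent_chars(w, wordlist_size)) for w in word_counts}


def generate_passphrase(wordlist, words):
    """Pick `words` entries uniformly with a CSPRNG; the entropy maths above
    assumes exactly this (random.choice would not be suitable)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for name, size in (("assumed 18k list", ASSUMED_1P_WORDS),
                       ("EFF long list", EFF_LONG_WORDS)):
        print(name, comparison_table(size))
    # Constructed tiny list, only to show the generator's shape.
    print(generate_passphrase(["halvers", "persia", "dutiful", "manes", "party"], 5))
```

With the assumed list the table comes out as 5→12, 6→14, 7→17, 8→19, matching the post; with the 7,776-word EFF list it is 5→11, 6→13, 7→15, 8→17, so the list size matters by about a character per word.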
doublerabbit 782 days ago [-]
9-12 characters upper and lower case with numerical and special characters, pretty much unique.
kstrauser 782 days ago [-]
I’m sure we won’t talk you out of this, so I won’t try.
Anyone else reading this: do not just remember your passwords. Unless you’re Lord Nikon, if you can remember more than a handful of passwords, it’s because they’re weak enough to be memorable. Or worse, used in more than one place!
Use a password manager. Always. For everything.
doublerabbit 782 days ago [-]
I'm not against a password manager just cloud based ones where you have no sight on the source.
Nor are my passwords weak. Okay; seeing as one of my passwords expired lately.
U0ptz#^7--9
You zero pee tee zee hash up-thinggy 7 dash dash nine
Another:
L0@!tF..9w&
Lel zero at metal-gear-solid-noise tee follow dot dot nine walks and
I find that stuff very easy to remember. I just make a fantasy story based on the password.
L9d£5"s
Little 9 ducks cost 5 said sir.
HNr!##@t
Hacker News really can suck balls at times.
shepherdjerred 782 days ago [-]
My 1Password has 1000 passwords/license keys/ssh keys/api keys stored for me, along with the associated username + 2fa code. There's no way I'm going to be able to remember more than a handful of those.
> And why would you even trust a cloud based product.
1Password's security model sounds pretty reasonable to me. The convenience of having my passwords backed up and synced to my devices is worth the tradeoff in security in my case.
suddenclarity 782 days ago [-]
> maybe I'm just good at remembering passwords
I've got close to 1500 stored passwords. How does one even start to remember those?
doublerabbit 782 days ago [-]
You're telling me you use all 1500 passwords? How many of them are obsolete?
esskay 782 days ago [-]
More fool anyone silly enough to still be using LastPass.
dav1app 782 days ago [-]
I was a user of LastPass. Happily switched to Bitwarden.
sowbug 782 days ago [-]
It's scary when a company ships a security feature with a buggy "happy path," because it generally means the engineers who built it don't follow personal best security practices themselves.
An example is whether a website's login form works with browser autofill. If it doesn't, it probably means the person who built that page doesn't use browser autofill, which means they probably use the same password on all their personal accounts, which is terrifying. (Bad example for a product that's supposed to replace the browser's built-in password manager, but you get the idea.)
remote_phone 782 days ago [-]
I still use my licensed 1Password version from like 10 years ago. I share passwords over Dropbox to my other computers and I cut and paste passwords. It’s not hard at all and I don’t have to pay a subscription.
x86a 782 days ago [-]
Same here, but I would gladly pay 1Password to support this model again.
anonym29 782 days ago [-]
No matter how many compromises, how many DoS events / lockouts, or how many other times internet-based password managers royally screw up, it never ceases to amaze me how people continue to trudge back to these sorry services.
"It's so convenient!"
"I don't like having to manually sync between devices with <100% local password manager>!"
Convenience addicts making excuses for their next hit of convenience... no matter how severely convenience harms them.
kevincox 782 days ago [-]
I hate to say it but convenience is king. If I need to log into accounts on my phone and computer there are two options 1. Use a crappy password that I can remember 2. Use a syncing password manager. If the password manager doesn't sync it doesn't provide enough convenience to be useful to me and I will fall back to 1.
Convenience has long been an underrated aspect of security. If you make the secure option as convenient (or even more convenient) than the insecure option people will do it. Of course security is always in opposition to convenience to some degree (otherwise we wouldn't have passwords at all, just type in your username to log in, we trust you completely), but minimizing the inconvenience is key to making the system secure in practice. If you make the system too inconvenient people will just work around it no matter how secure it is in theory.
I think we are beginning to understand this and things are improving, but many legacy systems still suffer. For example NIST guidelines have accepted this and now recommend against time-based password rotation[1] but many organizations still enforce it.
Syncing and managing passwords can be handled just fine by two separate applications. I switched from LP to Syncthing + KeePassXC several years ago, and besides the initial setup it has been exactly the same level of convenience. And the only thing that was more difficult with the set up is that I had to install two applications on my machines instead of one.
throw1230 782 days ago [-]
having to use two apps and a harder setup process is already inconvenient
predictabl3 782 days ago [-]
More inconvenient than having your LastPass hacked? More inconvenient than migrating password managers twice a decade?
I'm with GP. Some things are worth taking a modicum of effort and doing right. Especially for this, especially for this audience.
kstrauser 782 days ago [-]
This is so critically important! “Convenient + good” is vastly better than “inconvenient + better” for 99% of common use cases.
anonym29 782 days ago [-]
Secret security isn't a common use case, as it has an uncommon but critical property - it's binary - either the credential is leaked / stolen or it isn't.
If "convenient + good" isn't good enough and your credential is compromised, your solution fails completely, 0% score.
If "inconvenient + better" does prevent the compromise of your credential, then it is an absolute success, 100% score.
Prioritizing convenience over security while selecting your password manager is like prioritizing keyless entry over functioning brakes while shopping for a used car - it's clearly a stupid decision even from the perspective of a layperson.
I'll shed zero tears as I play the world's smallest violin when people who've made such decisions have their identity stolen, home foreclosed, and savings drained because "muh convenience!"
kstrauser 782 days ago [-]
People who study this for a living say that you’re wrong on balance. For example, it would be great if everyone changed their password every time they logged into every service they used. Forget TOTP for 2FA — let’s make one-time passwords for everything!
But in practice, making people change their passwords regularly ends up with them inventing convenient workarounds to avoid the mental overhead of having to learn a new password constantly. “Last month I used `Passw0rd!23`. This month I’ll use `Passw0rd!24`.” And then when their password DB is inevitably breached, an attacker has a pretty great guess as to what their password will be next month.
In a perfect world where everyone perfectly followed perfect instructions to the letter, convenience isn’t critically important. In the one we actually live in, it is. And it’s not just me saying this.
anonym29 779 days ago [-]
"In a perfect world where everyone perfectly followed perfect instructions to the letter, convenience isn’t critically important. In the one we actually live in, it is. And it’s not just me saying this."
Is this your polite, roundabout way of saying "A number of users are literally so stupid that they're incapable of making rational decisions in their own password management practices"?
I would tend to disagree. I think most people have the capability to follow instructions and act responsibly, when they want to. We really shouldn't be letting the general public drive 3-ton SUVs capable of rapidly accelerating to 120+ mph (200+ km/h) if that weren't true, right?
anonym29 782 days ago [-]
Option 3. Use a secure password manager on device 1, make a second encrypted database with only the needed credentials of device 2, move the encrypted database to device 2.
• Pros - actually secure
• Cons - takes about 18 seconds longer and teeny tiny bit of cognitive effort
Options 1 and 2
• Pros - Caters to NPCs and other entities incapable of thought, effortless
• Cons - horrific and lengthy track record of brutally failing to perform the SINGLE necessary function, keeping passwords secure.
IG_Semmelweiss 782 days ago [-]
Ok. I'll take the advice here. I am a time-constrained Lastpass user. I'm aware of the issues but not the seriousness. I will abandon the platform now, but I could use your help:
1 - Is the industry gold standard 1Password or Bitwarden? Key requisite: Edge or FF browser extension. (I don't use mobile password management apps and will never do so.)
2 - In light of the LP breaches, do I change all my pw accounts, the master LP account, or both??
Caboose8685 782 days ago [-]
Bitwarden is fantastic IMO, vaultwarden if you like to self host.
Out of an abundance of caution, it would be prudent to change the passwords for the most critical accounts in your life initially. Things like your bank, email, Google. Accounts that losing control of would immediately make you go "oh shit, I can't do X that I need for daily life". Then slowly over time change the less critical ones.
piaste 782 days ago [-]
Bitwarden is the gold standard, and it has browser extensions in addition to the cross-platform app.
oraetlabora 782 days ago [-]
who says that Bitwarden is the gold standard?
stavros 782 days ago [-]
I really like its pricing, too. $10/yr is an easy sell.
sashank_1509 782 days ago [-]
Started with LastPass, switched to Bitwarden like 6 months back. It’s brilliant, it works and I never need to touch LastPass again
justinclift 782 days ago [-]
The problem of needing a current login session in order to access support is a fairly common failure mode in some organisations.
Strangely enough, some places don't fix it when they learn about it. I'm not sure why though, as that makes no sense to me.
wryoak 782 days ago [-]
One reason I left LastPass was because it kept bypassing 2FA (or incorrectly presenting it when it for whatever reason wasn’t required) - I could just press cancel and then there all my passwords were. The macOS app was … wild
paultopia 782 days ago [-]
The blame-the-user responses reported in this story are just hopeless. Also, as far as I can tell, untrue: I cancelled my lastpass subscription after the last horrific breach and migrated to a new password manager while changing my critical passwords, but every once in a while I have to use lastpass to dig up an old unimportant password for something that didn't make the list for immediate changes... and I've never seen any kind of message about resetting MFA.
Whatarethese 782 days ago [-]
It's just issue after issue with LastPass. Is it just apathy that is keeping people using them? There are much better options out there that are cheaper and better.
n05tr0m0 781 days ago [-]
[flagged]
nicetryguy 782 days ago [-]
I don't even let Chromium / FF save my passwords what a genuinely horrible idea. Get off my lawn!!!
iLoveOncall 782 days ago [-]
That just means that you have such a small number of passwords that you are much more unsafe than someone using a compromised password manager. I guarantee you your passwords have been leaked in individual website's breaches and that has exposed all your other accounts using the same credentials.
nicetryguy 782 days ago [-]
Possible, however: My personal strategy, much like i have a "junk email" address for signing up for random BS and a personal one for actually using, is that i have a "junk password" that i sign up for unimportant services with, and i guarantee it has been leaked many times. My important banking / amazon / etc passwords are indeed (slightly) unique and backed up by a digitally impenetrable firewall: pen and paper.
Granted, this is just for personal use, and i can totally see a use case for a password manager in a company / corporate environment.
BrotherBisquick 782 days ago [-]
Would you be amenable to a program like Keepass?
Your password store is a single file, it can be encrypted, backed up (or not), distributed/synchronized between your devices (or not). It belongs to you, not to a third party.
The inevitable rejoinder is, "what happens if someone gets that file?" Well, what happens if someone gets your piece of paper?
nicetryguy 782 days ago [-]
> Well, what happens if someone gets your piece of paper?
Considering it's in my house there is a short list of suspects, unlike exposing it to the entire world VIA TCP/IP, but yeah i get your point.
> Will you ever use a password manager.
Not for personal matters and that is a personal choice. My way ain't broke and i ain't fixin it. A password manager smells like something that could break, get compromised, or go out of business at any time without any warning and i don't like the smell of it.
I also code with Notepad++ with none of that autofill suggestion crap and doesn't take 8 smoking cores to fucking type a sentence if that tells you anything about my personality. Get off my lawn!!!
_joel 782 days ago [-]
They're a random string of text unique to each site, I wouldn't even class them as 'my' passwords, just a derivative. Password Managers are a godsend (happy 1password user).
jrm4 782 days ago [-]
To borrow a refrain from crypto; "Not your keys, not your passwords."
Hope people don't fall for the stupid thing that Google/Apple et al are trying to do, either.
jmclnx 782 days ago [-]
I do not understand why people need to use these things, maybe they make it easier and more secure for Cell Phones ? I never use my Cell Phone for anything Finance or Medical Related.
But for me, I keep an encrypted text file and get the passwords by using emacs or vim. I generate passwords using:
and with the result I may replace 1 character with what they call a "special character". To me that avoids a lot of worry.
o1y32 782 days ago [-]
> I never use my cell phone for anything finance or medical related
Do you realize that 99.99% of the population in the world, including maybe 99% of the people here, don't do that? Similar to those comments that say "I don't use a cell phone", sorry what is your point? You realize that your very unique way of living and your life experience don't apply to others, and your comment is meaningful to just about nobody but you? Do you actually expect people to read your comment from there?
whatwhaaaaat 782 days ago [-]
Just chiming in to say a text file encrypted with vi storing passwords is a heck of a lot more common than you seem to think. I know at least one team who use this method and there is a reasonable chance you’re interacting with some of their infrastructure secured by this method right now.
It’s about as secure as anything (esp after the swap file issue was resolved).
monsieurgaufre 782 days ago [-]
I'm not sure what your definition of common is but I can say that this way of storing passwords isn't.
whatwhaaaaat 782 days ago [-]
Yes it is
monsieurgaufre 782 days ago [-]
Your position implies a lot of specific knowledge about technologies and how they work. It hardly fits with the definition of "common".
KirillPanov 782 days ago [-]
[flagged]
danielbln 782 days ago [-]
What's with these comments who can't possibly conceive why a certain product is popular and in use. Convenience, sharing, application integration, recovery, 2FA, passkey, SSH agent integration, the list goes on. LastPass is kind of bad considering their avoidable security snafus, but there are more reputable vendors out there.
Yes, you can roll your own, but that's not a scalable solution if you're an org or have requirements that lie outside using a text file.
dwheeler 782 days ago [-]
Agreed. I've used vim for decades, and also use a password manager. I have a laptop and phone, and routinely use multiple web browsers. I want to sync encrypted passwords across devices, and auto fill in when I visit a website... and websites infuriatingly vary.
1Password and Bitwarden help with this. Your use case might be different and that's fine.
forty 782 days ago [-]
"people" don't know what Emacs, vim, tr or urandom are, for any reasonable definition of "people".
I work for a company that makes a password manager, and at least one clear benefit, versus copy/pasting from somewhere, even for tech-savvy users, is phishing resistance (the password manager browser extension should not fill your password on a website which doesn't match the website associated with that credential), which is how passwords get stolen in practice when they are not reused (not re-using is the main benefit of a PM, but your home-made system does solve that issue too).
There are other benefits more on the convenience side (mobile as you mentioned, and even not having to switch app each time you need to grab a password...) which matter more for most people than security (or so they believe at least).
Havoc 782 days ago [-]
You genuinely can't picture a world where people don't want to use emacs/vim to sign up for a website?
spdif899 782 days ago [-]
It's probably safe to say that 99% of people using this sort of password manager don't know what emacs and vim are, and additionally use their cell phone for most of their online computing.
If you look at it from the opposite perspective the value is clear - this isn't a tool for people who can generate and store their own passwords, it's a tool for people who got their Facebook hacked because they used the same password for everything for years and hey, this app can help avoid that mom, let me show you how.
commandersaki 782 days ago [-]
My bank has gimped the web interface of banking services.
Similarly government services gimp the web interface of tax, medical, etc. and try to push you onto mobile apps.
I can't fight this trend. Good for you that you can opt out of this nonsense.
782 days ago [-]
friendlypeg 782 days ago [-]
The entire website is written in PHP. I have nothing against the language, but it's a major red flag when you would expect it to be using Java instead like most bank and government websites do.
veave 782 days ago [-]
I know this is a troll comment, but, a website being written in Java screams "this was subcontracted to junior devs" to me, which is not precisely a green flag.
eimrine 782 days ago [-]
How do you know whether the backend is Java or PHP?
esskay 781 days ago [-]
It's usually the one that looks like it belongs in 1998. See: Most insurance company customer account areas.
esskay 782 days ago [-]
The language you use matters very little. It's how you use it. PHP's not at fault here, even if they used Java or another language their incompetence would still be the issue.
giancarlostoro 782 days ago [-]
I don't know that a website running Java gives me warm and fuzzy feelings only because it's on Java. I care more that whatever the underlying website is powered by is not easily exploitable by bad actors.
bob1029 782 days ago [-]
I am completely over the idea of storing secrets inside of one of these 3rd party systems. I've currently got a team member writing an internal secret storage app for our organization.
Creating a SQL schema with a "Secrets" table and maybe some audit logging and organizational extras should take a seasoned developer ~30 minutes. Throwing a CRUD web app on top of this and making it accessible to your employees - maybe another day or 2.
I really don't know why you'd risk this sort of stuff with a 3rd party. It just boggles my mind. What are they doing that you can't do? Even a 3 person startup can probably find time around a weekend to knock this out once and for all.
Edit: clearly I missed an important point. We don't care about browser integration. I am not going for 1:1 feature replacement. If you seriously believe "a safe place to keep internal text" is an extremely hard problem that absolutely must be outsourced, I don't know why you would even be involved in technology.
sk0g 782 days ago [-]
Those are the most project manager estimates I've ever heard!
Security seems to be missing entirely from the requirements, for one thing. Access control as well.
mozman 782 days ago [-]
To be fair audit logging was mentioned, just don't log the secrets!
sk0g 782 days ago [-]
All of that within the first 30 minutes though!
I would probably take that long to stand up a DB for testing locally, re-learn $DB's table creation syntax, and connect to it from $lang.
skrebbel 782 days ago [-]
I've wondered why so many software companies have so extremely many engineering employees. SaaSes raising a 9-figure Series D and hiring thousands of devs for a customer support app. I just never got it, I wondered about this for years.
But now, thanks to your comment, I finally understand.
ericabiz 782 days ago [-]
Why would you spend dev time on this when you can set up something like Bitwarden across the org and have all the same benefits without wasting precious dev time on it?
FWIW I’m on 1Password and it hasn’t had any of these issues, either. I would not spend dev time on this as a startup/software company founder.
have_faith 782 days ago [-]
Looking forward to the audit and post-mortem
danparsonson 782 days ago [-]
> Creating a SQL schema with a "Secrets" table and maybe some audit logging and organizational extras should take a seasoned developer ~30 minutes.
No it would take a junior developer 30 minutes; a seasoned developer would look at you sideways and recommend self-hosting something like Bitwarden.
junon 782 days ago [-]
> What are they doing that you can't do?
I highly doubt your engineer is doing proper cryptographic handling of data like they do.
8organicbits 782 days ago [-]
LastPass hasn't been doing proper cryptography, so that part may be a fair bet.
If you use Django's default hasher, for example, you get more hashing rounds in the default config and they increase those periodically (the latter part that LastPass is struggling with, per the article).
Browser and phone integration: autofill, autoupdate. You can do that too, but it’s not a trivial effort. It’s important because otherwise users will sacrifice security for convenience.
Lastpass also knows how to autochange for some sites. It was hard to lose when I left.
8organicbits 782 days ago [-]
Self-hosting Bitwarden (edit: or Vaultwarden) may be a better approach. I'd recommend checking your feature list against Bitwarden to see what you forgot about. There's a lot of usability concerns that quickly become security-critical in a tool like this. Also review the security fixes that have been applied to BW, a rewrite will need to avoid these mistakes as well.
rcxdude 782 days ago [-]
Why not use an existing self-hostable option like bitwarden (possibly using one of the easier-to-set-up servers like vaultwarden)? Then your estimates might actually be accurate.
1: https://blog.lastpass.com/2023/03/security-incident-update-r...
2: https://support.lastpass.com/help/what-data-was-accessed
I assumed they were just increasing the rounds as a general good practice. The best time to plant a tree was ten years ago, the second best time is now, and all that.
At some point at the company I work for, we decided to change hashing algorithms and we did it on the fly when users authenticated again. Users were happy, we were happy.
But as someone already said here, there's a high probability that the OTP seeds were stolen so that's why they are doing this forced reset for MFA re-enrollment.
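The rehash-on-login approach the commenters above describe (verify the password against the stored hash, then immediately store a replacement hash with the current iteration count) written out as an added example. It is not code from LastPass, Django or any commenter; the `algorithm$iterations$salt$hash` storage format, the function names and the 600,000-iteration policy are this example's own assumptions. As the thread notes, upgrading the stored hash only protects the copy in the database going forward; it does nothing for hashes that already leaked.

```python
"""Transparent password-hash upgrade on login (added example).

Each stored hash carries its own iteration count, so the server can verify a
login against the old parameters and then re-hash with the current ones
without ever needing a mass reset.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000   # policy every stored hash should eventually meet (assumed value)
SALT_BYTES = 16


def make_hash(password, iterations=CURRENT_ITERATIONS, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>' with a fresh random salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def parse_hash(stored):
    """Split a stored hash into (iterations, salt, digest)."""
    alg, iters, salt_b64, dk_b64 = stored.split("$")
    if alg != ALGORITHM:
        raise ValueError("unsupported hash algorithm: %s" % alg)
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify(password, stored):
    """Recompute with the parameters recorded in the stored hash; constant-time compare."""
    iterations, salt, expected = parse_hash(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_upgrade(stored):
    """True when the stored hash was made with fewer iterations than current policy."""
    iterations, _, _ = parse_hash(stored)
    return iterations < CURRENT_ITERATIONS


def login(user, password):
    """Authenticate against user['password_hash'].

    On success, a hash below the current iteration policy is replaced in place.
    The plaintext is only available at login time, which is why the upgrade
    has to wait for the user to authenticate (or be forced by ending sessions).
    """
    if not verify(password, user["password_hash"]):
        return False
    if needs_upgrade(user["password_hash"]):
        user["password_hash"] = make_hash(password)   # fresh salt, current iteration count
    return True


if __name__ == "__main__":
    # Constructed legacy record with a deliberately low iteration count.
    account = {"password_hash": make_hash("correct horse battery", iterations=5_000)}
    print("needs upgrade before login:", needs_upgrade(account["password_hash"]))
    print("login ok:", login(account, "correct horse battery"))
    print("needs upgrade after login:", needs_upgrade(account["password_hash"]))
```

A failed login attempt must never touch the stored hash, and the upgrade path re-salts rather than reusing the old salt, so the new record shares nothing with the old one.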
I mean, if you have a password manager, it means that you somehow care about your passwords. If you have LastPass, it means that you chose something that was not the default Google Wallet or Apple whatever-it-is-called.
Are there so many LastPass users who haven't followed the news in the last 2 years?
Simply put, after all the reports of last year's breach, I assessed how vulnerable I am. First, my LastPass settings were such that I shouldn't be too affected by their breach; among other things in their self-assessment report, I had the "new" healthy default of 600K iterations. Also, the three most important accounts forming the basis of my online identity were never on LastPass and had unique passwords.
(And yeah, I understand that the security issue isn't purely on technical merit but also a social question of LastPass' reputation as a company. But on a personal level, I didn't really care that much. Moving on...)
Hence, on a personal basis, I didn't see much reason to switch out. The alternative would be the hassle of evaluating a new password manager, exporting data from LastPass, setting up the new password manager on my devices, importing my pre-existing vault, tweaking the new password manager so it behaves as I expected, etc. I know I'm playing the world's smallest violin with this grievance but that's really how it was. I think there was also a confluence of other factors why I didn't want this hassle on my plate at the time (e.g., I remember this was end of last year and I'd rather focus on my holiday arrangements).
I did reach out to family members whom I might've recommended LastPass to in the past though, and advised them to switch out. I didn't believe they could make the same self-assessment that I did.
In the end, I did switch to Bitwarden though. I did go through the hassle as I thought I would but articles like this make me glad I did. The decisive factor for why I did it anyway was that I realized that I might have some passwords/keys in my vault that I use professionally so, out of professional prudence, I switched. Were I not a developer, I might not have had this factor at all.
Given how it has been going with LastPass, I don't see how one would still trust them with their passwords.
You want to irritate non-technical people? Tell them that they need to use a password manager.
You want to irritate even technical people? Tell them that the password manager you had to force them to use is going to be replaced by a new one, and _they_ have to do the export/import steps -- despite the fact that their boss is breathing down their neck for four projects that are late, half of which they have no control over.
I'm glad I don't have to worry about the Lastpass breach, but I can absolutely commiserate with anyone who has to care about password managers for other people.
People hate passwords. You can explain to them why passwords are important, how people from the outside can do all kinds of nasty things if you pick weak ones, but people will ignore all that because they never need to deal with the fallout.
When these people eventually get hacked, they will blame their computers, their antivirus, their browsers, the websites they use, and most likely also the most recent person who touched the computer.
Password security is like herding toddlers. This is why I'm looking forward to a future where physical keys and passkeys are supported essentially everywhere. We don't even need them as 2FA because they work fine as a first factor in most cases, though 2FA would be much better of course.
And to be honest, whoever manages normal people's IT is probably partially to blame for the hate most people have for passwords. Things like monthly password resets, session tokens that last less than a work day, separate passwords with slightly different usernames across different applications, and all kinds of other useless limitations are why people hate passwords so much: using a password manager once or twice is fine, but having to use it to copy/paste passwords every other hour is tedious and terrible.
Companies unable or unwilling to fix their terrible password setup should invest into something like Yubikeys to at least make the process less frustrating. The difficult part is getting a backup when people lose their keys, but you can probably use passwords as a fallback until a new key can be arranged.
And whether it's passphrases or passkeys, we still haven't solved the problem of the gajillion other accounts people will have to log into to do work that are nowhere near that standard.
At least for a personal account, the 1password import tool worked flawlessly (as far as I can tell after about a month switched).
Does it not work for enterprise? Or perhaps each would have to run it?
It’s such an important lesson for informed people, and tech people, especially, to learn: our context is absolutely not the common one. Things that are obvious and clear to us are a world away for most others.
Partially laziness, partially hard to change flows, partially hard to migrate, partially I don't believe that it's THAT bad, though the last one is the one I'm least sure about.
I had already left by then but I would have otherwise.
I can imagine a security professional explaining to a random person everything they ought to do to be secure. Not gonna happen.
The core problem with the LastPass breach was their response to it, not necessarily that they were pwned in the first place. Like, the whole point of password protected vaults is to make this situation less harmful.
What they do know is how annoying it was to have to set up LastPass, entering each and every password, dealing with accounts and setup and recovery keys, and the process of getting used to it.
Unless LastPass adds a button that says "click here to switch to a competitor", I doubt their remaining customers will ever leave the problem.
https://community.bitwarden.com/t/implement-multi-account-se...
Password managers have a stickiness to them. Moving is hard. There are import/export functions, but I found all of them have issues.
Moving needs to be fast and seamless enough that I can move my entire family without hassle. That's why I'm stuck.
I did change them. Very quickly for the important ones, more slowly for the others.
It's just called "Passwords". Consistent with "Mail", "Notes", "Reminders", "Calendar", but it doesn't have a dedicated app like the others (it's inside System Settings).
The global company I work at uses it, they have an enterprise-wide contract. Migrating to something else is just a massive PITA, extra costs & sure downtime.
Keepass plus syncthing works for me; Keepass' autotype is great.
1. The main competitor everyone knows about, 1Password, has its own problems. (I gave up on it a couple years ago after learning that you can't quit the goddamn MacOS application when it's logged out. It literally requires you to be logged in to make use of a super-secret-strong quit that doesn't leave some daemon on the system. Which is incredibly irritating when you're trying to just run a software update but instead you have to type your super long and secure password manager password.)
2. Transitioning passwords is hard even once you find a good alternative. One should change passwords after a breach, but there are basically three options: (a) use the automated password changing within the old password manager. But if you don't trust your password manager after a breach, it's probably a bad idea to use the automated password changing feature of said password manager and end up with your new passwords in the insecure service. (b) import everything to a new password manager and change from there. But if you have a lot of passwords, there's a good chance the new password manager won't be able to automatically change them all, and then you'll either have to carve out a huge amount of time to do it all at once, or have a mixture of secure and insecure passwords in the new password manager, which seems very problematic. (c) gradual transition: move the mission critical passwords first and change them on the spot, then as you use a less important service, change the password for that and move it to the new service as you go. Which makes sense, but means you'll still be using the shitty old one for a while.
The bitbetter project[0] shims bitwarden licensing for personal use. It might be better if you're looking for complete feature parity and client support.
[0] https://github.com/jakeswenson/BitBetter
I'm aware that the backend doesn't implement every API Bitwarden has but I've also never noticed any missing features. It did take some time before Bitwarden Send was implemented, but I can't fault the devs for that. I also expect the upcoming BW passkey support to take a while to make it to Vaultwarden.
Personally, the whole organisations thing is only a nice to have when it comes to hosting Bitwarden. The standard Bitwarden installation eats up gigabytes of memory for (I assume) optimizations for large installations that most self hosters probably don't really need.
Any idea what's missing?
Vaultwarden does add TOTP support, which the free official server didn't last time I checked, so while it may be missing features, it also unlocks features you wouldn't have without paying.
[0] https://bitwarden.com/help/install-and-deploy-unified-beta/
1. Comb through your LastPass, and delete cruft
2. Sign up for 1password https://1password.com/switch/
3. Use their auto import tool to pull from LastPass
4. Profit for ~3 months just for safety
5. Delete each item in LastPass (who knows if they do hard or soft delete?)
6. Request account deletion https://lastpass.com/delete_account.php
I can't see how any business would allow secrets to be stored on hardware they don't control
Earlier versions allowed the store to be on other sites like dropbox for syncing or on your own servers or a mix.
Note I do use 1password as I don't need any corporate secrets at the moment. It allows me to use other browsers than Safari and also Windows and macOS
If businesses can't trust any of that, then we wouldn't have any online businesses.
I can have an offline password manager that just works, for free, and I don't have to worry about backdoors or hackers or incompetence.
LastPass has known issues and IT departments can make an understandable recommendation to the business to pick Bitwarden even with a slight cost premium. There is nothing to justify the insane premium 1Password demands. I have seen them lose multiple contract opportunities because of this.
Note: The dollar quotes are made up numbers, but the percentage differential is real. 1Password is often 50% higher in total cost.
I use KeePass, it stores all passwords in a file, encrypted. The file can be stored in Onedrive/Dropbox/ etc.
But the point is, if all the servers in the world go down, I have all my passwords in a local copy. There is also an android app.
You can even edit the database file independently on desktop and on mobile and it will be able to merge two conflicting files
https://keepass.info/download.html
What's the point of all that garden-walling and 30% tax and hoops you have to jump through if there's still malware?
I have an app in the Play Store and received some unsolicited requests (with payment offered!) to add some extra jar file to my app and to host someone else's apps in my account. Attackers put in a lot of effort to sneak in.
[1] https://www.wired.com/story/apple-app-store-malware-click-fr...
[2] https://www.reddit.com/r/KeePass/comments/13o0s0q/ioskeepass...
Having less malware would still be a worthy goal. That said, I'm not defending the App Store. It's still riddled with junk, ads, casinos for children in the form of free-to-play games, and adult casinos disguised as children's games.
https://soyacincau.com/2021/04/17/ios-app-games-for-children...
There's lots of reasons not to use LastPass but I don't think this is high on the list.
[1] https://support.lastpass.com/s/document-item?language=en_US&...
Pretty much all password managers including Lastpass do store the vaults on your device and you can access them offline. The issue here is the borked MFA reset.
1Password apps store local state in an SQLite database. They then package up that database and encrypt it with your chosen master password and a randomly generated password. (The random password is only to protect users who picked a weak master password against a server breach, so it's stored in plaintext on your computer). That encrypted file is uploaded to their server.
There is also an android (and iOS) app. If you edit independently conflicts are merged.
All of my banks use a mobile app for confirming transactions, which requires me to login. Sometimes that requires reauth not just biometrics. I'm not going to go home and try and type a 20-30 character password into a phone when trying to pay for car parking.
It syncs via git and syncthing.
I think I've been using this longer than BitWarden has existed and will be using it after something happens with BitWarden and triggers another migration.
Once again, a one-time learning and cost of setup has saved me countless headaches and time not spent migrating over the years.
It's not like I don't store in the cloud, since my database is in the cloud. Why would I store the keyfile next to the database?
When implemented correctly a password manager storing the database shouldn't have any information (keys) to decrypt the database. Only the user & the client knows this information, and it never leaves the client.
There is still the matter of authenticating to the password manager service to retrieve the database. There are a couple of ways to do it, but usually either a strong password hash (least desirable, and I think this is what LastPass uses) or a Password Authenticated Key Exchange (PAKE), in which the service keeps an authenticator to verify your password/credentials but the authenticator cannot be reversed or attacked to determine the password (similarly, observing the PAKE transaction over the wire or MITMing it won't allow any attack to find the password).
Even if the authentication aspect fails and someone could download all the databases, the database should be protected with at minimum a slow password hash, so a dictionary attack should be very slow. I believe LastPass has stuffed this up in the past. On the other hand, 1Password took a proactive stance despite a hit to the UX by requiring a password + "secret key" which is I believe at least a 128-bit secret that's mixed together to come up with a high entropy password that is used to encrypt the database - so an attacker will have a hard time with any 1P database.
Put bluntly, as a 1P user I'm the least bit concerned that the database is stored in the cloud. I guess the only thing I have to worry about is a surreptitious version of 1Password being distributed to my machine which may capture/exfil my password & secret key. I guess not being open source is a net negative here. So I do place some trust and faith in AgileBits to protect their supply chain and software distribution. Their reputation depends on the security of the service after all.
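The design the comment above describes, a slow hash of the master password mixed with a long random client-held secret so that a stolen vault cannot be attacked by guessing the password alone, as an added example. This is not 1Password's or any vendor's actual scheme and none of this code comes from the thread; the PBKDF2-then-HKDF construction, the 128-bit secret-key size, the key-check value and all function names are this example's own assumptions.

```python
"""Vault key from master password + client-held secret key (added example).

The secret key is generated once at enrollment and stored only on the
user's devices; the server stores the salt, the iteration count and a key
check value, never the secret key or the derived key. An attacker holding
the encrypted vault must therefore guess both the password and 128 bits of
random secret, which turns a dictionary attack into an infeasible one.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000   # assumed slow-hash cost for the password half
SECRET_KEY_BYTES = 16         # 128-bit secret key (assumed size)
SALT_BYTES = 16
KEY_BYTES = 32                # 256-bit vault encryption key


def generate_secret_key():
    """Created once per account; lives on the client and in the user's emergency kit."""
    return secrets.token_bytes(SECRET_KEY_BYTES)


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869) with HMAC-SHA256: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_vault_key(password, secret_key, salt, iterations=PBKDF2_ITERATIONS):
    """Slow-hash the password, then bind the high-entropy secret key into the result."""
    slow = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # The secret key is used as the HKDF salt: every password guess an attacker makes
    # would also have to be paired with the correct 128-bit secret to produce this PRK.
    prk = hkdf_extract(secret_key, slow)
    return hkdf_expand(prk, b"vault-encryption-key", KEY_BYTES)


def key_check_value(key):
    """Short tag stored with the vault so a wrong password/secret key fails cleanly.

    It is no weaker than the vault ciphertext itself: both let an attacker test a
    guess, and the secret key is what makes testing guesses futile.
    """
    return hmac.new(key, b"key-check", hashlib.sha256).digest()[:16]


def enroll(password, secret_key, iterations=PBKDF2_ITERATIONS):
    """Return the server-side metadata for a new vault; contains no key material."""
    salt = os.urandom(SALT_BYTES)
    key = derive_vault_key(password, secret_key, salt, iterations)
    return {"salt": salt, "iterations": iterations, "kcv": key_check_value(key)}


def unlock(meta, password, secret_key):
    """Re-derive the vault key; return it only if the key check value matches."""
    key = derive_vault_key(password, secret_key, meta["salt"], meta["iterations"])
    if hmac.compare_digest(key_check_value(key), meta["kcv"]):
        return key
    return None


if __name__ == "__main__":
    sk = generate_secret_key()
    meta = enroll("correct horse battery", sk)
    print("unlock with both secrets:", unlock(meta, "correct horse battery", sk) is not None)
    print("unlock with password only:", unlock(meta, "correct horse battery", bytes(16)) is not None)
```

The point to take from it is the storage split: the server-side record (salt, iteration count, check value) is useless on its own, and a copy of the vault plus the password is still not enough without the secret key held on the client.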
I use password store (the pass command-line utility); at its core it's GPG encrypted files in a local git repo, with a convenient command-line utility to manage them. It's cloud-free, runs on my local machine. If you need to sync, you can use git push/pull to do that.
I don't use it from mobile as I do very little on my phone that requires a password, but if you need that there are options:
https://www.passwordstore.org/#other
I would be careful about judging the experience of all online password managers based on LastPass.
I have a file of hints which are only meaningful to me. Even if a malefactor got hold of the file, it wouldn't help them. (no, I'm not going to give examples; if you can't think of some combinations of characters that only you can remember, then fine, use a password manager). I'm always thinking of new ones, too.
You don't need a unique one for every site, either. Having 15 or 20 that you choose at random means that an invalidated one doesn't affect everything you do.
Occasionally, the Hint file has an actual gibberish password with no hint, where I have to copy/paste it. I think this is fine once in a while.
All I really have to remember is the password for the place where that file is stored, and my email's. Often it happens that my stored hint doesn't work (maybe I forgot to update it), but every site has a Forgot Password link.
But it does mean that if one of those passwords gets leaked and the service that leaked it takes a while to notice, you now have X other services that are compromised and you don't even know it.
There are breaches on haveibeenpwned for my email that I was never notified of. If I were reusing passwords, each of those would represent a possible security breach in unrelated accounts.
Maybe they're like diseases you have that aren't any threat to your health.
If some site is really important, then yes: you do need a unique password for it.
Seems like you do, in the form of a hints file. You even protect it with a password. You’re using a bespoke solution, sure, but you’re still using something to manage your passwords. You could do all that trickery with an off-the-shelf password manager.
You don't have to store passwords in an off-the-shelf password manager; you can store secure notes and files. In other words, you could continue to use your current method of hints but with more organisation.
Point being that what you’re doing is not meaningfully different from using a password manager, you just manage your passwords in an uncommon manner.
As far as I know. Maybe someone does do that?
Anyhow, password managers cost money. This doesn't.
And there are plenty of free (and open-source) password managers.
https://en.wikipedia.org/wiki/List_of_password_managers
It’s fine that you don’t want to use an off-the-shelf password manager, but if you’re not familiar with how they work in practice, perhaps you should not advise people to not use them. Your system is a way to manage passwords and from your description seems to be more complicated than most people (especially non-technical users) would bear.
Edit: what do you consider "complicated"? Compared to all the inevitable complications of a PW manager and browser extensions? Not to mention screwups like the LastPass one.
or is that a hint that's only meaningful to you? /s
"human validation of domains" : not sure what you mean here but I think it's a theoretical problem, not a real one.
If you're afraid of misspelling your bank's name and landing on some malware, you can enter the bank name in your search engine.
It’s a very real and not theoretical problem. For example, someone sends you a link to a Google Doc. You open it and the page looks exactly like the real deal, but the domain is `signin.googledocs.com` or `login.googgle.com`. Even a technical user could not be paying attention and be fooled by that, manually entering their email and password. Because a password manager would only auto-fill your password on the correct domain, you have an extra reason to be suspicious and note something is amiss.
Any less sophisticated user needs to be told that. If you go to some classes for new computer users, I'm pretty sure that'll be in the first hour.
Anyhow, HN readers don't fall in that group.
Yes, of course all of these kind of attacks can be avoided by "just don't do anything dangerous", but in the real world we are all flawed and mess up. No human can be perfect, and relying on never making a mistake makes you vulnerable. Anyone serious about security makes it hard to do the wrong thing.
Hardware security keys are an even better solution, but not every site supports them. Using both is by far the best option.
I suppose there's some assurance that if I'm indefinitely locked out of the account then at least hackers are, too?
Also I use 1Password at work and find it a bit doddery compared to LP, which is no speed demon itself.
https://bitwarden.com/help/import-from-lastpass/
All in all, it does take (much) more than 30 minutes.
Any shortcuts used by extensions based on the WebExtensions API are changeable. If you're on Firefox, press Ctrl+Shift+A (or go to about:addons), open the gear menu, and click "Manage Extension Shortcuts".
It's certainly not perfect, but I'm not quite sure these issues are consistent enough to be indicative of BitWarden's quality. I mean if it's lost your passwords I would assume that's something worth making an issue about on their GitHub?
I had to modify the native CSV with some vim magic to add a line delimiter for each record so it allowed for spanning over multiple lines in order to successfully import each entry - which also required the importer to allow for an additional EOR marker.
Even then there wasn't a 1:1 column match between pw apps.
Without this step though all sorts of hell breaks loose, and if you don't notice the columns got out of sync during import because a note had a few commas in it, what good is it to you really. It's a hell of a mess that you may not notice until it's too late.
There should also be a verify feature for any import that can query the original source via some API calls - or use that to do the import. Of course nobody is going to provide that because it means users can leave their ecosystem too easily - but the other thinking is customized backups to a PGP destination suitable for direct import via the same API calls.
This was for LP to KeePass BTW.
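The failure mode described above (a note containing commas or line breaks knocking an import's columns out of sync) with the check a practitioner would want before trusting the imported vault, as an added example. It is not LastPass's, KeePass's or the commenter's code; the column layout is an assumed generic one, the export text is constructed with made-up entries, and the function names are this example's own.

```python
"""Validating a password-manager CSV export before import (added example).

A naive split on newlines and commas breaks any record whose notes field
contains a comma or a line break; a real CSV parser honours the quoting
the export uses. The column-count check catches the cases where quoting
is missing or damaged, which is exactly the silent corruption that only
shows up after the import.
"""
import csv
import io

# Assumed export layout; real exports use vendor-specific column names.
EXPECTED_COLUMNS = ["url", "username", "password", "name", "notes"]

# Constructed sample export: the second record's note has both a comma and a newline,
# the third record has an empty note.
SAMPLE_EXPORT = (
    "url,username,password,name,notes\n"
    'https://example.test,alice,pw-one,Example,"plain note"\n'
    'https://bank.example,bob,pw-two,Bank,"Account no. 123, branch: Main\nSecurity Q: first pet"\n'
    "https://mail.example,carol,pw-three,Mail,\n"
)


def naive_parse(text):
    """What a line-by-line, split-on-comma importer sees (the broken approach)."""
    lines = text.strip().split("\n")[1:]          # drop the header
    return [line.split(",") for line in lines]


def column_count_errors(rows, expected=len(EXPECTED_COLUMNS)):
    """Indexes of rows whose field count does not match the header."""
    return [i for i, row in enumerate(rows) if len(row) != expected]


def parse_export(text):
    """Parse with the csv module and refuse any record whose column count is wrong."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != EXPECTED_COLUMNS:
        raise ValueError("unexpected header: %r" % (reader.fieldnames,))
    records = []
    for number, row in enumerate(reader, start=2):   # line 1 is the header
        # DictReader parks surplus fields under the key None and fills missing ones with None.
        if row.get(None) is not None or any(value is None for value in row.values()):
            raise ValueError("record %d: column count does not match header" % number)
        records.append(row)
    return records


if __name__ == "__main__":
    broken = naive_parse(SAMPLE_EXPORT)
    print("naive rows:", len(broken), "rows with wrong column count:", column_count_errors(broken))
    good = parse_export(SAMPLE_EXPORT)
    print("csv rows:", len(good))
    print("bank notes field:", repr(good[1]["notes"]))
```

Running it shows the naive importer producing four rows (two of them with the wrong field count) from three records, while the csv-based parser returns three records with the multi-line note intact. The same column-count check is worth running on the destination side after import, record by record, before deleting anything from the old manager.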
Do we know that considering how they handle iframes and how lax they seem about it?
That's because you don't have or don't know about all those custom fields that don't get exported by LastPass, which turns real migration from 30 min to many hours
Also it'd be wise to change passwords during the migration as well given all the hacks, which is another set of hours
I would argue if password updates are required because of LP's insecurity, that's really not a migration issue, that's just a LP issue.
* Use a different name for each account
* Use different "personal information" (date of birth, etc.) for every account
* Track "security" questions and randomly-generated answers for each account, for services that still use that terrible approach
* Track which phone number is associated with each account, for services that use SMS MFA codes
* Attach list of one-time recovery codes to accounts that use those
* Attach source of credential information when credentials were sent by someone else for e.g. testing
There's six reasons off the top of my head. I'm sure there are more.
Custom ones are usually all banking sites. One does not use standard field names so Bitwarden does not detect it. Another has an extra field for user (bank customer company ID, password, then the particular user's name).
If you're still using LP, and haven't been bitten by this, do it now. Do the migration.
Once the migration is done, start rotating passwords as soon as you can.
I have over 300 passwords, multiple cards. Multiple notes. All synced flawlessly.
We know they do, since they got their backups stolen not even a year ago lol.
And why would you even trust a cloud based product. If I can't see the hosted source code storing the password then I'm not trusting it regardless.
How is this possible? I must have at least 50 passwords I use with some regularity and many more I use once a year or so. All my passwords are at least 16 characters long and totally random. Are you able to remember that without compromises like repeat passwords or patterns used for generating them (including website name in password or similar)?
https://www.eff.org/deeplinks/2016/07/new-wordlists-random-p...
https://www.eff.org/dice
This generator uses a different wordlist with about 18000 words.
https://1password.com/password-generator
Using a quick back-of-the-napkin calculation, you get roughly this amount of entropy from 1password's wordlist when compared to random alphanumeric strings [a-zA-Z0-9]:
If we take 5 words as the minimum you'd want to use on a web service:
As a non-native English speaker (which should be obvious from my strained speech), I'd say it's rememberable enough.
Anyone else reading this: do not just remember your passwords. Unless you’re Lord Nikon, if you can remember more than a handful of passwords, it’s because they’re weak enough to be memorable. Or worse, used in more than one place!
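The back-of-the-napkin calculation above, carried through as an added example (not the commenter's own numbers): it compares the entropy of an n-word passphrase with a random [a-zA-Z0-9] string, using the list sizes the thread mentions (7776 for the EFF long list, about 18000 for the 1Password generator, both assumed here), and draws words with the OS CSPRNG. The tiny wordlist is constructed for the demo only.

```python
import math
import secrets

ALNUM_SYMBOLS = 62          # size of [a-zA-Z0-9]
EFF_LONG_LIST = 7776        # 6^5 words, one per five dice rolls
ONEPASSWORD_LIST = 18000    # approximate size quoted in the thread

def entropy_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` uniformly random, independent picks from a list of `wordlist_size` words."""
    return words * math.log2(wordlist_size)

def equivalent_alnum_length(wordlist_size: int, words: int) -> int:
    """Shortest random alphanumeric string with at least as much entropy as the passphrase."""
    return math.ceil(entropy_bits(wordlist_size, words) / math.log2(ALNUM_SYMBOLS))

def words_needed(wordlist_size: int, target_bits: float) -> int:
    """How many words from this list are needed to reach a target entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))

def generate_passphrase(wordlist, words: int, sep: str = "-") -> str:
    # secrets.choice draws from the OS CSPRNG; the `random` module is not suitable for secrets.
    return sep.join(secrets.choice(wordlist) for _ in range(words))

# Constructed demo wordlist; a real list has thousands of entries.
DEMO_WORDS = ["apple", "river", "candle", "orbit", "meadow", "pixel", "velvet", "harbor"]

if __name__ == "__main__":
    for name, size in (("EFF long list", EFF_LONG_LIST), ("1Password list", ONEPASSWORD_LIST)):
        bits = entropy_bits(size, 5)
        print(f"{name}: 5 words = {bits:.1f} bits, "
              f"about a {equivalent_alnum_length(size, 5)}-character random alphanumeric string")
    print("5 words from the demo list:", generate_passphrase(DEMO_WORDS, 5))
```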
Use a password manager. Always. For everything.
Nor are my passwords weak. Okay; seeing as one of my passwords expired lately.
U0ptz#^7--9
You zero pee tee zee hash up-thinggy 7 dash dash nine
Another:
L0@!tF..9w&
Lel zero at metal-gear-solid-noise tee follow dot dot nine walks and
I find that stuff very easy to remember. I just make a fantasy story based on the password.
L9d£5"s
Little 9 ducks cost 5 said sir.
HNr!##@t
Hacker News really can suck balls at times.
> And why would you even trust a cloud based product.
1Password's security model sounds pretty reasonable to me. The convenience of having my passwords backed up and synced to my devices is worth the tradeoff in security in my case.
I've got close to 1500 stored passwords. How does one even start to remember those?
An example is whether a website's login form works with browser autofill. If it doesn't, it probably means the person who built that page doesn't use browser autofill, which means they probably use the same password on all their personal accounts, which is terrifying. (Bad example for a product that's supposed to replace the browser's built-in password manager, but you get the idea.)
"It's so convenient!" "I don't like having to manually sync between devices with <100% local password manager>!"
Convenience addicts making excuses for their next hit of convenience... no matter how severely convenience harms them.
Convenience has long been an underrated aspect of security. If you make the secure option as convenient (or even more convenient) than the insecure option people will do it. Of course security is always in opposition to convenience to some degree (otherwise we wouldn't have passwords at all, just type in your username to log in, we trust you completely), but minimizing the inconvenience is key to making the system secure in practice. If you make the system too inconvenient people will just work around it no matter how secure it is in theory.
I think we are beginning to understand this and things are improving, but many legacy systems still suffer. For example NIST guidelines have accepted this and now recommend against time-based password rotation[1] but many organizations still enforce it.
[1] https://pages.nist.gov/800-63-FAQ/#q-b05
I'm with GP. Some things are worth taking a modicum of effort and doing right. Especially for this, especially for this audience.
If "convenient + good" isn't good enough and your credential is compromised, your solution fails completely, 0% score.
If "inconvenient + better" does prevent the compromise of your credential, then it is an absolute success, 100% score.
Prioritizing convenience over security while selecting your password manager is like prioritizing keyless entry over functioning brakes while shopping for a used car - it's clearly a stupid decision even from the perspective of a layperson.
I'll shed zero tears as I play the world's smallest violin when people who've made such decisions have their identity stolen, home foreclosed, and savings drained because "muh convenience!"
But in practice, making people change their passwords regularly ends up with them inventing convenient workarounds to avoid the mental overhead of having to learn a new password constantly. “Last month I used `Passw0rd!23`. This month I’ll use `Passw0rd!24`.” And then when their password DB is inevitably breached, an attacker has a pretty great guess as to what their password will be next month.
In a perfect world where everyone perfectly followed perfect instructions to the letter, convenience isn’t critically important. In the one we actually live in, it is. And it’s not just me saying this.
Is this your polite, roundabout way of saying "A number of users are literally so stupid that they're incapable of making rational decisions in their own password management practices"?
I would tend to disagree. I think most people have the capability to follow instructions and act responsibly, when they want to. We really shouldn't be letting the general public drive 3-ton SUVs capable of rapidly accelerating to 120+ mph (200+ km/h) if that weren't true, right?
• Pros - actually secure
• Cons - takes about 18 seconds longer and teeny tiny bit of cognitive effort
Options 1 and 2
• Pros - Caters to NPCs and other entities incapable of thought, effortless
• Cons - horrific and lengthy track record of brutally failing to perform the SINGLE necessary function, keeping passwords secure.
1 - Is the industry gold standard 1Password or Bitwarden? Key requisite: Edge or FF browser extension. (I don't use mobile password management apps and will never do so.)
2 - In light of the LP breaches, do I change all my pw accounts, the master LP account, or both??
Out of an abundance of caution, it would be prudent to change the passwords for the most critical accounts in your life initially. Things like your bank, email, Google. Accounts that losing control of would immediately make you go "oh shit, I can't do X that I need for daily life". Then slowly over time change the less critical ones.
Strangely enough, some places don't fix it when they learn about it. I'm not sure why though, as that makes no sense to me.
Granted, this is just for personal use, and i can totally see a use case for a password manager in a company / corporate environment.
Your password store is a single file, it can be encrypted, backed up (or not), distributed/synchronized between your devices (or not). It belongs to you, not to a third party.
The inevitable rejoinder is, "what happens if someone gets that file?" Well, what happens if someone gets your piece of paper?
Considering it's in my house there is a short list of suspects, unlike exposing it to the entire world VIA TCP/IP, but yeah i get your point.
> Will you ever use a password manager.
Not for personal matters and that is a personal choice. My way ain't broke and i ain't fixin it. A password manager smells like something that could break, get compromised, or go out of business at any time without any warning and i don't like the smell of it.
I also code with Notepad++ with none of that autofill suggestion crap and doesn't take 8 smoking cores to fucking type a sentence if that tells you anything about my personality. Get off my lawn!!!
Hope people don't fall for the stupid thing that Google/Apple et al are trying to do, either.
But for me, I keep an encrypted text file and get the passwords by using emacs or vim. I generate passwords using:
tr -cd "[:alnum:]" < /dev/urandom | fold -w 16 | sed 10q
and with the result I may replace 1 character with what they call a "special character". To me that avoids a lot of worry.
Do you realize that 99.99% of the population in the world, including maybe 99% of the people here, don't do that? Similar to those comments that say "I don't use a cell phone", sorry what is your point? You realize that your very unique way of living and your life experience don't apply to others, and your comment is meaningful to just about nobody but you? Do you actually expect people to read your comment from there?
It’s about as secure as anything (esp after the swap file issue was resolved).
Yes, you can roll your own, but that's not a scalable solution if you're an org or have requirements that lie outside using a text file.
1Password and Bitwarden help with this. Your use case might be different and that's fine.
I work for a company that makes a password manager, and at least one clear benefit, versus copy/pasting from somewhere, even for tech savvy users is phishing resistance (the password manager browser extension should not fill your password on a website which doesn't match the website associated with that credential), which is how passwords get stolen in practice when they are not reused (not re-using is the main benefit of a PM, but your home-made system does solve that issue too).
There are other benefits more on the convenience side (mobile as you mentioned and even not having to switch app each time you need to grab a password...) which matter more for most people than security (or so they believe at least).
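The origin check that gives an extension its phishing resistance, as an added example (not the commenter's product's code): fill only when the page is served over HTTPS and its host is the saved host or a subdomain of it, so a lookalike or a host that merely contains the saved name is refused. This is a simplified policy; real managers also consult the public suffix list and per-site settings. The sample URLs are constructed.

```python
from urllib.parse import urlsplit

def should_autofill(stored_url: str, page_url: str) -> bool:
    """Decide whether a credential saved for `stored_url` may be filled into `page_url`.

    Policy (simplified, assumed for this example):
      * the page must be HTTPS (never fill into a plaintext page),
      * the saved entry must be an http(s) URL with a hostname,
      * the page host must equal the saved host or be a subdomain of it.
    """
    stored = urlsplit(stored_url)
    page = urlsplit(page_url)
    if page.scheme != "https" or stored.scheme not in ("http", "https"):
        return False
    s_host = (stored.hostname or "").lower().rstrip(".")
    p_host = (page.hostname or "").lower().rstrip(".")
    if not s_host or not p_host:
        return False
    # Suffix match on a label boundary: "login.example.com" matches "example.com",
    # but "example.com.evil.test" and "notexample.com" do not.
    return p_host == s_host or p_host.endswith("." + s_host)

# Constructed cases a practitioner would test before shipping such a rule.
CASES = [
    ("https://example.com/login", "https://example.com/login", True),
    ("https://example.com/login", "https://login.example.com/", True),
    ("https://example.com/login", "https://example.com.evil.test/login", False),
    ("https://example.com/login", "https://notexample.com/login", False),
    ("https://example.com/login", "https://examp1e.com/login", False),
    ("https://example.com/login", "http://example.com/login", False),
]

if __name__ == "__main__":
    for stored, page, expected in CASES:
        got = should_autofill(stored, page)
        print(f"{'OK ' if got == expected else 'BAD'} fill={got!s:5} {page}")
```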
If you look at it from the opposite perspective the value is clear - this isn't a tool for people who can generate and store their own passwords, it's a tool for people who got their Facebook hacked because they used the same password for everything for years and hey, this app can help avoid that mom, let me show you how.
Similarly government services gimp the web interface of tax, medical, etc. and try to push you onto mobile apps.
I can't fight this trend. Good for you that you can opt out of this nonsense.
Creating a SQL schema with a "Secrets" table and maybe some audit logging and organizational extras should take a seasoned developer ~30 minutes. Throwing a CRUD web app on top of this and making it accessible to your employees - maybe another day or 2.
I really don't know why you'd risk this sort of stuff with a 3rd party. It just boggles my mind. What are they doing that you can't do? Even a 3 person startup can probably find time around a weekend to knock this out once and for all.
Edit: clearly I missed an important point. We don't care about browser integration. I am not going for 1:1 feature replacement. If you seriously believe "a safe place to keep internal text" is an extremely hard problem that absolutely must be outsourced, I don't know why you would even be involved in technology.
Security seems to be missing entirely from the requirements, for one thing. Access control as well.
But now, thanks to your comment, I finally understand.
FWIW I’m on 1Password and it hasn’t had any of these issues, either. I would not spend dev time on this as a startup/software company founder.
No it would take a junior developer 30 minutes; a seasoned developer would look at you sideways and recommend self-hosting something like Bitwarden.
I highly doubt your engineer is doing proper cryptographic handling of data like they do.
If you use Django's default hasher, for example, you get more hashing rounds in the default config and they increase those periodically (the latter part that LastPass is struggling with, per the article).
https://github.com/django/django/blob/650ce967825aa192222391...
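What "increasing the rounds periodically" looks like in practice, as an added example (not Django's code, though the encoded layout imitates its `algorithm$iterations$salt$hash` form): verification reads the iteration count out of the stored hash, and a successful login transparently re-hashes with the current policy. The iteration value is an assumption for the example; a hash that has already leaked still needs the password changed, as the thread notes, because upgrading rounds protects only the new copy.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000   # assumed policy value; raise it over time and rehash on login

def make_hash(password: str, iterations: int = CURRENT_ITERATIONS, salt: str = "") -> str:
    """Encode a PBKDF2-HMAC-SHA256 hash with its parameters so they can be read back later."""
    salt = salt or secrets.token_urlsafe(16)           # fresh random salt per hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(dk).decode()}"

def verify(password: str, encoded: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt, _ = encoded.split("$", 3)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = make_hash(password, int(iterations), salt)
    return hmac.compare_digest(candidate, encoded)

def needs_upgrade(encoded: str) -> bool:
    """True when the stored hash was made with fewer iterations than current policy."""
    return int(encoded.split("$")[1]) < CURRENT_ITERATIONS

def login(password: str, stored: str) -> tuple:
    """Return (ok, hash_to_store). On success with a stale hash, the caller persists the new one."""
    if not verify(password, stored):
        return False, stored
    if needs_upgrade(stored):
        return True, make_hash(password)               # new salt, current iterations
    return True, stored

if __name__ == "__main__":
    legacy = make_hash("correct horse battery staple", iterations=5000)   # old, weak setting
    ok, upgraded = login("correct horse battery staple", legacy)
    print("login ok:", ok, "| stored iterations:", legacy.split("$")[1], "->", upgraded.split("$")[1])
```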
Browser and phone integration: autofill, autoupdate. You can do that too, but it’s not a trivial effort. It’s important because otherwise users will sacrifice security for convenience.
Lastpass also knows how to autochange for some sites. It was hard to lose when I left.