
LastPass: Security done wrong - wallunit
https://palant.de/2017/03/23/lastpass-security-done-wrong
======
dahart
It must be noted that the author of this article has a competing project, and
in an article so deeply critical of LastPass, it seems like a disclaimer
should be prominent. Wladimir does disclose this on the previous article:
[https://palant.de/2016/09/16/more-last-pass-security-vulnera...](https://palant.de/2016/09/16/more-last-pass-security-vulnerabilities)

As a fairly happy LastPass user, I would certainly like to know what ongoing
threats there are here, and what the real-world likelihood is that I might be
exposed to those threats. Would anyone care to summarize? The linked issues
have been fixed, even in Firefox, and the claim that vulnerabilities still
exist is unsourced.

*EDIT: disclaimer has been added! My comment is now out of date.

~~~
bqe
Here's a question you should ask yourself: do you want malicious webpages or
malvertising to have direct API access to your password manager?

This is the case with all password manager browser extensions. A desktop-based
password manager without the browser extension does not have this risk vector.
And, as we've seen with the dozens of extremely critical LastPass bugs,
they're not even particularly good at securing said API. Other products may be
less bug ridden, but they share the same risk vector.

I use pass[1], and I recommend it if you can stand copying and pasting. It's
really not much of an inconvenience for the dramatic increase in security you
get.

[1]: [https://www.passwordstore.org/](https://www.passwordstore.org/)

~~~
SubiculumCode
Copying and pasting seems to be a vulnerability... especially if you get
distracted for a moment, or haven't had your coffee and paste it into your
search bar.

~~~
mixedCase
While I don't use pass, KeePassXC and KeePassDroid clear the clipboard shortly
after use.

~~~
sprucely
KeePass also has a handy feature that bypasses the clipboard and sends
{username}{tab}{password}{enter} keystrokes directly to the browser window.
The keystrokes can also be customized per web page.

------
mnm1
"Altogether it looks like LastPass is a lot better at PR than they are at
security. Yes, that’s harsh but this is what I’ve seen so far."

No, it's not harsh enough for a program that knows the right password, shows
it to you, but then inputs the wrong one in the password field. Of course,
compared to these security issues, such UI issues are almost irrelevant. With
such a simple UI to program, you'd think they'd at least get that right or fix
it. And if they don't, it's likely they have much bigger problems under the
hood. Over and over.

Unfortunately, _all_ the reviews of Lastpass I read gave it 4-5 stars and it
was often a recommended or editor's choice pick. Clearly, those reviewers and
their publications are just a bunch of shit words to attract advertising (that
includes pretty much every article on password managers I managed to read).
This is a pretty important part of security. If it takes someone with expert
skills in computers almost a year to find a good password manager program, not
to mention days worth of work importing into and testing various solutions,
what chance does your everyday computer user stand?

The way things stand with password managers right now, I'm not sure we're
advising ordinary computer users correctly in telling them to use one.

~~~
r3bl
> If it takes someone with expert skills in computers almost a year to find a
> good password manager program, not to mention days worth of work importing
> into and testing various solutions, what chance does your everyday computer
> user stand?

The reason why I hate these kinds of threads in IT communities is that we
usually don't seem to talk about the issue(s) the article is referring to.

Take this one for example. There's much more discussion about what works for
who than the actual content of the article. And then I followed an article
linked in the comment here about getting 1Password to run on Linux. And at the
bottom of the article there was a link to the HackerNews thread about that
article. And the situation is exactly the same.

Out of 57 comments in that thread
([https://news.ycombinator.com/item?id=9091691](https://news.ycombinator.com/item?id=9091691)),
only four are actually related to running 1Password on Linux, and none of them
is actually related to someone actually trying the method from the article and
sharing his/her experience. 53/57 comments are basically "I use X because of
Y".

~~~
mnm1
"The reason why I hate these kinds of threads in IT communities is that we
usually don't seem to talk about the issue(s) the article is referring to."

I clearly describe the issue: "a program that knows the right password, shows
it to you, but then inputs the wrong one in the password field". This isn't a
bugtracker. If you want details, I'll gladly supply them. But don't accuse me
of not writing something that's clearly in my post.

~~~
r3bl
I wasn't referring to your own comment, but to the discussions about password
managers in general (hence the usage of "we" instead of "you"). I apologize
that my comment led you to believe otherwise. I found your comment relevant to
the discussion and went on trying to discuss how these threads in general might
have something to do with us taking so long to choose a password manager.

------
johnjuuljensen
[http://keepass.info/](http://keepass.info/) is awesome.

Put your keyfile on Dropbox/OneDrive/whatever so it syncs to all your
computers.

Keepass2Android works great and can read from most cloud storage solutions.

Don't know about iPhone.

Edit: It also has a lot of neat plugins. I use one for storing ssl
certificates, which also supports key forwarding to putty.

~~~
avoutthere
Putting one's keyfile in the cloud just seems to me to be asking for it.
You're essentially trusting a 3rd party with the keys to your kingdom.

~~~
TorKlingberg
* Compared to completely cloud-based password managers like LastPass and 1Password, it's no worse.

* The database is encrypted with your master password.

* You can optionally also encrypt it with a static "Key File" that is on all your devices but not in Dropbox.

~~~
extra88
1Password seems to put saving to their cloud front and center, but you can
still choose to not save your passwords on their servers and use your own
methods. My 1Password vaults are encrypted with my master password and synced
between devices using Dropbox. I think there's also an option for directly
syncing between smartphones and computers.

------
Blackthorn
Sigh. I can't ignore the red flags anymore. Time to switch off.

Is there anything automatic out there? I'm not going to use
program+dropbox/cloud-provider. I need something like lastpass.

Don't suppose there's anything out there that can import the lastpass db?

~~~
pwenzel
If you're open to a paid option, 1Password for Teams/Families is a good one.
You can transfer from LastPass via CSV
([https://support.1password.com/import-lastpass/](https://support.1password.com/import-lastpass/)).

~~~
WhitneyLand
I felt like they weren't above board previously with pricing. It wasn't fraud,
but IIRC prices got a big jump that was timed to be in combination with some
kind of de facto mandatory upgrade. It had a bait-and-switch feel to it, and at
the time the family price across multiple devices seemed too high.

~~~
xeromal
I'm still on 4.* which was a 1 time fee. I never felt like I was forced to
upgrade.

~~~
WhitneyLand
That's cool, but the problem is most software is not safe to use unless it's
actively maintained and offering updates from at least a security perspective.

So I don't consider that a realistic approach for most people, especially for
something as mission critical as password management.

~~~
tripzilch
You just can't really expect proprietary software to be actively maintained
indefinitely for a one-time fee. Added to the financial (and ego-) incentives
to downplay security issues, I really don't think people should consider
anything but open source password managers.

------
staticassertion
Yeah, the two weak points pointed out have _always_ been weak points. It's
unfortunate, but disabling autofill has always been my recommendation.

> Altogether it looks like LastPass is a lot better at PR than they are at
> security. Yes, that’s harsh but this is what I’ve seen so far. In
> particular, security vulnerabilities have been addressed punctually, only
> the exact scenario reported has been tested by the developers.

This seems unfair.

LastPass fixes the initial vulnerability punctually - we do not know what they
will do in the future. Is it better for them to wait, come out with a defense
in depth approach, and then patch? Seems silly.

Of course, how long do we wait? Historically, I would argue, LastPass has done
defense in depth fairly well - when there was a breach they were quick to not
only address the vulnerabilities immediately, but soon after they rolled out
Content Security Policy and HSTS, two technologies that were rarely deployed
in the wild at the time (and are still sadly too rare).

My suggestion to LastPass users is to:

1) Enable 2FA

2) Up your PBKDF2 rounds

3) Disable as many browser integration features as possible

I don't recommend dropping LastPass and trying to roll your own key-sync store
with KeePass/Dropbox as some have done. I don't know of any other browser-
based password manager that isn't equally weak to attacks based on browser
integration.

Alternatively, don't use a browser-based solution. This is less convenient but
you'll avoid by far the largest area of attack surface.
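The "up your PBKDF2 rounds" advice above, as an added example that is not from the thread or from LastPass: a stand-alone Python sketch of a master-password KDF in which the round count is the cost dial, with a helper that calibrates rounds to a target unlock time and a constant-time check of a candidate master password. The salt, the two round counts and the verifier scheme are constructed for illustration.

```python
"""PBKDF2 round count as a tunable cost factor for a master password.

Constructed, stand-alone example (not LastPass code): shows what raising the
PBKDF2 round count buys against an attacker who has obtained an encrypted
vault and is guessing master passwords offline. Every extra round costs the
legitimate user one unlock's worth of time, and costs the attacker the same
amount per guess on comparable hardware.
"""
import hashlib
import hmac
import time

# Constructed sample values; a real vault stores its own salt and round count
# next to the ciphertext so the client can re-derive the key.
SAMPLE_SALT = bytes.fromhex("5d41402abc4b2a76b9719d911017c592")
LOW_ROUNDS = 5_000
HIGH_ROUNDS = 100_100


def derive_vault_key(master_password: str, salt: bytes, rounds: int) -> bytes:
    """Derive a 32-byte vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, rounds, dklen=32)


def verifier_for(master_password: str, salt: bytes, rounds: int) -> bytes:
    """Check value a client can store to detect a wrong master password
    without storing the key itself: one more PBKDF2 pass over the key.
    (Constructed scheme for illustration, not any product's format.)"""
    key = derive_vault_key(master_password, salt, rounds)
    return hashlib.pbkdf2_hmac("sha256", key, salt, 1, dklen=32)


def check_master_password(candidate: str, salt: bytes, rounds: int,
                          stored_verifier: bytes) -> bool:
    """Constant-time comparison so a wrong guess leaks no timing signal."""
    return hmac.compare_digest(verifier_for(candidate, salt, rounds),
                               stored_verifier)


def seconds_per_guess(rounds: int, salt: bytes = SAMPLE_SALT,
                      samples: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation at this round count;
    this is also an attacker's per-guess cost on similar hardware."""
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        derive_vault_key("timing probe", salt, rounds)
        best = min(best, time.perf_counter() - t0)
    return best


def calibrate_rounds(target_seconds: float, floor: int = LOW_ROUNDS) -> int:
    """Pick a round count whose single unlock costs about target_seconds on
    this machine, never going below the floor. PBKDF2 cost is linear in the
    round count, so one measurement at a probe value is enough."""
    probe = 20_000
    per_round = seconds_per_guess(probe) / probe
    return max(floor, int(target_seconds / per_round))


def slowdown_factor(old_rounds: int, new_rounds: int) -> float:
    """How many times slower offline guessing becomes after raising rounds."""
    return new_rounds / old_rounds


if __name__ == "__main__":
    low = seconds_per_guess(LOW_ROUNDS)
    high = seconds_per_guess(HIGH_ROUNDS)
    print(f"{LOW_ROUNDS} rounds: {low * 1000:.1f} ms per guess")
    print(f"{HIGH_ROUNDS} rounds: {high * 1000:.1f} ms per guess "
          f"({slowdown_factor(LOW_ROUNDS, HIGH_ROUNDS):.1f}x slower)")
    print(f"rounds for ~250 ms unlock here: {calibrate_rounds(0.25)}")
```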

------
jd007
I wonder if 1Password is equally susceptible or less so, due to the way that
the extension works. Because 1Password has a native application, I believe the
browser extensions merely communicate with the native application to retrieve
passwords to fill when needed, instead of handling your whole decrypted vault.

~~~
JoelTheSuperior
Precisely this. The LastPass extension actually handles the decryption,
whereas the 1Password one merely communicates with the app. 1Password should
therefore be significantly more secure.

~~~
mentat
If it auths the application, which it didn't for quite some time. Tavis has
found plenty of issues with 1Password and their team has been much more
hostile and less responsive.

~~~
jfindley
Can you please provide a source for this? The only 1Password bug I can find
filed by tavis is [0], in which 1Password were very responsive and thankful for
tavis' efforts.

I note that I can't find anything on twitter that even remotely supports your
allegations either.

0: [https://bugs.chromium.org/p/project-zero/issues/detail?id=88...](https://bugs.chromium.org/p/project-zero/issues/detail?id=888&can=1&q=1password)

------
Orangeair
I would love to switch to a different password manager, but nothing else I've
tried has quite managed to nail the usability aspect. Specifically, Lastpass's
app fill functionality on Android is a huge benefit that I haven't seen in
others. It also has a browser extension that works without a separate program
running on your computer; I didn't even realize that was a plus until I
started trying to use other apps that did that.

I guess for now I'll just turn off all of the automatic features like this I
can find.

~~~
bigtunacan
Usability is great, but we're talking about our passwords. Security needs to
be put ahead of usability in this case.

If you can get both that's great, but poor usability beats having your banking
and systems owned.

~~~
baldfat
Why would people put their bank and other important passwords like this in a
password manager?

I have used LastPass for over 5 years, and I memorize my LastPass and my bank
account passwords.

~~~
Bluestrike2
Why wouldn't the average user? The entire idea is that you'll just have to
remember two passwords: your computer account, and your password manager. At
least for most users, the idea that some password shouldn't be stored just
opens the door to bad practices and password reuse.

For someone working on a password manager, I think the default assumption has
to be that a screwup on your part will--literally--impact pretty much every
aspect of a user's life. You can't assume that some passwords won't be stored.

~~~
baldfat
Well, my wife believes that reusing the same password with variations is more
secure than a password manager. Most average users distrust a manager and
won't use it.

~~~
tripzilch
And my imaginary uncle believes that locks attract burglars ...

------
ja27
I've always been quite nervous that the LastPass two-factor authentication can
be easily bypassed if your email account is compromised. On the 2FA screen
there's a "If you lost your Google Authenticator device, click here to disable
Google Authenticator authentication" link. No. I don't want that to be able to
be disabled. I have one-time passwords for that.

~~~
nickik
You can configure quite a lot of stuff in the 2FA settings. I have no such
option for my 2FA on LastPass. Also, my e-mail also has 2FA.

~~~
twblalock
Given how many sites will send password resets and one-time-use second factor
codes to email, it's pretty much imperative to have two-factor auth on your
email account these days.

------
gtirloni
What to use instead that doesn't fall into the same situation and offers
decent mobile/browser support?

~~~
pseudobry
I signed my family up for 1Password a month ago and love it so far.

Here's the 1Password Security Design Whitepaper:
[https://1password.com/files/1Password%20for%20Teams%20White%...](https://1password.com/files/1Password%20for%20Teams%20White%20Paper.pdf)

~~~
izacus
1Password has no Linux support so it's not really a drop in replacement.
Android autofill functionality is also significantly worse.

~~~
ac29
Android O is getting an Autofill API [0], which should be very useful for apps
like LastPass.

[0] [https://arstechnica.com/gadgets/2017/03/the-android-o-develo...](https://arstechnica.com/gadgets/2017/03/the-android-o-developer-preview-promises-better-battery-life-faster-apps/)

------
miles_matthias
I've been using LastPass for a few months and have loved it, but maybe I'll
consider switching to 1Password.

<rant> However, can I just rant for a second about how these security
assessments and blog posts fold out? The beginning of my career was spent
thinking I was going to go into this field (one of my degrees is in
Information Assurance) and the #1 thing that persuaded me to switch to
building software instead was the attitude and approach of the security field.

If it's not 100% secure and we all agree that it's the 100% best way to do
something, it's the end of the world and anyone using LastPass is an idiot who
will have all of their passwords hacked and their life ruined. (Remember when
the draft for client side storage was announced? You would have thought
armageddon was upon us based on the reaction of the security industry.)

Big picture here -- most people re-use a short, simple password on all of
their sites. Using a password manager, even one with a few things that it can
and should improve, is a HUGE step in consumer behavior. Bickering amongst
ourselves and boasting for crapping on someone's company is not the right
approach to increasing our entire society's security stance.

Want to actually help?

1. Create more resources to help consumers pick, use, and adopt a password
manager with a _super_ simple setup process. Even the current methods that all
password managers use of generating, saving, and autofilling passwords are too
complex and cumbersome for the average consumer. Heck, even MFA is seen as a
huge waste of time and barrier to logging into people's accounts by the
majority of people right now.

2. Create more resources to educate developers of these services, helping them
to see what they should do and how they should do it, not bragging about your
ability to tear down a service they spent hours slaving over. Get over
yourself and actually help society.
([https://www.owasp.org/index.php/OWASP_Guide_Project](https://www.owasp.org/index.php/OWASP_Guide_Project)
is a great example of this.)

Looking for an example? Apple's iTouch. Yes -- it's not the most secure
option. People leave their fingerprints all over the place and they can be
lifted and used to unlock a phone. But look at the other option -- using no
passcode, or a 4 digit passcode that's easy to guess or look over a shoulder.
Is it the most secure option? No. Does it raise the level of security for our
society as a whole by providing a realistic security barrier that the average
consumer can use? Yes. </rant>

~~~
irrational
Thank you for putting into words my exact thoughts. Though, I'm cynical enough
to believe that people would rather moan about how much password managers suck
(Why can't everyone just memorize a different 30 character string for each of
their 200+ websites? Losers.) and not do anything productive to fix it. I wish
I had the skills to do so.

------
Sealy
Interested to hear what the HN community thinks about 1Password

~~~
monatron
I used 1Password for quite a long time but have since switched to LastPass
mostly due to Linux compatibility and u2f integration

~~~
karood
I used it (1P) and it was super, but Mac only - no Linux client. Just switched
over to Enpass, and it's very like 1Password, only they do provide a Linux
client. So far it's great, very happy with it.

~~~
Shoop
How is enpass's (cryptographic) design and security compared to 1Password?

~~~
iKlsR
[https://www.enpass.io/security/](https://www.enpass.io/security/)

------
mancerayder
Commentary / Opinions on how this compares to a KeePass+DropBox solution would
be quite interesting to me.

It seems password managers please some of the people some of the time, and
unnerve many of the people all of the time.

~~~
cmdrfred
I use KeePass+SFTP personally. Something like a password manager I won't trust
to a cloud service.

------
indutny
Has anyone considered using DerivePass yet?
([https://derivepass.com/](https://derivepass.com/)) It doesn't store
passwords anywhere at all, just the domain and login information, both of
which are encrypted with your master password.

(Disclaimer: I'm the author of it).

------
h1d
Not sure how people like online password managers. The consequence will be far
worse than selling your online attitude to Google by using their online
services in case of a security breach. It pretty much gives your online self
up to hackers.

With that said, I only use offline managers, and this is only for Mac, but Locko
by Binarynights is clean and easy to use. The downside is that its browser
extension can't remember basic auth credentials, but other than that I like it.
I can also back up the encrypted database easily with a script.

(Seems the link is gone from their site with the release of forklift3 but the
page still exists.
[http://www.binarynights.com/locko/](http://www.binarynights.com/locko/) )

------
proactivesvcs
With KeePass, a Yubikey and Syncthing you have a pretty solid system which you
can carry around with you, without having to trust any third party with any
data (or service availability). Arguably you could even leave out the Yubikey
and still get a great degree of security.

------
4ad
I'm interested to hear what the HN community thinks about keeping passwords in
iCloud-based Keychain (Safari) or whatever Google's alternative is called.

I don't care about portability. Why would I want e.g. 1Password instead of
simply using Apple Keychain?

Thanks!

~~~
madamelic
Here is how I think about it: It is a spectrum.

You can have high accessibility / ease of use or you can have high security.
You can't have both.

By storing your info on a remote server, you are trusting they will protect
your data. Maybe they will, maybe they won't.

It is just a matter of finding a balance you feel comfortable with.
Personally, I don't store my passwords on any cloud service, carry them on a
thumb drive and don't use services that expose them to the browser. Could I
lose a thumb drive? Sure. I rate the chances of someone picking it up and
knowing how to exploit it as very low.

~~~
el_benhameen
How do you deal with passwords on your mobile device?

~~~
madamelic
Type them in by hand.

It does mean I have to have a computer around with me though. I don't really
use a lot of apps, I mostly have my bank apps and those stay logged in.

------
feeblewitz
I've been a LastPass user for a few years and I use the browser extension
every day. As an admin of several websites, the extension has been a time
saver.

I thought I had no illusions about the inherent insecurity in using LastPass,
but I guess I was wrong. I use Yubikey and disabled autofill long ago, but I
was still vulnerable. Their response to these exploits is maddening. "Our
investigation to date has not indicated that any sensitive user data was lost
or compromised." This when they can't verify if passwords were compromised as
LastPass servers weren't involved in this exploit.

So I guess I need to switch to a different service. Any suggestions?

~~~
dbg31415
I've struggled with this too.

I love how I can share passwords with a team using LastPass (share just
access, share ability to view, share ability to edit). For me... it's more
about getting the team using the right tool than individuals. There are
probably better individual solutions than LastPass, but I don't know of any
that are better for teams. I know that having a tool that lets you share
passwords is inherently risky... but I still think LastPass is less risky than
people sharing via PostIt, or sharing via emails... or less risky than not
sharing passwords in that "hit by a bus" scenario we always talk about.

I tried Enpass, 1Password, and KeePass for individual use... none of them were
horrible (I liked 1Password the most). Enpass let you sync your vault with the
storage option of your choice... so you could sort of do team passwords that
way. Typically I don't want to share all my passwords, just a few... and like
I would want to share different subsets with different people... so that
"share your vault" option wasn't ideal for me.

Usability-wise, I love how LastPass fills in my credit card info and address
on forms I tell it to. And how LastPass can automatically update passwords for
many common sites. And gives me a report of passwords that are weak, old, and
duplicate -- the "global rank" on LastPass is a game and I want to get a high
score. Ha. (Full disclosure, I tried each casually for less than a week...
there may have been things I missed.)

Been on LastPass for a long time, generally happy with them and haven't found
anything that better fit my needs, but clearly these reports that they aren't
taking security as seriously as they should be are troubling.

EDIT: Going to look at
[https://1password.com/teams/](https://1password.com/teams/) in the next week
or so. I don't think this option existed last time I looked at 1Password.

------
alexmat
I use passwords.google.com

It works well with chromium on linux and on my android phone. It's free, has
all the security of a google account including u2f, chromium integration is
flawless on linux, and works well with chrome on Android.

~~~
bergie
Note that you can't use the web interface if you've encrypted your Chrome
password store with a passphrase

------
hyyypr
The HN community seems to be giving a lot of praise to 1Password, LastPass
and KeePass occasionally, but rarely mentions Dashlane. I'm curious as to why?

~~~
dublinben
Dashlane isn't open source, nor is it available on Linux. That is going to
prevent a lot of people from even considering it.

~~~
svenfaw
Lastpass / 1Password are not open source either.

~~~
dublinben
Great reason to not recommend them either!

------
test6554
I literally just decided to jump into the world of password managers this past
weekend. I went with LastPass

------
aeleos
Does anyone know of an extension based program, that doesn't rely on an
application, that just uses a keepass file stored in the cloud? I really like
the idea of KeeWeb, but I wish it could be part of an extension, with support
for things like automatic detection and autofill.

------
touchofevil
Does anyone use Keeper? How is it? I need a password manager that supports
Linux, so it seems that LastPass, Keeper, Enpass, and KeePass are the only
options. [https://keepersecurity.com/](https://keepersecurity.com/)

~~~
Kametrixom
I can recommend
[https://www.passwordstore.org/](https://www.passwordstore.org/)

------
karood
I used it (1P) and it was super, but Mac only - no Linux client. Just switched
over to Enpass, and it's very like 1Password, only they do provide a Linux
client. So far it's great, very happy with it. * reply to comment above re
1Password

~~~
dmix
I use `pass` on linux/mac, which creates a directory of .pgp encrypted
plaintext files for each password for each website.

[https://www.passwordstore.org/](https://www.passwordstore.org/)

I sync this directory to my mobile device using megasync (linux packages and
Android app available).

[https://aur.archlinux.org/packages/megasync/](https://aur.archlinux.org/packages/megasync/)

[https://play.google.com/store/apps/details?id=mega.privacy.a...](https://play.google.com/store/apps/details?id=mega.privacy.android.app)

Then I use `pass` on Android via the "Password Store" app (and the APG app to
manage my PGP keys on mobile).

[https://play.google.com/store/apps/details?id=com.zeapo.pwds...](https://play.google.com/store/apps/details?id=com.zeapo.pwdstore)

The whole UX is super easy. Basically just PGP, plaintext files, and
copy/paste.

~~~
dewey
If you want to have some more features than default pass while keeping your
third party apps there's also gopass
([https://news.ycombinator.com/item?id=13551692](https://news.ycombinator.com/item?id=13551692))
that was posted a while ago.

------
SubiculumCode
I just noted that my lastpass extension was updated by Firefox. Is this fixed?

------
draw_down
I never liked it, but I won't pretend it's because I'm some security genius.
Just found it very unpleasant to use

------
saosebastiao
From a strict security standpoint, maybe all of this is true. But I see strong
PR as a feature, not a bug...at least until password manager market
penetration is closer to 100% than it is to 0%.

Once you've adopted a password manager, you've limited the scope of potential
abuse, and _you've decreased the pain of recovering from abuse that does
happen_. Being forced to change passwords used to be a stressful problem for
me, and now it is not. Before, I would procrastinate changing passwords after
a breach, because I knew how hard it would be. With LastPass, I literally
changed every password in my vault in less than a half hour.

The PR matters because it's too easy to hear some bad news and give up on
trying to be secure. If the PR prevents people from giving up, I'm all for it.

~~~
mentat
These are security critical pieces of software. Like, AV, if the password
manager makes it easier to compromise your access in bulk, that's a very very
bad thing. This doesn't need to be targeted, just throw some JS into an ad and
pwn up 100s of 1000s of accounts. That's actually worse.

~~~
saosebastiao
My black hat method is much easier than that, and it doesn't even require a
black hat skillset.

1) Download two datasets from different massive breaches. You can find plenty
of them with plaintext passwords on any torrent tracker.

2) Correlate email and password combos across datasets. Don't worry, you'll
find 10s of millions of people who don't use password managers and reuse
passwords.

3) profit

If you have reason to believe you're being targeted, any breach is a problem.
But until my method no longer produces results, there's no reason to believe
black hats will go through _any additional effort_ to obtain the average
person's creds.

------
rebootthesystem
I am almost ready to file a lawsuit.

Context:

What I am after is a password manager that has the option to NOT store
anything in the cloud at all. I want encrypted storage to be stored locally.
No exposure outside my network. Inter-device synchronization done manually or
automatically within the confines of said private network.

I would also like to store data beyond uid's and pwd's. For example: secret
questions and their answers, account and pin numbers, company tax id's, bank
account numbers, passport numbers, etc. In other words, data you might need
handy that should be encrypted.

I've been using a program for a number of years. The program started exactly
as I described above: Network only synchronization.

Over the years they have mutated the program to cloud based storage. And, over
the years, they have done this without warning to users or seeking any kind of
authorization.

Imagine if you are using software that only stores data locally and syncs over
your network, only to wake up one day to discover that the latest update
uploaded all of your secret data to their cloud-based system WITHOUT your
permission. And, to make things even worse, they progressively eliminated the
network sync option.

The current version doesn't even ask, the minute you edit a record or create a
new one it shoots it up to the cloud. Unbelievable.

Years ago I asked about this. I have an email from the support assuring me the
data would never be stored on the cloud. Time to file a lawsuit?

Anyhow. Is there a tool fitting my description above? I don't care if it's
free or paid. I simply want my data to never move outside my network unless I
want it to.

~~~
jameskilton
Have you looked at [https://1password.com/](https://1password.com/)? And it
looks like [https://www.enpass.io/](https://www.enpass.io/) has similar
capabilities, but I don't use it so I'm not sure exactly.

1Password keeps a local encrypted file. The "integrations" are 1Password
knowing default locations to look to store the file in the right directory.

