
Ask HN: I'm having doubts about LastPass security, what should I switch to? - STRML
I am becoming increasingly paranoid about the applications I use - LastPass is a big part of my daily workflow and I really enjoy it.

However after noticing (https://news.ycombinator.com/item?id=6621560) that LastPass' vault is easily broken into when open, even with strict reprompt settings, I'm starting to trust their security model less and less. I opened a support ticket about the obvious password breach detailed above, and they say it's an inevitable consequence of Chrome's broken security model in extensions.

Well, if that model is broken, I don't want to use it. I find it misleading that LastPass even offers a reprompt option, since it is so easy to retrieve passwords from the application when it is logged in, even if a reprompt is required. Sure, it would slow down unsophisticated attackers, but you don't need to be that sophisticated to change the type of an input.

I have been trying to use it with very fast autologout policies but it very annoyingly asks for a password twice (once to login, once as a reprompt) as well as the Yubikey for every single site. The usability is garbage.

I've been looking at 1Password but I was turned off by their lack of meaningful 2FA support (Yubikey), and their exposure of data if used in any sort of convenient fashion (I would like access from my phone, which is part of the reason I want Yubikey support).

What do you use and what do you like/dislike about it?
======
rmxt
I prefer to avoid placing my password store/database on the web in any form. I
like to use KeePass + key file + long password on a thumb drive. [1] There are
ports for pretty much every platform, and the Windows and Android ones that
I've used are pretty convenient once you incorporate them. The Windows program
offers a lock-screen reprompt, say if you are stepping away from your screen.
Also, it offers the option of only using a key file, rather than entering a
long password each time you access the database store. Lastly, the Windows
version offers an auto-type keyboard shortcut that you can customize based on
the window title in your browser (e.g. to match a specific webpage). It is
susceptible to keyloggers, but at that point you might have other issues than
your password stores being compromised.

[1]
[http://keepass.info/help/base/keys.html](http://keepass.info/help/base/keys.html)

~~~
WorldMaker
Windows Pro-Tip: KeePass supports Windows' "Secure Desktop" (the same place
where Windows UAC prompts launch into) for the reprompt. This really should be
the default now, but it's simple to enable and incredibly worth enabling given
that malware has been discovered in the wild trying to keylog/grab master
passwords for programs like LastPass, 1Password and KeePass.

Cross-Platform Pro-Tip: KeePass 2.x runs great as is on the Mono VM with only
the obvious Windows-only functionality unavailable.

------
tdicola
I'm actually going through and setting up KeePass with two factor auth (just
using Google's Authenticator app for now, maybe a yubikey in the future) right
now and have a similar question. After looking into KeePass and kicking the
tires a bit I really, really wish someone would step in and make a nice cross
platform version to simplify setting up a password store with two factor auth
and other best practices (long pass phrases, etc.).

Right now from what I see it's a horrible mish-mash of different apps on
different platforms written by different people with an unknown level of
support for each of them. Frankly I don't even know if most of the KeePass
apps are compatible with each other, and that kind of scares me. Setting up
two factor access to KeePass is also pretty obtuse and requires tracking down
blog posts and such to figure it out.

I don't mean to denigrate any of the contributions or work people have done in
this space (in fact I am incredibly thankful), but it does feel like some
leadership to put all these pieces together is badly needed.

I would absolutely love and be more than happy to spend some money on a
polished app that's cross platform and is 'batteries included' so you can
setup two factor auth & use devices like yubikeys without any extra screwing
around. Bonus points if it doesn't require Mono too.

~~~
mercnet
I spent forever trying to get KeePass/KeePassX to work on Linux, Windows, and
Android. I eventually gave up due to version incompatibility and continue to
use Lastpass as it works well on all three.

------
RoboTeddy
I use KeePassX (macosx) + MiniKeePass (iOS). They use the same password
database format. I only generate new passwords on my macosx device.
Occasionally, I manually copy my password database to my iOS device.

It's a bit annoying, and it means that recently generated passwords might not
be available from iOS, but overall seems to work!

~~~
danesparza
I tried KeePassX, but found it crashed a lot on my Mac. Have you checked out
MacPass?
[https://github.com/mstarke/MacPass](https://github.com/mstarke/MacPass) It's
another open source reader/writer of KeePass files.

------
vijayp
We open sourced (GPL3) Mitro ([https://www.mitro.co](https://www.mitro.co)).
You can find the code here: [https://github.com/mitro-co/mitro](https://github.com/mitro-co/mitro).

We have a similar model for reprompting, but you can alter the code as you see
fit. Someone was working on a command line client too, but I'm not sure what
became of it.

~~~
nacs
Looks good but you should consider changing that frontpage headline ("Mitro is
now Open Source! Unfortunately, that means there is no support") which makes
it sound like open-source always equates to no support.

Maybe an asterisk after the first sentence with a footnote stating "this
product comes as is with no support" or something similar.

------
dozy
How about the Bruce Schneier-built Password Safe?

[https://www.schneier.com/blog/archives/2014/09/security_of_p...](https://www.schneier.com/blog/archives/2014/09/security_of_pas.html)

Although, in addition to being a non-cloud-based option, it seems he only
vouches for the original, Windows-compatible version. That said, the Android
and iOS versions do seem to be open source, so at least you can build and
inspect them for yourself.

~~~
joeyrobert
Password Safe is great. I have a long password, and sync it to my phone and 4
computers using btsync. Windows, Mac, Linux and Android clients all work
seamlessly.

------
anatolyrc
Just to be clear, you do realize that any pw manager that runs as a browser
plugin has the same issue, right? If you want the convenience of being able to
auto-fill your passwords into the browser, that kind of limits your options.

~~~
Buge
I don't think being a browser plugin has anything to do with it. If the
problem is what mschulkind describes, then it can be fixed by changing the UI
a little to have an autofill button while logged out, and to automatically log
out after doing an autofill.

I think the underlying issue, which KeePass also has, is that the entire
database is encrypted. So to be able to search the database to see if a
password exists, you need to decrypt the whole thing, including the passwords.
If the passwords were each individually encrypted separately from the
database, this could be fixed.

~~~
STRML
I believe this is the same issue that 1Password had in the past, and a lot of
users complained about exposed urls/titles in their storage format. I believe
they now decrypt the urls & titles on startup in their plugins and keep them
in memory, and only read the passwords at will, but I am not 100% on that.

------
richardjs
I'm a little confused about the issue. I understand the problems you have with
the reprompt option, and if that causes you to switch from LastPass, it's your
decision.

But could this issue be solved by keeping your computer locked when you're not
using it? I understand that might not fit your general computer usage, but
it's how I use LastPass, and I certainly wouldn't use the service without
locking my machine (reprompt enabled or otherwise--reprompt is turned off for
most of my passwords).

You also mention trying very fast autologout policies, but that it gets
annoying to have to enter your password twice. My question is, if you're
logging out immediately, why do you need the reprompt option enabled at all?
If a user can log in, they can certainly reenter the password, so the only
thing the reprompt does is annoy you, with no added security.

I don't know your particular computer use, though, so forgive me if what I'm
saying isn't applicable.

------
sigil
This has been my system for a while now:

- For each new account, generate a long, random but pronounceable password
using apg [1].

- Don't let it touch disk. Immediately save it to a gpg-encrypted password
file. I use gnupg.vim. [2]

- After a few logins the pronounceable password usually sticks. If I can't
remember though:

    gpg -d passwords.gpg | grep example.com

The downside: there's no mobile version. That's okay -- I'm not sure I trust
my phone with the keys to my kingdom anyway. I also wouldn't trust closed-
source software with the keys to my kingdom, or even immature open-source
software, for that matter.

YMMV depending on paranoia level / threat model.

[1] [http://linux.die.net/man/1/apg](http://linux.die.net/man/1/apg)

[2]
[http://www.vim.org/scripts/script.php?script_id=661](http://www.vim.org/scripts/script.php?script_id=661)

------
sedachv
Bruce Schneier still recommends using copy and paste to transfer passwords
from a password manager to the browser:
[https://www.schneier.com/blog/archives/2014/09/security_of_p...](https://www.schneier.com/blog/archives/2014/09/security_of_pas.html)

I've been using Emacs and GPG files (one for personal stuff, one for work
accounts) as a password manager since GNU Emacs 22 came out with GPG
integration in 2007. Works almost anywhere without needing any other
applications. I back up the GPG files to remote servers and keep my private
keys on several private devices to get the benefit of remote backups without
the risk.

Both iOS and Android are pretty much designed as surveillance devices, I would
not recommend putting your private keys or password list on them.

~~~
Someone1234
> Bruce Schneier still recommends using copy and paste to transfer passwords
> from a password manager to the browser

That's just a justification for his password manager which has no other way to
transfer passwords. There's no security benefit.

Keyloggers don't literally "log keys." A stream of typed keys with no context
is utterly useless. Particularly when the goal is automated data theft (rather
than a dedicated attacker targeting you personally).

Most keyloggers are embedded somewhere on the HTTP stack (e.g. browser
extensions/plugins, Win32 message hooking (e.g. steal the password from a
specifically named element when that element is destroyed), TCP driver, etc).

Why do otherwise intelligent people continue to think that malware literally
logs their keys? Even a cursory thought about the subject would flag all kinds
of issues and better alternatives.

I strongly suggest everyone with an interest in the topic go grab some malware
source code and read. It isn't like it is hard to find.

------
rickr
If you're paranoid about password security why are you storing them on a
server you don't own?

You can try KeePass ([http://keepass.info/](http://keepass.info/)), but if
you're upset with the usability of LastPass you probably won't like KeePass.

~~~
pyre
There's nothing wrong with storing them on a server you don't own... just so
long as all information the server sees is encrypted. E.g. you can keep your
KeePass file on DropBox because DropBox only sees the encrypted file.

------
lectrick
LastPass supports 2FA through Google Authenticator, maybe that will help you
rest easier?

[https://helpdesk.lastpass.com/security-options/multifactor-authentication-options/google-authenticator/](https://helpdesk.lastpass.com/security-options/multifactor-authentication-options/google-authenticator/)

~~~
STRML
I use Yubikey 2FA. That still doesn't fix the problem that all of your data is
accessible while logged in, and that the usability goes to hell if you don't
stay logged in.

~~~
ttt
"That still doesn't fix the problem that all of your data is accessible while
logged in"

This sounds like a non-vulnerability to me.

You can't get mad at Ford because someone stole your car when you sat them in
the front seat and left the keys in the ignition. Why not log out?

~~~
STRML
Okay, this is a crappy metaphor, but imagine they had a feature where you
could put the car in standby while you went out for a quick errand, and just
press a button to start the car up again without inserting the key, but the
key has to be in your pocket. Except, as it turns out, you don't need the key,
it'll just start if you jiggle the wires under the steering column a bit. So
the standby feature is useless.

LastPass has a series of reprompt options for all sorts of actions, such as
opening password /secure note entries, logging in with a password, etc., and
you can make those reprompts time out; so, for example, you can keep the thing
turned on (so autofills will be prompted, passwords can be generated, etc),
but doing anything meaningful with it will require a reprompt after a short
amount of time.

As I've discovered, even with the reprompts enabled, you can access the data,
so the option is IMO totally useless.

------
acdha
> I've been looking at 1Password but I was turned off by their lack of
> meaningful 2FA support (Yubikey), and their exposure of data if used in any
> sort of convenient fashion (I would like access from my phone, which is part
> of the reason I want Yubikey support).

What exactly are you referring to by that? The 1Password keychain is encrypted
using PBKDF2 with a large number of iterations so they're rather resistant to
offline attacks, particularly since I'd assume all of your devices have FDE
enabled. If you're too paranoid to trust iCloud/Dropbox for the actual file
exchange there's also a local WiFi sync option.

------
tptacek
I like 1Password.

------
vhodges
I use [http://www.alexhornung.com/2014/01/15/introducing-bpasswd2/](http://www.alexhornung.com/2014/01/15/introducing-bpasswd2/)
because it doesn't store anything anywhere except some settings for some sites
that need different options when generating the password.

~~~
dserodio
I used something similar until 2011 or so.

If the site's password is always a function of the master password and the
site URL, what do you do when a site was breached and you need to change its
password? What if the site changes URL (eg twttr.com became twitter.com)?

------
jrochkind1
If you don't need something that keeps your passwords sync'd across devices,
then you have many more options.

Chrome on OSX uses the OSX Keychain to store passwords -- and I figure if you
can't trust OSX Keychain, then you're kinda doomed anyway using OSX. (But I
actually think it's pretty solid software). (I am not sure if Firefox on OSX
also uses the OSX Keychain? Safari surely does.)

And it's easy to share a Keychain file across multiple OSX computers, even
over dropbox -- but just OSX.

There are also of course a number of third-party, and in some cases multi-
platform, password storage systems that simply keep your passwords in an
encrypted file. I am not sure if any of them have as good browser integration
as LastPass (or built-in browser auto-fill) though. Anyone know of any good
ones?

------
peatmoss
It's been mentioned here before, but there is also password manager that uses
a mix of git, bash, and gnupg. Not exactly as convenient as LastPass or your
OS's keychain:

[http://www.passwordstore.org](http://www.passwordstore.org)

~~~
emilecantin
This is the solution i've adopted a few weeks ago. I use it with the CCID /
JavaCard functionality of my Yubikey NEO. I like the blend of ease-of-use of
the PIN + device authentication, and it even works over NFC with this app:
[https://github.com/zeapo/Android-Password-Store](https://github.com/zeapo/Android-Password-Store)

I think the usability needs to be a bit improved (I'm looking at maybe making
a Chrome extension), but overall I think it's a pretty good solution.

I like the fact that it builds upon reliable, solid blocks to provide a
solution: gnupg for encryption / decryption and git for synchronization
between machines / backup.

------
abandonliberty
The issue described in the linked article is a vulnerability where credentials
set to reprompt for use still autofill into fields on the page.

This doesn't seem like intended behavior and I'm surprised it hasn't been
fixed yet.

In any case, couldn't you avoid it by simply turning off the autofill function
as well for that credential? Then in order to access the site you would need
to go through the menu and reprompt.

Update: The other weaknesses addressed in the following have been resolved in
my chrome instance of lastpass
[https://news.ycombinator.com/item?id=6622154](https://news.ycombinator.com/item?id=6622154)

------
smacktoward
I do it like this:

- Password database in KeePass (the mainline version, not KeePassX or one of
the other spinoffs)

- Database requires both password and key file to unlock

- Key file only lives on a USB thumb drive, which lives on the keychain in my
pocket

- Database lives in a folder that is auto-synced to my various devices via
SpiderOak ([https://spideroak.com/](https://spideroak.com/))

- Password autofill provided by KeeFox
([http://keefox.org/](http://keefox.org/))

Using a password and a key file provides a "kinda sorta 2FA" solution, since
the key file is tied to a physical artifact (the thumb drive, "something I
have") while the password provides "something I know." It's not perfect,
however, since the key file could theoretically be separated from the thumb
drive if someone got ahold of it.

A better 2FA solution would be one that incorporates a key that's completely
tied to the physical token. However, I haven't found a great consumer-oriented
product along those lines yet, despite much looking. The YubiKey is the
closest, but after buying two of them and spending hours fighting with them, I
eventually gave up trying to make them work; they force a choice between their
one-time-password (OATH) implementation, which is theoretically awesome but in
practice very finicky, and just using a static password stored on the key,
which isn't really any better than my USB stick solution.

I chose SpiderOak for syncing the database over alternatives like Dropbox,
primarily because SpiderOak appears to actually give a shit about security and
privacy. But it doesn't really matter that much because without both the
keyfile and the password they couldn't look into the database anyway.

I chose KeeFox for the browser integration primarily because it's well-
reviewed and open-source. But if you're concerned about the security of
autofill in the browser, you could omit it entirely and just copy the password
from the KeePass app when you need it. As always, the right balance of
security vs. convenience will vary from person to person.

~~~
pavel_lishin
What happens if you lose that USB thumb drive, or if it gets damaged?

~~~
samelawrence
I would guess there is a copy somewhere. Safety deposit box, etc.

------
hartator
You can use a easy trick to have a unique password for each website you need
to log in into:

1- Choose a common base ie. laroS-14

2- Take the two first characters of your login and slide one character back in
the alphabet ie. mylogin = lx

3- Take the two first characters of the websites and slide again one character
back in the alphabet ie. dropbox = cq

4- Concatenate 1-2-3 ie. laroS-14-lx-cq

Voilà! You now have unique combinations for each website/login. Of course,
change the rules to suit your habit and make it yours. It's stronger than
using an external service or software and you don't have to rely on
anything!

~~~
weavejester
> It's stronger than using an external service or a software

How do you figure? Your scheme clearly has less entropy than a randomly
generated string of the same length, and if an attacker learns two of your
passwords, then they know they only have four characters to brute force for
every other password you possess.

------
halayli
I use 1Password and very happy with it.

------
rafaqueque
Create a pattern in your head. Let me try to explain what I'm using.

1. Create a prefix that will be in every password, like: MniJ33 -- quite easy
to remember "My name is John, 33 years old".

2. Based on the service you want to use, apply that to the password as well,
like: Hnews

3. A suffix with some special chars is also nice, to make it more
complicated, like: #$%

The final result would be "MniJ33Hnews#$%". Better than giving your password
to anyone.

Edit: Forgot the numbers in the final result.

------
Someone1234
> However after noticing
> ([https://news.ycombinator.com/item?id=6621560](https://news.ycombinator.com/item?id=6621560))
> that LastPass' vault is easily broken into when open

So to use an analogy, you're unlocking your front door, showing a stranger
into your home, and then are upset because they can steal stuff once inside?

They've already defeated all of your security if they have complete
unrestricted access to your LastPass vault. The fact they can hit F12 and use
the developer bar to inspect the DOM or retrieve passwords from behind ######
is both expected and not a security issue.

> even with strict reprompt settings

That wasn't in your link. How do you bypass reprompt?

> I'm starting to trust their security model less and less.

Why? None of the reasons you've given are technically sound.

> I opened a support ticket about the obvious password breach detailed above,
> and they say it's an inevitable consequence of Chrome's broken security
> model in extensions.

It has nothing to do with Chrome's "security model." If you have completely
unrestricted access you have complete unrestricted access. End of.

You are literally accessing a UI that can display all of your passwords in
plain text and you're complaining because you can see your passwords in plain
text... Well, yeah...

> Well, if that model is broken, I don't want to use it.

You haven't explained how it is.

> I find it misleading that LastPass even offers a reprompt option, since it
> is so easy to retrieve passwords from the application when it is logged in,
> even if a reprompt is required.

Huh? Can you explain how you're able to bypass the reprompt prompt?

> Sure, it would slow down unsophisticated attackers, but you don't need to be
> that sophisticated to change the type of an input.

It shouldn't slow anyone! You're giving the attackers complete unrestricted
access to your password database. Nobody should be slowed, everyone should
have a complete overview.

> I have been trying to use it with very fast autologout policies but it very
> annoyingly asks for a password twice (once to login, once as a reprompt) as
> well as the Yubikey for every single site. The usability is garbage.

Then turn the reprompt off and just have it ask for login...

> What do you use and what do you like/dislike about it?

I use LastPass, but I'd consider something else if any of your complaints had
any technical credibility at all.

~~~
STRML
I think you're misunderstanding how you bypass the reprompt. LastPass has two
separate features - auto-logoff and reprompt, and you can tick a bunch of
boxes to decide which features you want reprompt for. I usually tick most of
them.

You can then set a reprompt delay (from 0 to 24 hours), and while still logged
in, you are reprompted at every interval when you try to use LastPass'
features. This is a nice alternative to simply having it log out at intervals
or log out when idle; some defense against a swiped computer or malicious
coworker, etc. Of course the usual rules apply and you should never leave your
computer unlocked but it is a nice feature.

I would expect that many LastPass users use the reprompt model instead of the
auto-logout model, as it allows you to use some nice features (like site/form
detection) that you wouldn't get when logged out. So the workflow with
reprompt is simply: go to a site, click the autofill button, get prompted &
type password, continue on. This is significantly easier than clicking the
extension button, deliberately logging in, waiting for decryption, then
clicking the autofill button.

Unfortunately, if you rely on reprompts and somebody does get a hold of your
computer, they can do some trickery with the inspector and lift your passwords
so long as you are still logged in. This makes the reprompt useless; may as
well not have it at all.

~~~
Someone1234
So your reason to drop LastPass is that you don't like their implementation of
an optional feature even though an alternative is readily available (auto-
logout)?

------
zaroth
I think you've hit on a really interesting limitation of end-user password
managers. They are really convenient in some cases, but they have crazy bad
failure modes, and they aren't always easier to use.

In this landscape, I would be highly paranoid about those kinds of
applications. They don't provide the level of protection I would really want
for that kind of sensitive data.

------
lost_name
I use KeePass these days. It appears to have plugins for browser integration
if that's the important thing.

I don't find it especially good or bad, but it does the job and it's all
stored locally -- I'm not concerned with accessing most accounts across
different machines.

[http://keepass.info/](http://keepass.info/)

------
julianz
The description of how to see the password in the linked HN comment doesn't
work as described - if it's set to reprompt then you have to enter the master
password before it ever gets to the detail form, so you can't just jump into
the dev console and make it display the password.

------
aosmith
I use KeePassX:

[http://www.keepassx.org/](http://www.keepassx.org/)

------
tytso
I use Yubikey but I don't keep any high security passwords stored in it. Those
I type by hand. It's annoying but as Scotty would say, "ye cannae change the
laws o' physics"!

------
BorisMelnik
I've been using Roboform for 7 years very surprised it isn't better
represented in here tbh. Cloud option or desktop option and does a really good
job of not invading your entire workspace.

------
paulrd
I've been using UPM
([http://upm.sourceforge.net/](http://upm.sourceforge.net/)) for quite a few
years. It's portable and full of great features.

------
rmurri
You could try [http://masterpasswordapp.com/](http://masterpasswordapp.com/).

I like its philosophy, even if some of the versions could use a bit more
polish.

------
mentat
Hiding shared passwords is a polite fiction. If you share the password, it's
accessible via many ways. (JS, stack intercept, network intercept, etc)

------
miohtama
I'm happy with KeePassX self-hosted in Dropbox

