Hacker News new | past | comments | ask | show | jobs | submit login
Even the LastPass Will Be Stolen (blackhat.com)
367 points by icadariu on Sept 14, 2015 | hide | past | web | favorite | 153 comments

It seems dubious that there is a real vulnerability here.

The authors talk a lot about how you can get everything if you compromise the client machine, but of course if you compromise the client you can compromise everything.

Just install a keylogger to get all typed passwords, send the decrypted hard drive image over the network and run it in a VM proxying network traffic via the compromised machine, no need for any targeted attack.

The fact that they focus on that rather than on an actual interesting attack makes me believe that there is no real vulnerability whatsoever.

"We also found how it is possible to abuse account recovery to ultimately obtain the encryption key for the vault" is really scary, but if it were accurate they would be talking solely about that, so maybe it's just a phishing attack.

Sounds like one of those "It rather involved being on the other side of this airtight hatchway"


There is an account recovery mechanism available to those with a LastPass extension that is or was logged in to the account in question. Dropbox is the same way - if you forget your Dropbox password you can use your logged-in copy to get an authenticated session and change your password.

It will be news if there's an account recovery mechanism that can be exploited by a total stranger without access to your copy of Chrome/FF.

You would expect that 2FA could be bypassed for the locally cached password database, since AFAIK there is no such thing as requiring an OTP to decrypt the ciphertext that you have, only to prove to a server that you know the TOTP secret.

Lastpass discloses that you can turn off 2FA for new logins by proving ownership of an email address. You can set a separate email address for this purpose, and I believe also turn it off.

The fact that it is still a central point of failure that contains the keys to the kingdom is worth noting.

It occurs to me as I write this that for most people compromising an email account would be just as disastrous, given how many services rely on a simple email for password recovery/resets.

> The fact that it is still a central point of failure that contains the keys to the kingdom is worth noting.

I think the difference between someone who uses a password-manager user, and the vast majority of people who don't, is that those who don't have HUNDREDS of points of failure that contain the keys to the kingdom, some completely insecure.

Hardly. "Keys to the kingdom" seems to imply that access to the key opens up a large number of other doors. That's the case for email (via password recovery) and password manager (via its function), but not for much else. E.g. while access to online banking is a catastrophe in its own right, it doesn't unlock many other accounts.

No, the point is, people without a password manager tend to use the same password for every account. So you steal the bank password, and it opens your email, facebook, and everything else. Hundreds of failure points. With a password manager, there is just one.

Human nature being what it is, a large fraction of password-manager users probably also reuse passwords, or nearly reuse them, which is nearly as bad. With the password manager being there for cases where some BOFH admin required two relatively-prime numbers, plus three non-adjacent capital letters, plus at least one special character that's not a star, plus a final character that's not a lower case letter, plus uniqueness with respect to your previous 100 passwords, plus a length of at least 12 characters, plus a change every 14 days.

Assuming that one stores top-tier passwords (banking, primary email) in the password manager. Which is to say, yeah, 99.9% of users.

Which would be fine it more banks used a two tier approach to bank operations. Checking the balance? Username and password should suffice. Making a transaction? SMS token or matrix card or RSA key, all seem fine.

One of my banks (BCR Romania) requires a login with a token for initial access (just seeing stuff, or transfers between one's own accounts) and another token OTP, based on the amount and the last four digits of the destination account, for transfers to someone else.

Royal Bank of Scotland and First Direct use a 2FA device that is authenticated first with your bank card pin (3FA?)

All the devices are the same (across customers and banks), so your card is the second factor, the device is just a reader for it.

I've decided to start doing that (banking at least, not yet primary email), since remembering many high-security passwords is hard, and my bank has 2FA anyway. A keylogger could easily get at all of my passwords anyway, so that doesn't make the threat any worse.

My email account is safe, with 2FA it's doubtful you could access it. My phone in the other hand, is often easily accessible, his password can potentially be broken by looking at grease on it or simply waiting that I unlock it once (which I do really often) to memorize it.

And yet it may be interesting to compare it to competing password managers such as iCloud Keychain. Is it less vulnerable to "master password decryption" part of this attack due to its deeper OS integration?

Not that it doesn't have its own vulnerabilities.[1] But perhaps those are more bugs (e.g. not enforcing sandboxes properly) than architectural weaknesses.

[1] http://arstechnica.com/security/2015/06/serious-os-x-and-ios...

I agree. It doesn't sound so much like an actual vulnerability in Lastpass as much as it is a reminder of how crypto works.

Not everything, my 2FA wouldn't be compromised and if I'm lucky, I would find the keylogger before using the passwords I use less often (bank accounts, servers key passwords, etc...). Personally I would like some sort of hardware password manager, it could even take care of my private keys. Hackaday tried to build something similar but it was too expensive and too bulky.

So it's the old story that desktop operating systems lack process/application separation aka sandboxing.

I prefer hardware separation: just use old smartphone, without connection to internet, as password vault. No connection — no risk of stealing (except physical stealing, of course, so use _old_ ugly smartphone, e.g. with broken screen).

Keep your important passwords encrypted with GPG on flash card, with backup on an another flash card. Regular GPG works flawlessly in terminal. Small shell script, which will ask for password and site name to display site password(s), will do the job on any Linux-compatible smartphone.

This would be really painful. Many of my passwords are more than 20 characters all over the keyboard, and I probably fill in passwords 20 times per day.

Instead, I just use KeePass, which I protect with an offline SSH key as well as a strong password. In order to compromise my passwords, you'd need my KeePass database, access to one of my devices (laptop, desktop, but not phone), and my password.

I think you are right. I am sorry to say I have fallen prey to this flawed argument. I need to migrate to LastPass something I am not happy with and have been stopped a few times because of articles like this one. I'll ascribe it to a lazy approach to evaluating what is being said.

LastPass is pretty sweet. It even has a CLI widget that deploy scripts like Fabric can use to check out credentials and log into remote servers.

What do you mean by >run it in a VM proxying network traffic via the compromised machine?

Yes, of course if your live machine is owned you lose.

However, this means you can potentially recover vaults from unattended / stolen / lost / unwiped hard drives, phones etc.

Only if they told the browser plugin to "store my master password." That shouldn't surprise anyone -- if the master password is stored somewhere that the plugin can read it without any additional decryption keys, so can an attacker.

I guess you could setup two factor auth. locally without a third party...

Full Disclosure. I am a former LastPass employee.

This guy's research, and most research regarding password managers is way overblown. Every lp product has a big popup that says "WHAT YOU ARE DOING IS INSECURE" when you click "Remember Password". Having secure defaults are something they are very mindful of.

All password managers are toast if you have someone else on your box. It's baked in to the threat model.

Doesn't LastPass encourage you to install their browser plugin though?


And this is the popup that plugin gives you when you click the button to save the master password: http://i.imgur.com/s0FgRhI.jpg

That's actually quite poor ux design.

Alerts confirming things happen all the time and so users have been trained to click yes to make things work. I'd suspect only 20% might actually read that sentence and even less will understand what it means and why.

Instead that login screen should change and have large, clear text and iconography that violates expectations and thus forces users to read. Having buttons that explain like "make less secure" makes it more likely to be understood than "yes" "no."

Yeah but if you give the user the choice between convenience and security, they're almost always gonna chose convenience.

How often do you type your master password? You only need to be compromised for the average time between each typing of that password. I have plenty of password that I rarely type more than once a month (my bank account is a good example). A master password though would be typed way more often.

Sadly (?), it may be reasonable for password managers to not even offer that option because of technically-invalid PR fiascos like this one -- people are just going to stop using password managers otherwise.

An user moving to LastPass (or any password manager) is exponentially safer than before, even if they choose to save the master password on their local computer. If there's a subset of users who would drop LastPass if the password couldn't be saved, that would be a shame, as they're much better off this way.

Yeah, 1password doesn't let you save the master password.

That's a different functionality. You can use the plugin and not save the master password. The plugin is more secure than the webapp anyway. You do the decryption/search completely on your machine.

> "The plugin is more secure than the webapp anyway"

Can you explain how this is correct? Because i use only webclient thinking that the plugins may be more vulnerable because other plugins may read what lp plug in does.

To use the webapp you have to send the master password over the network. So if that connection is captured in some way, your account is hacked. But extensions actually save the encrypted store locally - you can even access them offline (password is still required).

This is not correct. The extension and the webapp authenticate the same way, and neither send the master password over the network.

Criticism to using the webapp is generally JS crypto being broken. Code delivered every time coupled with the browser not being good place for crypto (any code can eat any other code..).

Extensions, being a separate program that lives mostly apart from the web pages your browser visits is slightly a more trustworthy environment

Interesting to hear lastpass actually employs javascript cryptography in their design. I would be interested in hearing the rationale behind this design decision considering the obvious risks that are being taken.

Oops, you're right. I was thinking of the mobile app, not browser extension. Brainfart :(

The mobile app does not authenticate by sending plaintext password to the server either.

I'm not sure how that relates to the point being made.

The insecurity comes from someone already having physical control of your machine, and if you had alowed saving of your master password (which Lastpass and anyone sane encourages against).

If Lastpass truly believed that warning, they wouldn't let users do it in the first place.

They give us the choice because it is ours to make. I personally prefer that model to the "do it our way or else" model.

Some people have poor memory and need a way to organise things. Not everyone uses lastpass just for security.

In fact LastPass didn't have it at first, but after dozens of impassioned pleas from people with disabilities we made the decision to add it with a very strong warning against using it.

LastPass Enterprise has a policy to disable it, which is recommended there.

It's probably worth noting, this exploit requires the user to save their master password locally.

While it's not obvious from the blackhat blurb, it's stated by the author in their more detailed blog post [1]

Additionally, this behavior is something that LastPass advises against:

"Are you sure you want to have LastPass remember your password? This will significantly decrease the security of your LastPass account!"

[1] http://www.martinvigo.com/a-look-into-lastpass/

Sounds rather dicey, considering that the attack apparently depends on both the user using the "store master password" option, and the attacker having admin/root access to the user's computer. At that point, you might as well just install a keylogger, browser snooper, etc.

I don't think this makes any progress on any of the real nightmare scenarios, like a bulk breach of LastPass servers plus some critical mistake allowing the master passwords to be cracked en-mass in less than a multi-decade timespan, or even a vulnerability allowing somebody capable of intercepting the traffic between a device and the LastPass server to get master password or cleartext vault data.

Hmmm, I agree, based on what they claim, the above is not an "exploit", it is more like "I forgot my master password, and I am admin, how do I get my password back"

Like this: https://apple.stackexchange.com/questions/56130/how-to-retri...

So yes, if you gain root access on someone's machine, you can do nasty stuff. That is not really news.

Blog post about the sploit here from the authors: https://news.ycombinator.com/item?id=10217551

From above link: "Our attack only covers users that click the “Store my password” option though so, don’t store your master password!"

That seems a rather important detail. Thanks for the link.

> "Our attack only covers users that click the “Store my password” option though so, don’t store your master password!"

> That seems a rather important detail.

It's also against LastPass's best practices. When you click that button (Remember my password) you get this:

"Are you sure you want to have LastPass remember your password? This will significantly decrease the security of your LastPass account!"

This has me breathing a sigh of relief. That said, why is this even an option??

Can this be a problem on mobile?

I have a long master passphrase - too long to type on a touchscreen keyboard in any convenient amount of time and where there's a non-trivial risk that somebody peering over my shoulder (think - using it on the bus) could spy it. So in that case I resort to using the fingerprint-unlock feature (which I assume is the security equivalent of 'save master passphrase' or at least token).

I am aware that this might open me up to other attacks - an adversary dusting my fingerprints off my tablet, etc. Curious though as to whether this is an attack vector for the same or a similar type of process to what the authors are describing (haven't read their blog post, just the Black Hat description).

Fingerprint unlock on iOS puts something equivalent to the master password in the iOS keychain for 1password. Only when your fingerprint is verified does the 1password app get it.

So at the very least you still have your passwords kept in a relatively secure keychain manager and not inside the app stored in plain text of some sort.

About iOS fingerprint- while a judge can not compel you to type in a password, I have heard that they can compel you to swipe your fingerprint. Something to consider when deciding whether to enable fingerprint access to your smart phone login or other sensitive credentials (e.g. Password manager keychain credentials).


(Fwiw - I use LP, no master password saved, no iOS finger print access)

I wish there was a way to combine a simple 4-6 digit pin with fingerprint, it'd certainly make an attack on a physical device more cumbersome, especially if the rejection happened after the TouchID so the error was obfuscated on what failed.

Your fingerprints are already on the phone, they don't need to ask. After getting access to the phone owner accounts and data they can use other investigation methods to get proofs that can be used in a trial. Tl;dr, fingerprints are a password replacement only against people that can't read them.

I do the same thing.

The rationale I use personally is that the master password might be stored in a retrievable format on my phone, but the phone itself is encrypted (iOS 8). And the convenience factor is strong enough (it's really convenient!) that I'm not discouraged from using strong passwords like I otherwise might be.

Unless someone sneakily borrows my phone and fingers while I'm sleeping, I don't think I'm at much risk.

iOS has pretty restrictive sandboxing; it's unlikely that an attacker could get at LastPass's data without root and unlikely that an attacker could get root in your iPhone in the first place.

It could, however, mean that your master password is in a cleartext or Apple-recoverable iTunes (local) or iCloud backup of your phone.

I save my LastPass master password on my home computer, which I never log out of. (It's not a laptop, so it never leaves my office.)

If an attacker is already physically in my office then I've got bigger problems.

Same thing.

I'm using Linux and my /home directory is encrypted. My laptop automatically logs out after a pretty short inactivity (2 minutes, unless I'm using certain apps like VLC in which case, it logs out after half an hour) essentially locking the access to my /home directory.

With that being said, having to type in my master password over and over again seems like a bit of an overkill.

Because if people are required to type in a complex password every time they use LP, then people will choose short simple passwords. It's a tradeoff between security and ease-of-use.

Possibly flippant response: because if the user doesn't want to keep rekeying their password, they should not be forced to.

Reading that, it looks like the master password retrieval relies on you using the 'store password' feature, which means anyone with access to the local machine would have access to your vault anyway. Obviously such a feature will reduce security, although you wouldn't necessarily expect it to make the password itself retrievable.

This was also somewhat reassuring:

"As always, we made a responsible disclosure to LastPass. I want to stress how easy it was to work with the security team. The where very responsive and worked on fixing the issues we reported immediately. They also followed up with us from time to time and asked for our thoughts on every fix. It was a real pleasure to work with team!"

A google search did not return meaningful results, so pardon the dumb question: What does the store password feature does exactly? Is that a way to remember the password like usual browsers do? I use 1Password and I don't think it has this feature?

This is the feature to store the master password, so you don't have to type it in each time; you can just log into Lastpass automatically on that device. (Not a great feature for security!)

Yeah I got that reading the full post by the researchers. I am surprised it's even offered.

That's from 2014, though. I would imagine what they are going to present is more current research?

I use 1Password. To my non-security-expert eyes, the two weakest spots in how I use 1Password are: (a) The plugin I use on the browser, (b) The fact that I use Dropbox to sync the password keychain.

I can maybe move the keychain to an encfs encrypted folder in Dropbox. Then, I won't be able to use 1Password mobile app. And for the plugin, perhaps I can disable the plugin and copy-paste the password directly from the app.

Would love to get others' feedback. UPDATE: It appears I can combine sync through encfs folder and manual sync through phone to achieve sync on all devices.

The 1password keychain is of course encrypted[1] (I think[3] that dropbox syncing uses the older agile keychain format?). I personally sync my 1password keychain with icloud. Apple claims[2] that iCloud data is encrypted during transfer, as well as encrypted at rest. If I was more concerned about that aspect of it, I would probably just sync with wifi.

I do not use the browser plugin (personal preference).

[1]: https://support.1password.com/opvault-overview/

[2]: https://support.apple.com/en-us/HT202303

[3]: https://support.1password.com/switch-to-opvault/

Yeah, the keychain is obviously encrypted, but I still feel uneasy about it being naked on Dropbox. The reason I'm leaning towards using encfs + Dropbox vs iCloud is that although I definitely trust Apple more with my data (compared to Dropbox), I feel that an encryption controlled by me at client side will be safer.

The 1password keychain is encrypted locally before being transferred to Dropbox.

https://defuse.ca/audits/encfs.htm is an EncFS security audit, that didn't come out too clean. If you install encfs on debian it pops up a warning screen telling you to not use it for anything too sensitive atm.

Yeah, I'm aware of some of those security issues (I understand that it can't help me if I am targeted. But, I may be safe in broad hack attempts). However, I just don't have any solution that has the convenience & stability of Dropbox + encfs. What do you use for syncing docs securely?

Genuinely wondering, which part of 1Password's encryption don't you trust? Or is it about metadata leakage?

The weakest spot against targeted attacks is probably the fact that a 0-day in your browser compromises everything.

I dropped all plugins. I open the app each time I need a password. Slightly inconvenient, especially at presentations where I had to type the master password and noticed attendees dripping off since it was too long, but this is a situation I am not keen on optimizing on.

Thanks! I also disabled the plugin. As 1Password asks for my password every few hours anyway (I lock the screen every time I leave the desk), hopefully it won't be as inconvenient as I originally thought.

Actually mine asks for it on every occasion almost. I know it sounds silly, but I type my master password with lightening speed now so. :D

You can sync through WiFi and it's pretty painless. A computer serves as a WiFi server and then mobile devices (or other computers) sync off that when they are on the same network.

This attack appears to require compromise of the client machine running LastPass. If the target were not using a password manager, it would be relatively simple to use the same vector to deliver a keystroke logger, so it's unclear that there is an actual security disadvantage here.

I'd say mainly that you don't have to wait around for the user to go to the sites you are interested and look for passwords in a long string of keys.

True, but this is sort of academic when we're talking about protecting secrets on an already compromised machine.

I don't think this is a reason to not use LastPass.

There are some scenarios in which compromising a machine once is much easier. A lost device is one example. Installing a keylogger won't provide any value there, but if this exploit can recover the Lastpass master password and disable 2FA authentication (if enabled), then they will have access to the entire vault.

Agreed. I use lastpass and don't plan on stopping unless something major (that isn't fixed quickly) comes out.

Any popular password manager, especially an online one, is likely to be compromised. Security has to make a successful attack more expensive than the target is worth. How much is all data in all accounts of an online password manager worth? That is a very attractive target, and generally in IT it is much cheaper to attack than to deend.

I doubt any password manager vendor has the resources necessary to truly protect their users. At least, if you are not paying top dollar for security, don't expect much.

My biggest issue with LastPass is that they force you to have the _same_ password for your online account and as the master password for your vault.

To have a secure master password, you do not want to be using it to login to their website, because now you are blindly hoping they aren't having it logged somewhere or retained in memory that can be dumped.

I used to just let Chrome remember everything, but then jumped on the LastPass bandwagon after Heartbleed last year.

I've been happy with it. The mobile app works well and it is very convenient. I just can't help but to have this nagging feeling since all their salts were exposed, I am really no (or not very much) "safer" than if I let Chrome remember them. If someone gets on my machine and knows what they're doing it is probably all over anyway, right? (And no, I dont let LastPass remember master PW, and I do use a system-level password so you cant easily see them in chrome://settings/passwords unless you have that to...) So the question is who do you trust more to protect the credentials that are synced to the cloud: Google or Lastpass? I don't know the best answer, all things considered (local and on the network). I would guess Google is a much harder target than LastPass.

I trust LastPass for 3 reasons:

1) LastPass has a history of taking ownership of vulnerabilities and taking appropriate measures. They do this publicly and provide a level of detail that demonstrates their expertise[1].

2) They're working under the same constraints as Google with the same caliber of engineering strength.

3) Most importantly, their business depends on delivering a secure product. It's in their best interest to continue providing a secure product.

[1] https://blog.lastpass.com/2015/06/lastpass-security-notice.h...

It isn't that I don't trust LastPass the company. It is that I'm no longer sure if the entire model of the product/service offers enough additional (or comparable) security over what Chrome offers, wrt to the syncing of encrypted credentials to the cloud.

If your're only considering vulnerabilities that pertain to that, I would think native Chrome has an inherent security advantage over a Chrome plugin. I am happy to be wrong about this, though.

Edit/Addition: While I give them props for the full disclosure about the salts being exposed, we don't have any evidence that this has ever happened to Google, so setting everything else aside, we already know for certain LastPass has been exploited in a way we don't have any evidence that Google has. That's not intended to be a slight on LastPass or praise for Google, just that, "it is what it is."

I use http://www.passwordstore.org/ without any plugins. I imagine this has to be pretty rock solid.

I wish it offered using symmetric crypto - so I won't have to find ways to secure a GPG key...

Yes, I also use pass with a GPG-encrypted password store, synced to private git repositories.

I posted this last week [0] but got no traction. Nothing to worry about, but it is the same exact URL and I thought HN was deduplicating entries. Isn't that the case?

[0] https://news.ycombinator.com/item?id=10202196

Edit: added link

One thing I found out (well, actually, just asked them) last year is this[0].

Basically, even though they are claiming not to send your password to the server, if you open their security check:

> Once the master password is entered on the security check page, it decrypts your data (login and passwords) and send the length and character to our server for analysis then send you the result.

So, practically, they're not sending your passwords per se, but they are sending the length and characters used?

[0] https://lastpass.com/my.php?token=T1KUZTUH78P7&lpnorefresh=1

Only when you perform a security check about the passwords you storesñ

Well, that sounds bad.

At least they apparently need access to a local machine. Would be a lot more concerned if a random hacker on the internet could break into anyone's vault. Still obviously not great though!

> At least they apparently need access to a local machine.

In addition to everyone in the building, the individuals in your IT department have access to your work machine, and can install key loggers easily. It may even be SOP at some places.

I am my IT department, and the only other individuals in my building are my family. ;) But in general I agree: local-only exploits are still a significant concern. (Just not as bad as remote ones.)

After reviewing this service for password sharing among coworkers (yes it it still necessary for a few parts on a server) I have big doubt in security of Lastpass. Turning on 2FA did not worked most of the times and user experience without their browser plugin is very bad. So I analyzed their page sourcecode and saw everywhere PHP which was also failing sometimes (see the 2FA). Sorry but I will never give trust to a password manager written in PHP (no offense against PHP, but please not for my 100% secure passwords!)

Full Disclosure: I work at LastPass.

> "Turning on 2FA did not worked most of the times"

If you have a security issue here we'd appreciate a report at https://lastpass.com/security/ that said every report of this has always been a case of someone not reading the manual or FAQs so please checkout https://lastpass.com/support.php?cmd=showfaq&id=2775 first.

> "Sorry but I will never give trust to a password manager written in PHP"

The password manager is actually written in C++,Objective-C,Java,C# and JavaScript -- depending on platform. You seem to be focused on our website however (which only handles encrypted data with a key never get) which is written in Hack: http://hacklang.org/ actually, not PHP.

Regarding the user experience being less without extensions installed -- yes, that's true, we highly encourage installing those -- the extension-less access should really be used for emergencies only -- it's safer to login to the extensions since it's not relying on JavaScript you just downloaded, it's always preferred.

Big thanks for clarifying! But it seems I'm not the main target audience because I do not want to use Lastpass for all my passwords (personal preference) and I also do not want to force coworkers to use browser plugins just for exchanging passwords once in a while.

Understood -- you may want to consider a combination open source command line version + mobile + mac apps:


If your coworkers aren't using something they're likely reusing company passwords, which is one of the key reasons to force using the extensions.

Sooooo... what's a good recommendation for an "offline" password manager (ie: one that connects via USB and requires physical input to "paste" the password)

There is Password Safe, which has a few third party implementations. I believe they have Yubikey integration.

Keepassx is cross platform, and supports keyfiles, which could be installed on removable media.

Based on a paper I saw a few months ago, Password Safe's crypto looked to be better implemented.

I use "pass": http://www.passwordstore.org/

Everything in GPG-encrypted files, in a git repo that I sync with my server. The GPG key is kept unlocked for an hour or so with gpg-agent, meaning I only type my key password a few times a day.

All passwords copied and pasted from the shell, though I use Conkeror so there's no reason I couldn't write a little bit of integration to have the passwords pasted directly into the web forms.

I do the same here, though I have not pushed my keys to anywhere external just yet and I do not have my gpg kept unlocked for very long.

I keep the repo sync'd between two computers, and have even cloned it to my Android phone, but I haven't yet summoned the guts to actually put my PGP key on my phone so I can access my passwords there.

I've posted this before, but as the subject keeps coming up:

    (defun cc () "Secrets File" (interactive) (find-file "/home/ajross/.cc.gpg"))
Launch with "M-x cc" and edit/copy as needed. Your Linux distro's GPG integration is going to cache the credentials appropriately even if you delete the buffer (which I usually do just out of irrational paranoia), so you can use a nice long pass phrase without hassle.


Password Safe has (or had) Bruce Schneier's recommendation, for what that's worth. I think he helped design the original version, years ago.

However, I think the key question is, what are you protecting? I doubt Schneier would recommend Password Safe, for example, for nuclear launch codes, but maybe your email password (depending on what's in your email).

Keepass and variants have served me well (as far as I know...)

1Password is available on OSX/iOS/Android/Win, but isn't available on desktop Linux. You can sync it with your phone over local wifi connections.

It's not as secure as a pure-usb connection, but might be worth considering.

Not exactly offline, but if you have a spare clean android device with internet access and a camera, you could use the app/website I created, https://throwpass.com .

It allows you to send your password from your android device to any computer with a browser. It encrypts the password end to end with a public key generated in the browser and distributed to the device via qr code.

Password manager file format comparison: https://news.ycombinator.com/item?id=9727522

According to this paper Password Safe is the best. But really bad it is mainly for Windows and only expensive 3rd party OS X client. So I'm stuck with KeepassX (btw. 2.0 beta 2 was recently released)

That paper is pretty old now. If I remember right, it covered 1Password version 2. It's at version 5 now and it handles things different from before.

Keepass or Password Safe

KeePass, password-store

I suggest Enpass: http://www.enpass.io/


There is always a security cost for convenience.

Personally, I use a password manager that doesn't directly integrate with any browsers or plugins. While the crypto protecting most vault files is imperfect, there are mitigations that can lower that risk. I can't mitigate risks from third party plugins.

Some of what 1password provides is a synergy of security and convenience.

1password's browser integration can save you from phishing, because it can tell g00gle.com from google.com every time and not offer to fill in your google.com login, whereas if you're used to just copying from your password manager, you have to make sure not to mess that up.

Lack of convenience means manual work, which means chance for error. This is the same reason we recommend coding using trustworthy high-level crypto constructs instead of implementing it yourself; it's more convenient and harder to mess up.

LastPass offers 2 options in the Chrome extension to help mitigate the issue if you enable remember your master password:

1) Automatically Log out when all browsers are closed and Chrome has been closed for (mins)

2) Automatically Log out after idle (mins)

I literally switched to using LastPass for everything over the past four hours after meaning to do so for years. I can't believe this.

Don't use the browser plugin "Store My Password" functionality and you're fine. They offer the feature as a tradeoff: lose some security in exchange for convenience. It's very plain and always has been that the master password is the "key to the kingdom" and the only place it should exist is in your head. Anywhere else and you've opened yourself up to attack of those secondary locations - your wallet, your home, your spouse, your browser, your phone, etc. Evaluate for yourself which of these you think is secure and which isn't.

LastPass is so much of a win for the average user that even with this feature enabled, you are still better off than using the same username/password for every website which is the norm. This thread will be full of people recommending alternatives and there will be solid choices. I will keep using and recommending LastPass.

Well that's bad timing but really, this sort of news is a good thing. No software is perfect and now they can improve upon these findings. Password Managers are still a very valid technology. Better then Firefox/Chromes integrated plain text login stores or using the same password everywhere.

Though, IMO, a password manager which uploads all your password onto a central location with thousands upon thousands of other peoples password is just a really damn stupid idea to begin with.. Even if it's encrypted or whatever.

Read some other comments. It is only if you check the store password option and lastpass has been very responsive in fixing the issues since they disclosed them privately.

Mine was the first comment on this post; I did read the discussion that followed and it was a huge relief.

Well on the bright side I think you can export your lastpass account to something better, like 1pass.

Actually I'd rather use lastpass after they fix the issues than 1pass now. Lastpass just got a serious security review. For all we know 1pass has just as many issues.

I used 1password before, but several times I lost access to all my passwords after upgrading the software. On the bright side, I was always able to restore access to it by manually downloading 1password and reinstalling 1password. Besides, 1password does not officially support Linux. That's why I wanted to try Lastpass. I also find the yubikey support interesting.

Well, I guess, it's time to reinstall keepass2 again.

A really cool feature I love about 1Password is that you can open up the `agilekeychain` file in a web browser and unlock it to view your passwords right there without the application. [0]

One of the few unique passwords I remember myself is that of Dropbox, so I'm always able to access my passwords this way from anywhere that has a web browser.

I don't know if this would have helped your particular situation (not sure if you can export from this stripped down interface), but it gives me peace of mind that if the software itself ceased to function, my passwords would still be accessible.

[0] https://support.1password.com/guides/mac/1passwordanywhere.h...

1pass likely has similar problems (if you are talking about 1password)

Why is the latter better?

A password manager would be the perfect application for a smartwatch.

What I try to do is use LastPass for unimportant passwords and just remember unique but memorable passwords for important sites, like my bank's.

But nowadays this is pretty tough in general.

We're going to be actively encouraging our enterprise clients to use Logrr (http://logrr.com/) to eliminate their password completely in favor of on device cryptography. It's the only way to avoid the vulnerability of password's entirely that I've seen.

The How does it work section of their website doesn't explain how it works and the FAQs are empty. How did you get enough information about their technology?

Met them in person - I'm sure they'll update the website at some point, they're working hand in hand with their customers right now so I think marketing materials are probably falling a bit to the wayside. It's really quite something.

Why don't people use KeePass ?

I do. It's less convenient, but I feel more secure.

black page with white text...WHY?? *headache

javascript:(%28function%28%29%7Bwindow.baseUrl%3D%27 https%3A//www.readability.com%27%3Bwindow.readabilityToken %3D%27%27%3Bvar s%3Ddocument.createElement%28%27script %27%29%3Bs.setAttribute%28%27type%27%2C%27text/javascript %27%29%3Bs.setAttribute%28%27charset%27%2C%27UTF-8 %27%29%3Bs.setAttribute%28%27src%27%2CbaseUrl%2B %27/bookmarklet/read.js%27%29%3B document.documentElement.appendChild%28s%29%3B%7D%29%28%29)

Make a bookmark out of that (all on one line, newlines added to not kill page formatting), toss it in your browser's bookmarks bar, and click to convert. It's crazy awesome.

You need to drop the space after the 'script' element up there, but otherwise this is a great little tool. Thanks!

Is this vulnerability in 1Password too?

That's why your passwords root should lie somewhere in the basement in the form of printed QR-code. In hopes that it will never be needed.

well then...

Well that sucks.

That is really big news, it also allows me to go find my friend and claim my $20 from our bet that his password manager of choice would succumb to an attack within 5 years that renders it more dangerous than not having it...

> We also found how it is possible to abuse account recovery to ultimately obtain the encryption key for the vault.

If a 3rd party can help recover your information, your information is not secure because account recovery can typically be bypassed by social engineering.


Someone posted the blog outlying more details:

>With all this information, we where finally able to obtain master passwords in cleartext. Woo hoo! Our attack only covers users that click the “Store my password” option though so, don’t store your master password!

So it's hackable, but only if you're an idiot who stores your master password or sets your password reminder to contain your password.

Seems my bet with my friend wages on. I'll probably be out $20 by the years' end.

> renders it more dangerous than not having it

If I were your friend, I would tell you that this is still dubious owing to the fact that without it, many people might use very weak passwords that never change. You gotta weigh that and the vulnerability it presents for large-scale remote attacks/leaks, against the likelihood of these guys getting local access to your machine (i think?) for this exploit.

Please allow me to elaborate a bit.

Storing multiple passwords within a single master password means your security is only ever as strong as your master password is safe. Literally "putting all your eggs into one basket". Same with centralized email. One should separate accounts by email such that if a single email is compromised - not every account is compromised.

My argument (and practice) is to have individual emails for individual accounts. Using a dice selection method [0] they'll be as secure as any individual master password. The issue is burden of memory.

The argument in favor of password managers is that they relieve the user of burden of memory by exchanging a small chunk of security for a large chunk of convenience. Which is why I use a password manager.

The actual bet however is that somewhere in the implementation of password managers there will be found something that is so insecure it allows someone to "seize the basket" and more or less make the trade-off go from a "small chunk of security" to "all security". Specifically, any PM that doesn't require the device being compromised; though physical access is fine. (Physical access allows memory attacks but the device itself is not yet compromised.)

I hope that helped give my position some more nuance.

[0] http://world.std.com/~reinhold/diceware.html

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact