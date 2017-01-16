Hacker News new | comments | show | ask | jobs | submit login
PSA: LastPass Does Not Encrypt Everything in Your Vault (hackernoon.com)
106 points by kobayashi 1 hour ago | hide | past | web | 89 comments | favorite





I think this is NOT the case.

You are looking at intermediate data of what's stored in your decrypted blob. Yes, some things are encrypted twice in the Lastpass vault.

The contents considered "unencrypted" by the blog post are actually only accessible after your private key has been provided.

"How can Lastpass show me the Google logo?" It's shown by your Lastpass Extension, after your vault has been decrypted with your password. It's the same reason that Lastpass can show you the password saved for Google!

Notice that request has an unencrypted folder name, "Email." Those folder names are only accessible after the decryption of the entire vault.

URLs are encrypted. LastPass does not know your URLs.

I noticed the article does not include the destination URL for this request, only the parameters. So I can't make a determination as to why this request was made and who the destination server is.

I just tried adding a new site to the "Email" folder, and no requests to remote servers showed up in my Network tab.

IF the LastPass extension really does make a call to lastpass.com with this information, then, yes, there is a possibility that Lastpass can track these hashes in some separate store. But that doesn't mean that the encrypted vault blob has the unencrypted data as claimed.

Back to the Metadata problem. Here's how this information could be weaponized:

NSA: LastPass, we suspect that John Smith uses your service. Give us access to John Smith's password database.

LastPass: We cannot, all of John's usernames and passwords are encrypted and we ourselves don't have the key.

NSA: Alright, then, give us the websites for which John Smith's database has credentials for, and we'll subpoena each website of interest individually.

If John Smith has known email address JohnSmith@gmail.com, it is probably safe to assume that the email is the login for at least some of the websites of interest, and can then ask each website for info on that particular user.

Your tin foil hat is on a bit too tight.

    1.
The NSA already has that data they have your home address (this is public) and can see you connect to gmail servers at times you are normally home for. We've already seen evidence this is well within the NSA's capabilities based on the Dread Pirate Robert's trial.

    2.
LastPass's RNG is closed source so if your threat model includes the NSA you've already lost as it is very reasonable the NSA knows every password LastPass could ever generate for you.

    3.
LastPass's encryption/decryption is ALSO closed source so there is no reason the NSA can't just subpoena them to update your client with a faulty crypto.

    4.
LastPass Apps/Browser phone home once unlocked. If subpoena by the NSA they can steal your password there.

Seriously if you have a threat model that includes the NSA you've already lost.

DPR had terrible OPSEC. We should all learn from his failures.

You are completely correct that any threat model that includes direct attention from the NSA is insurmountable. Even highly skilled targets like OBL are eventually defeated.

Maybe. But this would also work for any local yokel law enforcement organization. It doesn't have to be the NSA. It could be the Mayberry PD.

Is there is any proof that the "Concerned LastPass User" who wrote this isn't just the creator of BitWarden?

I normally don't assume astroturfing without concrete evidence, but there is no information in the post that explains why the author is anonymous and the creator of BitWarden has previously made comments without disclosing their affiliation (https://news.ycombinator.com/item?id=12754396).

Does it matter? If the claim is true, then it's a serious problem. If it's untrue, then the article is wrong. Neither one is changed if the author is a particular person.

> Does it matter?

Yes, as this seems to be an initial marketing attempt by Kyle Spearrin (the creator of Bitwarden) to unveil his own LastPass alternative while simultaneous making LastPass seem untrustworthy. Regardless of whether the issue detailed in this article is true, the following timeline cannot be ignored:

1. Bitwarden.com was registered on Nov. 16, 2015

2. The initial commit to bitwarden/core was on Dec. 8, 2015

3. Release v1.3.0 of Bitwarden is issued on Jan 16, 2017

4. A quick fix release v1.3.1 is issued on Jan 17, 2017

5. Bitwarden.com gains an SSL certificate on Jan. 17, 2017

6. This article arrives touting an unknown LastPass alternative on Jan. 18, 2017

Suspicious? I am. Especially since Kyle is the only contributor to the project, as well.

I don't see how any of that makes it matter. Given that timeline, what difference does it make whether 6 is a coincidence or written by Mr. Spearrin?

It matters a little bit since, if the thing does happen to be written by someone affiliated with Bitwarden, you have a good reason to avoid both LastPass and Bitwarden.

I really don't see how this is a "serious problem".

The only thing unencrypted is the site's domain name. Who cares? Site domains are public anyways.

Definitely two opinions on this matter, I suppose. But for me, I really don't care that they don't encrypt the domain names for the sites.

It's not just the domain name, it's the full URL. Which could contain embedded username, organizational and/or sensitive information.

FTA, which is clearly more than a domain name:

https://accounts.google.com/ServiceLogin

Metadata matters. The NSA revelations have shown this.

For a really simple example, I guess there are quite a few people with a pornhub account in their vault. I'd guess a significant portion of those users don't want that fact to become public.

Domain names are public, what should not be public is the set of domain names you have accounts for.

It's fine you don't care about these things. Are you also suggesting you would prefer to be oblivious to the security of your passwords? Are you also unable to see why other people would very much care about this issue?

LastPass is so buggy, I have a draft blog post that I'm going to publish some day listing the dozens of bugs I've found. It's still the least worse cross-platform password manager (with sharing and sync features) that I've tried.

Bitwarden looks interesting, but it doesn't seem to support team features, nor does it seem to have any documentation, or even an "about us" page.

I'd either need Bitwarden to take some money or be fully open source and I have to provide the cloud storage. Being "free" but still clearly costing them real operational money (even if not much) is not something I will plan on being there in 5 years.

I don't necessarily need LastPass to be there in 5 years, since I can export and recover what I need into another manager if I need to, but I personally don't want to go into something that is set up right now to not be there in 5 years.

This is not a permanent objection forever and ever, amen. If my objections go out of date, I'd consider at least trying it.

Hi there. I'm the lead developer of bitwarden. bitwarden is currently sponsored by the Microsoft BizSpark program which covers many of our operation costs and allows us to offer services for free to our users. We are working to introduce enterprise features for businesses in the future which will allow us to monetize. For now though, everything is free for users.

So I decided to email them about how they are funded and this was the response :

Let me know if you have any other questions.

Tell LastPass about the bugs you find. They seem to fix bugs pretty quickly once they find out about them.

he doesn't really have any, just a "draft blog post" that will be published "some day".

While I haven't used 1Password on Windows, it's come a long way in the last year or so, so that it's now a first-class cloud-based password manager with sharing, sync, and cross-platform clients, as well as the ability to belong to multiple organization-level accounts at a time (great for us serial entrepreneurs!). 1Password's Mac browser plugins actually communicate with the native client running in the background and doing the heavy lifting, which I think is a better security model as the plugins only need to worry about securing the localhost communications channel, rather than securing any data caches or doing any cryptography themselves. I've left LastPass entirely, and good riddance.

Do they have a Linux client now? I recently switch from 1Password TO Lastpass due to lack of a Linux client.

Unfortunately as of October it's not a priority for them: https://discussions.agilebits.com/discussion/66916/1password...

There is a somewhat limited functionality Lua script [0] that will decide the vault, limited but works.

Wine works too.

[0]: http://www.lucianofiandesio.com/1password-in-linux

Not yet which is a shame. I want to use the chrome extension when on my dev machine.

It functions well enough under wine. A native client would be lovely, but I gather they don't see it as a priority.

Wine is not an acceptable workaround for using 1Password. Either they write and release a Linux client, or I don't pay for their service.

I really want to love LastPass, I think all the pieces are in place, the UX is underwhelming though. We have been using it at the company for years, and I agree that it feels very rickety.

Can't even begin to count the # of times it lost a newly generated password, or it failed to swap the password for a website, or didn't immediately show a password I just created until I did a full refresh, or it has opaque rules about what can be shared with teammates. Would be great if they put more focus on getting the fundamentals right before expanding the feature set.

Just to clarify: You're talking about Lastpass here? For myself, Lastpass has just been an absolutely terrible user experience, with many of the issues you're talking about. I have this obscure ritual I have to go through when generating new site passwords -- like generate one in a new tab, then go manually "add site" and input the information -- because Lastpass can't get it together.

Thats exactly what I do for generating a new password.

LastPass always thinks I want to replace credentials for subdomain sites. all the time.

When I have a password saved for foo.com And then I try to save a password for bar.foo.com. LastPass, for all that is holy and good in the world, stop assuming I want to replace my password for foo.com damnit.

reply


Yeah, LastPass. I sometimes copy and paste the auto-generated password just in case it loses it. I've had many occasions where it would flat out drop it after I save the site and now I have to immediately password reset because the password is nowhere to be found.

Least worst? What are the issues with 1Password?

Pricing model

Lack of linux client (which I suspect are more likely to pay for a password management system)

Is there a Linux client now?

man, try 1password or enpass. The user experience across windows/osx/android/ios is so much better than last pass ever was for me, and they don't host my data. Linux support is iffy and unofficial at best though.

Lastpass is an atrocity to software. In almost a year using it (including its "Premium" version), I was unable to get their password change feature working and it was often unable to remember passwords properly. I would change the password, Lastpass would show the right password in its UI, then it would use the wrong one. This is the most basic feature of a password manager and it simply doesn't work. Their support, even for the paid version, might as well be a bot that just spits out random Lastpass "facts".

I see a ton of reviews all over the Internet claiming it's one of the best password managers, and I wonder if these reviewers and websites didn't just get paid some money to write a positive review without ever installing, let alone using the software. With the software being so shoddy, I would not trust my passwords to Lastpass even if they ended up fixing the UX. I ended up deleting my account and switching to Enpass which has worked flawlessly. On top of that, I don't have to trust Lastpass, or any shitty company like that, with my most valuable data and can sync it over WiFi, my NAS, and shared folders in addition to cloud providers (also works in Linux).

I don't see this as much of an issue personally. I don't ever store any identifying information in urls, so it's more of a convenience to have the logos for easy navigation.

I get that they say that everything is encrypted, but really it could be a lot worse. I definitely won't be switching password managers just because of this like some people are saying.

Its a pretty huge deal if you store passwords for websites that you don't want other people to know you even have an account for. Like, say, a dissident in a politically oppressed country having an account for the US immigrations website.

reply


Well, I'd love to use something other than Lastpass but there are no other password managers that are as well integrated into chrome and that sync seamlessly.

Keepass had tons of issues on the synch-side, merging incorrectly or just plain not syncing in addition to the android app being horrible to some extend. Additionally the chrome plugin is less well written, it's not bad but not as easy to access as lastpass.

1password is still not out on linux and I have no intention of using them until they bring out a linux client.

Bitwarden looks fishy to me (audit? pricing? funding? integration?).

If the only problem with Lastpass is that they sent out the URL of the site in cleartext over a HTTPS connection, fine, have it, there is clearly worse and it's something I'm willing to accept in exchange for one of the better password managers.

This is an issue that every password manager ever created would have if they requested information about what sites are being used.

Same information that your internet provider already has linked to your ISP and can be retired by a warrant or no warrant.

Have you seen enpass? It is basically a more polished version of Keepass. https://enpass.io

This doesn't seem like a terribly important information leak, but what gets me is that they obfuscated it by converting it to hex. Why do that?

On the one hand, it feels like they're being sneaky and trying to trick savvier users who might glance at the data to make sure it "looks encrypted". On the other hand, they have to have realized someone would notice eventually. Or maybe that's the point: if they obfuscated it well, someone would break it and they'd have egg on their faces. By just hiding it a little, they have plausible deniability that they weren't trying to obfuscate.

But any way you slice it, it seems weird.

Conversion to hex is probably to deal with characters that would require conversion if a part of the URL.

reply


It's probably just easier to convert it to hex rather than worry about escaping characters. I've done that before.

Yeah, good point, although URL escaping is particularly easy.

As someone who's worked in this domain, I found this very poorly handled. The obvious, privacy-conscious solution, would be to embed all logos in the client, but this can be unfeasible on the web, depending on the quantity of data. In practice, maybe sacrificing a couple of MB for a one time download isn't such a bad trade-off for privacy (and this will only happen for logged-in users who visit their vault).

However, if we want to trade off _some_, but not all privacy (in terms of what logins a vault contains), I can think of a naive obfuscation scheme where random domains are added to a login alongside the real one. Here's how that could work:

    Preprocessing
    * assign an order to the logos and hence numerical IDs
    * pick a hash function (URL / site name) => ID

    User adds a new login:
    * is the URL recognized (e.g. accounts.google.com) i.e. do we have a logo for it?
    * if yes, obtain its ID e.g. 1
    * get N more random IDs e.g. 14, 124, 144
    * save all of them as the login's metadata e.g. "logo_cache:1,14,124,144"

    User requests logins (and hence needs logos):
    * compute (and cache) the list of IDs of logos needed (M entries x N logo IDs each, deduped)
    * pack and send the logos (hopefully a much smaller subset than all logos)

Stupid question: why can't LastPass encrypt the URL as well and decrypt client-side to show the logo, like they do (as I understand it) with passwords?

They can, I don't see why they chose the current implementation over this one, somehow this small leak can let them build a database of browsing habits and target users who use x website...hmmm

reply


reply


It probably wouldn't be infeasible to send the client all the logos they have. The client could then pick them out with no server interaction. There's only going to be thousands of them, tops, and probably only hundreds. Hooray powerlaw.

This might be modestly annoyingly resource intensive for mobile, probably not an issue for desktops.

reply


that seems a better solution, but lastpass would still know that user_x is downloading the google.com logo.

reply


How? The logo image request goes to google.com then, and not Lastpass, right?

reply


reply


reply


LastPass needs to comment on this. It looks pretty bad.

reply


I got a license for 1Password Families in a Humble Bundle recently and have been seriously considering making the switch from LastPass. The LastPass Chrome extension gets disabled on me once or twice a week and has become a real annoyance. The only thing holding me back is the ongoing pricing for 1Password is 5x more than LastPass.

It's really weird that the URL parameter is encoded as hex. Is this some attempt to hide it, or just a lazy programmer not wanting to call an escape function?

reply


reply


KeePass, it's well supported on mobile platforms and has decent browser addons.

Looks like their Argon2/ChaCha20 based KDBX4 format is now out too, so I've got some upgrading to do.

KeePass doesn't have sync or sharing features.

reply


Sync is easily achievable, I use Syncthing to go between my phone, dev server and desktop. Other options are the usual suspects, Dropbox, BT Sync, etc.

As for sharing - yeah, you probably lose that. Well, unless you sync a separate DB or something.

You can easily use it in conjunction with drop box or any other file sync program.

it isn't difficult to share a database file for KeePass and you could easily set up a sync interface for it with github

Yes it does you just have to run your own server.

http://keepass.info/help/v2/sync.html

KeePassX - I've been using it for years now. I just put the database on my Dropbox. Quick, convenient, and most importantly for me, always in my own hands.

reply


reply


The article mentions https://bitwarden.com/. I haven't tried it but on a quick glance it seems to match most of your requirements.

I don't really trust "free" cloud services. Hosting has a cost, if they aren't charging to get that money, how else are they going about getting it?

reply


Hi, I am the lead developer of bitwarden. bitwarden is currently sponsored by the Microsoft BizSpark program which covers many of our operation costs and allows us to offer services for free to our users. We are working to introduce enterprise features for businesses in the future which will allow us to monetize. For now though, everything is free for users.

Indeed. There Is Always A Business Model, there is no such thing as a free service online.

Totally. Plus, the creator of BitWarden has been shown to try and sneak egregious things by people, for example Google Analytics inside BitWarden [0].

[0] https://news.ycombinator.com/item?id=12676979

Codebook by Zetetic, going strong since 1998. Uses an open-source extension to SQlite for encryption.

https://www.zetetic.net/codebook/

https://www.zetetic.net/sqlcipher/

That one is also missing Linux support.

I use Password Safe. Clients for many platforms. Only drawback for me is that the iOS client does not support ownCloud for syncing.

What's wrong with Chrome's built-in password manager nowadays?

reply


Anyone with access to your computer can look at the plaintext passwords in Chrome just by going to settings > passwords > show.

It's been a long-standing dispute... Chrome says "if people have physical access, security is broken anyway." But that's because they refuse to acknowledge the lesser threat model; "A non-tech savvy friend or family member borrowing my computer for 20 min" -or- "my computer gets stolen from my desk while I was logged in... and now they have access to all chrome passwords in plaintext."

It's infuriating. Wish they'd fix that, even if it's a superficial fix.

Not on windows. On windows is requires your windows password to unlock your passwords.

Actually, I think it does that on Mac OS too.

reply


Hasn't this changed in recent versions with the move to google smart lock?

It has support for Gnome Keyring or KWallet (IIRC, default is `--password-store=detect`). If you're using either, then it's the same.

Yes, it's using the gnome-keyring which requires unlocking. How is this less secure than using LastPass or KeePass?


The advantages of using a password manager - Password generation - Safe from google - Safety when google account is compromised (and physical access) - Non-password encryption

When using a non-cloud solution (e.g. KeePass, local 1password installation) - Auditable and specified ecryption: I know how my passwords are encryped. I can check this by actually decrypting and finding my passwords - No automatic updates. You can't force an update to my client that breaks security.

It has a much smaller feature set than any of the full fledged password managers.

I had the same reaction when I saw the Google logo in my vault: "how do they know?"

reply


reply


Did they delete it?

reply


reply


I have a question to all the hackers here about personal identity managers and UX. There are projects to decentralize personal identity and move away from passwords, such as Solid (https://solid.mit.edu) and our own project, Qbix (https://qbix.com/platform).

The WeChat article recently posted shows one major thing about user behavior and UX architecture. Users actually prefer to have one APP on their phone representing their social identity, have all their notifications, contacts, etc. from all different communities in the app.

So this probably means that the "personal identity server" should have some default protocol to receive notifications (encrypted with user's public key) and an APP for iOS and Android. The server would have rules for processing notifications and may notify the user (eg it may stop after the first 5 or set do not disturb where only the badge updates). Upon opening the app the user would see all the notifications from all the other services (they would be fetched and decrypted). And those notifications may contain deep-links back into flows that generated the notifications, eg a chat.

What is also nice is if you can have these rules be general purpose hooks that run on the client in some isolated JS environment. Then for example you can update the list of ids that a user's contacts have on different services (if you have pairwise anonymity) in the background. And next time you visit a website the auth extension/library/app can offer to connect you with those people on that website.

I think the Personal App should display badges corresponding to the # of websites that have caused notifications, not the # of notifications. The latter should appear only when you open the app and see the list of relying party websites. Then each website can have a # of notifications next to it and the can be sorted eg by most recent or most urgent notifications.

Last thing - by having a personal APP I have a feeling that it would also be tied in with payments in the future. Identity service is becoming tied with payments (to prevent fraud, China now ties the two together more than any other country and cash is disappearing). So the Personal App could in the future have some standard for attaching payment methods and using them without giving the relying party anything except tokens representing payment plans the user agreed to (like Stripe does).

In this way, even though payments are increasingly tied to identity - which may lead to fascism - we can empower local communities to control the identity and maybe in the future even issue their own money on their own credit! This may help finance loans for poor people in India etc. (already shown that having a large group guarantee loans works better for everyone due to social factors etc.) and pull people out of poverty faster. @mediaprophet what do you think of these points about integrating payments inside identity App in the future?

(By the way I say community because you may host your own data AND your own identity on your own server but when it comes to reputation and payments, there has to be some others who give you this value. Maybe it will not be communities. Maybe it will be completely distributed with no centers. But so far in history, wealth and reputation and power has always found a way to concentrate itself at least a little.)

"I wonder what the Federal Trade Commission thinks about that claim"

Would be my reply to the email, coupled with my demands.

