
There's a level of irony in complaining about LastPass's security, followed by suggesting people run their passwords through random third-party software that you wrote. Even if your code isn't malicious (which I believe), it opens up so many potential attack vectors.

For anyone reading this, please use the official 1Password import functionality, not this: https://support.1password.com/import-lastpass/




There was no 1Password to LastPass importer at the time I wrote that (believe me, I looked because I have better things to do than write apps to benefit a commercial entity like agilebits otherwise), and of course the code is published on GitHub and released under the MIT license. It's very short and simple and rather easy to review. It's also a .NET executable, which is ridiculously easy to reverse-compile back to C# (not just assembly) so you can even check that I'm distributing an exe that does the same thing as the code I published.

EDIT

I just revisited that link I shared, and I have to say, it takes some real chutzpah to turn around and accuse me of advising insecure practice when the link I shared literally talks about just that:

Due to the nature of this application, *we strongly urge everyone to download the source code*, review it quickly, and compile it yourself to use this tool. However, we do recognize that this may be beyond the means of all security-minded folk out there looking to make the switch, so we are providing signed binaries available for download. If you do opt to use the binary download, make sure to validate the authenticode signature like so: ...
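The quoted README stops at "like so: ...", so here is what that check looks like in practice, as an added example that is not the tool's own instructions or code. It uses the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets; the file name, thumbprint and hash are placeholders, to be replaced with the values the author publishes. The point it adds to the README's advice: a "Valid" signature only proves that someone holding a cert that chains to a trusted root signed the file, so the signer's certificate thumbprint (and ideally the release hash) has to be pinned too, or a re-signed binary swapped in on an old post would still pass.

```powershell
# Added example (not from the original post): verify a downloaded .exe before running it.
# Two checks, because "signature valid" alone is not enough:
#   1. The Authenticode chain is valid (file untampered since signing, chains to a trusted root).
#   2. The signer is the *expected* publisher, pinned by certificate thumbprint,
#      so a binary re-signed with somebody else's perfectly valid cert is still rejected.
# Optionally pin the SHA-256 of the exact release as well.

function Test-PinnedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,   # SHA-1 thumbprint of the author's code-signing cert (placeholder below)
        [string] $ExpectedSha256                                # optional: hash published alongside the release (placeholder below)
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status values include Valid, NotSigned, HashMismatch (modified after signing),
    # NotTrusted (self-signed or untrusted root) and UnknownError.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path = $Path; Ok = $false
            Reason = "signature status: $($sig.Status) - $($sig.StatusMessage)"
        }
    }

    # A valid chain only proves *somebody* with a trusted cert signed it. Pin the signer.
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $ExpectedThumbprint) {
        return [pscustomobject]@{
            Path = $Path; Ok = $false
            Reason = "unexpected signer $($sig.SignerCertificate.Subject) ($actual)"
        }
    }

    # Optional belt-and-braces: the exact bytes the author published.
    if ($ExpectedSha256) {
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($hash -ne $ExpectedSha256) {
            return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "sha256 mismatch: got $hash" }
        }
    }

    return [pscustomobject]@{
        Path = $Path; Ok = $true
        Reason = "signed by $($sig.SignerCertificate.Subject); timestamped: $($null -ne $sig.TimeStamperCertificate)"
    }
}

# Usage. All three values are placeholders: take the real thumbprint and hash from the
# author's release notes or repo, not from the same page you downloaded the binary from.
$result = Test-PinnedBinary -Path '.\importer.exe' `
    -ExpectedThumbprint '0000000000000000000000000000000000000000' `
    -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000'
$result | Format-List
if (-not $result.Ok) { exit 1 }
```

Get-AuthenticodeSignature is Windows-only, and PowerShell's string comparison is case-insensitive, so the hex case of the pinned values does not matter. Pinning the thumbprint is what defends against the scenario raised later in the thread (someone quietly replacing the binaries on an old post): a replacement signed with a different, still-valid certificate fails the second check even though Windows itself would report the signature as fine.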


I am extremely grateful to ComputerGuru and others who freely share code and binaries they used to scratch a specific itch like this. As for security, I'd never dream of running anything like this outside of an isolated, offline system and would destroy the instance immediately afterwards.


> There was no 1Password to LastPass importer at the time I wrote that

The details were hazy, but in 2016, there was a way to export your passwords from LastPass and import them into 1Password, though I don't think there was a way to do so on windows (which I believe is what your importer addresses).

After the LastPass vulnerability in July 2016, I switched to 1Password.


Password managers generally use CSV, avoiding vendor lock-in. However, back when LastPass doubled their subscription cost (yes, doubled, literally) I switched to Bitwarden. At that point, there was some issue with exporting passwords with a certain character (IIRC it was ; or #). I ended up changing the few passwords which quit working.

As for OP, my take is you clicked a bad link triggering a zero-day vulnerability in your browser, or perhaps you logged in on LastPass via a VPN or Tor? It's pure speculation though.


There is, I just did it recently. It's an unencrypted copy-paste dump from LastPass into 1Password.


This was in reference to the OP not having an option in 2017 to import to 1pass.

If I recall, I had to sign up for LastPass premium to pull my passwords to my phone, and then use keychain to import them to 1pass.

I don't think that solution would work for Windows users back in 2016.


There was a 1Password to LastPass importer at that time, I know because I used it.


Just because you put a warning label on a bad practice doesn't mean it's a good practice.

Pumping your passwords through some random code on Github that has a "be smart" label doesn't make it a good idea.

Would be so easy to imitate you, reupload the code with an exploit. For giggles, if I was making this into a hijack I'd leave all your warnings in and even make them bigger and more obvious, confident in the knowledge that 99%+ of my stolen users wouldn't read the code or would just download the binaries sight unseen.


1) Clone random git repo on Kali, related to Kali usage.

2) Don't read the code.

3) ???

4) Forever don't know what or when it happened.


> Just because you put a warning label on a bad practice doesn't mean it's a good practice.

That is such a salient point, generally.


Funny how common it is though


Well, why shouldn't people who already use insecure software with vulnerabilities (LastPass) without the possibility to even audit the code also run some code written by other people they don't know?


BREAKING: There is no perfect security.

>Would be so easy to imitate you, reupload the code with an exploit.

Put your keyboard where your fingers are: do it by tomorrow morning and post here when you're done.


And there ya go.


Clearly we both agree it's an insecure practice, since you felt it needed a warning.

Now that you know there's an official LastPass importer for 1Password, I'm curious why you're defending your version rather than updating your blog post, unlinking your original HN comment and deprecating the GitHub repo.

I believe you're genuine and just trying to help. If there's an attack, it wouldn't be you doing it – it'd be someone else replacing the binaries on an old 2017 post without you noticing. WordPress is just as insecure as phpBB. Like the other commenter said, "Just because you put a warning label on a bad practice doesn't mean it's a good practice."


Cut them a break. Nobody's gonna update a 2017 blog post IRL, and last I checked a majority of bloggers just use WordPress, not exactly their problem.


I agree that's the right response, maybe just give them some time to consider it. It can be tough to give up something you worked on.


There's a level of irony in complaining about malicious code, and still recommending a closed source password manager.


I can't parse this. Is your point that "closed source" is a synonym for "insecure"?


Closed source is a synonym for insecure if you accept secure means no blackbox processes.


Do you think bank ATM software/hardware, plus online banking and components should be open sourced?


Ding ding! Exactly!



