Privacy is an "advanced option".
... Welp. ....
A security researcher has recommended against using the LastPass password manager Android app after noting seven embedded trackers. The software's maker says users can opt out if they want. German infosec bod Mike Kuketz spotted LastPass's trackers in analysis produced by Exodus, which describes itself as "a non-profit …
privacy is illegal. anon apps are not allowed in most jurisdictions. the login page is a tracker.
if you install it on a phone it's not private, if it goes over the Internet it's not private. end to end encryption is a myth, it means encryption in the middle, they pwned your phone. you don't even have root on your own phone ffs. somebody does and they see everything they want to.
All LastPass users, regardless of browser or device, are given the option to opt-out of these analytics in their LastPass Privacy Settings, located in their account here: Account Settings > Show Advanced Settings > Privacy
Well in my version of Lastpass in Firefox on OS X there is no such setting!!
In one of LastPass' numerous UI design fails, there is also (from the browser)
Security Dashboard -> Account Settings. A dialog comes up with a "Show Advanced Settings" button at the bottom. Click that and scroll down to the bottom, where there is a Privacy section with two checkboxes:
* Keep track of Login and Form Fill History
* Send anonymous reporting data
This is different to what you get from the Account Options menu on the browser add-in, and also to the Advanced Options on the Security Dashboard
The Security Dashboard is just a clusterf*** of poor design that this latest news and the imminent expiry of my LastPass Premium subscription has motivated me to move to another product.
Only problem was keeping all my devices in sync between several OS on several laptops plus a mobile phone was a pain in the butt, especially if you have to add a password to your iPhone.
In any case time to give 1password a look. If I’m paying for a service (and I am paying for a family subscription of LastPass), it should not have any 3rd party trackers in it at all!
yeah.... When I finally decided to use a password vault, I faced the problem of accessing and syncing from multiple devices. Google Drive (because it's there for free) works like a charm between both my PCs and phones.
(using KeePassDX in the phones downloaded from Druidics, not from GooglePlay)
Keeping a password database in the cloud is not a problem if it's only decrypted locally. I use KeePassXC, syncing the database via $cloudprovider, and it makes cross-device sync completely seamless. Of course, security should be in layers and all that, and I wouldn't go posting the database for just anyone to download, but to a certain extent I don't actually care who gets to see it, because it's 256-bit AES encrypted with a very strong password. Not impossible to break, but hard enough that I don't think it likely that anyone with any sense will even bother trying.
Sticky Password gives a choice of syncing via the cloud or just over a local network. When I used it, the local sync didn't work sometimes, but networking is something that has always defeated my brain and I'm sure that proper techies wouldn't be as easily defeated as I was.
I also went back to LastPass. Various password managers I've used over the years struggled with autofill or even recognising the password fields, and especially on sub-domains vs domains, but LP has been by far the best at this in my experience although it's not 100%. I shudder at the cost of LP, although it's paid by my business. Think I'll give Bitwarden a look before my renewal is up.
Yes, lots of options.
I have a git repository on my local network, and keep the encrypted keepass file in that.
Then when I'm at home with phone, I can run a one liner in termux to synchronise the phone's git repository with the local server. Ditto for laptop and desktop.
The restriction is that you really should only edit on one device, as there's no way (obviously) to merge changes made in parallel via the version control system given it's a binary file. But on flip side, I don't move file to uncontrolled cloud services.
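An added example of the workflow in the comment above (my code, not the commenter's termux one-liner): a sync that commits the local .kdbx, then moves only by fast-forward in one direction, and refuses when both devices have changed the binary, saving the server's copy next to the local one so the user can reconcile in KeePass. It assumes a remote named "origin", a branch named "main", and git on PATH; the demo_two_devices() scenario builds throwaway repositories in a temp directory purely to exercise the three outcomes and is not part of any real setup.

```python
"""Added example, not the commenter's own termux one-liner: a fast-forward-only
sync for a KeePass .kdbx kept in a git repository on the local network, as the
comment above describes. git cannot merge a binary vault, so when the file has
changed on two devices the sync refuses, saves the server's copy next to the
local one and leaves reconciliation to the user. Assumptions: remote "origin",
branch "main", git on PATH. demo_two_devices() builds throwaway repositories
in a temp dir purely to exercise the three outcomes."""
import os
import platform
import shutil
import subprocess
import tempfile
from typing import Optional

# Identity for commits made by the sync (saves configuring user.name on a phone).
_ENV = dict(os.environ, GIT_AUTHOR_NAME="vault-sync", GIT_AUTHOR_EMAIL="vault-sync@localhost",
            GIT_COMMITTER_NAME="vault-sync", GIT_COMMITTER_EMAIL="vault-sync@localhost")

def _git(repo: str, *args: str, binary: bool = False) -> subprocess.CompletedProcess:
    return subprocess.run(["git", "-C", repo, *args], check=True, env=_ENV,
                          capture_output=True, text=not binary)

def sync_vault(repo: str, vault: str = "vault.kdbx") -> str:
    """Returns 'in-sync', 'pulled', 'pushed' or 'conflict'; never merges."""
    # 1. Commit any local edit first so it cannot be lost by anything below.
    if _git(repo, "status", "--porcelain", "--", vault).stdout.strip():
        _git(repo, "add", "--", vault)
        _git(repo, "commit", "-q", "-m", "vault: update from " + platform.node(), "--", vault)
    # 2. Learn what the server has.
    _git(repo, "fetch", "-q", "origin")
    local = _git(repo, "rev-parse", "HEAD").stdout.strip()
    remote = _git(repo, "rev-parse", "origin/main").stdout.strip()
    base = _git(repo, "merge-base", "HEAD", "origin/main").stdout.strip()
    # 3. Move only in a direction that needs no merge.
    if local == remote:
        return "in-sync"
    if base == local:                                   # server strictly ahead
        _git(repo, "merge", "-q", "--ff-only", "origin/main")
        return "pulled"
    if base == remote:                                  # this device strictly ahead
        _git(repo, "push", "-q", "origin", "HEAD:main")
        return "pushed"
    # 4. Both sides edited the binary: keep the server's version for manual reconciliation.
    blob = _git(repo, "show", "origin/main:" + vault, binary=True).stdout
    with open(os.path.join(repo, vault + ".remote"), "wb") as f:
        f.write(blob)
    return "conflict"

def _write(repo: str, content: bytes, name: str = "vault.kdbx") -> None:
    with open(os.path.join(repo, name), "wb") as f:
        f.write(content)

def _read(repo: str, name: str) -> bytes:
    with open(os.path.join(repo, name), "rb") as f:
        return f.read()

def demo_two_devices() -> Optional[dict]:
    """Constructed scenario: a laptop and a phone share a bare repo. None if git is absent."""
    if shutil.which("git") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        server, laptop, phone = (os.path.join(tmp, d) for d in ("server.git", "laptop", "phone"))
        subprocess.run(["git", "init", "-q", "--bare", server], check=True, env=_ENV)
        _git(server, "symbolic-ref", "HEAD", "refs/heads/main")
        subprocess.run(["git", "init", "-q", laptop], check=True, env=_ENV)
        _git(laptop, "symbolic-ref", "HEAD", "refs/heads/main")
        _git(laptop, "remote", "add", "origin", server)
        _write(laptop, b"v1")
        _git(laptop, "add", "vault.kdbx")
        _git(laptop, "commit", "-q", "-m", "initial vault")
        _git(laptop, "push", "-q", "origin", "main")
        subprocess.run(["git", "clone", "-q", server, phone], check=True, env=_ENV, capture_output=True)
        out = {}
        _write(laptop, b"v2"); out["laptop"] = sync_vault(laptop)      # laptop pushes v2
        out["phone"] = sync_vault(phone)                                 # phone fast-forwards
        out["phone_vault"] = _read(phone, "vault.kdbx")
        _write(laptop, b"v3"); sync_vault(laptop)                        # laptop pushes v3
        _write(phone, b"v4"); out["phone_again"] = sync_vault(phone)     # parallel edit: refused
        out["remote_copy"] = _read(phone, "vault.kdbx.remote")
        return out

if __name__ == "__main__":
    print(demo_two_devices())
```

The conflict branch is the whole point: a plain `git pull` on a diverged binary would leave a merge conflict marker on a .kdbx, which KeePass cannot open, whereas here both versions stay intact on disk.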
Yes, yes, see the note at the end of the article: we meant KeePass. Though KeyPass does exist and also has no trackers, I'm told.
Don't forget to email corrections@theregister.com if you spot anything that looks wrong, please, so we can fix it immediately.
C.
"perhaps not CPM-80"
But it does have ports for Palm and Windows Phone.
I use it not just for passwords but also for credit cards, bank and brokerage accounts, and various lists of information that I want to be secure.
It is the second thing I install on a new PC or phone (after Dropbox which is where KeePass keeps my database).
The company says users can opt out if they want.
Read: "It's in there somewhere, just search if you really want it"
or "Most users won't care anyway so it doesn't matter if YOU shut it off"
or "Good luck figuring out which magic buttons to press, Muahahahaha!"
or something else that's equally arrogant and/or condescending.
Tracking should be OPT IN or NOTHING. no exceptions.
"Under GDPR and the UK equivalent, all cookie options must be opt-in. "
Which makes me wonder why so many European and UK sites still have only the blarb that says you can change options in your browser. It's about time, if Europe and the UK are serious about their legislation, that they had a simple reporting system for sites that don't comply with the regs.
if Europe and the UK are serious about their legislation
What on earth made you think that the UK was, in any way, serious about this?
The aim is, like in a certain country some hours west of here, to teach you that you have no rights. You have no rights to security, to privacy or even to what you buy. The only right you have is to give money to corporations. Any other restrictions are red tape that the government is giving itself the right to sweep away!
"...all cookie options must be opt-in."
Try telling that to Google and its Youtube tentacle. There it's opt-out and the bastards even sneak in one for Doubleclick but somehow forget to mention it.
I was mulling over whether I should report this to the ICO but having been fobbed off in the past I have hesitated. I might give them a buzz and see if I can get any joy this time.
> "All LastPass users, regardless of browser or device, are given the option to opt-out of these analytics in their LastPass Privacy Settings, located..."
..next to the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'.
It's hardly discoverable, if people are unaware of it to begin with, is it?
Just before my dad was diagnosed with dementia he kept forgetting all his passwords so I set him up with a password keeper so he'd only have to remember one. He instantly forgot it, and also forgot where he'd written it down.
On the upside we got a bottle of pink gin delivered six months ago but it came with one of those magnetic security seals on it. We got the price discounted but it has been mocking my engineering skills since then. YouTube videos are out of date, here is what I did to get to the nectar. I cut a couple of millimetres on either side of the metal bolts, and then I pulled like fuck. Brute force attack, literally. Wouldn't work in-store, somebody would notice, but fine in your house.
First of all this is a backstab move from LastPass!
Few months ago I became committed to move all my passwords from Google to LastPass and just before I heard the news for use on one device I was considering the family pass account.
Now this nonsense with tracking is totally not what I expected. Especially for my kids! They should not and may not be tracked when underage! (EU law)
Sorry LastPass, you just lost a potential paying customer!! I'm leaving!!
Translation from a recent post on golem.de:
==========
They only use App Center to get crash reports and Firebase only uses the notification API for push notifications. It's not enough to look at what frameworks an app uses with some rubbish tool, you also have to look at what exactly it does with it, and anyone can do that, because Bitwarden is open source and anyone can convince themselves that nothing is tracked there:
Q: What third-party scripts, libraries, and services are used?
A: Currently, we load third-party payment scripts from Stripe and PayPal on payment pages in the Web Vault. In the mobile app, the Firebase script is used for push notifications. The HockeyApp is used for crash reporting. Please note, Firebase and HockeyApp are removed completely from the F-Droid build if you are interested in using that option. Turning off push notifications on a Bitwarden server will disable using the push relay server if you want to self-host.
https://bitwarden.com/help/article/security-faqs/
> It's not enough to look at what frameworks an app uses with some rubbish tool
Exactly and I wish some of these security "experts" that I've invariably never heard of before would understand that. Really they should work as devs before moving into security in order to understand how software works.
For example: "Even the app developers do not know what data is collected and transmitted to the third-party providers, said Kuketz" - Bullshit. I know exactly what data is collected and transmitted to third-party services by my apps. If a service does not tell me what data it can collect and provide me control over what is collected then I won't use it. If I use analytics in an app I know exactly what is being sent.
I'm not saying he's wrong about LastPass but you can't just assume that because an app uses a particular analytics service that it is sending everything about you to them. And, assuming the devs don't have a clue what their software is doing is insulting.
I checked this aspect out when I switched to Bitwarden. With this news, I re-examined the situation. I did change to the F-Droid build to avoid the third-party code.
Not the best solution for the masses though. I had no trouble switching to the F-Droid build. Too many steps and unfamiliar actions for the typical end-user.
I also rethought my initial assessment. I did not know Firebase. I did not know HockeyApp. Even though the Bitwarden app may only be using the push functionality of Firebase to sync the database... What else did Google embed in the push code?
HockeyApp for crash analytics, okay, I can understand the need to have data to improve the reliability. Bitwarden is built using Xamarin which is part of the open source .NET and also a subsidiary company of Microsoft. A healthy amount of skepticism will suspect HockeyApp of the same.
I think I will try pressuring the devs to consider replacing both. Firebase would be easier to replace since it is only a component. HockeyApp itself may only be a component, but how about Xamarin?
Why has my last "Hello World" program measured 10 MB, while the first only measured under 512 bytes?
KeePassXC. It's unfussy, written in C++ (rather than for example C#), GNU licensed, largely cross-platform (although for Android or iOS you'll need a different majigger), and for me it just works when I sync via [my current cloud drive provider]. (Note that in this case cloud sync is a very minimal security risk because the database only gets decrypted locally.) See also this info.
Does the downvoter care to elaborate, or will he or she choose to remain a chimp?
keepassx, or, if available on your platform, the current keepassxc are the optimal choices. keepassxc is the continuation of keepassx and continues under active development. It is open-source (so you can verify there is nothing in the code) and it has a great interface. I don't know 1password, so I can't opine about it or other managers. But with close to 20 years use of keepassx and now keepassxc -- I can tell you, you can't go wrong with either.
I've been using SecureSafe for ages, partly because of its inheritance feature (and partly because I know who audits them).
I do occasional BCM work, and it's quite impressive to see how many people neglect succession planning (even in a family context). SecureSafe's solution is simple, effective and prevents abuse, and works on the platforms I use.
This is the thing that always p*sses me off when a company is caught with its hand in the privacy jar:
The software's maker says users can opt out if they want.
1 - I should not have to opt out of something that impairs my rights because yes, Internet companies, privacy has actually been a Human Right (#12) since 1948;
2 - In Europe it is not allowed to default to opt in to privacy grabbing;
3 - even from a sheer marketing perspective it's lunacy to do this, because the moment it leaks (it will, and it has, QED) you have a major PR problem because you're also managing people's most important online data, passwords. Who's to say you haven't been tapping those as well?
Stupid beyond belief. I hope they lose all their customers.
This, by the way, pours some extra validation sauce over Apple's push to get developers to declare what they get up to with user data. No wonder Zuckerberg is seriously pissed off about that..
KeePass and its many forks -- KeePass2Android in particular -- are the real McCoys. Hopefully this article helps get that message across at a quicker pace. And if KeePass source code is ever abused here's hoping El Reg is on the case like flies on LastPass.
"Complex" passwords are only hard to memorise because the rules provided for creating them don't take account of human psychology (or indeed in many cases, the mechanics of crackability). Even the concept of "complexity" is not understood. It typically means no more than "looks random to me", without reference to the absolute fact that the human brain can not create a truly random string due to a phenomenon called "memory". In any case, where's the rationale for even true randomness providing protection against anything except possibly the most naïve schoolboy attempts at guessing?
There's masses of robust research into real password quality (in all senses) spanning some 30 years, but nobody who sets the rules seems to have read it.
What we have instead is a regime defined by folks who don't even seem to understand the basics, such as "strength". There's actually no such thing as password strength. For it to mean anything, it must be qualified as "strength against what?" Each specific threat to a password needs different attributes and conditions to protect against, and by far the majority don't relate to the composition of the string at all. Just for example, infinite retries on a credentials entry form with a fixed maximum field length allow any possible password to be cracked by long term trial and error. It's also worth noting that pretty much all the major reports on "weak passwords" have obtained their data from offline cracking of exfiltrated password databases. So the fundamental problem was exfiltration of the database, as no password hash is immune to eventual cracking offline.
The definition of strength for passwords is based on dictionary-based attacks and refers to the permutations afforded by the character set and password length. Hence, awarding marks for case mixing, numbers and non-alphanumerics. While I agree that this is not really a good way to determine password security, it's better than nothing for those situations where passwords are still unavoidable.
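An added example illustrating the two comments above (mine, not either commenter's): the same candidate password measured against several threat models, so "strength against what?" becomes a number. The charset-and-length formula from the reply gives one search space; the guess rate each threat allows, and whether the guesser exploits the human word+digit+symbol pattern, decide what that space is worth. The guess rates in THREATS and the 7776-word list size are illustrative assumptions for the demonstration, not measured benchmarks.

```python
"""Added example, not from either comment above: the same candidate password
measured against several threats, to make "strength against what?" concrete.
Composition rules only enlarge the space an attacker must search; the guess
rate the threat allows, and whether the guesser can exploit the pattern the
human used, decide what that space is worth. Guess rates below are
ILLUSTRATIVE assumptions for the demonstration, not measured benchmarks."""
import math

# Assumed guesses per second available to each threat (illustrative only).
THREATS = {
    "online, rate-limited login":                 10.0,
    "online form, unlimited retries":             1e3,
    "offline, slow salted KDF (Argon2/bcrypt)":   1e4,
    "offline, fast unsalted hash on GPUs":        1e11,
}
SECONDS_PER_YEAR = 365.25 * 86400

def keyspace_bits(charset_size: int, length: int) -> float:
    """Search space, in bits, if the attacker must try every string of that length."""
    return length * math.log2(charset_size)

def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Search space for `words` words drawn uniformly at random from a known list."""
    return words * math.log2(wordlist_size)

def mangled_word_bits(wordlist_size: int, digits: int, symbols: int, symbol_set: int = 32) -> float:
    """Search space once the attacker guesses the human pattern word+digits+symbols
    (e.g. 'Password1!') instead of treating the string as random characters."""
    return math.log2(wordlist_size * 10 ** digits * symbol_set ** symbols)

def years_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Years to try the whole space at the given rate (expected time is half this)."""
    return 2 ** bits / guesses_per_sec / SECONDS_PER_YEAR

def survival(bits: float) -> dict:
    """Years of resistance against each threat model for a space of `bits` bits."""
    return {threat: years_to_exhaust(bits, rate) for threat, rate in THREATS.items()}

def report(label: str, bits: float) -> None:
    print(f"{label}: {bits:.1f} bits")
    for threat, years in survival(bits).items():
        print(f"    {threat:42s} {years:10.3g} years")

if __name__ == "__main__":
    # 'Password1!' scores about 65.7 bits under the character-class rule...
    report("'Password1!' as 95^10 (composition rule)", keyspace_bits(95, 10))
    # ...but about 21 bits once the guesser tries dictionary word + digit + symbol.
    report("'Password1!' as word+digit+symbol pattern", mangled_word_bits(7776, 1, 1))
    report("12 random lowercase letters", keyspace_bits(26, 12))
    report("5 random words from a 7776-word list", passphrase_bits(7776, 5))
```

Running it shows the two points in the thread side by side: a rule-compliant password collapses from 65.7 to about 21 bits as soon as the attacker models how it was built, and the same 40-odd bits that hold for millennia behind a rate-limited login fall in seconds once the hash database has been exfiltrated.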
As mentioned in the article, Bitwarden has signatures for two trackers. Bitwarden has this posted in their security FAQ regarding the trackers used:
"What third-party scripts, libraries, and services are used?
A: Currently, we load third-party payment scripts from Stripe and PayPal on payment pages in the Web Vault. In the mobile app, the Firebase script is used for push notifications. The HockeyApp is used for crash reporting. Please note, Firebase and HockeyApp are removed completely from the F-Droid build if you are interested in using that option. Turning off push notifications on a Bitwarden server will disable using the push relay server if you want to self-host."
https://bitwarden.com/help/article/security-faqs/
You should be using a password manager that encrypts and decrypts passwords only on your own devices and only you have the decryption key (aka master password) with well vetted strong encryption. If that is the case, you should have no problem storing the encrypted passwords anywhere. You should even be able to post the encrypted passwords publicly. If not, you are using the wrong password manager.
The good ones will be warning you that if you lose the master password, you are screwed, since nobody will be able to decrypt.
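An added example for the comment above and for the earlier KeePassXC-on-a-cloud-drive comment (my code, not KeePass's, KeePassXC's or any commenter's): whether a vault can safely sit where anyone can download it rests on two fields in its unencrypted outer header, the cipher and the key-derivation settings that price each master-password guess. This parser reads those fields from a KDBX 4 header and flags cheap KDF settings. The header it parses is constructed inline for the demonstration and is not a real database; the format details (magic values, field layout, UUIDs stored in .NET Guid byte order) are from the published KeePass file format, and the thresholds in check_kdf() are this example's own choices rather than an official recommendation.

```python
"""Added example, not code from KeePass/KeePassXC or from any commenter: read
the outer header of a KDBX 4 vault and report what actually protects it (the
cipher and how costly each master-password guess is). The header parsed here
is CONSTRUCTED for the demonstration; it is not a real database.
Format facts used: magic 0x9AA2D903/0xB67B5B67, uint32 version, then fields
[id:u8][len:u32][data] with id 0 = end; id 2 = cipher UUID, id 11 = KDF
parameters as a "variant dictionary"; UUIDs stored in .NET Guid byte order
(uuid.bytes_le). The thresholds in check_kdf() are this example's own."""
import struct
import uuid

SIG1, SIG2 = 0x9AA2D903, 0xB67B5B67
CIPHERS = {uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): "AES-256-CBC",
           uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20",
           uuid.UUID("ad68f29f-576f-4bb9-a36a-d47af965346c"): "Twofish"}
KDFS = {uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
        uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
        uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id"}
VD_UINT32, VD_UINT64, VD_BYTES = 0x04, 0x05, 0x42   # variant-dictionary value types
VD_UNPACK = {VD_UINT32: "<I", VD_UINT64: "<Q"}

def parse_variant_dict(buf: bytes) -> dict:
    """Decode the KDBX 4 VariantDictionary that carries the KDF parameters."""
    version, = struct.unpack_from("<H", buf, 0)
    if version & 0xFF00 != 0x0100:
        raise ValueError("unsupported VariantDictionary version %#x" % version)
    pos, out = 2, {}
    while buf[pos] != 0:                      # type byte 0 terminates the dictionary
        vtype = buf[pos]; pos += 1
        nlen, = struct.unpack_from("<I", buf, pos); pos += 4
        name = buf[pos:pos + nlen].decode(); pos += nlen
        vlen, = struct.unpack_from("<I", buf, pos); pos += 4
        raw = buf[pos:pos + vlen]; pos += vlen
        if vtype == VD_BYTES:
            out[name] = raw
        elif vtype in VD_UNPACK:
            out[name], = struct.unpack(VD_UNPACK[vtype], raw)
        else:
            raise ValueError("variant type %#x not handled by this example" % vtype)
    return out

def parse_kdbx4_header(data: bytes) -> dict:
    """Return version, cipher and KDF settings from the unencrypted outer header."""
    sig1, sig2, ver = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX 2.x file")
    major, minor = ver >> 16, ver & 0xFFFF
    if major != 4:
        raise ValueError("only KDBX 4.x handled here, got %d.%d" % (major, minor))
    pos, fields, fid = 12, {}, None
    while fid != 0:
        fid, flen = struct.unpack_from("<BI", data, pos); pos += 5
        fields[fid] = data[pos:pos + flen]; pos += flen
    cipher = uuid.UUID(bytes_le=fields[2])
    kdf = parse_variant_dict(fields[11])
    kdf_id = uuid.UUID(bytes_le=kdf["$UUID"])
    info = {"version": "%d.%d" % (major, minor),
            "cipher": CIPHERS.get(cipher, str(cipher)),
            "kdf": KDFS.get(kdf_id, str(kdf_id))}
    if info["kdf"].startswith("Argon2"):
        info.update(memory_mib=kdf["M"] // 2**20, iterations=kdf["I"], parallelism=kdf["P"])
    elif info["kdf"] == "AES-KDF":
        info["rounds"] = kdf["R"]
    return info

def check_kdf(info: dict) -> list:
    """Flag settings that make offline guessing cheap (thresholds are this example's own)."""
    problems = []
    if info["kdf"].startswith("Argon2"):
        if info["memory_mib"] < 64: problems.append("Argon2 memory below 64 MiB")
        if info["iterations"] < 2:  problems.append("Argon2 iterations below 2")
    elif info["kdf"] == "AES-KDF":
        if info["rounds"] < 1_000_000: problems.append("AES-KDF rounds below 1e6")
    else:
        problems.append("unrecognised KDF " + info["kdf"])
    return problems

# ---- constructed sample header (not a real database) -------------------
def _field(fid: int, data: bytes) -> bytes:
    return struct.pack("<BI", fid, len(data)) + data

def build_sample_header(memory_mib: int, iterations: int) -> bytes:
    """AES-256 + Argon2d header with zeroed seeds/salt, for the demonstration only."""
    kdf = struct.pack("<H", 0x0100)
    for vtype, name, raw in ((VD_BYTES, "$UUID", uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes_le),
                             (VD_BYTES, "S", bytes(32)),
                             (VD_UINT32, "P", struct.pack("<I", 2)),
                             (VD_UINT64, "M", struct.pack("<Q", memory_mib * 2**20)),
                             (VD_UINT64, "I", struct.pack("<Q", iterations)),
                             (VD_UINT32, "V", struct.pack("<I", 0x13))):
        kdf += struct.pack("<BI", vtype, len(name)) + name.encode() + struct.pack("<I", len(raw)) + raw
    kdf += b"\x00"
    return (struct.pack("<III", SIG1, SIG2, (4 << 16) | 1)
            + _field(2, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes_le)
            + _field(3, struct.pack("<I", 1))   # compression flags: gzip
            + _field(4, bytes(32))              # master seed (zeros: sample only)
            + _field(7, bytes(16))              # encryption IV (zeros: sample only)
            + _field(11, kdf)
            + _field(0, b"\r\n\r\n"))           # end of header

if __name__ == "__main__":
    for mib, it in ((64, 2), (1, 1)):
        info = parse_kdbx4_header(build_sample_header(mib, it))
        print(info, check_kdf(info) or "OK")
```

Pointed at a real vault, parse_kdbx4_header() only needs the first few hundred bytes of the file, so it can be run on the copy that lives on the cloud drive without opening it; if it reports a 1 MiB Argon2 setting or a low AES-KDF round count, "256-bit AES with a strong password" is doing all the work and the KDF none of it.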
Long ago, before KDE reached 3.5, keepassx was a premier password manager. It offered something rare then, versions for both Linux and Windows. That largely being due to it being an interface wrapped around a hashing and storage algorithm. It does one thing, and does it very well. Then when phones got smart enough to run apps, keepassx was there on the iphone (probably android as well). While I particularly liked the 0.4.3 interface, all interfaces were incredibly clean, well thought out, and ... practical and useful (a rarity in the "kids with crayons" UI design world of today). OpenSource (so you can look and ensure there is nothing nasty in the code) and GPL2.
But alas, development on keepassx has waned -- enter keepassxc. Keepassxc is a continuation of keepassx that continues to enjoy active development. Slight changes to the interface that do not detract from what was available with keepassx 0.4.3 (hard to improve on something that is already that good -- changes more likely screw things up than make things better). So while I still use keepassx 0.4.3, I have keepassxc as well that happily imports directly from keepassx (both 0.4.3 and the 2.x versions).
The thought of someone providing a password manager that contains tracking software is an absolute show-stopper. The fact that the trackers in LastPass are so granular they can report when and to what type a password was changed is one malicious .dll away from sending the keys to the kingdom out to some redirected 3rd party server. Any developer including trackers in a password manager lacks the modicum of decency necessary for users to trust their most critical data with that app. The fact the opt-out is intentionally hidden under Settings->Advanced Settings->Privacy is a direct reflection of the disdain the developer has for user privacy. Run, run like lemmings to another password manager that values your privacy enough to provide tracker-free code (do that for all apps you can).
So, you must think I am involved in some way with keepassx or keepassxc. Nope. The only contact I have ever had with the developers is to send in UI suggestions back in the 2008 time-frame. But I have been a user of keepassx since its inception (or soon thereafter) and I am a staunch open-source and privacy advocate with more than two decades of open source use and development experience. When you think about the mindset it takes to make the decision "Okay, go ahead with the trackers in the password management software", it is repugnant, and one step too far in the perverted game of tracking users' behavior. So pick a password manager that respects your privacy -- never compromise.
Of course the Very Righteous Register would never have trackers, analytics or other scripts running on its website.
Google-analytics, ads-twitter, doubleclick, amedo, a tagmanager from Google and possibly others that remain hidden.
Not that the Register would *ever* allow such things. Not while berating others for that offence.