For password protection, dump LastPass for open source Bitwarden For better or worse, we still need passwords, and to protect and organize them, I recommend the open source Bitwarden password manager. LastPass is perhaps the world's most popular password manager. It's also arguably the most broken password manager. There's a better, safer open source alternative. But before I dive into …
There was a thread on here many years ago that convinced me to get a premium subscription and I've never looked back. The UI is great, straight to point with no unnecessary bloat, particularly the iOS apps... a rare thing these days! The LastPass debacle is making me think I should switch to my own server too. Anyhow... +1 for Bitwarden
I switched to Bitwarden when LastPass started charging (I'm half Scottish and live in Yorkshire - wallet is welded shut). Maybe 3 years ago?
I was a bit disappointed with Bitwarden at first - auto fill was very flaky, especially on mobile. Since then, it's continually improved and is now better than LastPass used to be. Recent addition of passphrase instead of plain passwords a great improvement as 20+ random characters is a pain to type.
You may not want to keep autofill turned on. Search for an article on the Freedom To Tinker site titled: "No boundaries for user identities: Web trackers exploit browser login managers"
The article is from 2017, and I don't know if various web browsers or password manager plugins have fixed the problem or not, but I turned off autofill back in 2017 and haven't tried it since.
"...on here many years ago that convinced me to get a premium subscription..."
Wait... I was going to post that the article seems a bit like guerrilla style advertising for Bitwarden and you're telling me that you've already been sold by another article here years ago? ... journalism today.
>The UI is great
Really. I think the Bitwarden UI on the browser plugins is awful. It completely closes and loses state if you switch away from it [for example to refer to some info you want to put in there] and, if you do remember to pop it out into a floating window, so that it doesn't disappear, it loses whatever info you've already entered.
This has been flagged up several times, as far back as 2019, as an issue and the developers' response has been a Jobsian "You're holding it wrong!"
* https://github.com/bitwarden/clients/issues/839
* https://community.bitwarden.com/t/pop-out-to-a-new-window-should-retain-current-site-match-or-search-results/4644
* https://community.bitwarden.com/t/kepp-current-tab-filter-when-pop-out-to-new-window/7856
I also find that the autofil works about one time in 100 on my Android devices, even though all the necessary settings and permissions are in place. The only thing Bitwarden has going for it, over any other password manager, is the price and the semi-open-sourcery.
I used Authy up until New Year. Over the holidays and prompted by the LastPass scandal I did a little bit of due diligence on the different solutions, especially with regards to transparency.
I had been using BW for passwords for a few years - and yes the UI still needs some improvement, but over the time I've been using it there have been good changes.
So I switched to the base premium version of BW at that point and moved my TOTP there too. Plus bought myself a YubiKey as a present :)
That move was a little painful, one of the reasons being that there doesn't appear to be any way to query Authy for the order token/key - which was one of the few reasons I switched!
One thing though that I think 1Password does slightly better is the encryption key for the Vault doesn't just rely on the Master Password.
But with the addition of the Yubikey and ability to approve logins from the App that BW have added over time, I've been able to change what was already a pretty strong password to a very strong one.
For free, you also get a cloud-based store for all your passwords, Bitwarden Web Vault;
Why is this necessarily any more secure than LastPass, or any other password manager? At the end of the day, most of these breaches come down to human error and/or social engineering, and being open source doesn't magically exempt software from that sort of attack. Personally I have no particular desire to delegate my password security to a third party, whether they are stored "in the cloud" or not.
AFAIK Bitwarden stores all passwords in an encrypted binary blob which gets sent to the local device and is decrypted there, ie your master password (which can be as strong as you want/can remember) never leaves your device. And same for encrypting.
Having said that, I use BW for websites that are uncritical (like El Reg) but not for banking and the like... these things sit in a local KeePass database with a strong password and a keyfile.
Lastpass only encrypts username and passwords, all other data in your vault is in clear text (base64 encoded). That means they've lost all the information necessary to phish you, all the notes (e.g. your second factor pin that you stored in a note). Everything else is gone, almost certainly. They would be telling us if it was limited and they aren't.
@yogan - You've obviously upset someone for the down vote.
You are right LastPass's marketing combined with media references to 'vaults' does make it seem all the information in your 'vault' is securely encrypted by the master password, yet as you note the lack of detail in the disclosure does seem to indicate that only the passwords were encrypted, not the aide-memoire notes, payment cards, bank accounts and 'custom items'...
Whilst it would seem breaches occur, ie. we should expect account credential data to be targeted and accessed by unauthorised third parties, given the constant trickle of warnings from HaveIBeenPwned over recent years. What is perhaps a little disturbing about the silence from LastPass is the lack of information on what they are changing to improve security.
Zoom took their security issues on the nose and announced a security enhancement programme, I'm concerned that as yet LastPass - or any of the other password manager vendors/teams, have announced a similar security review, given we can be fairly sure (until this incident) the majority of cloud-based 'vaults' will have implemented a similar level of security as LastPass only as yet they have not knowingly been compromised.
Thanks Yogan!
Managed to listen to the full show.
To everyone I suggest you watch at least the first 53 minutes of this episode:
https://twit.tv/shows/security-now/episodes/905
The problems uncovered aren't unique to LastPass, BitWarden has a number of similar weaknesses !
It would seem LastPass and the spotlight the security community have thrown on the latest breech should be a wake-up call to all providers of credential managers. As a user, you need to check your settings/advanced settings, and if you are a long-term user of LastPass (like myself) or other product, you should do this as a matter of urgency.
A password iteration count of 100,100 should be a minimum - the video recommends increasing this by at least a factor of 10. Long-term LastPass users may find this value to be 5000 (as it was in my case) or even 1...
Secure notes are encrypted, not just passwords.
Phil's question hasn't been answered in the comments or in the article: what reason do I have to think that the same headline won't appear for BitWarden a year from now?
It matters because I'm being told to take on another migration to something that isn't better. For this effort we should move to a team-aware offline solution (git-crypt or the like).
For me the problem is not that there's a cloud-based store, but that the thing is run by for-profit company.
I have no reason to suspect that the company running Bitwarden is anything other than ethical and trustworthy.
Right up until the point that some other company (or crazed billionaire) decides to buy it. Then all bets are off.
-A.
This is one reason I'm cautious about password stores: That you're reliant on a third party's ethics (in addition to their security).
I don't think there is a perfect solution (even if you write your own) but BitWarden sounds like a better option than some I've worked with (LastPass being one of them). Like you: will have to wait and see if some crazed corp (or billionaire - even millionaire... crazy is as crazy does) takes over.
Exactly, I was thinking exactly the same thing.
It is stored in the cloud somewhere therefore there is a possibility (however remote) that it can be compromised.
Even if you setup your own server there is still issues of vulnerability.
Surely the best option is to NOT save you passwords in a cloud-based application. KeePass springs to mind as something I have used for many years.
At the end of the day most people just store the passwords in the web browser anyway, it is the easiest and the average user will always take the simplest route or the one that is offered first.
It's not, they just want to sell you a premium subscription
Use Keepass with a NAS and offsite encrypted backup. No more cloud please, this fad has gone on long enough
Everyone keeps telling me how "great" cloud management is yet at the past 3 jobs I've had, all clients seem to have more trouble getting the automated systems to work than it would be to just create accounts manually, and when the auto provision systems fail the mess is wayy longer to clean up than just doing it the old fashioned way
While BitWarden is great, also consider the competition such as Passbolt.
A risk with BitWarden seems to be that it's another one-man-show type of project, at least last I checked, Kyle was the only developer.
There's a truly open source version of BitWarden's backend server called Vaultwarden: https://github.com/dani-garcia/vaultwarden It's a lot lighter too and doesn't require Microsoft SQL Server. BitWarden's Docker setup will install MS SQL in a container for you, but still...
The ties to Microsoft exist because BitWarden (the company) was initially supported by MS and I think one of the stipulations was that MS SQL and C# be used.
Former Lastpass subscriber and Bitwarden user here: I won't use the cloud directly for this sort of thing now. KeepassXC for me keeps things local, and whilst I do use Dropbox to share the vault across devices, the use of a manually-transferred key file makes sure that even if you got my vault and could crack my password, you still won't have access to the vault's contents. It's certainly less convenient, I suppose, but I learnt years ago that when it comes to security or convenience, pick one. :)
Another switcher - Lastpass had one job - and they blew it - and I didn't realise there's unencrypted and "hacker useful" data in there, even if they can't practically decrypt due to complex master passwords.
I've switched to Bitwarden as I need a "family friendly" solution - have had my kids on Lastpass for years and they do use it - so any switch need to be usable which means I steer clear of anything too hairshirt!
Hopefully Bitwarden won't make similar mistakes!
A thread here pointed me towards it at some point and my Pi Zero hasn't looked back since.
Hourly backups to my OneDrive and dynamic DNS updates incase the ISP decides to change my IP are a few of the add-ons I've thrown in.
At some point someone will break into BitWardens service ala LastPass problems, but they are much less likely to find mine on a random ip. And if the vulnerabilities don't get patched I can export my data and import into a n other service.
So I guess the banks and the government all keep your data on.... somewhere?
This old trope about "someone else's computer" is getting a bit old. You have got to trust someone with your data, and avoiding "The Cloud" is going to get harder and harder. Deal with it, and take appropriate measures to make sure you are not the low hanging fruit. Such as using unique and decent pass phrases, and U2F. And taking extra precautions with things that are extra sensitive (like where you keep your money).
"Somebody else's computer" is as true now as it ever was. You think it's "getting old" because you don't like the truth.
There is no "cloud". The "cloud" does not exist. It is now and always has been somebody else's computer, a computer you do not own, do not control, and which WILL eventually get hacked because it's a massive target.
Your bank isn't safe because there's any chance it won't be compromised. Your bank is only safe because government insures your money when the compromise happens.
For your password storage, you're a fool if you put it on somebody else's computer.
KeePass is a far better option than keeping your passwords on somebody else's computer.
Agree with the “other users computer” and “keepass” but FDIC does not insure your account if it is hacked, only if the bank fails and that has limits. There are a lot of misconceptions that they don’t care to correct. Read the fine print.
FDIC’s purpose is the same as the federal reserve, do what ever it takes to protect the banking institutions, and only the customers if it will prevent a bank run.
Some people still think banks contain enough cash to cover their accounts.
Guys, thanks for post about problems and solutions. Keep them coming
I think "the cloud" does exist - it's somebody else's computer that they've shared out across the Internet.
Another vote for local KeePass with local sync across devices.
Off-site backup? Err, only if I'm off site at the time, which to be honest is an acceptable risk for me - unless someone steals all my devices at the same time or my house burns down, in which case I have quite some other things to worry about.
Er, how?
I run several internet-facing servers on a domestic ADSL connection. The servers are located in my lounge.
OK, they're (mostly) for my personal use. How is a corporate scenario any different?
At my place of employment we used to run internet-facing servers in-house. Literally inside the same building. This worked perfectly.
Later the higher-ups in America decided that we should instead use a corporate datacenter in Ohio. This worked tolerably well.
After a palace coup, the new higher-ups in America decreed that we had to use AWS. This works very poorly and costs a fortune.
My home servers are still humming along.
-A.
In view of your implied 99.999% system availability, I would recommend offering your home server cloud facilities to your higher-ups in America. Perhaps with an introductory discount of 15% when they move from AWS? You'll be set for life! And I'll come and work for you. I promise to be extra careful when hoovering the carpet around the servers, too!
@steve button. I agree. Use all the precautions available but don't be afraid of the cloud. The online services we use are all hitting someone else's computers whether cloud based or internal DC. All our passwords are already out there on these servers anyway - hopefully encrypted.
Running servers to manage a password DB is totally impracticable for 99.99%+ of people, even for those like me who know how. And if you're running home infrastructure are you sure you're doing a better job on the security than teams who are 100% dedicated to it. I doubt it but it's unlikely that the ones doing it will be honest with themselves.
Anywhere you like! The KeePass store is just a single, encrypted file. For example DropBox, AWS, floppy disk at your mother-in-law's, etc, anywhere. Also, KeePass allows you to synchronise directly with a KeePass data file on another computer - without having to use an external (cloud) service. And if you create a key file (in addition to a master password), then you even have 2FA.
The other problem with the cloud is you need to maintain an account with that cloud provider... if they go bust or your account lapses, then your data disappears
all those precious photos backed up from your phone... zap!
There is/was a story on the BBC News site recently about a woman who had been running a business based around a blog... then the cloud host closed down and she nearly lost everything
Specifically keepassxc the follow-on to keepassx and compatible with keepass files. The only downside to keepassxc is the damn ridiculous Qt build that takes 20 minutes compiling away on what should be a 5 second build. But you take the good with the bad. keepassxc is actively developed and imports all previous keepass and keepasx databases.
Clean user interface (though I will always prefer the original keepasx interface under KDE3 -- hard to beat). The keepassxc interface is flexible enough it can be made to look close -- putting only the details you need in summary view and a single-click to bring up the details. The only "network" involved in moving a copy of the database to the iphone via "Files" and you have your encrypted database available there to.
I've never trusted and won't trust some cloud based service with the keys-to-the-kingdom...
...run your own Bitwarden server.
This is the only way to ensure you are in control. It also means that you need to know what you are doing.
Unfortunately, most people have absolutely no clue what they are doing when it involves computers (or, for that matter, most technology). They are consumers and don't care how stuff works. It is not something that would come up in their minds. They are nothing more than consuming users.
As with all security and privacy issues, you need to know what you are doing and actively control everything you do. It is a continual process that needs to be adhered to for all time.
So is this an option for the majority of people? No.
Is it a solution for the knowledgeable? Maybe or not because they already know what to do and how to do it and may do their own thing anyway.
BitWarden has the same flaw as LastPass: it relies on a single password and anyone that has access to your vault is only a password away. Spoiler: you're a terrible password generator and you can't remember cryptographically strong passwords.
Instead, use a password manager that has a second factor. You can use 1Password which also has a secret that 1Password itself doesn't know. Or you can put a Keepass database on Google Drive and lock it with both a password and a key file, and not store the keyfile on Google Drive.
Both of the above ensure that if someone gets your encrypted database from the cloud, they'll have a very hard time cracking it.
Indeed, exactly the same as how lastpass does it.
If people want to use open source on moral grounds that's fine (although they probably won't find bitwardens license suits their morals) but Bitwarden implements the same security model as lastpass. I'm intrigued how people think its somehow more secure. At least when lastpass lose all your personal data there is someone you can take to court for it.
If people want to use open source, there's always Password Safe (https://www.pwsafe.org/), the program by Bruce Schneier. It's Win only, but there are a flock of compatibles for other platforms (see their "Other Platforms" page). I've been using it for 2 decades. It doesn't natively do cloud or sync, though you could have it do backups to the cloud, or I suppose put the datafile there.
Nearly but not quite, there are some differences.
For one, the whole of the BW Vault data is encrypted, not just a couple of attributes.
Further, as this code is open source it is audited.
As a general point related, BW have been (as far as we know) pretty transparency, they don't appear to be hiding any skeletons....
And yes whilst there isn't /currently/ an additional secret key for vault decryption, that is a high up on the wishlist item for folk now. Hopefully they can add that in the near future.
There are ways to improve that though. I've memorized a 20-something character password generated by a machine and then one of a pair of YubiKeys is required to access my password manager. All browser password managers turned off. I'm sure I could do better, but I'm happy with that security posture for my personal stuff. It's certainly going to be more of a challenge to any would-be attacker than Jonno next door, so hopefully he's the low-hanging fruit
"you're a terrible password generator" - this is true. So don't generate the password yourself. Both Bitwarden and diceware will let you generate a cryptographically secure passphrase which works just fine.
Reading between the lines though, it is disappointing to see that Bitwarden don't use a secret from the second factor to decrypt the vault.
I believe the reference is to you generating the password to your password locker.
There are ways to generate complex passwords that can be remembered. They're not as 'secure' as a random password, but it then comes to a question of how the hackers are getting your passwords: Are they shoulder surfing, are they brute forcing, or are they intercepting the password in transit.
Some years back there was a problem with HeartBeat messages after an upgrade to software forgot to validate the actual message length with the supplied length - a check bit error if you like. This meant you could send a Heart beat/keep alive message of 'Dog', '100' and get the 96 characters following your heartbeat message returned (3 characters sent, message separator and the next message(s) that were received. This allowed 'hackers' to keep pinging compromised nodes on the internet to intercept login credentials, including passwords that were at that point, unencrypted. This then allowed the hackers to get access to accounts and lock the owners out.
TLDR: Don't rely on one system for your security. Use layered systems, meaning if you use a password vault, have a separate one for other parts of the system (as an example). Oh, and if you can, monitor user behaviour: It's another layer that can expose hackers after they've gotten in to your system. May not sound easy, but if a user has a habit of logging in and visiting El Reg (what else would they be doing first thing in the morning? Other than working, obviously) and today they log in, try getting into confidential files, get their password wrong twice and be looking through areas of your system they've never paid attention to before... best to go see what's going on. They might be trying to get client info before quitting their job, or it could be a hacker's in and rummaging around.
@author: Why?
>> You can also share passwords with this plan. Do not, I repeat, do not do this.
Why are you adamantly against sharing passwords via Bitwarden?
IMHO there are good reasons to do so (think: parents sharing password for their wifi router or mutual email account) in order to keep >2 individuals ready to work.
Or do you assume that even Bitwarden can't do this securely?
Yes but some information must be both shared and still secured. If you can setup shared access with separate authentication mechanisms that is best but not always possible.
Financial institutions with badly designed web access and aging parents is one situation where this crops up for me.
But certain people *are* trusted. If I and my wife can’t trust each other to look after our young kids’ school and Minecraft passwords etc., we would frankly have bigger problems than credential management. Some paranoia is justified, and some is excessive.
I've worked at a number of MSP's before and having an enterprise grade password sharing system is paramount. Ideally you'd have everything authenticating through an individual's identity for each client, but there are just some systems that won't allow it or it's prohibitively expensive for the services cost model.
The password gets wiped from the systems memory and the password is never shown on screen in clear text. Every access for the password is audited and there is granular control on access for each password, if you need it.
It also helps you with password rotation with reminders to change passwords etc.
It isn't completely foolproof, but nothing ever is. I'm not aware of any of the systems that were used ever having a password based breach.
I've used Keepass for years since a (now former) employer who handled stuff for a bunch of very security aware clients made us standardise on it. And taking a leaf out of their book, I don't put all passwords in the same file.
Example
Mobile file has everything you may need to access from a device while out and about. This is synchronized to all devices and desktop using Syncthing. No cloud involved, and any updates while away also get synchronized back home too.
Home file has everything else, lives solely on desktop (with backup) and never goes anywhere near a mobile device.
For the really paranoid you could use an Offline file on removable storage for really important passwords that you don't use frequently if you don't think your deskop is secure enough.
Most likely issue for me is mobile broken or gets lost / stolen, in which case if somebody gets into it they have a chance to crack Keepass and be rewarded with a bunch of low value passwords. I suspect you'd make much more money from selling the knowledge on how to crack Keepass than cashing in some almost-expired airline and hotel points...
Of course the strength of your master passwords / fingerprint reader is still a weakness. And if you're truly paranoid you'd not be using a fingerprint reader as your frontline security method would you?
This post has been deleted by its author
This post has been deleted by its author
If you want your credentials to remain confidential, keep them to yourself. I have nothing against password manager tools (provided they have adequately secure access mechanisms themselves) but keep them local. Putting all your passwords on a remote server over which you have no control just does not make sense if you want to keep them secret. I know it's a convenient option, but does that outweigh losing the lot one day?
It's no more sensible than handing all the private and copyright content you generate to some "cloud service" with a vested interest in it, but rather more dangerous.
>Putting all your passwords on a remote server over which you have no control ..
I would think that putting all your passwords on a remote server over which you do have control is just as much a security risk. Unless you are a top security expert or believe security through obscurity helps.
"Unless you are prompted for a password each and every time you need to access your secrets... They really aren't any safer locally than in the cloud"
Which is why I said "(provided they have adequately secure access mechanisms themselves)" The point at issue is whether you control the security of the platform. If not, you have a huge risk you can't minimise. If you do, of course you can screw up, but that's something you can in principle control (or at least take responsibility for).
That's the problem though. Your control over the system is the weak point of using your local system to store passwords! You have access to all of your data all of the time, ergo so does any attacker that you happen to let in though a momentary lapse of humanity. And beyond that, the password itself isn't really that interesting, the hot new trend is local token theft. I don't need your password if you already authenticated for me, I have something better - a token! Again, if you are NOT asked for a password on each and every API call that your browser/application might be making, and if you are in control of your system, the same attacker can just read your keystrokes too.
It's all a shell game. The only "secure" device I might trust is inherently entirely out of my control because it won't let me control my own data.
I used RoboForm for many years. Lots and lots of passwords. Migrated systems and moved to "another" password manager. But a large number of passwords remained in RoboForm. Like you I forgot the master password! (And handwritten it down and some safe place.) Then last year, 10 years later, I remembered the password! LOL.
Don't use a cloud based password storage solution because you'll always be beholden to someone else's whim and (lack of) expertise.
I use Password Safe, which is basically a small local database for all my passwords and logins. It also generates strong passwords. Since it's not available through the internet there's no way to hack it or get at it it's vastly more secure (although at the cost of some convenience). There's also a Linux version available.
If you use cloud solutions you're gonna get burned.
Some things are not to be meddled with. My password database is certainly one of them.
I also don't store any of my precious IP and source code in the cloud (GitHub et al.). I keep hearing about all sorts of break-ins in cloud providers (CircleCI being the latest) and strengthen my belief I made the right choice.
The way I see it is, that first someone has to break the cloud service AND break a password protecting the password database AND know that amongst the tens of millions of files that they have a short opportunity to grab there is a password database there.
So I think providing you use a strong password you have nothing to worry about.
Concerning password management and LastPass, there are some great comments here. And nice articles on The Register, which is no surprise.
But I have a couple of important questions which always seem to get lost. I can run a server myself including for remote access. But ...
QUESTIONS FOR TOP PASSWORD AND AUTHENTICATION USE CASES
1. FAMILY SHARES - what to do to provide password and/or authentication security services for multiple family members?
2. ADMINISTRATION - how to ensure that the selected service can be easily maintained and used by someone other than myself?
. . . "in case I'm no longer available". There are a very large number of recipes floating around.
Bitwarden - does do sharing - see "Collections" - assume self hosting also has this feature.
Admin - As soon as you run a service (be it passwords, backups, Plex servers etc, remote access/VPN,...) for more than just yourself - e.g. family - you become the single source of failure. you are also the person they trust with their data. So unless you have a house full of trustworthy geeks, you might well be safer paying for a 3 party service...
The idea of dumping password data into some server (I refuse to say “cloud”) that you have no control over, don’t know where it is, etc etc is a complete anathema to me. Eventually it WILL be hacked and your passwords (maybe) recovered. It’s asking for trouble - truly bonkers!
As for…
“The company admits the Bitwarden License does not qualify as open source under the Open Source Initiative (OSI) definition”
…who gives a monkeys what the self-appointed OSI think?
A service that you need to log into doesn't store its passwords in a form that would be useful to anyone who recovered the file in which they are contained. Look at /etc/shadow on your own machine. The passwords are scrambled by applying some complex mathematical operations to the plain text. When somebody enters a password, its validity is checked by applying exactly the same maths to the plain text entered by the user and comparing it to the stored, scrambled password. Since you can neither recover the plaintext password (the mathematics deliberately include stages which involve discarding digits from the result, so "doing the whole thing in reverse" would require you to try all possible values for the dropped digits at each stage. This isn't impossible, it just takes a long time; as computers get more powerful, it can be done more quickly, so password scrambling algorithms sometimes need updating) nor bypass the scrambling process to have an already-scrambled password checked, a scrambled password file is essentially useless.
A password manager, on the other hand, needs to store user identifiers, passwords and the sites for which they are applicable; and these need to be stored either in plaintext, or encrypted in a manner which is recoverable by the rightful owner. You would hope that the final stage of decryption would be done only at the client end, using a key which is only held by the client and not kept anywhere on the central server ..... but you could only ever be certain of that by thoroughly analysing the Source Code.
The convienence of auto fill and password updates being shared between devices.
Obviously, you can export your passwords into a .csv and turn this into an Excel encrypted backup. Although I remember seeing some article marking password managers down for having a facility to bulk export their repository...
For those that insist on only keeping their password store locally...
You are storing passwords you need to use on the internet, correct?
Your local password store is on a computer that is on the internet, correct?
I fail to see how this is any more secure than on some computer on the internet.
I need to be able to access my password store from a multitude of devices, all on the internet. The solution I choose claims to use proper publicly vetted encryption and makes the source code available so the implementation can be reviewed. I was using Roboform, but they were evolving in a direction which went against my needs and they never implemented a Linux client. I moved to Bitwarden for the cross platform clients, "open source", and a number of other reasons. One thing that stood out was the ability to export your passwords if you wanted to use another solution. Many of their competitors rather choose lock in with no export. My master password is currently 24 characters randomly generated, I am considering 48 for the next one. I memorize in 8 character chunks, currently 3 soon 6. Not that hard and cryptographically secure.
I ditched last pass long time ago when they changed hands and started using bitwarden implementation called vaultwarden. It's written in rust, compatible with bitwarden clients and it is small enough to run in a cheapest server you can rent. However, if I had better resources, I would run the official bitwarden inside docker containers. Their scripts will do the work for you.
Also, I heard in vaultwarden comments that bitwarden people actually help third parties to stay compatible (Take it with a spoon of salt, thou).
https://github.com/dani-garcia/vaultwarden
On the other hand, LastPass has been attacked multiple times, and have recovered and fixed the issues that lead to them. Resulting in a stronger product and experienced security staff.
How can you tell whether alternatives aren't more vulnerable but simply haven't been targeted yet, as they're not currently as big?
In addition to haveibeenpwned - have a look at https://leakpeek.com/ - that lets you stick in a username, email address etc, and it will show you partially redacted passwords it has for you....
It doesn't show (that I've seen) the source, but it certainly helped me confirm which passwords were nobbled and then by proxy, what the source was.
The brand promise of LastPass was "Even if we get hacked, we don't know your password and it would be practically impossible to brute force a good master password." This seems to still be valid. I have deobfuscated my vault and the unencrypted info are my URLs and time of last visit. My master password had 65 bits of entropy. I'm pretty relaxed. As you say a lot of my dumb old passwords are already out there and I get phishing attempts all the time. That's life, not LastPass. What I am doing is:
1. changed master password (I know that doesn't cure this problem since the bad guys have the vault locked with the old MPW).
2. changing passwords at sensitive sites (you can have netflix) even though it's low risk. We all use 2FA, as well, right?
3. waiting to see what LastPass does to restore trust. I may go to bitwarden, if I'm not satisfied but switching has costs, eh?
Sorry for the nitpick, but "Spoiler alert: odds are your passwords are already out there. Don't believe me? Check your email address or phone number on HaveIbeenPwned ..." This is not accurate. All that does is say that your email address or phone number is out there. It doesn't mean that your password has been exposed, it only means your user/phone was found in a dump unencrypted.
I switched from LastPass to Bitwarden years ago. You could see this coming after the take-over and service failures.
Also had the misfortune of working for two companies that used LP, and my fellow IT colleagues refused to see the problems with it. I didn't stay long with either company because their security practices were a joke and used such weak passwords they should have just left the front door open
I made an account to post this, because I feel like a crazy man in my industry
We keep this arms race of encryption and security going why? Because we built a highway to everyone's front, and back, door
Not every device needs internet access
Like whatever device you keep your passwords in
The airgap is making a huge comeback because we who grew up with this finally understand what those who built it were thinking: they weren't, they only cared about "faster, easier, and cheaper"
Well now it's so easy and cheap that you need a special 2FA device to protect your account, because it's so "accessible"
Now you can't even trust that, as MFA spamming attacks are on the rise. What's next?
The airgap, and a return to on-prem behind lock and key
> Not every device needs internet access
Good thinking. Let's ask Microsoft, Apple, Ubuntu, Red Hat, Dell, HP, etc, etc to send us their software updates on a CD by regular mail.
Before LANs and Internet, another local area networking technology prevailed: SneakerNET, wasn't it?
When it was just me I used mSecure. However over the years we needed to share more credentials. I moved to LP 7 years ago. (Well the anniversary was on the 12th). I was on the phone with them yesterday and they clarified/claimed that BOTH the notes field within the Password template and the notes within the Notes template are encrypted.
I only realized that there was atleast confusion and at worst exposure to my notes data after listening to last week's Risky Biz podcast
One thing this highlights to me...I allowed myself too much convenience. I need more compartments. In retrospect it is silly that I stored the 2FA enrollment key (for various no LP servers) in the notes field. I think i need to make a delineation between credentials and their supporting security questions and answers (i have to store both questions and answers because I use random answers...besides trying to remember if I decided Matthew was my bestfriend in grade 1...oh no remember Matthew broke my Lego ...Andy was my best friend...wait but he went by Andrew in those day. And how long before the whole world knew my paternal grandmother was...)
Anyway I am not dumping LP yet. The first thing I am going to do is reset all my 2FAs...ugh there are over 200...but this was my bad. Atleast my master password is 40 characters long and stored nowhere except in my wetware. And given the current understanding of human memory I think of it as pretty unlikely anyone besides me can retrieve it. Now come to think of it my wife has the power. She did manage to retrieve it and it is stored on a piece of paper in her safety deposit box. It has a cryptic reminder that someone else has the 2FA bypass code.
On average I am not a security maximalist. There are tradeoffs for sure. However our clients are absolutists. They will dump us in droves if they ever have to say to their clients that we were taking acceptable business risks
I also used mSecure for the convenience but recently took a step backwards, now using KeePass / kpcli on the desktop only. It's painful no longer having passwords on mobile. For frequently used ones I have about a dozen memorized. For one-offs I scratch them on a bit of paper in my pocket, or simply wait until I am back at the desktop.
"In retrospect it is silly that I stored the 2FA enrollment key (for various no LP servers) in the notes field. I think i need to make a delineation between credentials and their supporting security questions and answers"
I have always operated on the assumption the notes field is insecure. Even if the database is encrypted as a blob, I'm worried about shoulder-surfers when I am viewing a record. Only the password field is hidden! When signing up for the service if they ask for personal info then it would only go in the note in a highly obfuscated form. Each actual secret for a service gets its own record in the password manager, e.g. for Verizon I have one "password" but 14 records...
* Verizon online
* Verizon sec? 1st school (Note the shortened question is in the title.)
* Verizon sec? Current pin
* Verizon sec? Old pin (Still need it sometimes!)
* Verizon sec? ssn4 (By my design they do not have my correct SSN on file.)
And so on.
The whole idea of storing passwords in the cloud just seems ridiculous to me. How many things have been 100% secure right up until the day they are not? Sure you have to have passwords for things that are online and hopefully everybody realises that there is always risk involved. But by storing your passwords for those things online you are automatically making each password only 50% as secure.
If there's a risk of any given password being compromised then storing that password elsewhere is twice the risk of it being compromised.
I'm far too old to remember all those passwords. And I'm far too sensible to use the same password for more than one thing. So I've got to store them somewhere, but that somewhere is in a local database.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
