LastPass: Notice of Security Incident (blog.lastpass.com)
However, it is at the same time fair to say that there are possible breaches for Bitwarden as well that would involve stealing information, despite being open source. Their website, the securing of the process by which their downloads and updates are produced and distributed, the way the hosting for their web vault is secured...
> we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.
One way to prevent risk to your passwords in the event of a security breach is to not store them in the cloud at all. KeePass is great!
LastPass and its competitors theoretically have zero-knowledge storage of everyone's passwords, so even a full breach of their servers would fail to leak passwords.
I keep a password database on the company network with all my work passwords and I have no need to keep a copy of those credentials on a bunch of my personal devices or cloud servers.
My personal passwords are stored on my own personal devices. Syncing between them can be done using any number of methods without uploading to the cloud, but even if I wanted to use somebody else's servers to do that, a properly encrypted file with a very strong password could be safely stored anywhere, so there's no need to limit myself to one company's servers. I can use whatever works best for my needs and won't have to worry about what I'd do if the one I was using goes under or becomes unavailable. In exchange for a little extra work you gain a ton of utility and resiliency.
This is a dangerous fallacy. Nothing fundamentally would prevent someone who attacked their infrastructure from pushing a malicious app update or a malicious extension update which exfiltrated the decrypted library from the client side.
Simply secure the database with a password and keyfile then copy the key file manually to your mobile devices and workstation.
That way you can be certain that your cloud provider has zero knowledge of your key file and also doesn't control the application in which you enter the master password.
www.passwordstore.org and stand up your own bare git repo.
You can literally audit this password manager in 30 mins! Thus, I feel it's more secure than a complex solution like LastPass, since the code is small and a Yubikey touch gives you a chance at one password (with other password managers the whole vault is unlocked and all passwords are at risk and may be extracted at once).
Pass has advantages over other password managers (even though it has some limitations too).
I have my pass repo somewhere on the internet and the android/ios clients have been adequate for me.
If your passwords are encrypted you can put that file on a Times Square billboard and it doesn't matter. That is the entire point of encryption, moving sensitive data across adversarial channels. If you don't trust the encryption of the software you're using, well that's a good indication to not use it at all. But if you do there's literally zero point to not use a cloud provider.
I'm guessing nation-state because it seems they stole some source code/R&D. I'd guess China. That's their entire MO. Further the Chinese economy by any means necessary. Why waste years and millions on R&D when you can just steal it?
https://www.cbsnews.com/news/chinese-hackers-took-trillions-...
For something like a password manager using client side crypto, compromising the software supply chain of the client is an interesting proposition for an attacker.
https://www.france24.com/en/20110104-france-industrial-espio...
He said they put all their resources into industrial espionage and it’s pretty much their only focus.
This is the current trend each time there is a breach: let's pretend/show that we are serious and waste money taking "security" consultants, that will in the end probably tell us obvious things.
Pay more or listen to your own employees instead and eventually go hire competent engineers instead of funding bullshit jobs.
Lastpass is supposed to be in the "cyber security" field, so it is a little bit ridiculous to say that you need external help on this subject...
This isn't hiring an auditor or consultant to recommend better security practices but more like a team of world-class detectives, investigators, and forensicists to figure out exactly what happened and how, what they might have done or taken, if they still have or could regain access, and, potentially, ideas as to who or what the culprits may be and what their objectives were. In particular, you want to have as much confidence as possible in what they may have done when they had access to your systems and that they have been effectively shut out and don't have any other access points/backdoors.
LastPass undoubtedly also has their own security incident response team - most companies probably should - but it's like the local county PD calling in the FBI when a serious or sophisticated crime occurs.
Short of serving customers malicious JS code or an app to steal passwords, the production environment referred to in the article can be made totally public without secrets in vaults being revealed, no?
Get into their dev env (ideally unnoticed), exfiltrate the sensitive code you need, poke around their systems. Once you’ve got a handle on their code and have figured out what to add, do so and just begin the waiting game.
Maybe that’s all happened, and this attack is “air cover” for the last-stage.
Not good! All a password manager sells is trust. Without that they don't offer anything of value.
All your data is kept separate from the company, and if you depart you just need to add a credit card.
This doesn’t seem to be the case in this incident though.
That's basically what happened in the solarwinds compromise.
So unlikely.
BitWarden's UX is a little different, and in some ways inferior to LastPass. Sharing passwords with my wife feels convoluted in BW, but it works perfectly fine. You have to create an "organization" where both users join, and then add your sites/pws to. In LastPass you just share it. But I've also found BitWarden works better, especially on mobile. LastPass would fail filling in passwords on some sites, and I'd have to use different autofill methods to get it to fill. But BitWarden doesn't have the same issue and mostly just works. I also like BitWarden's built-in 2FA field for each site's password, which eliminates having to use other authenticator apps. Except you'll still want to use a 2FA app for BitWarden's master password.
We're looking at you Twitter / GitHub
Putting your passwords in the hands of a third party drastically increases your threat surface and no amount of hand-wavy "but it's not as convenient" will change this fact.
Now, it may be true that the convenience factor is very strong right now, but the solution will never be "let's keep hoping real hard that the third parties are good at this." Not unless any of the third parties are willing to take on indemnification or liability.
The proper thing to do is to figure out how we can best empower people on their own. I know it's difficult, but that doesn't fundamentally cut into the fact that "this is what SHOULD be done."
I switched over to a self hosted bitwarden, and not only is the user experience a lot better, I've got better security confidence since my password store never leaves my home network.
lastpass has to be ready for some sort of attacks I guess, it's good that they identified this early
Take Wordpress as an example, the code is open source, yet the majority of loopholes come from plugins, not really the core.
But, we never know.
Huge huge potential loss here for people until they affirm this didn't happen.
Not a good look for an online password storage service.
Breaches can and will happen to anyone and we should assume they eventually will happen to everyone. What matters is how quickly you can detect the breach and how limited the impact is. It's still too early to tell exactly what's happening here yet. That said, if this only impacted a development environment that contained no customer data then this is a good example of that principle.
EDIT: I revisited the code. Looks like everything in [1] is fixed, nothing in [2] is fixed, there are now JWTs for some reason, and… they removed metadata encryption?? [3][4] Or it was never there in the first place and simple-crypto-js was used for something else? Either way, it's a current and major flaw.
[1] https://news.ycombinator.com/item?id=22587940
[2] https://news.ycombinator.com/item?id=22582570
[3] https://github.com/lesspass/lesspass/issues/185
[4] https://github.com/lesspass/lesspass/blob/314fc7386f2c29750c...
in all seriousness, Lesspass has a cool concept (I hadn't heard of them before, just looked at their website now). I'd be interested in hearing what cryptography/security experts think about it.
Even on this point I have to disagree because that's precisely what 2FA is for. Even if LastPass (or Bitwarden in my case) stole my vault's password and posted my credentials on pastebin, no one could log into any of my 2FA protected accounts. (Ironically this account on HN is one of the few that doesn't support 2FA. Oh no my internet points!)
"not your keys, not your coins" may apply in the cutthroat 2FA-less decentralized world of cryptocurrencies, but most of the rest of the world has much more nuanced threat models.
The threat isn't the service having the encrypted vault anyway; we kind of trust the encryption to be decent (though of course you can't know what technological threats are looming).
The real threat is that you're putting your password for decryption into a proprietary blob with an internet connection and auto-updates enabled. It might be sending your password random places now or maybe at some later point.
Note that even a source-available password manager doesn't really solve this issue if it's not self compiled - and most of the time you'd probably want automatic security updates enabled on something security critical. But they can put anything they want to or are pressured into putting in there.
Is the source for the live site public? 2FA could be added in an afternoon.
- passwords need to be strong, and that is inconsistent with being memorable
- passwords shouldn't be repeated
- people use multiple devices
What is the user empowering solution to those three constraints other than password managers that store in the cloud, or flat-out ending passwords in favor of biometrics or something?
Use a password manager, remember a 2nd password for your email yourself, and then use a second factor for as many things as possible. USB keys are best, but anything is better than nothing: SMS, Authy, Google Authenticator, phone call, whatever. Chrome and Safari both have password managers these days, and some Chromebooks even have a builtin second factor. 2FA is still a hassle for sure, but it's getting better all the time.
Consider a classic "grandma" solution. A little notebook with good passwords kept in the purse or wallet. The issues here are more knowable than with LastPass or whatever.
I literally have this posted on my office door at the university where I teach.
The US does it also. Can't remember the exact number but contracts above 150 million can occasionally be "helped along" by national level assets.
Guy's a legend.
For the current experiment, researchers argue that malware that managed to infect an air-gapped [offline] computer can transform and modulate locally stored files into audio signals and relay them to another nearby computer via connected speakers, headphones, earphones, or earbuds.
Which still requires infecting the offline computer somehow (and a connected machine in close proximity as well).
Point taken though, nothing is perfect. And if everything else fails, there's always social engineering :)
> with good passwords
Well, which is it?
In all seriousness though, the two main benefits of password managers are they only autofill on the correct domain and they’ll suggest actually good passwords.
Correct, 2FA is protection in addition to your password manager. So if someone gets your unsealed vault they cannot log into any services without also compromising your second factor. 2FA is not for further cryptographic hardening of the vault itself.
> The real threat is that you're putting your password for decryption into a proprietary blob with an internet connection and auto-updates enabled. It might be sending your password random places now or maybe at some later point.
If you use Chrome and Safari your passwords are going through a proprietary blob with an internet connection and auto-updates enabled. If you use extensions for your browser they likely can steal all of your passwords.
Nothing can protect you if you don't trust any of the code you're putting your secrets into, although 2FA with some USB devices cover a mind boggling range of threats. A keylogger and screen capture combined wouldn't be sufficient to bypass them.
> Note that even a source-available password manager doesn't really solve this issue if it's not self compiled
Are you compiling your browser from source after verifying every line of code it contains? If so what makes you think you can trust your compiler?
You have to trust something. Choose your threat model. Choose your risks. Live your life.
Google et al... have already proven that they are at least decent at security and that they care about things owing to their success in the market. They've proven that they've handled this reasonably well and following their lead on how to do security in software is probably pretty good. They have both experience and skin in the game, lots of it, in the form of lots of money et al.
NOW, these password companies? NOPE. They simply don't have the right incentives in place to be trustable. (or more specifically, that they're going to be much better at securing my stuff than I will) They're too young and don't have sufficient "punishment" at the ready for me to be able to trust them much. They don't do indemnification, and liability for them isn't going to be great. I can't presume the same level of skill or care because the infrastructure/incentives aren't as presumably solid.
(Put differently, the Lifelock guy was a hero, he was at least willing to put something real on the line.)
TOTP is based on a shared secret that client and server both know (so inherently a compromised server can just skip it). For webauthn and similar, the token will sign a specific challenge, incorporating the site name and a counter value etc. The server stores the public key, but the check can be disabled.
The real risk is the auto updating client and the integrity and supply chain of the code it runs - unless you actually audit the client code, there's limited value in compiling it yourself. If the attacker can ship you a compromised signed binary, assuming the company is competent in their setup, they've compromised a development environment, code review environment, code signing environment, perhaps a CI/CD and testing environment, and then the release distribution environment. To get you to compile and install their dodgy source only requires a compromise of their development environment, as very few organisations will slow down their routine development cycle enough to add significant barriers to this one layer being compromised (as it has to be done for every commit checked in, every dependency changed, etc.)
Yes, if someone got into their supply chain, they could push a malicious update. That's also true of KeePass and every other password manager. There's no way to avoid that vector.
I recommend checking out their main page - it's got plenty of screenshots that showcase all the important features:
I'm gonna ride out LastPass until webauthn really takes off. Which could be soon based on what we're hearing from the mobile vendors.
I'd really like to see wider webauthn support, so I'm curious to know what you mean by what you're hearing from the mobile vendors please?
> I keep a password database on the company network with all my work passwords and I have no need to keep a copy of those credentials on a bunch of my personal devices or cloud servers.
That doesn't work for mobile devices. Most people have a work mobile device.
> even if I wanted to use somebody else's servers to do that a properly encrypted file with a very strong password could be safely stored anywhere
This is literally how LastPass and 1Password handle it. If you lose your key, the file in the cloud becomes useless.
> In exchange for a little extra work...
"A little extra work" that is beyond the skills of the vast majority of users.
> ...you gain a ton of utility and resiliency
As someone who used KeePass for more than 10 years until recently, I can honestly say that it was a massive reduction of utility and had no resiliency benefits.
Not the person you responded to, but: I think that most people are savvy enough to know what a password manager is, and most people are not savvy enough to be interested in the work necessary to set up, personalize, and maintain an offline password manager that functions well across multiple devices. That doesn't sound like a niche subset to me, but I could be way off.
I found vaultwarden to be a nice alternative. It runs on my server at home, to which I connect the relevant devices by VPN. It still requires the server to be online for modification (& the VPN connected), which I find to be a bit annoying, but it solves the concurrent modification issue. Plus, passwords are encrypted at rest and the browser extension verifies I'm using the password on a legitimate website (anti-phishing).
But if you're happy with your variant, I guess that's fine as well :)
Self hosting can help insulate you from a server side bulk compromise (with adequate security measures in place yourself which, as you say, not everyone will do), but it won't deal with the more pervasive software supply chain issues of compromised development environments etc.
It's a horrible idea to leave the password for the database sitting next to the admin's workstation. But physical access is a vastly different concern for a corporation than an individual.
Threat surfaces are different for different people. I'd _love_ if my parents kept a separate password notebook instead of an unlocked note on their phone.
2FA is obviously good but different. But a notebook is an entirely offline password manager and it immediately lets people do one of the most important things which is not repeat passwords.
:)
Most of them can't and won't invest the time just to switch to 1Password. The average person isn't going to exceed that bar by a margin that even I, a software developer, wouldn't bother with.
When something is too technical for even an average developer to bother with (because it's unnecessary, not because it's hard), it is totally hopeless for the average user.
For a large number of people, tech and non-tech alike, LastPass and 1Pass are really really good.
It's easy, unless you have actual data, what you have is an opinion.
It's already painful enough to use a cloud password manager; why would I burn hours more of time to maintain a worse experience?
I don't think your experience is representative. As I stated in my previous comment, I think the relative success of cloud-enabled password managers vs. more secure options like Keepass are a non-anecdotal form of support for this opinion. But I would be way off (which I also acknowledge).