LastPass users locked out due to MFA resets (bleepingcomputer.com)
Hope people don't fall for the stupid thing that Google/Apple et al are trying to do, either.
But for me, I keep an encrypted text file and get the passwords by using emacs or vim. I generate passwords using:
tr -cd "[:alnum:]" < /dev/urandom | fold -w 16 | sed 10q
and with the result I may replace 1 character with what they call a "special character". To me that avoids a lot of worry.
Do you realize that 99.99% of the population in the world, including maybe 99% of the people here, don't do that? Similar to those comments that say "I don't use a cell phone", sorry what is your point? You realize that your very unique way of living and your life experience don't apply to others, and your comment is meaningful to just about nobody but you? Do you actually expect people to read your comment from there?
It’s about as secure as anything (esp after the swap file issue was resolved).
Yes, you can roll your own, but that's not a scalable solution if you're an org or have requirements that lie outside using a text file.
1Password and Bitwarden help with this. Your use case might be different and that's fine.
I work for a company that makes a password manager, and at least one clear benefit versus copy/pasting from somewhere, even for tech-savvy users, is phishing resistance (the password manager browser extension should not fill your password on a website which doesn't match the website associated with that credential), which is how passwords get stolen in practice when they are not reused (not reusing is the main benefit of a PM, but your home-made system does solve that issue too).
There are other benefits, more on the convenience side (mobile, as you mentioned, and even not having to switch apps each time you need to grab a password...), which matter more for most people than security (or so they believe, at least).
If you look at it from the opposite perspective the value is clear - this isn't a tool for people who can generate and store their own passwords, it's a tool for people who got their Facebook hacked because they used the same password for everything for years and hey, this app can help avoid that mom, let me show you how.
Similarly government services gimp the web interface of tax, medical, etc. and try to push you onto mobile apps.
I can't fight this trend. Good for you that you can opt out of this nonsense.
Creating a SQL schema with a "Secrets" table and maybe some audit logging and organizational extras should take a seasoned developer ~30 minutes. Throwing a CRUD web app on top of this and making it accessible to your employees - maybe another day or 2.
I really don't know why you'd risk this sort of stuff with a 3rd party. It just boggles my mind. What are they doing that you can't do? Even a 3 person startup can probably find time around a weekend to knock this out once and for all.
Edit: clearly I missed an important point. We don't care about browser integration. I am not going for 1:1 feature replacement. If you seriously believe "a safe place to keep internal text" is an extremely hard problem that absolutely must be outsourced, I don't know why you would even be involved in technology.
Security seems to be missing entirely from the requirements, for one thing. Access control as well.
But now, thanks to your comment, I finally understand.
FWIW I’m on 1Password and it hasn’t had any of these issues, either. I would not spend dev time on this as a startup/software company founder.
No it would take a junior developer 30 minutes; a seasoned developer would look at you sideways and recommend self-hosting something like Bitwarden.
I highly doubt your engineer is doing proper cryptographic handling of data like they do.
If you use Django's default hasher, for example, you get more hashing rounds in the default config and they increase those periodically (the latter part that LastPass is struggling with, per the article).
https://github.com/django/django/blob/650ce967825aa192222391...
Browser and phone integration: autofill, autoupdate. You can do that too, but it’s not a trivial effort. It’s important because otherwise users will sacrifice security for convenience.
Lastpass also knows how to autochange for some sites. It was hard to lose when I left.
Typically you just need to wait for a user to log in, then validate the password against the old hash and create a new stronger replacement hash. Ending all sessions is a good way to log everyone out and force that. But I'm confused.
If weak password hashes were leaked, then the passwords need to be changed too. Increasing the rounds doesn't prevent attacks on the previously leaked weak hashes. Maybe they expect everyone already did that but some people did it before they increased the hash rounds?
The MFA reset shouldn't be related to the increase in hash rounds, those are unrelated. So they must suspect the MFA seeds were also stolen, but aren't saying it, right?
They were stolen but weren't very clear about it.
From their summary of their latest security incident[1] it says attackers stole:
> Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.
This summary links to a page[2] with more information, but actually on this page they give less information, saying only:
> [Customer Secrets accessed includes] Multifactor Authentication (MFA) seeds - MFA seeds assigned to the user when they first registered their multifactor authenticator of choice to authenticate to the LastPass vault.
1: https://blog.lastpass.com/2023/03/security-incident-update-r...
I assumed they were just increasing the rounds as a general good practice. The best time to plant a tree was ten years ago, the second best time is now, and all that.
I mean, if you have a password manager, it means that you somehow care about your passwords. If you have LastPass, it means that you chose something that was not the default Google Wallet or Apple whatever-it-is-called.
Are there so many LastPass users who haven't followed the news in the last 2 years?
The bitbetter project[0] shims bitwarden licensing for personal use. It might be better if you're looking for complete feature parity and client support.
I'm aware that the backend doesn't implement every API Bitwarden has but I've also never noticed any missing features. It did take some time before Bitwarden Send was implemented, but I can't fault the devs for that. I also expect the upcoming BW passkey support to take a while to make it to Vaultwarden.
Personally, the whole organisations thing is only a nice to have when it comes to hosting Bitwarden. The standard Bitwarden installation eats up gigabytes of memory for (I assume) optimizations for large installations that most self hosters probably don't really need.
Any idea what's missing?
Vaultwarden does add TOTP support, which the free official server didn't last time I checked, so while it may be missing features, it also unlocks features you wouldn't have without paying.
[0] https://bitwarden.com/help/install-and-deploy-unified-beta/
I use keypass, it stores all passwords in a file, encrypted. The file can be stored in Onedrive/Dropbox/ etc.
But the point is, if all the servers in the world go down, I have all my passwords in a local copy. There is also an android app.
You can even edit the database file independently on desktop and on mobile and it will be able to merge two conflicting files.
What's the point of all that garden-walling and 30% tax and hoops you have to jump through if there's still malware?
There's lots of reasons not to use LastPass but I don't think this is high on this list.
[1] https://support.lastpass.com/s/document-item?language=en_US&...
Pretty much all password managers including Lastpass do store the vaults on your device and you can access them offline. The issue here is the borked MFA reset.
1Password apps store local state in an SQLite database. They then package up that database and encrypt it with your chosen master password and a randomly generated password. (The random password is only to protect users who picked a weak master password against a server breach, so it's stored in plaintext on your computer). That encrypted file is uploaded to their server.
There is also an android (and iOS) app. If you edit independently conflicts are merged.
I have a file of hints which are only meaningful to me. Even if a malefactor got hold of the file, it wouldn't help them. (no, I'm not going to give examples; if you can't think of some combinations of characters that only you can remember, then fine, use a password manager). I'm always thinking of new ones, too.
You don't need a unique one for every site, either. Having 15 or 20 that you choose at random means that an invalidated one doesn't affect everything you do.
Occasionally, the Hint file has an actual gibberish password with no hint, where I have to copy/paste it. I think this is fine once in a while.
All I really have to remember is the password for the place where that file is stored, and my email's. Often it happens that my stored hint doesn't work (maybe I forgot to update it), but every site has a Forgot Password link.
I suppose there's some assurance that if I'm indefinitely locked out of the account then at least hackers are, too?
Also I use 1Password at work and find it a bit doddery compared to LP, which is no speed demon itself.
We know they do, since they got their backups stolen not even a year ago lol.
And why would you even trust a cloud based product. If I can't see the hosted source code storing the password then I'm not trusting it regardless.
An example is whether a website's login form works with browser autofill. If it doesn't, it probably means the person who built that page doesn't use browser autofill, which means they probably use the same password on all their personal accounts, which is terrifying. (Bad example for a product that's supposed to replace the browser's built-in password manager, but you get the idea.)
"It's so convenient!" "I don't like having to manually sync between devices with <100% local password manager>!"
Convenience addicts making excuses for their next hit of convenience... no matter how severely convenience harms them.
Convenience has long been an underrated aspect of security. If you make the secure option as convenient (or even more convenient) than the insecure option people will do it. Of course security is always in opposition to convenience to some degree (otherwise we wouldn't have passwords at all, just type in your username to log in, we trust you completely), but minimizing the inconvenience is key to making the system secure in practice. If you make the system too inconvenient people will just work around it no matter how secure it is in theory.
I think we are beginning to understand this and things are improving, but many legacy systems still suffer. For example NIST guidelines have accepted this and now recommend against time-base password rotation[1] but many organizations still enforce it.
1 - is industry gold standard 1password or bitwarden? Key requisite: edge or FF browser extension. (I don't use mobile password management apps and will never do so)
2 - in light of the LP breaches. Do I change all my pw accounts, the master LP account, or both??
Out of an abundance of caution, it would be prudent to change the passwords for the most critical accounts in your life initially. Things like your bank, email, Google. Accounts that losing control of would immediately make you go "oh shit, I can't do X that I need for daily life". Then slowly over time change the less critical ones.
Strangely enough, some places don't fix it when they learn about it. I'm not sure why though, as that makes no sense to me.
Granted, this is just for personal use, and I can totally see a use case for a password manager in a company / corporate environment.
Simply put, after all the reports of last year's breach, I assessed how vulnerable I am. First, my LastPass settings were such that I shouldn't be too affected by their breach; among other things in their self-assessment report, I had the "new" healthy default of 600K iterations. Also, the three most important accounts forming the basis of my online identity were never on LastPass and had unique passwords.
(And yeah, I understand that the security issue isn't purely on technical merit but also a social question of LastPass' reputation as a company. But on a personal level, I didn't really care that much. Moving on...)
Hence, on a personal basis, I didn't see much reason to switch out. The alternative would be the hassle of evaluating a new password manager, exporting data from LastPass, setting up the new password manager on my devices, importing my pre-existing vault, tweaking the new password manager so it behaves as I expected, etc. I know I'm playing the world's smallest violin with this grievance but that's really how it was. I think there was also a confluence of other factors why I didn't want this hassle on my plate at the time (e.g., I remember this was end of last year and I'd rather focus on my holiday arrangements).
I did reach out to family members whom I might've recommended LastPass to in the past though, and advised them to switch out. I didn't believe they could make the same self-assessment that I did.
In the end, I did switch to Bitwarden though. I did go through the hassle as I thought I would but articles like this make me glad I did. The decisive factor for why I did it anyway was that I realized that I might have some passwords/keys in my vault that I use professionally so, out of professional prudence, I switched. Were I not a developer, I might not have had this factor at all.
You want to irritate non-technical people? Tell them that they need to use a password manager.
You want to irritate even technical people? Tell them that the password manager you had to force them to use is going to be replaced by a new one, and _they_ have to do the export/import steps -- despite the fact that their boss is breathing down their neck for four projects that are late, half of which they have no control over.
I'm glad I don't have to worry about the Lastpass breach, but I can absolutely commiserate with anyone who has to care about password managers for other people.
People hate passwords. You can explain to them why passwords are important, how people from the outside can do all kinds of nasty things if you pick weak ones, but people will ignore all that because they never need to deal with the fallout.
When these people eventually get hacked, they will blame their computers, their antivirus, their browsers, the websites they use, and most likely also the most recent person who touched the computer.
Password security is like herding toddlers. This is why I'm looking forward to a future where physical keys and passkeys are supported essentially everywhere. We don't even need them as 2FA because they work fine as a first factor in most cases, though 2FA would be much better of course.
And to be honest, whoever manages normal people's IT is probably partially to blame for the hate most people have for passwords. Things like monthly password resets, session tokens that last less than a work day, separate passwords with slightly different usernames across different applications, and all kinds of other useless limitations are why people hate passwords so much: using a password manager once or twice is fine, but having to use it to copy/paste passwords every other hour is tedious and terrible.
Companies unable or unwilling to fix their terrible password setup should invest into something like Yubikeys to at least make the process less frustrating. The difficult part is getting a backup when people lose their keys, but you can probably use passwords as a fallback until a new key can be arranged.
At least for a personal account, the 1password import tool worked flawlessly (as far as I can tell after about a month switched) .
Does it not work for enterprise? Or perhaps each would have to run it?
It’s such an important lesson for informed people, and tech people, especially, to learn: our context is absolutely not the common one. Things that are obvious and clear to us are a world away for most others.
Partially, laziness, partially hard to change flows, partially hard to migrate, partially I don’t believe that it’s THAT bad, though the last one is the one I’m least sure.
I had already left by then but I would have otherwise.
https://community.bitwarden.com/t/implement-multi-account-se...
Password managers have a stickyness to them. Moving is hard. There are import/export functions, but I found all of them have issues.
Moving needs to be fast and seamless enough that I can move my entire family without hassle. Thats why I'm stuck.
It’s just called “Passwords”. Consistent with “Mail”, “Notes”, “Reminders”, “Calendar”, but it doesn’t have a dedicated app like the others (it’s inside System Settings).
The global company I work at uses it, they have an enterprise-wide contract. Migrating to something else is just a massive PITA, extra costs & sure downtime.
Keepass plus syncthing works for me; Keepass' autotype is great.
1. The main competitor everyone knows about, 1Password, has its own problems. (I gave up on it a couple years ago after learning that you can't quit the goddamn MacOS application when it's logged out. It literally requires you to be logged in to make use of a super-secret-strong quit that doesn't leave some daemon on the system. Which is incredibly irritating when you're trying to just run a software update but instead you have to type your super long and secure password manager password.)
2. Transitioning passwords is hard even once you find a good alternative. One should change passwords after a breach, but there are basically three options: (a) use the automated password changing within the old password manager. But if you don't trust your password manager after a breach, it's probably a bad idea to use the automated password changing feature of said password manager and end up with your new passwords in the insecure service. (b) import everything to a new password manager and change from there. But if you have a lot of passwords, there's a good chance the new password manager won't be able to automatically change them all, and then you'll either have to carve out a huge amount of time to do it all at once, or have a mixture of secure and insecure passwords in the new password manager, which seems very problematic. (c) gradual transition: move the mission critical passwords first and change them on the spot, then as you use a less important service, change the password for that and move it to the new service as you go. Which makes sense, but means you'll still be using the shitty old one for a while.
1. Comb through your last pass, and delete cruft
2. Signup for 1password https://1password.com/switch/
3. use their auto import tool to pull from lastpass
4. Profit for ~3 months just for safety
5. Delete each item in last pass (who know if they do hard or soft delete?)
6. Request account deletion https://lastpass.com/delete_account.php
I can't see how any business would allow secrets to be stored on hardware they don't control
Earlier versions allowed the store to be on other sites like dropbox for syncing or on your own servers or a mix.
Note I do use 1password as I don't need any corporate secrets at the moment. It allows me to use other browsers than Safari and also Windows and macOS
If businesses can't trust any of that, then we wouldn't have any online businesses.
I can have an offline password manager that just works, for free, and I don't have to worry about backdoors or hackers or incompetence.
LastPass has known issues and IT departments can make an understandable recommendation to the business to pick Bitwarden even with a slight cost premium. There is nothing to justify the insane premium 1Password demands. I have seen them lose multiple contract opportunities because of this.
Note: The dollar quotes are made up numbers, but the percentage differential is real. 1Password is often 50% higher in total cost.
All of my banks use a mobile app for confirming transactions, which requires me to login. Sometimes that requires reauth not just biometrics. I'm not going to go home and try and type a 20-30 character password into a phone when trying to pay for car parking.
It syncs via git and syncthing.
I think I've been using this longer than BitWarden has existed and will be using it after something happens with BitWarden and triggers another migration.
Once again, a one-time learning and cost of setup has saved me countless headaches and time not spent migrating over the years.
I use password store (the pass command-line utility). At its core it's GPG-encrypted files in a local git repo, with a convenient command-line utility to manage them. It's cloud-free and runs on my local machine. If you need to sync, you can use git push/pull to do that.
I don't use it from mobile as I do very little on my phone that requires a password, but if you need that there are options:
I would be careful about judging the experience of all online password managers based on LastPass.
But it does mean that if one of those passwords gets leaked and the service that leaked it takes a while to notice, you now have X other services that are compromised and you don't even know it.
There are breaches on haveibeenpwned for my email that I was never notified of. If I were reusing passwords, each of those would represent a possible security breach in unrelated accounts.
Maybe they're like diseases you have that aren't any threat to your health.
If some site is really important, then yes: you do need a unique password for it.
Seems like you do, in the form of a hints file. You even protect it with a password. You’re using a bespoke solution, sure, but you’re still using something to manage your passwords. You could do all that trickery with an off-the-shelf password manager.
or is that a hint that's only meaningful to you? /s
"human validation of domains" : not sure what you mean here but I think it's a theoretical problem, not a real one.
If you're afraid of misspelling your bank's name and landing on some malware, you can enter the bank name in your search engine.
• Pros - actually secure
• Cons - takes about 18 seconds longer and teeny tiny bit of cognitive effort
Options 1 and 2
• Pros - Caters to NPCs and other entities incapable of thought, effortless
• Cons - horrific and lengthy track record of brutally failing to perform the SINGLE necessary function, keeping passwords secure.
At some point at the company I work for, we decided to change hashing algorithms and we did it on the fly when users authenticated again. Users were happy, we were happy.
But as someone already said here, there's a high probability that the OTP seeds were stolen so that's why they are doing this forced reset for MFA re-enrollment.
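The on-the-fly rehash described in this comment, and in the earlier comments about Django raising its default iteration count and validating against the old hash when a user logs in, as an added example that is not Django's, LastPass's or any commenter's code. The record format, function names and the legacy iteration count are constructed.

```python
"""Upgrading password hashes on the fly at login.

Added example (not Django's or LastPass's code): the stored record carries its
own iteration count, so a login verifies against the old parameters and, because
this is the only moment the server holds the plaintext, immediately re-hashes
with the current ones. Record format and names are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000      # today's target; raise it periodically


def make_password(password: str, iterations: int = CURRENT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Encode as 'algorithm$iterations$salt_hex$digest_hex' so the record is self-describing."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def parse_password(encoded: str) -> Tuple[int, bytes, bytes]:
    """Split a record into (iterations, salt, digest); reject hashers we do not know."""
    algorithm, iterations, salt_hex, digest_hex = encoded.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported hasher {algorithm!r}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def check_password(password: str, encoded: str) -> bool:
    """Verify with the parameters recorded in the hash itself, comparing in constant time."""
    iterations, salt, digest = parse_password(encoded)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(encoded: str) -> bool:
    """True when the record was made with fewer iterations than the current target."""
    return parse_password(encoded)[0] < CURRENT_ITERATIONS


def login(password: str, encoded: str) -> Tuple[bool, str]:
    """Return (authenticated, record_to_store); the caller persists the second value.

    Only a correct password can be re-hashed, so users who never log in keep the
    weak record, which is why ending all sessions forces the upgrade. The limit:
    a record that has already leaked stays attackable at its old cost whatever
    the server does now; only changing that password helps there.
    """
    if not check_password(password, encoded):
        return False, encoded
    if needs_rehash(encoded):
        return True, make_password(password)   # fresh salt, current iteration count
    return True, encoded


if __name__ == "__main__":
    legacy = make_password("correct horse battery", iterations=5_000)   # constructed old record
    ok, upgraded = login("correct horse battery", legacy)
    print(ok, needs_rehash(legacy), needs_rehash(upgraded))              # True True False
```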
I have an app in the Play Store and received some unsolicited requests to install (and get paid for!) adding some extra jar file to my app and hosting someone else's apps in my account. Attackers put in a lot of effort to sneak in.
[1] https://www.wired.com/story/apple-app-store-malware-click-fr...
[2] https://www.reddit.com/r/KeePass/comments/13o0s0q/ioskeepass...
Having fewer malware would still be a worthy goal. That said, I’m not defending the App Store. It’s still riddled with junk, ads, casinos for children in the form of free-to-play games, and adult casinos disguised as children’s games.
https://soyacincau.com/2021/04/17/ios-app-games-for-children...
I can imagine a security professional explaining to a random person everything they ought to do to be secure. Not gonna happen.
The core problem with the LastPass breach was their response to it, not necessarily that they were pwned in the first place. Like, the whole point of password protected vaults is to make this situation less harmful.
What they do know is how annoying it was to have to set up LastPass, entering each and every password, dealing with accounts and setup and recovery keys, and the process of getting used to it.
Unless LastPass adds a button that says "click here to switch to a competitor", I doubt their remaining customers will ever leave the problem.
And whether it's passphrases or passkeys, we still haven't solved the problem of the gajillion other accounts people will have to log into to do work that are nowhere near that standard.
Your password store is a single file, it can be encrypted, backed up (or not), distributed/synchronized between your devices (or not). It belongs to you, not to a third party.
The inevitable rejoinder is, "what happens if someone gets that file?" Well, what happens if someone gets your piece of paper?
Considering it's in my house there is a short list of suspects, unlike exposing it to the entire world VIA TCP/IP, but yeah I get your point.
> Will you ever use a password manager.
Not for personal matters and that is a personal choice. My way ain't broke and I ain't fixin' it. A password manager smells like something that could break, get compromised, or go out of business at any time without any warning and I don't like the smell of it.
I also code with Notepad++ with none of that autofill suggestion crap and doesn't take 8 smoking cores to fucking type a sentence if that tells you anything about my personality. Get off my lawn!!!
I did change them. Very quickly for the important ones, more slowly for the others.
I'm with GP. Some things are worth taking a modicum of effort and doing right. Especially for this, especially for this audience.
Given how it has been going with LastPass, I don't see how one would still trust them with their passwords.
If "convenient + good" isn't good enough and your credential is compromised, your solution fails completely, 0% score.
If "inconvenient + better" does prevent the compromise of your credential, then it is an absolute success, 100% score.
Prioritizing convenience over security while selecting your password manager is like prioritizing keyless entry over functioning brakes while shopping for a used car - it's clearly a stupid decision even from the perspective of a layperson.
I'll shed zero tears as I play the world's smallest violin when people who've made such decisions have their identity stolen, home foreclosed, and savings drained because "muh convenience!"
But in practice, making people change their passwords regularly ends up with them inventing convenient workarounds to avoid the mental overhead of having to learn a new password constantly. “Last month I used `Passw0rd!23`. This month I’ll use `Passw0rd!24`.” And then when their password DB is inevitably breached, an attacker has a pretty great guess as to what their password will be next month.
In a perfect world where everyone perfectly followed perfect instructions to the letter, convenience isn’t critically important. In the one we actually live in it, is. And it’s not just me saying this.
Is this your polite, roundabout way of saying "A number of users are literally so stupid that they're incapable of making rational decisions in their own password management practices"?
I would tend to disagree. I think most people have the capability to follow instructions and act responsibly, when they want to. We really shouldn't be letting the general public drive 3-ton SUVs capable of rapidly accelerating to 120+ mph (200+ km/h) if that weren't true, right?
It's not like I don't store in the cloud, since my database is in the cloud. Why would I store the keyfile next to the database?
It’s a very real and not theoretical problem. For example, someone sends you a link to a Google Doc. You open it and the page looks exactly like the real deal, but the domain is `signin.googledocs.com` or `login.googgle.com`. Even a technical user could not be paying attention and be fooled by that, manually entering their email and password. Because a password manager would only auto-fill your password on the correct domain, you have an extra reason to be suspicious and note something is amiss.
Yes, of course all of these kind of attacks can be avoided by "just don't do anything dangerous", but in the real world we are all flawed and mess up. No human can be perfect, and relying on never making a mistake makes you vulnerable. Anyone serious about security makes it hard to do the wrong thing.
Hardware security keys are an even better solution, but not every site supports them. Both is by far the best option.
How is this possible? I must have at least 50 passwords I use with some regularity and many more I use once a year or so. All my passwords are at least 16 characters long and totally random. Are you able to remember that without compromises like repeat passwords or patterns used for generating them (including website name in password or similar)?
https://www.eff.org/deeplinks/2016/07/new-wordlists-random-p...
This generator uses a different wordlist with about 18000 words.
https://1password.com/password-generator
Using a quick back-of-the-napkin calculation, you get roughly this amount of entropy from 1password's wordlist when compared to random alphanumeric strings [a-zA-Z0-9]:
- 5 words ≈ 12 chars
- 6 words ≈ 14 chars
- 7 words ≈ 17 chars
- 8 words = 19 chars
If we take 5 words as the minimum you'd want to use on a web service:
- halvers persia dutiful manes party
- append medalist society duke disobey
- acoustic halo assuage upkeep dexter
- area theist motile align trespass
As a non-native English speaker (which should be obvious from my strained speech), I'd say it's rememberable enough.
Anyone else reading this: do not just remember your passwords. Unless you’re Lord Nikon, if you can remember more than a handful of passwords, it’s because they’re weak enough to be memorable. Or worse, used in more than one place!
Use a password manager. Always. For everything.
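The back-of-the-napkin entropy comparison a few comments up (5 words from an 18,000-word list ≈ 12 alphanumeric characters, and so on), worked through in code. This is an added example, not 1Password's or the EFF's code; the 18,000-word list size and the 62-symbol alphabet come from the thread, the EFF large list size (7,776 words, one for each outcome of five dice) is a known figure, and SAMPLE_WORDS is a constructed stand-in for a real wordlist.

```python
"""Passphrase entropy versus random alphanumeric strings.

Added example (not 1Password's or the EFF's code). A uniformly random choice of
`length` items from `choices` possibilities carries length * log2(choices) bits,
which puts both schemes on one scale. SAMPLE_WORDS is constructed so the
generator runs offline; a real passphrase must draw from a full list.
"""
import math
import secrets
from typing import Dict, Iterable, Sequence

WORDLIST_1PASSWORD = 18_000   # size quoted in the thread for 1Password's list
WORDLIST_EFF_LARGE = 7_776    # EFF large wordlist, 6**5 entries
ALPHANUMERIC = 62             # [a-zA-Z0-9]

# Constructed stand-in taken from the sample passphrases above; far too short to
# protect anything (log2(8) = 3 bits per word).
SAMPLE_WORDS = ["halvers", "persia", "dutiful", "manes", "party", "acoustic", "halo", "upkeep"]


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy in `length` independent uniform picks from `choices` symbols."""
    return length * math.log2(choices)


def equivalent_chars(words: int, wordlist_size: int = WORDLIST_1PASSWORD,
                     alphabet: int = ALPHANUMERIC) -> int:
    """Random alphanumeric length with (about) the same entropy as `words` words."""
    return round(entropy_bits(wordlist_size, words) / math.log2(alphabet))


def comparison_table(word_counts: Iterable[int] = range(5, 9),
                     wordlist_size: int = WORDLIST_1PASSWORD) -> Dict[int, int]:
    """Reproduce the thread's table: number of words -> equivalent alphanumeric chars."""
    return {n: equivalent_chars(n, wordlist_size) for n in word_counts}


def passphrase(words: int, wordlist: Sequence[str] = SAMPLE_WORDS) -> str:
    """Pick words with the OS CSPRNG; never use random.choice for secrets."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for n, chars in comparison_table().items():
        bits = entropy_bits(WORDLIST_1PASSWORD, n)
        print(f"{n} words from 18000 ~ {bits:.1f} bits ~ {chars} alphanumeric chars")
    print("5 EFF words ~", equivalent_chars(5, WORDLIST_EFF_LARGE), "chars")
    print("demo only:", passphrase(5), "->", entropy_bits(len(SAMPLE_WORDS), 5), "bits")
```

The smaller EFF list makes the point that wordlist size, not just word count, sets the entropy: five EFF words come out at about 11 alphanumeric characters rather than 12.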
Nor are my passwords weak. Okay; seeing as one of my passwords expired lately.
U0ptz#^7--9
You zero pee tee zee hash up-thinggy 7 dash dash nine
Another:
L0@!tF..9w&
Lel zero at metal-gear-solid-noise tee follow dot dot nine walks and
I find that stuff very easy to remember. I just make a fantasy story based on the password.
L9d£5"s
Little 9 ducks cost 5 said sir.
HNr!##@t
Hacker News really can suck balls at times.
> And why would you even trust a cloud based product.
1Password's security model sounds pretty reasonable to me. The convenience of having my Passwords backup and synced to my devices is worth the tradeoff in security in my case.
I've got close to 1500 stored passwords. How does one even start to remember those?
You don't have to store passwords in an off-the-shelf password manager; you can store secure notes and files. In other words, you could continue to use your current method of hints but with more organisation.
Point being that what you’re doing is not meaningfully different from using a password manager, you just manage your passwords in an uncommon manner.
As far as I know. Maybe someone does do that?
Anyhow, password managers cost money. This doesn't.
And there are plenty of free (and open-source) password managers.
https://en.wikipedia.org/wiki/List_of_password_managers
It’s fine that you don’t want to use an off-the-shelf password manager, but if you’re not familiar with how they work in practice, perhaps you should not advise people to not use them. Your system is a way to manage passwords and from your description seems to be more complicated than most people (especially non-technical users) would bear.
When implemented correctly a password manager storing the database shouldn't have any information (keys) to decrypt the database. Only the user & the client know this information, and it never leaves the client.
There is still the matter of authenticating to the password manager service to retrieve the database. There are a couple of ways to do it, but usually a strong password hash (least desirable and I think this is what LastPass uses) or a Password Authenticated Key Exchange (PAKE) in which the service keeps an authenticator to verify your password/credentials but the authenticator cannot be reversed or attacked to determine the password (similarly, observing the PAKE transaction over the wire or MITMing it won't allow any attack to find the password).
Even if the authentication aspect fails and someone could download all the databases, the database should be protected with at minimum a slow password hash, so a dictionary attack should be very slow. I believe LastPass has stuffed this up in the past. On the other hand, 1Password took a proactive stance despite a hit to the UX by requiring a password + "secret key" which is I believe at least a 128-bit secret that's mixed together to come up with a high entropy password that is used to encrypt the database - so an attacker will have a hard time with any 1P database.
Put bluntly, as a 1P user I'm the least bit concerned that the database is stored in the cloud. I guess the only thing I have to worry about is a surreptitious version of 1Password being distributed to my machine which may capture/exfil my password & secret key. I guess not being open source is a net negative here. So I do place some trust and faith in AgileBits to protect their supply chain and software distribution. Their reputation depends on the security of the service after all.
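The "slow password hash versus password mixed with a high-entropy secret key" point above, as an added illustration that is not code from the thread and not 1Password's or LastPass's actual scheme. Every parameter here (PBKDF2 work factor, HMAC as the mixing step, the salt and secret-key values) is a constructed assumption chosen to show the principle: a leaked database protected only by a slow hash still yields to a dictionary attack on a weak master password, while the same database keyed with an additional 128-bit secret does not unless the secret is stolen as well.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for the illustration; not any vendor's real values.
ITERATIONS = 50_000        # slow-hash work factor (PBKDF2 rounds)
KEY_LEN = 32               # 256-bit derived key
SECRET_KEY_BYTES = 16      # the "secret key" is a random 128-bit value


def new_secret_key() -> bytes:
    """Generate a fresh 128-bit secret key; in a real client this would be
    created once at enrolment and never sent to the service."""
    return secrets.token_bytes(SECRET_KEY_BYTES)


def slow_hash(password: str, salt: bytes) -> bytes:
    """Password-only vault key via PBKDF2-HMAC-SHA256. A leaked database is
    still subject to an offline dictionary attack, just an expensive one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=KEY_LEN)


def mixed_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Vault key that mixes the slow password hash with the 128-bit secret
    key (here via HMAC, an assumed construction). Without the secret key the
    attacker's search space grows by a factor of 2^128 over the wordlist."""
    return hmac.new(secret_key, slow_hash(password, salt), hashlib.sha256).digest()


def dictionary_attack(target: bytes, salt: bytes, candidates, secret_key=None):
    """Offline guessing against a leaked vault key, used here to measure the
    defence. secret_key=None models an attacker who only has the database."""
    for pw in candidates:
        guess = slow_hash(pw, salt) if secret_key is None else mixed_key(pw, secret_key, salt)
        if hmac.compare_digest(guess, target):
            return pw
    return None


def demo():
    """Compare the two designs on a deliberately weak master password."""
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")          # constructed
    secret_key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")    # constructed, fixed for repeatability
    weak_password = "correct horse"
    wordlist = ["password", "letmein", "correct horse", "hunter2"]    # constructed tiny dictionary

    leaked_pw_only = slow_hash(weak_password, salt)
    leaked_mixed = mixed_key(weak_password, secret_key, salt)
    return {
        # password-only slow hash: the weak password is recovered
        "pw_only_cracked": dictionary_attack(leaked_pw_only, salt, wordlist),
        # mixed key, attacker lacks the secret: the same wordlist finds nothing
        "mixed_without_secret": dictionary_attack(leaked_mixed, salt, wordlist),
        # mixed key, attacker also stole the secret: back to the weak password
        "mixed_with_stolen_secret": dictionary_attack(leaked_mixed, salt, wordlist, secret_key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The third result is the caveat the comment itself raises: the secret key only helps while it stays on the client, so a tampered client build that exfiltrates it collapses the scheme back to the password-only case.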
Edit: what do you consider "complicated"? Compared to all the inevitable complications of a PW manager and browser extensions? Not to mention screwups like the LastPass one.
Any less sophisticated user needs to be told that. If you go to some classes for new computer users, I'm pretty sure that'll be in the first hour.
Anyhow, HN readers don't fall in that group.
All in all, it does take (much) more than 30 minutes.
It’s certainly not perfect, but I’m not quite sure these issues are consistent enough to be indicative of BitWarden’s quality. I mean, if it's lost your passwords I would assume that’s something worth making an issue about on their GitHub?
Do we know that considering how they handle iframes and how lax they seem about it?
That's because you don't have or don't know about all those custom fields that don't get exported by LastPass, which turns real migration from 30min to many hours
Also it'd be wise to change passwords during the migration as well given all the hacks, which is another set of hours
I would argue if password updates are required because of LP's insecurity, that's really not a migration issue, that's just a LP issue.
If you're still using LP, and haven't been bitten by this, do it now. Do the migration.
Once the migration is done, start rotating passwords as soon as you can.
I have over 300 passwords, multiple cards. Multiple notes. All synced flawlessly.
Any shortcuts used by extensions based on the WebExtensions API are changeable. If you're on Firefox, press Ctrl+Shift+A (or go to about:addons), open the gear menu, and click "Manage Extension Shortcuts".
I had to modify the native CSV with some vim magic to add a line delimiter for each record so it allowed for spanning over multiple lines in order to successfully import each entry - which also required the importer to allow for an additional EOR marker.
Even then there wasn't a 1:1 column match between pw apps.
Without this step though all sorts of hell breaks loose, and if you don't notice the columns got out of sync during import because a note had a few commas in it, what good is it to you really? It's a hell of a mess that you may not notice until it's too late.
There should also be a verify feature for any import that can query the original source via some API calls - or use that to do the import. Of course nobody is going to provide that because it means users can leave their ecosystem too easily - but the other thinking is customized backups to a PGP destination suitable for direct import via the same API calls.
This was for LP to KeePass BTW.
* Use a different name for each account
* Use different "personal information" (date of birth, etc.) for every account
* Track "security" questions and randomly-generated answers for each account, for services that still use that terrible approach
* Track which phone number is associated with each account, for services that use SMS MFA codes
* Attach list of one-time recovery codes to accounts that use those
* Attach source of credential information when credentials were sent by someone else for e.g. testing
There's six reasons off the top of my head. I'm sure there are more.
Custom ones are usually all banking sites. One does not use standard field names so bitwarden does not detect it. Another has an extra field for user (bank customer company id, password, then particular user's name).
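The two migration problems raised in this thread, notes with embedded commas or newlines shifting columns during a CSV import, and custom fields silently dropped on the way from one manager to another, as one added Python example. This is not code from any commenter and not LastPass's, KeePass's or Bitwarden's own import logic; the sample export, its column names and the target column names are constructed assumptions standing in for whatever the two tools actually emit and accept. It parses the export with proper RFC 4180 quoting, refuses any record whose field count does not match the header, folds every non-core column into the notes field so nothing is lost, and re-reads its own output as the verification step the comment above wishes importers shipped with.

```python
import csv
import io

# Constructed sample export (not a real LastPass file). The first record's
# "extra" (notes) field contains a comma and an embedded newline, which is
# exactly what breaks splitting on newlines and commas.
SAMPLE_EXPORT = (
    "url,username,password,extra,name,grouping,fav\n"
    "https://bank.example.test/login,alice,s3cret-one,"
    '"Customer id: 12345, branch: Main\nSecurity q: random answer",Example Bank,Banking,0\n'
    "https://shop.example.test,bob,s3cret-two,,Example Shop,Shopping,1\n"
)

# Assumed source header; assert on it so a changed export format fails loudly.
EXPECTED_COLUMNS = ["url", "username", "password", "extra", "name", "grouping", "fav"]

# Assumed target column names for the destination manager's generic CSV
# import; adjust to whatever the importer you use actually expects.
TARGET_COLUMNS = ["Title", "Username", "Password", "URL", "Notes"]


def naive_record_count(text: str) -> int:
    """The wrong way: one physical line == one record. Multi-line notes make
    this overcount, and commas inside notes would shift every later column."""
    return len([ln for ln in text.splitlines() if ln]) - 1  # minus header


def parse_export(text: str):
    """Parse with the csv module (handles quoted commas and newlines) and
    validate that every record has exactly the expected columns before
    anything is imported. Returns (good_records, problems)."""
    reader = csv.DictReader(io.StringIO(text), restkey="_overflow", restval=None)
    if reader.fieldnames != EXPECTED_COLUMNS:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    records, problems = [], []
    for row in reader:
        if "_overflow" in row:                      # more fields than headers
            problems.append((reader.line_num, f"too many fields: {row['_overflow']!r}"))
            continue
        missing = [k for k, v in row.items() if v is None]   # fewer fields than headers
        if missing:
            problems.append((reader.line_num, "missing fields: " + ", ".join(missing)))
            continue
        records.append(row)
    return records, problems


def to_target_rows(records):
    """Map the core columns onto the target schema and fold every other
    column (grouping, favourite flag, any custom field) into Notes so that
    nothing is silently dropped in transit."""
    core = {"name": "Title", "username": "Username", "password": "Password",
            "url": "URL", "extra": "Notes"}
    out = []
    for rec in records:
        row = {core[k]: rec[k] for k in core}
        leftovers = [f"{k}: {v}" for k, v in rec.items() if k not in core and v != ""]
        if leftovers:
            row["Notes"] = (row["Notes"] + "\n" if row["Notes"] else "") + "\n".join(leftovers)
        out.append(row)
    return out


def write_target_csv(rows) -> str:
    """Emit the target CSV with every field quoted, so embedded commas and
    newlines survive the next importer too."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=TARGET_COLUMNS, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def roundtrip_ok(text: str) -> bool:
    """Verification step: re-parse what was written and check that the record
    count and the passwords match the validated source records."""
    records, problems = parse_export(text)
    if problems:
        return False
    back = list(csv.DictReader(io.StringIO(write_target_csv(to_target_rows(records)))))
    return [r["Password"] for r in back] == [r["password"] for r in records]


if __name__ == "__main__":
    print("naive count:", naive_record_count(SAMPLE_EXPORT))   # overcounts
    good, bad = parse_export(SAMPLE_EXPORT)
    print("parsed:", len(good), "problems:", bad)
    print(write_target_csv(to_target_rows(good)))
    print("roundtrip ok:", roundtrip_ok(SAMPLE_EXPORT))
```

Run it on the constructed sample and the naive line count says three records while the parser finds two; append an unquoted record containing a stray comma and the parser reports it as a problem instead of importing shifted columns.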