Password Security Catch-All Thread

I think *which* manager you use matters much less than using *a* manager.

TempestBlayze wrote:

I am surprised not many people around here are using 1Password. I actually switched over from Lastpass and like the experience better. At the end of the day however, they do the same thing.

I just don't like the pricing for 1Password. I use all types of operating systems (iOS, OS X, Windows, Android) so I would have been punished, financially, for using it on all my devices. LastPass is just 12 bucks / year to use anywhere you want.

Lastpass is free if you don't need mobile integration.

I've never even looked into 1Password, I tried KeePass, then LastPass and I bought into LastPass and haven't looked back. Looking at it now 1Password seems crazy expensive.

Malor wrote:

Personally, I just don't think storing your passwords on any cloud service is a good idea. You have only their word that they can't decrypt your files -- and the government, at the very least, can require them to lie to you.

This is what kept me from using any password manager for a long time. I almost pulled the trigger on KeePass a couple of years ago, but I did not feel I could trust an online-based solution. I did not even feel that solutions which kept your file local were any better unless I did far more network monitoring than I really wanted.

I've finally decided to change tune and start using LastPass. I still have some misgivings, but having done some reading, and seeing information like what *Legion* wrote, I feel a little better.

The fact that LifeHacker recently reminded me of the topic did not hurt, either.

Basically, I feel the risk of using LastPass (or something similar) is less than the risk I was imposing upon myself through poor password habits. Having the tools to generate strong and unique passwords, and the encouragement to do so, really helps.

I looked into using 1password as well, but decided on LastPass because I want to be able to access my passwords at home & work (both on PC), and might want to use their Android app as well.

Hrdina wrote:
Malor wrote:

Personally, I just don't think storing your passwords on any cloud service is a good idea. You have only their word that they can't decrypt your files -- and the government, at the very least, can require them to lie to you.

This is what kept me from using any password manager for a long time. I almost pulled the trigger on KeePass a couple of years ago, but I did not feel I could trust an online-based solution. I did not even feel that solutions which kept your file local were any better unless I did far more network monitoring than I really wanted.

I've finally decided to change tune and start using LastPass. I still have some misgivings, but having done some reading, and seeing information like what *Legion* wrote, I feel a little better.

I looked into using 1password as well, but decided on LastPass because I want to be able to access my passwords at home & work (both on PC), and might want to use their Android app as well.

That's why I started using Password Safe along with the Android/iOS/Mac/Windows app. I don't trust LastPass or any of the cloud providers, especially as most of them are based in the USA. PasswordSafe (and associated apps) all sync to a safe that I have stored on a server in my house, and I just recently pushed that safe up to Dropbox. To me, it's the best of both worlds, since I'm retaining as much control as I can while still being reasonably connected.

Yep, that gives you basically the best of all worlds... you have a password manager, you have both local and same-house server storage, and you have an encrypted cloud backup that's (hopefully, anyway) completely impenetrable to anyone but you.

Possible weak point there: how good the encryption is on the password file, as well as how good your password is. Remember that, as soon as it goes over the wire, it can be bruteforce-attacked by anyone with a tap anywhere on that wire, so the encryption needs to be good, and the master password needs to be excellent.

Malor wrote:

Possible weak point there: how good the encryption is on the password file, as well as how good your password is.

Remember that, as soon as it goes over the wire, it can be bruteforce-attacked by anyone with a tap anywhere on that wire, so the encryption needs to be good, and the master password needs to be excellent.

The password is 14 characters and the full mix (upper, lower, special, number). I'm changing it in a couple of weeks (I aim for once a quarter).

I don't know how to audit how good the encryption on the file is, but I do know they've been examined by Bruce Schneier and Wikipedia shows that PasswordSafe was updated to the Twofish algorithm in the 3.XX series. That brings me some peace of mind, and is the reason I've stuck with it for the time being.

Yep, that's probably about as good as you'll reasonably get. One of the things we learned from Snowden: good encryption works. There's just a lot of crappy encryption with lousy code.

Oh, and I'd suggest not using a password of a fixed length, because if someone happens to tag that in a 'facts' file about you (not as crazy as you might think), that means they won't have to search all the passwords up to 13 characters. Rather, generate your passwords so that they're at LEAST X characters long -- and then never tell anyone the value of X.

Lastpass has been hacked and some info taken. They are urging everyone to reset their master password. Servers are currently overloaded...

mrtomaytohead wrote:

Lastpass has been hacked and some info taken. They are urging everyone to reset their master password. Servers are currently overloaded...

Didn't get any notice or see notices anywhere, but I just managed to change mine. Not entirely sure if other passwords should be reset. The auto-generated ones are easy, it's the ones I have to type which are the headache.

From the LastPass blog:

If you have a weak master password or if you have reused your master password on any other website, please update it immediately. Then replace the passwords on those other websites.

Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.

I think my master password is alright, but it's probably due for a change anyway. Already use multifactor authentication.

No sweat.

Edit: "You last changed your LastPass master password 1365 days ago." Okay, yeah, time for a new one.

Master password updated.

Thanks for the clarification. Glad it wasn't a worse breach. I need to look into multifactor at some point.

Gravey wrote:

From the LastPass blog:

If you have a weak master password or if you have reused your master password on any other website, please update it immediately. Then replace the passwords on those other websites.

Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.

I think my master password is alright, but it's probably due for a change anyway. Already use multifactor authentication.

No sweat.

Edit: "You last changed your LastPass master password 1365 days ago." Okay, yeah, time for a new one.

Ha! I last reset my password 54 days earlier than you!

Sorry for no link originally, I heard from a friend and then only found a quick article before posting.

My master password had been over two years old. Changed.

There are a bunch of multifactor options (I have a Premium account), and I have no idea how to pick one. Can anyone here comment on how they work and how they differ?

KeePass ftw.

Damn, I think that'd pretty much sink a company like LastPass.

Thanks for posting this, though. I reset my password even though I no longer use the service.

misplacedbravado wrote:

There are a bunch of multifactor options (I have a Premium account), and I have no idea how to pick one. Can anyone here comment on how they work and how they differ?

I use Google Authenticator on my phone since I'm already using that for Gmail et al. I didn't know there were other options.

Gravey wrote:
misplacedbravado wrote:

There are a bunch of multifactor options (I have a Premium account), and I have no idea how to pick one. Can anyone here comment on how they work and how they differ?

I use Google Authenticator on my phone since I'm already using that for Gmail et al. I didn't know there were other options.

They added YubiKey and a bunch of other tokens. Google Authenticator is my choice, as it's always around and you usually need it just once per device.

Quintin_Stone wrote:

KeePass ftw.

IMAGE(http://i.imgur.com/xibh4MV.jpg)

Quintin_Stone wrote:

KeePass ftw.

Finally, my slightly Luddite and overly paranoid choice pays off!

I'm kinda angry because I don't trust them to tell us what really happened.

DanB wrote:
Quintin_Stone wrote:

KeePass ftw.

Finally, my slightly Luddite and overly paranoid choice pays off!

Same here. KeePass and miniKeePass for my phone/tablet. Manually copy the db file from my desktop once a month unless I change something vital.

OK, let's talk about LastPass and this leak, as there seems to be a lot of misunderstanding about what it means security-wise.

Your security does not come from a service's ability to control access to your vault. That is just bonus. Rather, your security comes from the quality of the hashing/encryption, and that alone.

The idea that an offline password vault like KeePass is significantly more secure is a folly. Even if you do not intentionally put your vault in the cloud, you are putting it on a machine running other software which could be compromised and push that vault file to a remote entity. Your security does not come from access control to your vault file. Your security comes from the quality of the vault's encryption that prevents someone from decrypting that file. Every other factor is a distant, distant second.

You should, at all times, consider your vault file exposed.

That's not to say access control is meaningless. It is a meaningful additional layer. But mistaking access control as the primary source of security is what leads to some confusion.

In other words, if you are willing to use LastPass, you should be willing to do so even if your salted hash (which was leaked) and your password vault (which was not) were forever posted by LastPass on their front page for the world to download.

Likewise, if you are willing to use KeePass, you should be willing to do so even if your vault were posted online for every hacker to download. If it cannot hold up in such a situation, then it is unfit to use.

It is true that with LastPass, you are counting on the security of two separate things: your vault, and the salted hash that represents your master password. Both of these, however, are very well secured, particularly after LastPass upgraded their hashing algorithm a few years ago. In reality, there is little need for anyone to go scrambling to update their master passwords, even though it is good practice to do so, and sensible to do so after the leak. But in practice, the hashes generated by that algorithm (with the work factor cranked up as LP did) are light years beyond any practical offline brute forcing.

For those that think KeePass is giving them superior security, consider the fact that KeePass's vault format uses a custom key derivation function that predates PBKDF2, apparently in order to maintain backwards compatibility. Someone was complaining about it on HackerNews just today after reading through the KeePass source and calling its implementation into question. LastPass uses PBKDF2 for its key derivation, which is widely used and understood, not home grown (1Password also uses PBKDF2).

That said, all of these vaults should be considered secure enough for general personal use. But no one should be under the illusion that controlling access to the vault file is where your security comes from.

For all of these tools, the biggest threat is not the forced decryption of the vault, but a malicious update to the client software. This is every bit as true for offline clients like KeePass and 1Password as it is LastPass, but it is fair to recognize that LastPass is an automatically updated browser extension, and a malicious update being made and reaching users is probably a little bit more viable in that situation than it is for the others.

DISCLAIMER: I am not a crypto expert (or even a crypto novice) and you should not bet your life on my descriptions or advice.
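To make concrete what Malor's advice above (an excellent master password of undisclosed length) and *Legion*'s post (the security of a leaked salted hash rests on the key derivation and its work factor, not on who can reach the file) are arguing, here is an added Python example. It is not code from this thread nor from LastPass, KeePass, 1Password or Password Safe. The two-stage derivation (PBKDF2-HMAC-SHA256 for the vault key, one further one-way round to produce the server-side authentication hash), the iteration count, the account id used as salt and the tiny wordlist are all constructed for illustration and are not any vendor's real parameters.

```python
import hashlib
import hmac
import secrets
import string
import time

# Constructed parameters for this illustration, not any vendor's real values.
HASH_NAME = "sha256"
KEY_LEN = 32          # bytes of derived key material
ITERATIONS = 100_000  # PBKDF2 work factor; raise it and every guess gets slower


def derive_vault_key(master: str, account_id: str, iterations: int = ITERATIONS) -> bytes:
    """Vault encryption key = PBKDF2-HMAC-SHA256(master, salt=account id).
    The salt ties the key to one account, so one guess cannot be reused across users."""
    return hashlib.pbkdf2_hmac(HASH_NAME, master.encode(), account_id.encode(),
                               iterations, KEY_LEN)


def auth_hash(vault_key: bytes, master: str) -> bytes:
    """What a server would store to check a login: one more one-way round over the
    vault key. The server never holds the key itself, and testing a candidate
    against this hash costs an attacker the full PBKDF2 work for that candidate."""
    return hashlib.pbkdf2_hmac(HASH_NAME, vault_key, master.encode(), 1, KEY_LEN)


def crack(leaked_hash: bytes, account_id: str, candidates, iterations: int = ITERATIONS):
    """Offline attack against a leaked auth hash: redo the whole derivation per guess."""
    for guess in candidates:
        key = derive_vault_key(guess, account_id, iterations)
        if hmac.compare_digest(auth_hash(key, guess), leaked_hash):
            return guess
    return None


def seconds_per_guess(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Measure this machine's cost of one derivation at a given work factor."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", "probe@example.com", iterations)
    return (time.perf_counter() - start) / samples


def brute_force_years(alphabet_size: int, length: int, secs_per_guess: float) -> float:
    """Worst-case years to exhaust every password of exactly `length` symbols.
    Single-process figure; a GPU rig is orders of magnitude faster per guess,
    so treat the result as a lower bound on the attacker's advantage, not a promise."""
    return alphabet_size ** length * secs_per_guess / (365 * 24 * 3600)


def new_master_password(min_len: int = 16, slack: int = 8) -> str:
    """Random password whose length lies in [min_len, min_len + slack). The length
    itself stays secret, so an attacker cannot skip the shorter candidates."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    length = min_len + secrets.randbelow(slack)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    account = "user@example.com"  # constructed account id used as the salt
    weak, strong = "letmein1", new_master_password()
    wordlist = ["password", "123456", "letmein1", "qwerty"]  # constructed wordlist

    leaked = auth_hash(derive_vault_key(weak, account), weak)
    print("weak master password recovered from leaked hash:", crack(leaked, account, wordlist))

    leaked = auth_hash(derive_vault_key(strong, account), strong)
    print("strong master password recovered:", crack(leaked, account, wordlist))

    per_guess = seconds_per_guess()
    print(f"{per_guess * 1e3:.1f} ms per guess at {ITERATIONS} iterations")
    # 94 printable ASCII symbols, 14 characters, as in the thread
    print(f"exhausting the 14-char full-mix space: {brute_force_years(94, 14, per_guess):.2e} years")
```

The point of the `crack` function is that the leaked artifact (the auth hash) is useless without redoing the full work factor for every guess, which is why a weak master password falls to a wordlist in seconds while a long random one does not, regardless of who holds the file. Note that `brute_force_years` measures one Python process; real attackers use GPU hardware and will do far better per guess, which is the reason to keep both the iteration count and the password length high rather than rely on the estimate.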

*Legion* wrote:

You should, at all times, consider your vault file exposed.

Well yeah, I'm just making a quick quip about my likely very unnecessary rejection of LastPass. LastPass, as closed source, also requires that you trust that their code does what it says.

This paper reviews a number of current password storage systems (although not LastPass);
https://www.cs.ox.ac.uk/files/6487/p...

tl;dr: they are all rubbish except PasswordSafe v3

DanB wrote:

Well yeah, I'm just making a quick quip about my likely very unnecessary rejection of LastPass. LastPass, as closed source, also requires that you trust that their code does what it says.

LastPass is proprietary, but it's not 100% accurate to say it's strictly closed source. Many (most?) users are using LP through browser extensions written in JavaScript that are easily extractable and reviewable. This, of course, does not extend to the mobile apps (though it does to the same browser plugins in a mobile browser, like Firefox on Android).

In that regard, LastPass is somewhat open to source code review, but no, this is not as good as being a complete open source project on all platforms (and with the code nicely available in a public version control repo). But it does mean there are at least some windows to peek in and not a complete black box.

This paper reviews a number of current password storage systems (although not LastPass);
https://www.cs.ox.ac.uk/files/6487/p...

It bears mentioning that this was from a few years ago, and some of the vaults have updated - most notably, 1Password adopted PBKDF2 sometime after that paper.

*Legion* wrote:
This paper reviews a number of current password storage systems (although not LastPass);
https://www.cs.ox.ac.uk/files/6487/p...

It bears mentioning that this was from a few years ago, and some of the vaults have updated - most notably, 1Password adopted PBKDF2 sometime after that paper.

Ahh, I hadn't seen a date on it. I have been idly waiting for a *nix port of PasswordSafe for some time now.

I think it was 2012, so it's not ancient, just behind any recent updates.