Password Security Catch-All Thread

I love LastPass. Discovered it here 6-or-so months ago and instantly became a premium member (my wife and I share a few accounts). Just set up Multifactor Authorization a week ago and found everything is pretty slick. Looking back, it's hard to believe I had the same password for DOZENS of accounts. ugh

Antichulius wrote:

I like the idea of LastPass working with iOS for accessing accounts without having to launch into the app to get the password-- at least that's how I'm reading what it does.

That's correct, as long as the app itself uses the share sheet.

When I first signed up for LastPass, I immediately changed any passwords for accounts that had personal or financial information involved. Everything else I just changed the next time I needed to visit the site in question over the following weeks.

LeapingGnome wrote:

I use 1Password, why no love from anyone? Do people basically see it as a paid for keypass? It does local vaults with auto syncing via Dropbox and I have been very happy with it.

IIRC last I looked at 1password you had to buy the client for each device. So it was super expensive. I see it's one price for all devices now, but it's still expensive compared to LastPass premium. And now that LP mobile access is free it really doesn't look like good value. I'm sure it's a good product though.

Gravey wrote:
MrDeVil909 wrote:

The mobile client is particularly good on Android with its autofill abilities.

Same on iOS 10 now that Apple has opened up the share extensions to developers, and it's all locked behind my fingerprint (or the master password if I choose).

Ooh, I didn't know that had been updated. Must get it working on my iPad.

LeapingGnome wrote:

I use 1Password, why no love from anyone? Do people basically see it as a paid for keypass? It does local vaults with auto syncing via Dropbox and I have been very happy with it.

I never used Keepass, but I switched from LastPass to 1Password on the advice of my company's head of technical operations, and because the company has 1Password product codes for all employees. I like it, but I wouldn't say it's any better or worse than LastPass, based on my experience with both.

Antichulius wrote:

Any reason to go for LastPass if I'm already using KeePass and comfortable with moving the file from PC to mobile manually?

The Keepass 2 update method is grossly insecure, and the developer seems to be unwilling to fix it, because it will interfere with ad revenue.

CVE-2016-5119: MitM Attack against KeePass 2’s Update Check

You can work around it by doing manual downloads, but fer chrissake, this is security software.

Antichulius wrote:

Of course I began thinking today that it also means the method of encryption is likely entirely visible. I'm not knowledgeable enough to know if that's a bad thing or not, but you do have me convinced I need to evaluate my valuations for a password vault.

The whole idea of public key crypto is that you can publicly share one key to, well, anyone, and hold another back. This means that the algorithm can be public, public keys can be generated that are shareable, and when that public key is used to encrypt something, only the owner's *private* key can decrypt it.

Naturally, you hold your private key very securely and in multiple places, because you neither want it to get out, nor lose it.

Like this:

Anna generates a private key "A" and uses it to generate a public key "B" using a known algorithm.

Anna gives out "B" to anyone who wants to send encrypted messages to her.

Charlie feeds his text into the known encryption algorithm and encodes it with "B", the public key.

Now, because of the way the algorithm works, the only other person who can decode it is Anna, because her private key was used to create the public key and so it can access what that key encrypts.

So: having the encryption algorithm code means that it can be checked over time for back doors, weak randomization and other things that can be a problem for users over time. If it's hidden, that makes it *less* secure, because users can't analyze the code (or have it done by a trusted expert) to make sure it has no egregious or purposeful weaknesses.

Does that make sense? Now, take a quick look here to see how your master password (your private key) and your username are protected together by LastPass. These are then used to verify your identity before your *encrypted* key is sent from the server to decrypt passwords for your session.

Note that just because LastPass has your *encrypted* key and your username, they can't decrypt your passwords because they lack your master password.
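The post above describes a vault design where the master password and username together prove identity, while the server holds only an encrypted key it cannot open. The following is an added example written for this thread, not LastPass's code: it models that split with a PBKDF2-derived encryption key that never leaves the client, a separate authentication hash that is all the server stores, and a small HMAC-based stream cipher with an integrity tag standing in for the vault encryption. The iteration count, the use of the username as salt, and the cipher construction are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Assumed parameters for this toy model, not LastPass's real values.
ITERATIONS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, username: str) -> Tuple[bytes, bytes]:
    """Derive two distinct secrets from the master password and username.

    enc_key stays on the client and encrypts the vault; auth_hash is the only
    password-derived value the server ever sees. The extra round over enc_key,
    salted with the password, means the stored auth_hash cannot double as the
    encryption key (construction assumed for illustration).
    """
    enc_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.lower().encode(), ITERATIONS
    )
    auth_hash = hashlib.pbkdf2_hmac("sha256", enc_key, master_password.encode(), 1)
    return enc_key, auth_hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a pseudorandom keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _mac_key(enc_key: bytes) -> bytes:
    # Separate MAC key so the stream key is never used for two purposes.
    return hmac.new(enc_key, b"vault-mac", hashlib.sha256).digest()


def encrypt_vault(enc_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_mac_key(enc_key), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(enc_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key fails here."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_mac_key(enc_key), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault tag mismatch: wrong key or tampered blob")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class VaultServer:
    """What the service holds per account: auth hash and encrypted vault only."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, username: str, auth_hash: bytes, blob: bytes) -> None:
        self.accounts[username] = (auth_hash, blob)

    def fetch_vault(self, username: str, auth_hash: bytes) -> bytes:
        stored_hash, blob = self.accounts[username]
        if not hmac.compare_digest(stored_hash, auth_hash):
            raise PermissionError("authentication failed")
        return blob


def client_store(server: VaultServer, username: str, master_password: str, vault: bytes) -> None:
    """Client side of enrolment: encrypt locally, upload only what the server needs."""
    enc_key, auth_hash = derive_keys(master_password, username)
    server.register(username, auth_hash, encrypt_vault(enc_key, vault))


def client_load(server: VaultServer, username: str, master_password: str) -> bytes:
    """Client side of login: prove identity with auth_hash, decrypt with enc_key."""
    enc_key, auth_hash = derive_keys(master_password, username)
    return decrypt_vault(enc_key, server.fetch_vault(username, auth_hash))


if __name__ == "__main__":
    server = VaultServer()
    client_store(server, "anna", "correct horse battery", b"example.com: hunter2")
    print(client_load(server, "anna", "correct horse battery"))
```

The point to take from running it: the server-held values are enough to authenticate a session and hand back the blob, but feeding those same values into `decrypt_vault` fails the tag check, because the encryption key was derived from the master password the server never received.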

Thanks Robear. Good explanation and a good link. I'm starting a slow migration to Last Pass right now. I believe I'm sold on it, though the full migration and eventual deletion of KeePass is going to take a long time and plenty of usage of LastPass to ensure a seamless transition.

Malor wrote:
Antichulius wrote:

Any reason to go for LastPass if I'm already using KeePass and comfortable with moving the file from PC to mobile manually?

The Keepass 2 update method is grossly insecure, and the developer seems to be unwilling to fix it, because it will interfere with ad revenue.

CVE-2016-5119: MitM Attack against KeePass 2’s Update Check

You can work around it by doing manual downloads, but fer chrissake, this is security software.

Worth noting that the developer HAS fixed it (as noted in the update list of the link) through the use of signed updates.

I'm not wedded to KeePass, and would be willing to switch given the right argument, but the ability to trust only myself with my encrypted password file is, for the moment, for me a critical feature. (For reference I maintain my own owncloud server (open source Dropbox) where I store my files).

While I choose to accept the risk of utilising a server to access my password file over the internet, the fact I can choose to store the password on an air gapped system if I want to is important to me.

It's always a balance of convenience against security. LastPass, just like any other password manager, makes your life less convenient in certain ways and times, but on balance, it offers more of the security features I am comfortable with.

Happy to help, Anti. This is stuff everyone should have at least a passing familiarity with.

Going to give LastPass a whirl right now. I tried it out years ago and found it inconvenient - don't really remember why - something to do with using on my phone I think. But the passwords continue to pile up and I need something to organize and keep them safe.

Shifter wrote:

I tried it out years ago and found it inconvenient - don't really remember why - something to do with using on my phone I think.

In the past, you had to pay for LastPass Premium to be able to use the phone apps.

The recent change was to make phone app access free for everyone.

*Legion* wrote:
Shifter wrote:

I tried it out years ago and found it inconvenient - don't really remember why - something to do with using on my phone I think.

In the past, you had to pay for LastPass Premium to be able to use the phone apps.

The recent change was to make phone app access free for everyone.

I have it all setup and it's working great. Thinking back I think it was 1password I tried out. Lastpass is pretty nifty though. Easy setup and adding sites to the vault is a breeze as well.

Hmmm, indeed.

Can't get the original article to load anymore, but the gist --

https://forums.lastpass.com/viewtopi...

https://www.reddit.com/r/privacy/com...

Essentially, site URLs are left unencrypted and just hashed (though transmitted over SSL/TLS to the servers). It's how the site logo stuff works within the vault.

Article was available when I went to it. Essentially, URLs are not hashed, but

Article wrote:

As you can see, all accounts are saving the same unprotected, hexadecimal encoded string for Google.com:

68747470733a2f2f6163636f756e74732e676f6f676c652e636f6d2f536572766963654c6f67696e

Which when decoded is:

https:// accounts.google.com/ServiceLogin

*Added a space to the URL to keep it from truncating and linking*

Everything is still transmitted SSL/TLS as you mentioned.
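The article excerpt above shows that the stored value is hex encoding, not a hash, and that every account stores the identical string for the same site. The following added example (written for this thread, not taken from the article or from LastPass) decodes that exact posted string and then contrasts three ways a client could store a site identifier: reversible hex, a plain SHA-256 that is one-way but still identical across users and guessable from a list of common login URLs, and a per-user keyed HMAC whose key the server never holds. The candidate URL list and the per-user keys are constructed sample data.

```python
import binascii
import hashlib
import hmac
from typing import Callable, List, Optional

# The hexadecimal string quoted from the article in the post above, verbatim.
POSTED_HEX = (
    "68747470733a2f2f6163636f756e74732e676f6f676c652e636f6d2f536572766963654c6f67696e"
)


def decode_hex_url(hex_string: str) -> str:
    """Hex is an encoding, not protection: anyone holding it recovers the URL."""
    return binascii.unhexlify(hex_string).decode("utf-8")


def plain_hash(url: str) -> str:
    """One-way, but identical for every user who stores the same URL."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


def keyed_hash(url: str, per_user_key: bytes) -> str:
    """HMAC under a key held only by the user's client.

    Still a stable lookup key for that client, but two users storing the same
    URL produce unrelated values and the server cannot test guesses without the key.
    """
    return hmac.new(per_user_key, url.encode("utf-8"), hashlib.sha256).hexdigest()


def find_site(digest: str, candidates: List[str], hash_fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary check: which candidate URL, if any, produces this digest?

    Models what a server (or anyone with a copy of its database) could do
    against an unkeyed hash of a well-known login page.
    """
    for url in candidates:
        if hmac.compare_digest(hash_fn(url), digest):
            return url
    return None


# Constructed sample list of common login URLs a curious party might try.
COMMON_LOGIN_URLS = [
    "https://accounts.google.com/ServiceLogin",
    "https://login.example.com/",
    "https://www.example.org/signin",
]


if __name__ == "__main__":
    url = decode_hex_url(POSTED_HEX)
    print("decoded:", url)
    print("plain hash recovered as:", find_site(plain_hash(url), COMMON_LOGIN_URLS, plain_hash))
    user_a = keyed_hash(url, b"constructed-key-for-user-a")
    user_b = keyed_hash(url, b"constructed-key-for-user-b")
    print("keyed hashes differ per user:", user_a != user_b)
    print("keyed hash recovered without key:", find_site(user_a, COMMON_LOGIN_URLS, plain_hash))
```

The take-away for the question raised later in the thread: "hashed" on its own would not have hidden which sites a user has accounts at, since login URLs are few and easily enumerated; only a value keyed by something the server never receives avoids that, at the cost of the server no longer being able to do site-based features like logo lookup.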

Antichulius wrote:

Article was available when I went to it. Essentially, URLs are not hashed, but

Article wrote:

As you can see, all accounts are saving the same unprotected, hexadecimal encoded string for Google.com:

68747470733a2f2f6163636f756e74732e676f6f676c652e636f6d2f536572766963654c6f67696e

Which when decoded is:

https:// accounts.google.com/ServiceLogin

*Added a space to the URL to keep it from truncating and linking*

Everything is still transmitted SSL/TLS as you mentioned.

So, as a user who only understands about 30% of what y'all are talking about, is this a thing to worry about, or not really? Is there any reason I should care about the URLs not being encrypted, if the usernames and passwords still are?

BushPilot wrote:
Antichulius wrote:

Article was available when I went to it. Essentially, URLs are not hashed, but

Article wrote:

As you can see, all accounts are saving the same unprotected, hexadecimal encoded string for Google.com:

68747470733a2f2f6163636f756e74732e676f6f676c652e636f6d2f536572766963654c6f67696e

Which when decoded is:

https:// accounts.google.com/ServiceLogin

*Added a space to the URL to keep it from truncating and linking*

Everything is still transmitted SSL/TLS as you mentioned.

So, as a user who only understands about 30% of what y'all are talking about, is this a thing to worry about, or not really? Is there any reason I should care about the URLs not being encrypted, if the usernames and passwords still are?

That depends on how comfortable you are exposing a very, very modest amount of metadata to LastPass. If you're using any social network then this is chickenfeed. If you're the kind of person that goes out of their way to be anonymous on the Internet then you probably wouldn't be happy with this.

The outrage here is really that the fact they are gathering this data seems to go against lastpass's stated "we know nothing about the data you send us" stance.

DanB wrote:
BushPilot wrote:

So, as a user who only understands about 30% of what y'all are talking about, is this a thing to worry about, or not really? Is there any reason I should care about the URLs not being encrypted, if the usernames and passwords still are?

That depends on how comfortable you are exposing a very, very modest amount of metadata to LastPass. If you're using any social network then this is chickenfeed. If you're the kind of person that goes out of their way to be anonymous on the Internet then you probably wouldn't be happy with this.

The outrage here is really that the fact they are gathering this data seems to go against lastpass's stated "we know nothing about the data you send us" stance.

Thanks, this is helpful. I care about my password security, but I'm far from an internet ghost, so I think this is probably not a big problem for me.

Just an FYI:

The cloudflare leak may or may not have affected humblebundle, but humble does use cloudflare technology, so it may be a good idea to change your humblebundle passwords, especially if that login is shared elsewhere.

See here for a full list of cloudflare sites. Notables for us here:

Curse
Patreon
Humblebundle

That's quite a list of sites, wow.

Yeah, the thing with this is that the amount of potentially leaked data is staggering, even though the amount of likely leaked data is probably relatively small.

Cloudflare says only 161 unique domains affected. I understand why they don't want to say what those domains were, but looking at a list of millions of sites is not helpful either.

Hopefully those 161 sites have been notified and are in the process of emailing their users or forcing a password reset.

Quintin_Stone wrote:

Cloudflare says only 161 unique domains affected. I understand why they don't want to say what those domains were, but looking at a list of millions of sites is not helpful either.

Cloudflare is one of the better companies when it comes to transparency, but I wouldn't take that 161 figure at face value.

Change passwords, but don't be in a panic.

Also, this is a good example of how even unique per-site passwords can sometimes be leaked. Which is another reason why you should two factor everything possible.

Thought I had this thread tagged. Guess that's a tag to get to later.

Antichulius wrote:

Just an FYI:

The cloudflare leak may or may not have affected humblebundle, but humble does use cloudflare technology, so it may be a good idea to change your humblebundle passwords, especially if that login is shared elsewhere.

See here for a full list of cloudflare sites. Notables for us here:

Curse
Patreon
Humblebundle

Oh, just an FYI, gamerswithjobs.com is on the 70 Megabyte master list there. As well as Discord, BundleStars, IndieGameStand, Stacksocial. So yeah, fun times.

GWJ wasn't compromised according to Cloudflare.

As for the others, I hadn't gone through the whole master file, just the notable list and top 10,000 list, so thanks for the heads up on these other ones.

Interesting security analysis performed on password manager applications by TeamSIK.

On a related note, I just set my wife up with 2FA (for LastPass). PSA to remind you to do the same!

I finally found a use-case for Keepass on my phone that LastPass couldn't have saved me. Logging in to a new device when I had no internet access of any kind.