Password Security Catch-All Thread

MrDeVil909 wrote:

Holy crap the Yahoo breach was 2014!!

Yep. This is when my nice, well controlled email address turned into a daily tsunami of spam.

Still need to get around to moving a few accounts off it. Just can't get rid of it since I keep forgetting What sites I use infrequently are still attached to it.

My wife uses Yahoo mail and hasn't had any issues, thanks possibly to the 24 character LastPass generated password, but I'll get that changed.

*Legion* wrote:
Gremlin wrote:

Heh. And now my strategy of using a password manager to store not just the password for my almost entirely unused Yahoo email, but also the randomly-generated answers for the security questions pays off. Why yes, I can change my mother's maiden name.

Yep. Right there with you.

My poor mom. High school must have been tough with a name like Jill hGrudb+"[email protected]:yfndgsg63GIva.

Are you related to the hGrudb+"[email protected]:yfndgsg63GIva family in NJ?

Gremlin wrote:

Eh. I'm not vulnerable to this particular issue because I have updates turned off and I don't use browser integration or anything.

But it might be time to think about switching to KeePassX.

I was looking at Keepass vs KeepassX this morning.
I've bounced around between both of them in the past and am currently using Keepass2.

One of the things stopping me going back to keepassx is that despite a fork being created to add yubikey challenge and response to keepassx 3 years ago no response from the developer to the pull request.

I love the off-line nature of keepass, the idea of trusting my password database to an online service worries me.
Yes I sync my database file across my computers with Dropbox (which will become owncloud when I'm happy with my setup) but my rationalisation for this is the password file and the means to unlock that file are never both stored or passed over the internet.

And yes the problem originally discussed has now been patched but always worth keeping an eye out for someone doing it better.

Alyosius wrote:

Yes I sync my database file across my computers with Dropbox (which will become owncloud when I'm happy with my setup) but my rationalisation for this is the password file and the means to unlock that file are never both stored or passed over the internet.

That's how LastPass works too, just transparently to the user.

Two separate things are generated from your Master Password: an authentication hash that gets sent to LastPass to authenticate you as a user, and a decryption key which does the Vault decrypting, which does not get transmitted anywhere.

So just like storing your encrypted KeePass blob on Dropbox, your encrypted LastPass vault gets uploaded to LastPass, but the means of decrypting it does not.

LastPass has done very well for me. Makes it easy to really lock down accounts that are important or that I use frequently, while letting me keep simpler passwords for stuff that I don't really care about. Mostly I care about access via theft of password hashes and the like, so the ability to manage monster passwords for financial stuff rates high for me.

I know there are threats out there that can go past reasonable security measures, but I figure that they can likely go past really strong security, too, if I'm targeted like that. It's the everyday annoying stuff that I want to avoid, so that I don't have to talk to my bank every 3 months. (I do take further steps, of course.)

THIS JUST IN
Lastpass now works cross device without going premium.

Just converted from Keepass. Thankfully I didn't have a lot of passwords. I had to redo most of them as they didn't contain the web addresses.

Also in this month's HumbleBundle you can get 1 year of LastPass for $7.50.

https://www.humblebundle.com/lifehac...

LeapingGnome wrote:

Also in this month's HumbleBundle you can get 1 year of LastPass for $7.50.

https://www.humblebundle.com/lifehac...

I saw that but why would I need to pay for it? To get rid of the ads? The ability to use it on any device is now free. I'll go look for a comparison chart but seems pricey to just get rid of ads.

EDIT
Premium adds:
Additional multifactor authentication options
Desktop Application Passwords

I'll stick with the free.

I'm officially a LastPass convert. Little miffed that I paid for premium and the next morning they offered multi device for free. But the money has already been well spent in the time I've saved and the increased security.

Any reason to go for LastPass if I'm already using KeePass and comfortable with moving the file from PC to mobile manually?

Antichulius wrote:

Any reason to go for LastPass if I'm already using KeePass and comfortable with moving the file from PC to mobile manually?

Mostly just if you wanted increased convenience. LastPass is a better user experience than moving a vault around manually, but the core principles are the same.

One thing to consider is if you really are comfortable with moving that vault around frequently. Do you ever find yourself not updating passwords for a long time because of the hassle of re-copying the vault? If so, then maybe consider LastPass. Changing passwords needs to be a low-impact thing in however you manage passwords.

The one issue I had with exporting and importing my Keepass set was if you don't have the URL of the site entered in Keepass it will create the Lastpass entry as a note instead and it is all but useless. As I only had 25 passes or so in Keepass it was not difficult for me to recreate them.

The export is an XML doc so you could export and update the folder/urls in the form and hope the import sorts it for you. The import also created a new set of folders based on the name of my xml file. I'm just going with it.

So far I'm liking the convenience of whenever I encounter a site that I have no entry for I can choose to add the login/pass to the database or skip it.

*Legion* wrote:

Mostly just if you wanted increased convenience. LastPass is a better user experience than moving a vault around manually, but the core principles are the same.

Dropbox?

DanB wrote:
*Legion* wrote:

Mostly just if you wanted increased convenience. LastPass is a better user experience than moving a vault around manually, but the core principles are the same.

Dropbox?

Yep, Dropbox, one-Drive, G-Drive all work with syncing Keepass.

It has not escaped my attention that by the time you add dropbox to your keepass system you might as well be using LastPass

I have used Dropbox with KeePass as well. As for updating passwords, it's a weekly task on my list to update a few of the oldest and then update the file Of course, more devices than my PC and phone would be more hassle than it's worth to do anything manual.

Will LastPass sort by oldest (and show date of lay change) for easy pw updating rotation?

Antichulius wrote:

Will LastPass sort by oldest (and show date of lay change) for easy pw updating rotation?

It has a "security challenge" feature that will give you a sortable list of when you last changed each password, even making a separate list for any passwords that haven't been changed in the last year (as well as compromised, duplicate, and weak password lists).

Mantid wrote:
Antichulius wrote:

Will LastPass sort by oldest (and show date of lay change) for easy pw updating rotation?

It has a "security challenge" feature that will give you a sortable list of when you last changed each password, even making a separate list for any passwords that haven't been changed in the last year (as well as compromised, duplicate, and weak password lists).

Now that certainly appeals. Maybe I'll up my planned Humble purchase and try it out. I have a habit of setting up accounts when I'm not near my KeePass, so I use an easy dummy password and then change it when I'm entering it into KeePass. A report of the ones I've missed or forgot to update sounds really nice.

DanB wrote:

It has not escaped my attention that by the time you add dropbox to your keepass system you might as well be using LastPass

Well... one of these options is completely free.

It's awesome that LastPass free is now multi device, but I've been using it happily for years now so I'll continue to pay to support them.

Antichulius wrote:
Mantid wrote:
Antichulius wrote:

Will LastPass sort by oldest (and show date of lay change) for easy pw updating rotation?

It has a "security challenge" feature that will give you a sortable list of when you last changed each password, even making a separate list for any passwords that haven't been changed in the last year (as well as compromised, duplicate, and weak password lists).

Now that certainly appeals. Maybe I'll up my planned Humble purchase and try it out. I have a habit of setting up accounts when I'm not near my KeePass, so I use an easy dummy password and then change it when I'm entering it into KeePass. A report of the ones I've missed or forgot to update sounds really nice.

Yeah, that's not an ideal situation. LastPass is literally a click away whenever you're online. I'm an unashamed fan and proselytize any chance I get.

Can you talk me though LastPass security measures? I take comfort in the offline or quasi-offline nature of KeePass (with Dropbox sync) that limits the chance someone can get ahold of the encrypted file. That's been my primary concern about joining a pool of people storing passwords with the same company. Encryption is great and all, but knowing I'm the only one with the file is a great comfort. Particularly when cracking it is the door to everything.

Security and convenience seem to have an inverse relationship and to have more of the latter you have to lose some of the former. Admittedly, I haven't really dug in to places like LastPass. I'm sure they have a solution that I just don't know about.

Antichulius wrote:

Can you talk me though LastPass security measures? I take comfort in the offline or quasi-offline nature of KeePass (with Dropbox sync) that limits the chance someone can get ahold of the encrypted file. That's been my primary concern about joining a pool of people storing passwords with the same company. Encryption is great and all, but knowing I'm the only one with the file is a great comfort. Particularly when cracking it is the door to everything.

Security and convenience seem to have an inverse relationship and to have more of the latter you have to lose some of the former. Admittedly, I haven't really dug in to places like LastPass. I'm sure they have a solution that I just don't know about.

Legion explains it quite nicely above, and most of it is beyond me tbh. But I do know your vault is encrypted before it gets to the lastpass servers.

The convenience comes in the browser plugins and mobile clients. Generating a password is one click in your browser and a quick pop up to save it. The mobile client is particularly good on Android with its autofill abilities. Obviously if you leave everything logged in it's a risk, but that's on you. And if you lose a device you can log it out from the lastpass website.

Where I'd argue it's more secure is the fact it won't tempt you to do something like temporarily use a less secure password.

MrDeVil909 wrote:

The mobile client is particularly good on Android with its autofill abilities.

Same on iOS 10 now that Apple has opened up the share extensions to developers, and it's all locked behind my fingerprint (or the master password if I choose).

Antichulius wrote:

Can you talk me though LastPass security measures? I take comfort in the offline or quasi-offline nature of KeePass (with Dropbox sync) that limits the chance someone can get ahold of the encrypted file. That's been my primary concern about joining a pool of people storing passwords with the same company. Encryption is great and all, but knowing I'm the only one with the file is a great comfort. Particularly when cracking it is the door to everything.

It may be "comforting" to restrict access to your password vault, but that is not where your security comes from.

Here is my larger rant on that. But tl;dr: Encryption isn't just "great and all". Encryption is the security. A secure password vault is secure even if you send a copy to everyone in the world. If the encryption isn't sound enough for that, then you should not use it at all.

Restricting access has value, it's why we still want LastPass to keep vaults from being leaked, and use two-factor authentication on our LP accounts to make them harder to access. But that's just a bonus. Your security comes from the encryption, not hiding the vault. If it didn't, then you might as well just hide a plain text password file instead.

I use 1Password, why no love from anyone? Do people basically see it as a paid for keypass? It does local vaults with auto syncing via Dropbox and I have been very happy with it.

Thanks for linking the rant, Legion. I don't think I'd found this thread when it was posted, so it was a new read and gave me some good thoughts to mull over. Your point about encryption being the key (more or less because we can't guarantee the safety of the file) does make me want to review the encryption of KeePass. I figured open source was a boon in that I could trust the program to do what it claimed or issues to be exposed. Of course I began thinking today that it also means the method of encryption is likely entirely visible. I'm not knowledgeable enough to know if that's a bad thing or not, but you do have me convinced I need to evaluate my valuations for a password vault.

I think I'm really trying to dig into what people know/have experienced with LastPass because the Bundle is a good opportunity for me to switch, and I may almost be ready to do so, but I want to be sure before I move so much sensitivity into the personally unknown.

Maybe last question: Was LastPass the one that had the plaintext issue for passwords transferring though an extension? If I recall correctly, it was just an issue with the browser extension but not the program itself?

LeapingGnome wrote:

I use 1Password, why no love from anyone? Do people basically see it as a paid for keypass? It does local vaults with auto syncing via Dropbox and I have been very happy with it.

I think LastPass is the main topic currently because of the Humble Bundle it is currently in. At least that's my main reason for considering it -- and the love it's getting here.

Okay just browsed around and answered my own question. It wasn't LastPass. I think I'm going to give it a run. I like the idea of LastPass working with iOS for accessing accounts without having to launch into the app to get the password-- at least that's how I'm reading what it does. I'll probably sign up, load a half dozen passwords for a test run and if I like it spend the day it'll take to move my hundred or more passwords over.

And yes, the idea of no longer using less secure passwords temporarily appeals to me, too.