70 comments

[ 3.1 ms ] story [ 96.3 ms ] thread
Time to migrate from lastPass

Any good alternatives?

Why migrate? It seems like there isnt a problem with Lastpass itself.

Apart from that: bitwarden.

There’s two options:

1. they found the breach and patched it, lies about it to save face.

2. there was no breach

Even if it’s option two, would you want to gamble on it?

Option 3:. There was a breach, but lastpass didn't keep enough logs to know that anything went wrong.
Because most users will have an inferior setup to Lastpass
Most of the effort is in moving off an insecure set of passwords. The details of the solution don't add much incremental effort. Why not do it the right way and avoid trusting a company with an awful track record? Everyone I know has a google account and a smartphone, and by extension access to google drive for cloud backup/sync of a keepass database. Lastpass cannot justify its existence.
Me as a still somewhat techie individual? No, keepass works just fine.

But you have to realistically consider what are actual alternatives. For everybody else in my family, it's not lastpass vs some cryptographycally excellent local solution. It's last pass or 1password as uphill battle vs same password of your cats name over all of your accounts. Shared by your family members. My sister in law doesn't even have to wonder what her mom's utility or bank password is - they all literally use their old dead cat's name. For everything. So moving them to Lastpass or 1password with differentiated passwords has been my life's mission for past several years.

they are the norm. Average HN poster is empathically not :-/

After looking for self hosted password managers off and on for over a year I finally started hosting my own BitWarden instance (have had it for half a year or so now) and I absolutely love it. I can't believe I went so long without a password manager but it seemed against the point to have the passwords given to and hosted by someone else.

Highly recommended!

Just don't forget your backups when selfhosting, especially offsite. And don't forget to test them regularly.
> especially offsite

And offline¹ or immutable². Some automated ransomware actively goes after common backups³ before touching the base data, more targetted attacks will too.

[1] If part of your threat model is security, not just accidental loss/damage, as it should be for everyone, this stops an attacker jumping from your base system to get at your backups.

[2] Alternatively, this will stop them modifying your backups even if they get access. Cloud providers offer what is claimed to be immutable storage, though your level of trust in them, your sensitivity to cost, and the likelihood you might someday want to properly forget something, will factor in to whether this is suitable.

[3] One reference amongst many: https://www.advintel.io/post/backup-removal-solutions-from-c...

> And don't forget to test them regularly.

A vital step that too many people skip. Or for advanced failure patterns: setting up automated tests that don't fail safe (does no alert mean all is OK, or does it mean the alert system has failed too?) and/or not monitoring to make sure that they are working.

I use Bitwarden and have no complaints so far.

But being a bit paranoid the most important passwords I keep in a KeePass-file on a USB.

A USB what? Don't leave us hanging.
Mouse. He stores them in his USB mouse on a piece of paper. No one would look in his mouse.
Many modern mice have onboard memory, actually, to store sensitivity settings and occasionally macros.

I doubt they need more than a few kb's for them, but being 2021, maybe the cheapest onboard memory chip can still hold 16MB or more, and a sufficiently cunning hacker could use it as a storage of last resort.

And I have. “Lock now” function is hidden among other items in the settings menu, when it must be accessible. Editing and using password cards is far from intuitive, and their entire autogenerated(?)/tabled(?) UI feels off in ways hard to describe. I’m constantly getting confused using it. And it is not a baby duck syndrome, as I am using it for more than two years.

There is still no better alternative if you want to leave lastpass, but what lastpass really has is a good UI.

> There is still no better alternative if you want to leave lastpass, but what lastpass really has is a good UI.

1Password. Love the Chrome extension UI coupled with the desktop app. Way better than Bitwarden in my opinion.

I have a NextCloud server for backing up and syncing my personal data. I use the PassMan plugin to store my passwords. The user interface could really use some work. Other than that it's really good.
Self hosted bitwarden (well, vault warden) is pretty good. With a lot of passwords (600) the browser extension is a little slow, but not bad. I left 1password once they moved to cloud and subscriptions and haven’t missed it.

Plus, set hosted BW gets you all the premium features, like shared vaults for the wife and family.

There was some speculation over at /r/sysadmins that this was a dump of passwords that came from the compromise five years ago. I have no way to confirm/deny that.

I have MFA enabled with the google auth app- has there been any discussion that accounts with two factor auth are pwned as well?

Lastpass used to run a phpBB forum where the login system used your lastpass master password to log in.

phpBB is notorious for security flaws. It doesn't seem unlikely that someone hacked the forum and modded it to leak user master passwords.

More info:

https://news.ycombinator.com/item?id=29706579

That speculation is in direct contradiction with everyone here who claimed their much more recent passwords had also been compromised.
Not necessarily. The 5 year old master password could have granted access to a service that made it possible to intercept the password change.
This was also happening to accounts that did not exist 5 years ago.
It might be that the previous leak completely or partially exposed the algorithm of LastPass's password generator, or some other commonly used tool, and people being targeted show up on other lists. Credential stuffing with a targeted list of generated passwords.

If passwords from other breaches fit the characteristics of a weak or compromised generator, that could also be used for targeting.

Interesting that they claim no passwords were leaked and yet just two days ago someone posted here on HN asking how their master password for LastPass could have been leaked: https://news.ycombinator.com/item?id=29705957 (which the linked article references as well)
And this is why I'm not happy to see 1password moving to an online only model. If it's only local vaults, I can understand the threat model, I have more control over it, as soon as it's in the cloud, it becomes quite a bit harder for me to feel safe.
Once it’s in the cloud, it’s already compromised.

Best way to keep a secret is don’t share it. Cloud storage is by necessity sharing the secret with the cloud server and everyone with access to it.

In general, I agree with you about avoiding cloud storage, but it's important to remember that the secret is the cleartext data. The encrypted data is not secret, and that's the whole point of encryption.

As long as you store the encrypted vault on a cloud service, your secrets are not shared.

The problem in this case is that you are running the vendor's code on your local machine to perform the encryption, and that's where the real issue is. You have to trust that that code is completely bug free. This issue is made worse by the fact that things are uploaded to the cloud, but it's not the underlying problem.

I personally use GNU Pass as its a simple local password manager, no strings attached. It can also generate passwords.
Props for pass. (Is it GNU pass though? I can't see a mention of it being a GNU utility anywhere on https://www.passwordstore.org/ - I only see it's a "Unix" password manager.)

I have a rented VPS whose main two uses are being my IRC host (irssi running in a tmux) and hosting my Git repository containing the pass password store. As long as only I can SSH into the VPS, my encrypted password collection won't leak; as long as there is no keylogger or clipboard logger on the machines I use pass on, my passwords are secure. (I assume that SSH and GPG are unbreakable, which seems good enough of an assumption for the time being. Perhaps I'll switch to passage instead of pass some time in the future.)

Do you find that the lack of a browser extension makes it easier to get phished by failing to accurately read the URL? That's one of the stronger arguments I've heard for a browser autofill feature
No idea, honestly. I think I am lucky and I do not get targeted by many phishing mails. (Let's see how much things will change now that this comment is public.)
That might be the case for normies who click phishing links or SEO-optimized phishing sites that appear on Google search results (instead of, you know, just typing the URL of the site they want).

I tend to navigate by URL or browser history, so I just don't enter phishing URLs.

An extension could save my ass in the scenario where a legit site (e.g. a shop) has been compromised and the redirect to payment services has been replaced with a malicious site, but I don't believe that's very common?

I remember when lastpass had a security hole that could expose any password in your vault by visiting a web page. They thanked the security researcher who found it with a paltry sum of $1,000.

https://www.theverge.com/2019/9/16/20868111/lastpass-bug-exp...

>In a statement posted on its blog, LastPass downplayed the severity of the bug. The company’s Security Engineering Manager, Ferenc Kun, said that the exploit relied on a user visiting a malicious site and then being tricked into clicking on the page “several times.”

This was what led me to dump them and delete my account.

I thought at the time that A) they're sloppy and B) the next exploit will 100% be sold on the black market for minimum an order of magnitude higher price.

If there were a common exploit among the people on the HN thread like a compromised chrome extension I think they would have discovered it. There were a lot of people on that thread, a bunch of invalidated hypotheses and no clear commonalities.

Edit : i made a mistake - it only exposed the last used password in the vault. Pretty bad but not quite as awful as I first thought.

> I remember when lastpass had a security hole that could expose every password in your vault by visiting a web page.

I remember when KeePass browser plugin had the same issue. The security researchers were not paid.

I'd avoid using that too then.
Would you avoid using any password storage where either the system itself or the underlying foundation has had serious vulnerabilities at some point?

Or only bad vulnerabilities triggered using JavaScript? Or would you only accept a history with vulnerabilities if security researchers were paid properly for the work they invested into finding the issues?

I tend to prefer open source but slightly obscure open source with a few unpaid maintainers and a very high attack surface? Yeah, I'd avoid that too.

I have much more confidence in open source password storage that doesnt try to autofill. Theres much less that can go wrong. This is how I store banking passwords.

A serious vulnerability puts me off but not as much as a tepid ass response that tries to downplay the severity of a really bad problem.

That makes me consider the software radioactive.

KeePass (and the forks like KeePassXC) doesn't try to autofill passwords. There's a separate browser plugin (different download, not installed or recommended by default) for KeePass that did, and that's where the vulnerability was.
I was alluding to this when I said "slightly obscure". I still use KeePass, but not that plugin.
What about 1password?
I've used 1Password for years. I recommend it to orgs I work with.
KeePass is a free software, not a service that generates revenue. Why would you expect a free software developer that is entirely funded by donations (which most likely won't even cover development costs) to pay 10,000$ to a security researcher finding a bug in their software or you will stop using their software? This is completely unrealistic. Bugs happen, free software exists. You cannot stop using all free software that had a security bug in the past that wasn't awarded with 10,000$.
I didnt say I did expect bounties from them. I just said I'd avoid using this software.

The fact remains that autofilling passwords in-browser has a gargantuan attack surface and hence the potential to go very wrong. You have to really trust whichever software you use for this.

I expected better from lastpass because I used to give them actual money. I'm not upset that some random keepass extension did this but I also wouldnt use it either.

KeePass doesn't come with the browser plugin, BTW. It's a separate, optional download.
Important to note that KeePass itself does not have an official browser plug in, all plug-ins are 3rd party and none have large commercial backing.

Several browser plug-ins are available as well as simpler solutions like a browser extension to insert the URL in the title bar and sending keystrokes to the browser to populate it.

That is a very good point. I am not sure that lack of official browser extension is a good thing though. I typically enjoy when software has a large community creating plug-ins, but maybe not when it comes to password managers.
Password manager browser extensions provide a large attack surface. They also break the browser sandbox. I wish there were a good solution

https://lock.cmpxchg8b.com/passmgrs.html

> I wish there were a good solution

The answer is right there in the article: Use the browser's password manager.

I find Firefox's password manager + Sync a good solution, and I don't understand why people don't advocate it more. It's free and open source. Mozilla is a reputable software house with a good security team. Their revenue stream does not depend on you paying for the password manager. It doesn't even depends on monetizing your personal information.

Yesterday I found it even works as a password store for all of iOS.

How do you manage passwords for things outside of the browser?
On iOS, opening up saved passwords just uses firefox's password manager. On the desktop, I just open up firefox's password page. It's always running anyway.

It works just like another password app.

Sorry for being obtuse, but FF only allows me to put in a website to save passwords. How would I use this for an extra-browser application (steam for example)?
KeePass is open source. Who would pay?
OT: The fact that Chrome offers to bring my passwords from browser to browser, means that they are being stored in plaintext by Google.

Aside from that I probably gave them permission to log in as me in one of the EULAs, why is it OK for them to store my passwords unencrypted. Who guarantees that there are no leaks at Google? Who guarantees that some malicious browser plugin (there have been MANY) has never figured out how to access my passwords - especially as if such a plugin can get the password to identify myself to Chrome, it can login anywhere to get the passwords.

Anyways, whenever I hear of leaked 1Passwords, I figure it is in such a vector - login on the browser. And the fact that they are doubling down on browser login, makes me less secure.

Paranoid, much?

> The fact that Chrome offers to bring my passwords from browser to browser, means that they are being stored in plaintext by Google.

Why do you think that they cannot bring encrypted passwords from browser to browser?

All password managers need access to the plaintext version of the password at some point... They need to put that into the login field.

Chrome syncing across browsers does not mean they are being stored in plaintext. Your login is likely given you access to a key to decrypt them.

Chrome does have an ability to encrypt the password store with a different password of your choosing. In this case syncing still happens, but each browser install requires you to enter in the second password to unlock the store.

A malicious browser plugin does not need access to your password store to steal your password. Sooner or later you are going to log into a website and it will just steal it then.

You can set your own passphrase in sync settings. This will enable end-to-end encryption and Google won't be able to read your synced data (not just passwords but also history and other synced data).
The fact that Chrome offers to bring my passwords from browser to browser, means that they are being stored in plaintext by Google.

Not necessarily. For example, Google could be encrypting your passwords using your Google account password.

All password services that allow for transfer between devices or emergency backups store the passwords in a recoverable format (encrypted rather than hashed) on their servers. This concern is not unique to Chrome's password storage.

> Who guarantees that there are no leaks at Google?

The same guarantee that all cloud services offer for non-e2e-encrypted content. If you are concerned about this, you must not use any password manager that stores passwords outside of your machine.

> Who guarantees that some malicious browser plugin (there have been MANY) has never figured out how to access my passwords

Even if your passwords are stored locally rather than on a cloud service, a malicious browser plugin can inspect your behavior as you fill in a password. Nothing will protect your credentials from a malicious browser plugin.

> Paranoid, much?

Probably. But self hosted systems exist if you want to use one.

>Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error.

Thank You. We can now all go back and enjoy our holiday.

Edit: Hold on a min. "likely triggered" means they think it is triggered in error but still not sure?

Side Note: I really dislike these "updated" articles with new reference that are not "clearly labeled at either the top or the bottom of the news. I have no idea when that LastPass statement was added to this piece, was it before the HN headline submission or after? I have no way to know if comments or HN readers here are reading the same as I am.

I haven't looked into this, but are there any self-hosted solutions that anyone could recommend? The minimum might be a browser extension (Firefox) and to let me replicate to at least two different local/cloud instances (directly or indirectly).