586 comments

[ 2.6 ms ] story [ 377 ms ] thread
> was able to gain access to certain elements of our customers’ information

This is frustratingly vague. This incident started 4 months ago, and you can't provide any details?

If it wasn't such a PITA to move off LastPass, I would do so. They got me.

How is it a PITA to move off lastpass? I switched to Bitwarden and it was a piece of cake. Exported all passwords. Imported all passwords. Pretty much all password managers can import/export as a CSV or similar.
It's easy if you don't share passwords with others. I have my whole family and business using it, and there's lots of shared folders.

Convincing my wife and colleagues to all switch simultaneously isn't feasible unless this data fiasco gets worse.

It'll only going to get worse. Better move now before it's too late.
I tried migrating from LP to BW and got import errors. Bitwarden's error message was very vague (along the lines of "sorry, something went wrong") and I haven't been able to track down what entries were causing the issue. I've tried 3 or 4 times including trying to reproduce with subsets of the full collection but it's too much of a pain with hundreds of accounts and I so far haven't been motivated enough to manually transfer them or to write a selenium script to do it automatically.
Moving to vaultwarden (the open bitwarden server implementation) was also really easy. Just installed the package in Arch, setup the vhost in nginx, put the vhost into my local DNS and slightly adjusted the vaultwarden config file. Now I use bitwarden clients everywhere and point them to my server.

Since I don't feel 100% comfortable having my self hosted things on a public IP, I put it only on my LAN. For remote access (e.g. phone) I use wireguard.

Just check your data after re-importing the passwords. LastPass sometimes has issues with the export (see elsewhere in this thread) and does not export attachments at all. You have to move attachments manually.
You can't export all the passwords, some extra fields are not exported by LastPass, so there is your PITA when some site asks a security question you had an answer to in that unexported field
> If it wasn't such a PITA to move off LastPass,

It's really not. As the quality of their software declined severely starting around 4-5 years ago, I put off moving because I assumed it would be a huge hassle. It turned out to be surprisingly easy. I have since deleted my LastPass account and wouldn't trust that company to mop my floors.

I don‘t think the quality of the product was any better previously; they were the first to offer cloud hosted password management as far as I remember and that, plus being cheaper than 1Password last time I compared, are their only benefits in my opinion.
I did it over the course of a few months. My choice was keepass since is opensource, battled test, and works everywhere as if it was lastpass.
How smooth is the hotkey autofill experience? Does it identify websites and fill out login forms properly? (I prefer not to rely on sites' "remember me" boxes or ephemeral cookies).

Any compatible Android app?

In Android, I use Keepass2Android Password Safe app by Philip Crocol. As far as my experience goes, it is quite smooth and for the most part it is able to fill out the login form properly.
I can't speak for any browser integration but I use the app's autofill and it works great.

Several, I personally like KeePassDX but Keepass2android is also there, possibly others I don't know about.

I'm using keepass2android offline on Android, with the password file synced using syncthing. Works great.

It also has autofill that comes up in any supported app when it recognizes a password field that it can autofill. Quite seamless.

It also took a little mucking around to install it's custom keyboard and I had to run some adb command to give it permission to auto-switch keyboards, but now it's setup it's pretty good.

You can open an entry in keepass2android, then it will auto-activate the keyboard and you get buttons so you can auto-type any field from that entry into anything.

On Windows I'm using KeepassXC and the KeepassXC browser extension. It hasn't been perfect, I had to manually enable simple http auth for that to work, and sometimes it seems to miss login fields.

Also I had to manually add the URL for some existing sites (I was using KeePassDroid only on Android before so the URL entries weren't filled).

There's no way I could find to go to a site, then I would like to just click a button and choose an existing entry to fill into it.

But once I've manually added the URL entries, it's pretty seamless and auto-recognizes that there are entries that it can fill.

Overall I'm very happy with the whole setup.

(comment deleted)
Lastpass has had so many security incidents I have no idea why anyone uses it anymore when the whole product is supposed to be Security.
> We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

Sure sounds like they found passwords or keys in the development environment breach back in August, and nobody bothered to change those after knowing they were hacked.

The most shocking thing for me. The real stopper for anyone who is still trying to keep their trust in LastPass.
Password managers are a huge security antipattern and this will probably have to happen a couple dozen more times before infosec bloggers with affiliate marketing deals stop promoting them.
No one who uses unique passwords can remember them forever. It's a compromise of post-it notes vs managers. Either that or do account recovery every time you need to do your taxes (SOL for encrypted files though).

I sadly write passwords down, but dream of a better option.

Post-It notes are a safer option than password managers. And it's absolutely outrageous to say this: But not every single account you have needs a unique password. Just ones which can actually allow someone to impersonate you meaningfully, cost you money, or gather sensitive data about you.

Response to @palata because of rate-limiting: The problem is people tend not to only put unimportant accounts in their password managers. They also put their bank and email passwords in there, and to my true horror: People have started storing their TOTP tokens in their password managers, which effectively reimplements single-factor authentication!

I do post-it notes and a couple of master passwords for things I don't care about, so I don't disagree. I need to make 2 points though. 1, enough 'non-sensitive' data can eventually become sensitive when taken as a whole, and 2 post-it notes are less secure if they are at a place of employment, think teachers.

Maybe the best option is one of those physical access password managers like KeePass

KeePass on something normally-offline like a thumb drive is probably a decent compromise where needed, but I'd still encourage people to keep their most sensitive passwords either undocumented or partially/incorrectly documented.
Well then at least those accounts that are "less important" are probably not worse off in a password manager than sharing one password, are they?
Where do you store your TOTP tokens, then? Post It note?
Definitely not where you store your passwords! In my case, since I don't store my passwords on my phone, I have my TOTP app there, and then for backup, I print the QR codes when I set up TOTP and secure them in the physical world. Restoring my 2FA setup to a new phone is easy: I just scan through the stack of paper!
(comment deleted)
> People have started storing their TOTP tokens in their password managers, which effectively reimplements single-factor authentication!

The thing is that many services are now requiring TOTP in places where I don't want it, since I was already using a strong/unique password, and the TOTP requirement is effectively just to protect the service from having to deal with users who get their passwords stolen. If you're going to make me use TOTP where I don't want it, I'm going to automate its input.

I think you'd be drastically better off not wasting effort with a strong/unique password on places you "don't want" MFA, in favor of using MFA, which is always better at defeating an attacker than any password.
The effort of using a strong/unique password is trivial. The effort of using MFA on my phone is not.
Someday one of these password managers is going to be hacked wide open and it is NOT going to be pretty.
I don't use them, but my conclusion is that at least one major cloud password manager has been hacked already without any disclosure. If they disclose it, the company should logically be dead. Thus, the incentive would just be to cover it up.
Can you elaborate more? Which? Why do you think this? I also agree with you and I think it’s one that rhymes with shome paus werd. But I think it happened early in their “cloud” journey
Are you talking about 1Password? What makes you think that?
Thanks to the GDPR a coverup is no longer an option.
How do you figure? If a company never reports an incident, how would the government regulator know about it?
They will at some point. A whistleblower, the attackers themselves, the leaked data showing up somewhere on a forum and getting picked up by reporters, etc. etc. At the scale at which any of the popular passwords managers operate, IMO it would be impossible to keep it a secret for long. So taking the risk of jail time only delaying the inevitable... doesn't make sense.
Totally agree, this is why I don't trust any of them. Massive targets with extremely strong incentives to stay quiet about security issues.
Most of them are build without having decrypted passwords or keys for them on server, so attacker would need to get to the point where they can craft malicious update to the client (or exploit the client)
Dependency exploit would be the way for 1Password etc, which are now basically wrapped web apps.
even with everything, given the norms of lock files for even the most basic of web apps, you're still at "need to roll out a client update".

Now that's not to say that something can't be sneaked into other work! But the bar is a bit higher than "take over a dependency"

that's what happend to solarwinds, it out worked pretty well for the hackers there
Only web apps have dependencies?
Web apps are potentially re-downloaded every time you use them.
1. Get access to build infrastructure (e.g. via supply chain attack)

2. Inject code in build to export user's passwords to remote server after update is installed

Simple, but not easy.
This is a good point, but on the other hand, couldn't any application be hijacked in the same way to include a keylogger/upload plaintext password DBs stored locally by browsers/etc? Somehow this hasn't happened on a mass scale that I'm aware of.
Not exactly, because the JavaScript code can change and be delivered at ANY time. No code signature verification is involved.

An offline password manager is updated a few times a year, and will go through OS repository distribution, with verification of the signature for changes. Or you can download the software from the source website and check the signature.

Extension has the passwords so just need to suck them through a straw. Getting a keylogger on someones machine probably requires getting them to run an executable or a zero-day exploit.
Worth noting that open-source projects where your password store is saved locally are vulnerable to the same attack.
This kind of thing has already happened. Chinese hackers got into the Juniper VPN source code and replaced a key pair with their own. They even updated the tests so that it would pass. This went unnoticed for years.
Arguably it wasn't secure in the first place if it had backdoor like that.
It doesn't have to a backdoor. A malicious employee can have access to the keys.
The core problem is really that passwords suck and should never be the entirety of authentication. Time for hardware tokens! (admittedly there are some big problems when people lose tokens, but at least that's not a problem of insecurity ;-))
Depends on how you define "insecurity". Availability is one of the pillars of security, so even your joke falls apart.

Several years ago the trendy thing to do for security was to get a USB-A security dongle and lock your important accounts with it. Nowadays, laptops from several major manufacturers no longer ship with a USB-A port, so if you need to log in again and don't have a USB-C dock handy, you're locked out until you can find one.

Isn't availability usually from the service still being accessible in a technical sense? Password lockout policies will also result in people being locked out often until manual review or the use of some (hopefully secure) second factor. With hardware tokens there just needs to be an established - and efficient - process to replace them or allow access on an ad-hoc basis for exceptional cases (a bit iffy perhaps but also possibly necessary given practicalities). There's no dispute that passwords mean you don't have to worry about things like what USB ports your laptop has, but that's mainly because of the fact they're just strings that you type in which is also their entire issue for phishing/hacking etc.

Either way, availability can be compromised by a hack due to passwords being phished and I think I'd prefer dealing with hardware tokens than the fallout of being phished or otherwise suffering credential compromise. That said at this point I probably wouldn't issue hardware tokens en masse until proper processes are in place to manage them (and their loss/breakage/etc) - it's certainly not solved to my satisfaction yet.

Sure it’ll result in a lot of issues for minor sites, but most critical services mandate 2FA. So just don’t keep your password and 2FA in these services.
There were rumors a couple years ago that this already happened to one of them.

My layperson's armchair guess is that a successful attacker would probably seek to keep it quiet.

If you were a bad person, and you got access of tons of credentials from one of the major trust-us password managers, would you:

1. Focus on finding and looting big-payout cryptocurrency stashes, as quietly as you can (so you can keep doing it longer, before news gets out of how)?

2. Sell to a state actor to use for probably high-value purposes, while keeping it quiet?

3. Something else, and would that involve keeping it quiet, or making a big noisy mess?

Most hacks, these days, seem to fall into one of three categories:

1. State actors

2. For profit criminals

3. Teens for lulz and street cred

I guess the first group would probably keep it pretty quiet. The second would keep it quiet until they've abused the data as much as they want to, then sell the remainder on the dark web. The third would make a big noisy mess right away.

And all those people who called us stupid for critiquing the idea of trusting your logins with a third party will pretend they knew it all along.
That's why for anything important one should use separate MFA, not stored in the password manager.
Great, now I'm going to have to rename my dog.
I never pick a real answer to my security questions. It just seems pointlessly dangerous.
they never know that i secretly use the name of my imaginary pet from grade 1 rather than my actual first pets name.
I use random strings and store them in a Passwordsafe db. Ever since the Sony PSN hack which IIRC did include secret questions and answers.

(I may be mistaken, but I do know it was absolutely the last time I gave a company true information for security questions).

How do you keep track of phony answers to security questions if they are different for each site? If it is the same phony answer for every site, it is not any safer to use real answers to the security questions.
You store the answers in your password manager and treat them like passwords
Yup. You pretty much have to do this. I love signing into my bank's bill payment system. "You appear to know your password and possess your second factor. But what's your favorite book? <all lowercase favorite book> WRONG YOUR FAVORITE BOOK IS ACTUALLY <starts with an uppercase book> NOW YOUR ACCOUNT IS LOCKED."

Even if you're using real answers, you will be locked out of your account if you don't treat them like passwords. Eventually.

Worse yet, real answers are just weaker passwords. Mother's maiden name? Childhood friend? Elementary / high school? For a targeted attack, against most people, this is very insecure in the all information online age. Nobody needs to know your 20 character password if they have your social media page.
in the notes field of the appropriate keepass entry.
I generate the password and stored them in my password manager under the notes. 1Password added functionality seemingly recently to add security questions and generate a random word string that I use these days.
I hate password managers. They sign you out way too often and god forbid you’re on another PC.
How often is way too often?
My work provides me with a 1Password subscription (for both work personal use) that I take advantage of that is pretty good. I think they only require you to reauthenticate with your master password once every two weeks or something. I use a PIN, biometrics, or my Apple Watch to unlock it when it timeouts in between that two week period, and I've had no problems syncing between several of my devices.
1Password on my Mac lets me set it to never require re-authentication with my master password, though it does seem to keep switching back to 30 days.
You can set how often they log you out, and I have a phone...
Note that you should not generate a random password like D27fX$0f7RyD for your security questions. These are designed to give to a human operator on the other end of a phone. If an attacker calls up the account recovery line, gets asked for a security question, and just says "heh, I think it was a string of random characters", there's a decent chance the human operator will let them into the account. As you say, use an actual word string (passphrase) generator, which is a bit less susceptible to this attack.
Yep, if you can choose the question, choose something like "What was your first pet's name?" and then make up something silly like "Mister Poopy Eyes" (a conceivable child-given pet name).
memorable symbols and the site name

!%!%example.com%!%!

I used to do something like this. I avoid it now, and use a pass phrase of a few words as answers to these questions, stored as a password.

It was clear to me after I had to read such a security question answer over the phone to unlock an account the CSR was perfectly happy with "gibberish over the phone == gibberish in front of me", meaning my attempt to secure things made it less secure in the end.

Pick your three favorite movie characters for which there is a lot of information about them (name, town where they grew up, age, dog with a name, etc.). Rotate through these three. Append the name of the service. Dog's name? buddylastpass

There will be no reuse, because for Facebook it would be buddyfacebook or dugfacebook, or something else… but you will always be able to guess it in three tries. A computer system doing some kind of pentest isn't going to parse out the "facebook" or "lastpass". A human might, but that's why you rotate through three names. At the point where you have a human targeting your account and actually thinking about your inputs you are probably !@#$ed anyway.

I have a small orange password book… oddly. If that gets stolen I think I’d be in big trouble. However it doesn’t have my email address in it. Answers to those inquisitions of a password reset nature are within.
Same. I use random passwords for any required security questions. It is funny when you call customer support and they ask you to verify a security question though.
Have you ever tried to see if they'd let you bypass the question? I've wondered if saying "it's a bunch of gibberish" could work.
In my experience, this usually works, especially with banks.
I haven't tried, but I am not on the phone with support much as I go to great lengths to avoid calling haha. The one time I had to verify my security question, I told the representative that its a long, random character string and they waited for me to open up my password manager to read it out to them.
I've certainly heard people speculate that would be the case. I always just put together 2-3 words unrelated to the question, e.g. my first grade schoolteacher is "Antique Campfire".
I've done something like this with my bank, I tell them it's a bunch of nonsense because the security question recovery is just a variation of a weak password so we'll need to validate me some other way. They always can
I was on a first date and forgot my wallet so the first place we went was the bank. I had to repeat all my info 3x. I leveled with them and pointed to my date and said I need $100. They gave me the $100.
Anecdotally I've heard of this type of social engineering working. It's probably better to use some randomly generated real words. Another poster suggested diceware.
I didn't even have to try. I was prepared to read off the random string, and the operator went with some other piece of information from my profile instead.
I think the best way to do this is to use a passphrase so that it's clear that it's not just gibberish but you have the benefit that it's random text. Obviously at the end of the day, it all comes down to the person on the other end of the phone but I suspect they'd be more suspicious of someone saying "it's a bunch of gibberish" when they can see "grumpily siberian pampers panorama unroll aloof masculine mandatory" versus "YpZVpyQHsmPATt1P" (also the former is much easier to read over the phone).
I have had this problem, and failed the security check when I told them I had to look it up. Which was a little silly because I just hung up and called back and did it again with the list in front of me.
i use diceware. my mothers maiden name is sternness-ardently, and i am a proud graduate of blade-purge-satin-dash elementary!

…apparently.

blade-purge sounds like a good name for a metal band
That's gotta be a diceware option, right?
Did that dude just tell you she likes cloth?
Just today we received an email with a password reset request from a person who:

could not login into the customer portal because he lost/forgot the password

could not perform the password recovery procedure because his answer for the security question is some nonsense like 'blade-purge-satin-dash'

*shrug_emoji*

Sometimes these questions are just asinine.

I ran into one once that a 6 character minimum length for the answer.

Just checked: 'Your favourite computer game?'.

> I ran into one once that a 6 character minimum length for the answer

This is a problem too, but at least it works if you manage to talk to a living person - even if you don't remember exactly how did you wrote something you can prove you know the answer for the security question. With 'cp359-qreor-534wej' as an answer you have no chance.

As someone who forges security questions, and at the risk of playing No True Scotsman, we keep these answers in the database with our passwords And yeah, if we lose the database I guess we're screwed, but tbh, after ample backups, the risk of the database being leaked is way higher than the risk of losing it despite replication.
It’s seems more dangerous to be in doubt about your answers to security questions
I've had good results from refusing to play this security theatre.
I have sooo many pet and mother maiden names, but I can't remember any of them because they are all `openssl rand -hex 32`
Years ago for my university student account, you were allowed to provide the question. I figured I would never need to use it, so I set the question to "Dicks?". I was very immature and thought that was funny.

A few years later after the semester break I forgot my password. I had to email IT to reset it, and they replied "Please provide the answer to your security question: Dicks?". And I had to reply "Yes no problem, the answer is Dicks". It was an awkward email exchange, but in my defence I had immediately remembered the answer so it served its purpose.

Was expecting answer to be something like: Moby&Tracy.
I just create a new imaginary dog.
My first dog's name is Lassie, spelled LC_ALL=C < /dev/urandom tr -dc '[[:graph:]]' | head -c16
Better yet, my second college girlfriend's name is spelled the same. So is the make and model of my third car.
it's so baffling to me that people give ALL their password to a third party, commercial, organization...
It's supposed to be E2E encrypted with your master password plus an additional key.
Supposed. But few do research, even fewer do audits.
For most people, non-technical people in particular, their biggest exploit risk is they re-use the same username and password everywhere, one website gets popped and their creds get in the open, and then people use those creds to get into everything else.

Anything that gets them to use unique, strong passwords for everything vastly improves their general security, even if they are using a third party, commercial organization.

Yep. I fell in the trap of using repeat passwords because I was lazy. One of them leaked and someone overseas started using my personal Plex server. I setup LassPass the next day and changed everything to unique strong passwords. LastPass is cross platform and the convenience is worth what the risk for personal use.
I don't agree with it but it is far from baffling.
Come on now. How is that baffling?
in what other tech stack is it a good idea to have all your eggs in one basket?

that's why it's baffling. The convenience is outweighed by the possible loss.

What is the alternative strategy? I think for most people before password managers the strategy would be "have one egg".
There are lots of enterprise tech stacks where you have a single (or single-as-possible) centralized secret store… it’s far from uncommon, I.e., Hashicorp Vault, AWS Secrets Manager, Google Cloud KMS.
What percentage of the population even thinks about "tech stacks"? That's the group of people who probably already is using something else. Everyone else is still catching up to not having a password that's just "password1234"

People get their credential compromised via shared passwords way more than compromises of Lastpass or Chrome or 1Password. Sure, it's a bigger risk if your manager is compromised, but for most people it's as much "eggs in one basket" as people only having one bank account which is probably true of nearly everyone.

> password that's just "password1234"

it's even worse than that. The world's most common password is... password.

I'm not sure about that. According to The Plague, the four most common passwords were God, love, sex and secret.
Wiki says that some companies agree[1] that "123456" and "qwerty" are the most popular. "password" seems to generally be in the top 10.

What's interesting on these lists is the presence of Dragon and Monkey - am I mistaken or is it due to CJK users entering a Chinese character that got translated somehow? Wouldn't that mean some of the most popular passwords out there are single unicode characters? Surely not...

[1] https://en.wikipedia.org/wiki/List_of_the_most_common_passwo...

The alternative is spreading your eggs all over the farm, with no way to keep track of where they all are. Many will be put somewhere, then forgotten about.

Do you really think that’s safer?

For many, the ease of setup and maintenance is worth the risk.

The general population is not going to setup their own open source password manager solution. So going with an easy to use commercial password manager is better than not using one at all.

What's the alternative?

1. Have people manage their own secrets storage? Most people don't have the time or ability do this securely either. I'd rather pay someone else to secure infra, code, distribution, encryption, backups, etc. for me.

2. Reuse the same password on every site? One site gets hacked and now you're screwed.

3. Memorize a unique, long password for every site? Not feasible.

Third-party/commercial password managers are the best solution for most people, practically speaking.

Passwords suck. Move on to something better.
I'll be sure to tell the 100+ sites I have saved logins for to move on to something better.
like what ?
It is a hard one because the only computing/memory device you have with you at all times, requires no batteries and not connected to any networks (yet) and not vulnerable to probing/observation (yet) is your brain! But memory is too unreliable unless everyone trains for it.

Crypto keys are great but you can lose them and once shared they are keys to you kingdom.

Specific security devices are great but you need to remember to have them with you. They can get lost or broken so you need backups.

Google authentication is convenient but they can ban you. It is also a 3rd party to trust.

Passwords suck but might be the best of the worst. Advantages: password managers can be used to make password useless for other sites and people conceptually understand it.

It is quite a hard problem!

Webauthn passwordless is the answer right now.

Obviously doesn't work for many sites cause people are still convinced passwords are good.

The alternative to fully cloud-based solutions would be a local, open source kdbx client (Keepass, KepassXC, etc) with the password database situated on a cloud storage (Dropbox/Google Drive/etc). This way, one gets the best of both worlds.
This can be a nice compromise, but it's not without downsides. Personally, 99% of the authenticated software I use is in my browser, and the usability of an extension that has a little badge to tell me I have an account on this site and autofill capabilities is really tough to pass up. Further, because it's an extension, it can know what site I'm on, which all but eliminates my risk of falling prey to phishing attempts.
KeepassXC does have a browser extension.
Why go through all that trouble? The passwords database or storage in 1Password is encrypted. It is only ever decrypted on a local device.
How is cloud storage more secure than a password managers web interface ?
I've never used password managers, partly because I don't trust them and partly because I've found an alternative that I feel is secure enough and more convenient. I split my passwords into two parts, one secure part that is memorized but reused and one weak part that is written down but not reused.

The main ways people are hacked are re-use of passwords and writing passwords down. If someone gets access to one of my passwords, trying it in other sites won't work. If someone finds the written parts of my passwords, that won't work either as they would need to know the secure part of the password that I memorize. I can even easily take the written part of my password with me if I want to use a password on a different computer.

The only issue with this technique would be if someone finds multiple passwords of mine, they might be able to figure out the scheme and brute force other passwords, but if someone already has multiple passwords of mine and is taking the time and effort to go after me individually then I figure I am probably screwed any which way.

Then what should folks do? The alternative is having to "run your own encryption" by running your own Password manager on your own infra or re-using passwords
I'll do you one better. This is an encrypted base64 password with access to 5 ETH on Coinbase:

    U2FsdGVkX19mCN0qo7cyA5EfxgVqPQkygGlHqNgv1jM=
Guess it and post here and I'll supply you with the username
This. And their business model is literally to convince people to trust them with their most valuable secrets. Behold the power of marketing.
Are you also surprised that people run their entire SaaS business on a third party?
(comment deleted)
Can someone in the know comment here on the succinct and honest scope of breach of passwords stored by LastPass users?
They're encrypted/decrypted by the user's password locally in the app or extension.
How does it work for passwords which you shared with your team on their enterprise plan?
Exactly what I thought too but there appears to be a lot of dislike for LastPass on HN and I’m not seeing any evidence to back it up, perhaps it’s just a dislike for cloud based solutions
Guess what, they will keep getting hacked and it doesn't even matter
Just a reminder: if you are deciding to migrate from LastPass to something else, the password export malfunctions for unknown reasons. If you have memos, it could be a character in the memo.

You must make sure the exported CSV file has everything!

It also didn't export attachments when I used it (long while ago now though)
This is years ago now, but every ampersand in my passwords came across wrong. I can't recall if it was missing or url encoded, but even passwords weren't safe.
I'm still finding passwords in Bitwarden to old accounts that have `&amp;` in them. Thanks, LastPass!
Your password is safely html encoded for distribution on the web.
Like on Hacker forums? :)
That is especially surprising, considering that passwords are more than likely going to contain special characters.
LastPass's own generator puts them in there.
Avoid such trouble is why I want to avoid using symbols for password. Just use more alphanum characters for strength.
Or just use proper tools that work.
I want to as well, but annoyingly there are many sites that insist on a "special" character because their strength measure says "low" for the 20 character alphanumeric string I generated %-}
My favorite is when they actually limit what special characters you can use. Must include 1 of x special characters. Why? I always just assume they baked their own password storage and couldn't figure out how to handle the whole set of special characters
Multiple times I've found that this is caused by a web application firewall that is intended to mitigate SQL injection attacks. So they disallow the characters that would commonly be used in those attacks.
On those sites, I generally insert the same fixed uppercase-and-symbol string on my zbase32ed-entropy passwords. Zbase32 tends to produce numbers already, and that combo tends to satisfy the silly sites.
> the password export malfunctions

oh wow, what a surprise.

This really hurt me last year, when I migrated away. I didn't realize at the time how much didn't come with, so I've been playing the reset / recovery game since.
I feel your pain. I switched to KeePassXC, and will never use an online password manager again.

For a password management company, they can't even be bothered to fuzz their export functionality. QuickCheck works unreasonably well on `import(export(a)) == a`.

But maybe it's intended to be buggy, in order to keep you in their walled garden. Clearly the sync between devices works, so they have solved this problem.

> Clearly the sync between devices works, so they have solved this problem.

Presumably they don't use CSV to sync, they're using a saner json/etc. data structure that they're not letting us export ourselves. Seriously, being limited to CSV in this day and age...

I keep thinking I should reset my passwords anyway (not moving of apples keychain tho) and should probably just move off using gmail at same time!
Uh oh, now I’m paranoid my LastPass export didn’t have everything, and I deleted my account years ago
Personally, I'm more paranoid concerning whether the deletion actually worked when I deleted my LastPass three or four major security incidents ago...
You should probably change all your passwords anyway..
Too much work. At that point, it’s easier to just hack the LastPass servers.
I migrated from LastPass years ago and ran across this error. Sounds like they still haven't fixed it.
Also if you try to export multiple times it will start spitting out exports full of duplicates. Only safe way is to export right after a fresh session login.
Wow. Is LastPass generally just really bad software? These bugs mentioned in this subthread make it sound like amateur hour.
It's packed with enormous amount of bugs that make the day to day experience terrible.

I want to move but I'm terrified of the export process

(comment deleted)
I moved to 1password a few years ago and haven't regretted it for a second. I still have Lastpass installed, but it's probably getting to the point I can delete it.
OK, wait, you still are using some other cloud password provider?
I moved to BitWarden a year ago after a billing problem with LastPass that their support handled badly. I haven't had any problems with the migrated data and I finally deleted my LastPass account last month.
Likewise, deleted my LastPass account after a year with Bitwarden. I regret suffering LastPass’ UX for so long.
my major concern is that I have:

* custom "items", so instead of "Password", I also have my own * attachments, which I know 100% are not exported. There is a CLI app to help with that, but still horrible * I have large notes with weird characters, which makes me concerned if they will be exported properly * Last time I checked, the CSV seemed very broken (not respecting the standard), I'd be surprised if it imports properly

That's the reason why I haven't moved.

I'd move to bitwarden, but the lack of tags is too much for me. I use tags everywhere, I don't want to deal with directories anymore, so 1Password it is.

As today I attempt to perform the migration, their export to CSV outputs a CSV with 2 lines of my 700+ passwords. The HTML in the page shows a lot of items, but if I save directly from there, it's poorly formatted, it won't import anywhere.
Last I checked, they still didn't have a useful Content-Security-Policy header on their Web Vault (which would prevent XSS), and also didn't have a way to separate "being logged into the extension" from "being logged into the Web Vault".

I... would definitely not recommend them, no.

The UX is surprisingly bad, and has been for a long time.
It’s the worst desktop software I’ve used in several years. The UX makes no sense, it’s full of bugs, it performs badly, they’ve had multiple breaches. I can’t think of a single thing it does that’s even approaching average, let alone good.
Well, this completely explains where one of my Truecrypt volume passwords disappeared to after migrating away from LastPass years ago. Too bad the account has long since been deleted.
Is there an api to fetch all the data instead?
Being that the blob is never decrypted off your local machine, it would have to be a local data API.
That's fine too!

They seem to have a CLI to export attachments!

I'm curious what did people migrate to, and is there any feature disparities?
1Password. The largest feature disparity is 1password is designed and built by competent engineers. The history of breaches and technical mistakes Lastpass has made over the years is amazing for a tech company let alone a password manager.
How is the user experience though? "Designed and built by competent engineers" is reassuring in the face of security breaches, but often means it's less convenient to interact with on a day-to-day basis.
1Password has the best UI/UX of any that I've used. It's clean, pretty, and solid in my experience. Honestly it's a joy to use which I prioritize in the software I choose to use daily.
I've tried LastPass, 1password, and Bitwarden. Bitwarden has been my favorite as I can selfhost it if I want (open source fork with feature parity)
Used BitWarden for years, happy with it. Recently switched to Nord Pass, also happy with it. Not sure about feature disparity though, just mentioning some ideas in case you're researching alternatives.
Any specific reasons for the move away from BitWarden, or move to Nord Pass?
My wife and I switched from Lastpass to Bitwarden early this year. Glad we did, considering all the news! Password sharing is different, since you have to make a group/organization and share the password in there. But once that was figured out, it's been a better experience with less bugs. It doesn't look slick, but it's more functional.
Is it obvious that it failed (e.g. displays an error), or does it just silently skip over the entry?
I just exported my own vault with the latest version, it was ok for me. I have plenty of passwords with all kinds of special characters. Still, be sure to review the CSV file. If anything looks weird, double check that the password is the same in your LastPass vault. As with all backups/exports, you should always do a sanity check of the data.

One issue I ran into: the CSV file that "downloaded" in the browser didn't have all of my passwords, only about ~20 of ~400. I had to copy and paste the CSV text in the browser to a new CSV file with a text editor. But upon reviewing that, the format of the passwords was fine.

I had a problem not with the password data but with the content of some notes (or whatever it is called in LastPass)

I have been a paying customer of Lastpass for about 15 years. I moved to Bitwarden for all sorts of reasons. I work in technical information security so it was also for that teason (but not only)

We were considering self-hosting but sadly Bitwarden is still stuck on MS SQL ;/

There was some apparently compatible rust implmementation in PostgreSQL tho...

Have you tried Vaultwarden? (Ex bitwarden_rs). It is in Rust and it's absolutely fantastic.

I self host it for a year or two and it is a single container. The BW officer docker distribution is a nightmare.

Add to that a proxy with caddy and you get a great solution.

What would be considered a good alternative?
Bitwarden, Keypass and 1password seem to be some of the most popular ones.
Bitwarden is great. There is even an opensource implementation of bitwarden server you can self-host that includes premium features for free.
Maybe I lucked out? I migrated to Bitwarden early this year and so far all of my passwords have worked. I also made sure to compare the site entries in both. One thing that can't transfer were attachments in LastPass secure notes. So I had to download each one individually and upload them to Bitwarden.
Man, outputting data to a CSV is a very difficult computing problem. /schadenfreude
Yeah, in any migration—if you can—it's good practice to run both simultaneously for a while until you're convinced you've checked everything and you're ready to drop the old for the new without much downtime.
Kudos to the CEO for disclosing this as it's happening and writing the post. This disclosure post is direct, forthright about what's known, specific about engaging help, and explicit about notifying people as more happens. Hacking sucks, but the CEO's post is IMHO on the right track.
Ridiculous take. Absolutely zero kudos because it was obvious to everyone that this was the most likely outcome way back in August. Back in August the company issued a bullshit statement that they'd ruled out that the intruder accessed customer data. Now they are saying they did lose customer data.
(comment deleted)
Not to mention, this is mentioned nowhere on the LastPass page itself - only on that of the corporate owners.
Hacking is why we’re here. It’s criminal and exploitative behavior that sucks.
Depending on the specifics it may be a legal requirement to disclose. FTC does not look fondly in hiding data breeches. At all.
The conspicuous lack of detail in this statement doesn't bode well...
It's not unusual when the investigation has just started.
They known enough to say "We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information."

I'd want to know what information they have gained access to.

I used to be a lastpass customer a few years ago, until I switched to Bitwarden. Can you tell me that you actually delete users data when they delete their account? Or do you keep backups which were also hacked? i.e. are your ex-customers also affected?
What does the hacker news community think about Google Chrome's internal password manager?
The one where you can just launch chrome and click the eyeball icon to see what the password is? Or does chrome have something fancier I am not aware of?
Usually requires a system password to actually see them.
I’m disappointed, but I can’t say I’m surprised. I once tried to contact their support team after getting effectively locked out of my account, only to have the support form return a 5XX error upon submission. I dropped them right then and there.
What does HN community feel about Google chrome's internal password manager compared to third party ones?
I'm not sure if they fixed it, but in the past any process that was running in your user account or admin on your PC could dump the plaintext of this trivially, for many years.

Reply to @jeffbee: You basically have to have that threat model, because ordinary users are running dozens of untrustworthy processes on their machines. Real world security has to assume the user is not a security expert.

A process running as my user or admin on my PC can also just inject input events to transfer money out of my bank account. You cannot have a useful threat model that models yourself as a threat.
If you're a lastpass user, might be wise to avoid logging into lastpass until they update with a resolution - if the attackers got into the build server they could craft attacks that would exfiltrate passwords after user decrypts
LastPass is architectured so that your master password is never sent to their servers. Decryption of your vault happens locally on your device. Maybe such an attacker might get your email address (username).
Well, it should go without saying but their architecture cannot be trusted at this point.
Unless the attacker is able to modify the LastPass client to upload your masters password.
the architecture that was just hacked? Maybe in the next version of the update you'll find the architecture has mysteriously changed as well.
Is there a web UI ? If yes - I guess an attacker can just send "bad" JS to the client and steal the master password no? Or inject a malicious update. Most people probably have auto updates?
Yes, this is one of the concerns. In theory a browser addon should take a while for the bad guys to update and publish, but are the existing addons downloading and using server-provided JS? One would hope not, but that's hardly a safe assumption these days. I know Mozilla takes a pretty hard stance against this sort of thing, but it's not all caught in review. And then there's the electron style apps - those should be static too, right? right?? Also not a safe assumption. And yes, there is a pure-web UI where the code is downloaded from their servers.

Anyway - it's not a good position to be in.

> are the existing addons downloading and using server-provided JS? One would hope not, but that's hardly a safe assumption these days

This reminds me of a very brief security review I did of a 3rd-party browser extension that was being installed on everybody's laptop at a previous job. The extension itself had very little code, it was just something that bootstrapped with code from the company's servers. There was no real way to review it or freeze a reviewed version.

The kicker was that the server-provided JS was being loaded over plain http (and no, nothing was checking signatures or anything like that).

I think I misread the initial comment. Yes, if the build server is compromised code could be injected into the next build/release cycle to pilfer your master password. Not only that, but also anything else in the vault since it is decrypted locally and visible to the extension.

Still, local decryption is more secure than sending the master password to the server (so, just compromising the server holding your vault wouldn't be enough to steal your password). I think I will switch to BitWarden which uses the same approach, LastPass seems to be getting hacked alot nowdays.

Are you certain bitwarden has not? I read a thread here some time ago where 1password was bragging that they have never been breached, and someone basically commented back "they have never been breached that they are aware of".

I am concerned at some level on the lastpass breaches, but I am less affected so far than I have been by the equifax, target, and t-mobile breaches. I have had years of free credit monitoring since each one of those handed out enough data to compromise my identity several times over.

As a workaround one can log in offline via the browser extension to export one's database (by default at least).

Edit: hadn't considered that addons also autoupdate by default when back online.

Wouldn't the devs know if a malicious LoC had been built into the client and distributed to take master passwords from the browser? Idk much about browser extensions, but I think they would have been able to figure out if something malicious went out to last pass clients, no?
Fuck. If you're a lastpass user, you kind of don't have a choice. I can't log into accounts I use for socializing, work, banking, etc. without lastpass
I just spent a couple of hours resetting my most important passwords and writing them down on paper.

Won’t be touching LastPass again except offline, while I figure out where to go from here. I had been putting off finding a better password manager, but this is the last straw.

Will never understand why people use managed password management services when things like the KeePass KDBX format exist.
Basically the entire password manager space is the result of "security fatigue". Telling everyone that every single unimportant website they log into requires a unique high security password makes people use bad solutions that make their security worse, like storing all their passwords in a cloud-based single point of failure.
Multiple devices? Central management? I use KeePass so I don't know, but I assume there are valid reasons
You can use KeePassium for mobile, store your kdbx file on ftp or google drive. Not difficult. Takes only one time setup then all good for life.
when you have an employee leave your company can you reroll or disable all their work account passwords in keepass? (no; this is good for the user and not useful for the org, but that’s the use case.)
If I were going to steal passwords for my company, I'd steal them before I quit / got fired or did something illegal.
Yes. Because their passwords should be linked only to their own work accounts and not be shared passwords. Even if you used lastpass at work, nothing stops an employee from storing it again somewhere else.
If you wish to understand, all you have to do is ask someone outside the hn-tech-bubble.
"someone outside the hn-tech-bubble" saves their passwords in excel sheet without protection.
That's not far enough outside the bubble. People just reuse passwords, or add a suffix to a base password, or forget their passwords and email reset each login.
Time for hardware tokens based on DNA, so that nobody gets online unless they are exactly and uniquely who they are, and fully trackable from all points of contact. To get in, you must have the token. Bad actors lose access similar to jail time. Unless they can hack their DNA to be unique again, they don't get back in except on parole or after punishment.

My guess is this way of solving old problems may create new ones due to that pesky problem called human nature.

Isn't DNA more of a "username" than a password?
DNA is easier to lift from unsuspecting victims than it is to hack your alphanumeric code. Thought theft at scale with DNA based systems would be hard. Unless, you’re the government, in which case, good luck.
(comment deleted)
Wouldn't this be easily bypassed by, say, picking up a hair on a street and fabricating the token?

If so, at least bad actors won't have the incentive to cut off your finger or pull an eye out as with the other biometric authentication options :')

That's how the voodoo doll myth was created.

And to the OP, any shared secret that you cannot change in case of compromise is kind of a bad idea.

The Verge has more information [1]

"This comes just months after LastPass confirmed that hackers had stolen some of its source code in August and had access to LastPass’ internal systems for four days before getting detected. It looks like this new attack is connected, as Loubba says it determined that hackers gained access to user data “using information obtained in the August 2022 incident.”"

https://www.theverge.com/2022/11/30/23486902/lastpass-hacker...

Far better than the blog post, which leaves out crucial info.
Just read it looking for that extra info and not seeing it? the blog post and this article seem to have the identical information in them. The blog post is in a series, so for background on the "four days in august" you can scroll down.

it's certainly not acceptable that all they are saying is "certain elements of our customers’ information." very unacceptable, if it's credit card numbers or home addresses, they have to reveal that. the current language makes it look like they want to hide some kind of very bad news which is worse. Also their August post indicated that the developer account that was compromised had no access to customer data, so why exactly was that wrong.

Perhaps the attacker determined how the software interacts with customer information, by reading the source code, and was able to exploit the information somehow.
They may have missed it, as I did.

The current update fits pretty well exactly on my screen, so I saw no hints that it was a series. After seeing the usual corporate speak and signoff, I assumed that was it.

I went looking in their history of posts for more information on the August incident but couldn't find anything, as the older installments do not show up individually.

Nah, the blog post was eventually updated with all the missing information. The updates weren't there when I originally commented.
Just the usual semi-annual LastPass related compromise.. nothing to see here..
Just in time to give a boost to passkeys. https://fidoalliance.org/passkeys/
These probably won't replace password managers, just result in passkey managers... Dashlane already supports passkeys & 1password just announced intent to support soon.
How do they "manage" passkeys? There's nothing to manage except your fingerprint/face authentication.
You get some form of cross-platform sync. Apple, Google, and so on each have syncing, but in their ecosystem only. You can break out with the QR codes, but this might not be the preferred solution to some.
Given that Apple and Google (at least) are collaborating on a shared standard, shouldn't cross-platform sync be possible?
They're essentially certificates, so most implementations will only store them on-device, and most implementations I've seen seem to favor the phone as the device you use.

It really depends on the platform - but in short you'll either need a phone, or be locked into an ecosystem (browser, OS, etc) making using them on multiple devices & browsers difficult or impossible. A password manager supporting passkeys makes this easy as you can 1-click generate a passkey, and 1-click sign-in to services from any device or browser.

Given that Apple and Google (at least) are collaborating on a shared standard, shouldn't lock-in to an ecosystem not be a thing?

And: does using a third-party passkey manager open up passkeys to the same security issues as password managers? Specifically, more than remaining within the Apple-or-Google-supplied system?

It's shared standard in the sense that all implementations will be the same, AFAIK passkeys you generate on iOS systems aren't easily used on windows ones, etc. Or they'd require scanning a QR code from a phone which IMO sucks when a password manager has it in the browser already.

Also what security issues with password managers? There's some potential concerns with extension-based over OS based systems, but if your device is compromised where someone can actually access memory then they'd both be equally void to some extent, AFAIK there's nothing seriously concerning security wise on a password manager vs keychain, etc.

And here I am still just using KeePass.

I feel like passwords can be way too sensitive to entrust to a third party. Even if you can verify that it is secure, you could still find yourself in a jam if their service goes down or is otherwise inaccessible.

You don't have to worry about any of this with a KeePass database. You just have to deal with the very mild inconvenience of keeping your database synchronized across devices.

> You just have to deal with the very mild inconvenience of keeping your database synchronized across devices.

Which is pretty easy with SyncThing. Other services like Dropbox are also fine if you have a sufficiently high entropy password. The danger isn't in the "online", but a third party being able to decrypt your passwords.

> Which is pretty easy with SyncThing

Is SyncThing available for iOS? I thought it wasn’t but I’d love to be wrong.

iOS seems to require some sort of File Provider implementation for syncing, which seems to work anywhere from terrible to mediocre.

But maybe I misunderstand the situation.

(comment deleted)
> Which is pretty easy with SyncThing.

That keeps the whole database file synchronized, sure. But KeePass synchronizes at the level of each entry.

"Other services like Dropbox are also fine if you have a sufficiently high entropy password"

That's why you add that binary key file to the mix that you liberally distribute to all your devices. But that you carefully keep far off your sync platform. The danger of a weak password is when a device falls into the wrong hands, a compromised sync platform is much less of a concern (if the file is in the mix).

This, very much so. I use KeepassXC (Strongbox on iOS) with Seafile to sync the database files. It's only gotten better over the years, and I'd rather see my donation money go directly to the developers than get slurped up into some SaaS that doesn't care about me or security anyway.
Does your sync setup work in realtime in the background? Earlier this year I was evaluating iOS devices and a showstopper was the apparent inability to have keepass database updates push-synced: the closest I got was a scheduled copy of the file at a given time daily, but my nightmare was making a change on one device, needing that change on the iOS device, having it not be there, and not having network to go fetch it. It'd be neat if you've got a way to make this work more like Syncthing on Android.
No, that's a limitation in the setup but it's something I am willing to live with. I can make edits on my computer and "pull" them onto my phone, but not the other way around.

However I think this is a limitation of the app itself more than a limitation of the system in principle. As far as I can tell, the developer decided to only support a couple of the most popular cloud sync platforms. Maybe guess there is no consistent API for that sort of thing in iOS.

The password managers that I'm aware of store your vault locally on-device, even if they also sync to a cloud service.

That said I agree with you I would never use a cloud-only store for passwords!

I keep them local too, but I haven't found a solution on how to keep my laptop and phone in sync.

It is not fun having to type a 30+ character password consisting uppercase+lowercase letters, numbers and special characters on a mobile device.

But it has helped me to keep my phone clutter free, so maybe there's an upside to it too :)

KeePass2android and KeePassDX can help on Android. You can self host such as on NextCloud
I use a combination of a local only solution for the "master list" of passwords that I backup to cloud storage (which is not synced to my phone) in conjunction with the saved passwords & sync capabilities of Firefox for accessing it on my phone. Occasionally I'll be in a position where I'm on my phone and Firefox doesn't happen to have my latest password saved, so I just initiate a password reset for whatever that service is, set it to a new password, and then circle back later when I'm back on my machine to update my local only storage solution. It's not the most streamlined and user friendly, but it works well enough.
I use Syncthing for that. It syncs over my home WiFi network only.
As mentioned throughout this thread, Syncthing can seamlessly sync between Android phones and Windows/Linux hosts. There are apps for iOS as well, but they can be a bit more finicky due to Apple's app sandbox implementation.
> It is not fun having to type a 30+ character password consisting uppercase+lowercase letters, numbers and special characters on a mobile device.

I find that it's much faster to type an all lowercase password that's a bit longer to get the same strength.

Last time I tried it the UX for sharing/collaborating on a keepass database was horrendous at best. Has that improved in the intervening years?
> You just have to deal with the very mild inconvenience of keeping your database synchronized across devices.

For HN crowd that is likely easy. (I also use that solution)

I haven't touched KeePass in a while(especially since it always had its quirks outside of Windows, being .NET), but KeePassXC which started as a merger of all the various patches to KeepassX(the QT implementation), has been very active. It has a more secure browser integration than the original had, although it's worth noting that nothing ever came close to the accuracy of 1Password when it comes to website quirk integration[1]. There's also TouchID, OTP, better encryption and Yubikey integration of the top of my list.

I'd suggest using it in conjunction with Keepass2Android and KyPass(on iOS, someone mentioned Strongbox), although the Keepass2Android syncs and merges properly and the iOS does not.

[1] https://keepassxc.org/project/

On iOS there is strongbox and keepassium also.
I just bought Strongbox Pro just a couple of minutes ago. It's much nicer than KyPass. It's a bit pricey, but worth it if you can afford it.
KeePassXC is the desktop app I use across Windows, Linux, and Mac. It is fantastic. There are also multiple good apps for iOS, and I presume Android.

In my comment I used KeePass to refer to the database and not the specific application I use to manage it.

> you could still find yourself in a jam if their service goes down

This is true for many password managers that sync with the cloud. I use 1Password and I've made sure that I install apps on at least a couple of devices because the apps a local copy of the password data that can be accessed offline.

I've done that with another password manager that I used in the past too.

I used KeePass in the past and would likely still be using it if I didn't get 1Password free (free family account if your employer has a business account) and if I didn't need to have secure sharing with my wife.

Let me know if you know of a secure, convenient way to share password entries with another person using KeepPass that doesn't involve you sharing the your whole password database. I know you can have yet another password database that only contains shared records... but that definitely fails the convenience factor.

Yes, if you can keep your password local it's still the best option.

Sadly, once your use case becomes complicated and you need to share between devices, and potentially have partial sharing between people (e.g. your spouse, your parents etc.), it becomes a nightmare to manage. In particular trying to explain how sync is supposed to work with a third party on iOS is just pain.

I'm eyeing at self-hosted BitWarden instances, but then I kinda fear to someday be the one shooting myself in the foot and nuking everyone's literally life critical credentials...