The number of companies caught up in the Twilio hack keeps growing

Hmmm..... This is why I don't use internet-connected password managers.

Tips for a password manager that isn't that, and works everywhere?

I use KeePass and store the database on my Google Drive for convenience, so that my mobile devices have access too. The Android version of KeePass transparently accesses the key database on Google Drive, and for my desktop it's available and synced to my local disk using the Google Drive desktop app.

I'm not 100% sure of this, but I believe you can do similarly with Box and others.....

I'm comfortable with this, because even in the event of total compromise of Google servers, the key database is still encrypted.

I think that logic is sound, but I can't convince myself that "encrypted database stored on Google Drive" is more secure than "encrypted database stored on LastPass's servers."

I'm not saying either is ideal, just that I'm not convinced Google Drive offers a security benefit here.

Google Drive is not providing the benefit. You assume that the password file will leak.

The benefit is that your KeePass application runs entirely offline, so the attack surface is minimal.

If your online password manager servers get pwned, then how do you trust that it won’t share your master password with the hackers?
I'm not a believer in online password managers. They are under heavy attack. I don't trust them enough. Not yet.

Having said that, the best ones don't actually have your master password. They could not tell you your password if their lives depended on it. The password isn't an authentication, in the technical sense. It's part of an encryption keypair. Well... maybe *a* key.

The password is built into the encryption of the database itself. Their site encrypts the database using an encryption/decryption key generated using your password. They can't decrypt your database because they don't have that decryption key. You can see this in the claims of some of the better online password managers.

Example: Lastpass - https://support.lastpass.com/help/recover-your-lost-master-password-lp020010
Please be aware that LastPass Support has no knowledge of a user's master password. It is not possible for LastPass Support to reset or change a user's master password if it is forgotten.
They have tools to let you try to recover it, but...
If you still cannot recover your master password using any of the options above...
Unfortunately, the very last and only option available is to Reset Your Account and start over with collecting data (e.g., sites, secure notes, form fill items, creating identities, etc.). This will permanently delete all of your stored encrypted data within your LastPass account, but your account status and some settings will remain untouched.

Again, I'm simplifying things a bit. Basically, such services, the best ones, IMO, don't have your master password. They cannot release/publish what they do not have. Hackers can't obtain it from them because they don't have it. But, likewise, if you don't prepare ahead of time, that password DB is gone.
 
Upvote
4 (5 / -1)

VividVerism

Ars Tribunus Angusticlavius
8,690
If you use a password manager like KeePass or MacPass, you can share the encrypted file across your devices and unlock with a single strong master password.

YMMV based on how good your master password is.

Been there, done that. Yeah, it's doable, but it's also a royal pain to make sure the file is synced across all your devices. I've been caught more than once with a device that didn't have the right KeePass file.

I feel like that just moves the problem from trusting LastPass to trusting whatever cloud storage service I use to sync the file, too.
The entire point is that KeePass passes around an encrypted file protected by you. Accessing the passwords once you have the file is its own layer of defense. Getting into your account would require a bad actor to get access to the file AND be able to open it. It is moving your trust from LastPass not getting hacked to KeePass having sound encryption that can't be brute-forced without your password.

So, the solution is to carry around a portable storage device that can connect to PCs, tablets, laptops, phones where the password db is protected by Keepass's encryption? One you may leave somewhere by accident?

How's that different from having an encrypted db stored in a cloud location? The provider (Lastpass, 1Password, etc) can't decrypt the encrypted db. Assuming Keepass and the other providers all use similarly strong encryption, you shouldn't care that an adversary gets access to the encrypted db.

ETA I don't use the 2FA facility in the password saving app. I use either Yubikey, or plain old Google Authenticator on my phone (unless whatever site mandates something different). I like the 2nd factor to be really a 2nd factor, and not attached to the 1st factor.

The difference is that with an online password manager, you are typically relying on some JavaScript code or browser plug-in to read the master password and decrypt the file. The attack surface here is vastly greater than a simple offline application.

Tons of people using KeePass, and probably most people using Bitwarden, also use browser extensions that use JavaScript to fill passwords in the site DOM.

I don't know about LastPass, but many commercial Internet-connected password managers have standalone apps you could use outside the browser without an extension, if you prefer. I know 1Password does.
 
Upvote
3 (3 / 0)

VividVerism

Ars Tribunus Angusticlavius
8,690
The thing is, if my password manager is only available from one device I might as well not have one at all.

If you use a password manager like KeePass or MacPass, you can share the encrypted file across your devices and unlock with a single strong master password.

YMMV based on how good your master password is.

Been there, done that. Yeah, it's doable, but it's also a royal pain to make sure the file is synced across all your devices. I've been caught more than once with a device that didn't have the right KeePass file.

I feel like that just moves the problem from trusting LastPass to trusting whatever cloud storage service I use to sync the file, too.

No, you assume the file will leak. The password needs enough entropy to survive an offline cracker until the heat death of the universe.

This same philosophy also works for online password managers, for all threats short of a supply chain attack that ships you a malicious app or extension update.
 
Upvote
3 (3 / 0)

VividVerism

Ars Tribunus Angusticlavius
8,690
The thing is, if my password manager is only available from one device I might as well not have one at all.

If you use a password manager like KeePass or MacPass, you can share the encrypted file across your devices and unlock with a single strong master password.

YMMV based on how good your master password is.
Note that with KeePass you can (and should) also use a key file.
This can be any existing file, and you should put it separately on each of the devices you want to use (outside of any cloud syncing).

This way you sync the password data, but if your iCloud or OneDrive or whatever is breached, you are protected by the key file being absent as well as by your master password.

I’m not sure I agree with this. If your master password is sufficiently strong, the keyfile is unnecessary. And if your password is so weak that you need a keyfile, then you are one device compromise away from losing everything.

Think of it as defense in depth. Phishing a master password is unlikely but mistakes happen. Are you always hyper aware where your keyboard focus is? Also, getting a keylogger is more likely than a keylogger that ALSO searches for and exfiltrates all your files. And, lots of people, even people savvy enough to use a password manager, are using passwords they greatly overestimate the strength of anyway.
 
Upvote
1 (1 / 0)

anjoschu

Wise, Aged Ars Veteran
104
Subscriptor++
Hmmm..... This is why I don't use internet-connected password managers.

The thing is, if my password manager is only available from one device I might as well not have one at all.

Not Internet-connected does not equal single device. 1Password (the pre-cloud version) allowed for syncing between devices in the local network.

Edit: typo
 
Upvote
0 (0 / 0)
The thing is, if my password manager is only available from one device I might as well not have one at all.

If you use a password manager like KeePass or MacPass, you can share the encrypted file across your devices and unlock with a single strong master password.

YMMV based on how good your master password is.

Been there, done that. Yeah, it's doable, but it's also a royal pain to make sure the file is synced across all your devices. I've been caught more than once with a device that didn't have the right KeePass file.

I feel like that just moves the problem from trusting LastPass to trusting whatever cloud storage service I use to sync the file, too.

No, you assume the file will leak. The password needs enough entropy to survive an offline cracker until the heat death of the universe.

This same philosophy also works for online password managers, for all threats short of a supply chain attack that ships you a malicious app or extension update.

I mean, that's exactly the problem with the online password managers. I'm less afraid of the encrypted password list leaking (though not entirely unconcerned) than I am a supply chain attack slipping through and compromising the entire userbase at once.
 
Upvote
1 (1 / 0)

VividVerism

Ars Tribunus Angusticlavius
8,690
If you use a password manager like KeePass or MacPass, you can share the encrypted file across your devices and unlock with a single strong master password.

YMMV based on how good your master password is.

Been there, done that. Yeah, it's doable, but it's also a royal pain to make sure the file is synced across all your devices. I've been caught more than once with a device that didn't have the right KeePass file.

I feel like that just moves the problem from trusting LastPass to trusting whatever cloud storage service I use to sync the file, too.

No, you assume the file will leak. The password needs enough entropy to survive an offline cracker until the heat death of the universe.

This same philosophy also works for online password managers, for all threats short of a supply chain attack that ships you a malicious app or extension update.

I mean, that's exactly the problem with the online password managers. I'm less afraid of the encrypted password list leaking (though not entirely unconcerned) than I am a supply chain attack slipping through and compromising the entire userbase at once.

Which could also happen with "offline" managers with auto-update mechanisms, with a browser plugin/extension that does auto update, or just being one of the unlucky to manually install a malicious update before it's discovered.

It's certainly something to keep in mind when choosing a password manager - for example, LastPass in particular seems to have limited breaches frequently for some reason; they would not be high on my list if I started shopping for a new password manager, for that and other reasons (including the use of injected JavaScript for their UI, if they're still doing that). But to some extent you DO need to trust the maker of your password manager, whether it's online or offline.
 
Upvote
3 (3 / 0)

sword_9mm

Ars Legatus Legionis
26,120
Subscriptor
Hmmm..... This is why I don't use internet-connected password managers.

The thing is, if my password manager is only available from one device I might as well not have one at all.

Maybe; just maybe; we have too many passwords/accounts.
 
Upvote
-1 (1 / -2)
Hmmm..... This is why I don't use internet-connected password managers.

Tips for a password manager that isn't that, and works everywhere?

I migrated from LastPass to Bitwarden a while back. I assume it's only a matter of time before they are hit with something similar...

EDIT: Just had a thought and it turns out I didn't remove the stuff from Lastpass. Oops. :(

That's definitionally impossible. It can't be both insulated from the internet and available everywhere, unless you are manually migrating updates. And even then, unless the device you are using is confirmed air-gapped and free from all wireless antennas, it's still exposed.
 
Upvote
3 (3 / 0)
Hmmm..... This is why I don't use internet-connected password managers.

The thing is, if my password manager is only available from one device I might as well not have one at all.
You don't need a dedicated cloud password manager (Lastpass, 1Password, etc.) to enjoy security + anywhere access. The free and open source Keepass is an excellent local password manager that isn't cloud connected - but can provide excellent security + anywhere access as well.

1. Download Keepass app to your computer/devices.
2. Create a password-protected (encrypted) keepass data file.
3. Use any number of apps to sync that data file to your various devices - and/or your particular cloud account (Dropbox, OneDrive, Mega, etc.).

Someone breaking into your device or cloud will still need the right password to access the data file itself. And no worries about your particular cloud service accessing that data file either.
 
Upvote
-6 (3 / -9)

OrvGull

Ars Legatus Legionis
11,933
Hmmm..... This is why I don't use internet-connected password managers.

Tips for a password manager that isn't that, and works everywhere?

I use KeePass and store the database on my Google Drive for convenience, so that my mobile devices have access too. The Android version of KeePass transparently accesses the key database on Google Drive, and for my desktop it's available and synced to my local disk using the Google Drive desktop app.

I'm not 100% sure of this, but I believe you can do similarly with Box and others.....

I'm comfortable with this, because even in the event of total compromise of Google servers, the key database is still encrypted.

I think that logic is sound, but I can't convince myself that "encrypted database stored on Google Drive" is more secure than "encrypted database stored on LastPass's servers."

I'm not saying either is ideal, just that I'm not convinced Google Drive offers a security benefit here.

Google Drive is not providing the benefit. You assume that the password file will leak.

The benefit is that your KeePass application runs entirely offline, so the attack surface is minimal.

If your online password manager servers get pwned, then how do you trust that it won’t share your master password with the hackers?

Same could happen with KeePass if the servers that serve up client updates get hacked. It's inherent to any form of password manager more sophisticated than a notebook and a pencil.
 
Upvote
0 (2 / -2)

alansh42

Ars Praefectus
3,672
Subscriptor++
Another fun fact: Windows lets any process access the memory of any other process running as the same user. Think of random Steam games, random JavaScript/dotnet/Gradle packages you download from the internet in your development projects. So you can leak your password even if you use KeePass/anything else locally. A truly safe computer is a computer never connected to the Internet.
That's not correct. Unelevated processes can't read other processes' memory, even if it's the same user. The PROCESS_VM_READ right is required, which isn't on regular processes.

An elevated process can, but then it can do anything, including reading system processes (though Windows is cracking down on that).
 
Upvote
3 (3 / 0)

Hydrargyrum

Ars Praefectus
4,122
Subscriptor
The thing is, if my password manager is only available from one device I might as well not have one at all.

If you use a password manager like KeePass or MacPass, you can share the encrypted file across your devices and unlock with a single strong master password.

YMMV based on how good your master password is.

I have a KeePass-based setup (KeePass 2 on Windows, KeePassXC on Mac, KeePassium on iOS). I sync the password vault file via a standard online cloud sharing service, but I have a strong master pass phrase, and also a key file which contains several hundred more bits of entropy for the password vault's encryption key. Decrypting the vault requires both the pass phrase and the key file. The key file doesn't change, so it doesn't require frequent synchronisation like the actual password vault. So I distribute it to my devices manually via local-only connection mechanisms - it's not stored on a cloud service.

I think this minimises the impact of a cloud service compromise, since the attacker would also need to compromise one of my personal devices, or find a fundamental cryptographic flaw in the KeePass implementation, to actually decrypt the password vault. And it has a relatively modest impact in terms of convenience.
 
Upvote
3 (3 / 0)
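The "assume the file will leak" argument above, the key-file advice a few posts earlier, and the entropy point ("enough entropy to survive an offline cracker") all rest on the same mechanics, so here is one added example that is not part of the thread or of KeePass's code. It models a vault header the way a KeePass-style format does: the master password and the optional key file are hashed into a composite key (SHA-256 over the concatenated hashed components, which is KeePass's rule), that key is run through a slow KDF with the file's salt, and the result is checked against an HMAC stored in the header. Holding the file lets anyone test candidates offline; the key file, kept off the cloud, is what makes that test useless. PBKDF2, the iteration count, the header layout and every password and word list below are assumptions or constructed values, not real parameters.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example, not KeePass's code. A toy vault header that stores a random
# salt and an HMAC over the header under the derived key. Anyone holding the
# file can test candidate credentials offline, which is the threat model the
# thread assumes ("assume the file will leak").
KDF_ITERATIONS = 100_000  # assumed cost; real vaults use AES-KDF or Argon2 with tuned parameters


def key_file_material(key_file_bytes: bytes) -> bytes:
    """Reduce a key file to 32 bytes: a raw 32-byte file is used as-is,
    anything else is hashed (KeePass's XML .keyx format is left out here)."""
    if len(key_file_bytes) == 32:
        return key_file_bytes
    return hashlib.sha256(key_file_bytes).digest()


def composite_key(password: str, key_file_bytes: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated hashed components, KeePass's composite-key rule."""
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file_bytes is not None:
        parts += key_file_material(key_file_bytes)
    return hashlib.sha256(parts).digest()


def derive_vault_key(password, key_file_bytes, salt, iterations=KDF_ITERATIONS) -> bytes:
    # PBKDF2 stands in for the real key transformation; the point is that the
    # cost is paid once per guess, so it multiplies an offline attacker's work.
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, key_file_bytes), salt, iterations)


def make_vault_header(password, key_file_bytes, salt=None) -> dict:
    salt = salt or secrets.token_bytes(32)
    key = derive_vault_key(password, key_file_bytes, salt)
    return {"salt": salt, "tag": hmac.new(key, b"header" + salt, "sha256").digest()}


def credentials_open(header, password, key_file_bytes) -> bool:
    """What any offline check does per guess: derive, MAC, compare."""
    key = derive_vault_key(password, key_file_bytes, header["salt"])
    tag = hmac.new(key, b"header" + header["salt"], "sha256").digest()
    return hmac.compare_digest(tag, header["tag"])


def self_check(header, candidates, key_file_bytes=None) -> Optional[str]:
    """Defender's self-check: does any entry of a short list open the vault?"""
    for candidate in candidates:
        if credentials_open(header, candidate, key_file_bytes):
            return candidate
    return None


def seconds_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Time to try the whole credential space at a given offline guessing rate."""
    return 2.0 ** entropy_bits / guesses_per_second


if __name__ == "__main__":
    weak = "summer2022"                       # constructed weak master password
    wordlist = ["password", "letmein", weak]  # constructed short list
    header = make_vault_header(weak, None)
    print("no key file, weak password found:", self_check(header, wordlist))
    key_file = secrets.token_bytes(32)        # the key file, kept off the cloud
    header = make_vault_header(weak, key_file)
    print("key file in use, same list, key file absent:", self_check(header, wordlist))
    print("40-bit password at 1e9 guesses/s:", seconds_to_exhaust(40, 1e9), "s")
    print("plus 256-bit key file:", seconds_to_exhaust(40 + 256, 1e9), "s")
```

With the key file in the mix, the leaked vault plus a correct guess of the password still fails the check, because the attacker is missing 256 bits of the composite key; that is the defence-in-depth case the thread makes. The self-check is also a reasonable thing to run against your own vault with a handful of passwords you suspect you might have reused.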
Hmmm..... This is why I don't use internet-connected password managers.

The thing is, if my password manager is only available from one device I might as well not have one at all.
I've managed to make do with a portable password manager on a secure USB flash drive for years. Good for any device with a USB port (with adapter, where necessary, for USB A/C) so works on PC, phone, etc. No online access from within the password manager application required (though in my case I do, optionally, have it set to warn me when new versions are available).

I choose not to be bothered by the minor inconvenience of having to authenticate and plug in the flash drive whenever I need to access the password manager. Comes with the security of knowing that, when not in use, my passwords are effectively "air gapped" and impossible to access without my knowledge/authorization. YMMV.
 
Upvote
4 (4 / 0)

graylshaped

Ars Legatus Legionis
68,877
Subscriptor++
Hmmm..... This is why I don't use internet-connected password managers.

Tips for a password manager that isn't that, and works everywhere?

I migrated from LastPass to Bitwarden a while back. I assume it's only a matter of time before they are hit with something similar...

EDIT: Just had a thought and it turns out I didn't remove the stuff from Lastpass. Oops. :(

No such thing. To be able to work everywhere it needs to be on multiple devices. To be on multiple devices, there has to be a mechanism to share the password database.

Unless you want to store it on a phone and set up an ad hoc Bluetooth connection, which has its own issues.
There are plenty of ways to copy a password database without the internet...

My mom has two little notebooks, with things written on random pages throughout both of them. Whenever I visit, she always wants me to "look at something" with one of her accounts, so I'll sit down and she'll leaf through one of the books until she finds what she is looking for, hands it to me, and says "the password is one of these," which usually refers to a list of four or more fairly robust passwords, with no username and no reference to what site they might represent. Often one or more of the passwords has been crossed out.

Rather than lock her out, invariably I pull the "forgot my password" trigger and she adds the new one to her list.

As much as writing down passwords drives me nuts, I have to admit one of those notebooks falling into the wrong hands really doesn't worry me.
 
Upvote
3 (3 / 0)

graylshaped

Ars Legatus Legionis
68,877
Subscriptor++
The thing is, if my password manager is only available from one device I might as well not have one at all.

If you use a password manager like KeePass or MacPass, you can share the encrypted file across your devices and unlock with a single strong master password.

YMMV based on how good your master password is.

I have a KeePass-based setup (KeePass 2 on Windows, KeePassXC on Mac, KeePassium on iOS). I sync the password vault file via a standard online cloud sharing service, but I have a strong master pass phrase, and also a key file which contains several hundred more bits of entropy for the password vault's encryption key. Decrypting the vault requires both the pass phrase and the key file. The key file doesn't change, so it doesn't require frequent synchronisation like the actual password vault. So I distribute it to my devices manually via local-only connection mechanisms - it's not stored on a cloud service.

I think this minimises the impact of a cloud service compromise, since the attacker would also need to compromise one of my personal devices, or find a fundamental cryptographic flaw in the KeePass implementation, to actually decrypt the password vault. And it has a relatively modest impact in terms of convenience.

That's, um, exactly what I do, down to the specific clients for the various OSes. Being an old fart, I've also made sure both my wife and our estate executor have the master password stored in a safe place, and know where to find the file on my devices.
 
Upvote
1 (1 / 0)

BlandMushroom

Wise, Aged Ars Veteran
157
Another fun fact: Windows lets any process access the memory of any other process running as the same user. Think of random Steam games, random JavaScript/dotnet/Gradle packages you download from the internet in your development projects. So you can leak your password even if you use KeePass/anything else locally. A truly safe computer is a computer never connected to the Internet.
That's not correct. Unelevated processes can't read other processes' memory, even if it's the same user. The PROCESS_VM_READ right is required, which isn't on regular processes.

An elevated process can, but then it can do anything, including reading system processes (though Windows is cracking down on that).

all modern PC operating systems (Windows, Linux, ...) intentionally allow applications to manipulate other applications on the same level.

https://keepass.info/help/kb/sec_issues.html#keefarce

Keepass developer mentioned it in their notes. You do not need elevated process under Windows. You just need to be running as the same user. And I've used unelevated CheatEngine to modify game memory. Pretty sure it works.
 
Upvote
3 (3 / 0)

AxMi-24

Ars Legatus Legionis
10,370
Hmmm..... This is why I don't use internet-connected password managers.

Tips for a password manager that isn't that, and works everywhere?

I use KeePass and store the database on my Google Drive for convenience, so that my mobile devices have access too. The Android version of KeePass transparently accesses the key database on Google Drive, and for my desktop it's available and synced to my local disk using the Google Drive desktop app.

I'm not 100% sure of this, but I believe you can do similarly with Box and others.....

I'm comfortable with this, because even in the event of total compromise of Google servers, the key database is still encrypted.

I think that logic is sound, but I can't convince myself that "encrypted database stored on Google Drive" is more secure than "encrypted database stored on LastPass's servers."

I'm not saying either is ideal, just that I'm not convinced Google Drive offers a security benefit here.

Google Drive is not providing the benefit. You assume that the password file will leak.

The benefit is that your KeePass application runs entirely offline, so the attack surface is minimal.

If your online password manager servers get pwned, then how do you trust that it won’t share your master password with the hackers?

Same could happen with KeePass if the servers that serve up client updates get hacked. It's inherent to any form of password manager more sophisticated than a notebook and a pencil.

It's a matter of timing. They would need to compromise Keepass exactly when someone is downloading (there are gpg and sha256 checks). That is less likely than getting compromised using cloud based ones where every single use is interacting with their servers.
Additionally you don't have to update keepass very often and can download a version, keep it around for a few months to see if any compromise is discovered, and then update. Since it stays on your computer and doesn't connect to anything it is not exactly a high risk approach especially as security updates are fairly rare.
 
Upvote
3 (3 / 0)
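The post above leans on the GPG and SHA-256 checks published with a KeePass download. What those checks actually buy you is worth pinning down, so here is an added example, not from the thread and not KeePass's release tooling, that verifies a downloaded file against a sha256sum-style sums file and, when one is supplied, against a detached GPG signature via the installed gpg binary. The sums file only proves the bytes match what was published alongside them; the signature ties them to the publisher's key, which you must already have imported. Neither helps if the build that produced both was itself compromised, which is the supply-chain case raised later in the thread. File names, the sample content and the sums line are constructed.

```python
import hashlib
import hmac
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Added example, not KeePass's release tooling. Assumes the publisher ships a
# sha256sum-style sums file ("<hex digest>  <filename>") and, optionally, a
# detached GPG signature whose signing key is already in your keyring.


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers don't land in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def expected_digest(sums_text: str, filename: str) -> Optional[str]:
    """Find the digest for filename in sha256sum output (text or '*' binary mode)."""
    for line in sums_text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) == 2 and parts[1].strip().lstrip("*") == filename:
            return parts[0].lower()
    return None


def verify_sha256(path: Path, sums_text: str) -> bool:
    expected = expected_digest(sums_text, path.name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


def verify_gpg(path: Path, sig_path: Path) -> str:
    """'ok' if gpg accepts the detached signature, 'bad' otherwise (including an
    unknown signing key), 'unavailable' if gpg is not installed."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return "unavailable"
    result = subprocess.run([gpg, "--batch", "--verify", str(sig_path), str(path)],
                            capture_output=True)
    return "ok" if result.returncode == 0 else "bad"


def verify_download(path: Path, sums_text: str, sig_path: Optional[Path] = None) -> dict:
    """Integrity via the sums file, authenticity via the signature when one is given.
    A requested signature that cannot be checked is a failure, not a pass."""
    report = {"sha256": verify_sha256(path, sums_text), "gpg": "skipped"}
    if sig_path is not None:
        report["gpg"] = verify_gpg(path, sig_path)
    report["accept"] = report["sha256"] and report["gpg"] in ("ok", "skipped")
    return report


def write_sample_download() -> tuple:
    """Constructed stand-in for a downloaded release: a file holding b'abc'
    and a sums line carrying its well-known SHA-256."""
    directory = Path(tempfile.mkdtemp())
    path = directory / "sample-download.bin"
    path.write_bytes(b"abc")
    sums = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  sample-download.bin\n"
    return path, sums


if __name__ == "__main__":
    sample, sums = write_sample_download()
    print(verify_download(sample, sums))                      # sha256 True, accept True
    tampered = sums.replace("ba7816bf", "00000000")
    print(verify_download(sample, tampered))                  # sha256 False, accept False
```

Pass the real installer, the real sums file contents and the detached `.asc`/`.sig` path to `verify_download` and act on `accept`; the separate `gpg` field tells you whether a failure was a missing tool or a rejected signature.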

StikyPad

Ars Scholae Palatinae
731
Tips for a password manager that isn't that, and works everywhere?

I migrated from LastPass to Bitwarden a while back. I assume it's only a matter of time before they are hit with something similar...

EDIT: Just had a thought and it turns out I didn't remove the stuff from Lastpass. Oops. :(

Just use any local password manager (not going to make recommendations because critical mass makes any software a target) and store your encrypted DB on a USB stick, or in your email, Google drive, or whatever.

There are password managers with browser integration.... would not recommend, though. The opposite of convenience is security.

Still, for accounts you don't care about (I.e., not banking, a primary email account, or a site that has access to your payment info or medical info), built-in browser password storage is adequate. Who cares if someone hacks your ArsTechnica account, for example? As long as you're using a unique password for each site, it's likely just an annoyance at worst.

Admittedly, I do store my Amazon password in-browser, but Amazon does a good job of requiring more information for basically any deviation from the norm (new login, new shipping address, etc.)
 
Upvote
0 (0 / 0)

SeanJW

Ars Legatus Legionis
11,977
Subscriptor++
It's a matter of timing. They would need to compromise Keepass exactly when someone is downloading (there are gpg and sha256 checks). That is less likely than getting compromised using cloud based ones where every single use is interacting with their servers.
Additionally you don't have to update keepass very often and can download a version, keep it around for a few months to see if any compromise is discovered, and then update. Since it stays on your computer and doesn't connect to anything it is not exactly a high risk approach especially as security updates are fairly rare.

What? Cloud-based syncing services don't work that way. They download local clients, same as any other client, and those clients use a local password database as well. They just have a formal backend storage and syncing process rather than an ad-hoc one. Bitwarden uses a websocket to track notifications for application or web browser integration (or platform notifications for mobile, which only works if you're paying an enterprise license fee if you're self-hosted, as it requires going through Bitwarden's servers); that just signals "server side has changed, please resync". You can run completely offline perfectly fine, and when online again it'll go through a reconciliation.

*Web based* clients download to the browser every time. If you're using them regularly when there's a local client or browser integration, you're choosing to make life harder for yourself.

And watering hole attacks that poison the upgrade process usually don't get affected by the GPG or SHA256 signatures, because they compromise the deployment process that builds them in the first place. Just look at the 2017 MeDoc disaster to see how badly that can go....
 
Upvote
1 (1 / 0)

interars

Ars Centurion
340
Subscriptor++
I have a KeePass-based setup (KeePass 2 on Windows, KeePassXC on Mac, KeePassium on iOS). I sync the password vault file via a standard online cloud sharing service, but I have a strong master pass phrase, and also a key file which contains several hundred more bits of entropy for the password vault's encryption key. Decrypting the vault requires both the pass phrase and the key file. The key file doesn't change, so it doesn't require frequent synchronisation like the actual password vault. So I distribute it to my devices manually via local-only connection mechanisms - it's not stored on a cloud service.

I think this minimises the impact of a cloud service compromise, since the attacker would also need to compromise one of my personal devices, or find a fundamental cryptographic flaw in the KeePass implementation, to actually decrypt the password vault. And it has a relatively modest impact in terms of convenience.
I also use iOS so any solution for me had to work okay on iOS since I wasn't going to switch phone ecosystem just to solve this problem. I wanted a system that worked on Linux, iOS and Mac, but I'm using one of the cloud-based password services. It seems like half the people here have gone for a Keepass + Syncthing (or similar) solution but I didn't want that hassle, and I also wanted to be able to selectively share passwords with family members etc.

I do use the browser extensions (which is definitely a bigger surface area for attack) but I still feel the situation is much, much better than before I used a password manager. I don't run any of the local apps, it seems crazy to me to have to copy credentials from the clipboard where any other app running could potentially sniff it.

I hate that OSs don't have a builtin API for prompting for passwords, so the only transport mechanism those local apps can use is the clipboard, which can be sniffed by any local app. That's partly why I prefer the browser extensions; at least that way the password is only filled in by the password extension and my browser/webpage, which obviously has to get the password anyway in order to send it.
 
Upvote
0 (0 / 0)
Nobody's mentioned the scariest part of the LastPass attack. If the attacker had been able to use the developer account they stole to push a malware update to the LastPass browser plugin (which the browser would then silently install for you), they would be able to see and manipulate the content of every webpage you visit. They don't even need to steal your passwords when they can silently change the account number/bitcoin address of every transaction you make.

This is the reason I use KeePass instead of LastPass, and a Pi-hole instead of uBlock. Browser plugins are an enormous security liability and should not be used.
 
Upvote
3 (3 / 0)

VividVerism

Ars Tribunus Angusticlavius
8,690
I have a KeePass-based setup (KeePass 2 on Windows, KeePassXC on Mac, KeePassium on iOS). I sync the password vault file via a standard online cloud sharing service, but I have a strong master pass phrase, and also a key file which contains several hundred more bits of entropy for the password vault's encryption key. Decrypting the vault requires both the pass phrase and the key file. The key file doesn't change, so it doesn't require frequent synchronisation like the actual password vault. So I distribute it to my devices manually via local-only connection mechanisms - it's not stored on a cloud service.

I think this minimises the impact of a cloud service compromise, since the attacker would also need to compromise one of my personal devices, or find a fundamental cryptographic flaw in the KeePass implementation, to actually decrypt the password vault. And it has a relatively modest impact in terms of convenience.
I also use iOS so any solution for me had to work okay on iOS since I wasn't going to switch phone ecosystem just to solve this problem. I wanted a system that worked on Linux, iOS and Mac, but I'm using one of the cloud-based password services. It seems like half the people here have gone for a Keepass + Syncthing (or similar) solution but I didn't want that hassle, and I also wanted to be able to selectively share passwords with family members etc.

I do use the browser extensions (which is definitely a bigger surface area for attack) but I still feel the situation is much, much better than before I used a password manager. I don't run any of the local apps, it seems crazy to me to have to copy credentials from the clipboard where any other app running could potentially sniff it.

I hate that OSs don't have a builtin API for prompting for passwords, so the only transport mechanism those local apps can use is the clipboard, which can be sniffed by any local app. That's partly why I prefer the browser extensions; at least that way the password is only filled in by the password extension and my browser/webpage, which obviously has to get the password anyway in order to send it.

Clipboard is neither the only method nor the recommended one.

Most local app password managers on Windows and Linux also have a companion browser extension to communicate with local sockets rather than the clipboard. That's harder to sniff. I assume MacOS does the same (although have not confirmed).

Again on Windows and Linux, most password managers allow for drag and drop. In Windows at least, this is separate from the clipboard. I'm just realizing I'm not sure how Linux drag and drop works. Android also offers drag and drop features. 1Password, at least, supports that (but I have not had much luck with it, for some reason it doesn't work with Firefox).

On desktop, some password managers offer an autotype feature that simulates keyboard keystrokes.

On Android (I think this is not an option on iOS), some password managers offer a keyboard app that you can switch to temporarily, to fill passwords directly from the keyboard. It never hits the clipboard.
 
Upvote
0 (0 / 0)

mmiller7

Ars Legatus Legionis
12,404
Hmmm..... This is why i don't use internet connected password managers.

The thing is, if my password manager is only available from one device I might as well not have one at all.

It's more work not to use one, for sure, but if you use one then you are trading security for convenience.... And then you lose both when things like this happen.

The alternative is picking much simpler passwords and reusing passwords, which seems like a bigger risk. I've got hundreds of sites in LastPass; I'm not going to remember a unique 16-character password for each of them.


I disagree. I also have to use more than 100 login+pwd combos and I do not use this type of pwd managers. And yes, I use very long and complex pwds.

Yeah, I don't believe that you have memorized > 100 login credentials with long and complex passwords.

Or even if you have, hardly anyone else in the world would be able to.
You could certainly create a formula so you could have longer more complex easy to remember things.

Maybe do something like a phrase, and then picking certain letters based on something.
ArsTechnica
I need to remember this really annoying complicated password to let me in.

Now mix the letters
AIrnstTretcrhancipctalmi.

I'm sure there are a lot of "formulas" you could do, but that was the first one that came to my mind with "first letter of each word" interspersed with each letter of the site. Looks decently random to me, and easy to remember (site+sentence) but probably also fails most complexity rules because no numbers and only 1 punctuation.
 
Upvote
-1 (1 / -2)
You could certainly create a formula so you could have longer more complex easy to remember things.

Maybe do something like a phrase, and then picking certain letters based on something.
ArsTechnica
I need to remember this really annoying complicated password to let me in.

Now mix the letters
AIrnstTretcrhancipctalmi.

I'm sure there are a lot of "formulas" you could do, but that was the first one that came to my mind with "first letter of each word" interspersed with each letter of the site. Looks decently random to me, and easy to remember (site+sentence) but probably also fails most complexity rules because no numbers and only 1 punctuation.

I somehow got downvoted to oblivion over it, but this is the sort of thing I do (not that my formula looks anything like this), but it does make it fairly simple to have a unique password for every service while still keeping them all memorizable.
 
Upvote
-3 (0 / -3)

VividVerism

Ars Tribunus Angusticlavius
8,690
You could certainly create a formula so you could have longer more complex easy to remember things.

Maybe do something like a phrase, and then picking certain letters based on something.
ArsTechnica
I need to remember this really annoying complicated password to let me in.

Now mix the letters
AIrnstTretcrhancipctalmi.

I'm sure there are a lot of "formulas" you could do, but that was the first one that came to my mind with "first letter of each word" interspersed with each letter of the site. Looks decently random to me, and easy to remember (site+sentence) but probably also fails most complexity rules because no numbers and only 1 punctuation.

Those formulas that "look decently random" to a human do not look anywhere near random to a computer running a massively parallel cracking tool configured with dozens or hundreds or more commonly used pattern rules.

Just use a damn password manager, already.
 
Upvote
1 (1 / 0)
You could certainly create a formula so you could have longer more complex easy to remember things.

Maybe do something like a phrase, and then picking certain letters based on something.
ArsTechnica
I need to remember this really annoying complicated password to let me in.

Now mix the letters
AIrnstTretcrhancipctalmi.

I'm sure there are a lot of "formulas" you could do, but that was the first one that came to my mind with "first letter of each word" interspersed with each letter of the site. Looks decently random to me, and easy to remember (site+sentence) but probably also fails most complexity rules because no numbers and only 1 punctuation.
This is a great example of why you shouldn't. The entropy of your password is zero.
 
Upvote
3 (4 / -1)
You could certainly create a formula so you could have longer more complex easy to remember things.

Maybe do something like a phrase, and then picking certain letters based on something.
ArsTechnica
I need to remember this really annoying complicated password to let me in.

Now mix the letters
AIrnstTretcrhancipctalmi.

I'm sure there are a lot of "formulas" you could do, but that was the first one that came to my mind with "first letter of each word" interspersed with each letter of the site. Looks decently random to me, and easy to remember (site+sentence) but probably also fails most complexity rules because no numbers and only 1 punctuation.

Those formulas that "look decently random" to a human do not look anywhere near random to a computer running a massively parallel cracking tool configured with dozens or hundreds or more commonly used pattern rules.

Just use a damn password manager, already.

This article suggests I absolutely should not be doing that. Don't worry. There are plenty of passphrase formulas with a high level of entropy. Heck, I routinely test variants of mine using online tools that tell you just how secure a password is. Mine to this day always checks out in the strongest possible result. The key to a good pass phrase is randomly dice rolling the individual words, then dice rolling some numbers and symbols as well.
 
Upvote
-3 (1 / -4)

Dzov

Ars Legatus Legionis
16,083
Subscriptor++
You could certainly create a formula so you could have longer more complex easy to remember things.

Maybe do something like a phrase, and then picking certain letters based on something.
ArsTechnica
I need to remember this really annoying complicated password to let me in.

Now mix the letters
AIrnstTretcrhancipctalmi.

I'm sure there are a lot of "formulas" you could do, but that was the first one that came to my mind with "first letter of each word" interspersed with each letter of the site. Looks decently random to me, and easy to remember (site+sentence) but probably also fails most complexity rules because no numbers and only 1 punctuation.
This is a great example of why you shouldn't. The entropy of your password is zero.
By itself, it would likely work. The problem is when a few of your passwords get compromised as various online services get compromised and someone has enough examples of your passwords to figure out your formula. Though unless you are famous, I wouldn't expect anyone to put forth the effort to figure out the pattern.
 
Upvote
3 (3 / 0)

Little-Zen

Ars Praefectus
3,234
Subscriptor
Might be a good time to point out that if you're technically inclined, have all the devices you'd want to use the app available on your local network, and don't mind a little legwork, you can set up a bitwarden server locally and not depend on the cloud infrastructure.

Lots of great documentation on how to set it up:

https://bitwarden.com/help/hosting-faqs/

https://bitwarden.com/help/migration/

https://bitwarden.com/help/install-on-premise-linux/

https://bitwarden.com/help/install-on-premise-windows/

I've been going back and forth with myself about migrating all my cloud-hosted bitwarden to self-hosted for a while now. Just don't have the time to tinker like I once did. But the continuous news of breaches is a constant reminder that I really should get around to it.

[edit] I would love to see someone offer a pre-built "install server here, install clients here, done" commercial package like this, to make it easier for anyone to do, but I'm also aware that any company making a commercial product like that would want some way to have frequent recurring revenue so as to not run out of money. And that's why we've wound up with all these cloud-hosted subscription services. So IMO an open source, self-hosted option like Bitwarden, with the steeper learning curve for the admin person, is really the only option.
 
Upvote
0 (0 / 0)

VividVerism

Ars Tribunus Angusticlavius
8,690
You could certainly create a formula so you could have longer more complex easy to remember things.

Maybe do something like a phrase, and then picking certain letters based on something.
ArsTechnica
I need to remember this really annoying complicated password to let me in.

Now mix the letters
AIrnstTretcrhancipctalmi.

I'm sure there are a lot of "formulas" you could do, but that was the first one that came to my mind with "first letter of each word" interspersed with each letter of the site. Looks decently random to me, and easy to remember (site+sentence) but probably also fails most complexity rules because no numbers and only 1 punctuation.

Those formulas that "look decently random" to a human do not look anywhere near random to a computer running a massively parallel cracking tool configured with dozens or hundreds or more commonly used pattern rules.

Just use a damn password manager, already.

This article suggests I absolutely should not be doing that. Don't worry. There are plenty of passphrase formulas with a high level of entropy. Heck, I routinely test variants of mine using online tools that tell you just how secure a password is. Mine to this day always checks out in the strongest possible result. The key to a good pass phrase is randomly dice rolling the individual words, then dice rolling some numbers and symbols as well.

If you had suggested randomly rolling words, I'd have agreed with you. But you need to re-roll for every site, which you're going to have trouble remembering.

Online strength meters are crap. They're mostly just looking for character classes. Some at least look for dictionary words or even common character substitution, but they won't pick up on patterns. Cracker tools definitely pick up on patterns.

If you randomly generated one passphrase and then just tweak it between every site by inserting the site name, then a leak on one site allows a straightforward attack on another. The more sites leak the greater the chances of further attacks on other sites.

There are no formulas that introduce any entropy whatsoever. The only entropy in that case is (1) what did you use as the input to the formula and (2) which of a few dozen commonly re-invented formulas did you use. The formula itself does nothing.

The article does not in any way suggest you should not use a password manager. No password data was leaked in the LastPass breach. LastPass stores passwords with strong encryption and only the users (not LastPass, and definitely not the attacker) have any access to the encryption key. They use a reasonable KDF to slow down and thwart cracking attempts on any DBs that were stolen.

Password managers don't need to be perfect. They need to be better than not using one. In this case, they would be. Your suggested formula is crap. It's obvious and commonly used, and now you've even posted it online (again, anyway...I've seen almost that exact one before). The formula is better than a single dictionary word with some 1337 substitutions and an exclamation point, but it's not good.
 
Upvote
3 (4 / -1)

oikjn

Ars Scholae Palatinae
1,015
Subscriptor++
Hmmm..... This is why i don't use internet connected password managers.

Tips for a password manager that isn't that, and works everywhere?

I migrated from LastPass to Bitwarden a while back, I assume it's only a matter of time before they are hit with something similar...

EDIT: Just had a thought and it turns out I didn't remove the stuff from Lastpass. Oops. :(


keepass is pretty close to that. It's an open source program and you keep the file locally, but you can use a place like onedrive/dropbox/icloud to store the file and access it on mobile devices or other computers. It's not as seamless as the others, but at least the only one controlling and accessing your data is you and whomever you give your master key to.
 
Upvote
3 (3 / 0)

mmiller7

Ars Legatus Legionis
12,404
You could certainly create a formula so you could have longer more complex easy to remember things.

Maybe do something like a phrase, and then picking certain letters based on something.
ArsTechnica
I need to remember this really annoying complicated password to let me in.

Now mix the letters
AIrnstTretcrhancipctalmi.

I'm sure there are a lot of "formulas" you could do, but that was the first one that came to my mind with "first letter of each word" interspersed with each letter of the site. Looks decently random to me, and easy to remember (site+sentence) but probably also fails most complexity rules because no numbers and only 1 punctuation.

Those formulas that "look decently random" to a human do not look anywhere near random to a computer running a massively parallel cracking tool configured with dozens or hundreds or more commonly used pattern rules.

Just use a damn password manager, already.
Given they are banned at work "for security", not really an effective option.
 
Upvote
-2 (0 / -2)

mmiller7

Ars Legatus Legionis
12,404
You could certainly create a formula so you could have longer more complex easy to remember things.

Maybe do something like a phrase, and then picking certain letters based on something.
ArsTechnica
I need to remember this really annoying complicated password to let me in.

Now mix the letters
AIrnstTretcrhancipctalmi.

I'm sure there are a lot of "formulas" you could do, but that was the first one that came to my mind with "first letter of each word" interspersed with each letter of the site. Looks decently random to me, and easy to remember (site+sentence) but probably also fails most complexity rules because no numbers and only 1 punctuation.
This is a great example of why you shouldn't. The entropy of your password is zero.
Uh, what? Care to explain how you have calculated that the entropy of a non-zero-length string is zero?
 
Upvote
-5 (0 / -5)

foofoo22

Ars Tribunus Militum
2,043
Subscriptor
You could certainly create a formula so you could have longer more complex easy to remember things.

Maybe do something like a phrase, and then picking certain letters based on something.
ArsTechnica
I need to remember this really annoying complicated password to let me in.

Now mix the letters
AIrnstTretcrhancipctalmi.

I'm sure there are a lot of "formulas" you could do, but that was the first one that came to my mind with "first letter of each word" interspersed with each letter of the site. Looks decently random to me, and easy to remember (site+sentence) but probably also fails most complexity rules because no numbers and only 1 punctuation.

Those formulas that "look decently random" to a human do not look anywhere near random to a computer running a massively parallel cracking tool configured with dozens or hundreds or more commonly used pattern rules.

Just use a damn password manager, already.

This article suggests I absolutely should not be doing that. Don't worry. There are plenty of passphrase formulas with a high level of entropy. Heck, I routinely test variants of mine using online tools that tell you just how secure a password is. Mine to this day always checks out in the strongest possible result. The key to a good pass phrase is randomly dice rolling the individual words, then dice rolling some numbers and symbols as well.

If you had suggested randomly rolling words, I'd have agreed with you. But you need to re-roll for every site, which you're going to have trouble remembering.

Online strength meters are crap. They're mostly just looking for character classes. Some at least look for dictionary words or even common character substitution, but they won't pick up on patterns. Cracker tools definitely pick up on patterns.

If you randomly generated one passphrase and then just tweak it between every site by inserting the site name, then a leak on one site allows a straightforward attack on another. The more sites leak the greater the chances of further attacks on other sites.

There are no formulas that introduce any entropy whatsoever. The only entropy in that case is (1) what did you use as the input to the formula and (2) which of a few dozen commonly re-invented formulas did you use. The formula itself does nothing.

The article does not in any way suggest you should not use a password manager. No password data was leaked in the LastPass breach. LastPass stores passwords with strong encryption and only the users (not LastPass, and definitely not the attacker) have any access to the encryption key. They use a reasonable KDF to slow down and thwart cracking attempts on any DBs that were stolen.

Password managers don't need to be perfect. They need to be better than not using one. In this case, they would be. Your suggested formula is crap. It's obvious and commonly used, and now you've even posted it online (again, anyway...I've seen almost that exact one before). The formula is better than a single dictionary word with some 1337 substitutions and an exclamation point, but it's not good.

Furthermore, in over a decade that online password managers existed, there has not been a compromise of passwords held in a service store (at least that I have heard about). Yes, there were compromises of the service (like Lastpass) but they did not compromise any users password stores because of the design.
 
Upvote
3 (3 / 0)

real mikeb_60

Ars Legatus Legionis
13,170
Subscriptor
The thing is, if my password manager is only available from one device I might as well not have one at all.

If you use a password manager like KeyPass or MacPass, you can share the encrypted file across your devices and unlock with a single strong master password.

YMMV based on how good your master password is.
Note that with KeePass you can (and should) also use a key file.
This can be any existing file, and you should put it separately on each of the devices you want to use (outside of any cloud syncing).

This way you sync the password data but if your icloud or onedrive or whatever is breached, you are protected by the key file being absent as well as your master password.

I’m not sure I agree with this. If your master password is sufficiently strong, the keyfile is unnecessary. And if your password is so weak that you need a keyfile, then you are one device compromise away from losing everything.

Think of it as defense in depth. Phishing a master password is unlikely but mistakes happen. Are you always hyper aware where your keyboard focus is? Also, getting a keylogger is more likely than a keylogger that ALSO searches for and exfiltrates all your files. And, lots of people, even people savvy enough to use a password manager, are using passwords they greatly overestimate the strength of anyway.
Keepass has the ability to use a version of Secure Desktop for master password entry. Certainly not unhackable, but better than just a garden-variety dialog box. At least, you know where the keyboard focus is when you use that.
 
Upvote
2 (2 / 0)
You could certainly create a formula so you could have longer more complex easy to remember things.

Maybe do something like a phrase, and then picking certain letters based on something.
ArsTechnica
I need to remember this really annoying complicated password to let me in.

Now mix the letters
AIrnstTretcrhancipctalmi.

I'm sure there are a lot of "formulas" you could do, but that was the first one that came to my mind with "first letter of each word" interspersed with each letter of the site. Looks decently random to me, and easy to remember (site+sentence) but probably also fails most complexity rules because no numbers and only 1 punctuation.
This is a great example of why you shouldn't. The entropy of your password is zero.
Uh, what? Care to explain how you have calculated that the entropy of a non-zero-length string is zero?
Certainly. Entropy is a measure of the randomness that goes into making your password, measured as "number of bits" (log2) of the number of possible passwords your algorithm could have generated (assuming a linear distribution). Note that this is not the measure of randomness of any passwords that were actually created (which is ill defined), and as such cannot be measured by an online strength checker.

This is why your nine-digit SSN has zero entropy (you only have one SSN, so log2(1)) while the four digits from four dice rolls has ten bits of entropy (log2(6*6*6*6)). Conversely, an empty string can represent a password with an arbitrary entropy, if the algorithm takes a character and repeats it a random number of times (which happened to be zero). Though you probably shouldn't use such a password if you're unlucky enough to get it.

As for the algorithm you presented, neither the name of the website nor the sentence is random, therefore there is only one possible password for each website. You could argue that the sentence is a cryptographic pepper (and thus a secret), but your algorithm leaks the pepper into the generated passwords in a rather obvious way, so it's effectively not a secret.
 
Upvote
5 (5 / 0)
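As an added illustration of the entropy definition given in the post above (not code from the thread), the following Python computes log2 of the number of outputs a generator can produce, and applies it to the dice-based generators mentioned there and to the site+sentence formula quoted throughout the thread. `formula_password` is a transcription of that posted scheme so that its single, fixed output can be shown; the word-list size 7776 assumes a five-dice word list such as the EFF long list, and the "36 commonly re-invented formulas" figure is a constructed illustration of the point made earlier that the only entropy left is which formula was chosen.

```python
import math
from typing import Sequence


def entropy_bits(choices_per_slot: Sequence[int]) -> float:
    """log2 of the number of distinct outputs the generator can produce.

    Each slot is filled independently and uniformly from choices_per_slot[i]
    options; a slot with exactly one option contributes log2(1) = 0 bits.
    This measures the generating process, not any one resulting string.
    """
    total = 1
    for n in choices_per_slot:
        if n < 1:
            raise ValueError("a slot needs at least one option")
        total *= n
    return math.log2(total)


def formula_password(site: str, sentence: str) -> str:
    """The scheme quoted in the thread: letters of the site name interleaved
    with the first letter of each word of the sentence, leftover initials
    appended, then a final period. Every input is fixed, so for a given
    site there is exactly one possible output."""
    initials = [word[0] for word in sentence.split()]
    out = []
    for i in range(max(len(site), len(initials))):
        if i < len(site):
            out.append(site[i])
        if i < len(initials):
            out.append(initials[i])
    return "".join(out) + "."


def formula_entropy_bits(site: str, sentence: str) -> float:
    """Entropy of the formula given its (known) inputs: one site and one
    sentence yield one output, so log2(1) = 0 regardless of its length."""
    possible_outputs = {formula_password(site, sentence)}
    return math.log2(len(possible_outputs))


# Assumption: a five-dice word list (6**5 = 7776 entries, like the EFF long list).
FIVE_DICE_WORDLIST = 6 ** 5

# Constructed illustration of "which of a few dozen re-invented formulas".
COMMON_FORMULA_COUNT = 36


if __name__ == "__main__":
    sentence = "I need to remember this really annoying complicated password to let me in."
    print(formula_password("ArsTechnica", sentence))          # AIrnstTretcrhancipctalmi.
    print(formula_entropy_bits("ArsTechnica", sentence))      # 0.0
    print(round(entropy_bits([6] * 4), 2))                    # four dice digits: 10.34
    print(round(entropy_bits([FIVE_DICE_WORDLIST] * 5), 2))   # five dice words: 64.62
    print(round(entropy_bits([COMMON_FORMULA_COUNT]), 2))     # guessing the formula: 5.17
```

Note that `formula_password` reproduces the exact string the commenter posted, which is the whole point: a 25-character output that an online meter scores as "strong" was produced by a process with zero bits of entropy once the sentence is known, whereas five dice-rolled words carry about 64 bits however short the result looks.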