The best and most secure password manager

[Ivan Seeking]

I have used the same password manager for over 20 years.

I have a word doc with my passwords and abbreviated names of the sites. So for starters, many people wouldn't even know the site the password applies to. For example, if I know BBB is Bed, Bath and Beyond, it is obvious to me but likely not to most hackers.

But the key is the password itself. I have an encryption process I have always used and it only exists in my head. I modify the existing password as I enter it. An example would be to take your saved password, ignore the 2nd, 4th, and 6th characters, and increment the first character by 2. So I can hand you my saved passwords and they would do you no good.

 

[anorlunda]

Am I correct saying that for accounts that make use of multifactor authorization, a compromised password still does not give bad guys account?

I have switched PW managers, now I'm trying to decide if it is necessary to change the passwords on my most critical accounts; all of which have multifactor authorization.

Even more bothersome would be to get new credit card numbers assuming that the old ones might be compromised. The news discusses the fact that login data was encrypted and URLs not encrypted. They don't mention CC numbers/expiration/security code info stored in Lastpass under the "Payment Card" feature.

 

[Vanadium 50]

Am I correct saying that for accounts that make use of multifactor authorization, a compromised password still does not give bad guys account?

Even with single factor, these compromises do not unlock your account. The central password manager database does not (at least for the good PWMs) know your master password.

Since they don't have it,. they can't lose it.

 

[anorlunda]

Even with single factor, these compromises do not unlock your account. The central password manager database does not (at least for the good PWMs) know your master password.

Since they don't have it,. they can't lose it.

Sorry, I should have repeated what was said earlier in this thread. The unencrypted URL info identifies the juicy targets for bad guys to try to crack your PW with conventional cracking methods. Cracking one, is 100x times faster than cracking 100.

Of course, if the bad guys see how poor I am, they won't target me anyhow. Millionaires and billionaires should be more worried. That is one of the very rare cases where leaks of my private information may benefit me. Poor people make bad targets.

 

[Wrichik Basu]

I came across a detailed article "decoding" the breach statement issued by LastPass on December 22 last year, written by a security analyst: https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/

As mentioned earlier in the thread, the vault of the users was breached, but the master password wasn't, since it's not stored. But, the hashed form of the password is stored. LastPass uses the PBKDF2 algorithm to store the hash of the master password. The number of iterations used in this algorithm for most accounts is 100k. This is far lower than the OWASP recommendation of 310k iterations at that time, but would still make getting the password by brute force difficult. Here's the caveat: LastPass originally used only 5k iterations, and later upgraded to 100k. But some accounts are still sitting with 5k iterations. Reportedly, a few accounts are configured with just 1 (one) iteration. These accounts are quite vulnerable, as their master passwords can be decoded from the hash by brute force without too much effort.

The metadata lost in unencrypted form contained the following:

company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service

Therefore, this is not only a privacy issue (as pointed out by many in this thread), but also makes the users a subject to pishing attacks. In addition, LastPass also stored the IP of the users (all devices from where the user was logged in) in plain text form. Thus, the attacker can now have better knowledge about the whereabouts of the users.

Most probably, LastPass has an option to change the number of iterations manually. The current OWASP recommendation is ≥ 600k, so if anyone here is (still) using LastPass, please make sure to increase the iterations in your vault.

---

I recently paid for a subscription for Bitwarden. I used the free version for some time, and thought it was decent. I had a free LastPass account for some time, and deleted my data from there after buying Bitwarden.

And then this surfaced: https://palant.info/2023/01/23/bitwarden-design-flaw-server-side-iterations/

In short, Bitwarden uses 200,001 iterations; 100,001 client-side and 100k server-side. But the server-side iterations actually are useless. Many users were enraged, and they posted threads like this and this, which were marked as "feature requests" by Bitwarden. Fortunately, Bitwarden, too, has an option to increase the number of client-side iterations. You need to go to the web vault → click on your account picture at the top right → Account Settings → Security (left panel) → Keys tab and increase the number of iterations.

 

[anorlunda]

As mentioned earlier in the thread, the vault of the users was breached, but the master password wasn't, since it's not stored.

The details can be dense. The master password was as you said, but the encrypted passwords of sites stored in the vault were also stolen. Those do not have the same protections as the master password.

Recent news said that the hacker also got the user's backups. I'm scratching my head at the significance of that.

I was a long time satisfied user of LastPass, but now I switched to a different one. I read that they lost 60% of their customers in December. My reason for switching was their poor transparency, not their security.

 

[Wrichik Basu]

the encrypted passwords of sites stored in the vault were also stolen. Those do not have the same protections as the master password.

The encrypted fields are encrypted with 256-bit AES algorithm that requires the user's master password to decode. LastPass's defence is, it doesn't store the master password. But if the hacker can brute force decode someone's master password due to the low number of iterations, all encrypted passwords will be lost. If the master password was weak, then the user is responsible and not LastPass, as they have a policy of a minimum 16-character master password. Notably, this rule was enforced later, and many accounts still have an 8-character password and were never notified to change it. LastPass's defence: how can they notify the user if they don't even know the master password?

Recent news said that the hacker also got the user's backups. I'm scratching my head at the significance of that.

The vaults lost were the backups. In the August 2022, the hacker got some code and technical data, which they used to target another employee, and then got the credentials of the 3rd party cloud storage where LastPass stores their data centre's backup copies.

Apparently, LastPass took a lot of time, and probably invested in highly paid attorneys, to write an email which tells the users that they shouldn't be held responsible for what happened.

 

[Vanadium 50]

The unencrypted URL info identifies the juicy targets for bad guys to try to crack your PW

Sorry, I missed this message too.

Yes, it does. But Google and their ilk also keep track of what I sites I visit. That ship has sailed. And it's not a good reason to use 'qwery' because password managers are insecure.

And I think I mentioned that there are security implications to encrypting the vault. If a trial key returns www.porn-u-copia.com, it is likely to be correct. If it returns 1&Ra6M0toCnEPNHi, how do you know?

hash

A hash? The horror! The horror!

First, one thing is very clear. Lots or people, here and elsewhere, do not believe in public key encryption. The central idea is that your opponent already knows the key and already knows the algorithm. Keepiing them secret may slow her down, but is not necessary for security.

Now, if your master password is lousy, it does not matter what has and has not been hacked. One merely logs on with 'qwerty' and that's that. So expecting a PWM to protect you against a bad password is unrealistic.

Now, onto the vault. There are two options. One is to return the vault to anyone who asks for it. The other is to require partial information to release the vault. Those are your choices. A has like an 8-bit checksum will require on average over 100 attempts to download the vault. Nine bits and it's a thousand, and so on.

The cost of this is that the security of the master password is decreased by the same number of bits, My master password has about 60 bits of entropy, so decreasing this to 52 is not good, but survivable. If you use one of the most 1000 commonly used passwords, this will reduce the entrop to 2 bits. Not good.

No PWM will protect you from a lousy master password.

Classical cryptography theory says 'don't do this'. Why might you want to? By not giving the vault to just anyone, you can slow an attacker down, and possibly identify the threat. So while such a design might be formally less secure, it may be more secure in practice.

There is a lot I don't like about the LastPass design, but I recognize that there are design choices to be made and these choices have their pros and cons. Critics getting the vapors because the chosen design has a downside strikes me as unserious.

Further, discouraging people from using a PWM and a good password because its not perfect does not help them if they go back to using qwerty everywhere,

 

[Vanadium 50]

LastPass announced some more details today. Three interesting facts:

1. One exploit was a company laptop,
2. One exploit was a cloud-based backup. (I don't know why this wasn't encrypted)
3. Information from the two exploits was combined (so probably a single actor).

 

[fluidistic]

A flaw in keepass allows one to retrieve the master password: https://nvd.nist.gov/vuln/detail/CVE-2023-32784. The fix will be available to the masses in July.

Thankfully it,doesn't affect keepassxc.

 

[Wrichik Basu]

A flaw in keepass allows one to retrieve the master password: https://nvd.nist.gov/vuln/detail/CVE-2023-32784. The fix will be available to the masses in July.

Thankfully it,doesn't affect keepassxc.

From the GitHub repo containing the proof-of-concept of the vulnerability:

What can you do​

First, update to KeePass 2.54 or higher once available. Second, if you've been using KeePass for a long time, your master password (and potentially other passwords) is likely in your pagefile/swapfile and hibernation file. Depending on your paranoia level, you can consider these steps to resolve the issue:

• Change your master password
• Delete hibernation file
• Delete pagefile/swapfile (can be quite annoying)
• Overwrite deleted data on the HDD to prevent carving (e.g. Cipher with /w on Windows)
• Restart your computer

Or just overwrite your HDD and do a fresh install of your OS.

 

[vela]

It looks like the consequences of the LastPass breach may be being felt by some.

https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/

 

[Vanadium 50]

Is this a statement about password manager security or of crypto-wallet security?

In real-world banking, a PIN plus a card (two factor right there) can get a few hundred dollars. A check and a signature up to about $10,000. Above $10,000 and it's a check, a signature, and at least a phone call. (Three factor) I have a bond ladder set up, and every week > $10,000 comes in and goes out, and every week my bank files a report on that with the feds.

But crypto? Guess the secret word and you have access to whatever is there.

 

[fluidistic]

Is this a statement about password manager security or of crypto-wallet security?

In real-world banking, a PIN plus a card (two factor right there) can get a few hundred dollars. A check and a signature up to about $10,000. Above $10,000 and it's a check, a signature, and at least a phone call. (Three factor) I have a bond ladder set up, and every week > $10,000 comes in and goes out, and every week my bank files a report on that with the feds.

But crypto? Guess the secret word and you have access to whatever is there.

Almost. There's something called BIP39 standard which was proposed back in 2013, a few years after Bitcoin was born, which consist in generating a private key (complex looking private key) from a series of generally either 12 or 24 words, taken out from a list of 2000 words. (see there for the interested: https://www.blockplate.com/pages/bip-39-wordlist).
Many crypto people use this standard to keep their funds safe. They tatoo the secret words on steel, or paper, etc. This is not very secure because if someone else sees their list of words, they have access to the funds.
However it is possible to use a passphrase on top of the list of words, consisting of a combination of any character or number in such a way that in order to retrieve your funds (your private key), you need both your list of words and your passphrase. You can then physically hide your list of words, and keep your passphrase in an encrypted password manager's vault. This way a hacker would have to hack you both physically and computationally to retrieve your funds. This is much more secure than using a list of words.
The advantage over banks is that you can transfer your funds whenever you want, quicker than with a bank. Not a big advantage you may say, fine enough. But it's not trivial that banking is safer than this method, to me, either.

 

[Vanadium 50]

I don't see this as fundamentally different than a password. 2000 words is 11 bits, and 12 of them is 132 bits. That's roughly a 20 or 21 character password - better than is typical, and much better than "abc123" or "qwerty".

Now, if you are asked "What is the third word on your list?" this reduces the protection down to 2 characters, but it also adds protection against interception. If someone finds out the 3rd word on your list is "gallon" it doesn't help them if next time they are asked the 6th word on the list.

However, I think people are learning that the risk in crypto is not your enemy, but your friend. The people who run the exchanges etc. are at least as likely to steal from you as an outside bad actor.

Back to the topic at hand, LastPas has just announced that they will require master passwords to be 12 characters. So protecting your zillion-charachter random string with "qwerty" is a thing of the past.

 

[fluidistic]

I don't see this as fundamentally different than a password. 2000 words is 11 bits, and 12 of them is 132 bits. That's roughly a 20 or 21 character password - better than is typical, and much better than "abc123" or "qwerty".

A physical ''cold wallet'' stores your list of 12 words, i.e. password (so can be hacked if stolen), which is bad security wise. The passphrase however isn't. And it needs not to be made of words. It has to be typed by the user, either on their dedicated hardware (safest way, since not linked to the Internet), or on a computer (riskier). I think this is pretty secure. But if one gets drunk or something like that, maybe it's possible to retrieve the funds without too much troubles.

Now, if you are asked "What is the third word on your list?" this reduces the protection down to 2 characters, but it also adds protection against interception. If someone finds out the 3rd word on your list is "gallon" it doesn't help them if next time they are asked the 6th word on the list.

I try to follow you, but this is over my head. Why would the knowledge of a word on a 12 words list reduce the protection to essentially 0? And what do you mean by interception?

However, I think people are learning that the risk in crypto is not your enemy, but your friend. The people who run the exchanges etc. are at least as likely to steal from you as an outside bad actor.

I agree. It also doesn't make sense to keep your cryptos in a centralized exchange if the goal is to own your own money (something banks fail at, too)

Back to the topic at hand, LastPas has just announced that they will require master passwords to be 12 characters. So protecting your zillion-charachter random string with "qwerty" is a thing of the past.

I'll go for qwertyqwerty.

 

[Vanadium 50]

If you have an un-secure channel and an eavesdropper catches the password exchange, now he has your password. If the exchange is not "what is your password?" but "what is the third password on your list?" interception does the bad actor no good if the next exchange is :what is the sixth word on your list?"

There are in fact more secure ways to do even this, but the basic idea is that someone can reveal things about one's password to prove she knows it, without revealing the actual password. If you like, given a password P and a challenge C, there is a function f(C,P) the produced the response R If someone knows P, they can always provide the correct R for any given C, and if the system is designed well, this provides no help in determining the correct R for a different C.

I'll go for qwertyqwerty.

It isn't the password manager's fault if someone picks a lousy password. You can't fix stupid.

 

[fluidistic]

If you have an un-secure channel and an eavesdropper catches the password exchange, now he has your password. If the exchange is not "what is your password?" but "what is the third password on your list?" interception does the bad actor no good if the next exchange is :what is the sixth word on your list?"

There is no password exchange when communicating with a cold wallet. The device gets some transaction to sign (coming from the internet computer machine), it signs it if you physically approve it, and sends the signed file back to the computer. The private key is generated on the cold wallet hardware and is never transmitted to the internet computer.
If you take a screenshot of your seedphrase however, or store it on an internet connected computer....

There are in fact more secure ways to do even this, but the basic idea is that someone can reveal things about one's password to prove she knows it, without revealing the actual password.

This is a zero knowledge proof, right? I have many questions related to this, I constantly think about posting them on PF.

If you like, given a password P and a challenge C, there is a function f(C,P) the produced the response R If someone knows P, they can always provide the correct R for any given C, and if the system is designed well, this provides no help in determining the correct R for a different C.It isn't the password manager's fault if someone picks a lousy password. You can't fix stupid.

Yep. I was just kidding.

 

[Vanadium 50]

Yes, I was talking about so-called zero-knowledge proofs.

Fundamentally, the problem is that we have two ways to establish identity: something you have, and something you know. "Something you have" can be lost, stolen, or forged. "Something you know" can be forgotten or revealed. In that environment, one cannot build a perfect system: one that always lets authorized people in and never lets unauthorized people in.

Password managers are not perfect, but for the vast majority of people they are better than not using them.

 

[fluidistic]

Yes, I was talking about so-called zero-knowledge proofs.

Fundamentally, the problem is that we have two ways to establish identity: something you have, and something you know. "Something you have" can be lost, stolen, or forged. "Something you know" can be forgotten or revealed. In that environment, one cannot build a perfect system: one that always lets authorized people in and never lets unauthorized people in.

Password managers are not perfect, but for the vast majority of people they are better than not using them.

My understanding is that you can establish a system that involves both something you have and something you know, at the same time. Either of them isn't sufficient to "unlock" your secret treasure. The something you have might be that 12 or 24 words list that is used (partly) to retrieve your private key. You can have it at different physical places to avoid any fire, nuke and accidents. If someone finds it, they won't be able to retrieve your funds, even though they are 1 step closer to do so, they are still too far. It can also be stored in a "cold wallet". If you use it that way, I see no obvious weakness nor threat of losing it.
Then there is the something you know, the only thing that you should really know. Not your birthday nor your name, but your password to decrypt your password's manager's vault. I assume some people might keep a copy on a physical object in case they have a terrible accident and want their families to retrieve their funds. In that vault there should be a passphrase that must be used in conjunction with your 12 words list in order to access your treasure. Overall the scheme is not perfect, but not bad, IMO.

Agreed for your last sentence.

 

[Vanadium 50]

Having one thing and knowing one thing is not inherently better or worse than knowing two things or having two things.

You can still lose or forget things. Many "security experts" are so worried about a bad actor coming in and depriving you of your stuff that they do not think about the risk of losing or forgetting the key, which also deprives you of use of your stuff.

The two solutions for this would be a "master key" which unlocks everything, which now has the risk that the master key can be stolen, and am authentication system that requires M out of N keys. As mention earlier, bank transactions sort of do this already.

 

[Vanadium 50]

Well, I am likely to switch from LastPass.

It's too secure. It's locked me out of my account several times. The issue is that it seems to be very fussy about using a YubiKey. You need to give your master password, wait for the YubiKey prompt, tell it not to use the YubiKey (!) but to use a different MFA, then remove and replace the YubiKey, and then enter the PIN and touch the YubiKey. You have five shots to get this right, and in the right order.

My LastPass support ticket has been in the works for a week. I don't think they even understand the symptoms yet. There is a one-day turnaround, and every day they want a screenshot or description of something that has already been described. There is no "try this" from them at this time.

Unless there is a fast turnaround, I think I'll be switching.

 

[Tom.G]

I'm wondering if the popularity of Password Security Software is based on angst, personal insecurity, corporate decrees, or actual need... as perhaps national security reasons.

A FIrewall/Virus Scanner/Sandbox approach is quite protective... and A LOT less intrusive!

 

[Vanadium 50]

A FIrewall/Virus Scanner/Sandbox approach is quite protective... and A LOT less intrusive!

Huh?

They do different things.

I don't want to use the same password for an online store as my bank. If the store has a security leak, I don't want to give the crooks access to my bank account too. Further, I want to use more secure passwords. Qwerty is a bad passsword. B4y%mnyHCgrcUAWH is better. Well, at least it used to be before this post. A password manager makes it easy to use stronger passwords.

 

[Vanadium 50]

Update: LastPass asked me if I wanted to give up troubleshooting. They haven't yet said "Try X and let us know what happens". (Other than "reinstall everything and see if it helps" which I did before I contacted them.

 

[Tom.G]

Huh?

They do different things.

I don't want to use the same password for an online store as my bank. If the store has a security leak, I don't want to give the crooks access to my bank account too. Further, I want to use more secure passwords. Qwerty is a bad passsword. B4y%mnyHCgrcUAWH is better. Well, at least it used to be before this post. A password manager makes it easy to use stronger passwords.

Ahh, OK.

I interpreted your use of passwords as when you operate locally, as booting or running specific software. I agree passwords are useful and necessary when interacting with various sites that have personal information.

Sorry for the confusion.

Cheers,
Tom

 

[Vanadium 50]

They haven't yet said "Try X and let us know what happens"

Well, they just did. They said to shut all the MFA off except for YubiKey and see what happens. What happens is exactly what you expect - I was locked out.

1Password? BitWarden?

 

[Vanadium 50]

LastPass tech suppoty tried to blame YubiKey, but YubiKey tests all pass. They are back to "disable MFA"...days pass.." enable MFA"....days pass. It's really hard to conclude that anyone there has a clue.

Any suggested alternatives?

 

[Tom.G]

Any suggested alternatives?

Don't do anything on-line that is sensitive enough to require a password!

(I know, not real practical/convenient for many folks.)

 

[Vanadium 50]

Yeah, that's not really practical.