The best and most secure password manager

Thread starter: EngWiPy

Summary: Using a password manager can enhance security by allowing users to create and store strong, unique passwords without needing to remember them. Popular options include LastPass and 1Password, both of which offer features like auto-generation of passwords and secure storage across devices. While some users express concerns about the security of cloud storage, encrypted password managers are generally considered safer than browser storage, which can be vulnerable. Writing down passwords on paper is another method some prefer, though it carries its own risks. Ultimately, choosing a password manager involves balancing convenience with security needs.
  • #91
I feel better and better about my hardcopy notebook. :smile:
 
  • #92
harborsparrow said:
This tells me off the bat that they are using the cloud, which frankly I find horrifying.
Oh no, a cloud-based password manager is using the cloud: why weren't we told? Good job we are safe on forums like PhysicsForums, no cloud-based nonsense here. Connecting computers together and storing stuff on them is all very well, but it would be stupid to allow anyone to access any of it.

Oh wait.
 
  • #93
phyzguy said:
I feel better and better about my hardcopy notebook. :smile:
You mean the one in your desk drawer where you probably didn't write out the whole pw anyway? Like this?

[image attachment]


So you're in Uzbekistan or Panama and want my passwords? You might have to come here and break into my house. Sure, the NSA can get in, but it isn't as easy as it looks. You may find it easier to work on getting a whole boatload of passwords at once. You know, like, from the cloud.

BTW, go ahead and guess. Sell it in Russia. I don't care. That device is history. I'll buy disk drives from WD, but I'm not really on speaking terms with their other business units.
 
  • #94
DaveE said:
You mean the one in your desk drawer where you probably didn't write out the whole pw anyway? Like this?
Exactly! That's exactly what I do. Even if someone somehow got the notebook (unlikely), they would still need to decipher the missing characters that I don't write down.
 
  • #95
vela said:
Perhaps it's unfair of me, but it doesn't inspire confidence in the security of their code.
Apparently, my lack of confidence wasn't misplaced.

Jeremi Gosney summarizing the situation with LastPass

It looks like LastPass can definitely be crossed off the candidate list of the best and most secure password managers.
 
  • #96
vela said:
It looks like LastPass can definitely be crossed off the candidate list of the best and most secure password managers.
Ouch. I've been a satisfied LastPass customer for several years. But after reading that blog post, I'm going to switch.
 
  • #97
vela said:
Apparently, my lack of confidence wasn't misplaced.

Jeremi Gosney summarizing the situation with LastPass

It looks like LastPass can definitely be crossed off the candidate list of the best and most secure password managers.
Very well. I have been using Bitwarden for quite some time, after LastPass limited free users to either the PC or the phone. I bought the paid version of Bitwarden last month, and the primary reason was that it was OSS, and then it was far cheaper compared to others.

Even then, I didn't delete my LastPass account. I read the article you linked in #88, and decided it was time to delete my account. After reading the article you linked, it seems I took the right decision. Now it also seems that I should change my passwords as well, which is frustrating.
 
  • #98
Don't forget that your most sensitive accounts (banks, investments, email, ...) should be protected with multi-factor authorization. If they are, a hacker who cracks your password still can't get in, and you may get notified if he tries.
 
  • #99
vela said:
It looks like LastPass can definitely be crossed off the candidate list of the best and most secure password managers.
Why?

I am annoyed with them too (and there are unquestionably things it does poorly), but not for this breach.
  • Password Managers will always be targets. Popular password managers will always be big targets.
  • Passwords are not compromised. Worst case, billing information was stolen. Just like at Target. And Facebook. And Yahoo. And LinkedIn. And Marriott.
  • There is some evidence that this was partly an "inside job". That will always be hard to protect against. If the US Department of Defense can't, why should we expect anyone else to?
Password Managers might make you 10x or 50x as secure. It's in my view a mistake to avoid them because 10 is not infinity.
 
  • #100
Vanadium 50 said:
Password Managers might make you 10x or 50x as secure. It's in my view a mistake to avoid them because 10 is not infinity.
I'm not suggesting avoiding password managers in general, just LastPass as the company has repeatedly made poor choices. Use a password manager from a company or project that takes security seriously.
 
  • #101
Regarding LastPass, it looks like malicious actors got access to a database containing unencrypted info (company names, end user names, billing addresses, telephone numbers, email addresses, IP addresses which customers used to access LastPass, website URLs from the password vault), as well as the entire encrypted vault of people, meaning that if they could crack the master password, they would gain access to the personal info of people. And this is what happened to several people, some of whom actually stored their Bitcoin information (as a general rule, one should never, ever, put this info on a computer connected to the Internet...).
There's a dude who lost several Bitcoin suing Lastpass for this.
https://news.bitcoin.com/lastpass-d...y-hack-may-be-worse-than-they-are-letting-on/

https://grahamcluley.com/lostpass-after-the-lastpass-hack-heres-what-you-need-to-know/
 
  • #102
I think it's worth backing up a step and asking what problem a password manager is trying to solve. I see two:
  1. Using the same password in many places (like having your car keys open your house)
  2. Lousy passwords like 'qwerty'.
They are not trying to:
  1. Keep your computers safe from attacks by major world governments
  2. Keep your credit card and similar information secure once the vendor has it.
Would it be nice if these happened too? Sure. But it's not reasonable to expect a PWM to do these things, and it sure does not make any sense not to use one because it is only 99.9999% effective.

It is absolutely true that a bad actor can steal your laptop, remove the hard disk, find the erased swap file, potentially remove it, and knowing something about the PWMs data structures, recover one or more of the individual passwords. It is also true that some PWMs make this easier than others. So what? If they can do this, they can also get into your Quicken data and collection of cat videos. That's hardly the PWM's problem.

Can the PWM company lose their customer data? Sure. Every company can, many have, and those that haven't just haven't yet. Many, likely most of these, have had an "inside man", so it's only a matter of time. That's certainly a problem, but it's not the PWM's problem. Maybe it's PWM Corp's problem, but so long as they don't keep your master password (I don't believe any of the major PWMs do) it's not a PWM problem.

So use a PWM so you can use OOgs1h6&LgXkDlrC5zzUxiZ instead of qwerty. Don't sweat the details.

Can the CIA still break into your laptop? Probably. But don't sweat it; you aren't that important.
 
  • #103
Vanadium 50 said:
They are not trying to:
  1. Keep yout computers safe from attacks by major world governments
  2. Keep your credit card and similar information secure once the vendor has it.
Many online shopping carts don't actually store your credit card details to help them defeat hackers - the average website is not as secure as your bank's system. They transfer you to a much more secure credit card processing company which complies with all the local laws on security and that's where you enter the card details. These are companies that work world wide with the big credit card suppliers and are trusted because their security gets checked regularly, and they can afford to invest money in keeping it secure.
I know this because I had to find out how a cart that didn't store your card details was having its customers' card details stolen. Just THREE lines of extra code were added by a hacker! And they were three very simple lines of code. It took me seconds to realise what it did, although it took ages to find. The shop in question now pays to use one of these card processing specialists and the company that they use to keep themselves secure.

But I do agree with the rest of Vanadium 50's comments in that post.

PS I think you might be more at risk of a vendor storing your card details if they are a BIG company, as they tend to think their systems are better than those of a small shop making only 10 to 50 online sales a week.

PPS A friend worked on creating one of the first online banking systems. When it was finished, they were challenged to move a real £1,000,000 from one account to another, both accounts being set up and checked by the directors. Embarrassingly, they succeeded! (They were surrounded by security guards from several different companies to avoid collusion with a dishonest individual.) This delayed the launch of the system by a couple of months...
 
  • #104
Vanadium 50 said:
I think it's worth backing up a step and asking what problem a password manager is trying to solve.
I mostly agree with this, however when LastPass refers to something as my "vault" I did expect that it would be encrypted. The fact that the web sites I use, my email addresses as well as other personal information in notes was stored in plain text and may now be easily available to bad actors is unforgivable.

It is IMHO unfortunate that the appallingly bad technical decisions taken by LastPass were not better publicised: I believe that a significant factor in this is the "Chicken Licken" reaction of the press (and posters on this website who should know better) to the concept of a password manager distracting attention from weaknesses in LastPass's specific implementation.
 
  • #105
DrJohn said:
PS I think you might be more at risk of a vendor storing your card details if they are a BIG company, as they tend to think their systems are better than those of a small shop making only 10 to 50 online sales a week.
You certainly are, although it's not about how good they think they are, it's about compliance with the PCI standards.

In practice for most online merchants in first world countries the cost of payment gateways such as Stripe is now less than the cost of a merchant account so there is no benefit to be gained by setting up a PCI compliant system so that you can process payments yourself.
 
  • #106
fluidistic said:
the entire encrypted vault of people, meaning that if they could crack the master password, they would gain access to the personal info of people.
According to Gosney, much of the vault was unencrypted, so there is no need to crack the master password to access a lot of the information. This revelation is the one I found most surprising. Like others, I assumed the entire vault would be encrypted since that would have been the obvious design choice when storing a vault in the cloud.

Vanadium 50 said:
Can the PWM company lose their customer data. Sure. Every company can, many have, and those that haven't just haven't yet. Many, likely most of these, have had an "inside man", so it's only a matter of time. That's certainly a problem, but it's not the PWM's problem. Maybe it's PWM Corps's problem, but so long as they don't keep your master password (I don't believe any of the major PWMs do) it's not a PWM problem.
The assumption should be that a breach will happen allowing crackers to get a copy of the vault, and the goal should be to design the software so it is still prohibitively difficult for the crackers to access any information inside the vault. LastPass, the password manager, clearly doesn't meet this criterion. That's a problem with the LastPass software.
 
  • #107
vela said:
According to Gosney, much of the vault was unencrypted, so there is no need to crack the master password to access a lot of the information. This revelation is the one I found most surprising. Like others, I assumed the entire vault would be encrypted since that would have been the obvious design choice when storing a vault in the cloud.
This. And they are making it worse by not being transparent about what is and what is not encrypted in the so-called "vault", still only saying "stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data".

Fortunately there is better information available from an unconnected party: https://github.com/cfbao/lastpass-vault-parser/wiki/LastPass-Vault-Format

So it seems that the exposure may be less serious than it sounds, however the lack of transparency is completely unacceptable.
 
  • #108
One problem with the situation as it stands today is that it has evolved over time. Each release builds on the old, and decisions that may have been sensible once upon a time are not so good now. I'd feel a lot better for any password manager if annually there was a complete code refresh, breaking backward compatibility, along with a single button "change every password on every site". Without that, it's just going to be whack-a-mole.

I think the "vault is unencrypted" story is not really coming at it from the right direction. This isn't a security issue, it's a privacy issue. As I understand it, my credentials for porn-u-copia (I just made that up, but I like the name) are secure, but the fact that I have an account there at all is not. But that ship has sailed - I am sure this is in Google's file on each of us.

However, none of this is a reason to think that using "qwerty" everywhere is a better alternative.
 
  • #109
As an IT pro I use KeePass. It's a downloadable program which creates a password vault as a local file which is encrypted with a master password. It's an offline program, no synchronising with the web; all your data stays local to that file, which you can back up and copy to another computer just like any other file.
 
  • #110
MikeeMiracle said:
It's an offline program
That would be an issue for many people. I, for instance, would like my passwords accessible from any device and from anywhere. Updating at one place should show the updated version everywhere without me taking the hassle to copy again.
 
  • #111
I'm not sure a purely local solution is ideal. I need passwords on my Windows systems, my Linux systems and in some cases my phone. Having strong passwords for some accounts and 'qwerty' for the rest is not a good idea.

I think of computer security as a resistor network. Increasing it always helps, but once most of the current is diverted to another branch, increasing it further helps only a little. I also view it like a steering wheel immobilizer on your car - if it convinces the bad actor to overlook me and bother someone else, it's done its job.
 
  • #112
Vanadium 50 said:
I'm not sure a purely local solution is ideal. I need passwords on my Windows systems, my Linux systems and in some cases my phone. Having strong passwords for some accounts and 'qwerty' for the rest is not a good idea.

I think of computer security as a resistor network. Increasing it always helps, but once most of the current is diverted to another branch, increasing it further helps only a little. I also view it like a steering wheel immobilizer on your car - if it convinces the bad actor to overlook me and bother someone else, it's done its job.
Then you could place the encrypted vault in dropbox or google drive, or something similar. This way, you recreate a LastPass-like password manager, except that it is more secure (lmao), and even if bad actors get their hands on your vault, you know they won't get any information from it.
 
  • #113
fluidistic said:
Then you could place the encrypted vault in dropbox
This opens up another line of attack - steal the encrypted file and then attempt to decrypt it at your leisure.

Additionally, while I have privacy concerns about how LastPass does things: if I try a brute-force decryption and get gobbledygook, I don't know if this is password gobbledygook or non-password gobbledygook. (I can try it, but that takes time and alerts people that an attack is in progress.) But if I try a password and it gives me Quicken, Amazon, Chase and Porn-U-Copia (nobody else likes this name? Really?) I am pretty sure I have unlocked the vault.

So while I don't like the design choice they made, it's unfair to say there is no reason to do it this way.
 
  • #114
Vanadium 50 said:
This opens up another line of attack - steal the encrypted file and then attempt to decrypt it at your leisure.
Then I missed your point. How do you do a synchronization between your Linux and Windows password vaults, if it isn't local? Do you have something in mind like a self hosted Bitwarden software, or something else?
I still think using google drive or dropbox is safer than LastPass, even though, as you say, you better have a strong master password because you can assume a malicious actor will get his hands on your encrypted vault.
Vanadium 50 said:
Additionally, while I have privacy concerns about how LastPass does things: if I try a brute-force decryption and get gobbledygook, I don't know if this is password gobbledygook or non-password gobbledygook. (I can try it, but that takes time and alerts people that an attack is in progress.) But if I try a password and it gives me Quicken, Amazon, Chase and Porn-U-Copia (nobody else likes this name? Really?) I am pretty sure I have unlocked the vault.

So while I don't like the design choice they made, it's unfair to say there is no reason to do it this way.
 
  • #115
Vanadium 50 said:
I think the "vault is unencrypted" story is not really coming at it from the right direction. This isn't a security issue, it's a privacy issue.
It's not an either-or. It's both a security issue and a privacy issue.
 
  • #116
I haven't used Enpass, but I'm hearing positive things about it. You can use it locally or share your vault between devices using the cloud storage of your choice.

https://www.enpass.io/
 
  • #117
Wrichik Basu said:
That would be an issue for many people. I, for instance, would like my passwords accessible from any device and from anywhere. Updating at one place should show the updated version everywhere without me taking the hassle to copy again.

That comes down to how security conscious you are and how much you can trust online sources. I had a similar debate about password managers previously on this forum and introduced the concept of zero-knowledge policies, and was assured that LastPass employed this policy and that a local solution was not required. It would seem whoever made that assertion was incorrect. I am not blaming them for being wrong; they fell for the marketing of LastPass, which turned out to be incorrect, and that is why I avoid any "big names" when it comes to storing things online.
 
  • #118
MikeeMiracle said:
That come's down to how security conscious you are and how much you can trust online sources.
An alternative is to use open-source password managers like Bitwarden. LastPass is closed-source, so no one can confidently know what it is doing, but for open-source software, there is the advantage that security researchers are able to audit the code and find deficiencies.
 
  • #119
MikeeMiracle said:
That come's down to how security conscious you are and how much you can trust online sources.
My impression of many "experts" is that they tend to overestimate the risk of sharing a vault over the cloud. So they'll tell you in one breath how to generate a strong password that will take billions of years of computing power on average to crack, and in another breath, imply that if a cracker gets that encrypted info, they'll break it in a matter of minutes.

Obviously, the right choice depends on your particular situation. If I had to protect the secret formula for Coca Cola, I wouldn't want to risk having it accessible online, but if I'm just trying to keep @Vanadium 50's credentials to porn-u-copia secret, having a vault online is a minuscule risk I'm willing to take for the great increase in convenience overall.

MikeeMiracle said:
I had a similar debate about password manager previously on this forum and introduced the concept of zero knowledge policies and was assured that LastPass employed this policy and that a local solution was not required. It would seem whoever made that assertion was incorrect. I am not blaming them for being wrong, they fell for the marketing of LastPass which turned out to be incorrect and why I avoid any "big names" when it comes to storing things online.
LastPass did employ this policy for the encrypted information, what they call "sensitive data." The marketing wasn't incorrect in that sense, but it was misleading as most users reasonably assumed that meant all of their data was encrypted.
 
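The three points argued in #106, #113 and #119 (a stolen vault must stay unreadable, a key-check lets a cracker know the instant a guess is right, and "billions of years" versus "minutes" is mostly a question of how expensive each guess is) are easiest to see against a toy vault. The following is an added example written for this thread, not code from LastPass, Bitwarden or any other product. It assumes a file layout like the one described in #107 (plaintext URLs next to encrypted credentials), PBKDF2-HMAC-SHA256 for stretching the master password, and a keyed tag per entry; the two iteration counts are illustrative (600,000 is the OWASP recommendation for PBKDF2-HMAC-SHA256; 5,000 is just a weak setting), the sample entries are constructed, and the cipher is a toy HMAC keystream so it runs on the standard library alone.

```python
"""Toy cloud-vault model: what a thief gets from a stolen vault file.

Added example, not code from this thread or from any real password manager.
Assumptions: per-entry URLs stored in plaintext beside encrypted credentials;
master password stretched with PBKDF2-HMAC-SHA256 and a random salt; a keyed
tag per entry lets the key holder confirm the key. Iteration counts are
illustrative. The HMAC keystream cipher is a stand-in for AES-GCM so the file
runs on the standard library alone; never use it for real secrets."""
import hashlib
import hmac
import json
import os
import struct

WEAK_ITERATIONS = 5_000        # illustrative weak KDF setting (assumption)
STRONG_ITERATIONS = 600_000    # OWASP-recommended PBKDF2-HMAC-SHA256 count

# Constructed sample data, not anyone's real credentials.
SAMPLE_ENTRIES = [
    {"url": "https://bank.example", "username": "alice", "password": "OOgs1h6&LgXkDlrC5zzUxiZ"},
    {"url": "https://porn-u-copia.example", "username": "alice", "password": "Xk9#mQ2vL"},
]


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password; every guess an attacker makes costs this much."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: successive HMAC(key, nonce || counter) blocks.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def make_vault(master_password: str, entries, iterations: int = STRONG_ITERATIONS) -> dict:
    """Build the vault file as it would sit on the provider's servers."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    stored = []
    for e in entries:
        nonce = os.urandom(12)
        secret = json.dumps({"username": e["username"], "password": e["password"]}).encode()
        ct = _xor(secret, _keystream(key, nonce, len(secret)))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # confirms the key, see crack()
        stored.append({"url": e["url"], "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()})
    return {"salt": salt.hex(), "iterations": iterations, "entries": stored}


def leak_without_cracking(vault: dict) -> list:
    """What the thief reads with no master password at all: the site list."""
    return [e["url"] for e in vault["entries"]]


def open_entry(key: bytes, entry: dict):
    """Decrypt one entry; None if the key is wrong (tag mismatch)."""
    nonce, ct, tag = (bytes.fromhex(entry[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(_xor(ct, _keystream(key, nonce, len(ct))))


def crack(vault: dict, candidates) -> tuple:
    """Offline guessing against a stolen vault. Returns (password or None, kdf_work),
    where kdf_work = guesses tried * iterations per guess, the attacker's real cost.
    The tag tells the attacker immediately when a guess is right; without one they
    would have to judge each decryption for plausible plaintext instead."""
    salt = bytes.fromhex(vault["salt"])
    iterations = vault["iterations"]
    probe = vault["entries"][0]
    tried = 0
    for guess in candidates:
        tried += 1
        if open_entry(derive_key(guess, salt, iterations), probe) is not None:
            return guess, tried * iterations
    return None, tried * iterations


if __name__ == "__main__":
    wordlist = ["qwerty", "password", "correct horse battery staple"]
    for iters in (WEAK_ITERATIONS, STRONG_ITERATIONS):
        vault = make_vault("correct horse battery staple", SAMPLE_ENTRIES, iters)
        print("leaked without cracking:", leak_without_cracking(vault))
        found, work = crack(vault, wordlist)
        print(f"iterations={iters}: found {found!r} after {work:,} PBKDF2 iterations")
```

Two things to notice. `leak_without_cracking` needs no key at all, which is the privacy leak discussed in #107 and #108. And `crack` finds the same password either way; what changes between the two vaults is only the cost per guess, which is why a salted, heavily iterated KDF and a long random master password are what make the "billions of years" figure honest, and why a low iteration count or a dictionary-word master password turns it into minutes, no matter where the file is stored.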
  • #120
Wrichik Basu said:
An alternative is to use open-source password managers like Bitwarden. LastPass is closed-source, so no one can confidently know what it is doing, but for open-source software, there is the advantage that security researchers are able to audit the code and find deficiencies.
I don't see it as a real advantage because practically speaking, no one ever comprehensively audits the project's code voluntarily because it's a lot of work and requires expertise. Companies and projects can, however, hire security experts to audit their code.
 
