The best and most secure password manager

[vela]

the entire encrypted vault of people, meaning that if they could crack the master password, they would gain access to the personal info of people.

According to Gosney, much of the vault was unencrypted, so there is no need to crack the master password to access a lot of the information. This revelation is the one I found most surprising. Like others, I assumed the entire vault would be encrypted since that would have been the obvious design choice when storing a vault in the cloud.

Can the PWM company lose their customer data. Sure. Every company can, many have, and those that haven't just haven't yet. Many, likely most of these, have had an "inside man", so it's only a matter of time. That's certainly a problem, but it's not the PWM's problem. Maybe it's PWM Corps's problem, but so long as they don't keep your master password (I don't believe any of the major PWMs do) it's not a PWM problem.

The assumption should be that a breach will happen allowing crackers to get a copy of the vault, and the goal should be to design the software so it is still prohibitively difficult for the crackers to access any information inside the vault. LastPass, the password manager, clearly doesn't meet this criterion. That's a problem with the LastPass software.

 

[pbuk]

According to Gosney, much of the vault was unencrypted, so there is no need to crack the master password to access a lot of the information. This revelation is the one I found most surprising. Like others, I assumed the entire vault would be encrypted since that would have been the obvious design choice when storing a vault in the cloud.

This. And they are making it worse by not being transparent about what is and what is not encrypted in the so-called "vault", still only saying "stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data".

Fortunately there is better information available from an unconnected party: https://github.com/cfbao/lastpass-vault-parser/wiki/LastPass-Vault-Format

So it seems that the exposure may be less serious than it sounds, however the lack of transparency is completely unacceptable.

 

[Vanadium 50]

One problem with the situation as it stands today is that it has evolved over time. Each release builds on the old, and decisions that may have been sensible once upon a time are not so good now. I'd feel a lot better for any password manager if annually there was a complete code refresh, breaking backward compatibility, along with a single button "change every password on every site". Without that, it's just going to be whack-a-mole.

I think the "vault is unencrypted" story is not really coming at it from the right direction. This isn't a security issue, it's a privacy issue. As I understand it, my credentials for porn-u-copia (I just made that up, but I like the name) are secure, but the fact that I have an account there at all is not. But that ship has sailed - I am sure this is in Google's file on each of us.

However, none of this is a reason to think that using "qwerty" everywhere is a better alternative.

 

[MikeeMiracle]

As an IT pro I use KeyPass, it's a downloadable program which creates a password vault as a local file which is encrypted with a master password. It's an offline program, no synchronising with the web, all your data stays local to that file which you can backup and copy to another computer just like any other file.

 

[Wrichik Basu]

It's an offline program

That would be an issue for many people. I, for instance, would like my passwords accessible from any device and from anywhere. Updating at one place should show the updated version everywhere without me taking the hassle to copy again.

 

[Vanadium 50]

I'm not sure a purely local solution is ideal. I need passwords on my Windows systems, my Linux systems and in some cases my phone. Having strong passwords for some accounts and 'qwerty' for the rest is not a good idea.

I think of computer security as a resistor network. Increasing it always helps, but once most of the current is diverted to another branch, increasing it further helps only a little. I also view it like a steering wheel immobilizer on your car - if it convinces the bad actor to overlook me and bother someone else, it's done its job.

 

[fluidistic]

I'm not sure a purely local solution is ideal. I need passwords on my Windows systems, my Linux systems and in some cases my phone. Having strong passwords for some accounts and 'qwerty' for the rest is not a good idea.

I think of computer security as a resistor network. Increasing it always helps, but once most of the current is diverted to another branch, increasing it further helps only a little. I also view it like a steering wheel immobilizer on your car - if it convinces the bad actor to overlook me and bother someone else, it's done its job.

Then you could place the encrypted vault in dropbox or google drive, or something similar. This way, you recreate a LastPass-like password manager, except that it is more secure (lmao), and even if bad actors get their hands on your vault, you know they won't get any information from it.

 

[Vanadium 50]

Then you could place the encrypted vault in dropbox

This opens up another line of attack - steal the encrypted file and then attempt to decrypt it at your leisure.

Additionally, while I have privacy concerns about how LastPass does things. If I ret a brute force decryption and get gobledygook, I don't know if this is password gobledygoo or non-password gobledygoo. (I can try it, but that takes times and alerts people that an attack is in progress). But if I try a password and it gives me Quicken, Amazon, Chase and Porn-U-Copia (nobody else likes this name? Really?) I am pretty sure I have unlocked the vault.

So whil;e I don't like the design choice they made, its unfair to say there is no reason to do it this wau.

 

[fluidistic]

This opens up another line of attack - steal the encrypted file and then attempt to decrypt it at your leisure.

Then I missed your point. How do you do a synchronization between your Linux and Windows password vaults, if it isn't local? Do you have something in mind like a self hosted Bitwarden software, or something else?
I still think using google drive or dropbox is safer than LastPass, even though, as you say, you better have a strong master password because you can assume a malicious actor will get his hands on your encrypted vault.

Additionally, while I have privacy concerns about how LastPass does things. If I ret a brute force decryption and get gobledygook, I don't know if this is password gobledygoo or non-password gobledygoo. (I can try it, but that takes times and alerts people that an attack is in progress). But if I try a password and it gives me Quicken, Amazon, Chase and Porn-U-Copia (nobody else likes this name? Really?) I am pretty sure I have unlocked the vault.

So whil;e I don't like the design choice they made, its unfair to say there is no reason to do it this wau.

 

[vela]

I think the "vault is unencrypted" story is not really coming at it from the right direction. This isn't a security issue, it's a privacy issue.

It's not an either-or. It's both a security issue and a privacy issue.

 

[vela]

I haven't used Enpass, but I'm hearing positive things about it. You can use it locally or share your vault between devices using the cloud storage of your choice.

https://www.enpass.io/

 

[MikeeMiracle]

That would be an issue for many people. I, for instance, would like my passwords accessible from any device and from anywhere. Updating at one place should show the updated version everywhere without me taking the hassle to copy again.

That come's down to how security conscious you are and how much you can trust online sources. I had a similar debate about password manager previously on this forum and introduced the concept of zero knowledge policies and was assured that LastPass employed this policy and that a local solution was not required. It would seem whoever made that assertion was incorrect. I am not blaming them for being wrong, they fell for the marketing of LastPass which turned out to be incorrect and why I avoid any "big names" when it comes to storing things online.

 

[Wrichik Basu]

That come's down to how security conscious you are and how much you can trust online sources.

An alternative is to use open-source password managers like Bitwarden. LastPass is closed-source, so no one can confidently know what it is doing, but for open-source software, there is the advantage that security researchers are able to audit the code and find deficiencies.

 

[vela]

That come's down to how security conscious you are and how much you can trust online sources.

My impression of many "experts" is that they tend to overestimate the risk of sharing a vault over the cloud. So they'll tell you in one breath how to generate a strong password that will take billions of years of computing power on average to crack, and in another breath, imply that if a cracker gets that encrypted info, they'll break it in a matter of minutes.

Obviously, the right choice depends on your particular situation. If I had to protect the secret formula for Coca Cola, I wouldn't want to risk having it accessible online, but if I'm just trying to keep @Vanadium 50's credentials to porn-u-copia secret, having a vault online is a minuscule risk I'm willing to take for the great increase in convenience overall.

I had a similar debate about password manager previously on this forum and introduced the concept of zero knowledge policies and was assured that LastPass employed this policy and that a local solution was not required. It would seem whoever made that assertion was incorrect. I am not blaming them for being wrong, they fell for the marketing of LastPass which turned out to be incorrect and why I avoid any "big names" when it comes to storing things online.

LastPass did employ this policy for the encrypted information, what they call "sensitive data." The marketing wasn't incorrect in that sense, but it was misleading as most users reasonably assumed that meant all of their data was encrypted.

 

[vela]

An alternative is to use open-source password managers like Bitwarden. LastPass is closed-source, so no one can confidently know what it is doing, but for open-source software, there is the advantage that security researchers are able to audit the code and find deficiencies.

I don't see it as a real advantage because practically speaking, no one ever comprehensively audits the project's code voluntarily because it's a lot of work and requires expertise. Companies and projects can, however, hire security experts to audit their code.

 

[Ivan Seeking]

I have used the same password manager for over 20 years.

I have a word doc with my passwords and abbreviated names of the sites. So for starters, many people wouldn't even know the site the password applies to. For example, if I know BBB is Bed, Bath and Beyond, it is obvious to me but likely not to most hackers.

But the key is the password itself. I have an encryption process I have always used and it only exists in my head. I modify the existing password as I enter it. An example would be to take your saved password, ignore the 2nd, 4th, and 6th characters, and increment the first character by 2. So I can hand you my saved passwords and they would do you no good.

 

[anorlunda]

Am I correct saying that for accounts that make use of multifactor authorization, a compromised password still does not give bad guys account?

I have switched PW managers, now I'm trying to decide if it is necessary to change the passwords on my most critical accounts; all of which have multifactor authorization.

Even more bothersome would be to get new credit card numbers assuming that the old ones might be compromised. The news discusses the fact that login data was encrypted and URLs not encrypted. They don't mention CC numbers/expiration/security code info stored in Lastpass under the "Payment Card" feature.

 

[Vanadium 50]

Am I correct saying that for accounts that make use of multifactor authorization, a compromised password still does not give bad guys account?

Even with single factor, these compromises do not unlock your account. The central password manager database does not (at least for the good PWMs) know your master password.

Since they don't have it,. they can't lose it.

 

[anorlunda]

Even with single factor, these compromises do not unlock your account. The central password manager database does not (at least for the good PWMs) know your master password.

Since they don't have it,. they can't lose it.

Sorry, I should have repeated what was said earlier in this thread. The unencrypted URL info identifies the juicy targets for bad guys to try to crack your PW with conventional cracking methods. Cracking one, is 100x times faster than cracking 100.

Of course, if the bad guys see how poor I am, they won't target me anyhow. Millionaires and billionaires should be more worried. That is one of the very rare cases where leaks of my private information may benefit me. Poor people make bad targets.

 

[Wrichik Basu]

I came across a detailed article "decoding" the breach statement issued by LastPass on December 22 last year, written by a security analyst: https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/

As mentioned earlier in the thread, the vault of the users was breached, but the master password wasn't, since it's not stored. But, the hashed form of the password is stored. LastPass uses the PBKDF2 algorithm to store the hash of the master password. The number of iterations used in this algorithm for most accounts is 100k. This is far lower than the OWASP recommendation of 310k iterations at that time, but would still make getting the password by brute force difficult. Here's the caveat: LastPass originally used only 5k iterations, and later upgraded to 100k. But some accounts are still sitting with 5k iterations. Reportedly, a few accounts are configured with just 1 (one) iteration. These accounts are quite vulnerable, as their master passwords can be decoded from the hash by brute force without too much effort.

The metadata lost in unencrypted form contained the following:

company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service

Therefore, this is not only a privacy issue (as pointed out by many in this thread), but also makes the users a subject to pishing attacks. In addition, LastPass also stored the IP of the users (all devices from where the user was logged in) in plain text form. Thus, the attacker can now have better knowledge about the whereabouts of the users.

Most probably, LastPass has an option to change the number of iterations manually. The current OWASP recommendation is ≥ 600k, so if anyone here is (still) using LastPass, please make sure to increase the iterations in your vault.

---

I recently paid for a subscription for Bitwarden. I used the free version for some time, and thought it was decent. I had a free LastPass account for some time, and deleted my data from there after buying Bitwarden.

And then this surfaced: https://palant.info/2023/01/23/bitwarden-design-flaw-server-side-iterations/

In short, Bitwarden uses 200,001 iterations; 100,001 client-side and 100k server-side. But the server-side iterations actually are useless. Many users were enraged, and they posted threads like this and this, which were marked as "feature requests" by Bitwarden. Fortunately, Bitwarden, too, has an option to increase the number of client-side iterations. You need to go to the web vault → click on your account picture at the top right → Account Settings → Security (left panel) → Keys tab and increase the number of iterations.

 

[anorlunda]

As mentioned earlier in the thread, the vault of the users was breached, but the master password wasn't, since it's not stored.

The details can be dense. The master password was as you said, but the encrypted passwords of sites stored in the vault were also stolen. Those do not have the same protections as the master password.

Recent news said that the hacker also got the user's backups. I'm scratching my head at the significance of that.

I was a long time satisfied user of LastPass, but now I switched to a different one. I read that they lost 60% of their customers in December. My reason for switching was their poor transparency, not their security.

 

[Wrichik Basu]

the encrypted passwords of sites stored in the vault were also stolen. Those do not have the same protections as the master password.

The encrypted fields are encrypted with 256-bit AES algorithm that requires the user's master password to decode. LastPass's defence is, it doesn't store the master password. But if the hacker can brute force decode someone's master password due to the low number of iterations, all encrypted passwords will be lost. If the master password was weak, then the user is responsible and not LastPass, as they have a policy of a minimum 16-character master password. Notably, this rule was enforced later, and many accounts still have an 8-character password and were never notified to change it. LastPass's defence: how can they notify the user if they don't even know the master password?

Recent news said that the hacker also got the user's backups. I'm scratching my head at the significance of that.

The vaults lost were the backups. In the August 2022, the hacker got some code and technical data, which they used to target another employee, and then got the credentials of the 3rd party cloud storage where LastPass stores their data centre's backup copies.

Apparently, LastPass took a lot of time, and probably invested in highly paid attorneys, to write an email which tells the users that they shouldn't be held responsible for what happened.

 

[Vanadium 50]

The unencrypted URL info identifies the juicy targets for bad guys to try to crack your PW

Sorry, I missed this message too.

Yes, it does. But Google and their ilk also keep track of what I sites I visit. That ship has sailed. And it's not a good reason to use 'qwery' because password managers are insecure.

And I think I mentioned that there are security implications to encrypting the vault. If a trial key returns www.porn-u-copia.com, it is likely to be correct. If it returns 1&Ra6M0toCnEPNHi, how do you know?

hash

A hash? The horror! The horror!

First, one thing is very clear. Lots or people, here and elsewhere, do not believe in public key encryption. The central idea is that your opponent already knows the key and already knows the algorithm. Keepiing them secret may slow her down, but is not necessary for security.

Now, if your master password is lousy, it does not matter what has and has not been hacked. One merely logs on with 'qwerty' and that's that. So expecting a PWM to protect you against a bad password is unrealistic.

Now, onto the vault. There are two options. One is to return the vault to anyone who asks for it. The other is to require partial information to release the vault. Those are your choices. A has like an 8-bit checksum will require on average over 100 attempts to download the vault. Nine bits and it's a thousand, and so on.

The cost of this is that the security of the master password is decreased by the same number of bits, My master password has about 60 bits of entropy, so decreasing this to 52 is not good, but survivable. If you use one of the most 1000 commonly used passwords, this will reduce the entrop to 2 bits. Not good.

No PWM will protect you from a lousy master password.

Classical cryptography theory says 'don't do this'. Why might you want to? By not giving the vault to just anyone, you can slow an attacker down, and possibly identify the threat. So while such a design might be formally less secure, it may be more secure in practice.

There is a lot I don't like about the LastPass design, but I recognize that there are design choices to be made and these choices have their pros and cons. Critics getting the vapors because the chosen design has a downside strikes me as unserious.

Further, discouraging people from using a PWM and a good password because its not perfect does not help them if they go back to using qwerty everywhere,

 

[Vanadium 50]

LastPass announced some more details today. Three interesting facts:

1. One exploit was a company laptop,
2. One exploit was a cloud-based backup. (I don't know why this wasn't encrypted)
3. Information from the two exploits was combined (so probably a single actor).

 

[fluidistic]

A flaw in keepass allows one to retrieve the master password: https://nvd.nist.gov/vuln/detail/CVE-2023-32784. The fix will be available to the masses in July.

Thankfully it,doesn't affect keepassxc.

 

[Wrichik Basu]

A flaw in keepass allows one to retrieve the master password: https://nvd.nist.gov/vuln/detail/CVE-2023-32784. The fix will be available to the masses in July.

Thankfully it,doesn't affect keepassxc.

From the GitHub repo containing the proof-of-concept of the vulnerability:

What can you do​

First, update to KeePass 2.54 or higher once available. Second, if you've been using KeePass for a long time, your master password (and potentially other passwords) is likely in your pagefile/swapfile and hibernation file. Depending on your paranoia level, you can consider these steps to resolve the issue:

• Change your master password
• Delete hibernation file
• Delete pagefile/swapfile (can be quite annoying)
• Overwrite deleted data on the HDD to prevent carving (e.g. Cipher with /w on Windows)
• Restart your computer

Or just overwrite your HDD and do a fresh install of your OS.

 

[vela]

It looks like the consequences of the LastPass breach may be being felt by some.

https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/

 

[Vanadium 50]

Is this a statement about password manager security or of crypto-wallet security?

In real-world banking, a PIN plus a card (two factor right there) can get a few hundred dollars. A check and a signature up to about $10,000. Above $10,000 and it's a check, a signature, and at least a phone call. (Three factor) I have a bond ladder set up, and every week > $10,000 comes in and goes out, and every week my bank files a report on that with the feds.

But crypto? Guess the secret word and you have access to whatever is there.

 

[fluidistic]

Is this a statement about password manager security or of crypto-wallet security?

In real-world banking, a PIN plus a card (two factor right there) can get a few hundred dollars. A check and a signature up to about $10,000. Above $10,000 and it's a check, a signature, and at least a phone call. (Three factor) I have a bond ladder set up, and every week > $10,000 comes in and goes out, and every week my bank files a report on that with the feds.

But crypto? Guess the secret word and you have access to whatever is there.

Almost. There's something called BIP39 standard which was proposed back in 2013, a few years after Bitcoin was born, which consist in generating a private key (complex looking private key) from a series of generally either 12 or 24 words, taken out from a list of 2000 words. (see there for the interested: https://www.blockplate.com/pages/bip-39-wordlist).
Many crypto people use this standard to keep their funds safe. They tatoo the secret words on steel, or paper, etc. This is not very secure because if someone else sees their list of words, they have access to the funds.
However it is possible to use a passphrase on top of the list of words, consisting of a combination of any character or number in such a way that in order to retrieve your funds (your private key), you need both your list of words and your passphrase. You can then physically hide your list of words, and keep your passphrase in an encrypted password manager's vault. This way a hacker would have to hack you both physically and computationally to retrieve your funds. This is much more secure than using a list of words.
The advantage over banks is that you can transfer your funds whenever you want, quicker than with a bank. Not a big advantage you may say, fine enough. But it's not trivial that banking is safer than this method, to me, either.

 

[Vanadium 50]

I don't see this as fundamentally different than a password. 2000 words is 11 bits, and 12 of them is 132 bits. That's roughly a 20 or 21 character password - better than is typical, and much better than "abc123" or "qwerty".

Now, if you are asked "What is the third word on your list?" this reduces the protection down to 2 characters, but it also adds protection against interception. If someone finds out the 3rd word on your list is "gallon" it doesn't help them if next time they are asked the 6th word on the list.

However, I think people are learning that the risk in crypto is not your enemy, but your friend. The people who run the exchanges etc. are at least as likely to steal from you as an outside bad actor.

Back to the topic at hand, LastPas has just announced that they will require master passwords to be 12 characters. So protecting your zillion-charachter random string with "qwerty" is a thing of the past.

 

[fluidistic]

I don't see this as fundamentally different than a password. 2000 words is 11 bits, and 12 of them is 132 bits. That's roughly a 20 or 21 character password - better than is typical, and much better than "abc123" or "qwerty".

A physical ''cold wallet'' stores your list of 12 words, i.e. password (so can be hacked if stolen), which is bad security wise. The passphrase however isn't. And it needs not to be made of words. It has to be typed by the user, either on their dedicated hardware (safest way, since not linked to the Internet), or on a computer (riskier). I think this is pretty secure. But if one gets drunk or something like that, maybe it's possible to retrieve the funds without too much troubles.

Now, if you are asked "What is the third word on your list?" this reduces the protection down to 2 characters, but it also adds protection against interception. If someone finds out the 3rd word on your list is "gallon" it doesn't help them if next time they are asked the 6th word on the list.

I try to follow you, but this is over my head. Why would the knowledge of a word on a 12 words list reduce the protection to essentially 0? And what do you mean by interception?

However, I think people are learning that the risk in crypto is not your enemy, but your friend. The people who run the exchanges etc. are at least as likely to steal from you as an outside bad actor.

I agree. It also doesn't make sense to keep your cryptos in a centralized exchange if the goal is to own your own money (something banks fail at, too)

Back to the topic at hand, LastPas has just announced that they will require master passwords to be 12 characters. So protecting your zillion-charachter random string with "qwerty" is a thing of the past.

I'll go for qwertyqwerty.

 

[Vanadium 50]

If you have an un-secure channel and an eavesdropper catches the password exchange, now he has your password. If the exchange is not "what is your password?" but "what is the third password on your list?" interception does the bad actor no good if the next exchange is :what is the sixth word on your list?"

There are in fact more secure ways to do even this, but the basic idea is that someone can reveal things about one's password to prove she knows it, without revealing the actual password. If you like, given a password P and a challenge C, there is a function f(C,P) the produced the response R If someone knows P, they can always provide the correct R for any given C, and if the system is designed well, this provides no help in determining the correct R for a different C.

I'll go for qwertyqwerty.

It isn't the password manager's fault if someone picks a lousy password. You can't fix stupid.

 

[fluidistic]

If you have an un-secure channel and an eavesdropper catches the password exchange, now he has your password. If the exchange is not "what is your password?" but "what is the third password on your list?" interception does the bad actor no good if the next exchange is :what is the sixth word on your list?"

There is no password exchange when communicating with a cold wallet. The device gets some transaction to sign (coming from the internet computer machine), it signs it if you physically approve it, and sends the signed file back to the computer. The private key is generated on the cold wallet hardware and is never transmitted to the internet computer.
If you take a screenshot of your seedphrase however, or store it on an internet connected computer....

There are in fact more secure ways to do even this, but the basic idea is that someone can reveal things about one's password to prove she knows it, without revealing the actual password.

This is a zero knowledge proof, right? I have many questions related to this, I constantly think about posting them on PF.

If you like, given a password P and a challenge C, there is a function f(C,P) the produced the response R If someone knows P, they can always provide the correct R for any given C, and if the system is designed well, this provides no help in determining the correct R for a different C.It isn't the password manager's fault if someone picks a lousy password. You can't fix stupid.

Yep. I was just kidding.

 

[Vanadium 50]

Yes, I was talking about so-called zero-knowledge proofs.

Fundamentally, the problem is that we have two ways to establish identity: something you have, and something you know. "Something you have" can be lost, stolen, or forged. "Something you know" can be forgotten or revealed. In that environment, one cannot build a perfect system: one that always lets authorized people in and never lets unauthorized people in.

Password managers are not perfect, but for the vast majority of people they are better than not using them.

 

[fluidistic]

Yes, I was talking about so-called zero-knowledge proofs.

Fundamentally, the problem is that we have two ways to establish identity: something you have, and something you know. "Something you have" can be lost, stolen, or forged. "Something you know" can be forgotten or revealed. In that environment, one cannot build a perfect system: one that always lets authorized people in and never lets unauthorized people in.

Password managers are not perfect, but for the vast majority of people they are better than not using them.

My understanding is that you can establish a system that involves both something you have and something you know, at the same time. Either of them isn't sufficient to "unlock" your secret treasure. The something you have might be that 12 or 24 words list that is used (partly) to retrieve your private key. You can have it at different physical places to avoid any fire, nuke and accidents. If someone finds it, they won't be able to retrieve your funds, even though they are 1 step closer to do so, they are still too far. It can also be stored in a "cold wallet". If you use it that way, I see no obvious weakness nor threat of losing it.
Then there is the something you know, the only thing that you should really know. Not your birthday nor your name, but your password to decrypt your password's manager's vault. I assume some people might keep a copy on a physical object in case they have a terrible accident and want their families to retrieve their funds. In that vault there should be a passphrase that must be used in conjunction with your 12 words list in order to access your treasure. Overall the scheme is not perfect, but not bad, IMO.

Agreed for your last sentence.