LastPass: Security done wrong

palant.de

251 points by wallunit 9 years ago · 220 comments

dahart 9 years ago

It must be noted that the author of this article has a competing project, and in an article so deeply critical of LastPass, it seems like a disclaimer should be prominent. Wladimir does disclose this on the previous article: https://palant.de/2016/09/16/more-last-pass-security-vulnera...

As a fairly happy LastPass user, I would certainly like to know what ongoing threats there are here, and what the real-world likelihood is that I might be exposed to those threats. Would anyone care to summarize? The linked issues have been fixed, even in Firefox, and the claim that vulnerabilities still exist is unsourced.

*EDIT: disclaimer has been added! My comment is now out of date.

  • palant 9 years ago

    Thank you for the reminder, I added the disclaimer noting that I develop Easy Passwords.

    The claim that vulnerabilities still exist was unsourced six months ago - now you have proof that they do. It would be naive to assume that this was the last of them. As I explained several times already, the issue is a structural one. LastPass keeps the attack surface unnecessarily large and they are pretty bad at securing it.

    The recent vulnerability reported was particularly bad, launching an arbitrary external application is really as bad as it goes - this could have resulted in a malware infestation. But the typical threat is "merely" losing all your LastPass data to a random website you are visiting (or a hacked ad script running on it).

    How likely is it that bad guys will actually try to target LastPass? They seem to have at least 10 million users judging by AMO and Chrome Web Store numbers. I can clearly see that on some websites trying to exploit LastPass users can actually be lucrative. Whether it will happen to you personally, nobody can tell of course.

    • dahart 9 years ago

      Awesome, thank you!

      Re: unsourced vulnerabilities, only complaining about my own ability to know what that means, not questioning the validity. Yes, reports always start unsourced, necessarily.

  • bqe 9 years ago

    Here's a question you should ask yourself: do you want malicious webpages or malvertising to have direct API access to your password manager?

    This is the case with all password manager browser extensions. A desktop-based password manager without the browser extension does not have this risk vector. And, as we've seen with the dozens of extremely critical LastPass bugs, they're not even particularly good at securing said API. Other products may be less bug ridden, but they share the same risk vector.

    I use pass[1], and I recommend it if you can stand copying and pasting. It's really not much of an inconvenience for the dramatic increase in security you get.

    [1]: https://www.passwordstore.org/

    • cookiecaper 9 years ago

      Here's another question to ask: "Is everyone really going to open a separate application, unlock the vault every time they want to use it (due to timeout), Ctrl+F for the URL, and then Ctrl+C out the username and password every time they want to visit a site? Also, is everyone going to create a correlated entry every time they make a new account?"

      Good security is hard in practice because people are always going to default to the most convenient/simple way to accomplish their goal, and at this point, most of our security measures require someone to expend extra energy. That means it's going to be very hard to get people to do it.

      We have decades of experience with this just with regard to one layer of passwords. Adding an extra layer, like a password vault, is not going to make things better.

      While it is absolutely true that there is more risk involved in using a third-party extension to manage a password vault than not, the actual net effect is likely better security, because if you make things too hard, people are just going to say "Fuck those annoying nerds, we're going to make every password 123456", or whatever the next-simplest answer that the system will permit is.

      As for LastPass making mistakes, that's true, but the benefit you get by using a well-known product like LastPass is that Project Zero has hardened it. That's not the case for most other password vault extensions, especially those made as shims for external vaults like KeePass.

      • bqe 9 years ago

        > "Is everyone really going to open a separate application, unlock the vault every time they want to use it (due to timeout), Ctrl+F for the URL, and then Ctrl+C out the username and password every time they want to visit a site? Also, is everyone going to create a correlated entry every time they make a new account?"

        This is not how pass or KeePass work. I recommend you try them out and see if they're really that hard to use (hint: they're not).

        If you really like browser integration, I also sometimes recommend using the built-in Chrome or Firefox password managers with good master passwords. They're actually easier to use than LastPass and its insecure ilk.

        • cookiecaper 9 years ago

          I've used KeePass for years. Am I using it all wrong or what? That's how it works on my computer. Yes, you could install a browser extension that interfaces out to KeePass (and I've used those in the past too), but that doesn't give much, if any, security benefit over LastPass; you're still exposing the attack surface to the browser's environment.

          I do actually also use Chrome's built-in password manager so that I don't have to copy and paste as much.

          • tripzilch 9 years ago

            Check out the "perform autotype" feature in the right-click menu on an entry in KeePassX.

      • palant 9 years ago

        Point is: this can be done right. I develop Easy Passwords myself, with the same/better convenience factor and without offering a huge attack surface. It's not about LastPass making mistakes, rather about them not learning from them and thus necessarily repeating them. If you still want to believe that LastPass is hardened now - well, if it makes you happier...

      • tincholio 9 years ago

        I actually do that (gpg-encrypted file with an org-mode table with usernames and passwords, easily accessed from within Emacs). It's not as much of a hassle as it sounds, really.

      • tripzilch 9 years ago

        Totally agree with you on the convenience factor. Still doesn't mean I'm going to use a browser extension to securely manage my passwords. Or something proprietary. And lets me decide how and where to store/sync the encrypted blob of my password DB.

        So I use KeepassX for Linux (and Keepass2Android on my mobile), which I frankly don't understand why it's not recommended way more often. It's open source, doesn't have those problems, nor does it have a company--ego--attached to it that has incentives to downplay security-issues to save face/profit. Ego is a potential attack surface.

        Every time the password-manager discussion comes up, I scan the thread and check what possible problems any of them have. And all of the other ones have at least some of those issues that I care about, even if only that the encrypted blob is stored somewhere out of your control. Except for KeepassX, for which the only "serious" downside I've read is that some big security names on Twitter seem to really dislike the GUI for some reason. Which is a fine opinion, but not one where I'd consider their expertise to hold much value over anyone else's (and personally, I disagree with).

        > Here's another question to ask: "Is everyone really going to open a separate application, unlock the vault every time they want to use it (due to timeout), Ctrl+F for the URL, and then Ctrl+C out the username and password every time they want to visit a site? Also, is everyone going to create a correlated entry every time they make a new account?"

        Okay, so here's how I use KeepassX for Linux:

        The application is small and lightweight and therefore already open (but locked) as an icon in my systray. I have to unlock the vault due to timeout[0]. To find the entry, type a few characters in the search box, or select it from the appropriate category/folder, I put the few ones I use most in the default/top folder for even quicker access. Then I right-click the entry and select "perform autotype". Done.

        "Perform autotype" seems to basically send a bunch of keyboard events: <alt-tab>, [username], <tab>, [password], <enter>. This sequence works on every login form I use. There are probably exceptions, but iirc you can configure the autotype sequence. Otherwise for that one login form that is weird and annoying you can always right-click and use "copy username/password to clipboard" (which is auto cleared after X seconds). Finally if the login form won't let you autotype AND doesn't let you paste, it becomes even easier: right-click, "delete entry" and never use that service again because COME ON, really.

        edit to add: the Android app, Keepass2Android, is slightly more cumbersome to use, but that's mainly because I find touch screen typing my master password a bit of a pain. After that it's actually easier: once you've selected the entry, you select Keepass2Android as keyboard app, which only has these buttons: [User], [Pass], [Next field], [Submit]. At entering the master password there's also a checkbox "allow quick unlock", which allows you to unlock using only the last 3 chars of your master password (for the duration of a second, longer and configurable, timeout).

        [0] Do other password managers get around this? I really don't see how, without getting the same exposure as I would get by disabling the timeout in KeepassX?

    • SubiculumCode 9 years ago

      Copying and pasting seems to be a vulnerability... especially if you get distracted for a moment, or haven't had your coffee and paste it into your search bar.

      • bqe 9 years ago

        It's a risk, albeit a small one. Individual passwords are easy to change if compromised. I have personally never miscopied them. Both pass and KeePass will automatically clear your clipboard a little while after copying the password.

        However, losing every single password at once, without your knowledge, direct to an adversary due to a LastPass vulnerability is a much more severe problem.

      • OJFord 9 years ago

        If you paste a long, random password in your search bar, what's going to happen in the time between then and changing it?

      • AdmiralAsshat 9 years ago

        In Firefox, I believe there's a way to turn off asynchronous searching so that it won't attempt to search as you're typing. Even though DuckDuckGo is my search provider, I have that enabled anyway; I figure I'm okay with having to press ENTER to see results as a trade-off for not having my data sent to someone as soon as I start typing. Not sure if this is an option in Chrome/Chromium.

      • mixedCase 9 years ago

        While I don't use pass, KeePassXC and KeePassDroid clear the clipboard shortly after use.

        • sprucely 9 years ago

          KeePass also has a handy feature that bypasses the clipboard and sends {username}{tab}{password}{enter} keystrokes directly to the browser window. The keystrokes can also be customized per web page.

        • cookiecaper 9 years ago

          Yep, KeePass has a (too short) default timeout to erase the password from the clipboard, I think it's something like 10 seconds? I increased it to 90 seconds.

    • runamok 9 years ago

      That's a good point. Might be a good workaround to sort of "sandbox" the password manager from your active web browser. Have a second browser with the plugin installed that you use only to copy the password to your clipboard and then paste into the password field. I can usually remember my username for 99% of websites.

    • amackera 9 years ago

      I would love to use pass but I can't figure out a decent way of getting it on my iPhone.

      Sometimes I don't have my laptop with me.

      • bqe 9 years ago

        Haven't used it, but it looks like there are a few apps for iOS: https://mssun.github.io/passforios/

        KeePass is a good solution, too. It also has iOS apps.

      • jethro_tell 9 years ago

        I use password safe which is a windows app but also has a database format so there are lots of cross platform apps that can act on the safe file. I sync it with Google drive and have a Linux and Android app that I use to access the safe.

    • hdhzy 9 years ago

      > I use pass[1], and I recommend it if you can stand copying and pasting.

      Try browserpass. It uses pass internally. https://github.com/dannyvankooten/browserpass

  • SubiculumCode 9 years ago

    +1 Agree. Lastpass has great functionality imo, and I want a level headed analysis before I jump ship to a competitor.

    I do wonder though if the change in ownership last year has led to a decline in quality.

    • Adaptive 9 years ago

      FWIW I manage a couple Lastpass Enterprise installs and I haven't seen any indicators of a reduction in quality.

      Even @taviso had this (positive) follow up tweet: https://twitter.com/taviso/status/844574176165822465

      • palant 9 years ago

        Frankly, I cannot really understand him being positive about that. A vendor that rushes out a fix without verifying that they fixed the issue everywhere - that's not great at all. I definitely prefer vendors who take a few days to look at the issue properly. But then again, if LastPass did this they would have addressed the issues back in August last year at the latest and I would have nothing to write about.

      • SubiculumCode 9 years ago

        Yup. I checked my LastPass extension and it had updated and needed a browser restart.

    • iamatworknow 9 years ago

      Anecdotal and personal opinion, but I believe that it has. I've been a LastPass user since February 2014. I used to pay for the annual subscription because it was required to use their phone apps, but now that it isn't I find no benefit to the paid subscription, especially given how poorly some things seem to be working.

      The user experience with extensions for different browsers (Chrome, Firefox, Safari) is inconsistent. Menus look and behave differently. Some options are present (and turned on by default) in one browser's extension and absent in another. For example, Firefox's extension opens the vault every time you log in unless you uncheck a box, so if you're at a password field ready to login, LastPass decides to just get in your way.

      But by far the most infuriating part for me has been the iOS app. For the past few months this is what I have to go through to use it:

      1.) Open app

      2.) Enter password

      3.) Scan fingerprint

      4.) Start looking for what I want to find

      5.) App logs me out after about 30 seconds for no perceivable reason

      6.) Enter password

      7.) Scan fingerprint

      8.) I'm now logged in, but the vault is completely empty

      9.) Force close the app

      10.) Open the app

      11.) Enter password

      12.) Scan fingerprint

      13.) Finally get what I want

      I really do want to switch to something else, preferably self hosted, but I haven't been able to set aside the time to do the research and export/import what I have in LastPass currently.

      • HenryBemis 9 years ago

        My experience (with the risk appetite and settings to match said appetite): 1) open app 2) scan fingerprint 3) search "ycomb.." (which limits my results to HN account) 4) tap/copy password --------------------------------------- 5) switch to HN 6) login to HN to write this comment 7) ok I lied I wrote this on my laptop, but still..!!

        I was also scared when they were bought but no tragedies so far.

      • jawon 9 years ago

        I've been using the iOS app since it came out and have never had a problem with it.

        TouchID integration has been a godsend.

        • iamatworknow 9 years ago

          Not sure what would be causing my issues then. It's only been happening for the past two or three months on my 6S Plus.

    • Obi_Juan_Kenobi 9 years ago

      I've always considered Lastpass to provide convenience at the cost of security, and as such am not concerned.

      To me, the point is managing the dozens of separate logins you have to manage to use the web. I often can't be bothered to remember which sites I've signed up for, let alone what the username and passwords are.

      For critical accounts (email, financial stuff, etc.) I'll always take the effort to memorize some high quality and unique usernames and passwords. I find this to be the best trade-off.

mnm1 9 years ago

"Altogether it looks like LastPass is a lot better at PR than they are at security. Yes, that’s harsh but this is what I’ve seen so far."

No, it's not harsh enough for a program that knows the right password, shows it to you, but then inputs the wrong one in the password field. Of course, compared to these security issues, such UI issues are almost irrelevant. With such a simple UI to program, you'd think they'd at least get that right or fix it. And if they don't, it's likely they have much bigger problems under the hood. Over and over.

Unfortunately, all the reviews of Lastpass I read gave it 4-5 stars and it was often a recommended or editor's choice pick. Clearly, those reviewers and their publications are just a bunch of shit words to attract advertising (that includes pretty much every article on password managers I managed to read). This is a pretty important part of security. If it takes someone with expert skills in computers almost a year to find a good password manager program, not to mention days worth of work importing into and testing various solutions, what chance does your everyday computer user stand?

The way things stand with password managers right now, I'm not sure we're advising ordinary computer users correctly in telling them to use one.

  • r3bl 9 years ago

    > If it takes someone with expert skills in computers almost a year to find a good password manager program, not to mention days worth of work importing into and testing various solutions, what chance does your everyday computer user stand?

    The reason why I hate these kinds of threads in IT communities is that we usually don't seem to talk about the issue(s) the article is referring to.

    Take this one for example. There's much more discussion about what works for who than the actual content of the article. And then I followed an article linked in the comment here about getting 1Password to run on Linux. And at the bottom of the article there was a link to the HackerNews thread about that article. And the situation is exactly the same.

    Out of 57 comments in that thread (https://news.ycombinator.com/item?id=9091691), only four are actually related to running 1Password on Linux, and none of them is actually related to someone actually trying the method from the article and sharing his/her experience. 53/57 comments are basically "I use X because of Y".

    • mnm1 9 years ago

      "The reason why I hate these kinds of threads in IT communities is that we usually don't seem to talk about the issue(s) the article is referring to."

      I clearly describe the issue: "a program that knows the right password, shows it to you, but then inputs the wrong one in the password field". This isn't a bugtracker. If you want details, I'll gladly supply them. But don't accuse me of not writing something that's clearly in my post.

      • r3bl 9 years ago

        I wasn't referring to your own comment, but to the discussions about password managers in general (hence, the usage of "we" instead of "you"). I apologize my comment led you to believe otherwise. I found your comment relevant to the discussion and went on trying to discuss how these threads in general might have something to do with us taking so long to choose a password manager.

    • OJFord 9 years ago

      > The reason why I hate these kinds of threads in IT communities is that we usually don't seem to talk about the issue(s) the article is referring to ... comments are basically "I use X because of Y"

      I often come to these comments on articles like this precisely because I want to see if the knowledgeable folks here suggest the product/service in the article, or if not something else (in the same space).

    • __jal 9 years ago

      > The reason why I hate these kinds of threads in IT communities is that we usually don't seem to talk about the issue(s) the article is referring to.

      The reason why I hate these kinds of threads in IT communities is that they always devolve into criticism of what other people want to talk about.

      • polotics 9 years ago

        I recommend we adopt a /meta.. tag to identify posts that are just about posting.

  • wefarrell 9 years ago

    Is there a better alternative? Certainly not reusing passwords and if you aren't reusing passwords you'll have to manage them all somehow. I can't see a better solution.

    • palant 9 years ago

      I'm "slightly" biased but to me Easy Passwords is a better solution (see https://palant.de/2016/04/19/easy-passwords). In fact, I programmed it myself :)

      Syncing data between different computers is still work in progress. Then again, with it being a password generator this is less of an issue than with password safes. As long as your master password is the same you can simply create a password with the same name on another computer and it will work.

johnjuuljensen 9 years ago

http://keepass.info/ is awesome.

Put your keyfile on Dropbox/OneDrive/whatever so it syncs to all your computers.

Keepass2Android works great and can read from most cloud storage solutions.

Don't know about iPhone.

Edit: It also has a lot of neat plugins. I use one for storing ssl certificates, which also supports key forwarding to putty.

  • avoutthere 9 years ago

    Putting one's keyfile in the cloud just seems to me to be asking for it. You're essentially trusting a 3rd party with the keys to your kingdom.

    • TorKlingberg 9 years ago

      * Compared to completely cloud-based password managers like LastPass and 1Password, it's no worse.

      * The database is encrypted with your master password.

      * You can optionally also encrypt it with a static "Key File" that is on all your devices but not in Dropbox.

      • extra88 9 years ago

        1Password seems to put saving to their cloud front and center but you can still choose to not save your passwords on their servers and use your own methods. My 1Password vaults are encrypted with my master password and synced between devices using Dropbox, I think there's also an option for directly syncing between smartphones and computers.

    • WorldMaker 9 years ago

      A) You should presumably still have a good passphrase.

      B) You choose which 3rd Party to trust. There are many options with different security/trust/threat models.

      (Example: lately I've been using an encrypted share in Resilio Sync where the "cloud" option for me is a dumb VPS that can share the folder torrent but does not have decryption keys into the contents.)

    • r3bl 9 years ago

      No. You're trusting the encryption of the password manager. No self-hosted password manager that I know of keeps your passwords in a clear text file.

    • cookiecaper 9 years ago

      KeePass is a fully self-hosted solution. The grandparent suggests using Dropbox et al for convenience (the vault is always encrypted, so it's not "giving away the keys"). However, you don't have to do that; I just use SFTP to copy the file off of my workstation when I need a fresh copy on my phone/laptop.

    • Johnny_Brahms 9 years ago

      I don't trust dropbox, but I do trust the encryption of my password manager. Depending on how you measure, my key is somewhere between 100-150 bits, and even if that was feasible to brute force, I am not that important.

    • growse 9 years ago

      Personally, I do the same, but on Syncthing. Works very well, no need to trust in the availability of Dropbox etc.

  • ekingr 9 years ago

    https://keeweb.info/ is also very nice. It has a very convenient Dropbox (& co) integration.

  • irrational 9 years ago

    I would like to know this as well. I tried setting up KeePass on iOS, but was never able to get it to work so it seamlessly kept things in sync between all my devices (two desktop computers, three laptops, two tablets and an iPhone). I then tried LastPass and so far it has worked flawlessly for me across all devices. Now I read this and I'm not sure what to do. Prior to LastPass I used the same six character password for everything. Now many of my passwords are 30+ characters long. That seems more secure, but if someone can just grab my passwords while I'm browsing then maybe it's time to go back to the same 6 character password that I can remember.

  • iKlsR 9 years ago

    https://www.enpass.io/ is better, does the same, you sync the wallet across your machines and devices, also has browser integration. https://www.enpass.io/security/

  • el_benhameen 9 years ago

    Would love to hear from someone who has an iPhone and uses Keepass or a derivative. That's my last barrier to using it.

    • graedus 9 years ago

      I do. I use the MiniKeePass app, which is free. You can export your KeePass database (.kdbx) from the Dropbox app to MiniKeePass.

      • scott_karana 9 years ago

        Ditto. It doesn't make for a good _write_ experience, since you have to copy back to Dropbox manually, but I find that I almost exclusively _read_ passwords, so it's a non-issue for my use case.

      • irrational 9 years ago

        Does this keep things auto synced up between all your devices? I'm constantly switching between different desktops, laptops, tablets, etc. and I'd love a replacement for LastPass that auto syncs just as well and also works on iOS.

        • graedus 9 years ago

          As far as I know the system I described is manual only on iPhone. That is, if the database file gets updated on another device/computer, you have to manually re-import it from Dropbox to MiniKeePass to see the update there.

          On desktops/laptops, if you're pointing KeePass at a database file in a Dropbox-synced folder, then it's automatic.

  • fencepost 9 years ago

    I may be misremembering, but I thought this was the method used by at least one other app. 1password comes to mind but I can't check it right now.

    I ran into this when checking unexpected files on a client's system.

  • Veratyr 9 years ago

    I tried Keepass but couldn't find a Mac compatible port that supported import from CSV, which kinda kills it because I already have all my passwords elsewhere and there are too many to move manually.

  • icc97 9 years ago

    You can also add in KeepassHttp + PassIFox. But I wonder if these might have similar vulnerabilities as they too would be handling decrypted passwords.

    • compuguy 9 years ago

      True, but there are a slew of security issues (and unknowns) with KeePassHttp: https://github.com/pfn/keepasshttp/issues/258 https://github.com/keepassxreboot/keepassxc/issues/147

      I've been looking for an alternative with somewhat parity with LastPass with a better security policy.

      • kirushik 9 years ago

        Enpass seems to be your (and my) best choice at the moment. At least it's a standalone Qt application (not a JS-based browser one), with its separate UI and without any autofills without asking. Bonus points for reasonably good integration with your usual clouds (Dropbox, GoogleDrive, OwnCloud, etc) for synchronization.

        Cons: NOT open-source, paid cellphone apps.

      • icc97 9 years ago

        That #258 issue is for if you use it remotely - which by default it isn't and I don't. The other issue you raise is based on top of that. So as long as you're using KeepassHttp with localhost then you should be ok.

        So a slew is not necessarily accurate. But I take your point, it's definitely a similar weak point to the one LastPass has.

Blackthorn 9 years ago

Sigh. I can't ignore the red flags anymore. Time to switch off.

Is there anything automatic out there? I'm not going to use program+dropbox/cloud-provider. I need something like lastpass.

Don't suppose there's anything out there that can import the lastpass db?

  • pwenzel 9 years ago

    If you're open to a paid option, 1Password for Teams/Families is a good one. You can transfer from LastPass via CSV (https://support.1password.com/import-lastpass/).

    • WhitneyLand 9 years ago

      I felt like they weren't above board previously with pricing. It wasn't fraud but IIRC prices got a big jump that was timed to be in combination with some kind of defacto mandatory upgrade. It had a bait and switch feel to it and at the time the family price across multiple devices seemed too high.

      • xeromal 9 years ago

        I'm still on 4.* which was a 1 time fee. I never felt like I was forced to upgrade.

        • WhitneyLand 9 years ago

          That's cool, but the problem is most software is not safe to use unless it's actively maintained and offering updates from at least a security perspective.

          So I don't consider that a realistic approach for most people, especially for something as mission critical as password management.

          • tripzilch 9 years ago

            You just can't really expect proprietary software to be actively maintained indefinitely for a one-time fee. Add to that the financial (and ego-) incentives to downplay security issues, and I really don't think people should consider anything but open source password managers.

      • extra88 9 years ago

        I bought 1Password for Mac and 1Password for iOS in 2013, have paid nothing since and use the current versions. I don't save passwords to their cloud (I use Dropbox, including sharing a vault with my spouse), maybe I would have to start paying a subscription for that.

    • ciex 9 years ago

      So I just did this. Have to say that I really didn't feel comfortable with the unencrypted CSV data transfer. I made sure that time machine doesn't index it, but accessing this file in the time window needed to export/import seems like a prime attack vector to me.

    • ryankask 9 years ago

      Are you using 1Password's cloud sync or the older Dropbox/iCloud/other method? (Really curious about all 1Password users in this thread)

      I've read a lot of reviews but many predate 1Password's cloud option.

      • tcpekin 9 years ago

        I use their cloud sync and love it. One of the few subscription services I pay for. I also use the browser extension, which others have pointed out might not be the best, but I think it's better than the one to five universal, easy-to-guess passwords I was using before. I have it on Windows, Mac and Android and it syncs seamlessly.

      • casenjo 9 years ago

        Been using 1P since version 4 or so and syncing with Dropbox. It works really well and I'm quite satisfied with how quickly they resolve issues (especially security related ones)

    • stephen123 9 years ago

      I recently switched to 1pass, it's much better

    • nvr219 9 years ago

      I have 1password 4.6 and love it.

  • Rudism 9 years ago

    I switched from Keepass to Enpass a while ago (enpass.io). It does use 3rd party cloud accounts for synchronization, but it's fully integrated into the apps.

    Has android/ios/blackberry/windows mobile clients, desktop clients for mac/win/linux/chromebook (including portable versions), and browser addons. It's not a subscription service---the desktop versions are free, and the mobile versions cost a 1-time purchase to unlock all the features. I'm very happy with it.

  • danjoc 9 years ago

    passwordstore.org is good if you're a nerd. It's built on standard linux tools: pwgen, gnupg, git. QtPass is a Qt-based multi-platform desktop GUI version. That helps if you're not in the mood to be a nerd today. Android Password Store is the mobile version and integrates with Android chrome/chromium. Thanks to gnupg, pass also works in conjunction with smartcards like Yubikeys. Open Keychain on android allows you to use a Yubikey Neo with Android Password Store. PassFF is the Firefox plugin.

    Usage: It's a git repo with passwords stored in encrypted text files. Syncing is done by pushing/pulling the git repo. Since it is git, you have a record of every password you ever generated. Unlocking a password with a Yubikey requires a pin entry and a physical touch. Once entered, the key is available for further passwords without pin, but a Yubikey 4 can be configured to require a touch every time if you're worried about compromised hardware stealing your entire password database.

    There's no import from other managers that I'm aware of, but it might exist. Googling stuff about 'pass' is tedious. Google for 'zx2c4 pass' and you'll have better results.

    • ricardobeat 9 years ago

      Does using PGP make it any safer than, say, simple password-based SHA-512 encryption?

      • danjoc 9 years ago

        It does. Using PGP in conjunction with a Yubikey means even if someone obtains your password repo, they still can't get in without your physical private key. Without using a Yubikey, an attacker would still need to obtain the private key. They couldn't just grab the vault from the cloud store and start running offline password cracking on it.

      • scott_karana 9 years ago

        How do you encrypt using a hash function?...

        • tripzilch 9 years ago

          While it can be done (use the secure hash to generate a key stream--but first google it because I bet there are some pitfalls to keep an eye on), I assume that the parent poster meant to indicate a symmetric encryption algorithm like AES (as opposed to asymmetric PGP), instead of a hash algorithm like SHA.

  • croon 9 years ago

    I use bitwarden. It's open source and works in browser and on phone. I haven't done any auditing myself, so I guess it's a leap of faith in that regard, but it's working great thus far.

    It can import from a lastpass file.

    Even though it's open source, there is a hosted instance (so the experience is much like lastpass). There was a kickstarter a while back that failed though, so I'm unsure how it's funded.

  • icc97 9 years ago

    Keepass imports from Lastpass [0]. Not that it meets the rest of your requirements, but Keepass + KeepassHttp + PassIFox work beautifully for me.

    Autofills my logins and fully integrates with Firefox's password manager so that you don't get conflicts between the browser and your password manager trying to save the same password. Also doesn't add the stupid CSS hacking that LastPass does to add their logo into the password fields, breaking various sites' styles.

      [0]: http://keepass.info/help/base/importexport.html

    • schmichael 9 years ago

      Keepass has lots of red flags for me:

      - No https on site

      - Update file hosted via http (not https)

      - Downloads via sourceforge which has injected adware in downloads before

      - FAQ downplays lack of constant time comparison instead of using constant time comparisons and being extra safe

      - You have to cobble together multiple apps from multiple developers to get a full working solution; means you have to trust lots of individual entities

      That being said I can hardly defend staying on Lastpass anymore.

      I just wish 1Pass was cross-platform so there was a clear universal winner!

      • tripzilch 9 years ago

        Got a link to that FAQ thing? I find downplaying of potential security issues a rather important red flag.

        The https thing is unfortunate and should be fixed, but I've always got my KeepassX from a signed repo.

        The cobbling together is also an important part of its strengths. In particular I want the sync of the encrypted DB to be decoupled from the app that decrypts and manages the password entry into forms (the latter being yet another entity, btw).

        I'm really curious to see that FAQ entry! Because I can't imagine a scenario where timing side-channel attacks would be relevant to a password manager app (provided the sync is decoupled, which is one reason why that's so important). If you're gonna brute-force the master key, you'll use an external program anyway, so constant time comparisons in Keepass's routines shouldn't matter? Also it's not like you could remotely trigger Keepass to decrypt 1000s of times in order to glean info from timing data, because it's not a browser plugin. Which is one of the reasons why we don't want our password manager to be a browser plugin. Again, decoupling is a strength.

      • icc97 9 years ago

        - No https, agree, it's a very old site, but it's not sensitive material that you're submitting. You can check the integrity of the download [0]

        - Sourceforge, again not ideal but again it has very old beginnings from when Sourceforge was as respected as GitHub is. You can't blame the developer for the environment changing. Perhaps they're just a stickler for loyalty. I've never had any crapware with Keepass.

        - FAQ - I couldn't find your reference in the FAQ page [1]

        - You have one app + plugin with a browser extension from two developers, hardly a mishmash. You know directly who those two developers are. You've no idea who was working on LastPass. I'd say it was more in the bazaar philosophy vs the LastPass cathedral.

          [0]: http://keepass.info/integrity.html
          [1]: http://keepass.info/help/base/faq_tech.html

      • icc97 9 years ago

        You can download the file via https [0], this is what the Chocolatey package does [1]

          [0]: https://sourceforge.net/projects/keepass/files/KeePass%202.x/2.35/KeePass-2.35-Setup.exe
          [1]: https://chocolatey.org/packages/keepass

    • ac29 9 years ago

      Sounds interesting, but requires a password program, a 3rd party plugin for the program, and a browser plugin... and yet another app to do cloud sync like Dropbox.

      Sounds like a huge pain compared to LastPass, as well as increasing attack surface.

      • icc97 9 years ago

        LastPass is a Cloud password program + browser plugin

        So the extra layer is the plugin that is written by the same developer as the browser plugin. Which is a drop-in plugin.

        It's all open source so it's much easier for people to check the vulnerabilities. It's also easier to raise issues and other people to help fix them.

        Separately Keepass is an offline database, so you have total control over access to it. The overhead of course is using something like Dropbox, plus probably Boxcryptor to ensure it's encrypted before it gets to Dropbox.

        I've commented elsewhere here - it's similar to the Keepass bazaar vs the LastPass cathedral. Keepass might look uglier, but I trust it more.

      • tscs37 9 years ago

        It kinda is. I just dropped the database on my Nextcloud instance though, which has so far not suddenly caught fire.

    • sillysaurus3 9 years ago
    • m3Lith 9 years ago

      For using with FF, I'd recommend KeeFox.

  • k_sh 9 years ago

    Dashlane does! Been using it for a year or so. Good experience.

    https://csdashlane.zendesk.com/hc/en-us/articles/202699141-H...

    • smrq 9 years ago

      I switched away from Dashlane after several years because their software has been getting progressively more unstable. Force-killing the Dashlane executable because the browser plugin has locked up got pretty old.

    • cypherpunks01 9 years ago

      I love Dashlane, it's pretty magical and a massive timesaver. I use it on OSX primarily but it syncs to my Android very well.

      There's an unfixed bug in the OSX client where it crashes rarely (every couple months for me) and I have to kill the process manually and restart, but it has very minor impact.

      Is there any security analysis or consensus on Dashlane security vs. other password managers?

      • k_sh 9 years ago

        I have this problem every couple weeks as well. Killing DashlaneMASService solves it.

    • Blackthorn 9 years ago

      I will fully investigate Dashlane. I turned a lot of my non-technical friends onto password managers, and will need to update my recommendation for them with something that can both import the LastPass DB and be as convenient to use.

  • zaneyard 9 years ago

    See the beauty of using program + cloud-provider is that all the cloud provider sees is an encrypted file. If one were to gain access to my Google Drive they would still have to crack an encrypted file which will take a while.

    I feel like with lastpass the attack vector is bigger with all the fancy features.

    • Blackthorn 9 years ago

      It's encrypted on the lastpass "cloud" too. The point of it being integrated is the user doesn't have to take action to download the encrypted DB; the software does it for you.

      • tripzilch 9 years ago

        But you don't want the software that is capable of decrypting the DB to also be responsible for uploading to a fixed cloud service!

  • MaKleSoft 9 years ago

    > Don't suppose there's anything out there that can import the lastpass db?

    Padlock does: https://padlock.io/howto/lastpass/

    Disclaimer: I'm the developer

  • cube2222 9 years ago

    Check out 1Password.

staticassertion 9 years ago

Yeah, the two weak points pointed out have always been weak points. It's unfortunate, but disabling autofill has always been my recommendation.

> Altogether it looks like LastPass is a lot better at PR than they are at security. Yes, that’s harsh but this is what I’ve seen so far. In particular, security vulnerabilities have been addressed punctually, only the exact scenario reported has been tested by the developers.

This seems unfair.

LastPass fixes the initial vulnerability punctually - we do not know what they will do in the future. Is it better for them to wait, come out with a defense in depth approach, and then patch? Seems silly.

Of course, how long do we wait? Historically, I would argue, LastPass has done defense in depth fairly well - when there was a breach they were quick to not only address the vulnerabilities immediately but soon after they rolled out Content Security Policy and HSTS, two technologies that were rarely deployed in the wild at the time (and are still sadly too rare).

My suggestion to LastPass users is to:

1) Enable 2FA

2) Up your PBKDF2 Rounds

3) Disable as many browser integration features as possible

I don't recommend dropping LastPass and trying to roll your own key-sync store with KeePass/Dropbox as some have done. I don't know of any other browser-based password manager that isn't equally weak to attacks based on browser-integration.

Alternatively, don't use a browser-based solution. This is less convenient but you'll avoid by far the largest area of attack surface.
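Added example, not code from the thread or from LastPass: the offline-guessing cost that both the PGP-vs-password-based-encryption subthread above (danjoc's point that a vault encrypted to a hardware-held private key gives an attacker holding the blob nothing to test guesses against) and the "Up your PBKDF2 Rounds" advice turn on. The vault header layout and the key-check construction are constructed for illustration; only the KDF (PBKDF2-HMAC-SHA256 with a user-tunable iteration count, which is what LastPass derives the master key with) is taken from how such managers actually work, and the iteration counts used are illustrative, not LastPass's defaults.

```python
"""Cost of one offline master-password guess against a PBKDF2-protected vault.

Constructed example: the header format and key check below are invented for
illustration and are not LastPass's real on-disk format. The KDF is the real
one (PBKDF2-HMAC-SHA256, iteration count chosen by the user), so the relative
cost of different iteration counts carries over; absolute times depend on CPU.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

KEY_LEN = 32
CHECK_LABEL = b"vault-key-check"  # fixed label; its MAC under the key lets the holder verify a key


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the vault encryption key from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def make_vault_header(master_password: str, iterations: int,
                      salt: Optional[bytes] = None) -> dict:
    """Build the unencrypted header that sits next to the encrypted vault blob.

    Salt and iteration count are public by design; the key check is
    HMAC(key, label). Anyone who obtains the blob (cloud store, stolen laptop)
    can test master-password guesses against it with no server involved, which
    is why the per-guess cost (the iteration count) is the only brake left.
    With a vault encrypted to a private key that lives on a token, as in the
    pass + Yubikey setup, there is no password-derived check here to test.
    """
    salt = salt or os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    check = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def verify_master_password(candidate: str, header: dict) -> bool:
    """The client's unlock check; also exactly the work one offline guess costs."""
    key = derive_vault_key(candidate, header["salt"], header["iterations"])
    check = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return hmac.compare_digest(check, header["check"])  # constant-time comparison


def seconds_per_guess(header: dict, samples: int = 3) -> float:
    """Best-of-N wall-clock cost of a single unlock attempt at the header's iteration count."""
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        verify_master_password("not-the-real-password", header)
        best = min(best, time.perf_counter() - t0)
    return best


def guesses_per_day(header: dict, cores: int = 1) -> float:
    """Rough number of master-password guesses `cores` CPU cores can try in 24 hours.

    Real attackers use GPUs and are faster per core; the ratio between two
    iteration counts is the defensible number, not the absolute figure.
    """
    return cores * 86400 / seconds_per_guess(header)


if __name__ == "__main__":
    salt = os.urandom(16)
    master = "correct horse battery staple"  # constructed sample master password
    for iters in (5_000, 100_000):          # illustrative counts, not LastPass's defaults
        hdr = make_vault_header(master, iters, salt)
        assert verify_master_password(master, hdr)
        print(f"{iters:>7} iterations: {seconds_per_guess(hdr) * 1e3:7.2f} ms per guess, "
              f"~{guesses_per_day(hdr):,.0f} guesses/day on one core")
```

Raising the iteration count by 20x cuts the attacker's daily guess budget by the same factor while costing you one slower unlock; it does nothing against the browser-integration bugs the article describes, which hand over the already-decrypted data.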

jd007 9 years ago

I wonder if 1Password is equally susceptible or less so, due to the way that the extension works. Because 1Password has a native application, I believe the browser extensions merely communicate with the native application to retrieve passwords to fill when needed, instead of handling your whole decrypted vault.

  • JoelTheSuperior 9 years ago

    Precisely this. The LastPass extension actually handles the decryption, whereas the 1Password one merely communicates with the app. 1Password should therefore be significantly more secure.

    • tripzilch 9 years ago

      > whereas the 1Password [extension] merely communicates with the app.

      wait. the communication goes what way?? You make it sound like the 1Password extension (that doesn't handle encryption, therefore is not authenticated) can request password and credential data from the 1Password app, like it's pulling data from it?

      How does the 1Password app know that whatever process is making that request is in fact made by that particular browser extension, prompted by user-action on the extension that is the same user as the one that unlocked the encrypted password vault in the app? And if it doesn't why are you storing your passwords in it :)

      Are we all clear on what a password manager is? Maybe we should start with a good definition, such as:

      A password manager is an application that manages an encrypted database, that when unlocked by the user, can be prompted by the user, to decrypt an entry from the database, and send one or more fields of that entry to a specified receiving application's input/login field(s). Communication only flows from the user prompting, to the password manager, to the receiving application. Not the other way around.

      Ok that's not a full definition yet, it also needs a bit about how to store the encrypted database, how not to sync it, not keeping any keys or plaintext in memory any longer than strictly necessary, etc etc.

      But it's good if we'd have a definition like that, something that is waterproof by definition.

    • mentat 9 years ago

      If it auths the application, which it didn't for quite some time. Tavis has found plenty of issues with 1Password and their team has been much more hostile and less responsive.

  • palant 9 years ago

    I only had a quick look at 1Password browser extension's source code but there were no obvious red flags - much unlike LastPass. Let's see what Tavis Ormandy digs up, supposedly he found some issues.

Orangeair 9 years ago

I would love to switch to a different password manager, but nothing else I've tried has quite managed to nail the usability aspect. Specifically, Lastpass's app fill functionality on Android is a huge benefit that I haven't seen in others. It also has a browser extension that works without a separate program running on your computer; I didn't even realize that was a plus until I started trying to use other apps that did that.

I guess for now I'll just turn off all of the automatic features like this I can find.

  • bigtunacan 9 years ago

    Usability is great, but we're talking about our passwords. Security needs to be put ahead of usability in this case.

    If you can get both that's great, but poor usability beats having your banking and systems owned.

    • Orangeair 9 years ago

      It's still more secure than not using a password manager. And I've found that whenever I'm in a situation where I can't use lastpass for whatever reason, I just fall back to using a password I've used many times before. Anything else I would just immediately forget.

    • baldfat 9 years ago

      Why would people put their bank and other important passwords like this in a password manager?

      I've used lastpass for over 5 years and I memorize my lastpass and my bank account passwords.

      • Bluestrike2 9 years ago

        Why wouldn't the average user? The entire idea is that you'll just have to remember two passwords: your computer account, and your password manager. At least for most users, the idea that some password shouldn't be stored just opens the door to bad practices and password reuse.

        For someone working on a password manager, I think the default assumption has to be that a screwup on your part will--literally--impact pretty much every aspect of a user's life. You can't assume that some passwords won't be stored.

        • baldfat 9 years ago

          Well my wife believes that reusing the same password with variations is more secure than a password manager. Most average users distrust a manager and won't use it.

      • proactivesvcs 9 years ago

        My email accounts' passwords are far more important than that of my bank account, and there's no way I could put up with typing them in every 15 minutes.

        On top of that, chances are that a bank login saved in a password database, which has 2FA and other sensible precautions, is probably kept safer for any one individual than the bank's systems themselves, what with the huge legacy cruft they suffer from. No-one would be able to walk into my computer, or call it, with some faked documents and social engineer themselves into my password database.

      • irrational 9 years ago

        Uh, because otherwise my bank account password would be the equivalent of 1234abcd. That's what my password basically was prior to using a password manager. Now my bank password is the maximum length allowed and is basically a random mix of upper- and lower-case letters, numbers, special characters.

        After reading this I'm seriously considering dropping my password manager and going back to something I can remember and type in in a reasonable amount of time like 1234abcd.

  • yegle 9 years ago

    I hope the new Auto Fill API [0] in Android O will make it a lot easier for other apps to add this feature.

    [0] https://developer.android.com/preview/features/autofill.html

ja27 9 years ago

I've always been quite nervous that the LastPass two-factor authentication can be easily bypassed if your email account is compromised. On the 2FA screen there's a "If you lost your Google Authenticator device, click here to disable Google Authenticator authentication" link. No. I don't want that to be able to be disabled. I have one-time passwords for that.

  • nickik 9 years ago

    You can configure quite a lot of stuff in the 2FA settings. I have no such option for my 2FA on Lastpass. Also, my email also has 2FA.

    • twblalock 9 years ago

      Given how many sites will send password resets and one-time-use second factor codes to email, it's pretty much imperative to have two-factor auth on your email account these days.

gtirloni 9 years ago

What to use instead that doesn't fall into the same situation and offers decent mobile/browser support?

miles_matthias 9 years ago

I've been using LastPass for a few months and have loved it, but maybe I'll consider switching to 1Password.

<rant> However, can I just rant for a second about how these security assessments and blog posts fold out? The beginning of my career was spent thinking I was going to go into this field (one of my degrees is in Information Assurance) and the #1 thing that persuaded me to switch to building software instead was the attitude and approach of the security field.

If it's not 100% secure and we all agree that it's the 100% best way to do something, it's the end of the world and anyone using LastPass is an idiot who will have all of their passwords hacked and their life ruined. (Remember when the draft for client side storage was announced? You would have thought armageddon was upon us based on the reaction of the security industry.)

Big picture here -- most people re-use a short, simple password on all of their sites. Using a password manager, even one with a few things that it can and should improve, is a HUGE step in consumer behavior. Bickering amongst ourselves and boasting for crapping on someone's company is not the right approach to increasing our entire society's security stance.

Want to actually help?

1. Create more resources to help consumers pick, use, and adopt a password manager with super simple setup process. Even the current methods that all password managers use of generating, saving, and autofilling passwords are too complex and cumbersome for the average consumer. Heck, even MFA is seen as a huge waste of time and barrier to logging into people's accounts by the majority of people right now.

2. Create more resources to educate developers of these services, helping them to see what they should do and how they should do it, not bragging about your ability to tear down a service they spent hours slaving over. Get over yourself and actually help society. (https://www.owasp.org/index.php/OWASP_Guide_Project is a great example of this)

Looking for an example? Apple's iTouch. Yes -- it's not the most secure option. People leave their fingerprints all over the place and they can be lifted and used to unlock a phone. But look at the other option -- using no passcode, or a 4 digit passcode that's easy to guess or look over a shoulder. Is it the most secure option? No. Does it raise the level of security for our society as a whole by providing a realistic security barrier that the average consumer can use? Yes. </rant>

  • irrational 9 years ago

    Thank you for putting into words my exact thoughts. Though, I'm cynical enough to believe that people would rather moan about how much password managers suck (Why can't everyone just memorize a different 30 character string for each of their 200+ websites? Losers.) and not do anything productive to fix it. I wish I had the skills to do so.

Sealy 9 years ago

Interested to hear what the HN community thinks about 1Password

  • craigds 9 years ago

    Initially hesitated to switch to 1Password since some of our team used Linux but eventually we all switched to Mac so that went away.

    Much happier with 1Password since we switched from Lastpass. Consistent UI, proper OS integration, multiple separate vaults, not to mention the security story seems better (I've seen several LP vulnerabilities of concern but not yet seen a 1PW one that worried me).

    • irrational 9 years ago

      How well does it work on iOS? Does it auto sync between all devices like LastPass does?

  • monatron 9 years ago

    I used 1Password for quite a long time but have since switched to LastPass mostly due to Linux compatibility and U2F integration.

    • wlesieutre 9 years ago

      1password's Windows version does run under Wine, including the browser extension. It's been a while since I did it, but I think there was some sort of browser extension validation feature that had to be disabled. Not 100% up to the security standards of their other platforms, but it's functional.

    • karood 9 years ago

      I used it (1P) and it was super, but mac only - no Linux client. Just switched over to Enpass, and it's very like 1Password, only they do provide a linux client. So far it's great, very happy with it.

    • nickik 9 years ago

      LastPass does not have U2F yet, do you mean 2FA? They have Yubi Cloud, but not U2F.

    • OxO4 9 years ago

      LastPass currently does not support U2F officially [0]. How are you using U2F with LastPass?

      [0] https://lastpass.com/support.php?cmd=showfaq&id=8126

    • mnutt 9 years ago

      I was really surprised that I was able to get 1Password for Windows working under Wine, even 1P Mini works with the browser extensions. It's not terribly reliable, though.

  • einrealist 9 years ago

    I like it. I'd give them a 10/10 if they'd offer a Linux client, too. An official API would be nice as well.

  • fitzroy 9 years ago

    I've used 1Password on Mac / iPhone / iPad for years and it's one of my few must have apps. It's been great, other than a few annoyances with mobile app and upgrade pricing (sorted now, in a logical way). Syncing has always been solid and I've never had any corruption issues.

    I've been tempted to do away with the extra clicks and just use iCloud Keychain and encrypted Notes, but 1Password feels like less of a black box at this point (maybe just because I've been using it longer). It also seems smarter about filling out forms than the browser-native options in Chrome and Safari — not perfect, but better. I don't use their subscription service, just the desktop and mobile app.

  • mywacaday 9 years ago

    I'm a long time lastpass user, it does enough for me. Different strong password for every website I use, but I never store email, banking or hosting accounts. On another note the cheapest premium 1password is three times the cost of premium lastpass.

    Thinking about it I'm really only using it for convenience, security/strong passwords is in second place.

  • fernandotakai 9 years ago

    no linux support and shit android support means it's a hard pass for me.

    • alexvy86 9 years ago

      Can you be more detailed about "shit android support"? I'm currently trying it out and didn't seem so bad, similar to how I currently use LastPass in Android in general. Apparently I need an extra click to actually copy a password there, but I also saw they have an integrated keyboard (https://support.1password.com/android-keyboard/), which I haven't looked at yet.

    • choward 9 years ago

      Yep. Complete deal breaker. I think I want a FOSS self-hosted solution.

  • draw_down 9 years ago

    I really like it. Much nicer to use than Lastpass in my opinion.

    • irrational 9 years ago

      How much time have you spent using both? Have you ever used KeePass? I see people recommending it and I wonder if you have any experience with it.

  • abalone 9 years ago

    How about Enpass?

    • rahulrav 9 years ago

      Uses SQLCipher, which uses "Algorithms provided by the peer reviewed OpenSSL crypto library".

      Given all the problems with OpenSSL, I really wish they used something like BoringSSL.

      • duskwuff 9 years ago

        > Given all the problems with OpenSSL, I really wished they used something like BoringSSL.

        For basic crypto algorithms, there's little to no difference. Most of the changes in BoringSSL are in higher-level code, like TLS and certificate management.

  • pragone 9 years ago

    I've taken it as a sign that 1Password must be a fairly good choice as I very, very rarely see it pop up on here.

    • bluejekyll 9 years ago

      That could also indicate fewer people use it?

      • roustem 9 years ago

        1Password has over 15 million users across Mac, Windows, iOS and Android platforms.

    • barkingcat 9 years ago

      Wrong metric to use. Just because nobody talks about it doesn't mean it's a "good" choice. It might be better for all you or I know, but using how many hacker news posts you see for something like this is not a good way to evaluate a product.

mancerayder 9 years ago

Commentary / Opinions on how this compares to a KeePass+DropBox solution would be quite interesting to me.

It seems password managers please some of the people some of the time, and unnerve many of the people all of the time.

  • cmdrfred 9 years ago

    I use KeePass+SFTP personally. Something like a password manager I won't trust to a cloud service.

indutny 9 years ago

Has anyone considered using DerivePass yet? (https://derivepass.com/) It doesn't store passwords anywhere at all, just the domain and login information, both of which are encrypted with your master password.

(Disclaimer: I'm the author of it).

h1d 9 years ago

Not sure how people like online password managers. The consequence will be far worse than selling your online attitude to Google by using their online services in case of a security breach. It pretty much gives your online self up to hackers.

With that said, I only use offline managers and this is only for Mac but Locko by Binarynights is clean and easy to use. The downside is that its browser extension can't remember basic auth credentials but other than that I like it. I can also back up the encrypted database easily with a script.

(Seems the link is gone from their site with the release of ForkLift 3 but the page still exists. http://www.binarynights.com/locko/ )

proactivesvcs 9 years ago

With KeePass, a Yubikey and Syncthing you have a pretty solid system which you can carry around with you, without having to trust any third party with any data (or service availability). Arguably you could even leave out the Yubikey and still get a great degree of security.

4ad 9 years ago

I'm interested to hear what the HN community thinks about keeping passwords in iCloud-based Keychain (Safari) or whatever Google's alternative is called.

I don't care about portability. Why would I want e.g. 1Password instead of simply using Apple Keychain?

Thanks!

  • madamelic 9 years ago

    Here is how I think about it: It is a spectrum.

    You can have high accessibility / ease of use or you can have high security. You can't have both.

    By storing your info on a remote server, you are trusting they will protect your data. Maybe they will, maybe they won't.

    It is just a matter of finding a balance you feel comfortable with. Personally, I don't store my passwords on any cloud service, carry them on a thumb drive and don't use services that expose them to the browser. Could I lose a thumb drive? Sure. I rate the chances of someone picking it up and knowing how to exploit it as very low.

    • el_benhameen 9 years ago

      How do you deal with passwords on your mobile device?

      • madamelic 9 years ago

        Type them in by hand.

        It does mean I have to have a computer around with me though. I don't really use a lot of apps, I mostly have my bank apps and those stay logged in.

  • dewey 9 years ago

    1Password has a lot more features than the default Keychain, smarter autofill to begin with. If that's worth it to you that depends on which features of 1Password you'd use.

feeblewitz 9 years ago

I've been a LastPass user for a few years and I use the browser extension everyday. As an admin of several websites, the extension has been a time saver.

I thought I had no illusions about the inherent insecurity in using LastPass, but I guess I was wrong. I use Yubikey and disabled autofill long ago, but I was still vulnerable. Their response to these exploits is maddening. "Our investigation to date has not indicated that any sensitive user data was lost or compromised." This when they can't verify if passwords were compromised as LastPass servers weren't involved in this exploit.

So I guess I need to switch to a different service. Any suggestions?

  • dbg31415 9 years ago

    I've struggled with this too.

    I love how I can share passwords with a team using LastPass (share just access, share ability to view, share ability to edit). For me... it's more about getting the team using the right tool than individuals. There are probably better individual solutions than LastPass, but I don't know of any that are better for teams. I know that having a tool that lets you share passwords is inherently risky... but I still think LastPass is less risky than people sharing via PostIt, or sharing via emails... or less risky than not sharing passwords in that "hit by a bus" scenario we always talk about.

    I tried Enpass, 1Password, and KeePass for individual use... none of them were horrible (I liked 1Password the most). Enpass let you sync your vault with the storage option of your choice... so you could sort of do team passwords that way. Typically I don't want to share all my passwords, just a few... and like I would want to share different subsets with different people... so that "share your vault" option wasn't ideal for me.

    Usability-wise, I love how LastPass fills in my credit card info and address on forms I tell it to. And how LastPass can automatically update passwords for many common sites. And gives me a report of passwords that are weak, old, and duplicate -- the "global rank" on LastPass is a game and I want to get a high score. Ha. (Full disclosure, I tried each casually for less than a week... there may have been things I missed.)

    Been on LastPass for a long time, generally happy with them and haven't found anything that better fit my needs, but clearly these reports that they aren't taking security as seriously as they should be are troubling.

    EDIT: Going to look at https://1password.com/teams/ in the next week or so. I don't think this option existed last time I looked at 1Password.

  • pwman 9 years ago

    A request to https://1min-ui-prod.service.lastpass.com was necessary to attack this, that request has a referring URL sent by default by Chrome / Firefox / Safari.

  • Oculus 9 years ago

    I'm a big fan of 1Password.

alexmat 9 years ago

I use passwords.google.com

It works well with Chromium on Linux and on my Android phone. It's free, has all the security of a Google account including U2F, Chromium integration is flawless on Linux, and it works well with Chrome on Android.

  • bergie 9 years ago

    Note that you can't use the web interface if you've encrypted your Chrome password store with a passphrase.

  • busted 9 years ago

    How long has this been around?

hyyypr 9 years ago

The HN community seems to be giving a lot of praise to 1Password, LastPass and occasionally KeePass, but rarely mentions Dashlane. I'm curious as to why?

  • dublinben 9 years ago

    Dashlane isn't open source, nor is it available on Linux. That is going to prevent a lot of people from even considering it.

    • svenfaw 9 years ago

      Lastpass / 1Password are not open source either.

    • doublerebel 9 years ago

      The Dashlane Windows app does work under Wine.

      Dashlane is the only password manager that looks normal enough to be used by the non-tech members of the company. I've found its sharing feature invaluable, I can get the whole team on it using 2FA and passwords don't get emailed around anymore!

  • thebiglebrewski 9 years ago

    I used to be a Dashlane user. It just got worse and worse over time, the password sharing was incredibly buggy. Their support would always give me excuses and never have fixes. It got to be a nightmare. I switched to 1Password and love it.

    Honestly surprised there aren't more players in this space but it seems really hard to get into.

  • cube2222 9 years ago

    Its interface and usability are also ridiculous on Windows, and it's the most expensive of all.

test6554 9 years ago

I literally just decided to jump into the world of password managers this past weekend. I went with LastPass.

aeleos 9 years ago

Does anyone know of an extension based program, that doesn't rely on an application, that just uses a keepass file stored in the cloud? I really like the idea of KeeWeb, but I wish it could be part of an extension, with support for things like automatic detection and autofill.

touchofevil 9 years ago

Does anyone use Keeper? How is it? I need a password manager that supports Linux, so it seems that LastPass, Keeper, Enpass, and KeePass are the only options. https://keepersecurity.com/

karood 9 years ago

I used it (1P) and it was super, but Mac only - no Linux client. Just switched over to Enpass, and it's very like 1Password, only they do provide a Linux client. So far it's great, very happy with it. * reply to comment above re 1Password

SubiculumCode 9 years ago

I just noted that my lastpass extension was updated by Firefox. Is this fixed?

draw_down 9 years ago

I never liked it, but I won't pretend it's because I'm some security genius. Just found it very unpleasant to use.

saosebastiao 9 years ago

From a strict security standpoint, maybe all of this is true. But I see strong PR as a feature, not a bug...at least until password manager market penetration is closer to 100% than it is to 0%.

Once you've adopted a password manager, you've limited the scope of potential abuse, and you've decreased the pain of recovering from abuse that does happen. Being forced to change passwords used to be a stressful problem for me, and now it is not. Before, I would procrastinate changing passwords after a breach, because I knew how hard it would be. With lastpass, I literally changed every password in my vault in less than a half hour.

The PR matters because it's too easy to hear some bad news and give up on trying to be secure. If the PR prevents people from giving up, I'm all for it.

  • mentat 9 years ago

    These are security-critical pieces of software. Like AV, if the password manager makes it easier to compromise your access in bulk, that's a very, very bad thing. This doesn't need to be targeted: just throw some JS into an ad and pwn 100s of 1000s of accounts. That's actually worse.

    • saosebastiao 9 years ago

      My black hat method is much easier than that, and it doesn't even require a black hat skillset.

      1) Download two datasets from different massive breaches. You can find plenty of them with plaintext passwords on any torrent tracker.

      2) Correlate email and password combos across datasets. Don't worry, you'll find 10s of millions of people who don't use password managers and reuse passwords.

      3) profit

      If you have reason to believe you're being targeted, any breach is a problem. But until my method no longer produces results, there's no reason to believe black hats will go through any additional effort to obtain the average person's creds.
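      The correlation step the comment describes, written out as an added example (not the commenter's code or any real tooling): two constructed "email:password" dumps are normalized and joined on the account, and the accounts that reused the same password in both are reported, along with the reuse rate among overlapping accounts. The dump format and all entries are made up for illustration.

```python
"""Correlate two constructed breach dumps to find reused credentials.

Added example. The dumps and the 'email:password' line format are
constructed for this illustration and do not come from any real leak.
"""

# Constructed sample dumps (not real data). Note the mixed-case email in
# BREACH_A: without normalization the join would miss that account.
BREACH_A = """\
alice@example.com:hunter2
Bob@Example.com:correct horse battery staple
carol@example.com:Tr0ub4dor&3
dave@example.com:qwerty123
"""

BREACH_B = """\
alice@example.com:hunter2
bob@example.com:correct horse battery staple
carol@example.com:a-different-generated-password
erin@example.com:letmein
"""


def parse_dump(text):
    """Parse 'email:password' lines into {normalized_email: password}.

    Emails are treated case-insensitively (lower-cased and stripped), and the
    password is everything after the first ':' so passwords containing ':'
    survive. Malformed or empty lines are skipped rather than raising.
    """
    creds = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if not email or not password:
            continue
        creds[email] = password
    return creds


def reused_credentials(dump_a, dump_b):
    """Return sorted (email, password) pairs where the same account used the
    same password in both dumps: the accounts a credential-stuffing attacker
    would try first against other services."""
    a = parse_dump(dump_a)
    b = parse_dump(dump_b)
    return sorted((email, pw) for email, pw in a.items() if b.get(email) == pw)


def reuse_rate(dump_a, dump_b):
    """Fraction of accounts present in both dumps that reused their password.
    Returns 0.0 when the dumps share no accounts."""
    a = parse_dump(dump_a)
    b = parse_dump(dump_b)
    overlap = set(a) & set(b)
    if not overlap:
        return 0.0
    reused = sum(1 for email in overlap if a[email] == b[email])
    return reused / len(overlap)


if __name__ == "__main__":
    # Report accounts only; never echo the recovered passwords.
    for email, _ in reused_credentials(BREACH_A, BREACH_B):
        print(f"{email}: same password in both dumps")
    print(f"reuse rate among overlapping accounts: "
          f"{reuse_rate(BREACH_A, BREACH_B):.0%}")
```

      The same join is what a defender does in reverse: match a dump's normalized emails against your own user list and force a reset for the hits, whether or not the passwords match, because a user present in two dumps with the same password is exactly the profile the comment describes.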

rebootthesystem 9 years ago

I am almost ready to file a lawsuit.

Context:

What I am after is a password manager that has the option to NOT store anything in the cloud at all. I want encrypted storage to be stored locally. No exposure outside my network. Inter-device synchronization done manually or automatically within the confines of said private network.

I would also like to store data beyond uid's and pwd's. For example: secret questions and their answers, account and pin numbers, company tax id's, bank account numbers, passport numbers, etc. In other words, data you might need handy that should be encrypted.

I've been using a program for a number of years. The program started exactly as I described above: Network only synchronization.

Over the years they have mutated the program to cloud based storage. And, over the years, they have done this without warning to users or seeking any kind of authorization.

Imagine if you are using software that only stores data locally and syncs over your network, only to wake up one day to discover that the latest update uploaded all of your secret data to their cloud-based system WITHOUT your permission. And, to make things even worse, they progressively eliminated the network sync option.

The current version doesn't even ask, the minute you edit a record or create a new one it shoots it up to the cloud. Unbelievable.

Years ago I asked about this. I have an email from the support assuring me the data would never be stored on the cloud. Time to file a lawsuit?

Anyhow. Is there a tool fitting my description above? I don't care if it's free or paid. I simply want my data to never move outside my network unless I want it to.

  • jameskilton 9 years ago

    Have you looked at https://1password.com/? And it looks like https://www.enpass.io/ has similar capabilities, but I don't use it so I'm not sure exactly.

    1Password keeps a local encrypted file. The "integrations" are 1Password knowing default locations to look to store the file in the right directory.

  • mi100hael 9 years ago

    KeePass is a free as in freetard application that doesn't have any sort of cloud capabilities.

  • et-al 9 years ago

    They don't make it obvious, but 1Password still offers a standalone version on Windows/macOS. And KeePassX allows you to manage your own synchronisation.
