LastPass’ Authenticator app is not secure
LastPass produces two apps, the Password Manager and this Authenticator App, which looks like a 2FA competitor to Google Authenticator.
The bug the article is detailing is in the Authenticator application, not the Password Manager application, which wasn't very clear to me on my first read.
Thanks for the clarification. This reveals a couple of other points.
This flaw is that the fingerprint/PIN auth for their TOTP authenticator app can be bypassed by manually launching one of the app's activities. This is a separate auth layer over the phone's screen lock. The first exploit path here is thus that if a malicious user gets access to your unlocked phone, they could install one of these activity opener utilities and access this app's TOTP code screen. That gets them the current TOTP codes, but not the secret for generating them. Note that this is currently the security level that Google's Authenticator app already has.
The other, which I'm a little less clear on, is that a malicious app gets installed somehow, it launches the activity, and manipulates the UI to hit the buttons and read the screen to get your current TOTP codes. I think Android apps' abilities along these lines have changed around several times between Android versions, and I'm not sure which version does what, but I think the current version requires the user to set a special checkbox in settings for an app to be able to do these things. If you can get a user to do that for your malicious app, it can do all sorts of bad things.
In both cases, the attacker would be getting current codes, not the secret, which would still be locked away safely in the app's storage. So while this flaw is kind of bad and should be fixed, it doesn't have me running for the hills, esp. since I don't even use this app.
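The "activity opener" path described in the comments above works only against activities the app exports to other packages, so the first thing a practitioner checks is the manifest. The following is an added example, not code from the article or from LastPass: it parses a constructed AndroidManifest.xml for a hypothetical TOTP app (the package and activity names are made up), applies the export rules Android documents (explicit `android:exported`, or an implicit export when the attribute is absent but an `<intent-filter>` is present, which was the default before Android 12), and lists the exported activities that carry no `android:permission`. Those are the activities to start directly and see whether the app's own PIN/fingerprint gate is still enforced; the manifest alone tells you the attack surface, not whether the gate holds.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


# Constructed sample manifest for a hypothetical authenticator app.
# Package and activity names are invented for this example.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.authenticator">
  <application>
    <activity android:name=".LockScreenActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".CodeListActivity">
      <intent-filter>
        <action android:name="com.example.authenticator.SHOW_CODES"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="true"
        android:permission="com.example.authenticator.INTERNAL"/>
    <activity android:name=".AddAccountActivity" android:exported="false"/>
  </application>
</manifest>
"""


def exported_activities(manifest_xml):
    """Return every activity another app could start with an explicit Intent.

    Each finding records whether the activity is permission-protected and
    whether the export is implicit (no android:exported attribute, but an
    <intent-filter> present: the pre-Android 12 default).
    """
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    findings = []
    for act in root.iter("activity"):
        name = android_attr(act, "name")
        if name.startswith("."):
            name = pkg + name
        exported_attr = android_attr(act, "exported")
        has_intent_filter = act.find("intent-filter") is not None
        if exported_attr is None:
            exported = has_intent_filter
        else:
            exported = exported_attr == "true"
        if not exported:
            continue
        findings.append({
            "activity": name,
            "permission": android_attr(act, "permission"),
            "implicit": exported_attr is None,
            # The same launch a third-party "activity opener" app performs,
            # expressed as the adb command you would use to verify manually.
            "launch": "adb shell am start -n %s/%s" % (pkg, name),
        })
    return findings


def unprotected_exported_activities(manifest_xml):
    """Exported activities with no android:permission: the ones to start
    directly and check that the app's PIN/fingerprint gate still applies."""
    return [f for f in exported_activities(manifest_xml) if f["permission"] is None]


if __name__ == "__main__":
    for f in unprotected_exported_activities(SAMPLE_MANIFEST):
        tag = "implicit export" if f["implicit"] else "explicit export"
        print("%s (%s): %s" % (f["activity"], tag, f["launch"]))
```

On the sample, `SettingsActivity` is exported but requires a permission, `AddAccountActivity` is not exported at all, and the two remaining activities are the ones worth exercising: if `CodeListActivity` shows codes without passing through `LockScreenActivity`, the gate is a launcher-only check of the kind the thread is discussing.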
Now I'm confused. It says it in the title? Where might the confusion stem from?
If people don't know that LastPass has a 2FA app, they might think LastPass Authenticator is the password manager app, and is affected by this bug. As a matter of fact, a number of commenters seem to think exactly that.
Right but I guess to me "password management" and "authentication" are two entirely separate concepts (i.e. authorization vs authentication being separate English words).
I can authorize someone to do something. I authenticate that a person is who he or she claims to be.
The username/password combo authenticates the person as much as it authorizes them to access the service.
Different meaning but connected nonetheless.
It only says it in the title if you're already familiar with Lastpass's apps offerings.
I happen to be familiar so I can read "LastPass Authenticator app" and know it is referring to their 2F/Google Authenticator competitor. But in the general sense Lastpass "Authenticator" could be the name of their password manager for all people know.
It could be titled e.g. "Lastpass's two factor authenticator app is insecure." Still accurate but also less vague for people unfamiliar with Lastpass's different apps.
Most people will only use the password manager app. I didn't realise they make a different authenticator app and assumed that this was about the password manager.
I accidentally caught LastPass doctoring their terrible track record of security on Wikipedia:
https://news.ycombinator.com/item?id=15756044
This was just over a month ago, and published only here.
I looked at your post, are you referencing the removal of the entire vulnerabilities section on the grounds that it was promoting Tavis?
I can’t figure out why LastPass is still so popular. Ease of use since it’s completely browser based? They were early to market? I don’t get it.
So many better designed, more secure options out there. KeePass, Bitwarden, or 1Password to name a few.
I think it is mostly inertia and cross-platform support. Before they were acquired, they seemed to care a lot more about security, instead of just security theater.
They also have some nice crypto features: For instance, I forgot my master password, and they have a one time password reset protocol that lets them send you an unlock code that only works on previously logged in devices.
Also, it has rock-solid offsite backup built in.
Moving away has been on my TODO list for a long time.
I certainly have worried about LastPass after their acquisitions, but have no concrete grievances, save the extension seems slower than it was previously.
I like a number of features in LastPass. The auto fill, the auto password change feature, password sharing, etc.
I have a concrete grievance since acquisition...
They've started to dump crap into the Lastpass Vault. First it was adverts and then they modified the search bar to search the web rather than only your saved passwords/notes. Both attempts at gaining advertising/referral revenue and in my opinion at the cost of security.
I've disabled the idiotic search and was paying for Lastpass Premium before so don't see the ads but it is the principle that the company now places minor revenue over what I consider security which I cannot stand.
Plus I had issues with LogMeIn's business practices previously and moved to a competitor. Only to now have them follow me by buying Lastpass. I am in the early stages of looking at moving away from Lastpass (after four years).
I just moved away from LastPass due to the acquisition and migrated to 1P. I had two issues with the migration that were easily solvable by someone technically inclined.
1) Folders don't get migrated over to tags in 1P. You need to use this Perl script to do so. (google it)
2) Autofill is, well, umm, different. It took some getting used to, but you now have to hit Cmd+\ to autofill instead of using the mouse. It's more secure and it ends up being more "clean" I've noticed.
KeePass is anything but user friendly or convenient - it involves a lot of tinkering and not a lot of people have time, patience, or even know-how for that.
1Password has ignored every other platform other than the fruit company ecosystem for a really long time now.
Bitwarden comes close. OSS, polished, and seemingly with a business model. After checking on Firefox (on Linux), iOS, and Android apps when I wanted to install it on my Mac I found out its Safari extension doesn't exist and the Github issue is clear that they will not be working on that anytime soon [0]. Also, I read a reddit comment that there is only one full time developer and this was just few weeks ago[1]. Now I know it's an open source project but I want to use a service that is really ready to be used for my password management while I want to pay for it.
LastPass is everywhere - Windows, Linux, Mac, Chrome, Ff, Safari, IE, iOS, Android. You name it. And it has been on these various platforms for a long time. Sync, client side encryption, easy import from other apps, good extensions, decent support ticket TATs (even for free accounts), continuous development (however I must add that they have started to add bloat and useless gloss after the sale) - have really been consistent. This is what makes it a favourite option.
So when you say "better designed" I assume you mean better security architecture/design and yes the reason for its popularity is indeed ease of use with acceptable security for the most. I have really tried all other apps out there and for some reason or the other I keep coming back to LastPass.
[0] https://github.com/bitwarden/browser/issues/17
[1] https://www.reddit.com/r/Bitwarden/comments/7htswv/how_many_...
KeePass is anything but user friendly or convenient - it involves a lot of tinkering and not a lot of people have time, patience, or even know-how for that. It has never been and I don't see that happening in the near future. In comparison LastPass is "sign up once, use everywhere".
1Password royally ignored every other platform other than the fruit company ecosystem for a really long time.
See, I am not speaking as a fanboy, I am not one. Just a satisfied user - I have really tried all other apps out there and for some reason or the other I kept coming back to LastPass.
Bitwarden came close to making me switch. OSS, polished, and seemingly with a business model. After checking on Elementary Firefox, iOS, Android apps, when I went to find its Safari extension (that's where I do my personal browsing) - it didn't exist, it still doesn't, and the Github issue is clear that they will not be working on that [0] anytime soon. Also, I read a reddit comment that there was only one full time developer and this was a few weeks ago[1]. Now I know it's an open source project but I want to use a service that is really ready to be used for my password management.
LastPass - it's not really entirely browser based, it's actually available everywhere - Windows, Linux, Mac, Chrome, Ff, Safari, IE, iOS, Android. You name it. And it has been on these various platforms for a long time. Sync, client side encryption, easy import from other apps, good extensions, decent support ticket TATs (even for free accounts), continuous development (however I must add that they have started to add bloat and useless gloss after the sale) - have really been consistent. This is what makes it a favourite option.
So when you say "better designed" I assume you mean better security architecture/design, and yes, it is ease of use with acceptable security for most.
[0] https://github.com/bitwarden/browser/issues/17
[1] https://www.reddit.com/r/Bitwarden/comments/7htswv/how_many_...
I think you make some good points, I prefer the practical perspective.
Lastpass seems to lack a fair amount of usability polish, but it’s all relative; maybe no one is better.
For example, why, when adding new sites, does it like to retain even super long useless query param strings that clutter the interface? Without going into detail, this is in no way technically necessary for most cases.
Also, they already have the ability to pre-associate common login sites, yet won’t do it for many popular domains. For example, there are a few stack exchange sites with different domains but that use the same credentials. Why should I have to manually set this up for a site that’s not far from the top 100 in traffic on the planet? It’s been requested, they won’t do it. Pay a damn intern to pre-associate the top 500 domains at least when needed.
There are many other practical examples.
But again, maybe the bar just isn’t that high in this category of software.
Edit: What didn’t you like about bitwardem? Haven’t had a chance to try it yet.
The ability to fill passwords in Android apps. The last time I checked there were no competitors doing this.
I'm hoping the Autofill API in Android Oreo can bring more competition.
1password registers a specific keyboard... but I'm not a big fan of that method. It's a terrible keyboard tbh.
I was actually surprised that 1password never implemented in-app password fill using accessibility API.
Dashlane does that.
Been with it since beta and have never had an issue with it, it's the one I always recommend.
Bitwarden supports autofill through accessibility services and through Oreo autofill.
keepassdroid lets you do that via copying data to the clipboard. Not a great solution, but it works
Every password manager allows you to copy/paste your password. This is NOT a solution.
Interesting, because it works for me. Now that may not be a solution that works for you, but it clearly is a solution.
The clipboard is insecure and can be accessed by any app that is running.
It's not a secure solution, period end of story, to copy paste a password to a shared location on the device that all running processes can access.
https://developer.android.com/guide/topics/text/copy-paste.h...
I mean, there's the guide. I wouldn't put my passwords on the clipboard, personally.
Keepass2Android has a custom keyboard to auto-type usernames/passwords.
For me ease-of-use is a killer feature. Do any of the alternatives you suggested sync automatically between devices? Do they auto-fill?
1Password does. It's great.
I use 1Password at work. It's not very good and doesn't seem to work on linux, which I need for work. Add to that really clunky user management...it's just not that great usability wise. I've never been able to get it to autofill either. Lastpass on the other hand just works on all my devices. We were using Keepass before but syncing was such a massive PITA that my wife wouldn't use it. Now she at least uses Lastpass with a better password than what she was using before, but I suspect until we're robbed she's not going to see the value in security. Don't get me started on her and the 2FA grievances.
I’ve used all of the alternatives and each has pros and cons. I’ve settled on Bitwarden at the moment but may end up moving back to KeePass (again) to gain control of my data. I’ve had to refer to KeePass backups months down the road when I accidentally deleted or didn’t store a password. Feels good to have that control.
The mobile experience lacks polish on iOS with KeePass but the control and security might end up winning out for me.
I ditched 1Password because their Windows app is a catastrophe and their forcing users off to their sync service was really badly handled.
iCloud Keychain does, and it’s free, but obviously it’s limited to Macs and iOS devices.
iCloud Keychain doesn't work with all apps or even all browsers, when it doesn't there's no trivial way of copying in a password, it isn't cross-platform, and you cannot import or export existing passwords.
I consider the other products listed as actual competitors of Lastpass, I don't even rank iCloud Keychain that high, it lacks even basic features.
Copying a password isn’t that hard, you can get to it through keychain or the password section in iOS Settings.
It’s definitely not cross platform, but that’s to be expected from an Apple product.
Doesn’t support other browsers? I suppose, but for me and many other people that’s not an issue.
It works fine for many individuals; I think they could consider it a competitor. It’s certainly not an answer for MOST people, but if you’re in the right group it works great.
That is a whole lot of opinion, but not much substance. What makes LastPass inferior to these other options?
> What makes LastPass inferior to these other options?
Well, for one, the very first sentence of the article here.
The article whose "exploit" requires handing your unlocked phone to someone?
> (Edit #1, 7.30pm GMT): A lot of people are saying that this flaw requires physical access. However, as I pointed out above, you don’t need physical access, a maliciously installed application can easily access the activity and capture the code.)
So you don't need physical access you just need to install a malicious application? Okay then.
Why can one application even explore and access the views of another?
Accessibility APIs
You'd be surprised how many people (not on HN) use extremely weak (or no) unlocking mechanisms for their devices. It overlaps with the set of folks who would want to use LastPass because of how easy it is.
Do you know what is easier than using last pass for people who use weak unlocking mechanisms? Using the same password everywhere.
I'd be surprised if there was any overlap at all where you claim.
Well, I have several family members that fall in the "I use a pattern to unlock my phone or do not use anything to lock it, but store passwords in Last Pass" category. So I guess you're wrong.
And which just got revealed, and will probably be fixed.
The article that is literally not about Lastpass's password manager?
Lastpass Authenticator is not their password manager. It is a Google Authenticator competitor...
If they have a history of shitty security practices (this app), then why should we fully trust other apps they make?
You're going to double down on completely misreading the article and misquoting as to why their Password Manager is insecure? Come on...
Here, since you can't be bothered to do your own research before jumping to conclusions:
https://www.theverge.com/2017/3/22/15023062/lastpass-securit...
https://www.pcworld.com/article/2936621/the-lastpass-securit...
https://labs.detectify.com/2016/07/27/how-i-made-lastpass-gi...
None of which has anything to do with this thread, your claims, or your erroneous claim that the article was about their password manager. Keep doubling down...
Perhaps I could have clarified better, but I was speaking to the various nasty security issues they’ve had mainly.
I also find their apps to be ugly as sin, but that’s a personal preference.
When your rival is KeePass you don't really need to do much in terms of UI/UX
1. It's not easy to have all the integrations necessary to make this product.
2. There ultimately doesn't appear to be that much money in it compared to other businesses.
3. The least secure password manager is more willing to do the unsafe thing that is a killer feature that users want.
1Password more secure?
Surely you're joking.
Seems folks forget just how poor of a job they were doing only a year ago.
SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser
SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser
SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database
SIK-2016-041: Read Private Data From App Folder in 1Password Manager
SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager
The tradition with this company is not a serious (as in mission-critical serious) approach to security and the amount of FUD that they spread anytime they take real criticism from the community speaks volumes. They had more vulnerabilities disclosed last year than any of their competitors.
Just because you like it doesn't mean that it's secure software.
Wasn’t aware of these, but just solidifies my move away from 1PW.
They're owned by Citrix so they have automatic credibility.
In this case, the name is important too. It's easy to remember and it explains the product as well. The only alternative with a better name is 1password
it's a free version of 1Password
It doesn't have to be browser-based. If you'd rather have a stand-alone app there's one in the Microsoft Store.
The code, tech, and mindset behind LastPass is a joke. They started just after the “dark ages” of security but don’t seem to have upgraded their mental model of security since. I’ll share with you the moment I discovered something that made me cancel my schedule for the day, research alternatives, write a LastPass to 1Password converter [0], and cancel my LastPass account and subscription.
Are you ready?
You log in to their support forums and online community with the same password you decrypt your vault with.
[0]: https://neosmart.net/blog/2017/a-free-lastpass-to-1password-...
EDIT:
To answer some of the comments, since understandably not everyone is a security expert:
What happens if LastPass’s web forum is compromised and all their additional security counts for nothing?
Even if not: you have no problem with people being conditioned to enter the password securing all their passwords repeatedly into random pages for random content not related in any way, shape, or form to their vault in a web browser?
Containment is the name of the game. It’s hard enough making one app secure enough to enter your password into. Then extending that with an SSO, relying on the security of none other than notoriously crappy phpBB, vulnerable to upstream code injections, XSS, phishing attacks, and god knows what else, and you still think you can trust them to keep your master password secure?
LastPass is such a juicy target and this is such an easy attack vector that I can virtually guarantee at some point phpBB - or, more accurately, their abuse of it - will be a massive liability and the source of a huge catastrophe for them, if it hasn’t secretly already.
Of course they know to treat changes to their authentication apps very carefully and code review each and every syllable added or removed (well, I hope so). But do they review upstream patches to the forum software they use? What about the third party template they have installed? Do they hold off on patches after a security bug is discovered in phpBB so they can review the code changes? Do they even upgrade their forums? What about a vulnerability in PHP itself? Do they secure the server hosting their authentication apps in the same manner as the server hosting their forums? Do their web developers undergo the same background checks and scrutiny their core developers undergo? How many sysadmins have access to the website? Do they provide the same access monitoring to people managing an ancillary feature like their forum software?
The list just goes on forever. You’re as secure as the weakest link. All anyone that wants to break into LastPass has to do is get some code into phpBB or the random phpBB themes and plugins they use and it’s game over for millions of LP users and billions of credentials worldwide.
See the problem?
My biggest gripe/concern with LastPass Enterprise (we use it) is that sharing/access control _never_ works properly.
Every time we bring someone on and try to share folders or credentials with them, we end up needing a multi-hour support ticket to get everything resolved correctly.
This shouldn't happen. It raises big alarms for me.
Do they ask you to confirm your master password over the phone so they can check on their end and see if they can reproduce the issue?
Electronic password managers never made sense to me. While you can do more to secure a single target, it is a more valuable target and one mistake costs you all your passwords. For me a physical password journal is best. While it does make you vulnerable to physical attackers, the cost invested to target someone physically is so much higher that if I have to deal with that threat level I'm already a goner. Just have to hide it from the kids.
My approach for anything remotely sensitive, or that could be used to gain access to other accounts, is to generate a LastPass password and to memorize a handful of short "salts" that I add to each sensitive password manually + using 2FA wherever it's available.
Obviously there's no 100% secure approach, but at least this makes me sleep better knowing that if LastPass were compromised, my stored gmail, bank, paypal, work, etc. passwords wouldn't work.
Thanks for that tip. I was always worried a lost vault could leak all my accounts in one go but with this trick I think I'm confident enough to start using a password manager.
The only drawback to that is the difficulty of logging in while out of the house (I understand making priority accounts “on site access only” but what about others?) and the fact that you’re disincentivized from making more secure passwords because (even if only subconsciously) you’re going to have to type in all those characters and symbols each time you want to log in.
I think the biggest security failure is session cookies that expire too quickly or too eagerly. Having people need to enter their password so often is more dangerous than keeping them logged in (from the same IP) for a longer period of time.
If my bank would keep me authorized for basic access (review transactions, pay bills, transfer money between own accounts) without logging in each time, but required a password to add a payee or make changes to the account, I’d keep the password in a journal in a safe.
Does make it more vulnerable to things like keylogging - electronic managers skip typing completely. Also it makes people create simpler passwords than they would if it was electronic and becomes pretty unmanageable with a large amount of passwords.
I'm not saying it's the wrong way to go but if electronic password managers "never made sense" then I feel like you don't have the entire picture.
I think the threat from keyloggers is not as severe as the threat from clipboard scrapers. Apple and Google absolutely need to make a secure password transport mechanism to allow one app to fill a field in a web browser or field in another app that does not rely on the clipboard because even just expiring it after n seconds is not secure enough.
Couple of days ago they sent an newsletter email to all their subscribers telling something about "enterprise accounts". Anyway, they sent that to everyone, when obviously they meant to send to their enterprise customers.
In that moment I realised that I still had an active subscription with them and cancelled promptly.
>You log in to their support forums and online community with the same password you decrypt your vault with.
what's the issue with that? maybe they have some SSO system
The issue is that your vault key must never be available to their system, otherwise when they get hacked with the most trivial XSS now your vault is pwned. Password vaults are a hugely valuable target, worth potentially thousands of dollars on the black market; you absolutely should not be using a service that has the ability or can acquire the ability to decrypt your vault. You're better off with a plaintext file in a nondescript location on your hard drive.
Just to clarify this, because it took me a second, the point (if I understand you) is that your password is available to them at the point when you log in to their support forums. Particularly bad, because it's a site that hosts a ton of user content.
It's also really dumb, because the whole point of the product is to make it easy to not reuse passwords. They could have even had the signup process automatically create those accounts for you and insert the passwords into your vault, and it would have been just as easy for the user.
Someone who hacks the support forum (notoriously soft targets) now has access to all your passwords for everything.
It means if someone hacks into their forums and gets credentials then all your passwords are open to them.
Why?
1.) LastPass login page hashes MasterPassword on the login page to produce a hash
2.) Hash is sent to the forums, and is checked against the same hash as the vault system
3.) Hash is confirmed, and you're logged in.
1.) Later hash is grabbed by an attacker.
2.) Attacker sends the hash to get the encrypted vault
3.) Attacker gets the encrypted vault
4.) Attacker is sad, because they don't have the MasterPassword, and thus have no access to all your passwords
Note that I'm not saying that they are awesome, and/or are doing the above. But it's not immediately obvious that a MasterPassword can't hash a forum login and a vault request at the same time. I mean, that's literally what the "MasterPassword never leaves the client" is supposed to mean.
1.) Find exploit in forum software/server.
2.) Modify login.php to send form username/password to attackers server.
Except there is no forum login page, just a SAML redirect to their SSO login.
Modify login page to have a login form
At that point, it gets a little silly honestly. If you can modify the login page to have a login form, then you can also modify it to bypass any type of security system you could ever dream up. The GP here seems to want the support forum to have an independent password. Even if they did that, if we're completely changing the login form, you could change it to say "due to new security features, you now log into our forum using your master password, please enter it below". So exactly what is it that they should do, and how would that be more secure than what they're doing now?
And that link can be changed.
0.) LastPass login page is hacked with a skimmer.
1.) Game over.
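The two sub-threads above argue about different leak points: the three-step sketch says a login hash that the server sees cannot be walked back to the vault key, and the skimmer replies say none of that helps once a compromised page captures the master password itself. Both points hold, and the following added example (not the article's or LastPass's code; the iteration counts, the email-as-salt choice and the two-round structure are illustrative assumptions) shows them side by side: the client derives a vault key and, from it, a separate authentication hash, the server stores only a salted verifier of that hash, and a helper models what an attacker can do with each kind of captured material.

```python
import hashlib
import hmac
import os

# Illustrative parameters (assumption for this example, not a vendor's scheme).
CLIENT_KDF_ITERATIONS = 100_000
SERVER_KDF_ITERATIONS = 10_000


def derive_keys(master_password: str, email: str):
    """Client side. One master password yields two domain-separated values.

    vault_key: decrypts the vault and never leaves the device.
    auth_hash: what is sent to the server to log in. It is derived FROM the
               vault key by a second PBKDF2 round keyed the other way, so
               whoever holds auth_hash (server, database thief, traffic
               sniffer) still faces a one-way function to reach vault_key.
    """
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_KDF_ITERATIONS)
    auth_hash = hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash


def enroll(auth_hash: bytes):
    """Server side. Persist only a salted, stretched verifier of auth_hash."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_KDF_ITERATIONS)
    return {"salt": salt, "verifier": verifier}


def verify_login(record, presented_auth_hash: bytes) -> bool:
    """Server side. Constant-time comparison against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", presented_auth_hash, record["salt"], SERVER_KDF_ITERATIONS)
    return hmac.compare_digest(candidate, record["verifier"])


def login_over_hashed_sso(master_password: str, email: str, record) -> dict:
    """The three-step scenario: the forum/SSO page hashes client-side and only
    auth_hash crosses the wire. Returns what a skimmer on that page sees."""
    _, auth_hash = derive_keys(master_password, email)
    assert verify_login(record, auth_hash)
    return {"auth_hash": auth_hash}


def login_over_plaintext_form(master_password: str, email: str, record) -> dict:
    """The skimmer scenario: the compromised page swaps in a raw form, so the
    master password itself crosses the wire (hashing happens server-side, or
    not at all). Returns what the skimmer sees."""
    _, auth_hash = derive_keys(master_password, email)
    assert verify_login(record, auth_hash)
    return {"master_password": master_password}


def attacker_can_recover_vault_key(captured: dict, email: str, real_vault_key: bytes) -> bool:
    """Model the attacker: with the master password they re-run the public KDF;
    with only auth_hash there is no feasible path back to vault_key."""
    if "master_password" in captured:
        return derive_keys(captured["master_password"], email)[0] == real_vault_key
    return False


if __name__ == "__main__":
    vk, ah = derive_keys("correct horse battery staple", "user@example.com")
    rec = enroll(ah)
    print("hashed SSO leak decrypts vault:",
          attacker_can_recover_vault_key(login_over_hashed_sso("correct horse battery staple", "user@example.com", rec), "user@example.com", vk))
    print("plaintext form leak decrypts vault:",
          attacker_can_recover_vault_key(login_over_plaintext_form("correct horse battery staple", "user@example.com", rec), "user@example.com", vk))
```

The design lesson is the one the thread circles around: domain-separating the login credential from the vault key limits what a server-side or database compromise yields, but it does nothing against a page that can be modified to ask for the master password directly, which is why the critics want the forum to not be in the master password's trust boundary at all.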
Oh my god, they really do that?
I trust you to be right, but that's so incredibly stupid it's hard to believe someone selling a password manager would do that!
As it happens, I switched from Google Authenticator to LastPass Authenticator a few days ago. The app has a feature that allows you to require a PIN or fingerprint in order to use it. That feature is disabled by default. (Note that Google Authenticator has no such feature.) As I understand it, this attack allows someone with access to my unlocked phone to install an activity launcher app and then generate 2FA codes without supplying a PIN or fingerprint. Actually, for my phone they wouldn't need to bother with the launcher app, because I didn't enable the additional fingerprint/PIN feature--it seems to reduce convenience while adding little security.
Still, it's definitely a bug. They should either fix it or remove the feature so people aren't misled into thinking their two-factor codes are secure when they're not.
LineageOS users can enable Privacy Guard to protect Google Authenticator, which requires device credentials (pattern, finger etc.) to start the app. Also don't put it on your homescreen.
I'm very confused about how bad this is, the article seems unclear. Does it allow malicious apps to steal the OTA codes? Does it allow malicious apps to steal the keys used to generate the OTA codes? Does it allow a user to see the keys? Is it none of the above?
All I get from the article is that the user might be able to see the OTA codes in a roundabout way. If that's the entire problem, why is it a problem?
It is difficult to understand, but it seems like the app normally has some sort of PIN protection in order to open it. This is apparently a bypass method for that protection.
Maybe I am misunderstanding, but it really does not seem like much of a big deal, as someone would need to have your phone in hand as well as your lock screen passcode.
The title seems pretty dishonest, if my interpretation of this issue is correct.
Well this is disappointing. In the past, LastPass seemed to have been receptive to patching these kinds of things.
But no follow-up via email? Maybe it's time to start looking at other options.
Props for the responsible disclosure timeline
So the moral of the story is don't let people install applications on your Android device? And the bigger moral is: don't hand someone your unlocked Android device and let them play with it for an extended period of time?
You are correct. Not sure why you were downvoted.
Wow, color me surprised. Software developers aren't perfect, and closed source software with less eyes on it tends to be even less perfect.
I will never trust my passwords all being in one place other than my brain.
You can't keep varied, secure passwords in your head unless you barely use any services.
Most people don’t use many services where security is important. It’s not uncommon to have several hundred accounts with passwords, but I have maybe 10 that I really worry about being hacked/lost. For all the crap sites I can just use $singlepassword+$servicename as password. For the few sensitive ones I use strong passwords and 2FA. I do use a manager to keep those strong passwords - but even though I have it, I can’t be bothered to use strong passwords for all those forums, web shops etc.
Is my solution secure? No. Using a bad password for hundreds of sites is definitely not secure - but the quality of a password only needs to be proportional to the sensitivity of what it protects.
When I started using a password manager I did something similar, but I told myself every site which used the "insecure" password was linked. So I'd ask myself "If someone hacked the least consequential site I've used this password on, they'd also have hacked this site, do I care?"
It was very rare that the extra 30 seconds to add a new entry to the password manager wasn't justified after asking myself that question.
I think it all comes down to ease. Yes, some secure passwords is better than none, but it's just soooo easy I'd just say go with the PM
You're right, but that doesn't mean he's better off with a password manager. No method of storage is perfectly secure. Password managers have their attack vectors, your brain has others.
The attack vectors against password managers tend to be more rare and more difficult to exploit.
There are no good options until someone figures out a good alternative to passwords.
'U2F + password' is very secure and can't be phished if implemented fully. However, even Google doesn't do U2F correctly :( U2F authentication needs to happen _every_ time a new TLS session is established in order to be 100% phish proof
Somewhat true.
I use abbreviations of several different long sentences with random characters added in random positions.
To me this is far more secure than trusting a single authoritative source with 10 different random character strings that I have no real ownership of, and can all easily be stolen (or lost) at once.
I have at least 50 different passwords in my 1Password account
And 1Password supports syncing via services other than their own and each device acts as its own backup too, so you’re really only relying on their service to shuttle around an encrypted keystore to your new devices.
Ok, but the core of the argument to me is "Is having a bunch of passwords that you don't actually know all in one place more secure than having a smaller bunch of passwords that you do actually know that, still, can at most be leaked one at a time?"
For me the answer is no. I would rather have fewer technically less secure passwords than have technically more secure passwords that all live in one place. My passwords live "nowhere". There is no database breach, or peek over the shoulder that could ever compromise my entire wellbeing.
I also use 2fa wherever possible.
>Is having a bunch of passwords that you don't actually know all in one place more secure than having a smaller bunch of passwords that you do actually know that, still, can at most be leaked one at a time?
It’s been repeatedly demonstrated that yes, it is.
>It's been repeatedly demonstrated
Meaning you have consulted a sea of research that has compared the risk posed by password managers to keeping a mental catalogue of long, not-random-but-pretty-good character strings, using 2fa, and exercising proper security habits?
I don't think you could ever come to an objective conclusion, since the 99%-user doesn't have a near-autistic obsession with security like most of us.
I don’t have an obsession with security, it’s just so easy and cheap that I don’t get why you wouldn’t do it (the people with an obsession with security probably don’t even trust 1Password to sync that encrypted file anyways)
My mom, who is as far removed from tech as you can get, understands why not sharing passwords might be a good idea when one can get hacked and set off a domino effect.
And your comparison is a straw man; the real comparison is trying to remember 50 random passwords versus using a password manager, because there is a sea of research showing that good passwords should be truly high entropy and random.
Using a password manager doesn’t stop you from using 2fa like your comparison is worded to imply.
The answer is yes. For the large majority of users, the only thing that matters is that you never reuse your passwords. Since human beings cannot feasibly remember unique passwords for each service, password managers win.
This "problem" has precisely nothing to do with open source vs closed source. "Tell me the list of activities that are public" and "tell me the name of each activity as I launch it" are baby's-first-app-analysis level and work equally well on open and closed source apps.
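The "which activities are public" question the comment refers to is answered by the app's manifest, and it is the same check a developer or reviewer should run before shipping. Below is an added audit example (not code from the article, LastPass, or any commenter) that parses a constructed AndroidManifest.xml and lists activities another app could start without holding a permission; such screens must enforce the app's own PIN/fingerprint gate themselves rather than assume they are only reached from a guarded entry point.

```python
"""Audit an AndroidManifest.xml for activities other apps can start.

Flags <activity> entries that are exported, either explicitly via
android:exported="true" or implicitly via an <intent-filter> (the default
before API level 31), and that carry no android:permission guard.  The
launcher activity is skipped because it must be public.  The manifest at
the bottom is constructed for illustration; the package name is made up.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_unguarded_exported_activities(manifest_xml: str) -> list:
    """Return android:name values of activities that are reachable from
    other apps and not protected by a permission (launcher excluded)."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for activity in root.iter("activity"):
        exported = _attr(activity, "exported")
        has_filter = activity.find("intent-filter") is not None
        is_launcher = any(_attr(c, "name") == LAUNCHER_CATEGORY
                          for c in activity.iter("category"))
        # Implicit export: no explicit attribute but an intent-filter present.
        is_exported = exported == "true" or (exported is None and has_filter)
        if is_exported and not is_launcher and _attr(activity, "permission") is None:
            findings.append(_attr(activity, "name"))
    return findings


# Constructed sample manifest; names and package are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.authenticator">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".CodeListActivity" android:exported="true"/>
    <activity android:name=".PinLockActivity" android:exported="false"/>
    <activity android:name=".SettingsActivity" android:exported="true"
              android:permission="com.example.authenticator.INTERNAL"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(find_unguarded_exported_activities(SAMPLE_MANIFEST))
```

Run against a real manifest, every name printed is a screen that must do its own authentication check on entry, since the manifest alone gives it no protection.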
Are we really concerned about an exploit that requires somebody to have unlocked access to your phone?
I'm not saying that's the problem, I'm just suggesting that you have to have a lot of faith in a company to trust it with all of your passwords, especially when there's only a handful of eyes on its source code.
It's not for me, personally.
And yes, because the scariest aspect of password managers is the fact that you have basically shifted the responsibility of "I use the same password everywhere" to a different party.
Given the recent number of cripplingly awful security bugs that have been found in open-source infrastructure projects (Shellshock, Heartbleed, etc.) which have been in the wild for many years before being discovered, I'm rather less interested in arguments that open-source software is supposedly more secure than closed-source due to the number of eyes that are supposedly on it. When was the last time there were any security flaws of that magnitude in the Windows Server/IIS stack?
The reality seems more like that even if anybody can look at the code, auditing security code well is damn hard, very few people can do it well, and those people basically never audit open-source projects in their spare time. How secure something is depends more on how battle-tested it is, how good the people who wrote it are, and how well and often it's been tested for security flaws by experts.
Prove that open source has more eyes than closed source. You can't because in reality it's most likely not true for the vast majority of software. Most software requires an incentive to look over the code and the skill to do it. The incentive to do it for closed source is money, open source is warm fuzzies or personal interest. I really love open-source software but code review is clearly not a benefit for the vast majority of people.
The worrying bit is LastPass' inaction since July 2017, when they were notified of the issue. For a product whose aim is to secure your credentials, this is a lax attitude to security.