Security Issues with LastPass on Android
abhyudaya.devThese aren't really novel security vulnerabilities or anything, just some common sense things to be aware of so you don't shoot yourself in the foot: generated pronounceable passwords might not strictly follow the length that you set, don't paste your passwords into the address bar of a web view, and don't set a weak master password.
> might not strictly follow the length that you set
Why on earth not? It’s very easy for a computer to check the length of a string, and compare that to a number, there’s absolutely no reason and no excuse for deferring that to the user.
The end user should have every expectation that a generated password will conform to the minimum length setting, and other password settings that are exposed.
Failing to generate passwords that meet the promised criteria is a bug, and not something users should need to have “common sense awareness of”.
Thats right, we should blame the victim for trusting the tool.
Password managers are increasingly mandated by organisations, and Lastpass is a very common recommendation. Even in the minority of technical users that use this kind of tool I expect small mistakes - like accidentally pasting a password in a URL. A good tool doesn't let you shoot yourself in the foot by escalting that to a non-obvious leak. The password length being wrong is 100% on the tool. Th weak master password and the duplicates are again, things the tool shouldn't do - it claims to give good quality security reports.
With respect to Lastpass specifically, I dislike the tool immensely. Ive had to use it a number of times and have always found its UX significantly buggy - included blatant failures like not saving passwords with no indication; coupled with the acquisition by LogMeIn and I'm incredibly distrustful.
There are only three meaningfully "correct" recommendations for password managers as of today, depending on the use case: 1Password, Bitwarden, or KeepassXC.
1Password is fantastic, but expensive and closed source. Bitwarden is open source, but lacks certain auditing, team and sync features useful for enterprise. KeepassXC is excellent and open source, but with zero collaboration features is only suitable for self use.
There's some collaboration features. You can create "keeshares" between multiple separate databases. All the databases can append, update, or read the share.
You can't delete an entry but you can deprecate it and stop updating it (it's not actually feasible to revoke access anyways).
Keeshares seem new, I hadn't heard about them. Seems… interesting. Thanks for pointing them out.
There's also 'pass', created by Jason Donenfield, who also created WireGuard. But I think it's not for laypeople.
Have you taken a look at saas pass that has 2fa as the default and the password manager identifies sites with 2fa?
disclaimer: was involved on the 2fa part of it.
I used SaaS pass at work for a while, and it made my day a little bit worse every time I had to use its 2FA. The app's login on push notification thing was very slow, and would fail too often (maybe 5-10% of the time). I ended up using the QR code scanning for 2FA more often than not, but even that was slow, not even accounting for for the time it takes a human to unlock their phone and open the app. Doing thing multiple times throughout the workday was a real drag.
It's a shame, because I think the idea of it is nicer and no less secure than Google Auth, but I'd much rather enter 6 numbers than wait for the app.
Disclaimer: This was around a year ago, perhaps it's improved since.
And how did you come up with this list of 'correct' password managers?
Quite simply through experience.
Do you think KeePassXC is better than original KeePass?
Absolutely, xc has been far better maintained in the last few years.
I used LastPass for a few years, but switched to bitwarden over a year ago.
Mainly driven by the combination of price increases, no improvements (and possibly getting worse) at things like the auto-fill buttons conflicting or not working with many apps I was using, the duplicate entries it would create, failure to match Android apps and web logins, and the constant battle to try to get it to work with several internal apps and test systems (same top-level domain, where I have a mix of unique and common logins) while also working on the web generally.
Bitwarden has per-domain selection of match type (full host, base domain, or regex), and a non-interfering UI. I can't think of a single thing LastPass does better.
Most people realize they can hurt themselves if they use a hammer wrong. If someone can be expected to put four years of their life into a degree or prepatory trade training they can be held accountable for not caring enough to spend 10 minutes reading about effective use of their password manager.
That's not the reality though. The current wisdom in security seems to be to follow reality. To eliminate shooting foots by both users and developers. See NaCl crypto library, libsodium, Noise protocol, Signal app, Tarsnap and restic, Brian Warner's magic-wormhole, Signify/Minisign, Filippo Valsorda's 'age', WireGuard.
Are there more?
It's not just security. This applies generally where people will shoot at their own feet. In C++ I can apparently have an atomic integer and increment it:
Rust has atomics but they don't work that way.std::atomic<int> n = 0; n++;
Hmm. Why doesn't Rust's "AtomicU32" just implement AddAssign? If it implemented the AddAssign trait then you could at least write:let n = std::sync::atomic::AtomicU32::new(0); n.fetch_add(1, std::sync::atomic::Ordering::SeqCst);
.. and that looks much nicer, it elides all that stuff about memory models, consistency, and... oh...n += 1In the C++ code, the programmer thinks this variable n "is" atomic. It's an atomic integer right? But that's not a thing. C++ is mapping atomic integer operations, which are a thing, onto the type, and not making the integer itself magically atomic, it's just an ordinary (aligned) integer.
So if we tweak both examples to do some slightly trickier arithmetic...
Once again, Rust seems much more verbose, but, wait, actually this isn't the same as the C++. This is probably what the C++ programmer intended but what they actually wrote means this:std::atomic<int> n = 0; std::atomic<int> m = 0; n++; m= m + n; use std::sync::atomic::{AtomicU32, Ordering}; let n = AtomicU32::new(0); let m = AtomicU32::new(0); n.fetch_add(1, Ordering::SeqCst); m.fetch_add(n.load(Ordering::SeqCst), Ordering::SeqCst);
Well that's just crazy. Now m can change between when we load from it, and when we add n to it, and then we store back this out-dated value. We definitely didn't want that. But it looked sane because C++ fools us into believing "Atomic integers" are a thing, which they actually aren't.use std::sync::atomic::{AtomicU32, Ordering}; let n = AtomicU32::new(0); let m = AtomicU32::new(0); n.fetch_add(1, Ordering::SeqCst); m.store(m.load(Ordering::SeqCst) + n.load(Ordering::SeqCst), Ordering::SeqCst);
Too short passwords being generated sounds like an issue that IMO violates user expectations, the other two do not.
Hi! I am the author of this post. I think that taking the user to `www.foobar.com` when he/she typed `foobar` does violate the expectations for most users. All browsers which I've used take the user to their selected search engine. Most people outside of HN do not know that what they type in that search bar would be visible to anyone listening on the wire.
It's funny how this expectation had changed over time. In early browsers like Mosaic and Netscape, the expectation was that you'd enter a domain name or full URL and there would be a DNS query. When newer browsers incorporated search into the address bar, many of us considered this to be leaking information to search providers. For quite a while I disabled that feature.
After lastpass's recent policy changes around free multi-device use, I finally decided to switch password management services. I don't really mind spending like $10/year for password management but lastpass was slow/buggy/frustrating enough that I didn't want to pay for it.
The whole process took probably three minutes front-to-back. Lastpass lets you export your passwords in a CSV, which you then upload to any other service which automatically imports them. Very easy. If you're frustrated with lastpass I recommend the switch. Personally I chose Bitwarden because it's open source.
I also switched from LastPass to Bitwarden, and over the past couple years of using it I have had zero criticisms.
Bitwarden has worked great for me. Use it for personal stuff. At work we are stuck with lastpass, and it's such a pain to use.
My only complaint about bitwarden is that folder management in the macos app is not great. Adding passwords to new folders requires writing in the entire directory path. And i have to memorize the entirety of it, writing it incorrectly leads it to create new directories with those badly spelled names.
I've been a lastpass premium users for a few years. The thing that annoy me the most is lastpass somehow really slow down any page that has a lot of text fields on it. A webapp I regularly used was so slow (often freeze for 2-3 minutes when displaying a huge form) I thought the developer probably didn't care about performance at all (seem to be using react), but nope, turns out lastpass was the culprit. After disabling lastpass, the page with the huge form now loads in seconds instead of minutes. I wonder what lastpass do with the dom to cause this massive slowdown.
Anyway I decided to move to bitwarden last week and it works pretty great. No noticeable slowdown at all.
One thing I wish Bitwarden would add is the ability to make templates, and also the ability to add barcode-type fields, which would generate the actual barcode when viewed.
It doesn't export attached files if you have those. Didn't tell me that either (though it was over a year ago now).
I personally have been using LastPass since it came out. I am much more secure than if I didn't use LastPass. A friend loved trying to break into my accounts for fun so I feel like I was a much more secure person just for stupid reasons. (It really was a game and nothing he did was nefarious)
Companies that use password managers are infinitely better off with one then without. My co-workers would repeat their passwords and make them incredibly simple and easy for anyone to break the it with basic social hacking. My old company had the lowest level of tech skills and the company contracted their IT work and had the stupidest password policy. You just had to change one digit. So the joke was people would just +1 their passwords and they would know how long they worked there.
Repeated passwords is something people do because we all have hundreds of passwords if they don't have a password manager. Even me and my paranoid ways had several because I had to use a system that was based on the url of what I using.
> Companies that use password managers are infinitely better off with one then without.
I second that opinion. I've worked in really large companies and I was blown away by the number of people who had {CompanyName}{number} as their password, where number is the amount of times the system required them to change their password. In a company with 6000 employees, we are talking 15-20% of all employees, including senior staff, engineers and manager with access to personal information of tens possibly hundreds of millions of people. This often falls into the category of "Nah, it's fine, I'm safe". And while there are circumstances in which you can feel secure in regards to your personal security at home and everything, we are talking large corporations with endless amounts of internal and external projects many are absolutely unaware of. Example: https://rtb-dsg.companyname.com which uses the company-wide ldap for authentication. Most people inside and outside the company have no idea what rtb-dsg is and it's better to keep it that way. So it's best to avoid taking chances.
I'm more and more worried about a supply chain attack on LastPass/KeePass. To the point that I'm skittish about upgrading them.
It feels to me like we need someone with huge resources, like Microsoft/Gooogle/Apple... to buy them and apply their methods against this attack.
For example, where are the binaries built? Who controls the accounts used to upload the installers? Do they regularly pay security teams to try to find vulnerabilities?
To be clear, I'm not worried about the code, but I'm very worried about the downloadable binaries.
(I work for another password manager company). Your questions are fair but not specific to password managers. All software can be victim of this kind of attacks. People tend to think it's worse when their password manager is compromised rather than another software, but the truth is that a troyan in (say) your text editor can very well be used to compromise your device and steal all your passwords.
But you are right, securing the code base and the CI is a big part of making sure a software is secure.
Oh, and I cannot comment for the software you listed specifically, but I would strongly recommend that you update regularly software you use. Even if they don't create any vulnerability in their own code, they probably use some code dependencies, and it's unlikely that there are never vulnerabilities in any of those (and as per my previous comment, this is true of all software, not only password managers)
At least on mobile, Apple and Google are in charge of the supply chain, given their control of the App Store, Play Store, and Chrome Web Store. I would assume that apps with very large user bases go through extended vetting and the company accounts are more locked down than individual developer accounts. For example, I doubt any one person has the credentials to log into App Store Connect and publish a new Facebook binary.
Won't enabling 2FA through TOTP or Yubikeys make your worry go away?
I dumped lastpass when they started forcing free accounts to choose between desktop and mobile. I had been considering paying for a family account, but trying to force me to do it by removing features was unacceptable. Because of this, lastpass will never see a dime from me and another company will have the opportunity to serve me.
> I had been considering paying for a family account
Your consideration doesn't pay for dev time. No one cares about pushing free users or 'considering' users off the platform at monetization time. Shit or get off the pot.
That said, no one blames you for doing comparison shopping at monetization time either.
>Your consideration doesn't pay for dev time.
But rather than asking users to pay for newly developed premium functionality, they asked long term users to pay for things that they already had and had always been provided for free.
>Shit or get off the pot.
In this metaphor, they started charging people for using a previously freely accessible pot while they were in mid-shit.
Economics change and companies change. IIRC the company has been sold twice and maybe the new company can't underwrite the ongoing maintenance or just refuses to?
Do users have a right to exist under legacy covenants when things at the company have changed?
Again, this is why I advocate for shopping at monetization time. The company has altered the deal, maybe you should alter it further?
Yeah, I absolutely agree with that. I personally moved my family to Bitwarden and am very happy so far.
> had always been provided for free
IIRC, mobile usage _was not_ free, but later became free.
It was free when I signed up.
its 10 bucks a year for family... The change was years ago too. I think its time to get over it.
Removing features to force conversion is a shady practice and I want no part in a company that finds this acceptable. If they find this acceptable, there is nothing preventing them from doing this again when I am not premium enough. I would rather shit in a pot that won't disable my ability to clean up after I have started.
I think it actually is fine within a product category like password managers where data is highly portable and switching costs are low. Platforms with lock-in doing this however...
I'm not into infosec, but trusting a password generator blindly seems like a dangerous practice. I always make sure to double check LastPass generated passwords and make them as long as possible. I only expect LastPass to remember my secrets and it does that just fine.
I do not like another Lastpass behaviour. If your laptop dies and you are logged into web extension, upon re-starting the browser session Lastpass straight away asks you for 2FA without asking for master password. On top, if you do not login into that 2FA instance but keep the tab open it keeps the session alive for infinite time and if your laptop dies again upon re-start you will now have 2 lastpass 2FA windows open. And so on. It will let you log you in through one of the 2FA tabs, until you change focus to the other 2FA tab then your lastpass will be logged out until you login again through tab in focus.
I use algorithmic passwords. I have an algorithm that takes in several parameters and generates a unique password per service. For example, my algorithm `f` might be:
f(domain, secret_word, secret_sentence, rules)
= UPPER(KEY_TO_RIGHT(domain[0:3])) + secret_word + secret_sentence[LENGTH(domain)] + LENGTH(domain) + PAD_TO_20("X")
So if my secret word were "bottleneck" and my secret sentence were "It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife." my algorithm generates the following passwords:
google.com:
f("google", "bottleneck", "It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife." , rules)
password = "HPPbottleneckacknowledged,6"
(note that "HPP" are the letters on the keyboard shifted right from "GOO")
microsoft.com:
f("microsoft", "bottleneck", "It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife." , rules)
password = "ZOVbottlenecksingle9"
The "rules" parameter is because some sites have length restrictions, symbol restrictions, and you may have to truncate the password or replace symbols. Also in "rules" is how many times you've changed a given password. I store the "rules" in a google doc.
Anyway, the nice thing about this system is that the algorithm is in your brain and you can use it to generate the password for a given service without relying on a password manager. So theoretically if I got stranded in Europe as a tourist and my phone got stolen, I'd still be able to get into my accounts (assuming 2FA isn't enabled...).
Password managers definitely generate more secure passwords, but my goal isn't to be the most secure, it's to strike a balance between the things I care about (and I care about being able to get into my accounts if I somehow lose access to my password manager).
I'm not a big fan of the algorithmic password systems. In practice you need to remember some bits of state for each separate website, because of different password rules or because you had to reset the password. This results in either needing to memorize a lot of information or writing it all down somewhere. The former has the same problems as memorizing passwords without assistance. And if we need to write it down, then we might as well write down a long and totally random password for each website.
If the worry is losing your phone, some of the popular services such as Bitwarden can also be accessed via a web interface, without installing the app.
Writing down website rules (ie which websites have length requirements, etc) is not the same as writing down passwords. The former is already public information. I keep track of website rules in a Google doc for reference and if compromised it does not give an attacker any information that isn't already public.
If BitWarden can be accessed from a browser it means all my passwords are on their servers, whereas with an algorithmic password generator the passwords are in my brain alone
Better not sign up for services at ycombinator.xyz.
That's very interesting. I would love to read this student's paper once it comes out.
Hi! I am the author of this post. Thanks a lot for your feedback! I hope to make it public very soon.
Please let us know when/where you do! This is really cool :D
What are the other two popular password managers you are looking at?
Bitwarden and Dashlane
Bitwarden. With U2F keys and Authy on a mobile for backup.
Accept no substitutes.
I've switched to self hosting vaultwarden
Nice article. Love your website. Small, no bloat, how the entire internet should be
why can't people just use keepass and be done with it?
Keepass has no multi-user support. Their site admits as much: https://keepass.info/help/base/multiuser.html
"Multiple users can log into the same database with the same password" isn't multi-user support. It's important to keep several passwords synchronized between family members and very useful to be able to securely share individual passwords with friends on occasion. Without ACLs and user accounts, this is impossible.
There's no official mobile app, which means I have to trust some random developer or live without basic quality of life features such as autofill.
It doesn't support U2F, instead requiring plugins to use a one-time password form of 2FA.
look man. i get it. you want ease of use, the same reason you have "browser sync" capability enabled when you only use your laptop to surf internet. I get it. I have successfully trained my family, over 5 years now to use keepass. they keep one file on their phone, all changes to their logins go into that file and often that file gets dumped to a secure backup. it works. I get the whole excitement about centralized passwords, quick one click logins, zip zip and all but the sad fact is, it takes 2 seconds to copy paste from keepassdroid which is on github if you are concerned about "random developer". without internet access, whats the best this app developer can do? delete files? oh my.
the multi user support is fine but 90 of users have just a bunch of email logins they need to keep rotating. you shouldnt carry your important credentials like bank codes and stuff on live anyways so whats the big deal if you have to remember to rotate a file every 3 months or so? or is that a big deal and being too lazy want to subject yourself to hacks and bugs that will leak data? good luck to you
Because 1Password exists.