Proteus Jones posted: Lol, at iClown keychain.

You're clever. I'm sure Chinese users are big fans.

Feb 25, 2018 01:07

Welp, at least they'll still claim to be secure.

Feb 25, 2018 01:16

Potato Salad posted: Has icloud keychain come up itt before?

everyone has bugs, it's about how you respond to them. apple patched it promptly when a researcher disclosed it to them. lastpass has a history of balking. (also FWIW the apple flaw was way less braindead than lastpass's mistakes. "sophisticated attacker MITMs you while your device is actively communicating to the mothership" versus "anyone visiting a website while using their extension gets owned".)

keychain is all about ease of use for non-technical people which makes it weaker by default than lastpass or keepass, but aside from that it's fine. the real problem is it doesn't make sense unless you live 100% in the apple ecosystem.

edit: oh yeah, and don't use anything from apple, google, or microsoft if you live in china and are afraid of your government, because they all bend over for the PRC

waloo posted: How does this change, if at all, for somebody using a chromebook a lot?

Klyith fucked around with this message at 01:40 on Feb 25, 2018
Feb 25, 2018 01:34

waloo posted: How does this change, if at all, for somebody using a chromebook a lot?

A small notepad with your passwords written down in it, preferably attached to or stored in your wallet. This is infinitely less likely to get your poo poo stolen than using LastPass.

Feb 25, 2018 01:46

Anyone who continues to use and advocate for LastPass after everything that has been said in this thread is not worth saving. They're also a liability to the organisation they work for because they'll create problems elsewhere due to their inability to see the forest from the trees.

Feb 25, 2018 02:13

Proteus Jones posted: Right now, 1Password has the edge for me. I’ve used them for years, my group at work uses it. The development team actively engages its customer base and is quick to respond and disclose bugs. Hell, as seen earlier in the day, they already rolled in an update to their subscription based client to use the secure password check API with Have I Been Pwned. They’ve also stated they will roll this into the Watchtower service for non subscription customers in a future update.

Thanks, that's what I'm looking for: a recommendation.

Feb 25, 2018 02:38

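The "secure password check API" mentioned in the post above is Have I Been Pwned's k-anonymity range lookup: the client sends only the first five hex characters of the password's SHA-1 and matches the remaining 35 locally. The following is an added example written for this thread, not code from 1Password or HIBP; `offline_fetch_range` and every entry in `SAMPLE_RANGE_RESPONSE` except the first (the real SHA-1 of "password") are constructed stand-ins so it runs offline.

```python
import hashlib
from typing import Callable, Dict, Tuple

# The real service answers GET https://api.pwnedpasswords.com/range/<5 hex chars>
# with one "<35-hex-char suffix>:<count>" line per leaked hash in that range.
# SAMPLE_RANGE_RESPONSE is a constructed stand-in for the 5BAA6 range: only the
# first entry (the SHA-1 of "password") is a real hash, the other two are made up.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0F0B0C0D0E0F101112131415161718191A1:3
ABCDEFABCDEFABCDEFABCDEFABCDEFABCDE:17
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest HIBP keys its corpus on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char digest into the 5-char prefix that is transmitted and the
    35-char suffix that never leaves the client."""
    if len(digest) != 40:
        raise ValueError("expected a 40-character SHA-1 hex digest")
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a dict."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        table[suffix.upper()] = int(count)
    return table


def offline_fetch_range(prefix: str) -> str:
    """Assumed stand-in for the HTTP call: serves the constructed sample for
    the 5BAA6 range and an empty body for every other prefix."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of breach occurrences HIBP has for this password (0 = not seen).
    Only the 5-char prefix is handed to fetch_range; the suffix comparison
    happens locally, so the service never learns the full hash."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, offline_fetch_range))
```

Swapping `offline_fetch_range` for a function that performs the real GET gives a working client; the prefix is all that ever goes over the wire.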
ElCondemn posted: Thanks, that's what I'm looking for: a recommendation.

Feb 25, 2018 03:06

anthonypants posted: Just in case it comes up in the future, how many times does someone need to tell you something before it sticks?

Not sure, maybe if people weren't accusing me of being an idiot for asking legitimate questions it would happen pretty quickly. But I guess that's how y'all like to interact, it's an odd strategy to treat people like idiots to prove how smart you are.

Feb 25, 2018 03:12

ElCondemn posted: Not sure, maybe if people weren't accusing me of being an idiot for asking legitimate questions it would happen pretty quickly. But I guess that's how y'all like to interact, it's an odd strategy to treat people like idiots to prove how smart you are.

You’ve been a member here for 13 years, how is this news to you?

Feb 25, 2018 03:35

Here was your question:

ElCondemn posted:

Here was the response to your question:

wyoak posted: LastPass's browser integration was found to be severely broken a couple times as well. They've had a bunch of flaws (some really dumb, some not so much) for a company based around security, which makes it hard for me to trust them.

Truga posted: Also, the problem with lastpass isn't that they got caught with bugs, it's that they got caught doing really loving stupid poo poo, repeatedly. All software has bugs, but some exploits manifest from bugs, others out of incompetence. The kind of poo poo lastpass keeps producing is the latter ones.

Wiggly Wayne DDS posted: here's an audit publicised nov 15:

cheese-cube posted: It's not just that they were breached and that serious exploits were found in their software, it's that they responded to it in an extremely poor manner. These days it's more of a "when" than an "if" for companies being breached and/or their software being exploited. This means that they need to plan for these scenarios and know how to respond. The folks behind LastPass clearly did not plan for such a situation either through lack of understanding or not giving a gently caress. Either way, their lacklustre response to the incidents and their attempts to downplay them have shown that they don't give two fucks about security.

Wiggly Wayne DDS posted:

Here was your dogshit interpretation of the problem:

ElCondemn posted: So reading through your links the only really concerning bit is the custom_js stuff. I think most browser integrated password managers would have similar client side exploits. If your goal is perfect security then using anything that isn’t self hosted and air gapped is going to fall short of that. I think the trade off is probably worth it, at least for average users.

Maybe you have those people blocked but it was only after that point when people started calling you an idiot.

Feb 25, 2018 05:06

waloo posted: How does this change, if at all, for somebody using a chromebook a lot?

If you don’t mind paying for the cloud subscription then you can still use 1Password (X).

e: I use this on my Linux machines btw. I had it running just fine in both Chrome and Chromium. The only thing that’s annoying is that the default hotkey (ctrl alt \ or whatever) doesn’t work in Linux for some reason? Not a big deal but I don’t like change.

Boris Galerkin fucked around with this message at 06:49 on Feb 25, 2018
Feb 25, 2018 06:39

https://twitter.com/Burrito_Tim/status/967639428272459776

Feb 25, 2018 06:57

Klyith posted: 1password, Keepass ..... iCloud keychain

Apple will expose your passwords. Again. And again.

Feb 25, 2018 07:02

I just use KeePass with the Kee extension for Firefox for matching passwords against the URL field. I'm not going to be super about this.

Feb 25, 2018 07:43

Password Safe is still fine right? I use it at home with the safe file stored on a BitLockered iSCSI LUN because I don't really care about browser integration or cloud syncing or whatever. Works for me and pretty sure it's safe.
Pile Of Garbage fucked around with this message at 13:31 on Feb 25, 2018

Feb 25, 2018 12:53

KeepAss my passwords, secure documents, and heirloom jewelry like your father's watch. Nation state actor couldn't crack this crack.

Feb 25, 2018 13:25

anthonypants posted: Here was your dogshit interpretation of the problem:

Please tell me what I’m saying that's dogshit or where I’m defending lastpass? Sorry that I wasn’t explicit but I was trying to determine what made 1password or other options more secure. I’ve read the articles about lastpass but I wasn’t seeing any argument or article that showed why other options were immune or better than lastpass in those scenarios. This isn’t D&D, maybe you could afford to be less of an rear end in a top hat.

Feb 25, 2018 16:47

LastPass is garbage. Therefore anything which isn't LastPass is significantly less garbage.

Feb 25, 2018 17:08

...which articles did you decide to read and treat as more trustworthy than the responses in this thread?

Feb 25, 2018 17:29

ElCondemn posted: Please tell me what I’m saying that's dogshit or where I’m defending lastpass?

So from my point of view you asked about password managers like LastPass and if you look at anthonypants's post you'll see that people gave you reasons for why LastPass was poo poo. Then you proceeded to stick your fingers in your ears and go lalalalala and assert that it wasn't poo poo because of reasons, which prompted someone else to say to you "looks like you're already invested in LastPass and nothing we say will matter."

Feb 25, 2018 18:04

ElCondemn posted: Please tell me what I’m saying that's dogshit or where I’m defending lastpass?

Sorry. It's hard to not be aggressive towards obtuse people who are dangerous to themselves and others. Do you understand why we are telling you that LastPass is garbage? Yes or no. And explain your answer.

Feb 25, 2018 18:18

This thread has LastPass PTSD

Feb 25, 2018 18:29

Boris Galerkin posted: So from my point of view you asked about password managers like LastPass and if you look at anthonypants's post you'll see that people gave you reasons for why LastPass was poo poo. Then you proceeded to stick your fingers in your ears and go lalalalala and assert that it wasn't poo poo because of reasons, which prompted someone else to say to you "looks like you're already invested in LastPass and nothing we say will matter."

I think it’s clear that people have strong opinions about lastpass, but nothing I said was ignoring the links or comments people posted, other than the insults and accusations that I’m a lastpass fan who’s a ”danger” to people. I still think it’s fair to say that the client side issues are probably going to be common among browser integrated password managers. The server side stuff like the custom_js issue is very concerning and I’m definitely moving away from lastpass for that (among other) reason. However the core encryption model is still solid but the implementation and their response to issues seems to be a pretty big problem. Nothing I’ve said is controversial, unless you’re a huge rear end in a top hat who thinks they’re a genius for making GBS threads on others. Regardless of all of that if your goal is to get people to move to another option feel free to point out the flaws in lastpass but then maybe describe how an alternative does it better. Making GBS threads on my original choice doesn’t do anything to fix the problem.

apseudonym posted: This thread has LastPass PTSD

Clearly

ElCondemn fucked around with this message at 19:06 on Feb 25, 2018
Feb 25, 2018 19:00

Stop using lastass or fuckoff?

Feb 25, 2018 19:05

ElCondemn posted: I still think it’s fair to say that the client side issues are probably going to be common among browser integrated password managers.

This is the line of thinking that sets people off in this thread with LastPass. The client side issues are only common if the people building it are incompetent, and you probably don't want to run a password manager written by incompetent engineers. LastPass is a special level of lovely and comes up often enough in this thread to cause us sadness.

I just use the built in chrome password manager/generation because lol.

Feb 25, 2018 19:05

i did mention them being repeatedly breached and ignoring that the attackers had far more access and capabilities than pr said right

Feb 25, 2018 19:10

apseudonym posted: This is the line of thinking that sets people off in this thread with LastPass. The client side issues are only common if the people building it are incompetent, and you probably don't want to run a password manager written by incompetent engineers.

I don’t know about that, there are lots of common patterns in software design that turn out to be terrible. The good companies know this and update their software regularly to keep ahead of these problems. For example meltdown, heart bleed, this recent CSS issue, these things happen. It’s useful to know which companies deal with these issues properly and which don’t. That’s not to say lastpass is following good modern design principles in the first place.

apseudonym posted: I just use the built in chrome password manager/generation because lol.

I was using chrome previously but then everyone got a phone and wanted to share passwords with each other.

Feb 25, 2018 19:17

Wiggly Wayne DDS posted: i did mention them being repeatedly breached and ignoring that the attackers had far more access and capabilities than pr said right

Please respond to this ElCondemn

Feb 25, 2018 19:21

Wiggly Wayne DDS posted: i did mention them being repeatedly breached and ignoring that the attackers had far more access and capabilities than pr said right

Maybe I missed it in the articles that were linked but other than the custom_js issue they seem to have quickly resolved the server side issues (which again I said is one of the major reasons I'm moving away from them). The client side issues I believe are endemic to that security model, at the very least the client side issues didn't seem to be simple poo poo like checking the page title over the URI and required a compromised client to do things like intercept the master key. I can think of plenty of ways most other password managers could be compromised in the ways that the articles you linked have done, I haven't seen anyone post articles showing how other options are immune to these types of attacks (unless you count the run a VM to browse your email model as a valid solution).

ElCondemn fucked around with this message at 19:31 on Feb 25, 2018
Feb 25, 2018 19:27

Unless you're being paid by Lastass things will surely get to a point where you have to take a step back and think "Wow, OK I'm sure stretching definitions and garbage to meet those pre-described sales points, is that even my responsibility anymore?"

Feb 25, 2018 19:46

Wiggly Wayne DDS posted:

you earlier acknowledged they were hacked but only seem to think that custom_js is the issue. all those statements just above that section on what lastpass could hypothetically do? those are what attackers on lastpass' infrastructure can do

ElCondemn posted: Maybe I missed it in the articles that were linked but other than the custom_js issue they seem to have quickly resolved the server side issues (which again I said is one of the major reasons I'm moving away from them). The client side issues I believe are endemic to that security model, at the very least the client side issues didn't seem to be simple poo poo like checking the page title over the URI and required a compromised client to do things like intercept the master key. I can think of plenty of ways most other password managers could be compromised in the ways that the articles you linked have done, I haven't seen anyone post articles showing how other options are immune to these types of attacks (unless you count the run a VM to browse your email model as a valid solution).

can you elaborate on the requiring articles to explain why different password managers are immune to vague types of attacks? what is your concern in that area so it can be explained to you why that documentation doesn't exist, or why it does but you've just not used the correct wording to find it

Feb 25, 2018 19:55

ElCondemn posted: I don’t know about that, there are lots of common patterns in software design that turn out to be terrible. The good companies know this and update their software regularly to keep ahead of these problems. For example meltdown, heart bleed, this recent CSS issue, these things happen. It’s useful to know which companies deal with these issues properly and which don’t.

Updates are a necessary but not remotely sufficient component for having a secure product. If your product repeatedly has P0 security issues updating quickly doesn't forgive you not addressing the issues that let them happen in the first place. Doubly so if you're claiming to be a security critical product. Repeatedly having the same class of vulns without trying to address the problem is irresponsible. You should expect your password manager to be proactively designed to be secure, which LastPass doesn't seem to be.

Feb 25, 2018 19:57

Wiggly Wayne DDS posted: you earlier acknowledged they were hacked but only seem to think that custom_js is the issue. all those statements just above that section on what lastpass could hypothetically do? those are what attackers on lastpass' infrastructure can do

I'm reading what you posted, you're just too stupid to understand what I'm saying about it. Honestly you really are an idiot who doesn't understand the difference between a client side exploit and a server side exploit.

Wiggly Wayne DDS posted: which client side issues are endemic to the security model? you seem to enjoy convincing yourself that you're the only sane one here. once again there is no requirement for compromising the client to intercept the master key. you are completely misunderstanding what is happening and are not willing to explain your side at all. if you can "think of plenty of ways most other password managers could be compromised" then please do tell, we'd be lost without your wisdom in the matter.

Web based authentication strategies are "secured" by the addition of SSL/TLS, it's trivial to hijack a session if you can MITM the session/cookie data. If your client is compromised you can do the same thing over a secure channel because one end is compromised. You can argue that they're doing stupid things (like keeping a local hash of a recovery key) but there are lots of companies that do this kind of thing and I'd guess some of them might be other password managers that I might use... which brings me to the next point

Wiggly Wayne DDS posted: can you elaborate on the requiring articles to explain why different password managers are immune to vague types of attacks? what is your concern in that area so it can be explained to you why that documentation doesn't exist, or why it does but you've just not used the correct wording to find it

I don't require poo poo, I'm saying if you are die hard against LastPass and want people to move off it going on and on about how lovely it is isn't going to help someone make a better decision. I was hoping to find other articles explaining how an exploit that's possible through LastPass is mitigated by 1password/whoever. Because as I see it right now if nobody has spent the time to audit these other providers why should I assume they're doing the right thing? I didn't find any articles that did that kind of security comparison with my google searches.

cheese-cube posted: Unless you're being paid by Lastass things will surely get to a point where you have to take a step back and think "Wow, OK I'm sure stretching definitions and garbage to meet those pre-described sales points, is that even my responsibility anymore?"

Good point, no reason to discuss security in a thread about security...

apseudonym posted: These aren't good examples for defending poor software engineering practices, especially in their own product, it's just name dropping some bugs that got press lately. The CSS thing isn't even a bug.

It's not a bug, but lots of people were implementing software that didn't take into account the possibility of a CSS element modifying the DOM dynamically as a security concern. I'm also not defending poor software engineering practices, I'm just saying that poo poo comes up and often it's pointless to blame a company for not being able to predict the future.

apseudonym posted: Updates are a necessary but not remotely sufficient component for having a secure product. If your product repeatedly has P0 security issues updating quickly doesn't forgive you not addressing the issues that let them happen in the first place. Doubly so if you're claiming to be a security critical product.

This is just silly, look at all the CVEs that Cisco puts out, it's always the same type of poo poo and sometimes it's super critical. I'm not saying Cisco is the security standard we should aspire to, I'm just saying it happens and one way of determining whether you should jump ship or not is in how the company responds to the security concerns.

ElCondemn fucked around with this message at 20:21 on Feb 25, 2018
Feb 25, 2018 20:15

Yes, everybody else is stupid and you're a genius. Just install LastPass and on your passwords never getting exposed.

Feb 25, 2018 20:17

Absurd Alhazred posted: Yes, everybody else is stupid and you're a genius. Just install LastPass and on your passwords never getting exposed.

Totally what I'm saying...

Feb 25, 2018 20:21

This attitude of “well I’m going to keep promoting insecure software because I demand you prove a negative first” is what makes much of this industry poo poo.

Feb 25, 2018 20:24

Trabisnikof posted: This attitude of “well I’m going to keep promoting insecure software because I demand you prove a negative first” is what makes much of this industry poo poo.

Who's got that attitude? Who's defending LastPass? I'm asking questions to make a decision about which other password managers I should be using.

Feb 25, 2018 20:26

ElCondemn posted: Who's got that attitude? Who's defending LastPass? I'm asking questions to make a decision about which other password managers I should be using.

“Just asking questions” and then ignoring the answers so you can smugly tell us all that no one will answer your questions correctly.

Feb 25, 2018 20:28

Trabisnikof posted: “Just asking questions” and then ignoring the answers so you can smugly tell us all that no one will answer your questions correctly.

Really? Because I said I'm moving to 1password, not because everyone overwhelmingly agreed on it, but because maybe one or two people mentioned it and nobody went nuts over the suggestion.

Feb 25, 2018 20:30

You're not genuinely after a discussion, you're sealioning.

Feb 25, 2018 20:30