Dixie Cretin Seaman
Jan 22, 2008

all hat and one catte
Hot Rope Guy

OSI bean dip posted:

How can we have this discussion about "people who play as a security professionals on the Internet" yet then turn around and go on about "convenience [trumping] security"?

Here's what we can easily tell about KeePass and a cloud-based file distribution service:

  • The source code is readily available
    • This means we know how the data is encrypted
    • This also means we can audit the source code ourselves
    • This also means that it is hard to change the source code without a third party becoming aware
  • It's easy to add an extra layer of security to your password vault
  • It's extensible with plugins that permit the use of most popular off-site cloud services

Now that we have established the things we know about KeePass, what can we say about LastPass?

  • It is not open source
    • This means we cannot know how the data is encrypted without trusting a third party to perform an audit
    • This means we cannot audit the source code ourselves
    • This also means that it is possible to change the source code without its userbase ever knowing
    • It also means that we have to trust LastPass that they'll disclose every breach
  • The other two points from the KeePass list aren't important here

If you think that your accounts are not important, then fine, use LastPass. But don't go around saying that it has adequate security because, as I have already demonstrated, it has been rife with problems that would otherwise not exist if we were to just use a file-based password manager.

Hold on, in the other thread you personally vouch for 1Password, which as far as I can tell is also closed-source and also not routinely audited by 3rd parties. And Lastpass seems to subscribe to a paranoid, transparent philosophy in their blog posts about data breaches, where they disclose and advise password changes even for suspicious activity where they have no reason to think user vaults were exposed. If you use a 3rd party host like Dropbox are you really expecting to get full disclosure of potential breaches? By these arguments, shouldn't you be against everything except Keepass vaults, only stored locally?

If you want to argue against any kind of cloud vault storage then do it, and acknowledge that you're leaving out a lot of users who just won't use a password manager that can't easily sync between multiple devices, including phones. But it sounds very disingenuous to ding one company for server security that is equally problematic for your preferred solutions (that is: not very problematic, as long as you use a strong password, right?)

Wiggly Wayne DDS posted:

If your password manager, by default, has an unencrypted key stored (dOTP) that can be used to authenticate, obtain the encrypted vault key, decrypt the vault key, bypass IP restrictions, bypass 2FA and relies on local storage being impenetrable then you've got a bit of a design flaw. We've seen the damage in the past when Lastpass had an XSS problem that let an attacker grab any plaintext passwords from a vault silently. You're not storing your vault on a single system by virtue of using Lastpass so that is not the only possible angle of attack, and based on prior issues I can't comfortably advise people to use it for secure password storage. Especially given their response to the issues presented.

This, on the other hand, is a reasonable argument that they have exhibited some questionable security judgement w/r/t local attacks, and given their past transparency about possible server-side breaches, I was very disappointed in the detail of that response and exactly what mitigation strategies were put into place since being notified of the issues. Only tangentially related, but I've also always been uncomfortable with Lastpass' suggestion that they can keep your vault and passwords safe on questionable computers, like those at an internet cafe, using OTPs. I don't know if anyone's directly tested how much of your info some malware could grab in this scenario, but the assertion seems wildly naive and liable to give users a false sense of security.

I've been using Lastpass for a few years and I'm not imminently terrified, but between this and the uncertainty surrounding the LogMeIn acquisition, I am looking at alternatives. I just tried installing 1Password for OS X and it errors out immediately upon opening it. Not exactly inspiring confidence here.

Dixie Cretin Seaman
Jan 22, 2008

all hat and one catte
Hot Rope Guy
Guys my motorcycle has lovely brakes so what's the use in wearing a helmet?