Alereon
Feb 6, 2004

Dehumanize yourself and face to Trumpshed
College Slice
:siren: Please stop ruining the security thread :siren:


Alereon
Feb 6, 2004

I'm just gonna note that it's possible to disagree without being dicks to each other, so let's all work on making this thread about security and not nerds arguing.

Alereon
Feb 6, 2004


FunOne posted:

Best recommendations for password managers? Surely keeping them all in a Google Spreadsheet isn't considered best practice. I'm not interested in spending money on a service though. How is Safewin Cloud?
I think LastPass is the best choice for personal use. Make sure to enable 2 Factor Authentication via Google Authenticator or something.

Alereon
Feb 6, 2004


bobbilljim posted:

Lastpass 2-factor doesn't actually do anything, so I wouldn't bother turning it on. Last I checked, anyway.
I guess you're talking about it not actually being required in all scenarios by default, like when offline? If security is more important than usability you can disable trusted devices and caching of credentials/vault contents, but that doesn't seem to be a good trade for most people.

Alereon
Feb 6, 2004


bobbilljim posted:

Could just be certain client apps, but last I checked if you have it enabled in Firefox you can sign in with the password and it will autofill any open web page you have, then you can tell the second factor popup to piss off and you still have the password filled in on whatever page. So I don't think it's actually enforced, rather it's up to the client app.

e: this is when I had it set to not work offline
That's the "locally cached credentials" case. If it is important to you that data not be accessible without authenticating, don't cache it locally.

Alereon
Feb 6, 2004


Wiggly Wayne DDS posted:

Lastpass has had too many dumb security issues. Use 1password or KeePass.
KeePass requires your own db management solution and 1password requires you to purchase a separate license for every platform, both of which are dealbreakers for most normal people. If you are a nerd and a local db works for you then not trusting anyone else with your data is obviously safest.

Alereon
Feb 6, 2004


Wiggly Wayne DDS posted:

Here's a rundown of an audit publicised last month: http://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it/

Those are issues for people needing multi-platform solutions, I doubt that is the majority of the userbase and doesn't excuse using an insecure manager.
Lastpass isn't insecure, it just makes intelligent default choices to balance security and convenience for its users. Most people want features like trusted devices and offline access to their vault, and if you don't no one makes you keep them enabled.

Alereon
Feb 6, 2004


Wiggly Wayne DDS posted:

Did you read the audit at all?
Yes, it says that if credentials are saved locally to your machine, then an attacker with access to your machine may be able to gain access to your Lastpass vault data and account. This is not the threat model most people care about, and anyone that does can mitigate it by making changes to their account settings. Honestly dude you are making mountains out of molehills, Lastpass is compellingly better than the alternatives for everyone that isn't an autist and doesn't want to buy an app once for every platform they own.

Alereon
Feb 6, 2004


Wiggly Wayne DDS posted:

If your password manager, by default, has an unencrypted key stored (dOTP) that can be used to authenticate, obtain the encrypted vault key, decrypt the vault key, bypass IP restrictions, bypass 2FA and relies on local storage being impenetrable then you've got a bit of a design flaw. We've seen the damage in the past when Lastpass had an XSS problem that let an attacker grab any plaintext passwords from a vault silently. You're not storing your vault on a single system by virtue of using Lastpass so that is not the only possible angle of attack, and based on prior issues I can't comfortably advise people to use it for secure password storage. Especially given their response to the issues presented.
You are inventing fake concerns. The default configuration of Lastpass does not protect you from an attacker with access to your machine, because that is not a relevant threat for most users and changing the way the software works to protect against that would require usability compromises that are unacceptable to most users. Users for whom those compromises ARE acceptable can change their account settings, or hell just use KeePass if they care that much.

OSI bean dip posted:

KeePass doesn't cost money and works on virtually every platform out there. It works great with Dropbox and works fine for autists and non-autists alike.
KeePass is worthless for average users because it requires you to roll your own db storage and synchronization solution. Saying "just use dropbox" is great for autists who want to live independently, but it's absolutely not a solution that Just Works in the way Lastpass does. You're a smart guy, you know all this, so I don't get why you won't accept that LastPass offers the best balance between security and usability for most people. Let's be real, features like trusted devices and offline access to a cached db that seem like anathema to you and Wiggly Wayne are incredibly valuable to users.

Alereon fucked around with this message at 21:21 on Dec 21, 2015
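The two storage modes argued over above (a convenience mode that keeps an unlock token on disk next to the wrapped vault key, versus a strict mode where the vault key can only be recovered from the master password) as a toy model. This is an added illustration, not LastPass's actual design and not code from anyone in this thread; the cipher is a simplified HMAC-based construction standing in for a real AEAD, and the vault entries are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Hypothetical, simplified model: PBKDF2 stretches the master password into a
# key-wrapping key; a toy encrypt-then-MAC scheme built from HMAC-SHA256 stands
# in for a real AEAD such as AES-GCM.


def derive_key(master_password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Stretch the master password into a 32-byte key-wrapping key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a toy stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC with keys separated by domain labels."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key: bytes, blob: dict) -> Optional[bytes]:
    """Verify the tag in constant time; return None (never garbage) on a wrong key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_local_vault(master_password: str, entries: dict, cache_unlock_token: bool) -> dict:
    """Build the on-disk file. A random vault key encrypts the entries; the vault key is
    wrapped under the password-derived key, and, in convenience mode, additionally under
    a device token that is itself stored in plaintext in the same file."""
    salt = secrets.token_bytes(16)
    vault_key = secrets.token_bytes(32)
    local_file = {
        "salt": salt.hex(),
        "vault": seal(vault_key, json.dumps(entries).encode("utf-8")),
        "vault_key_by_password": seal(derive_key(master_password, salt), vault_key),
    }
    if cache_unlock_token:
        token = secrets.token_bytes(32)
        local_file["device_token"] = token.hex()          # plaintext on disk
        local_file["vault_key_by_token"] = seal(token, vault_key)
    return local_file


def unlock_with_password(local_file: dict, master_password: str) -> Optional[dict]:
    """The intended path: master password -> KDF -> unwrap vault key -> decrypt entries."""
    key = derive_key(master_password, bytes.fromhex(local_file["salt"]))
    vault_key = unseal(key, local_file["vault_key_by_password"])
    if vault_key is None:
        return None
    data = unseal(vault_key, local_file["vault"])
    return json.loads(data) if data is not None else None


def unlock_with_local_file_only(local_file: dict) -> Optional[dict]:
    """What read access to the file alone yields, with no master password: the whole
    vault in convenience mode, nothing in strict mode."""
    if "device_token" not in local_file:
        return None
    vault_key = unseal(bytes.fromhex(local_file["device_token"]), local_file["vault_key_by_token"])
    if vault_key is None:
        return None
    data = unseal(vault_key, local_file["vault"])
    return json.loads(data) if data is not None else None


if __name__ == "__main__":
    sample = {"example.test": "constructed-sample-password"}   # constructed data
    for cached in (True, False):
        f = create_local_vault("correct horse battery", sample, cache_unlock_token=cached)
        print("cache_unlock_token =", cached,
              "| file alone unlocks:", unlock_with_local_file_only(f) is not None,
              "| password unlocks:", unlock_with_password(f, "correct horse battery") == sample)
```

The point of the model is the one both sides of the argument agree on: in convenience mode the file is self-unlocking, so any process or person that can read it has the vault, and no second factor sits between them and the entries; in strict mode the same file yields nothing without the master password, at the cost of no offline access and a KDF round-trip on every unlock.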

Alereon
Feb 6, 2004


OSI bean dip posted:

My post above adequately demonstrates why using LastPass is a terrible suggestion and should be avoided at all costs. If you're the kind of person that has come to the conclusion that LastPass is necessary, you're the kind of person that is capable of setting up a cloud-based file distribution service.
Your post describes some very vague and not-at-all-compelling reasons why people should be cautious about trusting their data to Lastpass. And yes, any security professional (or someone who plays one on the Internet) is perfectly capable of setting up their own cloud-based db synch solution, but those security professionals aren't asking for advice on how to manage their passwords. Someone who asks security professionals what password management solution to use should be directed to Lastpass.

Wiggly Wayne DDS posted:

"Just Works" isn't a security concept. You may like those features but that doesn't make them the main reason a user uses software - accessibility and prominence in the landscape are major considerations. Consider how often you've pushed LastPass without finding out if a user needs to have vault access on more than one machine. Is the user making an informed decision across these products, or is their decision making impacted by other peoples' biases?
Here's the problem. Convenience is so vastly more important than your theoretical security concerns that I am stunned we are still having this discussion. This fact has been a foundational principle of information security practices for quite some time. This is because users will work around inconvenient practices with MUCH less secure practices, such as how users respond to strong password requirements by reusing passwords. This is why the priority when creating a process for users MUST be that the process be so convenient users will never be tempted to work around it.

Alereon fucked around with this message at 21:35 on Dec 21, 2015

Alereon
Feb 6, 2004

Super disappointing, though Karlsson does say on his blog post that the attack doesn't work if multi-factor authentication is enabled on the Lastpass account. 1Password's new Family service seems like it might finally be a viable competitor when the final app is released, hopefully they are better at writing software than the Lastpass guys.


Alereon
Feb 6, 2004


CLAM DOWN posted:

Thread title
Clever but too long :(
