Using apps like LastPass — which require you to upload your passwords and a bunch of other info on all your online accounts — has always been the epitome of stupidity.

This is why: https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/

LastPass users: Your info and password vault data are now in hackers’ hands

Password manager says breach it disclosed in August was much worse than thought.

Ars Technica
@tiago not using one and having a key logger steal your info is worse

@kordinglab
No, with a keylogger they can get your master password, so you're screwed either way.

Also, there's plenty of middle ground between not using a password manager and using a proprietary one that uploads all your passwords to the cloud.

@tiago what makes the 1passwd attractive to me is that I can use it on all my devices. It's easy to install. I reasonably trust them (although my trust was apparently a bit misplaced). And because I never have to type passwords (apart from master password) it feels safe.

@kordinglab I understand it's very convenient.

But the idea that there is a central service that stores thousands of people's passwords is frankly absurd from a security perspective.

I understand that the passwords are encrypted before they are uploaded, but the attack surface becomes so large that I would never feel safe with such a system.

I store my passwords with the Gnome keyring and Firefox. I also only need to type the master password. But my passwords never leave my machine.

@tiago but how do the passwords get to your phone? And also, as long as the master password does not leave my machine, is the attack surface a problem?

@kordinglab They don't get to my phone. I lose that convenience. There is usually a trade-off between convenience and security, and this is what I choose.

The larger attack surface is a problem because encryption is not fail-safe, and now there is a central point of failure.

Don't underestimate the ability of someone cracking your master password if they have access to the raw ciphertext. See here: https://social.skewed.de/@gsuberland@chaos.social/109559625014104081

Besides, it may not be necessary for attackers to crack your master password. If they can crack one of your hundreds of encrypted passwords, for example because it's a simple password or has been generated with a known or faulty algorithm, the attacker can go from there.

Graham Sutherland / Polynomial (@gsuberland@chaos.social)

if you run into anyone trying to discount the severity of the lastpass breach by saying the master keys are impossible to crack, ask them how lastpass' key derivation works, what a credential stuffing attack is, and how well PBKDF2 scales on GPUs. given the details, it looks like anyone whose data was in the breach and who also reused their master password elsewhere is in imminent danger of having all their passwords compromised, as is anyone who used a relatively common password.

chaos.social
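The two risk factors named in the linked post, how PBKDF2 cost scales with the iteration count and why a common or reused master password falls regardless of that count, can be made concrete. The following is an added example, not code from any participant in this thread and not LastPass's implementation; the salt scheme (account e-mail), key length, iteration counts and attacker guess rates are constructed for illustration.

```python
"""Added example: why PBKDF2 iteration count and master-password strength together
decide how long a stolen, still-encrypted vault stays safe.  All parameters here are
constructed for illustration; they are not LastPass's real settings."""
import hashlib
import math
import time

HASH_NAME = "sha256"   # PBKDF2-HMAC-SHA256, the primitive the linked post refers to
KEY_LEN = 32           # 256-bit vault key (assumption)

# Constructed stand-in for the "relatively common passwords" an attacker tries first.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou"]


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the vault key from the master password.

    Using the normalised account e-mail as the salt is an assumed scheme.  The point
    the thread makes is that this derivation is deterministic: whoever holds the
    ciphertext and the salt can test master-password guesses offline, unthrottled."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac(HASH_NAME, master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def measure_derivations_per_second(iterations: int, rounds: int = 3) -> float:
    """Single-threaded PBKDF2 rate on this machine at a given iteration count.
    A GPU attacker runs thousands of these in parallel; this only shows the shape."""
    start = time.perf_counter()
    for i in range(rounds):
        derive_vault_key(f"timing-probe-{i}", "probe@example.invalid", iterations)
    return rounds / (time.perf_counter() - start)


def seconds_to_exhaust(candidates: int, iterations: int, attacker_hmac_rate: float) -> float:
    """Worst-case seconds to try `candidates` guesses for an attacker computing
    `attacker_hmac_rate` HMAC blocks per second.  PBKDF2 cost is linear in the
    iteration count, so 10x iterations means 10x cost per guess and no more."""
    return candidates * iterations / attacker_hmac_rate


def min_iterations_for_target(candidates: int, attacker_hmac_rate: float,
                              target_seconds: float) -> int:
    """Iterations needed so that exhausting `candidates` guesses takes at least
    `target_seconds`.  For a guessable password the answer quickly exceeds what a
    legitimate login can afford, which is why the password's entropy, not the
    iteration count, is the real defence."""
    return math.ceil(target_seconds * attacker_hmac_rate / candidates)


def is_in_first_wave(master_password: str, reused_elsewhere: bool) -> bool:
    """Defender-side check mirroring the post's two warnings: a master password that
    is common, or was reused on another site (credential stuffing), is among the
    attacker's first guesses, so the iteration count buys essentially nothing."""
    return reused_elsewhere or master_password.lower() in COMMON_PASSWORDS


if __name__ == "__main__":
    # Constructed attacker model: one GPU rig doing 1e9 HMAC-SHA256 blocks per second.
    rig_rate = 1e9
    for iters in (5_000, 100_000):
        # Time to run a constructed one-billion-entry list of leaked passwords.
        print(f"{iters:>7} iterations: 1e9 guesses in "
              f"{seconds_to_exhaust(10**9, iters, rig_rate) / 86400:.1f} days")
    print("iterations needed to hold that list off for a year:",
          min_iterations_for_target(10**9, rig_rate, 365 * 86400))
    print("local rate at 100k iterations: "
          f"{measure_derivations_per_second(100_000):.1f} derivations/s")
    for pw, reused in (("qwerty", False), ("x7!Qm9#vL2@pZr4w", False), ("x7!Qm9#vL2@pZr4w", True)):
        print(f"{pw!r} reused={reused} -> first wave: {is_in_first_wave(pw, reused)}")
```

Run as a script it prints the constructed estimates; the takeaway is that raising iterations moves the attacker's cost by a constant factor, while a master password that is common or reused sits inside the first guesses at any iteration count.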

@tiago @kordinglab

The lack of convenience with passwords _is_ the issue.

Far more breaches have occurred due to password reuse (often associated with credential stuffing) than from attacks on password managers.

Cloud sync of passwords is a security-convenience trade-off, but for me personally, worth it. And at the macro level, likely worth it as well.

@gdbassett @kordinglab No, the trade-off you mention doesn't exist. I don't reuse passwords, and they are all randomly generated and stored encrypted with a master password. I just don't upload them to the cloud. The attack surface is strictly smaller.

@gdbassett @kordinglab
I would be tempted to use a “cloud” service if I could use my own server like @nextcloud or something.

I just think that central server with hundreds of thousands of people's passwords — even if encrypted — is a truly terrible idea.

@tiago @kordinglab @nextcloud "running your own server" is an interesting thing. (I once thought MS should make a personal server for homes and still run a Synology.)

On the one hand it would be highly beneficial for lots of people to have their own servers. On the other, it prevents those people from taking advantage of economies of scale that have been highly beneficial (think Gmail's ability to filter spam). And there is still the single point of failure in the software produced.

@gdbassett @kordinglab @nextcloud (I would not trust MS with any of this.)

We would not need to have a single server per inhabitant of the planet, it would be fine to have a larger granularity. Remember the ISPs in the old days, from where you would get your email? That was the right model.

I run my own server and my spam filter works just fine. We can have economy at scale by sharing filters, trained ML models, etc.

@tiago @kordinglab @nextcloud in Microsoft's defense, they provide some of the best security on the planet these days.

Local ISPs are reliant on the software provided to them and often lack the robust operations necessary to handle common cyber threats. (What local ISP is running a multi-person 24/7 dedicated SOC?)

@gdbassett @kordinglab @nextcloud MS is subject to US government subpoenas, and for all I know probably actively collaborates with NSA mass surveillance.