Using apps like LastPass — which require you to upload your passwords and a bunch of other info on all your online accounts — has always been the epitome of stupidity.

This is why: https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/

LastPass users: Your info and password vault data are now in hackers’ hands

Password manager says breach it disclosed in August was much worse than thought.

Ars Technica
@tiago not using one and having a key logger steal your info is worse

@kordinglab No, with a keylogger they can get your master password, so you're screwed either way.

Also, there's plenty of middle ground between not using a password manager and using a proprietary one that uploads all your passwords to the cloud.

@tiago what makes 1Password attractive to me is that I can use it on all my devices. It's easy to install. I reasonably trust them (although my trust was apparently a bit misplaced). And because I never have to type passwords (apart from the master password) it feels safe.

@kordinglab I understand it's very convenient.

But the idea that there is a central service that stores thousands of people's passwords is frankly absurd from a security perspective.

I understand that the passwords are encrypted before they are uploaded, but the attack surface becomes so large that I would never feel safe with such a system.

I store my passwords with the Gnome keyring and Firefox. I also only need to type the master password. But my passwords never leave my machine.

@tiago but how do the passwords get to your phone? And also, as long as the master password does not leave my machine, is the attack surface a problem?

@kordinglab They don't get to my phone. I lose that convenience. There is usually a trade-off between convenience and security, and this is what I choose.

The larger attack surface is a problem because encryption is not fail-safe, and now there is a central point of failure.

Don't underestimate the ability of someone cracking your master password if they have access to the raw ciphertext. See here: https://social.skewed.de/@gsuberland@chaos.social/109559625014104081

Besides, it may not be necessary for attackers to crack your master password. If they can crack one of your hundreds of encrypted passwords (for example because it's a simple password, or has been generated with a known or faulty algorithm), the attacker can go from there.

Graham Sutherland / Polynomial (@gsuberland@chaos.social)

if you run into anyone trying to discount the severity of the lastpass breach by saying the master keys are impossible to crack, ask them how lastpass' key derivation works, what a credential stuffing attack is, and how well PBKDF2 scales on GPUs. given the details, it looks like anyone whose data was in the breach and who also reused their master password elsewhere is in imminent danger of having all their passwords compromised, as is anyone who used a relatively common password.

chaos.social
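An added illustration (not part of the thread, and not LastPass's or anyone's actual parameters) of the point in the quoted post: for an offline attack on a stolen vault, PBKDF2's iteration count only multiplies per-guess cost linearly, so it cannot rescue a common or reused master password. The entropy figures and the HMAC-SHA256 guess rate are assumptions for the model.

```python
import hashlib
from typing import Optional

# Constructed demo salt; real vaults use a per-user random salt.
DEMO_SALT = b"constructed-demo-salt"


def derive_vault_key(master_password: str, iterations: int) -> bytes:
    """Generic PBKDF2-HMAC-SHA256 derivation of a 256-bit vault key.
    Mirrors the general scheme password managers use; it is NOT LastPass's
    exact parameters, which the thread does not give."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               DEMO_SALT, iterations, dklen=32)


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           hmac_per_second: float) -> float:
    """Expected time to recover a master password offline from stolen
    ciphertext: on average half the space is searched, and each guess costs
    `iterations` HMAC evaluations (dklen <= 32 bytes means one HMAC/iteration)."""
    guesses = 2.0 ** (entropy_bits - 1)
    return guesses * iterations / hmac_per_second


def credential_stuffing_guesses(master_password: str,
                                leaked_passwords: list) -> Optional[int]:
    """Credential stuffing: if the master password was reused on a breached
    site, the attacker tries that leaked list first. Returns the guess number
    that succeeds, or None if the password is absent (brute force then applies).
    Note the iteration count never enters this function."""
    for index, candidate in enumerate(leaked_passwords, start=1):
        if candidate == master_password:
            return index
    return None


def scenario_table(iterations: int, hmac_per_second: float) -> dict:
    """Days to recover three assumed kinds of master password:
    a top-1M-list password (~20 bits), an 8-char lowercase password
    (26^8, ~37.6 bits), a random 12-char password over 64 symbols (72 bits)."""
    scenarios = {"common_password": 20.0,
                 "short_lowercase": 37.6,
                 "random_12_chars": 72.0}
    return {name: expected_crack_seconds(bits, iterations, hmac_per_second) / 86400
            for name, bits in scenarios.items()}
```

Doubling the iteration count doubles every row of the table, while a reused password falls to credential stuffing at whatever position it holds in the leaked list, regardless of iterations.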

@tiago @kordinglab

The lack of convenience with passwords _is_ the issue.

Far more breaches have occurred due to password reuse (often associated with credentials stuffing) than from attacks on password managers.

Cloud sync of passwords is a security-convenience trade-off, but for me personally, worth it. And at the macro level, likely worth it as well.

@gdbassett @kordinglab No, the trade-off you mention doesn't exist. I don't reuse passwords, and they are all randomly generated and stored encrypted with a master password. I just don't upload them to the cloud. The attack surface is strictly smaller.
@tiago @kordinglab While you should be applauded for sacrificing convenience for security, based on my experience cataloging breaches for the Data Breach Investigations Report you are likely the exception.
@gdbassett @kordinglab Which is a sad state of affairs, especially in view of the article linked at the top of this thread.
@tiago @kordinglab yeah, the security community is well aware of the LastPass breaches. Honestly we appreciate their executive leadership being so forthcoming, though we are waiting to hear more specifics about what fields are and aren't encrypted to pass judgement.
@gdbassett @kordinglab Regardless of the severity, a distributed system would not be susceptible to any of this.
@tiago @kordinglab assuming there are no vulnerabilities present in the software on every server (https://www.greynoise.io/blog/2022-a-look-back-on-a-year-of-mass-exploitation).
2022: A Look Back On A Year Of Mass Exploitation

Researchers at GreyNoise Intelligence have added over 230 tags since January 1, 2022, which include detections for over 160 CVEs. In today’s release of the GreyNoise Intelligence 2022 "Year of Mass Exploits" retrospective report, we showcase four of 2022's most pernicious and pwnable vulnerabilities.

@gdbassett @kordinglab No, this assumption is not needed! Of course every implementation can have a vulnerability. But *all else being equal*, a distributed one has a strictly smaller attack surface in this context, since even if it is compromised, you cannot get *all* passwords at once.
@tiago @kordinglab but you don't need to get all the passwords at once, just before security response occurs. And that tends to be a race between the attackers' scripting and a small org's ops.

@gdbassett @kordinglab I don't need to tell you that small servers are also less important targets.

I find the “quality of software” argument strange, since it's the same for every scenario.

@tiago @kordinglab Attackers tend to be economically driven. A rising issue is to take critical vulnerabilities, automate their exploitation, and then sell the access.

In our 2022 report (page 31, figure 43), from honeypot data, we observed a type of attacker sales funnel from scanning for hosts to executing an exploit.

@tiago @kordinglab Again, this is not to say this would apply to you. I have no doubt you'd secure and patch your servers and services with alacrity. (Many security folks do as well.) My concern is the broader population.
@gdbassett @kordinglab I honestly don't understand how having a centralized global password storage can somehow be better for the broader population. I think this is madness.

@tiago @kordinglab Thankfully there isn't a single centralized password manager. There's lastpass, 1Password, bitwarden, the password managers in browsers, in OSs, and many others.

And it's definitely a balance (and one that isn't settled in the security community). For example, a common solution is to use 1password and sync the vault through something like dropbox.

@tiago @kordinglab Here's @fsmontenegro, a friend and one of the best security analysts in the world, pontificating on how the security community sees the lastpass incident: https://infosec.exchange/@fsmontenegro/109563471808329552.
Fernando Montenegro :donor: (@fsmontenegro@infosec.exchange)

Content warning: long-ish, related to LP disclosure

Infosec Exchange
@gdbassett @tiago @kordinglab You're too kind. I'm just trying to process it for my own edification - as I observe my own emotions reacting to this, I can see where I may be able to improve moving forward. That's all I can hope for...
@gdbassett @kordinglab @fsmontenegro @tiago decentralized Bitwarden ftw
@hrbrmstr @gdbassett @kordinglab @tiago
That's what I lean towards. I need to find a way to support family usage (mobile devices, multiple browsers, ...).