• Any incident is stressful, and at this time of year is even worse. I feel really really bad for everyone involved.
  • Relying on users to pick a strong master password is not realistic. The #1Password approach appears to make more sense - force a secure default in the face of determined attackers who may ultimately succeed.
  • I suspect for many users the "notes" fields are more sensitive than their passwords. Passwords can be changed.
  • #LastPass will hopefully reflect on what design decisions drove them not to encrypt URLs, and if they have made any similar risk trade-offs elsewhere.
  • Attribution (if possible) matters here for all of our threat models.
  • I've seen little discussion of how the breach occurred, although the movement from dev environment->cloud backup is telling. The entire IT industry has walked itself into a cloud security nightmare, with easy-to-make mistakes or compromises having potentially severe consequences for many companies.
  • #Bitwarden appears marginally better than LP, but I'm not seeing anything fundamentally better? (see 2). More like out of the frying pan into a small pot.
  • I spent some time mucking around with Bitwarden self-hosted. Some of the guides to self-hosting I read were downright dangerous, and certificates were a problem. I'm unconvinced it's a realistic answer for all but a small few.
  • #infosec

    @securopean
    While I firmly believe a password manager is a good idea, the devil is in the details. The LastPass compromises have me thinking about some stuff
    around how that's set up and what my risks might actually be.

    Also what I should tell friends and fam that I know use lastpass.

    @ghost0x0 Absolutely, same here, and I'll be quizzed on this over Christmas. I'm currently (strongly) leaning towards the 1Password model when family ask me, but I don't know enough about the product yet to recommend it.

    @securopean
    I moved off of LastPass a while ago, but only just removed my LastPass about a month ago.

    I moved to Bitwarden; it's mostly what I recommend now. And I do tell people about KeePass also.
    And yea, upcoming random pop quizzes will happen.

    @ghost0x0
    Same here, using and recommending Bitwarden as well. While the password manager should be a solid piece of software, I find it equally important to also educate the person you recommend one to about the importance of the master password and how to choose a good one.

    @bloc @securopean

    Yea, solid on Bitwarden, but looking at it more deeply.

    @securopean

    So far, I am solid on Bitwarden, and that's what I recommend. BUT: I am more deeply looking at Bitwarden, and its model.

    @securopean Agreed. While I self-host Bitwarden (Vaultwarden, really) behind a ZeroTier network, I usually discourage people from doing the same unless they really know what they're getting into. (Self-hosting requires excellent backups, too.)

    @securopean I hate to pick a nit in the context of all your good work here, but I disagree that attribution matters, and especially that it matters to our threat models.

    What we know is one attacker was caught. We can't know their motives or what they'll do over time. We can make assumptions about those which (generally) lead to us convincing ourselves that all the very hard work of changing lots of passwords doesn't matter.

    @securopean Also, experimentally removing your CW in my boost as part of playing with Mastodon
    @adamshostack @securopean To put it another way, if Putin dies tomorrow, and Russia suddenly becomes a utopian state based on peace love and universal harmony, and all those Russian hackers disappear, the threat model hasn't changed.
    Maybe the likelihood of a regionally-exposed threat being exploited decreases, but that's a bit of a stretch, given how many other threat actors there are, and assuming that the knowledge escapes and is spread to parts of the world who still want in to your data.
    @adamshostack My thought process on this is that if I think through potential worst-cases as to what people might have stored, knowing who the attacker was and what their motivations potentially are may give some insight into what data will most immediately be at risk (e.g. will this be dumped somewhere for sale). I don't use LastPass so this is second-hand knowledge to me, but as I understand it the "notes" fields were essentially free-text. I wonder too how many people even know of this breach outside of our own echo chambers, and I see a bit of false security as well ("I have 2FA enabled on my vault").

    @securopean Take a look at the Mathematical Mesh. It is an infrastructure whose primary purpose is to manage private keys across multiple devices. It uses novel threshold cryptography to allow for a seamless user experience.

    The credential vault is end-to-end encrypted and only the user's endpoints ever have decryption capability.

    The system is designed to be resistant to certain types of supply chain manipulation of devices. It takes multiple compromises for any breach to occur.

    It is all open source and open specification and no proprietary service either. Open as in open.

    http://mathmesh.com/

    @securopean great thoughts. Thanks for sharing! I've heard plenty of people jump on the bash LP and promote BW. I appreciate the contrasting point of view.

    @securopean If you want to look at BW self hosted, check out Vaultwarden. Third party but, really, it should be the default option. Take a look at how that one's setup and configuration looks and feels?

    I'd also argue that, in my opinion, you don't want to pick a user's master password for them. That just means they'll compromise it by having to write it down somewhere, or leave some reminders because it's not memorable. Fundamentally, if a user can't follow security practices enough to come up with something better than "password1" as their barrier to all their data, I don't think it's the job of a password manager to get in the way. It's a password manager, not an all encompassing infosec auditor hired to point out every security misstep.

    @tek_dmn @securopean It might be a good idea to move to a more password-less approach. Have something like a Yubikey to unlock the main vault.
    But then we have another problem of cost, setting it up and keeping TWO of them in case you lose one. It almost seems unfeasible to have that happen :/
    @securopean we’ve been recommending Bitwarden for a while, ever since LastPass went to an almost-paid-only model. What would you cite as specific concerns with them, and should we consider recommending something else?
    @computercellar Hey, I haven't really looked into BitWarden, but I'm wondering what I'm missing when people say they are moving from LP to BW as the core product looks very similar to LastPass to me - encrypted online vaults, protected by user-chosen master passwords. (Obviously the self-hosted BitWarden has a different risk model, and might be a good option for someone who really understands what they are doing.). 1Password has made an attempt at finding a solution to the weak master password problem, and some of the other options mentioned here take different approaches (e.g. storing data in a personal vault only).
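    The two designs contrasted above (a vault key derived from the user-chosen master password alone, versus the "force a secure default" idea of mixing in a high-entropy secret that the service never holds) can be shown concretely. The following is an added example written for this page; it is not code from the thread, from LastPass, Bitwarden or 1Password, and it does not reproduce any vendor's actual scheme. It assumes PBKDF2-HMAC-SHA256 with an illustrative iteration count, an HMAC step to mix in a device-held 128-bit secret, a stored "key check value" as the thing an attacker tests guesses against, and a small constructed wordlist that happens to contain the weak master password "password1" that the thread mentions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed KDF work factor for this illustration only; real products pick their own.
KDF_ITERATIONS = 20_000


def derive_vault_key(password: str, salt: bytes, secret_key: Optional[bytes] = None) -> bytes:
    """Derive the 256-bit key that unlocks the vault.

    Password only: PBKDF2-HMAC-SHA256 over the master password, the plain
    'online encrypted vault, user-chosen master password' design.
    With secret_key: the same PBKDF2 output is keyed through HMAC with a
    device-held 128-bit secret that is never sent to the service, so a stolen
    backup cannot be attacked from password guesses alone.
    (Illustrative construction, not any vendor's real scheme.)
    """
    pw_key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=32
    )
    if secret_key is None:
        return pw_key
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def key_check_value(vault_key: bytes) -> bytes:
    """Stand-in for whatever lets an attacker recognise a correct key
    (here a MAC over a fixed string, stored alongside the vault)."""
    return hmac.new(vault_key, b"vault-check", hashlib.sha256).digest()


def offline_guess(check: bytes, salt: bytes, wordlist,
                  secret_key: Optional[bytes] = None) -> Optional[str]:
    """Offline dictionary attack on a stolen vault. The attacker holds the salt
    and the check value (both in the stolen backup); secret_key is only known
    in the scenario where the user's device was compromised as well."""
    for guess in wordlist:
        candidate = derive_vault_key(guess, salt, secret_key)
        if hmac.compare_digest(key_check_value(candidate), check):
            return guess
    return None


def simulate_breach(master_password: str = "password1") -> dict:
    """Constructed scenario: weak master password, stolen vault backup, and a
    tiny attacker wordlist (constructed sample data) containing that password."""
    wordlist = ["123456", "letmein", "password1", "qwerty",
                "correct horse battery staple"]
    salt = secrets.token_bytes(16)

    # Scenario A: vault key depends on the master password only.
    check_a = key_check_value(derive_vault_key(master_password, salt))
    recovered_a = offline_guess(check_a, salt, wordlist)

    # Scenario B: a 128-bit secret generated on the device is mixed in.
    # The stolen server-side backup does not contain it.
    device_secret = secrets.token_bytes(16)
    check_b = key_check_value(derive_vault_key(master_password, salt, device_secret))
    recovered_b = offline_guess(check_b, salt, wordlist)
    # Same vault, but the attacker also obtained the device secret: back to
    # relying on the master password alone.
    recovered_b_with_device = offline_guess(check_b, salt, wordlist, device_secret)

    return {
        "password_only": recovered_a,           # 'password1' falls to the wordlist
        "with_secret": recovered_b,             # None: guesses are useless without the secret
        "with_secret_and_device": recovered_b_with_device,  # 'password1' again
    }


if __name__ == "__main__":
    print(simulate_breach())
```

    The point the example makes is the one the thread circles around: with a password-only vault the stolen backup is only as strong as the weakest master password in it, whereas mixing in a secret the service never sees makes the backup alone worthless to an offline guesser. The cost is that the secret now has to be stored and backed up on the user's side, and a compromised device collapses the design back to the master password, which is the usability and recovery trade-off raised elsewhere in this discussion.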
    @securopean you’re only as secure as your master password, that’s for sure.

    @securopean I personally decided to selfhost BitWarden, largely because I trust myself to handle the inherited risks.

    It also gives me the luxury of telling those that I have added to it that the attacker would need some specific pieces of information to actually mount a credible attack, which I find unlikely.

    I also don’t think self hosting it is that difficult for those of us that know what to do, and encourage others to consider hosting it for their family as a way to protect them from themselves.

    @securopean Back in the day, 1Password had a brilliant peer-to-peer syncing feature. As long as both devices were connected to the same network, they would sync. No cloud was required. No self-hosted server was required. But that went away when they went subscription. Let's face it: This breach results from technical decisions driven by their business model to sell subscriptions. All password managers offering cloud-syncing are vulnerable to some extent.