Pour one out for all of the security practitioners who are going to have to spend the holidays patiently explaining that using a password manager is still good, actually, to people who have glanced at a headline about the latest LastPass breach.
@evacide and if people are so worried about that breach, they can always use an offline password manager, like keepass
@sabrinaweb71 @evacide or the one built into the browser
@sabrinaweb71 @evacide Been using KeePass portable for years.
I have two files, actually. One is 'Lite', which has the passwords (and notes) to simpler, more common, everyday places, like tech blogs or social communities.
The second I store on a thumb drive (plus backup in a volume file), that contains Lite plus the more "serious" passwords, like banks, paid services, Google (which I don't log in to that often) and so on.
@sabrinaweb71 @evacide
Keepass can be difficult to set up properly, I was going to write a blog on it.
@evacide ok but serious question: is LastPass less secure than other password managers? I hear about their breaches quite often.
@antimatter @evacide As a thirty-odd-year systems admin, I wouldn't touch LastPass with a ten-meter pole at this point. HOWEVER, I do use a password manager semi-religiously: KeePass/MacPass. It's a bit more complex than something like 1Password, but it means my passwords are in cloud storage of MY choosing - or not! and they're encrypted *before* being sent to the cloud. If I hadda pick one for the cloud, I'd say 1Password or Bitwarden. (1Password has the option to use 3rd party cloud 👍 )
@stonebear @antimatter @evacide people seem to underestimate the fact that not everyone is an InfoSec worker. It's fine to have those discussions among peers, but frankly it does a disservice to the larger audience. Having people using a password manager rather than not by itself is a huge win.
@tssalvador @antimatter @evacide True, _and_, when the fit hits the shan, _which one_ is important. I gave alternatives that would fit both the nerd and the ... less technically inclined, b/c I know different technical levels toot here. _However_, having one with major problems is worse than not having one at all; you're sitting there thinking you're being ubersafe and that sucking noise is your bank accounts being drained... people need to know which is what.
@stonebear @antimatter @evacide possibly yes. I think LastPass will be fine for most still, assuming that they don't fall for the phishing.. I have been a LastPass user since when Steve Gibson recommended it on Security Now over at @TWiT, although I have been tempted to switch to #bitwarden and might finally give it a go, but I tell you I'm already dreading it. The trouble it took me to convince my wife to use in lieu of her one "same password everywhere" approach has been horrendous
@stonebear @antimatter @evacide it's not like they can see the benefit for the "trouble" it causes
@antimatter @evacide All it means is that LastPass has detected and chosen to report when they are hacked. It's a GOOD thing that they are sharing this information. Many other tech companies either don't detect or don't report when they are hacked. For example, see: https://www.engadget.com/2017-10-17-microsoft-bug-database-hacked-in-2013.html
@sherridavidoff @antimatter @evacide Doesn't make it any better that they reported it because it's been a known flaw for years, and users should be more conscious of where they are putting their data in the first place
@antimatter @evacide @Il Ya, I have just seen plenty of other tech companies get hacked and sweep it under the rug. The recent trend toward more transparency is better. Bummer that they were vulnerable, but that's par for the course right now.
@antimatter @evacide all I'd say is look at the list of LastPass security incidents on their Wikipedia page 😖

@antimatter it's very secure, however it relies only on your master password to encrypt the data, inexplicably doesn't encrypt all of your data and has had a few issues with how they handle their own security. Others have a better track record.

https://cybernews.com/best-password-managers/1password-vs-lastpass/
@evacide

@antimatter Difficult question to answer. I hate it how LastPass consistently downplays issues when they make them public. Also, they definitely aren't great security-wise, and I've written on their shortcomings repeatedly.

Trouble is: other password managers aren't great either, particularly the commercial cloud-based providers. I've looked into many, and the only one I could somewhat recommend is 1Password. Yet 1Password also failed to migrate away from PBKDF2. So if they are hacked, password data for high-profile targets is certain to be decrypted.

@evacide

@antimatter Actually, turns out that 1Password solved this issue. They have an additional truly random key, so PBKDF2 is fine. See https://support.1password.com/secret-key-security/. @evacide
@WPalant @antimatter @evacide I have not read the white paper, but it is reasonable to assume the secret key is wrapped with a key derived from the password, using PBKDF2, and stored in the personal device. Is that the case?

@locksmithprime No idea, but I wouldn't know why it matters. As long as both the secret key and the password have to go into the derivation of the encryption key, one has to know both to decrypt. In fact, protecting the secret key with the password might make it easier to guess the latter, should the secret key data leak.

@antimatter @evacide

@WPalant @antimatter @evacide I understood that the secret key is in fact the data encryption key. The password would allow access to that key (by means of perhaps unwrapping). Thus the strength would eventually fall onto the password. But let me check the white paper.
@WPalant ok. The secret key is xored with the result of pbkdf to generate a wrapping key to wrap the actual data encryption key.
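The two-secret derivation the thread arrives at (the user's password run through PBKDF2, XORed with a device-held random secret key, and the result used only to wrap the real data encryption key), and the earlier point that an attacker holding the vault must know both inputs, as an added illustration. This is not 1Password's code and not code from anyone in the thread; the iteration count, the HMAC-based stretching of the short secret key to 32 bytes, and the HMAC-CTR-plus-tag wrap (a stand-in for a proper AEAD such as AES-GCM, used here so the example runs on the Python standard library alone) are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Assumption for this example only; not the parameter any real product uses.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32            # bytes of wrapping-key material
NONCE_LEN = 16
TAG_LEN = 32            # HMAC-SHA256 tag


def expand_secret_key(secret_key: str, salt: bytes) -> bytes:
    """Stretch the short, high-entropy secret key to KEY_LEN bytes.

    Assumption: a single HMAC-SHA256 keyed with the account salt. The secret
    key is random, so no slow KDF is needed on this branch.
    """
    return hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()


def derive_wrapping_key(password: str, secret_key: str, salt: bytes) -> bytes:
    """Password -> PBKDF2 (slow), secret key -> expanded, then XOR the two.

    Either input alone yields nothing usable: the XOR with a uniformly
    random secret-key branch masks the password branch completely.
    """
    from_password = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN
    )
    from_secret = expand_secret_key(secret_key, salt)
    return bytes(a ^ b for a, b in zip(from_password, from_secret))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for a cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(wrapping_key: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC the data encryption key under the wrapping key."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(wrapping_key, nonce, len(dek))))
    tag = hmac.new(wrapping_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(wrapping_key: bytes, blob: bytes):
    """Return the DEK, or None if the tag does not verify (wrong inputs)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(wrapping_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(wrapping_key, nonce, len(ct))))


def demo() -> dict:
    """Simulate a server-side breach: salt and wrapped DEK leak, secret key does not."""
    salt = os.urandom(16)                       # stored server-side with the vault
    secret_key = "A3-CONSTRUCTED-EXAMPLE-KEY"   # constructed; lives on the device only
    password = "correct horse battery staple"   # constructed
    dek = secrets.token_bytes(32)               # the key that actually encrypts vault items

    blob = wrap_key(derive_wrapping_key(password, secret_key, salt), dek)

    return {
        # The legitimate client knows both inputs and recovers the DEK.
        "legit": unwrap_key(derive_wrapping_key(password, secret_key, salt), blob) == dek,
        # A guessed password with the right secret key still fails.
        "wrong_password": unwrap_key(derive_wrapping_key("password123", secret_key, salt), blob) is None,
        # The correct password without the secret key fails too, so offline
        # guessing against the leaked blob cannot even confirm a candidate.
        "no_secret_key": unwrap_key(derive_wrapping_key(password, "", salt), blob) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The thing to notice in `demo()` is the third case: an attacker who has the leaked salt and wrapped key and who guesses the password correctly still gets a failed tag check, because the XOR with the secret-key branch means there is no password-only value to test candidates against. That is why the PBKDF2 iteration count matters far less in this design than it does when the password is the only input.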
@shokk As I learned, 1Password has a truly random secret key to complement user's password. Not as user-friendly, but then even PBKDF2 is in fact safe. @antimatter @evacide

@antimatter @evacide,

Disclosure. I work for 1Password, a competitor of LastPass.

The problem (in this case) is the consequence of being breached. We have built 1Password so the consequences for users of a similar breach would be minimal. There are real differences in the security architecture of different password managers that can make

I wrote about a relevant difference a year ago.

https://blog.1password.com/what-the-secret-key-does/

@evacide spent about 5 hours helping my mom change passwords 🫠
@particles @evacide I did the same recently... and then made a new KeePass file for the top 3 of hers to keep in escrow on her behalf. She still has trouble with the idea that her email address is the username for a different service, but she doesn't log into that service with her email password. And I won't let her make it harder by letting her use OAuth, which would be an exception to that rule where the email credentials actually do log her in to a third party.

@hutchinsonmini @evacide 1Password does have the feature where it can save that you signed into a site with OAuth but it got confused with one of the sites my mom used, saying that she used Okta to sign in but it wasn't -- it was just that website's signin system.

It is not a fun process to keep track of passwords.

@evacide @Steampunk_Prof Explaining to people that putting all your eggs in one basket really is a good idea, right after the basket's been run over by a truck.
@evacide I have always wondered about this. Given that the password manager has to send all your passwords to the browser in plain text, why not use the built-in password storing function of the browser? This would seem to reduce the attack surface?
@dwasmkuk @evacide But they don't, or am I misunderstanding you? The password manager "sends" the passwords encrypted to your browser and they're then decrypted when you view or fill the forms.
@troed @evacide that begs the question about the key used to encrypt the manager/browser comms. If the browser knows the key and is compromised, an attacker would have that key. Unless modern browsers have a dedicated API that allows pass through of encrypted passwords directly to the remote service?

@dwasmkuk The browser does not know the key - the user has to input it after a reboot / regularly etc. The strength of that user-known master password is what protects the (now leaked) vaults.

(I'm a LastPass user, with a very strong master password. I haven't done any mitigation, yet)

@troed do you enter the key/master password into the browser or into Lastpass?
@dwasmkuk LastPass plugin or LastPass binary installation on the platform. Your question was whether the browser _knows_ the master password (as it does when using a browser keystore) which it doesn't.
@troed how are the individual passwords passed over the plugin/browser interface? In plain text?
@evacide Cloud password managers… I don't know. Better to beat KeePassXC + cloud storage + encrypted drive into submission. And yes, I would pour one out for anyone explaining how to set that up across devices.
@evacide fortunately there are alternatives such as #Bitwarden, #Onepassword or others, but yes, password manager is a must have for everyone
@evacide If you ask me, nobody should use the breached one anymore. They kind of failed at their main responsibility.
@kev @evacide everyone is breached, it's a question of whether or not they know it.
@evacide I would, but migrating to bitwarden and changing countless passwords yesterday drove me to drink it all.
@evacide Honestly I wish I had that problem. My audience still isnโ€™t even aware of the concept.
@evacide I'm still telling people to just write down good passwords in a notebook. Not because online password managers are bad, but because they're not that usable for the tech-unsavvy, and they understand the threat model of a book.

@notecharlie @evacide I guess the only problem with that is a risk of leaning towards shorter, simpler passwords that are easier to type in every time you need them?

Other than that, passwords in a book definitely eliminates 99% of the credible threats out there. You're mostly just at risk from someone being after you, personally, who is willing to put a lot of effort and risk into accessing your accounts.

@evacide Pour one out for the usability researchers who are going to spend the holidays patiently explaining to the rest of the security community how all password managers fail users at the master-password creation step.
@MildlyAggrievedScientist @evacide I honestly don't know what's lacking, how would you improve that?

@hutchinsonmini @evacide they could train users to learn a strong master password or remove the need for a memorized password entirely.

See more in this thread:
https://mastodon.social/@MildlyAggrievedScientist/109570067261307863

@evacide I'm in this toot and I don't like it :(
@evacide I was hoping this would finally break infosec of this belief, but I think we'll need a couple more breaches, from the looks of it.

@evacide I would recommend KeePass for hackers and SafeInCloud for normies.

In both you maintain access to the password database yourself which is an extra layer of security.

Synchronisation between devices happens in your cloud of choice like Google Drive and both applications are free.

Why Password Managers are [Still] Safer than the Alternatives

If you're not using a password manager, you're likely compromising your security more than necessary. Here's why using one is safer.

Ask Leo!
@evacide I've tried getting my parents to use 1Password for years. They prefer a pocket sized spiral notebook written in pencil. 🧐
@evacide Yup. I've always trusted 1password way more w/ security than lastpass, and tried to get non-techie folks to use it. 1P is rock solid, even if the latest version has some questionable UX things going on.