LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites (theregister.co.uk)
Reader mask.of.sanity writes: A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which can completely compromise user accounts when users visit malicious websites. The flaw is today being reported to LastPass by established Google Project Zero hacker Tavis Ormandy, who says he has found other "obvious critical problems". Interestingly, Mathias Karlsson, a security researcher, has also independently found flaws in LastPass. In a blog post, he wrote that he was able to trick LastPass into believing he was on the real Twitter website and cough up the users' credentials because of a bug in the LastPass password manager's autofill functionality. LastPass has fixed the bug, but Karlsson advises users to disable autofill functionality and use multi-factor authentication. At this point, it's not clear whether Ormandy is also talking about the same vulnerability.
Expected (Score:2, Insightful)
Well, that's the cloud for you. Stop connecting stuff that doesn't need to be connected.
The best firewall: route to null
Re:Expected (Score:5, Informative)
The exploit doesn't seem to have anything to do with "the cloud". Once you're logged in to LastPass and your vault is downloaded, password decryption and form filling happen locally.
Re: (Score:3)
Then why give all your passwords to a third party in the first place? Seems like this is pretty much the expected outcome.
You're not supposed to use the same password on multiple sites, because if someone gets access to that password, they get access to all the other sites too. Thing is, by putting all your passwords in a keyvault behind a single password, you've done exactly the same thing!
If I'm going to make my passwords vulnerable by having one password that will get in to multiple sites, I'll do it the
Re:Expected (Score:4, Interesting)
If a site has shitty password storage and is compromised, that password is leaked and there are bots that try logging into other sites using the same credentials. By having different passwords for different sites you can prevent this.
There are password vaults that keep everything local if you are worried about security.
Re: (Score:3)
But this site DOESN'T keep it local, and that's exactly the point.
Re: (Score:2)
And it's still better than your terrible example of using a single password for all sites. Sites HAVE been hacked, other sites HAVE been logged into via bots because someone used the same credentials on multiple sites.
LastPass only stores an encrypted blob. Any decoding is performed client side.
Re: (Score:2)
And now there's one more site that can be hacked, and it will provide an "encrypted blob" that the attacker can easily decrypt and get your password for EVERY site, not just a couple.
Password managers that have ANY online component are a massive security breach. You'd be more secure using the same password you use for your password manager on all those sites independently, same password will compromise everything (no different from if the password manager is compromised) but you only have N sites that can b
Re: (Score:2)
If you can decrypt it using a password, so can they. If you can't, you might as well use a random number generator instead of a keystore.
Re: (Score:3)
Well, that's the cloud for you. Stop connecting stuff that doesn't need to be connected. The best firewall: route to null
Hey, don't blame the cloud. I'll state on record that I store my passwords in the cloud. I have a KeePassX database that syncs via ownCloud. But decrypting the database requires both my master password, and a key file that I only store locally. So even if the ownCloud server's breached, my data is not in danger. (As an extra precaution, I also encrypt everything before I put it in my cloud folder, but that's just paranoia.)
The problem again is LastPass. Nobody knows if their security practices are any go
Re:Expected (Score:5, Informative)
The problem again is LastPass. Nobody knows if their security practices are any good, and the attack surface is huge.
Well, their online security practices are relatively unknown, but they're also kind of beside the point. Yes, LastPass won't hand out someone's vault without some sort of authentication, but that's just fences around brick walls. The real means of security is in the client, which is the only part capable of decrypting the vault (decryption keys never being uploaded). The client source code is available and has been audited, so you can feel pretty good about that, short of the Ken Thompson hack or the possibility of the local computer itself being hacked (which, of course, would affect any password manager).
Re: (Score:2)
Compromising the account only gets them an encrypted blob -- only the client can decrypt it.
(Now, nothing says LastPass can't publish a subverted client, I've never heard how that is protected against).
Re: (Score:2)
Compromising the account only gets them an encrypted blob -- only the client can decrypt it.
(Now, nothing says LastPass can't publish a subverted client, I've never heard how that is protected against).
Somebody can brute force your master password once they have your encrypted vault.
Re: (Score:3)
One generally uses a long, complex password for their password vault (which is fine, since you only have to remember the one password). This, combined with PBKDF2 backed by SHA-256 iterations, means that it's not realistically possible to brute-force the vault before the sun goes out.
Re: (Score:2)
"One" might do that but what about "Two" or "Three"? Do they do that, too? I very much doubt it.
Re: (Score:2)
I have no idea. Probably not. They probably use "password1" for all their sites. Whom shall we blame for that?
Re: (Score:2)
One generally uses a long, complex password for their password vault (which is fine, since you only have to remember the one password).
No. One does not. Because one needs to repeatedly enter that password every time one accesses anything, from as menial as slashdot to as important as one's bank.
Plus one needs to be able to enter it on a smartphone too; again... repeatedly.
Remembering a long complex password is easy. Repeatedly entering it over and over and over again is painful. So the practical length of most people's vault key is relatively short.
So while my bank password is long and complex and random, and I don't even know what it is;
Re: (Score:2)
The difference is that using KeePass I can choose where I want to store the vault (in any random vendor's cloud or in no cloud at all), which means not only that I can pick the place with the security I prefer, but also that an attacker has a lot more places to look for it.
cloud password vault is vulnerable (Score:1)
Yeah most vapor is easily penetrable. Imagine what would happen to an airplane if it wasn't.
Would it really be incorrect to assume that keeping a local text file with your passwords is quite a bit more secure than anything in the Cloud?
Re: (Score:2)
How do you access your locally kept text file when you're not on your local desktop? That's the advantage that a cloud-kept password gets you. Of course it comes with the disadvantage that it may be more vulnerable, so some might say that the disadvantage isn't worth the advantage.
Re: (Score:2)
How do you access your locally kept text file when you're not on your local desktop?
Oh c'mon... Do I really need to spell out where you can keep a local copy?
Re: (Score:2)
So you're going to keep a local copy on your work computer, and your home desktop, and your cell phone, and your tablet, and your friend's computer, and your...
Re: (Score:1)
You've gone off the "deep end" with the absurdities there, buddy. You work for the IOC [slashdot.org]?
*sigh* I guess I do have to spell it out... Keeping it on my cell phone should be sufficient, wouldn't you agree? I mean, you know, I usually have that one with me, even when I'm on the shitter.
Re: (Score:3)
Reading my 30-random-character password off my cellphone and manually typing it in to my desktop is not my idea of a good time. Therefore, I use keepass and store the database on a cloud drive sync'd between systems so I can copy-paste on each.
Multifactor authentication is a datamining scheme (Score:2, Informative)
The entire "2FA" concept is simply an info grab masquerading as security theater. In what way is it supposed to improve my security by A: Giving a piece of information that is NOT strictly need-to-know to some random weirdo on the Internet, and B: Tying the security of that thing to said third-party service?
This is not security. This is simply an attempt to grab information masquerading as security theater. Real security has always worked based on the premise that a piece of information exists that is kn
Re: (Score:2)
People who don't understand encryption think it's a bad thing.
People who understand encryption shrug their shoulders. I don't care the slightest where my encrypted blobs of data end up.
It looks like the best system for my needs... (Score:2)
...is a notebook with usernames and passwords written down in it. Primarily because any system I use has to work on Linux, Mac, Windows, iOS, and Android.
I don't actually write down the password, but a description of it. "Usual, first letter cap, +9*3, without old First Sergeant's name" type of thing.
Not exactly... (Score:5, Interesting)
The headline says 'Lastpass accounts can be completely compromised'.
But this isn't a method of getting the Lastpass account password itself, it's a way of getting passwords for specific sites that the malicious site is trying to get passwords for.
That isn't 'completely' compromising the Lastpass account.
Re:Not exactly... (Score:4, Insightful)
Thank you for the sanity. So many derisive and uninformed posts, so much schadenfreude being shoveled out, and not enough basic factual information.
Another thing to consider is that a lot of sites seem to be designed that you can't just autofill to login. Nowadays you have to first click a login link which causes a dropdown form to appear.
I have to ask myself, of the say 10 most frequent sites that I use Lastpass to login to on a regular basis, could any other sites I've visited be ones attempting to maliciously impersonate those sites and steal my credentials? The likelihood is very small.
What's the answer? (Score:2)
Remembering lots of passwords is not possible for most people.
Keeping all the passwords the same is not smart.
Using a password vault seems logical, except that any such vault is a huge target for hackers. Certainly any vault in the cloud is just a disaster waiting to happen.
Two-factor authentication is probably the best solution -- unless your phone is at the bottom of the river, or your employer puts you in a spot where phone service is non-existent, like the basement. Of course, for those of you who are
Re: (Score:2)
Two-factor authentication is probably the best solution -- unless your phone is at the bottom of the river, or your employer puts you in a spot where phone service is non-existent, like the basement.
Some services (i.e. Google) allow you to have a backup phone number. So my advice is buy yourself a cheap Android phone with a pay as you go SIM just for these types of situations. It's cheap insurance. Some people even use a freedompop SIM which is totally free. So $50-$100 one-time cost for the phone [amzn.com] and $0 monthly cost.
Re: (Score:2)
Yes, getting a cheap feature phone just for this purpose is very tempting. That's a good idea.
Re: (Score:2)
Thank you for that information. I think the upside of this is that maybe it will prod people to take two-factor authentication more seriously.
By the way, never saw 21:19 before. I love it. Reminds me of 17.1.
Re: (Score:2)
The thing I personally dislike about two-factor authentication is that I have to give a bunch of people I don't even know, my phone number. However, it would be tempting to get a cheap feature phone just for this capability.
Ha! 17:1 is truly wise. I not only love 21:19, I lived it, for 19 years. :-)
Re: (Score:2)
Read about FIDO U2F to better inform yourself of the options that exist and where things should be heading.
Re: (Score:2)
That was informative. Thank you.
Re: (Score:2)
Keeping all the passwords the same is not smart.
Using a password vault seems logical, except that any such vault is a huge target for hackers. Certainly any vault in the cloud is just a disaster waiting to happen.
And therein lies the problem.
For a password vault to work, there has to be a way to access it. To secure it you need something like a password. So now you have one password that gets you in to the password vault, which then has the passwords for everything else.
This is no more secure than just using that same password on every site, in fact it's probably less secure as you now have one more site that can be compromised.
Why not a password hasher? (Score:5, Interesting)
Password managers seem like an inherently terrible idea, particularly online ones.
Can someone explain to me why password hashers are not more common? I've used one for years and really can't understand why nobody else does. Take the master password, append (a portion of) the site's domain name, and hash to arrive at a random password. There's only one password to remember, you get a unique strong password for every website, and everything can be done offline without storing anything anywhere. There are extra refinements to create new passwords to replace e.g. compromised ones, or conform to the site's password length and other requirements, but they are trivial. Extensions are available for browsers [google.com] and mobiles [google.com].
Re:Why not a password hasher? (Score:5, Informative)
Because password hashers are no more secure than password managers that auto-generate long random passwords. If an attacker steals your master password they still get everything. Due to the requirement to meet password length and other requirements, and to allow for changing compromised passwords you still need a file containing those details. There is no benefit over simply encrypting that file with the master password.
You are right about online password managers though, they are an absolutely terrible idea as multiple Lastpass breaches go to show. Use an offline password manager, optionally storing the encrypted file in the cloud if you need it to be portable, but with all the decryption happening outside your browser.
Re: (Score:2)
If an attacker steals your master password they still get everything.
True, but how exactly would they get your master password? You never need to enter it anywhere online, just your offline, one-way hashing algorithm. Obviously keeping this one master password safe is extra important, but as you only need to remember one, you can probably afford to give it a bit more entropy.
Due to the requirement to meet password length and other requirements, and to allow for changing compromised passwords you still need a file containing those details. There is no benefit over simply encrypting that file with the master password.
Except this file does not need to be secure in any way.
Re: (Score:2)
If you have to have a file on your local drive, what's the benefit to the cloud portion?
And if the cloud portion allows you to download the file you need locally to a new machine, what's the benefit to the file on the local machine?
I'm sorry, one way or the other it's a stupid idea.
Re: (Score:2)
The key file doesn't change, the password vault file will change as you add and change passwords.
You manually copy the key file locally to any device you want to be able to open the vault.
The vault itself is synced via a cloud service so all devices can access the latest passwords.
If someone were to get into your cloud storage they could get the vault, but not the key.
This method doesn't protect against locally exploited or physical access, but it stops online security breaches.
Re: (Score:2)
So, as I suspected, there's no reason to have the cloud portion, you're better off just having the passwords stored locally as it's MUCH more secure.
Re: (Score:2)
"Even if my password is keylogged, I have another layer of security insofar that the attacker needs to also be able to access my local drive"
If there's a keylogger on your system, your hard drive is likely compromised as well, given how most malware works nowadays.
Re: (Score:3)
True, but how exactly would they get your master password? You never need to enter it anywhere online, just your offline, one-way hashing algorithm.
Exactly the same as an offline password manager, so no benefit.
Except this file does not need to be secure in any way.
It does. If someone has your salt and the URL of the site, and say that site gets compromised so they have the hash of your hash too. Now they can brute force your master password, and then get into every other site you used it with, and your file has a handy list of URLs where it will work.
It's actually worse than using the master password to encrypt the password file. It's less convenient too; with an encrypted file you can store the user name
Re: (Score:2)
True, but how exactly would they get your master password? You never need to enter it anywhere online, just your offline, one-way hashing algorithm.
Exactly the same as an offline password manager, so no benefit.
Right, compared to an offline password manager there's no security benefit. I use KeepassX for a few high-security things like financial accounts, but find offline password managers much less convenient for everyday stuff. With a password hasher you can use a JavaScript version from anywhere. (Yes, keyloggers would be an issue. And I host my own copy to make sure it's not backdoored.)
Except this file does not need to be secure in any way.
It does. If someone has your salt and the URL of the site, and say that site gets compromised
...or they are the site owner...
so they have the hash of your hash too. Now they can brute force your master password, and then get into every other site you used it with, and your file has a handy list of URLs where it will work.
First of all, in practice I don't back up the settings file anywhere, as almost all sites wor
Re:Why not a password hasher? (Score:4, Interesting)
Say there is a security breach and you are forced to update your password. With your hasher you now need to update every single site to use the new password.
With a password vault with unique passwords for every site you change the password for that single site and you're done.
Re: (Score:2)
Say there is a security breach and you are forced to update your password. With your hasher you now need to update every single site to use the new password.
No, you have at least two options:
1. Change the site tag. For example, on the Password Hasher Chrome extension, you can hit the "Bump" button which replaces "slashdot" with "slashdot:1" and gives you a new unique password. The new tag gets stored in the extension settings. I don't use this but it works, and would be good for sites that actually require periodic password updates.
2. Change your master password for that site only. I use a completely different master password for the two or three sites which I
Re: (Score:2)
With the first option, you introduce the need for some state information that you need to store and forever be able to retrieve (and possibly sync between your other devices). You now need a persistent database and you've lost any advantage over just encrypting random passphrases.
The second option starts to move you away from the simplicity of having a single passphrase to remember and eventually leads to just as complicated a situation as just memorizing different passwords for different sites. What happen
Re: (Score:2)
With the first option, you introduce the need for some state information that you need to store and forever be able to retrieve (and possibly sync between your other devices). You now need a persistent database and you've lost any advantage over just encrypting random passphrases.
Well, maybe. But this state is not highly confidential so you can for example let Chrome store it in the cloud. In practice the number of times a password change is required is small (at least for me), so you can either brute force it (bump until you find the right password) or reset your password if this happens.
The second option starts to move you away from the simplicity or having a single passphrase to remember and eventually leads to just as complicated a situation as just memorizing different passwords for different sites. What happens as the list of compromised accounts increases and some accounts are compromised a different number of times?
Again I see your point. But I've used this system for close to a decade now and I'm only using two master passwords so far. How many passwords have you memorised in the last ten years?
I should emph
Re: (Score:2)
I actually like your hash system quite a bit, which is why I'm trying to poke holes in it!
I haven't had to change passwords often and I keep them in an encrypted database instead of memorizing them. I've lost the entire database or some of the entries in the past, so I like the idea of being able to reconstruct the passwords without needing an encrypted list of them. I'll be keeping the encrypted database anyway, because I store other information in it, but generating the passwords with the hash method coul
Re: (Score:2)
Less than a half dozen. One for the password vault, encrypted phone unlock, PC login, work login and one or two others I'm forgetting. The rest are all just random unique passwords per site.
One issue I see with your hash is using it for sites that have piss poor password policies such as your password can't be over X charact
Re: (Score:2)
One issue I see with your hash is using it for sites that have piss poor password policies such as your password can't be over X characters long, or it has to contain letter, number, and limited list of symbols, etc. Your hash could possibly not match the requirements. What do you do in this case?
The final step of the hashing algorithm maps the resulting hash into a character string. The algorithm allows you to customise this mapping to use only a given subset of characters, or given length. Using this feature will require you to store this metadata in your state file, because you rarely get reminded of these password limitations at login, only at registration. Fortunately these sites are rare; the default policy of 8 characters with alpha + numeric + special – and the algorithm makes sure you
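An added example, my own code rather than the Password Hasher extension's, covering the scheme from the "Why not a password hasher?" post, the Bump tag, and the per-site character policy mapping described just above. It assumes PBKDF2-HMAC-SHA256 with a fixed application salt in place of whatever hash the extension uses, so that the brute-force concern raised earlier in the thread costs an attacker one slow KDF call per master-password guess.

```python
import hashlib
import string
from dataclasses import dataclass

# Character classes used when mapping hash output to a password string.
LETTERS = string.ascii_letters
DIGITS = string.digits
SPECIAL = "!#$%&*+-=?@^_"

# Assumed parameters (my choice, not the extension's): a slow KDF instead of a
# plain hash, so that someone holding one derived password and the site tag
# pays this cost for every master-password guess.
KDF_ITERATIONS = 100_000
APP_SALT = b"example-hasher-v1"  # constant; distinguishes this tool's outputs


@dataclass(frozen=True)
class Policy:
    """Per-site password requirements; this is the non-secret state file data."""
    length: int = 8
    allowed: str = LETTERS + DIGITS + SPECIAL
    required: tuple = (LETTERS, DIGITS, SPECIAL)


DEFAULT_POLICY = Policy()


def site_tag(domain: str, bump: int = 0) -> str:
    """Per-site tag; bump > 0 appends ':N', like the Bump button in the thread."""
    domain = domain.lower()
    return f"{domain}:{bump}" if bump else domain


def derive_bytes(master: str, tag: str) -> bytes:
    """master + tag -> 32 deterministic bytes via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                               APP_SALT + tag.encode("utf-8"), KDF_ITERATIONS, 32)


def bytes_to_password(raw: bytes, policy: Policy) -> str:
    """Map 32 bytes to policy.length characters drawn from policy.allowed.

    The bytes are read as one 256-bit integer and expanded in base
    len(allowed); for the lengths sites accept this is uniform to far better
    than 2^-100, avoiding the per-byte modulo bias of raw[i] % len(allowed)."""
    n = int.from_bytes(raw, "big")
    base = len(policy.allowed)
    out = []
    for _ in range(policy.length):
        n, idx = divmod(n, base)
        out.append(policy.allowed[idx])
    return "".join(out)


def satisfies(password: str, policy: Policy) -> bool:
    """True if password has the required length, alphabet and character classes."""
    return (len(password) == policy.length
            and all(c in policy.allowed for c in password)
            and all(any(c in cls for c in password) for cls in policy.required))


def hash_password(master: str, domain: str, bump: int = 0,
                  policy: Policy = DEFAULT_POLICY) -> str:
    """Derive the site password. If a mapping misses a required class, re-derive
    with an attempt counter folded into the tag; the result stays a pure
    function of (master, domain, bump, policy), so nothing secret is stored."""
    if not all(any(c in policy.allowed for c in cls) for cls in policy.required):
        raise ValueError("policy requires a character class it does not allow")
    tag = site_tag(domain, bump)
    for attempt in range(64):
        candidate = bytes_to_password(derive_bytes(master, f"{tag}#{attempt}"), policy)
        if satisfies(candidate, policy):
            return candidate
    raise RuntimeError("policy too restrictive to satisfy")  # practically unreachable


if __name__ == "__main__":
    # Constructed sample: one master password, two sites, one bumped after a breach.
    master = "correct horse battery staple"
    settings = {  # the non-secret per-site state the thread argues about
        "slashdot.org": {"bump": 0, "policy": DEFAULT_POLICY},
        "example.com": {"bump": 1, "policy": Policy(length=12, allowed=LETTERS + DIGITS,
                                                      required=(LETTERS, DIGITS))},
    }
    for site, cfg in settings.items():
        print(site, hash_password(master, site, cfg["bump"], cfg["policy"]))
```

Bumping a site changes only that site's output, and the settings file holds nothing an attacker could not already guess from the list of sites you use.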
Re: (Score:1)
Randomly generated passwords are more secure than ones based on fixed values that are hashed without salt.
Of course, you're right that online password managers are not secure.
Same vulnerability every password manager has (Score:4, Insightful)
Re: (Score:2)
Stop trying to dismiss terrifying news articles by using common sense.
Re: (Score:2)
It's a slightly different problem. Imagine a site with a hidden login form that impersonated Twitter and made Lastpass auto-fill your Twitter username and password. So at a minimum you should disable auto form filling in Lastpass.
Now imagine an ad network serving up this malware to millions of people.
Where is the Bad Summary Tag? (Score:1)
Re: (Score:3)
This problem isn't specific to LastPass. If a bogus site is masquerading as the real site, any system that doesn't have extensive site validation checks will fail, including and especially, remembering passwords.
The vulnerability isn't just phishing somebody's login. It's exploiting a bug in the LastPass client that allows you to compromise the user's account after phishing for just an individual site password.
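An added example, not LastPass code, of the one decision an autofill component has to get right for the hidden-form scenario discussed above: compare the saved entry's origin with the origin of the page (and of the frame holding the form) exactly, rather than by any looser match. The cases and the "evil.example" host are constructed for illustration.

```python
from urllib.parse import urlsplit


def normalize_origin(url):
    """Return (scheme, host, port) for an http(s) URL, or None if it is not one."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, host, port)


def should_autofill(saved_url, page_url, frame_url=None):
    """True only when the top-level page has the same origin as the saved entry
    and, if the form lives in a frame, that frame is same-origin with the page.
    Lookalike hosts, an http downgrade, userinfo tricks and third-party
    iframes all return False."""
    saved = normalize_origin(saved_url)
    page = normalize_origin(page_url)
    if saved is None or page is None or saved != page:
        return False
    if frame_url is not None and normalize_origin(frame_url) != page:
        return False
    return True


# Constructed cases: (saved entry, top-level page, form frame or None, expected).
CASES = [
    ("https://twitter.com/login", "https://twitter.com/", None, True),
    ("https://twitter.com/login", "https://twitter.com:443/home", None, True),
    ("https://twitter.com/login", "http://twitter.com/", None, False),
    ("https://twitter.com/login", "https://twitter.com.evil.example/", None, False),
    ("https://twitter.com/login", "https://twitter.com@evil.example/", None, False),
    ("https://twitter.com/login", "https://evil.example/?next=twitter.com", None, False),
    # real login page framed inside an unrelated site: the page origin wins
    ("https://twitter.com/login", "https://evil.example/", "https://twitter.com/login", False),
    # unrelated frame embedded in the real site (e.g. an ad slot): still no fill
    ("https://twitter.com/login", "https://twitter.com/", "https://evil.example/frame", False),
]


def run_cases(cases=CASES):
    """Return the cases whose decision does not match the expectation (empty if all pass)."""
    return [c for c in cases if should_autofill(c[0], c[1], c[2]) != c[3]]


if __name__ == "__main__":
    for saved, page, frame, expected in CASES:
        print(f"{page!r:45} frame={frame!r:30} fill={should_autofill(saved, page, frame)}")
    assert not run_cases()
```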
Long Since Patched by LastPass (Score:1)
Clickbait Title (Score:1)
Yes, it's important, but the title's present tense is a lie: "LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites "
Solution: Use the right OS (Score:1)
Seems to me this very problem is what operating systems like Qubes were designed to address.
Since you can run the browser in two different environments for different purposes, it is possible that you only have Lastpass accessible when you're visiting trusted websites and you use the browser in the "untrusted" environment which does not have access to Lastpass when you surf random sites.
Then for someone to use this method to get your passwords, they have to hack a website you consider trusted.
Problem solved
Re:FUCK MILLENNIAL SNOWFLAKES (Score:4, Insightful)
Using a password manager is ideal. The problem is using LastPass specifically is dumb; it's proprietary and closed source, so nobody has any idea what's going on with those passwords, nor if the company behind it is using optimal security practices. It plugs into your browser, so the attack surface is basically your entire computer.
Use a FOSS password manager that stores your passwords locally (i.e. does not connect to the Internet) and through an encrypted hash, like KeePass. LastPass is a bad idea on a number of levels.
Re: FUCK MILLENNIAL SNOWFLAKES (Score:5, Informative)
Actually, closed source software is better. If there's a vulnerability in open source software, anyone can look at the source code, find the security holes, and then exploit them. Closed source software is definitely far more secure.
... in other words, security by obscurity. That's not a discredited practice or anything. [schneier.com]
Re: (Score:3)
No. It uses a standard, well known encryption algorithm - specifically https://en.wikipedia.org/wiki/... [wikipedia.org] and https://en.wikipedia.org/wiki/... [wikipedia.org] as stated here https://lastpass.com/how-it-wo... [lastpass.com] so the encryption technique isn't security by obscurity. That took a total of 10 minutes to find out, and that isn't what was broken.
Re: (Score:2)
No. It uses a standard, well known encryption algorithm - specifically https://en.wikipedia.org/wiki/... [wikipedia.org] and https://en.wikipedia.org/wiki/... [wikipedia.org] as stated here https://lastpass.com/how-it-wo... [lastpass.com] so the encryption technique isn't security by obscurity. That took a total of 10 minutes to find out, and that isn't what was broken.
I wasn't talking about LastPass, I was responding to the person arguing that closed source is inherently more secure.
Re: (Score:2)
You're a dumbass. But I expect nothing else from a millennial. Closed source is one layer of security along with memorizing passwords and encryption. Removing any layer of security is stupid. Opening up the source so anyone can find vulnerabilities and exploit them is as stupid as removing encryption and storing passwords plaintext. You millennial snowflakes really are pretty stupid.
That's funny, I didn't know Bruce Schneier was a millennial. Oh well. Use closed source security solutions if you like. After all, why use something FOSS that you can patch in minutes when you can wait for your vendor to take their time and do it for you? [pcworld.com]
Re: (Score:2)
...After all, why use something FOSS that you can patch in minutes when you can wait for your vendor to take their time and do it for you? [pcworld.com]
Not everyone is Microsoft, the company fixed it overnight.
But that's the problem. I have to *trust* that they'll proactively and competently fix security holes. That's the inherent flaw in proprietary security patches.
Re: (Score:2)
"Trust" is subjective. I have to "Trust" someone.
Re: (Score:2)
"Trust" is subjective. I have to "Trust" someone.
But apparently the OP doesn't have to trust anyone... In which case I'm pretty sure that before using his computer he reads and comprehends every single one of the millions of lines of code that comprise his open source software stack before compiling and using it on his open source hardware which he has painstakingly verified with a TEM after going through the RTL source to make sure the fab wasn't trying to subvert his privacy.... All while being wrapped in a giant tinfoil snowball orbiting Pluto to keep
Re: (Score:2)
Using open source doesn't guarantee that you or anyone else will be able to or can be bothered to fix it. We are not all experts at every aspect of every open source software we use.
But that's the beautiful thing about open source. A bug is reported, and for whatever reason the maintainer won't fix it (incompetence, laziness, untimely death, etc.). You can recompile the project yourself with the fix. I did this very thing with a Thunderbird extension that the maintainer forgot about but broke with a new TB release; somebody left the fix in the reviews.
If Microsoft or some other company declares a project EOL, no luck in hell you're getting that fixed.
Re: (Score:2)
YHBT (twice). YHL. HAND.
I'm aware he's trolling, but if it gives me an opportunity to open up the discussion to people reading the thread, why not take advantage of it?
Re: (Score:2)
KeePass is not necessarily safer: http://www.harmj0y.net/blog/re... [harmj0y.net]
Why don't you read the article you quoted?
"To reiterate from the last KeePass post, KeePass is not “bad” or “vulnerable” – it’s a much better solution than what we see in many environments, and the developers did pretty much everything right when coding it (including strong in-memory protections and DPAPI). Still, some admins/companies sometimes tend to see solutions like this as a silver bullet, so one point of this post is to (again) show that practical attack vector
Re: (Score:2)
> store your passwords locally and through an encrypted hash
I'm a cryptographer and I don't know what that means.
If I presented the encrypted hash of my password to a web site, it would tell me my password is wrong.
The storing of a hash of a password, encrypted or not is the business of the authenticator at other end.
Maybe you meant to say: A password manager should encrypt, integrity protect and store your passwords locally.
Re: (Score:2)
It leads to password reuse, very weak passwords, written down passwords, forgetting to change your passwords at least yearly, etc.
Only if your memory is complete shit. Maybe you should lay off of the drugs.
I take it you have 30+ instances of stuff like P8i*SDz=!E4i^\4#b}~A45kcHf^^S remembered?
Re: (Score:2)
I try to have secure passwords for everything, but some of the things I have issues with are all of the changing requirements for each website, password length limits, etc. It is hard enough to come up with secure passwords that are different for every site that you can still remember (usually involving some sort of algorithm that changes the password on a site-by-site basis but still is rememberable).
It is far more difficult to remember hundreds of passwords when 20 of them have a password character limit
Re:FUCK MILLENNIAL SNOWFLAKES (Score:5, Funny)
All millennials suck. I hate millennial snowflakes. Just remember your damn passwords and you'll have no trouble. Fuck millennials and their lazy security. Die in a fire.
Yea guys we millennials should remember our 200 passwords the same way the tech savvy Gen X people do...make them all the same! Or better yet, do what I already see everyone else doing and write them all in a notebook and keep in your top desk drawer. Sooo much better than us millennials and our lazy security...
True story: somebody told me once that he made all of his passwords his social security number, because he was tired of remembering so many. If the site required letters in addition to numbers, he would suffix it with his initials.
Even more horrifying than that, his email address was his full name and birth year @ hotmail.com...