"This comes just months after LastPass confirmed that hackers had stolen some of its source code in August and had access to LastPass’ internal systems for four days before getting detected. It looks like this new attack is connected, as Loubba says it determined that hackers gained access to user data “using information obtained in the August 2022 incident.”"
Just read it looking for that extra info and not seeing it? The blog post and this article seem to have the identical information in them. The blog post is in a series, so for background on the "four days in August" you can scroll down.
It's certainly not acceptable that all they are saying is "certain elements of our customers’ information." Very unacceptable: if it's credit card numbers or home addresses, they have to reveal that. The current language makes it look like they want to hide some kind of very bad news, which is worse. Also, their August post indicated that the developer account that was compromised had no access to customer data, so why exactly was that wrong?
Just a reminder: if you are deciding to migrate from LastPass to something else, the password export malfunctions for unknown reasons. If you have memos, it could be a character in the memo.
You must make sure the exported CSV file has everything!
This really hurt me last year, when I migrated away. I didn't realize at the time how much didn't come with, so I've been playing the reset / recovery game since.
I feel your pain. I switched to KeePassXC, and will never use an online password manager again.
For a password management company, they can't even be bothered to fuzz their export functionality. QuickCheck works unreasonably well on `import(export(a)) == a`.
But maybe it's intended to be buggy, in order to keep you in their walled garden. Clearly the sync between devices works, so they have solved this problem.
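A round-trip check of the kind the comment above describes, written as an added example (not LastPass's code and not QuickCheck): a correct CSV exporter/importer, a constructed buggy exporter that HTML-escapes values before writing (modelled on the mangled-ampersand reports in this thread), and a randomized search for inputs where `import(export(a)) != a` using only the standard library.

```python
import csv
import html
import io
import random
import string
from dataclasses import asdict, dataclass
from typing import Callable, List, Optional

FIELDS = ["url", "username", "password", "notes"]


@dataclass(frozen=True)
class Entry:
    url: str
    username: str
    password: str
    notes: str


def export_csv(entries: List[Entry]) -> str:
    """Correct exporter: csv.DictWriter quotes commas, quote characters and
    embedded newlines, so any string value survives the trip."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for entry in entries:
        writer.writerow(asdict(entry))
    return buf.getvalue()


def buggy_export_csv(entries: List[Entry]) -> str:
    """Constructed defect for the example: values are HTML-escaped before they
    reach the CSV layer, so '&' becomes '&amp;' and '"' becomes '&quot;'."""
    escaped = [
        Entry(**{k: html.escape(v) for k, v in asdict(e).items()}) for e in entries
    ]
    return export_csv(escaped)


def import_csv(text: str) -> List[Entry]:
    reader = csv.DictReader(io.StringIO(text))
    return [Entry(**row) for row in reader]


# Generator alphabet deliberately rich in the characters that break naive exporters:
# ampersands, quotes, angle brackets, delimiters and newlines (memo-style content).
ALPHABET = string.ascii_letters + string.digits + "&\"'<>,;:=% \n"


def random_entry(rng: random.Random) -> Entry:
    def field() -> str:
        return "".join(rng.choice(ALPHABET) for _ in range(rng.randint(0, 16)))

    return Entry(field(), field(), field(), field())


def roundtrip_ok(exporter: Callable, importer: Callable, entries: List[Entry]) -> bool:
    """The property under test: importing an export yields the original vault."""
    return importer(exporter(entries)) == entries


def find_counterexample(
    exporter: Callable, importer: Callable, trials: int = 300, seed: int = 1
) -> Optional[List[Entry]]:
    """Property-based search: returns the first vault that fails the round trip,
    or None if every randomly generated vault survived."""
    rng = random.Random(seed)
    for _ in range(trials):
        entries = [random_entry(rng) for _ in range(rng.randint(1, 4))]
        if not roundtrip_ok(exporter, importer, entries):
            return entries
    return None


if __name__ == "__main__":
    print("correct exporter counterexample:", find_counterexample(export_csv, import_csv))
    print("buggy exporter counterexample:  ", find_counterexample(buggy_export_csv, import_csv))
```

The same harness works for any exporter/importer pair; the point is that a failing vault is handed back to the reader instead of being discovered during a migration.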
This is years ago now, but every ampersand in my passwords came across wrong. I can't recall if it was missing or url encoded, but even passwords weren't safe.
Well, this completely explains where one of my Truecrypt volume passwords disappeared to after migrating away from LastPass years ago. Too bad the account has long since been deleted.
Also if you try to export multiple times it will start spitting out exports full of duplicates. Only safe way is to export right after a fresh session login.
I just exported my own vault with the latest version, it was ok for me. I have plenty of passwords with all kinds of special characters. Still, be sure to review the CSV file. If anything looks weird, double check that the password is the same in your LastPass vault. As with all backups/exports, you should always do a sanity check of the data.
One issue I ran into: the CSV file that "downloaded" in the browser didn't have all of my passwords, only ~20 of ~400. I had to copy and paste the CSV text in the browser to a new CSV file with a text editor. But upon reviewing that, the format of the passwords was fine.
I had a problem not with the password data but with the content of some notes (or whatever it is called in LastPass)
I have been a paying customer of LastPass for about 15 years. I moved to Bitwarden for all sorts of reasons. I work in technical information security, so it was also for that reason (but not only).
Maybe I lucked out? I migrated to Bitwarden early this year and so far all of my passwords have worked. I also made sure to compare the site entries in both. One thing that can't transfer were attachments in LastPass secure notes. So I had to download each one individually and upload them to Bitwarden.
Yeah, in any migration—if you can—it's good practice to run both simultaneously for a while until you're convinced you've checked everything and you're ready to drop the old for the new without much downtime.
1Password. The largest feature disparity is 1password is designed and built by competent engineers. The history of breaches and technical mistakes Lastpass has made over the years is amazing for a tech company let alone a password manager.
Used BitWarden for years, happy with it. Recently switched to Nord Pass, also happy with it. Not sure about feature disparity though, just mentioning some ideas in case you're researching alternatives.
My wife and I switched from Lastpass to Bitwarden early this year. Glad we did, considering all the news! Password sharing is different, since you have to make a group/organization and share the password in there. But once that was figured out, it's been a better experience with less bugs. It doesn't look slick, but it's more functional.
> We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.
EXACTLY why so many companies opt to stay on-prem, to the amazement and bewilderment of every vendor sales rep that calls on the phone.
Go ahead and ask them which Cloud providers their company uses. Ask them which open-source libraries their SaaS uses. Ask them to show you the audits they've performed on THEIR supply chain this year. You won't get any answers.
So sick and tired of everyone jumping on the "more links in the chain is better" bandwagon.
> Ask them which open-source libraries their SaaS uses. Ask them to show you the audits they've performed on THEIR supply chain this year. You won't get any answers.
Well, even with private cloud and on-prem these are pretty relevant questions...
I worked with a government organization where I was part of the team on-boarding a new on-prem system. It was purchased through a tender, where on-prem was a requirement. The product was SaaS by default, but they offered an on-prem version. We pretty much got a copy of the stack of containers and docker-compose file that they used to run their SaaS offering.
While running the application, I was missing a lot of context, since logging was minimal, so I asked the company how to connect a log store to get an overview of all the sub-systems. There was no option for this (then how did they monitor their SaaS?). So I used docker to get a command line in the containers and see if I could find some logs there to then get into a log store. In one of them, I noticed an error because something in the container was trying to phone home with telemetry, to a server that wasn't owned by our supplier. 'Luckily', our on-prem box didn't have an internet connection, because of the sensitivity of our data.
This was when I realized that our supplier didn't roll their own containers, but just used off the shelf stuff they didn't even audit. So who knows what their SaaS offering was leaking from these containers? I mentioned this to both internal IT architects and the supplier and nobody really seemed to care.
This is a supplier that was named 'Leader' by Forrester and got a $30M funding round last year.
And, to be fair, it's a large part of the Docker experience.
I recently had a pretty much identical experience with a vendor that is industry leading in their sector and counts most large companies among their customers. Just imagine what their cloud looks like.
A supply chain attack on these guys wouldn't even be difficult, and the only reason I can imagine we haven't heard about it is that we just haven't heard about it.
LastPass blog post on Sept 15 said the hack was accomplished with a compromised developer machine:
> Our investigation determined that the threat actor gained access to the Development environment using a developer’s compromised endpoint. While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication.
This is similar to other recent hacks, e.g. where a crypto company was hacked when a developer opened a malicious PDF he thought was a job offer.
So, in other words, being on cloud vs. on prem, and potential supply chain hacks, had nothing to do with it.
So sick and tired of everyone jumping to conclusions to fit their preconceived notions of what is good/bad when it comes to security.
When you're on prem you only have to worry about your own employees opening sketchy PDFs. When you're not, you have to worry about everyone in your supply chain opening sketchy PDFs.
Nevermind the fact that the next time a major world conflict occurs, the big 4 cloud providers will probably be destroyed, taking about 90% of the western economy with it.
This + the fact that privacy regulations are on the rise will make SaaS providers adapt to a world where customers data cannot be kept on the SaaS prem.
I would suggest splitting this problem into two different problems: the processing ("data in use") vs. data at rest. Each of these problems should be tackled with a different solution/approach.
I'm working on tackling the second approach, and if anyone wants to talk just reach out (reply/mail/link/whatever you prefer).
This was the immediate and exact same thought I had the moment I read the first sentence of the post. Then I stopped reading. Clearly this was not an engineering decision, and passwords should be trusted to no one but competent engineers and cryptographers.
Product idea! A little e-ink display (let's call it a Password Storage Device or PSD) with a tiny processor and enough memory to store all your passwords. Make them cheap enough that you can have a few redundant copies in various places.
- OS sees the device as a keyboard
- Two versions. One with Bluetooth, and one with only USB for a little more security.
- Open source software package to sync your collection of PSDs
- Open source browser extension to autofill passwords
- Tiny keyboard on the device (detachable to share between your collection?)
Usage:
1. Install browser extension
2. Navigate to a password field
3. Follow prompt to populate password
Alternate usage:
1. Manually search for password using the device keyboard
2. Click into password field in browser
3. Press button on device to have it type the password
Or of course you could just view the password on the device if you prefer.
No offense, but this is such a hacker solution. :) And as mentioned, already exists in many forms.
Passwords and login credentials are dead. No user wants to deal with them. Password managers are a solution to somewhat sanely and securely manage this complexity, and not something that the average user wants to think about. In that sense, they don't improve security overall, and introduce many other issues (a centralized honeypot, in the case of services like LastPass).
The industry has been trending towards OTP, FIDO, WebAuthn, and all sorts of identity solutions, instead for years now. It's clear that nobody wants to manage credentials, and having a separate security device is not something mainstream audiences will adopt, so maybe by integrating it with smartphones, this will finally catch on.
It will likely take years for most of the industry to move away from passwords, and we'll likely still require traditional credentials in some cases. The myriad of standards out there is a hurdle for adoption, but it feels like we're settling on something that might be usable for everyone.
Considering that 99% of web app password authentication reduces to email authentication via ‘forgot password’, a good first step would be dropping the password and just using emailed tokens (or links) directly.
You would also likely need a way to get this to work on a mobile phone too. I know from personal experience that there is plenty of times nowadays that I end up logging in to various places using my password manager (not lastpass) on mobile.
You could have it MITM between your keyboard and computer. Depending on the mode it records your key presses to an entry, or replays an entry. Otherwise it just passes through.
Probably just needs a screen and like 3 buttons: record/play/navigate mode (use your keyboard to actually navigate).
I won't lie but I lost you in the steps mentioned here. Finally, IMO, people just want auto-fill/auto-logged in instances without having to enter OTP/type password/do 2FA etc. No matter how you slice it, that's the way people want. Now, how do I compress all these requirements within the boundaries of what is acceptable as a provable source of identity, it becomes a harder problem than you describe.
PS: I have worked in computer security and I am drunk. Eat your salt
If you're a lastpass user, might be wise to avoid logging into lastpass until they update with a resolution - if the attackers got into the build server they could craft attacks that would exfiltrate passwords after user decrypts
Fuck. If you're a lastpass user, you kind of don't have a choice. I can't log into accounts I use for socializing, work, banking, etc. without lastpass
I just spent a couple of hours resetting my most important passwords and writing them down on paper.
Won’t be touching LastPass again except offline, while I figure out where to go from here. I had been putting off finding a better password manager, but this is the last straw.
Wouldn't the devs know if a malicious LoC had been built into the client and distributed to take master passwords from the browser? Idk much about browser extensions, but I think they would have been able to figure out if something malicious went out to last pass clients, no?
LastPass is architected so that your master password is never sent to their servers. Decryption of your vault happens locally on your device. Maybe such an attacker might get your email address (username).
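An added illustration (not LastPass's code) of the split that comment describes: the client derives a vault key from the master password and keeps it on the device, and what reaches the server is a separate one-way derivation used only to log in. The PBKDF2 parameters and the "derive once more for the server" construction are assumptions for this example, not LastPass's published scheme.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed work factor for the example; production deployments tune this higher.
ITERATIONS = 100_000


def derive_client_secrets(
    email: str, master_password: str, iterations: int = ITERATIONS
) -> Tuple[bytes, bytes]:
    """Runs on the client only. Returns (vault_key, login_hash).

    vault_key never leaves the device and is what unlocks the local vault.
    login_hash is a further one-way derivation of vault_key; it is the only
    credential transmitted, so knowing it does not yield vault_key.
    """
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations
    )
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, login_hash


class Server:
    """What the service stores per account: the e-mail, a salted hash of the
    login hash, and the opaque encrypted vault blob. No master password and
    no vault key are ever present on this side."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Dict[str, bytes]] = {}

    def register(self, email: str, login_hash: bytes, encrypted_vault: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email.lower()] = {
            "salt": salt,
            # Hash the received login hash again so a database leak does not
            # directly expose a replayable login credential.
            "verifier": hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS),
            "vault": encrypted_vault,
        }

    def login(self, email: str, login_hash: bytes) -> Optional[bytes]:
        """Returns the encrypted vault blob on success; the client decrypts it
        locally with vault_key, which the server never had."""
        acct = self.accounts.get(email.lower())
        if acct is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, acct["salt"], ITERATIONS)
        if hmac.compare_digest(candidate, acct["verifier"]):
            return acct["vault"]
        return None


def record_excludes_client_secrets(
    server: Server, email: str, vault_key: bytes, master_password: str
) -> bool:
    """Check that nothing the server stores contains the vault key or the
    master password, i.e. a server-side breach yields neither."""
    acct = server.accounts[email.lower()]
    stored = b"".join(acct.values())
    return vault_key not in stored and master_password.encode() not in stored


if __name__ == "__main__":
    vk, lh = derive_client_secrets("alice@example.test", "correct horse battery")
    srv = Server()
    srv.register("alice@example.test", lh, b"<constructed opaque ciphertext>")
    print("login ok:", srv.login("alice@example.test", lh) is not None)
    print("server record free of client secrets:",
          record_excludes_client_secrets(srv, "alice@example.test", vk, "correct horse battery"))
```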
Is there a web UI ? If yes - I guess an attacker can just send "bad" JS to the client and steal the master password no? Or inject a malicious update. Most people probably have auto updates?
Databases: KeePass on PC and KeePassDroid on Android (saved as not kdbx files, steganographically passworded inside a jpg renamed as a wav, manually backed up between PC and phone), suits me.
It's a pain, but not as painful as being LastPassed!
From the KeePassXC FAQ: "Additionally, you can use a key file filled with an arbitrary number of random bytes or a YubiKey to further enhance your master key"
Dropbox works really well with KP and I used it for years. The problem was that I ended up with more devices than Dropbox supported for free so I switched to Syncthing. If you only have three devices use Dropbox.
Syncing with Dropbox worked well for me. When you deal with an adversarial server holding your ciphertexts, you have to be a bit careful with the encryption. But keepass is good, AFAIK.
Syncthing improves the security, for instance, just in case a vulnerability creeps into the keepass code.
It works, but I had problems with the Windows Dropbox client failing... silently, so my wife and I would end up with different versions of files, or not being able to "send" them to each other because her client was down and we wouldn't know.
Syncthing works, has no central server to be beholden to, is free, and I have much more stability with it.
I once started an interview process as a senior developer at Goto, the company behind LastPass.
The contact was a first phone call where someone simply asked the number of experience I had in software development, Java programming, etc. I thought it was weird that basically all they got from the phone call was a bunch of numbers. The weirdest part though was that they asked how many years of experience I had in... open source? "How many years of experience do you have in open source?"
(Probably because the recruiter had a list of tech and skills required and simply went through it.)
Anyway, I went with it and eventually got a coding assessment. The docx document told me to implement a little deck of cards in Java using classes and inheritance. This was for a senior position.
You laugh at that coding assignment for a senior position but you'd be surprised how many "senior" people interview that would struggle with that and be unable to complete it.
It's a great way to weed out the junior devs that cheated their way through school (or are too dumb to figure it out via stackoverflow) and the senior devs that haven't actually done any real programming in a long time.
An engineer at our competitor got laid off and my PM found out and hired the guy to do FPGA work. My PM knew the guy through some contracts we had with the competitor and assumed he was an expert in the field. Turns out the guy was more of a middleman between program management and the engineers, so while he could talk about the work, he hadn't really done it in like 10 years. My PM got the hiring expedited and since we don't really do interview tests in our industry, the guy was now on our team before anyone could ask any pertinent questions.
Long story short, the FPGA team starts assigning him work but it's taking way too long and he's asking for more documentation and for help on things that he definitely would have worked on in his supposed previous job. Eventually we all figure out that he kinda overstated how fresh his skills are and we transition him to a sort of documentation role so he wasn't burning hours on things he just couldn't handle. While he was perfectly capable of doing that kind of work, it involved a lot of insight into our design so it took him a while to get onboarded to the system and able to properly describe the design. Eventually he was doing good work and got the project to the point where he wasn't needed, but he left a bad taste in everyone's mouth. We could have hired two junior engineers to do the work he was doing for the same price and probably gotten it done much faster. After the guy transferred over to another project, we reamed out our PM about his hiring decision and begged him to give us some input next time. Of course, due to the waste of money from the last guy, the functional managers stopped taking hiring inputs from our project and would just assign whoever the fuck they thought we needed despite the kind of roles we actually needed.
No doubt when GP refused to complete the coding assessment the people who designed it thought “aha! Yet another non-coder filtered out by our process!”
I'm currently doing interviews for a senior firmware dev position and was stunned by this. Today I talked to a guy who couldn't tell me what an interrupt was in any technical detail. His coding was worse than a first-year college student's. 5 of the 6 people I've talked to so far bombed the coding portion.
I have a different perspective. I feel that specific coding task tells me absolutely nothing about the seniority of the person performing the task and tells me very little about their qualifications.
And very low ability to do any improvisation.
Without specifying every detail of the implementation, the task will not be completed.
Even in areas that don't require very specific solutions and just need to work.
This type of self-referencing and self-congratulatory comment is what makes this website worse and worse little by little. You don't add any meaningful information or knowledge and it is something shallow a kid would say to look cool in front of his friends. I am not attacking you, you can do better.
I disagree. The information "Goto has obviously horrible hiring tactics that select Programming-101-graduates for senior positions WHILE operating a security-sensitive product" is meaningful.
Sounds silly, it’s a shame you didn’t get past the initial screen. It’s a process that has to be humored and you could have added a lot of value just by joining and then patching their hiring process.
When I was teaching in high school the deck-modelling thing is one that the kids come up with a lot especially when it came to doing their term project. I love the idea of being asked to implement a deck of cards using Java and inheritance! Here’s my implementation:
SUITS = "♠♥♦♣"
RANKS = "A23456789XJQK"
deck = {(s, r) for s in SUITS for r in RANKS}
That’s about all you can commit to. Suits and ranks should probably be enums but we can start from these three lines and see how it goes.
Sorting? Depends on the game. Value? Depends on the game, and some games give the same card two values. Inheritance? Shared behavior depends on the game and is orthogonal to the card itself and often is dependent on game state as well as what card you have. Are we even playing a game, or is this just for rendering poker themed wallpaper? Calling it a “deck” is probably wrong. A deck is ordered and may have duplicates… it depends on the game! This is more of a pack than a deck.
It’s probably an amazing question for interviewing candidates in person to see how far they dig into the premise. As a take-home question, you could probably spend a minute on the code above and then an hour on implementing three different games. Maybe that was the original docx, but it didn’t sound like it.
public enum Color {
RED, BLACK
}

public enum Suit {
// Constants must qualify the Color values; bare RED is not in scope here.
Diamonds(Color.RED, '♦'),
Hearts(Color.RED, '♥'),
Clubs(Color.BLACK, '♣'),
Spades(Color.BLACK, '♠');

final Color color;
final char symbol;

// Enum constructors are implicitly private; declaring one public is a compile error.
Suit(Color color, char symbol) { this.color = color; this.symbol = symbol; }
}

public enum Rank {
// Same symbols as the "A23456789XJQK" string above, with X standing for ten.
Ace('A'), Two('2'), Three('3'), Four('4'), Five('5'), Six('6'), Seven('7'),
Eight('8'), Nine('9'), Ten('X'), Jack('J'), Queen('Q'), King('K');

final char symbol;

Rank(char symbol) { this.symbol = symbol; }
}

// Records require Java 16 or later.
public record Card(Suit suit, Rank rank) {
// ...
}
The question is fundamentally broken because data objects shouldn't be inheriting anything. That's in almost all cases bad design that demonstrates only that you have no clue how to write sensible object-oriented code.
You wouldn't want to check whether a poker hand has a pair by using a bunch of instanceof's or getClass()-shenanigans. You also don't want to encode knowledge about poker into the card object. That's just data.
Some other things you could do with a deck of cards to add useful functions.
Shuffle
Draw
Deal
Cut
Pile
Turn
Now imagine you have pinochle, uno and cribbage as games. They each start with a different set of cards, but can use the functions above. The fact that it’s a 52-card deck with suits and ranks isn’t stated by GP, and there’s also the optional jokers.
For a real game, you’d probably need the back of cards as well for animation, and maybe you implement card designs to give the game some customization - now the deck needs some more properties or methods.
After all of that, think of whether the generic deck could be used to play magic or pokemon by using inheritance.
For lastpass, the closest parallel they might have to a deck is a password generator. Implementing that would seem like work. The deck stuff is all premature optimization for a single game, but they are checking your knowledge of inheritance, so just go along with it.
Many card games have a reduced deck - e.g. lots of French card games use a 36-card deck. Some card games use multiple decks mixed together (e.g. Canasta). Some have extra cards (jokers are common, there are others); some have entire extra suits (e.g. games that used to be played with various forms of tarot decks).
All this stuff needs to be parameterised, and suddenly you have an enterprise-worthy class hierarchy and a ton of complexity before you've even really started on game-specific stuff.
> It’s probably an amazing question for interviewing candidates in person to see how far they dig into the premise. As a take-home question, you could probably spend a minute on the code above and then an hour on implementing three different games. (Maybe that was the original docx, but it didn’t sound like it.)
I did a take home for Walmart Labs once and they completely ghosted me. What a complete waste of time.
I have interviewed many “senior” candidates who can’t do simple coding exercises. I think that starting out with a simple exercise like that weeds out a ton of people without putting undue burden on the good developers.
Bro wat? This comment is basically "I'm too smart to work for this company".
Your ego will be your downfall.
There is so much I can learn from a developer, junior OR senior by just seeing how they implement something simple like that. I feel like you have a full fledged case of Dunning Kruger effect. Since you don't know what exactly they were looking for, you brush it off to "LeL, LaST pAsS so DuM aSsEsMeNt".
I did. I interviewed for an AWS principal engineer position and their screening call had a 20-minute "make a code-like structure to solve this problem". They did not ask me to write Java or anything compiled, but something that shows I can actually turn my idea into some form of code.
I think having such kind of question is very much expected and I would wonder if a company does not have it for external/unknown hires.
There were rumors a couple years ago that this already happened to one of them.
My layperson's armchair guess is that a successful attacker would probably seek to keep it quiet.
If you were a bad person, and you got access of tons of credentials from one of the major trust-us password managers, would you:
1. Focus on finding and looting big-payout cryptocurrency stashes, as quietly as you can (so you can keep doing it longer, before news gets out of how)?
2. Sell to a state actor to use for probably high-value purposes, while keeping it quiet?
3. Something else, and would that involve keeping it quiet, or making a big noisy mess?
Most hacks, these days, seem to fall into one of three categories:
1. State actors
2. For profit criminals
3. Teens for lulz and street cred
I guess the first group would probably keep it pretty quiet. The second would keep it quiet until they've abused the data as much as they want to, then sell the remainder on the dark web. The third would make a big noisy mess right away.
Most of them are built without having decrypted passwords or keys for them on the server, so an attacker would need to get to the point where they can craft a malicious update to the client (or exploit the client).
I don't use them, but my conclusion is that at least one major cloud password manager has been hacked already without any disclosure. If they disclose it, the company should logically be dead. Thus, the incentive would just be to cover it up.
Can you elaborate more? Which? Why do you think this? I also agree with you and I think it’s one that rhymes with shome paus werd. But I think it happened early in their “cloud” journey
Sure it’ll result in a lot of issues for minor sites, but most critical services mandate 2FA. So just don’t keep your password and 2FA in these services.
The core problem is really that passwords suck and should never be the entirety of authentication. Time for hardware tokens! (admittedly there are some big problems when people lose tokens, but at least that's not a problem of insecurity ;-))
Depends on how you define "insecurity". Availability is one of the pillars of security, so even your joke falls apart.
Several years ago the trendy thing to do for security was to get a USB-A security dongle and lock your important accounts with it. Nowadays, laptops from several major manufacturers no longer ship with a USB-A port, so if you need to log in again and don't have a USB-C dock handy, you're locked out until you can find one.
"This comes just months after LastPass confirmed that hackers had stolen some of its source code in August and had access to LastPass’ internal systems for four days before getting detected. It looks like this new attack is connected, as Loubba says it determined that hackers gained access to user data “using information obtained in the August 2022 incident.”"
https://www.theverge.com/2022/11/30/23486902/lastpass-hacker...
it's certainly not acceptable that all they are saying is "certain elements of our customers’ information." very unacceptable, if it's credit card numbers or home addresses, they have to reveal that. the current language makes it look like they want to hide some kind of very bad news which is worse. Also their August post indicated that the developer account that was compromised had no access to customer data, so why exactly was that wrong.
You must make sure the exported CSV file has everything!
For a password management company, they can't even be bothered to fuzz their export functionality. QuickCheck works unreasonably well on `import(export(a)) == a`.
But maybe it's intended to be buggy, in order to keep you in their walled garden. Clearly the sync between devices works, so they have solved this problem.
One issue I ran into: the CSV file that "downloaded" in the browser didn't have all of my passwords, only about ~20 of ~400. I had to copy and paste the CSV text in the browser to a new CSV file with a text editor. But upon reviewing that, the format of the passwords was fine.
I have been a paying customer of Lastpass for about 15 years. I moved to Bitwarden for all sorts of reasons. I work in technical information security so it was also for that teason (but not only)
oh wow, what a surprise.
EXACTLY why so many companies opt to stay on-prem, to the amazement and bewilderment of every vendor sales rep that calls on the phone.
Go ahead and ask them which Cloud providers their company uses. Ask them which open-source libraries their SaaS uses. Ask them to show you the audits they've performed on THEIR supply chain this year. You won't get any answers.
So sick and tired of everyone jumping on the "more links in the chain is better" bandwagon.
Well, even with private cloud and on-prem these are pretty relevant questions...
I Worked with a government organization where I was part of the team on-boarding a new on-prem system. It was purchased through a tender, where on-prem was a requirement. The product was SaaS by default, but they offered an on-prem version. We pretty much got a copy of the stack of containers and docker-compose file that they used to run their SaaS offering.
While running the application, I was missing a lot of context, since logging was minimal, so I asked the company how to connect a log store to get an overview of all the sub-systems. There was no option for this (then how did they monitor their SaaS?). So I used docker to get command line in the containers and see if I can find some logs there to then get into a log store. In one of them, I noticed an error because something in the container was trying to phone home with telemetry, to a server that wasn't owned by our supplier. 'Luckily', our on-prem box didn't have an internet connection, because of the sensitivity of our data.
This was when I realized that our supplier didn't roll their own containers, but just used off the shelf stuff they didn't even audit. So who knows what their SaaS offering was leaking from these containers? I mentioned this to both internal IT architects and the supplier and nobody really seemed to care.
This is a supplier that was named 'Leader' by Forrester and got a $30M funding round last year.
And, to be fair, it's a large part of the Docker experience.
I recently had a pretty much identical experience with a vendor that is industry leading in their sector and counts most large companies among their customers. Just imagine what their cloud looks like.
A supply chain attack on these guys wouldn't even be difficult, and the only reason I can imagine we haven't heard about it is that we just haven't heard about it.
> Our investigation determined that the threat actor gained access to the Development environment using a developer’s compromised endpoint. While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication.
This is similar to other recent hacks, e.g. where a crypto company was hacked when a developer opened a malicious PDF he thought was a job offer.
So, in other words, being on cloud vs. on prem, and potential supply chain hacks, had nothing to do with it.
So sick and tired of everyone jumping to conclusions to fit their preconceived notions of what is good/bad when it comes to security.
When you're on prem you only have to worry about your own employees opening sketchy PDFs. When you're not, you have to worry about everyone in your supply chain opening sketchy PDFs.
Never mind the fact that the next time a major world conflict occurs, the big 4 cloud providers will probably be destroyed, taking about 90% of the western economy with them.
I would suggest splitting this problem into two different problems: the processing ("data in use") vs. data at rest. Each of these problems should be tackled with a different solution/approach.
I'm working on tackling the second one, and if anyone wants to talk, just reach out (reply/mail/link/whatever you prefer).
- OS sees the device as a keyboard
- Two versions. One with Bluetooth, and one with only USB for a little more security.
- Open source software package to sync your collection of PSDs
- Open source browser extension to autofill passwords
- Tiny keyboard on the device (detachable to share between your collection?)
Usage:
1. Install browser extension
2. Navigate to a password field
3. Follow prompt to populate password
Alternate usage:
1. Manually search for password using the device keyboard
2. Click into password field in browser
3. Press button on device to have it type the password
Or of course you could just view the password on the device if you prefer.
Passwords and login credentials are dead. No user wants to deal with them. Password managers are a solution to somewhat sanely and securely manage this complexity, and not something that the average user wants to think about. In that sense, they don't improve security overall, and introduce many other issues (a centralized honeypot, in the case of services like LastPass).
The industry has been trending towards OTP, FIDO, WebAuthn, and all sorts of identity solutions, instead for years now. It's clear that nobody wants to manage credentials, and having a separate security device is not something mainstream audiences will adopt, so maybe by integrating it with smartphones, this will finally catch on.
It will likely take years for most of the industry to move away from passwords, and we'll likely still require traditional credentials in some cases. The myriad of standards out there is a hurdle for adoption, but it feels like we're settling on something that might be usable for everyone.
User authentication has been a hot mess for at least two decades. Passwords need to go.
https://www.crowdsupply.com/sutajio-kosagi/precursor/updates...
Probably just needs a screen and like 3 buttons: record/play/navigate mode (use your keyboard to actually navigate).
PS: I have worked in computer security and I am drunk. Eat your salt
Which, as someone else explained below, is far superior to plain text passwords.
Won’t be touching LastPass again except offline, while I figure out where to go from here. I had been putting off finding a better password manager, but this is the last straw.
Edit: hadn't considered that addons also autoupdate by default when back online.
KeePassXC supports Yubikey, so you can lock it down strongly!
https://keepassxc.org/docs/#faq-keepassx
Syncthing improves the security, for instance, just in case a vulnerability creeps into the KeePass code.
Syncthing works, has no central server to be beholden to, is free, and I have much more stability with it.
The contact was a first phone call where someone simply asked the number of years of experience I had in software development, Java programming, etc. I thought it was weird that basically all they got from the phone call was a bunch of numbers. The weirdest part, though, was that they asked how many years of experience I had in... open source? "How many years of experience do you have in open source?"
(Probably because the recruiter had a list of tech and skills required and simply went through it.)
Anyway, I went with it and eventually got a coding assessment. The docx document told me to implement a little deck of cards in Java using classes and inheritance. This was for a senior position.
I did not do that and withdrew my application.
An engineer at our competitor got laid off and my PM found out and hired the guy to do FPGA work. My PM knew the guy through some contracts we had with the competitor and assumed he was an expert in the field. Turns out the guy was more of a middleman between program management and the engineers, so while he could talk about the work, he hadn't really done it in like 10 years. My PM got the hiring expedited and since we don't really do interview tests in our industry, the guy was now on our team before anyone could ask any pertinent questions.
Long story short, the FPGA team starts assigning him work but it's taking way too long and he's asking for more documentation and for help on things that he definitely would have worked on in his supposed previous job. Eventually we all figure out that he kinda overstated how fresh his skills are and we transition him to a sort of documentation role so he wasn't burning hours on things he just couldn't handle. While he was perfectly capable of doing that kind of work, it involved a lot of insight into our design so it took him a while to get onboarded to the system and able to properly describe the design. Eventually he was doing good work and got the project to the point where he wasn't needed but he left a bad taste in everyone's mouth. We could have hired two junior engineers to do the work he was doing for the same price and probably gotten it done much faster. After the guy transferred over to another project, we reamed out our PM about his hiring decision and begged him to give us some input next time. Of course, due to the waste of money from the last guy, the functional managers stopped taking hiring inputs from our project and would just assign whoever the fuck they thought we needed despite the kind of roles we actually needed.
[0] https://www.joelonsoftware.com/2006/10/25/the-guerrilla-guid...
You might be surprised.
However, your comment comes across as an attack intended to maybe silence his experience.
It’s arguable whether a simple senior filter and “HR stuff” is a red flag or not, but how does it make this site worse?
When I was teaching in high school the deck-modelling thing is one that the kids come up with a lot especially when it came to doing their term project. I love the idea of being asked to implement a deck of cards using Java and inheritance! Here’s my implementation:
That’s about all you can commit to. Suits and ranks should probably be enums but we can start from these three lines and see how it goes. Sorting? Depends on the game. Value? Depends on the game, and some games give the same card two values. Inheritance? Shared behavior depends on the game and is orthogonal to the card itself and often is dependent on game state as well as what card you have. Are we even playing a game, or is this just for rendering poker themed wallpaper? Calling it a “deck” is probably wrong. A deck is ordered and may have duplicates… it depends on the game! This is more of a pack than a deck.
It’s probably an amazing question for interviewing candidates in person to see how far they dig into the premise. As a take-home question, you could probably spend a minute on the code above and then an hour on implementing three different games. Maybe that was the original docx, but it didn’t sound like it.
You wouldn't want to check whether a poker hand has a pair by using a bunch of instanceof's or getClass()-shenanigans. You also don't want to encode knowledge about poker into the card object. That's just data.
Shuffle
Draw
Deal
Cut
Pile
Turn
Now imagine you have pinochle, uno and cribbage as games. They each start with a different set of cards, but can use the functions above. The fact that it’s a 52 card deck with suits and ranks isn’t stated by GP, and there’s also the optional jokers.
For a real game, you’d probably need the back of cards as well for animation, and maybe you implement card designs to give the game some customization - now the deck needs some more properties or methods.
After all of that, think of whether the generic deck could be used to play magic or pokemon by using inheritance.
For LastPass, the closest parallel they might have to a deck is a password generator. Implementing that would seem like work. The deck stuff is all premature optimization for a single game, but they are checking your knowledge of inheritance, so just go along with it.
Many card games have a reduced deck - e.g. lots of French card games use a 36-card deck. Some card games use multiple decks mixed together (e.g. Canasta). Some have extra cards (jokers are common, there are others); some have entire extra suits (e.g. games that used to be played with various forms of tarot decks).
All this stuff needs to be parameterised, and suddenly you have an enterprise-worthy class hierarchy and a ton of complexity before you've even really started on game-specific stuff.
Would you really just ignore the requirements and give the simplest starter as a way to start a conversation?
I did a take home for Walmart Labs once and they completely ghosted me. What a complete waste of time.
They get progressively more complex as we go, but the candidate is fully aware they are filter questions that I hope they clear with zero effort.
Your ego will be your downfall.
There is so much I can learn from a developer, junior OR senior, by just seeing how they implement something simple like that. I feel like you have a full-fledged case of the Dunning-Kruger effect. Since you don't know what exactly they were looking for, you brush it off to "LeL, LaST pAsS so DuM aSsEsMeNt".
If that's what they are asking for, implement it; programmers and their ego are always trying to "LoL, DuM iNtErViEw QuEsTiOn".
There is so much to learn from a person by just seeing how they solve a simple problem like this one.
My layperson's armchair guess is that a successful attacker would probably seek to keep it quiet.
If you were a bad person, and you got access to tons of credentials from one of the major trust-us password managers, would you:
1. Focus on finding and looting big-payout cryptocurrency stashes, as quietly as you can (so you can keep doing it longer, before news gets out of how)?
2. Sell to a state actor to use for probably high-value purposes, while keeping it quiet?
3. Something else, and would that involve keeping it quiet, or making a big noisy mess?
1. State actors
2. For profit criminals
3. Teens for lulz and street cred
I guess the first group would probably keep it pretty quiet. The second would keep it quiet until they've abused the data as much as they want to, then sell the remainder on the dark web. The third would make a big noisy mess right away.
2. Inject code in build to export user's passwords to remote server after update is installed
Several years ago the trendy thing to do for security was to get a USB-A security dongle and lock your important accounts with it. Nowadays, laptops from several major manufacturers no longer ship with a USB-A port, so if you need to log in again and don't have a USB-C dock handy, you're locked out until you can find one.