1Password truly doesn’t get enough credit for the choice to encrypt every vault with a high entropy secret key passed device to device. It surely costs them in UX and support load, but it would have made a breach like this essentially inconsequential.
Bitwarden truly doesn’t get enough credit for being completely open source and having independent implementations of the server code (Vaultwarden) with which the official clients are fully compatible, which I can run on a vm on a server under my desk.
In 50 years time, who knows if any of these companies will be around. But I’m pretty sure that my grandchildren, should they want to, will be able to open a gpg encrypted gzipped file (with the passphrase I’ll leave them) containing my passwords in a csv file.
I am fascinated by the idea of being 50 years from now, and doing digital archaeology more or less. So much of our actual output is now digital and stored digitally.
Given how I have experienced technology up until this point, my assumption is that everything I will create for work or for pleasure, is more or less ephemeral. It has certainly proven true for work.
>But I’m pretty sure that my grandchildren, should they want to, will be able to open a gpg encrypted gzipped file (with the passphrase I’ll leave them) containing my passwords in a csv file.
technical possibilities aside, do you presume your grandchildren will be technically apt?
I am pretty sure 99% of people would halt at 'gpg', and that's now -- not 60 years from now.
Curious, how is Excel encryption? That may be a more approachable format than CSV GPG, and though technically the CSV GPG is simpler, it may be less familiar to users in 100 years. Excel will still be around ;)
It's such a pity that bitwarden's client doesn't work offline for modifying vaults (need to be online to be able to access the server implementation). I would switch from my old local vault 1password in an instant.
I still rely on a gpg encrypted text file for storing my passwords, too. 25 years of that and it's second nature. No other solution has ever appealed to me.
Proton Pass truly doesn’t get enough credit for being completely open source, more user friendly, and hosted outside the US (wouldn’t want to lose access to your vault [1]).
Wouldn't it also make you lose everything in a recovery scenario? If all your computers are lost in a fire or flood, you would lose the recovery key, and having your password would not be enough to recover your database. I use keepassxc with a somewhat long password with a high PBKDF iterations count, which would not require having any devices in the event of a loss.
There is an option to print out recovery info. A sheet with a QR code and a space for you to write your password (or not, if you don't trust keeping those 2 things in one place). That paper can go in a safe deposit box, with a trusted family member / friend, or in some cloud service you'd still have access to. The QR code + your password allow for recovery.
Lastpass downplayed the breach and it turned out they had not properly encrypted data like the notes section. They should have been sued to oblivion, but they were able to weasel out of responsibility, so far.
Lastpass had one job and failed it. Unforgivable that they knew their users' master passwords are not secure enough, but chose not to be vocal or proactive about it.
If you're using Lastpass right now, move to more trustworthy options like 1Password, Bitwarden or Keepass. Do it today. And change all passwords that are meaningful to you.
You'd have to go study the case, but it's a class action case, so it'll hurt if they lose (and even if they don't). The court appears to be consolidating cases into this one, because LastPass has been sued in federal court 15 times so far:
I swapped to BitWarden a few years back and there was almost no friction - export from LastPass, import to BitWarden, get used to the inevitable handful of UI quirks, and you’re good to go.
I have been using 1Password for the last several years and am quite happy with them, except for the fact that they basically forced users to use their cloud offering with subscription as opposed to free iCloud storage after 1Password version 7.
Highly recommend Strongbox. The underlying DBs are KeePass DBs and can be stored anywhere as well as opened with any KeePass client, with a UI even better than 1Password (you can have columns for every field) as well as passkey support + export/import (even before the official method came out because they believe in you owning your own data).
I love it because Strongbox also has its own cloud feature (optional) that is just a hosted KeePass DB which makes it easy to have a shared DB with my partner.
The only downside for me: there isn’t a universal search that searches all DBs for credentials. So if you are in a browser and trying to autofill, you need to select the DB you want it to populate from.
> except for the fact that they basically forced users to use their cloud offering
Yeah that's when I left 1P after having bought hundreds of dollars of licenses for myself and my family (for multiple OS).
The other big thing was self hosting the vault. You used to be able to sync the vault with Dropbox and access it from a browser but at some point Dropbox killed public folders. It would have cost 1P pennies to store the vaults of paying customers in S3 buckets. Instead they decided to use that as leverage to force people into subscriptions.
With the way Apple is going in the UK, I'd rather give 1Password the keys to the kingdom.
Their whole raison d'etre is protecting your passwords. If they start selling people out, their business implodes.
They also keep adding thoughtful tweaks and new features. A couple years back I thought I'd give it a few years and then hop from 1Password to Bitwarden. But Bitwarden's UI and UX is still subpar (doesn't even support drag 'n drop..)*. All Bitwarden does is invest in enterprise features, which mean jack for the average user.
*dragging items from one vault to another, not a hugely important feature but Bitwarden has a thousand of these kind of paper cuts compared to 1Password
I'm a bit confused on how the LastPass hack enabled the loss of passwords. I assume it works the way that I understand 1Password to work which should mean this would still be very difficult to impossible to do. Can anyone explain what I'm wrong about in terms of how the password managers work or how LastPass works differently?
So the way that I understand 1Password to work is that the decryption key is split in two: the user's single password + a secret key. You need both to decrypt the vault. The secret key is, again according to my understanding, generated randomly and is like 128bits? Once 1Password generates it and sends it to you (maybe they don't even send it and it is generated locally, I don't know), they never see it again. Thus, even if your vault were stolen, the thieves would need to crack your password (very likely not that secure) but also the 128 bit secret key so you would have a minimum of 128bit security which seems fine?
What's different about LastPass? Were the secret keys stolen somehow too? Were the targets of the stolen vaults then hit with further attacks to extract the secret keys? Does LastPass not use a similar structure as 1Password? Or am I actually not as safe as I thought using 1Password?
LastPass does not use the secret key concept that 1Password uses, it only uses a key derived from your password. After the breach they rushed to increase the hash iterations [1] and added features to let enterprise admins set minimum iterations [2] but of course it was too late at that point.
Adding on to what others have said, LastPass stored vault "metadata" unencrypted. Metadata included things like the URL. This allowed the attackers to prioritize cracking vaults of higher value.
See a vault with just a facebook.com and google.com login? Skip it. See a vault with coinbase and 10 other crypto sites in it? Spend a few thousand trying to crack it.
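The triage described in the comment above, as an added example (not LastPass's vault format and not the parser linked elsewhere in this thread): given stolen records whose URL list is readable without cracking anything, rank them by expected value per unit of cracking work. The sample records, the domain values and the assumption that the per-account PBKDF2 iteration count is also visible in the blob are all constructed for this example.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed data: a few stolen-vault records with the fields this example assumes
# were readable without cracking. Not real LastPass records, not the real format.
STOLEN_VAULTS: List[Dict] = [
    {"id": "vault-A", "iterations": 100100,
     "urls": ["https://www.facebook.com/login", "https://accounts.google.com/signin"]},
    {"id": "vault-B", "iterations": 5000,
     "urls": ["https://www.coinbase.com/signin", "https://www.kraken.com/login",
              "https://github.com/login"]},
    {"id": "vault-C", "iterations": 1,
     "urls": ["https://secure.chase.com/", "https://www.netflix.com/login"]},
]

# The attacker's own value judgement, constructed for the example.
HIGH_VALUE_DOMAINS = {
    "coinbase.com": 50, "kraken.com": 50, "binance.com": 50,
    "chase.com": 20, "fidelity.com": 20,
}


def registrable_domain(url: str) -> str:
    """'https://www.coinbase.com/signin' -> 'coinbase.com'.
    Simplified to the last two host labels; a real tool would consult the
    public suffix list to handle names like example.co.uk."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def vault_value(vault: Dict) -> int:
    """Sum of the attacker's value weights over the plaintext URLs in the record."""
    return sum(HIGH_VALUE_DOMAINS.get(registrable_domain(u), 0) for u in vault["urls"])


def cracking_priority(vault: Dict) -> float:
    """Value per unit of work. PBKDF2 cost is linear in the iteration count, so a
    vault stuck on a low legacy count is proportionally cheaper to attack."""
    return vault_value(vault) / max(vault["iterations"], 1)


def prioritize(vaults: List[Dict]) -> List[str]:
    """Record ids in the order an attacker would spend GPU time on them."""
    return [v["id"] for v in sorted(vaults, key=cracking_priority, reverse=True)]


if __name__ == "__main__":
    for v in STOLEN_VAULTS:
        print(v["id"], "value", vault_value(v), "priority", round(cracking_priority(v), 4))
    print("crack order:", prioritize(STOLEN_VAULTS))
```

The facebook/google-only record sorts last regardless of its iteration count, which is the point of the comment: the attacker never has to spend anything on it. Encrypting the URL field would have removed this signal.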
I was under the impression that basically lastpass knew your password, 1password does not. Lastpass owned the whole key. With enterprise organizations though we can still reset a users password if they forget so 1password might “know” your password too. Maybe older versions or individual versions are more secure.
It would probably be more accurate to say that LastPass has the information to decrypt your vault if they can guess your password. By contrast 1Password would need to both guess your password and guess your personal secret key. The latter is effectively impossible assuming the key generation was well-implemented. The trade-off is that users must keep track of their own secret keys.
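The two derivations discussed above, as an added example that is neither 1Password's nor LastPass's code: a password-only vault key, as in the thread's description of LastPass, next to a toy two-secret derivation loosely modelled on 1Password's scheme (stretch the password, expand a device-held 128-bit secret key, XOR the two). The same wordlist attack is run against a stolen blob under each scheme. The credentials, the e-mail used as salt, the low iteration count and the SHA-256 counter-mode cipher are all constructed for the demo; they are not a recommendation for how to build a real vault.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional, Tuple

# Constructed demo values: not real credentials. Iterations are kept low so the
# cracking loop finishes in well under a second; a real client uses far more.
EMAIL = "alice@example.com"
WEAK_PASSWORD = "Summer2023!"
SECRET_KEY = secrets.token_bytes(16)   # 128-bit secret that only the user's devices hold
ITERATIONS = 5000
VAULT_PLAINTEXT = b"coinbase.com,alice,correct-horse-battery\n"
WORDLIST = ["password", "letmein", "Summer2023!", "P@ssw0rd"]   # attacker's guesses


def password_only_key(password: str, email: str, iterations: int) -> bytes:
    """Password-only derivation: the salt (e-mail) and iteration count ship with
    the stolen blob, so guessing the password is all the attacker needs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.encode(), iterations, 32)


def two_secret_key(password: str, email: str, secret_key: bytes, iterations: int) -> bytes:
    """Toy two-secret derivation (loosely modelled on 2SKD, not 1Password's code):
    the vault key is the XOR of a stretched password and an expanded secret key,
    so a correct password guess without the secret key yields garbage."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), email.encode(), iterations, 32)
    sk_part = hmac.new(secret_key, b"2skd-demo:" + email.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, only so the demo needs no third-party library."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Encrypt-then-MAC. The tag is what lets anyone holding the blob recognise
    a correct key, which is exactly what an offline attack checks against."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    return ct, hmac.new(key, ct, hashlib.sha256).digest()


def open_vault(key: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key does not verify the tag."""
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


def crack(ct: bytes, tag: bytes, derive: Callable[[str], bytes],
          wordlist: Iterable[str]) -> Optional[str]:
    """Offline wordlist attack on a stolen blob: derive a key per guess, test the tag."""
    for guess in wordlist:
        if open_vault(derive(guess), ct, tag) is not None:
            return guess
    return None


def demo() -> dict:
    # Scheme 1: password-only blob. The attacker reads EMAIL and ITERATIONS out of it.
    ct1, tag1 = seal(password_only_key(WEAK_PASSWORD, EMAIL, ITERATIONS), VAULT_PLAINTEXT)
    found1 = crack(ct1, tag1, lambda g: password_only_key(g, EMAIL, ITERATIONS), WORDLIST)

    # Scheme 2: same weak password, same blob exposure, plus the device-held secret key.
    ct2, tag2 = seal(two_secret_key(WEAK_PASSWORD, EMAIL, SECRET_KEY, ITERATIONS), VAULT_PLAINTEXT)
    # The attacker has no secret key; the all-zero value stands in for one of 2**128 guesses.
    found2 = crack(ct2, tag2, lambda g: two_secret_key(g, EMAIL, bytes(16), ITERATIONS), WORDLIST)
    # The legitimate client, holding both secrets, still opens the vault.
    legit = open_vault(two_secret_key(WEAK_PASSWORD, EMAIL, SECRET_KEY, ITERATIONS), ct2, tag2)

    return {"password_only_cracked": found1,
            "two_secret_cracked": found2,
            "legit_opens": legit == VAULT_PLAINTEXT}


if __name__ == "__main__":
    print(demo())
```

The asymmetry is the whole argument of the thread: raising the iteration count only multiplies the attacker's per-guess cost, whereas the secret key removes the offline attack entirely unless the attacker also compromises a device that holds it. The cost of that design is the recovery problem raised earlier in the thread: lose every copy of the secret key and the password alone cannot open the vault.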
I switched away from LastPass after the 2nd major security breach sometime around 2013. Wikipedia only shows 3 total incidents, but I know I've seen reporting on _at least_ 5 between 2010 and today. In that time, I've continued to run into its use at companies, and it's honestly surprised me each time. Something something fool me 5x…
How come this is legal? By now this is a business practice. Why would the government close down a restaurant after food poisoning but do nothing here? This is much worse, considering all this money goes to the axis countries?
I don't think there's anything illegal about being terrible at your job (information security), but I do think it's a tragedy that LastPass has somehow avoided the public shaming they so desperately deserve for their repeated ineptitude.
LastPass understandably finds there to be no evidence linking the two. Uhm, OK.
But what's also hard to believe is that people storing millions of dollars of "collectables" would not change their passwords on at least a yearly basis.
I know that password rotation for its own sake is no longer best practice, but in this case it still seems quite prudent. No?
This is the kind of control that is really becoming a luxury.
And I don't know how we get back to a simple state; Let's say you're a family of three with shared services and accounts:
Keeping everything under Keepass means handling the file sync between all the devices and OSes, with potentially your credentials flying through third party sync services, thus negating most of the advantages of Keepass.
Moving to something like a self-hosted Bitwarden instance should be the way, but then one member of the family becomes a dedicated lifetime sysop making sure that instance is secure while being accessible anytime from everywhere.
It shouldn't be a luxury, but it unfortunately is due to various big players refusing to play nice together.
If everyone has only apple devices (iphones + macbooks), then you can use a shared iCloud sync'd folder.
Except that doesn't actually work because the majority of iOS apps are incapable of using a shared iCloud folder correctly (including apple's notes app, most of apple's apps) because apple tries to hide the filesystem so much, that even saving a file into a folder is basically impossible for most apps.
That also doesn't work if anyone uses linux or windows because apple refuses to play nice with other ecosystems.
If everyone _doesn't_ use iOS devices, there are dozens of solutions that work well, from a shared google drive folder, to syncthing, but if even one person uses an iOS device, then suddenly none of the shared folders work, because apple has made it so creating a shared folder on iOS is bad for iCloud, but even worse for any third party app (be it google drive, syncthing, an FTP based solution, etc etc).
I guess what I'm saying is that apple tried to kill the filesystem, and in doing so has made it so the very idea of just sharing a folder of files securely seems like a per-app luxury.
Instead you need a shared photo album for photos, a shared notes folder for notes, a shared "apple invites invite" for a calendar event, etc etc. Apple has a lot to pay for, and a hatred for folders that has caused the entire industry to move away from simple secure app-independent sharing is one of them.
Instead, we have a jumble of apps being forced to implement their own sharing concepts poorly and often insecurely.
Syncthing works great for this if you have an always on computer. If you don't you can use a server and add it as an untrusted recipient if you have to, though I would not bother since the database is encrypted with your password anyways, and is not vulnerable if you never reuse your db password and there is enough entropy.
Centralizing everyone’s credentials after all these years still seems like the most risky idea ever. The only thing possibly more attractive to a hacker would be free sex and drugs, but only for a little while, and then they’d go back to trying to steal everyone’s credentials.
Some other targets: everyone’s PII, info on friends, family, pets, answers to security questions, mobile IDs, PIN numbers, account numbers, signatures, photos, fingerprints, voice patterns, facial and retinal scans, gaits, DNA, mitochondrial RNA.
I have similar gripes, but I still feel like on balance, randomizing passwords across accounts is more important. Selfhost vaultwarden ftw (or not — don’t f*ck it up)
It’s their No. 1 selling point.
> In 50 years time, who knows if any of these companies will be around
1Password has local clients. If you have the password, you should be able to unlock the vault locally.
Though the tooling isn’t great – I’ll probably switch to Vaultwarden sometime this year.
[1]: https://berthub.eu/articles/posts/you-can-no-longer-base-you...
https://www.courtlistener.com/docket/66607916/debt-cleanse-g...
https://www.courtlistener.com/?q=lastpass%20AND%20(caseName%...
Very happy with Bitwarden now.
The new features released since I bought version 6 has me more than satisfied.
Also using a password manager is one of the most effective things you can do to protect yourself and paying a few bucks a month seems like a steal.
That creates distrust in me, so I swapped to BitWarden and haven't looked back.
[1] https://palant.info/2022/12/28/lastpass-breach-the-significa...
[2] https://support.lastpass.com/s/document-item?language=en_US&...
Source: https://github.com/cfbao/lastpass-vault-parser/wiki/LastPass...
[1] https://syncthing.net/
Right. Randomizing passwords doesn’t require centralization.