add password article

James Ravenscroft 2022-12-27 09:54:14 +00:00
parent 8bba87626f
commit db59e79503
2 changed files with 89 additions and 0 deletions

@ -0,0 +1,89 @@
---
title: "Post Lastpass Password Management"
date: 2022-12-27T07:34:26Z
description: After the recent Lastpass scandal, should we be a little more distrustful of cloud-based password managers?
url: /2022/12/27//post-lastpass-password-management
type: post
mp-syndicate-to:
- https://brid.gy/publish/mastodon
- https://brid.gy/publish/twitter
tags:
- security
- technology
- privacy
- cloud
- open-source
---
Earlier this month [LastPass revealed that they had been breached](https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/) and then a few days later that [that their customer's encrypted password data was stolen](https://www.tomsguide.com/news/lastpass-hack-was-even-worse-than-originally-reported-should-you-delete-your-account). Following a couple of years of controversy including [earlier breaches](https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/) and [price rises](https://alternativeto.net/news/2022/1/lastpass-seemingly-deliberately-holding-users-password-data-hostage-alongside-new-pricing-plans/), this latest breach hasn't been a particularly good look for them.
## Making Good Use of Time Bought with LastPass' Strong Encryption
Let me be up front about the fact that I am a Machine Learning specialist, not a security expert. That said, I've been the CTO at a tech firm for the last 6 years and data breaches are one of the topics that keep me up at night and make me sweat at work on a regular basis.
So then, on the subject of the LastPass breach: the good news is that LastPass uses pretty strong encryption to store customer password vaults so, in the worst case, it might take hackers years or centuries to break in to your account depending on the strength of the password you chose. [Wladimir Palant](https://palant.info/2022/12/23/lastpass-has-been-breached-what-now/) gives a bit more detail about the tactics that an attacker might use and how long this might take.
You can also use [this tool](https://lowe.github.io/tryzxcvbn/) to estimate out how secure your password is and how long it might take a very dedicated hacker to crack your vault. *NB: do **not** use your actual master password in the test tool but an analogy of it. For example if your real password was TopSecretPassword123 you might try a different combination of a 3,6 and 8 letter word followed by some numbers: BarDemonsAbstract567. This works because the tool uses the length of your password and the type of each char (number, letter, symbol) to estimate its difficulty*
![a screenshot of the zxcvbn tool on Github for the provided example: BarDemonsAbstract567](images/pwtool.png)
You might also want to see if your password is on a [list of leaked passwords](https://haveibeenpwned.com/Passwords) that have previously been cracked because an attacker is bound to try these first rather than guessing randomly.
In summary, unless you are famous (to the public or to security services), your password appears on a list of leaked passwords, you might not be in immediate danger. However, my advice would be to assume the worst and start changing all your passwords yesterday.
## Should I keep using LastPass? What About this other Cloud-based Password Manager?
Since the breach, people been recommending a plethora of other cloud solutions. BitWarden seems to have a very good reputation and others include 1Password and Dashlane. Now, don't get me wrong, all of these providers certainly have a better reputation than LastPass at this point in time (as far as I can tell from a quick bit of searching, none of them have suffered serious breaches). However, I take the somewhat pessimistic view that security breaches are pretty much inevitable at successful companies that grow beyond a certain point because:
- a) Employing more people to do more 'stuff' increases the odds of both human error and malignant intent.
- b) Big companies with more data make juicier targets for would-be hackers
- c) As companies move from focussing on growth in new markets to focussing on profitability and reducing costs, leadership teams sometimes raise the axe to expensive processes and teams like cyber-security, reducing the quality of their protections against breaches.
These three issues can often combine explosively, shattering the reputation of a once-loved company overnight.
I'm not making any specific allegations about the providers I've listed here. However, I would not be surprised if, in the next few months or years time, we see a current `darling' of the password manager market appearing in the news under similar circumstances to LastPass.
If you subscribe to this viewpoint then there are a couple of ways to look at things. Either you continue to use cloud-based password managers and accept that you're likely to need to change all of your passwords every few years after a breach, maybe jumping from incumbent provider to scrappy password startup because they haven't been hacked yet and, they've got a great reputation. Or, you take the view that keeping your passwords in the cloud (read: on someone else's computer) is not a good idea and that you should look for local solutions.
I'm not willing to stick my neck out on the line and make a recommendation either way here: I'll leave that as an exercise for the reader.
## Some Local/Non-Cloud Solutions
### KeePass + SyncThing
Firstly I've received a [couple of recommendations](https://fosstodon.org/@jamesravey/109579516252941441) to use [KeepassXC](https://keepassxc.org/download/) which is a local-only password manager which stores your vault on your computer using strong encryption. The Keepass vault is compatible with the [KeepassDX](https://www.keepassdx.com/) app for android and you can use [SyncThing](https://syncthing.net/) to provide real-time peer-to-peer sync between the devices (the implication of peer-to-peer being that the data is never stored in an intermediary cloud service - it is only ever transferred directly between devices you control).
Of course you could sync your vault using something like DropBox or Google Drive if you are comfortable with trusting those services. Another concern would be backups - if you lost both your phone and laptop at the same time (e.g. in a house fire) you've lost your password vault. With SyncThing you could also send a copy of your vault to multiple devices - your partner's phone, a network drive you have in your garage etc. I personally use [Restic](https://restic.net/) to make encrypted backups to a cloud storage provider, adding another layer to the security onion in terms of encryption and obfuscation and of course hoping that my cloud storage provider won't get hacked for a little while and that when they do, there are enough layers of protection to buy me time to reset the passwords I care about.
### LessPass
I learned about [LessPass](https://www.lesspass.com/#/) from [Doug Belshaw](https://dougbelshaw.com/blog/2017/07/06/lastpass-to-lesspass/) who ditched LastPass for it "before it was cool" to do so in 2017. This is a really clever solution for password management. LessPass doesn't actually store any of your passwords. Instead, it uses your master password (like the one you use for a LastPass vault), combined with the URL website you want to log into and your username to generate a password on-the-fly. In effect that means that you no longer have to worry about syncing your password vault as there is nothing to sync - just use the LessPass app to generate your password on your phone or your computer and as long as you enter the same username, website address and master password it will come out the same.
LessPass offer desktop browser extensions and a mobile app which can optionally store your master password behind your biometric login (e.g. fingerprint) to speed up logging in from your mobile device (quicker if your master password is long but slightly less secure, reader's choice on whether to use it.)
If you are worried about remembering which usernames and websites you need to log in to (or which of LessPass's settings you used to generate the password), LessPass also offer a free service which can remember which usernames and websites you have logged into, but they don't store your master password anywhere which means that if a hacker got a copy of their database they wouldn't even be able to verify that they'd got your password right without trying to use some of the values that the app generated to log in (and you'd expect those services to have rate limits and to eventually block accounts who try lots of incorrect passwords). If you want to take advantage of this service but are feeling particularly paranoid about hosting your usernames via their service you can also self-host it.
Of course with LessPass there's no need to worry about backups as long as you have access to their software, and you know the websites and usernames you care about and your master password.
To me, there's something about LessPass that feels a little too much like magic - I'm kind of waiting for a cryptographer to come along and tell me why I shouldn't use it and what the major flaw with it is. However, until that day, it seems like a really great approach and I'm definitely up for trying it out.
### Funding
KeePassXC, SyncThing and LessPass are all open source projects which are free at the point of use but obviously cost money to develop. My ask of readers thinking of switching to one of these solutions would be to consider donating the money you would have spent on SaaS licenses for one of the cloud password managers to whichever solution you end up going for:
For solution 1, consider splitting your SaaS fee across these projects evenly
- [KeePassXC Donations Page](https://keepassxc.org/donate/)
- [KeePassDX (PayPal and LiberaPay Donate Links at Bottom of Page)](https://www.keepassdx.com/)
- [SyncThing Donations Page](https://syncthing.net/donations/)
For solution 2, please donate to the LessPass team via the [LessPass OpenCollective Page](https://opencollective.com/lesspass)
## Conclusion
In conclusion, password security, like many of the topics that I think about and write about, is complex and multifaceted. If you are a LastPass user, I'd strongly recommend changing your master vault password and all the passwords that you care about over the next few days if you can (and if you are a high profile activist or celebrity, do this yesterday). As for what to do next? Well, that's up to you. If you believe that there won't be another LastPass breach for a little while you might change your passwords and stick with them. You might trust another upstart cloud-based password manager company for a few months or years until they inevitably get breached. You could try one of the local-only approaches I've suggested but, I'd suggest that you never assume it's 100% foolproof, be ready for the unlikely scenario in which a SyncThing vulnerability is announced or someone does indeed tell me why LessPass' magic isn't secure.
We live in a modern, interconnected world where we interact with ~~the cloud~~ someone else's computer every single day. So, when it comes to security and passwords, don't put all of your eggs in one basket.
One last thing: **Should I use a password manager? GOD YES! LastPass is Not representative of all password managers.**
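Review bot: the `url` field in the front matter contains a doubled slash, `url: /2022/12/27//post-lastpass-password-management`, which yields a permalink with an empty path segment; drop the extra slash so it matches the date-based path used elsewhere. Two link/markdown issues in the body: the "earlier breaches" link in the first paragraph points at the same December 2022 incident notice (`https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/`) as the preceding link, so it should reference an actual earlier incident or be reworded; and the backtick in `darling'` opens an inline-code span in markdown that is never closed, so use a plain apostrophe or matching quotes. Typos worth fixing before publishing: "that [that their customer's" duplicates "that", and the summary sentence "unless you are famous (to the public or to security services), your password appears on a list of leaked passwords" is missing an "or" between the two conditions.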