Password Managers?

This is why I said to disable browser integration with KeePass or any other desktop-based password manager.

2 Likes

So what? Everything will be hacked eventually. This was disclosed and they fixed it quickly. Can't ask for more than that.

3 Likes

This, absolutely. Lastpass have historically done very well with security issues in their software. Them publicly addressing and fixing issues isn't a bad thing. If anything it has shown their commitment to the security of their software.

3 Likes

Well, they don't do it out of sheer benevolence; security incidents are existential threats to a password management program. Like with Kaspersky, when the US government said they were FSB tools. At that point they were dead men walking. You can't recover from something like that.

If someone steals a password vault (like a kdbx file) it'll be a lifetime before they brute force the file if you used a high entropy master key.

It's a preference of personal responsibility. Or you can rely on someone else to make sure you're safe.

Only a fool would rely on anyone. Both lastpass and 1password utilize end-to-end encryption. You hack lastpass, steal their DB, and all you get is an encrypted datastore.

1 Like

Where does the decryption occur? Does LastPass send you the encrypted string and it's your browser that decrypts with your key?

Or is your key sent to lastpass and the decrypted passwords sent back to you?

It's end to end encryption, so everything happens locally in your browser.

They also have features where you can share logins with your friends, and that's done by decrypting the login, then encrypting it with your friend's public key. Then it's sent to your friend and they decrypt it with their private key. The public and private keys are both uploaded to the cloud, otherwise there would be no way to distribute it to all your various Android devices and whatnot, but the private key is encrypted with your secret passphrase.

Note the above only applies to sharing logins with other users, all standard logins are just straight-up encrypted with your secret passphrase before they're sent to the cloud.

You could also just use a text file within an encrypted folder.

That's kind of what pass does.

Plasma Vault does this on KDE. GNOME Disks (or the terminal) can do this using LUKS. I'm not sure if the GNOME Disks LUKS setup is as secure as the method KeePassXC is using, but you can make it so if you create it via the terminal and specify a higher AES level.

Nice, source:

https://lastpass.com/support.php?cmd=showfaq&id=6926

My only remaining concern would be verification of any received client side web app. I doubt I'd use it in a browser personally.

Well, that's how you would do it, right? You would hack Firefox or Chrome's addon site by spearphishing access to a Lastpass developer's account, then upload a compromised addon, which would be automatically updated to millions of users. Of course the same applies to a local vault with Keepass: once you compromise the client you own the data.

The browser does have a wider attack surface than a local application, so there's an obvious tradeoff for convenience there.

3 Likes

I personally wouldn't make the trade off.

1 Like

Me neither.

1 Like

Air-gapped solutions are a minor inconvenience (basically amounts to typing passwords instead of copy/paste).
But that's where I draw the line at the moment…

However, if KeePassXC has some major issue (desktop side) I'd probably move to that way of doing things.

I use KeeWeb Desktop. It's a bloated Electron app, but I like the interface, which allows adding things like images and custom fields.

Uses standard .kdbx files, so it is compatible with KeePass, but I enjoy the interface enough to cope with the bloat.

I suggest Paper.

Thanks grandma :slight_smile:

Am I the only one who still uses absurdly long words and phrases together, ones that would never go together but that are easy for me to remember?

I've never had a single account online ever be breached or hacked (that I know of).

I also change my passwords every 6 days.

I also never repeat a password.

Done it this way since the days of early internet.