January 09, 2023
On Monday, 9 January 2023 at 00:18:50 UTC, RTM wrote:
> On Sunday, 8 January 2023 at 21:53:32 UTC, Steven Schveighoffer wrote:
>> Nope. That's not how LastPass (and password managers in general) work.
>
> https://en.m.wikipedia.org/wiki/LastPass#2022_security_incidents
>
> It’s serious.

Serious yes, but look at the data that actually leaked, it's not the keys to the safe I think
January 09, 2023

On Monday, 9 January 2023 at 00:43:08 UTC, max haughton wrote:
> On Monday, 9 January 2023 at 00:18:50 UTC, RTM wrote:
>> On Sunday, 8 January 2023 at 21:53:32 UTC, Steven Schveighoffer wrote:
>>> Nope. That's not how LastPass (and password managers in general) work.
>>
>> https://en.m.wikipedia.org/wiki/LastPass#2022_security_incidents
>>
>> It’s serious.
>
> Serious yes, but look at the data that actually leaked, it's not the keys to the safe I think

Yes, it's no different than any other data breach of any other company -- email addresses, billing information, etc.

Note that LastPass and others do not even have the keys to the safe to be stolen in the first place -- they never store your master password.

The "100s of passwords" are not compromised (that is, unless they use "password123!" as their master password).

LastPass uses 100,100 rounds of encryption, which means each guess takes a long time to test to see if it's right. Brute force will take millions of years.

Everyone today should use a password manager, whether it's cloud based or not. And the most important rule is to not use a previous password as your master password.

-Steve

January 08, 2023
On 1/8/2023 5:44 PM, Steven Schveighoffer wrote:
> Everyone today should use a password manager, whether it's cloud based or not.

Yes, because password managers are perfect software, unlike every other piece of software on the planet.

I heard today that Pegasus can read WhatsApp encrypted communications. If Pegasus can do it, anybody can.



> And the *most important rule* is to not use a previous password as your master password.

A master password is a single point of failure.

January 09, 2023
On Monday, 9 January 2023 at 01:44:41 UTC, Steven Schveighoffer wrote:
>
> Yes, it's no different than any other data breach of any other company -- email addresses, billing information, etc.
>
> Note that LastPass and others do not even have the keys to the safe to be stolen in the first place -- they never store your master password.
>
> the "100s of passwords" are not compromised (that is, unless they use "password123!" as their master password).
>
> LastPass uses 100100 rounds of encryption, which means each guess takes a long time to test to see if it's right. Brute force will take millions of years.
>
> Everyone today should use a password manager, whether it's cloud based or not. And the *most important rule* is to not use a previous password as your master password.
>
> -Steve

Sadly, many people's 'master' password will most likely be something they can easily remember.

Also, there is almost certainly a backdoor into the password database.

The backdoor could be intentional (to assist law enforcement), or it could just be an API that someone forgot to properly lock down. But it's there. It always is.

"the cloud is another name for 'someone else's computer'":

https://www.schneier.com/blog/archives/2022/12/lastpass-breach.html

January 09, 2023
On Monday, 9 January 2023 at 01:44:41 UTC, Steven Schveighoffer wrote:
>

And btw, people talk a lot about reducing 'the surface of attack' by using more 'memory safe' programming languages.

But if only people would stop uploading critical information to the cloud!

(like the list of all their passwords!!)

That would reduce the need to attack in the first place.

As long as the cloud exists, attacks on it will always be occurring. No matter the platform, no matter the programming language.

January 09, 2023
On Monday, 9 January 2023 at 00:43:08 UTC, max haughton wrote:
> On Monday, 9 January 2023 at 00:18:50 UTC, RTM wrote:
>> On Sunday, 8 January 2023 at 21:53:32 UTC, Steven Schveighoffer wrote:
>>> Nope. That's not how LastPass (and password managers in general) work.
>>
>> https://en.m.wikipedia.org/wiki/LastPass#2022_security_incidents
>>
>> It’s serious.
>
> Serious yes, but look at the data that actually leaked, it's not the keys to the safe I think

Even if it was just the 'customer data', that data alone is worth a lot, as it can be (and likely will be) used in very mischievous ways.

It may well be that they were after that data after all.
January 09, 2023
On Monday, 9 January 2023 at 03:02:31 UTC, Walter Bright wrote:
> On 1/8/2023 5:44 PM, Steven Schveighoffer wrote:
>> Everyone today should use a password manager, whether it's cloud based or not.
>
> Yes, because password managers are perfect software, unlike every other piece of software on the planet.
>
> I heard today that Pegasus can read Whatsapp encrypted communications. If Pegasus can do it, anybody can.
>
>
>
>> And the *most important rule* is to not use a previous password as your master password.
>
> A master password is a single point of failure.

So is an airplane (despite the internal redundancies, the whole system can fail, e.g., the 737 rudder actuator failures), and yet we fly. That something is a single point of failure is, considered alone, not an argument against its use. The decision to use or not should be based on a weighing of the benefits vs the risk/cost (probability of failure and its cost).

As for LastPass, I was a user, with a long-enough random password drawn from a large enough character set resulting in > 10^15 possibilities. A key that hard to find by brute force gets the risk low enough for me so I can enjoy the benefit of having access to my passwords from all my devices and share them with my wife and vice-versa. What's the alternative? An encrypted spreadsheet? Unworkable.

I will say, though, that I have cancelled my LastPass subscription and migrated to 1Password, because I think the way LastPass handled this was dishonest.
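The two numbers this sub-thread turns on, Steve's "100100 rounds" and Don's "> 10^15 possibilities", are easier to reason about with the derivation in front of you. The following is an added example, not code from the thread, from LastPass or from 1Password. It models the vault-key derivation as PBKDF2-HMAC-SHA256 salted with the account email (an assumption about the design, chosen so the server can be shown holding only a derived hash), uses the 100,100 iteration count named above, and runs an offline dictionary attack against a constructed weak master password before estimating worst-case brute-force time for random passwords at an assumed attacker rate. None of the passwords or rates are measurements from the breach.

```python
"""Added example (not from the thread or from any password manager's code):
a model of master-password key derivation, the offline attack an attacker
with stolen data runs against it, and the brute-force arithmetic.

Assumptions: PBKDF2-HMAC-SHA256 salted with the lower-cased account email,
the 100,100 iteration count named in the thread, constructed sample
passwords and an assumed attacker guess rate.
"""
import hashlib
import hmac
import math
import time

ITERATIONS = 100_100  # the "100100 rounds" mentioned in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, email: str,
                     iterations: int = ITERATIONS) -> bytes:
    """Client side: the key that encrypts the vault. It is derived locally;
    neither it nor the master password is ever sent to the server."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               iterations, dklen=32)


def login_hash(vault_key: bytes, master_password: str) -> bytes:
    """What a server can store to check a login: one more PBKDF2 round over
    the vault key. Whoever steals it still has to guess the password and
    pay the full iteration cost to verify each candidate."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=32)


def offline_guess(candidates, email, stolen_hash, iterations=ITERATIONS):
    """Attacker side: re-derive for each candidate and compare against the
    stolen login hash. Returns the matching password or None."""
    for candidate in candidates:
        key = derive_vault_key(candidate, email, iterations)
        if hmac.compare_digest(login_hash(key, candidate), stolen_hash):
            return candidate
    return None


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the charset."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int,
                     guesses_per_second: float) -> float:
    """Worst-case time to try every password at the given (assumed) rate."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def measured_seconds_per_guess(iterations: int = ITERATIONS) -> float:
    """Cost of one guess on this CPU core. A GPU cracker is faster per core
    but still pays for every one of the iterations."""
    start = time.perf_counter()
    derive_vault_key("timing-probe", "probe@example.com", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    email = "alice@example.com"  # constructed sample account
    stolen = login_hash(derive_vault_key("password123!", email), "password123!")

    # Constructed wordlist: the weak master password from the thread falls.
    wordlist = ["letmein", "qwerty123", "Summer2022", "password123!"]
    print("dictionary attack recovered:", offline_guess(wordlist, email, stolen))
    print(f"one guess costs {measured_seconds_per_guess():.3f} s on this core")

    # Assumed aggregate attacker rate against 100,100 PBKDF2 rounds.
    rate = 1e6
    for name, charset, length in [("8 digits (PIN-like)", 10, 8),
                                  ("10 lowercase letters", 26, 10),
                                  ("15 printable ASCII chars", 95, 15)]:
        print(f"{name}: 10^{math.log10(keyspace(charset, length)):.1f} "
              f"candidates, ~{years_to_exhaust(charset, length, rate):.3g} years")
```

Run it as a script to see the three numbers side by side: the dictionary attack recovers "password123!" after a handful of derivations regardless of the iteration count, while 15 random printable characters give roughly 10^29.7 candidates, far above the 10^15 floor Don quotes, so even the assumed million guesses per second leaves exhaustion at ~10^16 years. The iteration count only multiplies the attacker's cost per guess; the keyspace of the master password is what decides whether the stolen blobs are "the keys to the safe".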


January 09, 2023
On Monday, 9 January 2023 at 15:12:41 UTC, Don Allen wrote:
> [snip]
>
> I will say, though, that I have cancelled my LastPass subscription and migrated to 1Password, because I think the way LastPass handled this was dishonest.

Sorry if this is off topic, but how was the migration? Any difficulties?
January 09, 2023
On Monday, 9 January 2023 at 15:23:56 UTC, jmh530 wrote:
> Sorry if this is off topic, but how was the migration? Any difficulties?

I migrated to 1Password, and it had some rough spots (this was a couple of years ago), but most things were fine. Most of the strife is differences in how the two services store the notes. Like some notes went into the wrong buckets or the fields didn't match up.

-Steve
January 09, 2023
On Monday, 9 January 2023 at 15:23:56 UTC, jmh530 wrote:
> On Monday, 9 January 2023 at 15:12:41 UTC, Don Allen wrote:
>> [snip]
>>
>> I will say, though, that I have cancelled my LastPass subscription and migrated to 1Password, because I think the way LastPass handled this was dishonest.
>
> Sorry if this is off topic, but how was the migration? Any difficulties?

I'm only about a week into this, so not a lot of experience, but 1Password has worked well so far. A minor inconvenience is that the 1Password browser extension wants the master password the first time you use it after a browser restart. My password is 15 random characters, so impossible to remember. I've dealt with this by putting the password in a file on a USB key and have a little script to mount the key (using doas so I don't have to do this as root), print the password and umount the key (doas again). I then copy-paste the password to make the extension happy. Not a big deal.
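A helper along the lines of the one described above, as an added example and not Don's own script: it mounts the key read-only through doas, reads the first line of a file on it, and always unmounts again. The device node, mount point and file name are assumptions to adjust for your system, and the permission check assumes the key carries a Unix filesystem (FFS, ext4) where file modes mean something; on a FAT key every file shows up as 0755 and the check would have to be replaced by a mount-time permission mask.

```python
"""Added example, not the script from the post: mount a USB key via doas,
print the master password stored on it, unmount on the way out.

Assumptions: /dev/sd1i, /mnt/key and master.txt are hypothetical names;
doas.conf must permit this user to run mount and umount.
"""
import os
import stat
import subprocess
import sys
from contextlib import contextmanager

DEVICE = "/dev/sd1i"        # hypothetical OpenBSD-style device node
MOUNTPOINT = "/mnt/key"     # assumed mount point, must already exist
SECRET_FILE = "master.txt"  # assumed file name on the key


def read_secret(path: str) -> str:
    """Return the first line of PATH, refusing files other users can read.
    The password sits in plaintext on the key, so mode 0600 is the one
    thing standing between it and any other local account."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group- or world-accessible; chmod 600 it")
    with open(path, "r", encoding="utf-8") as fh:
        return fh.readline().rstrip("\r\n")


@contextmanager
def mounted(device: str, mountpoint: str):
    """Mount DEVICE read-only with nosuid,nodev,noexec via doas; unmount on
    exit even if reading the secret fails."""
    subprocess.run(["doas", "mount", "-o", "ro,nosuid,nodev,noexec",
                    device, mountpoint], check=True)
    try:
        yield mountpoint
    finally:
        subprocess.run(["doas", "umount", mountpoint], check=True)


def main() -> int:
    try:
        with mounted(DEVICE, MOUNTPOINT) as mp:
            secret = read_secret(os.path.join(mp, SECRET_FILE))
    except (subprocess.CalledProcessError, OSError) as exc:
        print(f"error: {exc}", file=sys.stderr)
        return 1
    print(secret)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Two points a practitioner will want to keep in mind: the key is mounted with ro,nosuid,nodev,noexec so that a stick plugged into the wrong machine cannot bring an executable along for the ride, and printing the password leaves it in the terminal's scrollback, so clear the terminal (or pipe the output into a clipboard tool with a timeout) once the extension has it.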