"This comes just months after LastPass confirmed that hackers had stolen some of its source code in August and had access to LastPass’ internal systems for four days before getting detected. It looks like this new attack is connected, as Loubba says it determined that hackers gained access to user data “using information obtained in the August 2022 incident.”"
Just read it looking for that extra info and not seeing it? the blog post and this article seem to have the identical information in them. The blog post is in a series, so for background on the "four days in august" you can scroll down.
It's certainly not acceptable that all they are saying is "certain elements of our customers’ information." Very unacceptable: if it's credit card numbers or home addresses, they have to reveal that. The current language makes it look like they want to hide some kind of very bad news, which is worse. Also, their August post indicated that the developer account that was compromised had no access to customer data, so why exactly was that wrong?
Perhaps the attacker determined how the software interacts with customer information, by reading the source code, and was able to exploit the information somehow.
The current update fits pretty well exactly on my screen, so I saw no hints that it was a series. After seeing the usual corporate speak and signoff, I assumed that was it.
I went looking in their history of posts for more information on the August incident but couldn't find anything, as the older installments do not show up individually.
Just a reminder: if you are deciding to migrate from LastPass to something else, the password export malfunctions for unknown reasons. If you have memos, it could be a character in the memo.
You must make sure the exported CSV file has everything!
This really hurt me last year, when I migrated away. I didn't realize at the time how much didn't come with, so I've been playing the reset / recovery game since.
I feel your pain. I switched to KeePassXC, and will never use an online password manager again.
For a password management company, they can't even be bothered to fuzz their export functionality. QuickCheck works unreasonably well on `import(export(a)) == a`.
But maybe it's intended to be buggy, in order to keep you in their walled garden. Clearly the sync between devices works, so they have solved this problem.
> Clearly the sync between devices works, so they have solved this problem.
Presumably they don't use CSV to sync, they're using a saner json/etc. data structure that they're not letting us export ourselves. Seriously, being limited to CSV in this day and age...
This is years ago now, but every ampersand in my passwords came across wrong. I can't recall if it was missing or url encoded, but even passwords weren't safe.
I want to as well, but annoyingly there are many sites that insist on a "special" character because their strength measure says "low" for the 20 character alphanumeric string I generated %-}
My favorite is when they actually limit what special characters you can use. Must include 1 of x special characters. Why? I always just assume they baked their own password storage and couldn't figure out how to handle the whole set of special characters
Multiple times I've found that this is caused by a web application firewall that is intended to mitigate SQL injection attacks. So they disallow the characters that would commonly be used in those attacks.
On those sites, I generally insert the same fixed uppercase-and-symbol string on my zbase32ed-entropy passwords. Zbase32 tends to produce numbers already, and that combo tends to satisfy the silly sites.
Well, this completely explains where one of my Truecrypt volume passwords disappeared to after migrating away from LastPass years ago. Too bad the account has long since been deleted.
Also if you try to export multiple times it will start spitting out exports full of duplicates. Only safe way is to export right after a fresh session login.
I moved to BitWarden a year ago after a billing problem with LastPass that their support handled badly. I haven't had any problems with the migrated data and I finally deleted my LastPass account last month.
As of today, as I attempt to perform the migration, their export to CSV outputs a CSV with 2 lines of my 700+ passwords.
The HTML in the page shows a lot of items, but if I save directly from there, it's poorly formatted, it won't import anywhere.
* custom "items", so instead of "Password", I also have my own
* attachments, which I know 100% are not exported. There is a CLI app to help with that, but still horrible
* I have large notes with weird characters, which makes me concerned if they will be exported properly
* Last time I checked, the CSV seemed very broken (not respecting the standard), I'd be surprised if it imports properly
That's the reason why I haven't moved.
I'd move to bitwarden, but the lack of tags is too much for me. I use tags everywhere, I don't want to deal with directories anymore, so 1Password it is.
I moved to 1password a few years ago and haven't regretted it for a second. I still have Lastpass installed, but it's probably getting to the point I can delete it.
Last I checked, they still didn't have a useful Content-Security-Policy header on their Web Vault (which would prevent XSS), and also didn't have a way to separate "being logged into the extension" from "being logged into the Web Vault".
It’s the worst desktop software I’ve used in several years. The UX makes no sense, it’s full of bugs, it performs badly, they’ve had multiple breaches. I can’t think of a single thing it does that’s even approaching average, let alone good.
I just exported my own vault with the latest version, it was ok for me. I have plenty of passwords with all kinds of special characters. Still, be sure to review the CSV file. If anything looks weird, double check that the password is the same in your LastPass vault. As with all backups/exports, you should always do a sanity check of the data.
One issue I ran into: the CSV file that "downloaded" in the browser didn't have all of my passwords, only about ~20 of ~400. I had to copy and paste the CSV text in the browser to a new CSV file with a text editor. But upon reviewing that, the format of the passwords was fine.
I had a problem not with the password data but with the content of some notes (or whatever it is called in LastPass).
I have been a paying customer of Lastpass for about 15 years. I moved to Bitwarden for all sorts of reasons. I work in technical information security, so it was also for that reason (but not only).
Maybe I lucked out? I migrated to Bitwarden early this year and so far all of my passwords have worked. I also made sure to compare the site entries in both. One thing that can't transfer were attachments in LastPass secure notes. So I had to download each one individually and upload them to Bitwarden.
Yeah, in any migration—if you can—it's good practice to run both simultaneously for a while until you're convinced you've checked everything and you're ready to drop the old for the new without much downtime.
1Password. The largest feature disparity is 1password is designed and built by competent engineers. The history of breaches and technical mistakes Lastpass has made over the years is amazing for a tech company let alone a password manager.
How is the user experience though? "Designed and built by competent engineers" is reassuring in the face of security breaches, but often means it's less convenient to interact with on a day-to-day basis.
1Password has the best UI/UX of any that I've used. It's clean, pretty, and solid in my experience. Honestly it's a joy to use which I prioritize in the software I choose to use daily.
Used BitWarden for years, happy with it. Recently switched to Nord Pass, also happy with it. Not sure about feature disparity though, just mentioning some ideas in case you're researching alternatives.
My wife and I switched from Lastpass to Bitwarden early this year. Glad we did, considering all the news! Password sharing is different, since you have to make a group/organization and share the password in there. But once that was figured out, it's been a better experience with fewer bugs. It doesn't look slick, but it's more functional.
> We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.
EXACTLY why so many companies opt to stay on-prem, to the amazement and bewilderment of every vendor sales rep that calls on the phone.
Go ahead and ask them which Cloud providers their company uses. Ask them which open-source libraries their SaaS uses. Ask them to show you the audits they've performed on THEIR supply chain this year. You won't get any answers.
So sick and tired of everyone jumping on the "more links in the chain is better" bandwagon.
> Ask them which open-source libraries their SaaS uses. Ask them to show you the audits they've performed on THEIR supply chain this year. You won't get any answers.
Well, even with private cloud and on-prem these are pretty relevant questions...
I worked with a government organization where I was part of the team on-boarding a new on-prem system. It was purchased through a tender, where on-prem was a requirement. The product was SaaS by default, but they offered an on-prem version. We pretty much got a copy of the stack of containers and docker-compose file that they used to run their SaaS offering.
While running the application, I was missing a lot of context, since logging was minimal, so I asked the company how to connect a log store to get an overview of all the sub-systems. There was no option for this (then how did they monitor their SaaS?). So I used docker to get a command line in the containers and see if I could find some logs there to then get into a log store. In one of them, I noticed an error because something in the container was trying to phone home with telemetry, to a server that wasn't owned by our supplier. 'Luckily', our on-prem box didn't have an internet connection, because of the sensitivity of our data.
This was when I realized that our supplier didn't roll their own containers, but just used off the shelf stuff they didn't even audit. So who knows what their SaaS offering was leaking from these containers? I mentioned this to both internal IT architects and the supplier and nobody really seemed to care.
This is a supplier that was named 'Leader' by Forrester and got a $30M funding round last year.
And, to be fair, it's a large part of the Docker experience.
I recently had a pretty much identical experience with a vendor that is industry leading in their sector and counts most large companies among their customers. Just imagine what their cloud looks like.
A supply chain attack on these guys wouldn't even be difficult, and the only reason I can imagine we haven't heard about it is that we just haven't heard about it.
LastPass blog post on Sept 15 said the hack was accomplished with a compromised developer machine:
> Our investigation determined that the threat actor gained access to the Development environment using a developer’s compromised endpoint. While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication.
This is similar to other recent hacks, e.g. where a crypto company was hacked when a developer opened a malicious PDF he thought was a job offer.
So, in other words, being on cloud vs. on prem, and potential supply chain hacks, had nothing to do with it.
So sick and tired of everyone jumping to conclusions to fit their preconceived notions of what is good/bad when it comes to security.
When you're on prem you only have to worry about your own employees opening sketchy PDFs. When you're not, you have to worry about everyone in your supply chain opening sketchy PDFs.
Never mind the fact that the next time a major world conflict occurs, the big 4 cloud providers will probably be destroyed, taking about 90% of the western economy with it.
> When you're on prem you only have to worry about your own employees opening sketchy PDFs
This is just plain wrong. When you’re on prem you have to worry about configuring all of your hardware and software correctly yourself. Your firewalls, your SSH server(s), off site backup systems, hardware failures, software patching, access points to your network – the list goes on. Some of these are true for cloud services as well.
They are just different trade offs. Sometimes on prem makes sense, and sometimes cloud services make sense. You can’t say that security is less of a concern in one of them.
> Nevermind the fact that the next time a major world conflict occurs, the big 4 cloud providers will probably be destroyed, taking about 90% of the western economy with it.
And it somehow does _not_ take your on prem system with it? Even though cloud providers are spread across the whole world, and your on prem system is most likely in one, single location?
> When you're not, you have to worry about everyone in your supply chain opening sketchy PDFs.
That's absolutely not correct. Besides, I have more respect for the security and operations procedures for AWS, GCP and Azure than I do for 99% of startups running their own infrastructure.
But my primary point is that you seem to be arguing that being on prem is inherently more secure, and more importantly, being in the cloud made LastPass less secure, despite the fact that the breach vector in this case would have been equally effective regardless of whether they were in cloud or on prem.
It doesn't matter how secure 4 providers are. There are only 4. OpSec won't stop a submarine from bombing underwater fiber. OpSec won't stop a missile heading for the data center. The strategic importance of our consolidated infrastructure WILL be a paramount target for any enemy of the west.
On-prem business is a diversified attack vector. Cloud storage is a consolidated attack vector. Would Russia rather attack 100,000 small diverse targets, or one enormous target with 1,000,000s of customers?
If your goal is to avoid downtime in case of nuclear war, you could use a managed distributed database solution from a cloud provider.
Also, attacks against 'on-prem' services still scale, in the sense that an exploit against a service's code can be used on any number of independent deployments of that code.
The solution to that is to actively avoid monoculture. [0]
If your primary concern is global thermonuclear war, then like other commenters have said, I think we'll have much more important things to worry about.
Yeah, but it's not the SaaS/big 4 that has a developer logging in locally as admin who gets owned, and then isn't segmented sufficiently to stop the spread; it's the scrappy startup.
And I say this while working at a scrappy startup where there is no segmentation, everyone browses in a browser with sudo, etc. See Piriform and others.
Your hate of cloud is not wrong, but on-prem is not necessarily more secure. Not at all. (IMO layers of abstraction and cost once you actually scale are the real negatives.)
You don't need to destroy the cloud providers. Missile hits on the major interconnection (interchange? peering?) nodes in each major country and most of the companies and people are offline. Or hit the power plants, see Ukraine.
This, plus the fact that privacy regulations are on the rise, will make SaaS providers adapt to a world where customers' data cannot be kept on the SaaS prem.
I would suggest splitting this problem into two different problems: the processing ("data in use") vs. data at rest. Each of these problems should be tackled with a different solution/approach.
I'm working on tackling the second one, and if anyone wants to talk just reach out (reply/mail/link/whatever you prefer).
This was the immediate and exact same thought I had the moment I read the first sentence of the post. Then I stopped reading. Clearly this was not an engineering decision, and passwords should be trusted to no one but competent engineers and cryptographers.
Product idea! A little e-ink display (let's call it a Password Storage Device or PSD) with a tiny processor and enough memory to store all your passwords. Make them cheap enough that you can have a few redundant copies in various places.
- OS sees the device as a keyboard
- Two versions. One with bluetooth, and one with only USB for a little more security.
- Open source software package to sync your collection of PSDs
- Open source browser extension to autofill passwords
- Tiny keyboard on the device (detachable to share between your collection?)
Usage:
1. Install browser extension
2. Navigate to a password field
3. Follow prompt to populate password
Alternate usage:
1. Manually search for password using the device keyboard
2. Click into password field in browser
3. Press button on device to have it type the password
Or of course you could just view the password on the device if you prefer.
No offense, but this is such a hacker solution. :) And as mentioned, already exists in many forms.
Passwords and login credentials are dead. No user wants to deal with them. Password managers are a solution to somewhat sanely and securely manage this complexity, and not something that the average user wants to think about. In that sense, they don't improve security overall, and introduce many other issues (a centralized honeypot, in the case of services like LastPass).
The industry has been trending towards OTP, FIDO, WebAuthn, and all sorts of identity solutions, instead for years now. It's clear that nobody wants to manage credentials, and having a separate security device is not something mainstream audiences will adopt, so maybe by integrating it with smartphones, this will finally catch on.
It will likely take years for most of the industry to move away from passwords, and we'll likely still require traditional credentials in some cases. The myriad of standards out there is a hurdle for adoption, but it feels like we're settling on something that might be usable for everyone.
Considering that 99% of web app password authentication reduces to email authentication via ‘forgot password’, a good first step would be dropping the password and just using emailed tokens (or links) directly.
When I was studying, we had to use the computers at uni when presenting homework.
It gets really annoying when you want to sign into $service on those machines, but you need to use a magic link. Because then you need to log in to your Gmail, which requires an additional 2FA (and you can’t receive SMS in a building that has 6 stories but no femto cells).
Unfortunately google requires either their app or SMS. They dropped pure totp for some reason.
> Unfortunately google requires either their app or SMS. They dropped pure totp for some reason.
I use TOTP with my Google Account all the time. If you have a phone registered with that Google Account it will default to the push notification system first (it might even be possible to make this no longer the default, I'm not sure), but you can always click the button to switch to alternative 2FA options.
Yup, but it seems it will default to "click the notification on your phone" as soon as you've signed in on a phone. You need to click "try another way", even if you've explicitly told them that TOTP is your preferred default.
I hope not. Not only is this often frustratingly slow, it really complicates things for people who use devices where they don't receive email. Myself, I only receive email on my computer and one mobile device. I have several devices where having to click a link in an email to log into a site means annoying gyrations trying to transfer links from one device to the next. This is especially annoying when whatever mechanism you use to transfer the link does link previews and the login link is one-time-use. :D
> means annoying gyrations trying to transfer links from one device to the next
There are alternatives to this, such as typing a code into the login prompt instead of following a link (which will be submitting that code). This does limit the size of token that can be used because it needs to not be too inconvenient for the user to type, but if the code's validity is sufficiently short-lived, and properly unguessable, this can be done without compromising security any more than it already is by involving SMTP in the process.
Of course the other problem with email-only password resets is that users often receive email on the same device they are trying to authenticate – so if someone has left a machine unlocked with their mail account logged in, an attacker can gain access to any site/app that uses this password reset mechanism. One of the reasons that email and SMS are not great choices for a second factor, and even less good choices for what is sometimes effectively the only factor.
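The typed-code alternative from the comment above, as an added example that is not from any product named on this page: a short numeric code is guessable in principle, so the store compensates with a short validity window, a cap on verification attempts, and single use, and keeps only a keyed hash of pending codes. The constants and the server key are assumed values for the demo.

```python
"""Short-lived, single-use login codes typed into the prompt (added example)."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 8          # 10^8 possibilities: typeable from a phone screen, far too few without limits
TTL_SECONDS = 300        # validity window assumed for the demo
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is burned
SERVER_SECRET = b"constructed-demo-key"   # assumed HMAC key for hashing codes at rest


class LoginCodeStore:
    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so expiry can be tested deterministically
        self._pending = {}                 # email -> (code_tag, expires_at, attempts_left)

    def issue(self, email):
        """Create a fresh code for `email`, replacing any earlier one; return the code to e-mail."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[email] = (self._tag(email, code), self.clock() + TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, email, submitted):
        """Return True exactly once, for the right code, inside the window, within the attempt cap."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        tag, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self._pending[email]       # expired or exhausted: force a fresh issue
            return False
        if hmac.compare_digest(tag, self._tag(email, submitted)):
            del self._pending[email]       # single use
            return True
        self._pending[email] = (tag, expires_at, attempts_left - 1)
        return False

    @staticmethod
    def _tag(email, code):
        # Keyed hash bound to the e-mail, so a leaked table of pending codes is not directly usable
        return hmac.new(SERVER_SECRET, f"{email}\0{code}".encode(), hashlib.sha256).digest()
```

Binding the code to the address and burning it after a few wrong guesses is what keeps an 8-digit code acceptable; the e-mail channel itself remains the weakest part, as the next paragraph in the comment says.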
Agreed. This is one reason I limit the number of devices that have my email credentials. Using 2FA everywhere is sadly not practical yet, so there are a nontrivial number of accounts that are, as you point out, effectively owned by anyone who can access my email.
I actually occasionally fantasize about implementing a mechanism that I could use from my desktop (where my password manager is) to send passwords as needed (e.g. one at a time) to my devices (I really like not worrying about syncing whole vaults). Encrypt the password using an ephemeral key (gets deleted after 60 seconds, for example) on the transfer service and a local key derived from a random six digit number. Display the number, send a url to the device, and anyone hitting that URL has 60 seconds to enter the six digit code and it decrypts the password and drops it on the device clipboard. This is about 1000 times better (and over-engineered, naturally) than my current practice of "paste it in a slack message to myself."
You would also likely need a way to get this to work on a mobile phone too. I know from personal experience that there is plenty of times nowadays that I end up logging in to various places using my password manager (not lastpass) on mobile.
You could have it MITM between your keyboard and computer. Depending on the mode it records your key presses to an entry, or replays an entry. Otherwise it just passes through.
Probably just needs a screen and like 3 buttons: record/play/navigate mode (use your keyboard to actually navigate).
I won't lie, but I lost you in the steps mentioned here. Finally, IMO, people just want auto-fill/auto-logged-in instances without having to enter OTP/type password/do 2FA etc. No matter how you slice it, that's what people want. Now, how do I compress all these requirements within the boundaries of what is acceptable as a provable source of identity? It becomes a harder problem than you describe.
PS: I have worked in computer security and I am drunk. Eat your salt
If you're a lastpass user, might be wise to avoid logging into lastpass until they update with a resolution - if the attackers got into the build server they could craft attacks that would exfiltrate passwords after user decrypts
Fuck. If you're a lastpass user, you kind of don't have a choice. I can't log into accounts I use for socializing, work, banking, etc. without lastpass
I just spent a couple of hours resetting my most important passwords and writing them down on paper.
Won’t be touching LastPass again except offline, while I figure out where to go from here. I had been putting off finding a better password manager, but this is the last straw.
Wouldn't the devs know if a malicious LoC had been built into the client and distributed to take master passwords from the browser? Idk much about browser extensions, but I think they would have been able to figure out if something malicious went out to last pass clients, no?
LastPass is architected so that your master password is never sent to their servers. Decryption of your vault happens locally on your device. Maybe such an attacker might get your email address (username).
Is there a web UI ? If yes - I guess an attacker can just send "bad" JS to the client and steal the master password no? Or inject a malicious update. Most people probably have auto updates?
Yes, this is one of the concerns. In theory a browser addon should take a while for the bad guys to update and publish, but are the existing addons downloading and using server-provided JS? One would hope not, but that's hardly a safe assumption these days. I know Mozilla takes a pretty hard stance against this sort of thing, but it's not all caught in review. And then there's the electron style apps - those should be static too, right? right?? Also not a safe assumption. And yes, there is a pure-web UI where the code is downloaded from their servers.
> are the existing addons downloading and using server-provided JS? One would hope not, but that's hardly a safe assumption these days
This reminds me of a very brief security review I did of a 3rd-party browser extension that was being installed on everybody's laptop at a previous job. The extension itself had very little code, it was just something that bootstrapped with code from the company's servers. There was no real way to review it or freeze a reviewed version.
The kicker was that the server-provided JS was being loaded over plain http (and no, nothing was checking signatures or anything like that).
I think I misread the initial comment. Yes, if the build server is compromised code could be injected into the next build/release cycle to pilfer your master password. Not only that, but also anything else in the vault since it is decrypted locally and visible to the extension.
Still, local decryption is more secure than sending the master password to the server (so, just compromising the server holding your vault wouldn't be enough to steal your password). I think I will switch to BitWarden which uses the same approach; LastPass seems to be getting hacked a lot nowadays.
Are you certain bitwarden has not? I read a thread here some time ago where 1password was bragging that they have never been breached, and someone basically commented back "they have never been breached that they are aware of".
I am concerned at some level on the lastpass breaches, but I am less affected so far than I have been by the equifax, target, and t-mobile breaches. I have had years of free credit monitoring since each one of those handed out enough data to compromise my identity several times over.
Databases: KeePass on PC and KeePassDroid on Android (saved as non-kdbx files, steganographically passworded inside a JPG renamed as a WAV, manually backed up between PC and phone); suits me.
It's a pain, but not as painful as being lastpassed!
From the KeePassXC FAQ: "Additionally, you can use a key file filled with an arbitrary number of random bytes or a YubiKey to further enhance your master key"
> So in a sense, it makes your password stronger, but technically it doesn't qualify as a separate second factor, since this is not an authentication scheme and also because the expected response doesn't change every time you try to decrypt your database.
I'd argue that the biggest threat against a (non-cloud-synced) password manager is a local database compromise, and the Yubikey does not meaningfully help here.
To be fair, I don't think anything can help in this threat model – a password manager is ultimately a key/value storage for bearer tokens, and if an attacker can exfiltrate those key/value pairs, it's game over.
So the Yubikey certainly helps against an otherwise too short/reused password manager unlock password, or against somebody shoulder-surfing your password and able to steal your database, but not otherwise tamper with the device you're decrypting it on.
But other than that – if somebody can steal your local database and sniff your password (e.g. via a key logger), they can probably also sniff your Yubikey challenge/response, which is returned via the USB HID protocol as well.
If an attacker compromises your local machine, they don’t need any password: they just wait for you to enter all required credentials and read the passwords when the database is unlocked.
Also, you omitted an important sentence at the end of the FAQ that you quoted. The response changes every time you save the database. Yubikey uses HMAC-SHA1, which is a hash of a shared key and a counter. The counter, and hence the response, changes when the file changes. That helps a lot, with constantly rotating the master key. It also adds 140 bits to an otherwise easy to remember password.
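A model of the rotating challenge-response contribution discussed in the comments above, written as an added example: it is not KeePassXC's or Yubico's code, the key derivation and header layout are simplified placeholders, and the 20-byte HMAC-SHA1 secret that normally lives on the token is generated inline. It shows why a response captured from the USB channel at one point in time stops working once the database has been saved again, while the password alone was never enough.

```python
"""Rotating HMAC-SHA1 challenge-response in a password database header (added example)."""
import hashlib
import hmac
import os

TOKEN_SECRET = os.urandom(20)   # constructed: the secret programmed into the token's HMAC slot


def token_response(secret, challenge):
    """What the token computes when handed a challenge: HMAC-SHA1(secret, challenge)."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def derive_master_key(password, response, salt):
    """Placeholder KDF (not the real one) mixing password, token response and a per-file salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode() + response, salt, 10_000)


class Vault:
    """Header holds the current challenge, the salt and a key-check value (KCV), so an
    unlock attempt can be verified here without modelling the payload cipher."""

    def __init__(self, password, secret):
        self.header = None
        self.save(password, secret)

    def save(self, password, secret):
        challenge = os.urandom(32)   # fresh challenge on every save -> new response -> new key
        salt = os.urandom(16)
        key = derive_master_key(password, token_response(secret, challenge), salt)
        self.header = {
            "challenge": challenge,
            "salt": salt,
            "kcv": hmac.new(key, b"kcv", hashlib.sha256).digest(),
        }

    def unlock(self, password, response):
        """Unlock with a password and a response; the response must match the *current* challenge."""
        key = derive_master_key(password, response, self.header["salt"])
        return hmac.compare_digest(self.header["kcv"], hmac.new(key, b"kcv", hashlib.sha256).digest())

    def unlock_with_token(self, password, secret):
        """Normal use: the token is asked for the response to the challenge in the header."""
        return self.unlock(password, token_response(secret, self.header["challenge"]))


def captured_response_outlives_save(password, secret):
    """Scenario from the thread: password and one USB response were observed, then the
    database was saved again. Returns (unlocks_before_save, unlocks_after_save)."""
    vault = Vault(password, secret)
    observed = token_response(secret, vault.header["challenge"])
    before = vault.unlock(password, observed)
    vault.save(password, secret)
    after = vault.unlock(password, observed)
    return before, after
```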
I do see the point of adding more entropy, but against what type of attacker is the rotating password an improvement?
It seems to kick the attacker out of getting future database updates after a point-in-time compromise, but do users using a password manager frequently change their passwords stored in it? At least I don't.
Dropbox works really well with KP and I used it for years. The problem was that I ended up with more devices than Dropbox supported for free so I switched to Syncthing. If you only have three devices use Dropbox.
Syncing with Dropbox worked well for me. When you deal with an adversarial server holding your ciphertexts, you have to be a bit careful with the encryption. But keepass is good, AFAIK.
Syncthing improves the security, for instance, just in case a vulnerability creeps into the keepass code.
It works, but I had problems with the Windows Dropbox client failing... silently, so my wife and I would end up with different versions of files, or not being able to "send" them to each other because her client was down and we wouldn't know.
Syncthing works, has no central server to be beholden to, is free, and I have much more stability with it.
I once started an interview process as a senior developer at Goto, the company behind LastPass.
The contact was a first phone call where someone simply asked the number of years of experience I had in software development, Java programming, etc. I thought it was weird that basically all they got from the phone call was a bunch of numbers. The weirdest part though was that they asked how many years of experience I had in... open source? "How many years of experience do you have in open source?"
(Probably because the recruiter had a list of tech and skills required and simply went through it.)
Anyway, I went with it and eventually got a coding assessment. The docx document told me to implement a little deck of cards in Java using classes and inheritance. This was for a senior position.
You laugh at that coding assignment for a senior position but you'd be surprised how many "senior" people interview that would struggle with that and be unable to complete it.
It's a great way to weed out the junior devs that cheated their way through school (or are too dumb to figure it out via stackoverflow) and the senior devs that haven't actually done any real programming in a long time.
An engineer at our competitor got laid off and my PM found out and hired the guy to do FPGA work. My PM knew the guy through some contracts we had with the competitor and assumed he was an expert in the field. Turns out the guy was more of middleman between program management and the engineers so while he could talk about the work, he hadn't really done it in like 10 years. My PM got the hiring expedited and since we don't really do interview tests in our industry, the guy was now on our team before anyone could ask any pertinent questions.
Long story short, the FPGA team starts assigning him work but it's taking way too long and he's asking for more documentation and for help on things that he definitely would have worked on in his supposed previous job. Eventually we all figure out that he kinda overstated how fresh his skills are and we transition him to a sort of documentation role so he wasn't burning hours on things he just couldn't handle. While he was perfectly capable of doing that kind of work, it involved a lot of insight into our design so it took him a while to get onboarded to the system and able to properly describe the design. Eventually he was doing good work and got the project to the point where he wasn't needed but he left a bad taste in everyone's mouth. We could have hired two junior engineers to do the work he was doing for the same price and probably gotten it done much faster. After the guy transferred over to another project, we reamed out our PM about his hiring decision and begged him to give us some input next time. Of course, due to the waste of money from the last guy, the functional managers stopped taking hiring inputs from our project and would just assign whoever the fuck they thought we needed despite the kind of roles we actually needed.
I am one of those people who just won't exaggerate or lie on my CV or during an interview. I say "i'm not sure, i'd google it the first couple times it came up". I'm not a programmer though. I have a weird skillset that doesn't mesh or gel with what recruiters are looking for, so on the rare occasion i get a recruiter on the phone, i tend to get a job offer at the end of the sequence.
I've had a few startup jobs, a couple megacorp jobs (not Apple), and a handful of mom and pop and defunct business jobs as well.
My least favorite interview questions involve regex or deep internals of BSD or Linux, my favorite interview questions are off the cuff solutions to problems presented, and then backtracking the explanation.
I've also been asked to perform job interviews for positions that i probably ought to know enough about to interview a candidate for, but I went off my gut feeling about how the person acted in what i consider a stressful situation (a slew of interviewers asking asinine questions). I don't like interviewing, i am not very good at finding candidates that are "in for the long haul" but every time we were tasked with finding someone who can do X before end of Q3, my hired candidate recommendations always nailed it in that time frame.
All this is to say, i find the whole process ridiculous. My CV apparently looks like a train wreck. I refuse to wear a tie or get a haircut. I'm eerily relaxed in interview situations.
My trick? one time i hung out with a CEO of an IT company from the PNW, and they basically told me everything i thought i knew was trash, my resume was trash, my attitude was trash, and the only thing i was good at was solving problems in a hurry. We did, in fact, get coffee for our meetup. I scrapped every idea of what a resume should look like - what i envisioned a perfect professional resume looked like - and started fresh. I learned to say no to most recruiters in a way that made them ask me about different "opportunities" more aligned with my personal ethics and values in the future.
I have 4 FPGAs, and i've never done anything with them, because the bitstream is proprietary on all of them. I wouldn't hesitate to tell an interviewer that i am interested in FPGAs and custom ASICs, because i am. I'm also interested in bacteria, but i won't be applying to a bioscience lab anytime soon. I certainly wouldn't say "yeah i can program an FPGA", or C, or do front end development, or any of that.
From my reading of these sorts of comments, in aggregate, most people try to impress the interviewers. I want them to impress me.
I have been developing in embedded systems for 38 years, and I have the shortest skill set you will ever see on a resume. I only put down the things I know.
On the other hand, I have reviewed resumes from people with five years of experience that are 'experts' at twenty five unrelated technologies. As soon as I see that, I think, 'yeah..... no'. I worked with some genius level folk at Bell Labs back in the mid 1990s, ten years into my career, and they were each really good at two or three things. I took note of that. Yes, they could figure other stuff out, they could move on to new technology, updating the three things that they were good at, but that list always seemed to be short.
You have to laugh at 'experienced' or 'expert at' followed by JS, JAVA, Full Stack, Python, Linux, BSD, C#, AWS, C, C++, MySQL, PostGRES, Lisp, Lua, Azure, MathCAD, DSP, AI, Excel, SystemC, Perl, regex, Bash, git, assembly, Verilog, ...
Pretty much. I hold the record for our coding question in my company - 3 minutes and 54 seconds. Granted, I'm one of the two people that put the question together, but still.
We've had candidates with "20 years of experience" completely unable to do what amounts to "call a web service, deserialize some json, write a couple for loops and if statements, and post back some json to a web service" in over an hour, or in a take home scenario.
It will never cease to amaze me that there are people employed in this field that just. can. not. program.
To be fair: it might be they have never done this before.
At my previous company, we had a technical assessment - this was about ten years ago now. It boiled down to: read XML, do some math / business logic, and build a REST API to do so.
Interestingly, ten years ago, at least half the applicants said they found it interesting because they had never worked with REST or JSON before. A lot were Java developers, so the XML part wasn't a problem, and they would often add some SQL database as a bonus.
But 5-10 years later, as development switched to (Node)JS and web, it became the inverse and people said they had never done anything with XML before.
And far more likely: done before, but never on anything even remotely close to a blank slate. You can spend years doing X, be very good at doing X, but only ever adapt some pre-existing precedent implementation of doing X to a new use case, or to a new underlying library, but never any green-fielding. That "implement X in a vacuum" test will rate many experienced people lower than some who have never ventured beyond textbook examples. It's not impossible that your real tasks have so much green field work in them that those experienced brown-fielders might actually be bad matches, but I suspect that those situations are much less common than the tests that select for green-fielders.
No doubt when GP refused to complete the coding assessment the people who designed it thought “aha! Yet another non-coder filtered out by our process!”
I'm currently doing interviews for a senior firmware dev position and was stunned by this. Today I talked to a guy who couldn't tell me what an interrupt was in any technical detail. His coding was worse than a first year college students. 5 of the 6 people I've talked to so far bombed the coding portion.
This isn't intended as a rebuttal, but I've learned to stay away from deeply technical questions in embedded. As long as the interviewee is sufficiently paranoid about C, is recognizably experienced via conversation, and knows the basic concepts I don't press too hard on their specific skillset.
There are just too many niches where the knowledge we each consider necessary simply isn't. I had one particularly bad interviewer grill me on how the ARM GIC worked in detail (e.g. interconnect details, differences between versions, etc) because they considered it basic knowledge. I've personally never needed to know anything about it that wasn't in a TRM.
I agree. Why memorize something that is well documented? Do you understand basic interrupt management and the existence of interrupt controllers? Good. Understanding basic concepts matter, but silicon implementations of a concept? No.
One question I have found useful in embedded development is asking someone to discuss the difference between a thread and a process, and the difference between thread based OSs and process based OSs. It is a general question, not bound by anything like CPU architecture, but just gives an idea into whether the person is comfortable about general memory domains.
I have mentored people, bright programmers that never worked in small embedded systems, that initially tripped all over the thread model, but eventually came to understand it.
I'm pretty new to interviewing so I appreciate the feedback. I think I'm doing OK with respect to that but I'll make sure not to assume my own expertise is trivial.
I have a different perspective. I feel that specific coding task tells me absolutely nothing about the seniority of the person performing the task and tells me very little about their qualifications.
Making direct comparisons of software to trades generally needs to stop. I understand that it's merely an analogy, but it's not a good one. Nails are extremely well understood with little room for improvement while the smallest piece of software is not so well understood and has infinite room for improvement. There are a handful of traits about an engineer that can make them incredibly valuable to an org that you'll never measure by putting the most weight on their ability to balance a binary tree (to use the cliched example).
This sub-thread was talking about "that specific coding task", not about binary tasks [edit: trees] in general. You might be very valuable building, say, a database application, while not being able to balance a binary tree, but if you can't do whatever we can all come up with as a small coding assessment ("little deck of cards"). It sounds to me like a good first filter, plus then a good talking piece to have a conversation about in an in-person.
Ya, my bad (and also to your sibling comment), I have trouble with HN comment depth sometimes.
Although I experienced recently what you said exactly! I was asked to build a deck of cards for the screening interview. It was a fun back-and-forth and I felt really good about things. Then in the next steps, I was asked to implement Conway's Game of Life. So like, I've been programming professionally for 13 years, I'm well aware of GoL and maybe should know how to do it, but I've never bothered since there are just a mountain of other projects, programming and not, that interest me over that. It's all good if you want your engineers to be able to solve that type of problem as it's your company and you do what you like with it. But like, they were an e-comm company and I have a ton of e-comm experience and was actually pretty into what they were doing, so why were they using something like GoL to assess me?
On the flip side of things to get a little tangential, I often feel companies reject me because they just don't like me, and I wish they would just say as much since that hurts way less than being told I'm a not a great engineer, lol.
Anyway, maybe a bit too much TMI... interviewing right now is a bit of a shitshow with all the recent layoffs and I'm maybe a little bitter, but also realllllly enjoying unemployment while it lasts.
Did they tell you to implement “Conway's Game of Life” in that many words, or they gave you the rules they wanted to implement?
If the first, that sounds like a terrible question. If the second, that sounds like a quite straightforward fizbuz style coding task.
> I'm well aware of GoL and maybe should know how to do it
What do you mean “should know how to do it”? I don’t think you should have memorised the rules, or an implementation. But I think if you are a software developer you should be able to turn human language into code. That is a key skill of the job.
Recruiters and subsequently hiring teams are often told they can't give much actual feedback to candidates, out of a fear for legal challenges. I cannot assess the validity of these fears, just relaying what I heard. I guess folks have been burned when their presumably-good faith attempts at feedback were twisted into inclusion and equal opportunity cases (which are also important subjects that I don't want to dismiss either).
That's why the programming tasks are simple. FizzBuzz, or "implement a deck of cards."
Sure there are different ways to do this but it's a small enough task that the quality of the solution is easy to judge.
I think the nail analogy works. If a blacksmith can't make a decent nail he shouldn't be hired. Same if a developer can't use one of a few very well-known standard library data structures to implement a deck of cards.
>I understand that it's merely an analogy, but it's not a good one.
Are there any good ones?
I find that people introduce an analogy...it is discussed, another 'contradictory' analogy is introduced....and eventually someone has 'won' the argument referring to something completely unrelated, and thereby have 'won' the original argument, by default.
My boss is particularly good at this :-) To me, it's a form of gaslighting.
As soon as i hear "But what if...?", or "it's as if...", I refuse to budge, and simply ask "Are we talking about 'the original subject', or 'Blacksmiths'? If it's the latter, let's talk about Japanese swordsmanship first, then the history of European metallurgy first - just to be on the same page."
Often used at the same time is the No True Scotsman fallacy.
Set ridiculous boundaries on the analogy, ignore the fallacies, and the original subject soon gets re-discussed. It's amazing how many people actually find that uncomfortable.
The premise is that someone capable can blast through trivial assignments in no time. Either this is the final proficiency challenge or there are subsequent, harder questions. In the former case, why not see the salary/offer and then decide?
Typically, because one has other opportunities that are no less compelling and where potential employers show respect for candidates' time.
I have a GitHub profile with a lot of code on it and on my resume I highlight projects I've done a lot of work on. "What if faked tho?"--there's literally too much there to be worth faking. If a hiring manager looks at my resume, has the option of going to my GitHub profile, and between the two goes "I'm going to hand him a college-level Java problem because I'm not sure," then there probably isn't a way we're going to work together. And that's okay, on both sides of it; there are a lot of developers who aren't bothered by that kind of low-trust relationship. I am. Not a fit.
(This is in contrast to, for example, asking a question like that during an interview. Interviews are bidirectional, and are showing an investment in the hiring process on the part of the employer. If a card-deck Java problem is worth addressing with my time, then it's worth addressing with your interviewer's time. The contrapositive is also true.)
Personally, I only ever ask people to solve coding/problem-solving questions live. The best experience IMO is when we talk through the problem together, since this approximates what collaborating with this person on real tasks will be like - not very well at all, but about as well as one can do in the amount of time available for a live interview.
However, I do understand where the offline exercise idea comes from - it's not necessarily about lack of respect for candidates' time, but is generally done with the best of intentions in response to feedback, because candidates complain that the interview technical exercise scenario is needlessly artificial: in a live interview candidates do not usually have easy access to their usual tools or Google/Stackoverflow, and many feel pressure and panic from having to code/problemsolve live while someone is watching and feel they would do better if left alone to do the same thing for the same length of time.
Given the incredibly strong feelings either way, perhaps it might not be a terrible idea to let people choose which approach they prefer; but I've never seen any company's hiring do that, though, thinking about it, there really is no good reason why not (provided I still get to talk through the results of the offline exercise with the candidate during the live bit!)
I think this is a good analysis of where the offline idea started from, but in my experience the majority of interviewers who want you to do a "take home" thing are asking you to sign up for a multiple-hour mess of a project. That's where the lack of respect comes from, and the lack of acknowledgment of the market--most people you want to hire are already employed, after all, and time pressure from life is a thing.
Making it an option for somebody who would rather wouldn't be bad, but yeah, as you say, nobody's learning a lot about the other people that way, and they're probably more important.
(The OP's card deck problem is just faintly ridiculous and a bad allocation of the candidate's time, and I assume there are more hoops to jump through afterwards.)
> If a hiring manager looks at my resume, has the option of going to my GitHub profile, and between the two goes "I'm going to hand him a college-level Java problem because I'm not sure,"
I know we're talking hypotheticals. I get your position 100%, and good for you.
My view is that I'd tell you that
1. I've seen your Github profile
2. However, I didn't have time to go through your entire Github profile looking at your efficiency and productivity. I want to do a quick, ad-hoc programming exercise to see how fast you operate on basic tasks (which #1 doesn't readily address). I expect you to crush it really fast and this is the only coding exercise I'll have you do.
To me, that doesn't seem unreasonable if I'm upfront about expectations. Your response will also say a lot about you (not necessarily negative, but for fit).
These requirements come up because someone always slips through diligence. While you might be getting punished, interviewers are trying to de-risk candidates as much (and as fast) as possible.
> I want to do a quick, ad-hoc programming exercise to see how fast you operate on basic tasks (which #1 doesn't readily address).
Right. And to do so in good faith, this absolutely can and should be a collaborative exercise with an interviewer. It demonstrates that the employer has skin in the game and isn't body-shopping. Once you're out of junior/low-mid hiring, this is really, really important to getting quality candidates to go through your funnel.
> interviewers are trying to de-risk candidates as much (and as fast) as possible.
Of course they are. They should also be aware of the tradeoffs in doing so.
Now if we could just standardise this so you didn't have to do several coding assignments for every position you apply for. I'm sure most people need to apply to more than one company to actually get hired, especially with all the layoffs now.
And very low ability to do any improvisation.
Without specifying every detail of the implementation, the task will not be completed.
Even in areas that don't require very specific solutions, and just need to work.
Ya, most people who have been in the game for a year ask for "senior" position. I'm pretty sure this is why there is "staff" now. Well, I'm not sure how long "staff" has been a thing as I've never worked at a company that has that title, just interviewed for them (nb: I interviewed for "senior" positions at said companies).
There was a blog post on HN a few days ago by someone who taught himself programming during covid and landed senior roles (multiple, simultaneously, by lying to the employers).
This type of self-referencing and self-congratulatory comment is what makes this website worse and worse little by little. You don't add any meaningful information or knowledge and it is something shallow a kid would say to look cool in front of his friends. I am not attacking you, you can do better.
I was going to post a comment but I decided it didn’t add much. Maybe if we all refrain from liberal posting it would remove the need to post comments asking for better comments. I’m not sure. I may post too liberally myself.
I disagree. The information "Goto has obviously horrible hiring tactics that select Programming-101-graduates for senior positions WHILE operating a security-sensitive product" is meaningful.
There are so many bad hiring practices in our industry that I indeed choose to trust the rare companies that do it right over the ones that cargo cult Google brain teaser questions, make you implement quicksort on a whiteboard, give you a take-home project that will take you forever but they will hardly glance at, will stop replying to you because ghosting is good, ...
That's the first impression I get from an unknown company and I decided to trust it.
Sounds silly, it’s a shame you didn’t get past the initial screen. It’s a process that has to be humored and you could have added a lot of value just by joining and then patching their hiring process.
When I was teaching in high school the deck-modelling thing is one that the kids come up with a lot especially when it came to doing their term project. I love the idea of being asked to implement a deck of cards using Java and inheritance! Here’s my implementation:
    SUITS = "♠♥♦♣"
    RANKS = "A23456789XJQK"
    deck = {(s, r) for s in SUITS for r in RANKS}
That’s about all you can commit to. Suits and ranks should probably be enums but we can start from these three lines and see how it goes.
Sorting? Depends on the game. Value? Depends on the game, and some games give the same card two values. Inheritance? Shared behavior depends on the game and is orthogonal to the card itself and often is dependent on game state as well as what card you have. Are we even playing a game, or is this just for rendering poker themed wallpaper? Calling it a “deck” is probably wrong. A deck is ordered and may have duplicates… it depends on the game! This is more of a pack than a deck.
It’s probably an amazing question for interviewing candidates in person to see how far they dig into the premise. As a take-home question, you could probably spend a minute on the code above and then an hour on implementing three different games. Maybe that was the original docx, but it didn’t sound like it.
    // Each public type goes in its own .java file (Color.java, Suit.java, ...).
    public enum Color {
        RED, BLACK
    }

    public enum Suit {
        Diamonds(Color.RED, '♦'),
        Hearts(Color.RED, '♥'),
        Clubs(Color.BLACK, '♣'),
        Spades(Color.BLACK, '♠');

        final Color color;
        final char symbol;

        // enum constructors are implicitly private; "public" here would not compile
        Suit(Color color, char symbol) { this.color = color; this.symbol = symbol; }
    }

    public enum Rank {
        Ace('A'),
        Two('2');
        //... remaining ranks follow the same pattern

        final char symbol;

        Rank(char symbol) { this.symbol = symbol; }
    }

    // Java 16+: a record is the natural shape for plain, immutable card data
    public record Card(Suit suit, Rank rank) {
        // ...
    }
The question is fundamentally broken because data objects shouldn't be inheriting anything. That's in almost all cases bad design that demonstrates only that you have no clue how to write sensible object-oriented code.
You wouldn't want to check whether a poker hand has a pair by using a bunch of instanceof's or getClass()-shenanigans. You also don't want to encode knowledge about poker into into the card object. That's just data.
Nice. Very thorough, that’s a more positive take than what I was presenting, though I feel we are both (rightly) being standoffish on the whole inheritance requirement.
Some other things you could do with a deck of cards to add useful functions.
Shuffle
Draw
Deal
Cut
Pile
Turn
Now imagine you have pinochle, uno and cribbage as games. They each start with a different set of cards, but can use the functions above. The fact that it’s a 52 card deck with suits and ranks isn’t stated by GP, and there’s also the optional jokers.
For a real game, you’d probably need the back of cards as well for animation, and maybe you implement card designs to give the game some customization - now the deck needs some more properties or methods.
After all of that, think of whether the generic deck could be used to play magic or pokemon by using inheritance.
For lastpass, the closest parallel they might have to a deck is a password generator. Implementing that would seem like work. The deck stuff is all premature optimization for a single game, but they are checking your knowledge of inheritance, so just go along with it.
To be fair, none of the functions you listed, as far as I can tell, need to know anything about what they're operating on. You can implement all but the last on a generic list of objects.
The last I'd probably implement as a container object Turnable<C> that adds an orientation state to any parametrized type, including Reversi disks.
I feel the card itself should be immutable as far as possible. Its state: orientation, owner, location and whether it's dog-eared should be kept separately.
Many card games have a reduced deck - e.g. lots of French card games use a 36-card deck. Some card games use multiple decks mixed together (e.g. Canasta). Some have extra cards (jokers are common, there are others); some have entire extra suits (e.g. games that used to be played with various forms of tarot decks).
All this stuff needs to be parameterised, and suddenly you have an enterprise-worthy class hierarchy and a ton of complexity before you've even really started on game-specific stuff.
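As an added example (my own code, not from anyone in the thread), here is the design the two comments above describe, in Python: an immutable Card, generic list operations that never inspect what they hold, a Turnable wrapper that keeps orientation out of the card, and a parameterised pack builder for reduced, multi-deck and joker-augmented packs. All names are mine; the shuffle uses OS randomness because a seeded PRNG would make the order predictable.

```python
from dataclasses import dataclass, replace
from enum import Enum
from random import SystemRandom
from typing import Generic, Iterable, List, Sequence, Tuple, TypeVar

T = TypeVar("T")


class Suit(Enum):
    SPADES = "♠"
    HEARTS = "♥"
    DIAMONDS = "♦"
    CLUBS = "♣"


RANKS = "A23456789XJQK"  # same rank string the earlier comment used


@dataclass(frozen=True)
class Card:
    """Immutable identity of a card: no game logic, no mutable state."""
    suit: Suit
    rank: str


@dataclass(frozen=True)
class Joker:
    """Jokers carry no suit or rank; an index keeps two jokers distinguishable."""
    index: int


@dataclass(frozen=True)
class Turnable(Generic[T]):
    """Wraps any item with an orientation, kept separate from the item itself."""
    item: T
    face_up: bool = False

    def flipped(self) -> "Turnable[T]":
        return replace(self, face_up=not self.face_up)


def build_pack(ranks: str = RANKS, suits: Iterable[Suit] = tuple(Suit),
               copies: int = 1, jokers: int = 0) -> List[object]:
    """Build a pack: reduced (ranks="6789XJQKA"), multi-deck (copies=2), or with jokers.

    The result is an ordered list and may contain duplicates, as a real pack does."""
    pack: List[object] = []
    for _ in range(copies):
        pack.extend(Card(s, r) for s in suits for r in ranks)
    pack.extend(Joker(i) for i in range(jokers))
    return pack


# --- generic operations: none of these inspects what the items are ---
_rng = SystemRandom()  # OS-backed randomness, not the seedable default generator


def shuffle(items: Sequence[T]) -> List[T]:
    out = list(items)
    _rng.shuffle(out)
    return out


def draw(items: Sequence[T], n: int = 1) -> Tuple[List[T], List[T]]:
    """Take n from the top; returns (drawn, remaining) without mutating the input."""
    if n > len(items):
        raise ValueError("cannot draw %d from %d items" % (n, len(items)))
    return list(items[:n]), list(items[n:])


def deal(items: Sequence[T], hands: int, each: int) -> Tuple[List[List[T]], List[T]]:
    """Deal round-robin, one item per hand per pass, as a dealer at a table would."""
    if hands * each > len(items):
        raise ValueError("not enough items to deal")
    dealt: List[List[T]] = [[] for _ in range(hands)]
    for pos in range(hands * each):
        dealt[pos % hands].append(items[pos])
    return dealt, list(items[hands * each:])


def cut(items: Sequence[T], at: int) -> List[T]:
    """Move the top `at` items underneath the rest."""
    if not 0 <= at <= len(items):
        raise ValueError("cut position out of range")
    return list(items[at:]) + list(items[:at])
```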
It’s important to be solving an actual problem. Modelling a deck of cards is probably not the problem — what are we actually solving? Building a new hearts.exe? Rendering a custom deck for a laser cutter? Tracking casino fraud?
Those would be better questions which could start off with a discussion about the general solution, followed by a quick “how would you model the cards part of this?” component.
When applying for a senior role, yes. Part of a senior developer’s job is to push back against “requirements” that don’t further business needs; in this case, an accurate, maintainable, and useful model of a deck of cards.
> It’s probably an amazing question for interviewing candidates in person to see how far they dig into the premise. As a take-home question, you could probably spend a minute on the code above and then an hour on implementing three different games. (Maybe that was the original docx, but it didn’t sound like it.)
I did a take home for Walmart Labs once and they completely ghosted me. What a complete waste of time.
I have interviewed many “senior” candidates who can’t do simple coding exercises. I think that starting out with a simple exercise like that weeds out a ton of people without putting undue burden on the good developers.
I have a series of questions in various areas designed to be in increasing order of difficulty, but I don't expect them to clear them all - they ramp up to "deep and esoteric knowledge".
When I'm explaining the process I usually preface with these being designed to gauge their skill level, not just make sure they meet some minimum floor, so there are going to be some easy questions and some that are hard and I don't necessarily expect them to answer all of them and not to get discouraged or be afraid to say they don't know. I usually just keep going until they miss a couple in a row.
If someone actually doesn't know the job, I'm only asking maybe 5-10 relatively simple questions and thanking them for their time.
Because my goal isn't usually to get trivia answers. I'm laying foundation and jumping off points for a conversation.
I have some technical hurdles candidates have to clear, but I try to speed run past them and get the background stories on things that stick out to me in their resume. Also, hitting them with the DevOps equivalent of a LC hard right out the gate is a dick move that sets a bad tone and demonstrates a hostile process.
Bro wat? This comment is basically "I'm too smart to work for this company".
Your ego will be your downfall.
There is so much I can learn from a developer, junior OR senior by just seeing how they implement something simple like that. I feel like you have a full fledged case of Dunning Kruger effect. Since you don't know what exactly they were looking for, you brush it off to "LeL, LaST pAsS so DuM aSsEsMeNt".
I did. I interviewed for an AWS principal engineer position and their screening call had a 20-minute "make a code-like structure to solve this problem". They did not ask me to write Java or anything compiled but something that shows I can actually turn my idea into some form of code.
I think having such kind of question is very much expected and I would wonder if a company does not have it for external/unknown hires.
There were rumors a couple years ago that this already happened to one of them.
My layperson's armchair guess is that a successful attacker would probably seek to keep it quiet.
If you were a bad person, and you got access to tons of credentials from one of the major trust-us password managers, would you:
1. Focus on finding and looting big-payout cryptocurrency stashes, as quietly as you can (so you can keep doing it longer, before news gets out of how)?
2. Sell to a state actor to use for probably high-value purposes, while keeping it quiet?
3. Something else, and would that involve keeping it quiet, or making a big noisy mess?
Most hacks, these days, seem to fall into one of three categories:
1. State actors
2. For profit criminals
3. Teens for lulz and street cred
I guess the first group would probably keep it pretty quiet. The second would keep it quiet until they've abused the data as much as they want to, then sell the remainder on the dark web. The third would make a big noisy mess right away.
Most of them are built without having decrypted passwords or keys for them on the server, so an attacker would need to get to the point where they can craft a malicious update to the client (or exploit the client)
This kind of thing has already happened. Chinese hackers got into the Juniper VPN source code and replaced a key pair with their own. They even updated the tests so that it would pass. This went unnoticed for years.
This is a good point, but on the other hand, couldn't any application be hijacked in the same way to include a keylogger/upload plaintext password DBs stored locally by browsers/etc? Somehow this hasn't happened on a mass scale that I'm aware of.
Not exactly, because the JavaScript code can change and be delivered at ANY time. No code signature verification is involved.
An offline password manager is updated a few times a year, and will go through OS repository distribution, with verification of the signature for changes. Or you can download the software from the source website and check the signature.
The extension has the passwords, so you just need to suck them through a straw. Getting a keylogger on someone's machine probably requires getting them to run an executable or a zero-day exploit.
I don't use them, but my conclusion is that at least one major cloud password manager has been hacked already without any disclosure. If they disclose it, the company should logically be dead. Thus, the incentive would just be to cover it up.
Can you elaborate more? Which? Why do you think this? I also agree with you and I think it’s one that rhymes with shome paus werd. But I think it happened early in their “cloud” journey
They will at some point. A whistleblower, the attackers themselves, the leaked data showing up somewhere on a forum and getting picked up by reporters, etc. etc. At the scale at which any of the popular passwords managers operate, IMO it would be impossible to keep it a secret for long. So taking the risk of jail time only delaying the inevitable... doesn't make sense.
Sure it’ll result in a lot of issues for minor sites, but most critical services mandate 2FA. So just don’t keep your password and 2FA in these services.
The core problem is really that passwords suck and should never be the entirety of authentication. Time for hardware tokens! (admittedly there are some big problems when people lose tokens, but at least that's not a problem of insecurity ;-))
Depends on how you define "insecurity". Availability is one of the pillars of security, so even your joke falls apart.
Several years ago the trendy thing to do for security was to get a USB-A security dongle and lock your important accounts with it. Nowadays, laptops from several major manufacturers no longer ship with a USB-A port, so if you need to log in again and don't have a USB-C dock handy, you're locked out until you can find one.
Isn't availability usually from the service still being accessible in a technical sense? Password lockout policies will also result in people being locked out often until manual review or the use of some (hopefully secure) second factor. With hardware tokens there just needs to be an established - and efficient - process to replace them or allow access on an ad-hoc basis for exceptional cases (a bit iffy perhaps but also possibly necessary given practicalities). There's no dispute that passwords mean you don't have to worry about things like what USB ports your laptop has, but that's mainly because of the fact they're just strings that you type in which is also their entire issue for phishing/hacking etc.
Either way, availability can be compromised by a hack due to passwords being phished and I think I'd prefer dealing with hardware tokens than the fallout of being phished or otherwise suffering credential compromise. That said at this point I probably wouldn't issue hardware tokens en masse until proper processes are in place to manage them (and their loss/breakage/etc) - it's certainly not solved to my satisfaction yet.
> We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.
Sure sounds like they found passwords or keys in the development environment breach back in August, and nobody bothered to change those after knowing they were hacked.
I used to be a lastpass customer a few years ago, until I switched to Bitwarden. Can you tell me that you actually delete users data when they delete their account? Or do you keep backups which were also hacked? i.e. are your ex-customers also affected?
Kudos to the CEO for disclosing this as it's happening and writing the post. This disclosure post is direct, forthright about what's known, specific about engaging help, and explicit about notifying people as more happens. Hacking sucks, but the CEO's post is IMHO on the right track.
Ridiculous take. Absolutely zero kudos because it was obvious to everyone that this was the most likely outcome way back in August. Back in August the company issued a bullshit statement that they'd ruled out that the intruder accessed customer data. Now they are saying they did lose customer data.
How is it a PITA to move off lastpass? I switched to Bitwarden and it was a piece of cake. Exported all passwords. Imported all passwords. Pretty much all password managers can import/export as a CSV or similar.
I tried migrating from LP to BW and got import errors. Bitwarden's error message was very vague (along the lines of "sorry, something went wrong") and I haven't been able to track down what entries were causing the issue. I've tried 3 or 4 times including trying to reproduce with subsets of the full collection but it's too much of a pain with hundreds of accounts and I so far haven't been motivated enough to manually transfer them or to write a selenium script to do it automatically.
Moving to vaultwarden (the open bitwarden server implementation) was also really easy. Just installed the package in Arch, set up the vhost in nginx, put the vhost into my local DNS and slightly adjusted the vaultwarden config file. Now I use bitwarden clients everywhere and point them to my server.
Since I don't feel 100% comfortable having my self hosted things on a public IP, I put it only on my LAN. For remote access (e.g. phone) I use wireguard.
Just check your data after re-importing the passwords. LastPass sometimes has issues with the export (see elsewhere in this thread) and does not export attachments at all. You have to move attachments manually.
You can't export all the passwords, some extra fields are not exported by LastPass, so there is your PITA when some site asks a security question you had an answer to in that unexported field
How smooth is the hotkey autofill experience? Does it identify websites and fill out login forms properly? (I prefer not to rely on sites' "remember me" boxes or ephemeral cookies).
I'm using keepass2android offline on Android, with the password file synced using syncthing. Works great.
It also has autofill that comes up in any supported app when it recognizes a password field that it can autofill. Quite seamless.
It also took a little mucking around to install its custom keyboard and I had to run some adb command to give it permission to auto-switch keyboards, but now it's set up it's pretty good.
You can open an entry in keepass2android, then it will auto-activate the keyboard and you get buttons so you can auto-type any field from that entry into anything.
On Windows I'm using KeepassXC and the KeepassXC browser extension. It hasn't been perfect, I had to manually enable simple http auth for that to work, and sometimes it seems to miss login fields.
Also I had to manually add the URL for some existing sites (I was using KeePassDroid only on Android before so the URL entries weren't filled).
There's no way I could find to go to a site and then just click a button and choose an existing entry to fill into it.
But once I've manually added the URL entries, it's pretty seamless and auto-recognizes that there are entries that it can fill.
In Android, I use Keepass2Android Password Safe app by Philip Crocol. As far as my experience goes, it is quite smooth and for the most part it is able to fill out the login form properly.
It's really not. As the quality of their software declined severely starting around 4-5 years ago, I put off moving because I assumed it would be a huge hassle. It turned out to be surprisingly easy. I have since deleted my LastPass account and wouldn't trust that company to mop my floors.
I don‘t think the quality of the product was any better previously; they were the first to offer cloud hosted password management as far as I remember and that, plus being cheaper than 1Password last time I compared, are their only benefits in my opinion.
Years before these systems came out I thought of building a similar zero trust style system and I realized the level of attack that I would be putting myself under and the insecurity of JavaScript due to extensions, mitm, and client side malware made it ridiculously unpalatable. You would have nation state attackers coming after you as well as your nation state demanding you grant access to them. It felt pretty brazen to me that these companies came out but they did well. I still think it's an incredibly juicy target and a bad idea.
I at least know if someone broke into my physical safe.
> I realized the level of attack that I would be putting myself under and the insecurity of JavaScript due to extensions, mitm, and client side malware made it ridiculously unpalatable
This doesn't really make sense. These threats apply equally to people just memorizing and typing in their passwords into web forums. If the user's browser is compromised there is literally nothing to be done.
It doesn't compromise ALL of your passwords in one go, it only gets the ones you type. I don't do my bank or my broker except on my low risk machines with 2fa. But logging into a motorcycle web forum shouldn't leak that password. Having them all in the browser local storage with one master password does.
I've been looking to migrate off LastPass to Bitwarden or KeePassXC, but can't decide:
1. First off, who's to say LastPass will actually delete my data when I delete my account? Could I in practice be increasing my exposure by starting to use something different?
2. Bitwarden: They look cool but "In September 2022, the company announced $100M series B financing". In my experience, usually, financing = bad.
3. KeePassXC: I'm afraid the UX will be worse. But hey it's in my operating system repos, so perhaps I should just give it a try?
I've been very happy with Bitwarden. If things go south because of getting funding there are some good forks of the server you can self-host (vaultwarden).
> Bitwarden: They look cool but "In September 2022, the company announced $100M series B financing". In my experience, usually, financing = bad.
You can self-host bitwarden using the opensource implementation of bitwarden server. It includes everything, even the pro features, and supports multiple accounts for the whole family for example: https://github.com/dani-garcia/vaultwarden
Just use keepassxc and be master of your keys. You have to move forward. Every 6 months I hear about a breach at lastpass. I assumed only clueless normies were left on it, but I guess their efforts to blockade data exports were effective.
The KeePassXC browser extension doesn't have exactly stellar reviews. As for KeePassXC itself, I'm a little hesitant to use something that makes the UX so painful I have to copy the usernames and passwords.
That said, switching from LastPass to Bitwarden seems a little pointless: yes Bitwarden is a younger company and perhaps hasn't managed to mess up their product yet, but knowing life it's just a matter of time and then I'm at a worse place than where I've started.
> Every 6 months I hear about a breach at lastpass.
1Password has the same fundamental flaw that LastPass does - they insist on hosting your vault on their servers.
That is a bad idea and you shouldn't use a service with that requirement. Use something you can self host, or have the choice of DropBox/iCloud/etc for syncing.
I don't think either of those help if the website itself is pwned? SRI is fine if your website is secure but the CDN is pwned, the other one seems to be a defense a website can use against a malicious extension, but the risk with LastPass is if the LastPass website is pwned it can just read your password. You'd need some way to transfer essentially signed app bundles to the browser for the browser to verify, which seems like a different sort of project.
I assume ultimately something like signed releases will become a thing on the web, with the signing process being separate from the other processes so that a hack has to compromise two entirely different systems, not just the build pipeline, to allow new JS to run. Currently the only thing that is signed is the SSL certificate which of course guarantees precisely nothing about the actual website content served from the server other than that someone didn't tamper with it after it was sent.
I think this gives people a false sense of security, yes zero knowledge is extremely useful + cool, and certainly reduces the risk in event of a breach, but all it really means is that _all_ of your passwords are behind some encrypted blob in the open, that would be extremely difficult to decrypt. Not impossible. Certainly any average or even very high-end machine today would have a pretty much 0 percent chance at decrypting the data, it's still out there in the open forever. Imagine in 10 years we have some leaps in quantum computing or discover a flaw in the algorithms used, all a hacker would need to do is go back & decrypt the data to try some credential stuffing attack, etc.
TL;DR is short-term I wouldn't be freaking out if my password manager was hacked, but I would still definitely update all credentials at some point & treat it as an actual breach, and not an "oh no we were hacked but it's okay because zero-knowledge!".
Also how many times have they been hacked now? Who's still using last pass?
I feel like passwords can be way too sensitive to entrust to a third party. Even if you can verify that it is secure, you could still find yourself in a jam if their service goes down or is otherwise inaccessible.
You don't have to worry about any of this with a KeePass database. You just have to deal with the very mild inconvenience of keeping your database synchronized across devices.
> You just have to deal with the very mild inconvenience of keeping your database synchronized across devices.
Which is pretty easy with SyncThing. Other services like Dropbox are also fine if you have a sufficiently high entropy password. The danger isn't in the "online", but a third party being able to decrypt your passwords.
"Other services like Dropbox are also fine if you have a sufficiently high entropy password"
That's why you add that binary key file to the mix that you liberally distribute to all your devices. But that you carefully keep far off your sync platform. The danger of a weak password is when a device falls into the wrong hands, a compromised sync platform is much less of a concern (if the file is in the mix).
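The two posts above (the "encrypted blob in the open" point and the key-file suggestion) describe the same mechanism from the two sides. The following is an added example, not code from the thread or from any password manager: a client derives the vault key from the master password with PBKDF2, so the service only ever holds ciphertext plus the public KDF parameters, and anyone who copies that blob can test master-password guesses offline. Mixing in a key file that never sits beside the vault removes that option. The iteration count, the "verifier" stand-in for the real ciphertext, and the wordlist are assumptions constructed for the demo.

```python
"""Added example (not from the thread or from any password manager's own code):
what "our customers' passwords remain encrypted" leaves in an attacker's hands.

The client derives the vault key from the master password with PBKDF2; the
service stores only the ciphertext plus the public KDF parameters (salt,
iteration count). Someone who copies that blob can therefore test master
password guesses offline at whatever rate their hardware allows. Mixing in a
key file that is never stored next to the vault removes that option. The
iteration count and the verifier layout here are assumptions for the demo.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Assumption: deliberately small so the demo runs quickly. Real clients use
# far more, which raises the attacker's cost per guess by the same factor.
DEMO_ITERATIONS = 1_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int,
                     key_file: Optional[bytes] = None) -> bytes:
    """Client-side derivation. The password-only key depends on nothing
    the attacker lacks; with a key file the blob alone is not enough."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, iterations)
    if key_file is None:
        return pw_key
    # Assumed construction: bind the key file to the password-derived key.
    return hmac.new(key_file, pw_key, hashlib.sha256).digest()


def make_verifier(vault_key: bytes) -> bytes:
    """A stand-in for the encrypted vault: anything an attacker can check a
    candidate key against (in reality, an authenticated ciphertext)."""
    return hmac.new(vault_key, b"vault-check", hashlib.sha256).digest()


def build_stolen_blob(master_password: str,
                      key_file: Optional[bytes] = None) -> dict:
    """What the service holds, and therefore what a breach hands over."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, DEMO_ITERATIONS, key_file)
    return {"salt": salt, "iterations": DEMO_ITERATIONS,
            "verifier": make_verifier(key)}


def random_key_file() -> bytes:
    """Key file material: lives on the user's devices, not in the sync store."""
    return os.urandom(32)


def offline_crack(stolen: dict, wordlist: Iterable[str],
                  key_file: Optional[bytes] = None) -> Tuple[Optional[str], int]:
    """Attacker's loop. Every parameter it needs is inside the blob; only the
    key file (if any) is missing. Returns (recovered password, guesses made)."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        key = derive_vault_key(candidate, stolen["salt"],
                               stolen["iterations"], key_file)
        if hmac.compare_digest(make_verifier(key), stolen["verifier"]):
            return candidate, guesses
    return None, guesses


# Constructed wordlist standing in for a leaked-password corpus.
WORDLIST = [f"password{i}" for i in range(500)] + ["Summer2022!", "letmein"]


if __name__ == "__main__":
    weak = build_stolen_blob("Summer2022!")
    print("password only, blob stolen:", offline_crack(weak, WORDLIST))

    key_file = random_key_file()
    with_file = build_stolen_blob("Summer2022!", key_file)
    print("same password + key file, blob only:",
          offline_crack(with_file, WORDLIST))
    print("blob + key file:", offline_crack(with_file, WORDLIST, key_file))
```

The per-guess cost is fixed by the iteration count stored in the blob, not by anything the attacker has to ask the service for, so a vault protected by a wordlist-grade master password falls regardless of how "zero knowledge" the sync side is; the key file path shows why keeping that file off the sync platform changes the picture.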
I haven't touched KeePass in a while(especially since it always had its quirks outside of Windows, being .NET), but KeePassXC which started as a merger of all the various patches to KeepassX(the QT implementation), has been very active. It has a more secure browser integration than the original had, although it's worth noting that nothing ever came close to the accuracy of 1Password when it comes to website quirk integration[1]. There's also TouchID, OTP, better encryption and Yubikey integration off the top of my list.
I'd suggest using it in conjunction with Keepass2Android and KyPass(on iOS, someone mentioned Strongbox), although the Keepass2Android syncs and merges properly and the iOS does not.
Yes, if you can keep your password local it's still the best option.
Sadly, once your use case becomes complicated and you need to share between devices, and potentially have partial sharing between people (e.g. your spouse, your parents etc.), it becomes a nightmare to manage. In particular trying to explain how sync is supposed to work with a third party on iOS is just pain.
I'm eyeing self-hosted BitWarden instances, but then I kinda fear to someday be the one shooting myself in the foot and nuking everyone's literally life critical credentials...
> you could still find yourself in a jam if their service goes down
This is true for many password managers that sync with the cloud. I use 1Password and I've made sure that I install apps on at least a couple of devices because the apps keep a local copy of the password data that can be accessed offline.
I've done that with another password manager that I used in the past too.
I used KeePass in the past and would likely still be using it if I didn't get 1Password free (free family account if your employer has a business account) and if I didn't need to have secure sharing with my wife.
Let me know if you know of a secure, convenient way to share password entries with another person using KeePass that doesn't involve you sharing your whole password database. I know you can have yet another password database that only contains shared records... but that definitely fails the convenience factor.
I use a combination of a local only solution for the "master list" of passwords that I backup to cloud storage (which is not synced to my phone) in conjunction with the saved passwords & sync capabilities of Firefox for accessing it on my phone. Occasionally I'll be in a position where I'm on my phone and Firefox doesn't happen to have my latest password saved, so I just initiate a password reset for whatever that service is, set it to a new password, and then circle back later when I'm back on my machine to update my local only storage solution. It's not the most streamlined and user friendly, but it works well enough.
As mentioned throughout this thread, Syncthing can seamlessly sync between Android phones and Windows/Linux hosts. There are apps for iOS as well, but they can be a bit more finicky due to Apple's app sandbox implementation.
This, very much so. I use KeepassXC (Strongbox on iOS) with Seafile to sync the database files. It's only gotten better over the years, and I'd rather see my donation money go directly to the developers than get slurped up into some SaaS that doesn't care about me or security anyway.
Does your sync setup work in realtime in the background? Earlier this year I was evaluating iOS devices and a showstopper was the apparent inability to have keepass database updates push-synced: the closest I got was a scheduled copy of the file at a given time daily, but my nightmare was making a change on one device, needing that change on the iOS device, having it not be there, and not having network to go fetch it. It'd be neat if you've got a way to make this work more like Syncthing on Android.
No, that's a limitation in the setup but it's something I am willing to live with. I can make edits on my computer and "pull" them onto my phone, but not the other way around.
However I think this is a limitation of the app itself more than a limitation of the system in principle. As far as I can tell, the developer decided to only support a couple of the most popular cloud sync platforms. My guess is there is no consistent API for that sort of thing in iOS.
Bitwarden is better, but Vaultwarden (the self-hosted version written in Rust) is the absolute best option. Host it yourself on a free tier VM in one of the clouds, configure a backup solution, and never worry about it again. And you don't need to trust anyone with your passwords.
Use tailscale if you want to get fancy and keep it off the public internet or go the easy route and install fail2ban and expose it via public IP.
> Host it yourself on a free tier VM in one of the clouds, configure a backup solution, and never worry about it again. And you don't need to trust anyone with your passwords.
> Use tailscale if you want to get fancy and keep it off the public internet or go the easy route and install fail2ban and expose it via public IP.
This isn't exactly a slam dunk, considering you now have to be knowledgeable about how to secure a machine that is on the internet and stay up to date with security patches which even tailscale itself isn't immune to: https://news.ycombinator.com/item?id=33695886
free for personal use, open source, cloud synced, no device limits. and as OP mentioned different server implementations if you want to host it yourself. No idea why people stick to any of the proprietary solutions.
How much should you worry about security with a setup like this? I have reasonable Linux skills, but I wouldn’t want my VM to get pwned because I forgot to update it.
Honestly I don't even bother with hosting it in a cloud instance. I host Bitwarden on my home network, and whenever one of my devices opens the Bitwarden browser plugin or mobile app (at home), it will automatically sync everything. From that point on you can continue using Bitwarden without it needing to connect to the server.
So on one hand, I lose the ability to sync when I'm not on my home network. On the other hand, I don't change anything in my Bitwarden server _that_ often, and if I do, I can just quickly do a sync on whatever devices and I'm good to go. With the added benefit of not opening myself up to the outside world.
and what if your TV or thermostat, with access to your private network, gets compromised? do you have that machine locked down good enough to protect against an inside-the-firewall attack?
Here's where I get a little more naive....do you....have one VLAN that's your "normie" network that your WIFI access points expose to all the devices, then the other VLAN is...only within the wired network, so if your phone wants to get to your bitwarden, it's always going out the wifi out the gateway first and back in, kind of thing?
right now all my "services", which are not bitwarden-level sensitive, are all on the same network as whatever crap I bought at home depot. I have an edgemax router and there is a third NIC I've never used, so I guess I'd finally plug a switch in there! ok. next project I guess
When it comes to hosted options, they are hands down the best. Worth pointing out that they also have integrated 2FA, if you're satisfied with first and second factor living in the same spot.
It is still 2 factor, breaching the password manager is a corner case that you can decide to cover or not. It seems like for critical accounts you should NOT. For derived accounts, it should be better than just a password.
For a "service based" password manager, sure. (It can prevent the service from ever handing over your encrypted database to an attacker.)
In a local password manager, it doesn't work like that. A challenge-response mechanism can help there, but the cost/benefit analysis looks pretty different there, IMO.
I’ll second the 1Password recommendations, it’s fantastic software that is becoming better and better. If you’re comfortable with cloud syncing, I can’t imagine a better option than 1Password.
A top 1Password tip is that the business plans include free family plans for every member, so if you can get your employer to use 1Password then you’ll be able to get your personal account for free (which would include your family, too). A very underrated deal!
I recently logged back into my old LastPass account after 5 years and it was fascinating just how bad it is compared to 1Password.
I've been pretty happy with cloud-hosted Bitwarden. I used 1Password at work on macOS and the form fill didn't seem to work quite as well (that was ~2020-2021 so maybe things have changed)
Not sure about 1Pass on Android, but Bitwarden works very well for me there (much better than Lastpass which afaik required a subscription to use the app)
It doesn't do cloud syncing itself, but it lets you pick from a number of different providers (DropBox, iCloud, OneDrive, plus a few others) which you probably already use.
Never using online password manager is a good start. Only use encrypted local password manager preferably on encrypted file system and never use same passwords and emails. Best have separate emails at least for the most important data. Also generate random 50+ alpha-numeric-symbol passwords.
Is that safer than 1Password? According to their documentation, passwords inside 1Password are fully encrypted and only ever decrypted locally on the user's devices. So, it seems identical to the local use case you describe except that it's much more difficult to lose your passwords on 1Password. With passwords only locally on a single machine, if you lose the machine, you lose your passwords. Plus, there's no easy way to share the passwords across multiple machines and especially operating systems.
It seems to me that everyone stating that systems like this are terrible simply propose an alternative that is a hand-built version of the same solution.
Generally it seems that there are two types of people - those that trust encryption and those that trust themselves just a little bit more.
In lots of threads like these the same statements repeat, pretty much similar to this exact thread.
Some people place encryption as the root of trust and so trust that any local encryption is good enough - because if it's encrypted then it's safe to go anywhere...right?
Some prefer to only trust local encryption that doesn't go anywhere, e.g. not synced non-locally to a cloud service. They do trust encryption, but their own stewardship of it they trust a little bit more.
Logically, both must trust encryption or they wouldn't both use it, but one trusts the implementation a little less. That person generally trusts their own systems, setup, skills and self to provide an additional layer of 'feel good' security. They trust the security of their setup and its supply chain over that of a third party. They trust their own 'defence in depth'.
Functionally the two approaches are more similar than either will admit, because unless you can secure the entire 'system' from transistor to human, all the 'prefer local' user is doing is shifting the point of attack and not necessarily understanding their 'defence in depth' might not be as deep as they think.
Most 'prefer local' users will usually point out that the shift of the point of attack makes it harder to achieve. That may have some truth, it may also not. It may actually be that a third party security focused service with many dedicated employees who are paid well and operate round the clock to monitor activity might have a greater 'defence in depth' and a subsequently greater chance of spotting or preventing a supply chain attack over a single individual spread across many tasks (such as living a normal life and administering their systems in spare time).
The discussion usually then descends into opinion and there it stays, like a plant in the shade, never producing any useful fruit to its keepers.
I’m disappointed, but I can’t say I’m surprised. I once tried to contact their support team after getting effectively locked out of my account, only to have the support form return a 5XX error upon submission. I dropped them right then and there.
These probably won't replace password managers, just result in passkey managers... Dashlane already supports passkeys & 1password just announced intent to support soon.
They're essentially certificates, so most implementations will only store them on-device, and most implementations I've seen seem to favor the phone as the device you use.
It really depends on the platform - but in short you'll either need a phone, or be locked into an ecosystem (browser, OS, etc) making using them on multiple devices & browsers difficult or impossible. A password manager supporting passkeys makes this easy as you can 1-click generate a passkey, and 1-click sign-in to services from any device or browser.
Given that Apple and Google (at least) are collaborating on a shared standard, shouldn't lock-in to an ecosystem not be a thing?
And: does using a third-party passkey manager open up passkeys to the same security issues as password managers? Specifically, more than remaining within the Apple-or-Google-supplied system?
It's shared standard in the sense that all implementations will be the same, AFAIK passkeys you generate on iOS systems aren't easily used on windows ones, etc. Or they'd require scanning a QR code from a phone which IMO sucks when a password manager has it in the browser already.
Also what security issues with password managers? There's some potential concerns with extension-based over OS based systems, but if your device is compromised where someone can actually access memory then they'd both be equally void to some extent, AFAIK there's nothing seriously concerning security wise on a password manager vs keychain, etc.
You get some form of cross-platform sync. Apple, Google, and so on each have syncing, but in their ecosystem only. You can break out with the QR codes, but this might not be the preferred solution to some.
There’s something hilarious about reading their blog to understand what has happened from their side, to getting this wonderfully annoying pop up urging me to sign up to their newsletter multiple times:
> JOIN OUR NEWSLETTER
> Enter your email for updates from the LastPass Blog.
My company uses LastPass, but I found it too much of a hassle compared to the browsers own, built-in password management, so I don't use it.
But I do keep it installed, because their poorly developed browser extension hijacks way too much on any page with any <input> elements on it. I need to keep it around to be able to test my own work to make sure LastPass isn't fucking things up for my coworkers.
It's something to do with how they inject their UI into the page. It's particularly bad if you're trying to make a responsive grid layout. I've seen several instances of the LastPass extension completely obliterating an otherwise very well-behaved page, on both my project and other websites. And because it's happening in extension code, it's not immediately obvious what is going on. All you see is a blank page, or a page with the intended UI all smashed into the bottom rows of the grid layout. It's also a bit of a Heisenbug, as the LastPass code races your own to inject the UI.
My wife's Instagram was hacked and then banned. It was using a Lastpass generated and managed password. I've since redone all her credentials in the password keeper I personally use.
I suspected Lastpass was lying about how significant their security leak was back in August, considering my wife's account getting hacked and banned was pretty soon after the news hit.
I have to believe that if hackers hit the treasure trove of Lastpass customer passwords, Instagram is not going to be their first target. We'd be seeing financial fraud first and foremost, likely sparingly at first, to not alert everyone to the fact that all of our passwords are compromised.
You're probably right, but I'd assume financial attacks would be highly targeted after verifying they have the proper passwords via using places like FB that will just ignore you endlessly if your account is hacked.
They know enough to say "We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information."
I'd want to know what information they have gained access to.
"Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture."
A security breach memo is not the place to advertise how great your security is.
I'm not sure if they fixed it, but in the past any process that was running in your user account or admin on your PC could dump the plaintext of this trivially, for many years.
Reply to @jeffbee: You basically have to have that threat model, because ordinary users are running dozens of untrustworthy processes on their machines. Real world security has to assume the user is not a security expert.
A process running as my user or admin on my PC can also just inject input events to transfer money out of my bank account. You cannot have a useful threat model that models yourself as a threat.
Exactly what I thought too but there appears to be a lot of dislike for LastPass on HN and I’m not seeing any evidence to back it up, perhaps it’s just a dislike for cloud based solutions
I know people will deny it but don't underestimate security by obscurity. Why use the most well known password manager which is a huge target for nation states everywhere? Nobody is attacking my provider (which I won't say)
I have never really liked the idea of a password manager synched to a central server. Everyone always made excuses for it because each one is encrypted for each user and whatnot but it just means an attacker only needs to hit one spot to get a slew of vaults.
I liked 1Password for a long time because it gave you an option to sync with iCloud, Dropbox, FTP, etc. Then they started their own service like LastPass and started trying to push people to that. They got backlash initially and turned the other abilities back on but I'm sure they're trying to make it as difficult as possible to continue to use anything but synching to their server.
I've since moved to Keepass and sync it with my NAS
A couple of days ago some of my sensitive information (stored in LastPass) was used trying to access different services. I‘m still trying to identify how the data got breached.
They gave no information on what was hacked. Although they're saying no passwords were compromised because of their encryption and architecture.
For a layperson, what's the best tips for what to do. Are passwords in Lastpass still safe or should we change all the passwords? Or simply change the master? Or should we migrate to something else?
I've thought about migrating before but frankly any password manager will have breaches...
I am by no means skilled as a programmer when compared to skilled programmers/scripters, but I did cobble this together a few days ago. Python version of a password keeper using sqlite. My motivation was precisely because I do not trust other password keepers. MIT license: https://github.com/rubysash/PythonPassKeep
https://github.com/rubysash/PythonPassKeep MIT license. Python version of a password vault using sqlite I cobbled together from chunks of other, greater coder/scripter's work. I know I'm not any type of pro coder so be gentle with the attacks. Feel free to use it too though, I do.
For most people, non-technical people in particular, their biggest exploit risk is they re-use the same username and password everywhere, one website gets popped and their creds get in the open, and then people use those creds to get into everything else.
Anything that gets them to use unique, strong passwords for everything vastly improves their general security, even if they are using a third party, commercial organization.
Yep. I fell in the trap of using repeat passwords because I was lazy. One of them leaked and someone overseas started using my personal Plex server. I set up LastPass the next day and changed everything to unique strong passwords. LastPass is cross platform and the convenience is worth what the risk for personal use.
1. Have people manage their own secrets storage? Most people don't have the time or ability to do this securely either. I'd rather pay someone else to secure infra, code, distribution, encryption, backups, etc. for me.
2. Reuse the same password on every site? One site gets hacked and now you're screwed.
3. Memorize a unique, long password for every site? Not feasible.
Third-party/commercial password managers are the best solution for most people, practically speaking.
I've never used password managers, partly because I don't trust them and partly because I've found an alternative that I feel is secure enough and more convenient. I split my passwords into two parts, one secure part that is memorized but reused and one weak part that is written down but not reused.
The main ways people are hacked are re-use of passwords and writing passwords down. If someone gets access to one of my passwords, trying it in other sites won't work. If someone finds the written parts of my passwords, that won't work either as they would need to know the secure part of the password that I memorize. I can even easily take the written part of my password with me if I want to use a password on a different computer.
The only issue with this technique would be that if someone finds multiple passwords of mine, they might be able to figure out the scheme and brute force other passwords, but if someone already has multiple passwords of mine and is taking the time and effort to go after me individually then I figure I am probably screwed any which way.
The alternative to fully cloud-based solutions would be a local, open source kdbx client (KeePass, KeePassXC, etc) with the password database stored in cloud storage (Dropbox/Google Drive/etc). This way, one gets the best of both worlds.
This can be a nice compromise, but it's not without downsides. Personally, 99% of the authenticated software I use is in my browser, and the usability of an extension that has a little badge to tell me I have an account on this site and autofill capabilities is really tough to pass up. Further, because it's an extension, it can know what site I'm on, which all but eliminates my risk of falling prey to phishing attempts.
It is a hard one because the only computing/memory device you have with you at all times, that requires no batteries, is not connected to any networks (yet) and is not vulnerable to probing/observation (yet), is your brain! But memory is too unreliable unless everyone trains for it.
Crypto keys are great but you can lose them, and once shared they are the keys to your kingdom.
Specific security devices are great but you need to remember to have them with you. They can get lost or broken so you need backups.
Google authentication is convenient but they can ban you. It is also a 3rd party to trust.
Passwords suck but might be the best of the worst. Advantages: password managers can be used to make a leaked password useless on other sites, and people conceptually understand them.
For many, the ease of setup and maintenance is worth the risk.
The general population is not going to set up their own open source password manager solution. So going with an easy to use commercial password manager is better than not using one at all.
What percentage of the population even thinks about "tech stacks"? That's the group of people who are probably already using something else. Everyone else is still catching up to not having a password that's just "password1234".
People get their credentials compromised via shared passwords way more than through compromises of LastPass or Chrome or 1Password. Sure, it's a bigger risk if your manager is compromised, but for most people it's as much "eggs in one basket" as people only having one bank account, which is probably true of nearly everyone.
Wiki says that some companies agree[1] that "123456" and "qwerty" are the most popular. "password" seems to generally be in the top 10.
What's interesting on these lists is the presence of Dragon and Monkey - am I mistaken or is it due to CJK users entering a Chinese character that got translated somehow? Wouldn't that mean some of the most popular passwords out there are single unicode characters? Surely not...
There are lots of enterprise tech stacks where you have a single (or single-as-possible) centralized secret store… it's far from uncommon, e.g., HashiCorp Vault, AWS Secrets Manager, Google Cloud KMS.
The alternative is spreading your eggs all over the farm, with no way to keep track of where they all are. Many will be put somewhere, then forgotten about.
Then what should folks do? The alternative is having to "run your own encryption" by running your own password manager on your own infra, or re-using passwords.
Oh come on guys, what's the problem? Just keep delegating all your sensitive stuff to the cloud instead of the unbearable chore of storing it locally! They'll definitely fix their shit together and everything will be okay, until someone hacks them again.
The one where you can just launch chrome and click the eyeball icon to see what the password is? Or does chrome have something fancier I am not aware of?
Related general question - does anyone do a regular export of their password database? I'm thinking this would be a good idea, but I'm wondering what the best practice is; obviously the export needs to be secured.
I have an encrypted USB stick for things like this. It has a keyboard, so encryption is built into the device and it wipes after 10 tries (not ideal for back-up).
How does LastPass implement their security challenge, where they rate your passwords and compare them to known mass password leak incidents? Does that require an upload of plaintext passwords to the server?
Years ago for my university student account, you were allowed to provide the question.
I figured I would never need to use it, so I set the question to "Dicks?". I was very immature and thought that was funny.
A few years later after the semester break I forgot my password. I had to email IT to reset it, and they replied "Please provide the answer to your security question: Dicks?". And I had to reply "Yes no problem, the answer is Dicks". It was an awkward email exchange, but in my defence I had immediately remembered the answer so it served its purpose.
As someone who forges security questions, and at the risk of playing No True Scotsman, we keep these answers in the database with our passwords.
And yeah, if we lose the database I guess we're screwed, but tbh, after ample backups, the risk of the database being leaked is way higher than the risk of losing it despite replication.
> I ran into one once that had a 6 character minimum length for the answer
This is a problem too, but at least it works if you manage to talk to a living person - even if you don't remember exactly how you wrote something, you can prove you know the answer to the security question. With 'cp359-qreor-534wej' as an answer you have no chance.
Same. I use random passwords for any required security questions. It is funny when you call customer support and they ask you to verify a security question though.
I have had this problem, and failed the security check when I told them I had to look it up. Which was a little silly because I just hung up and called back and did it again with the list in front of me.
I've done something like this with my bank. I tell them it's a bunch of nonsense because the security question recovery is just a variation of a weak password, so we'll need to validate me some other way. They always can.
I was on a first date and forgot my wallet so the first place we went was the bank. I had to repeat all my info 3x. I leveled with them and pointed to my date and said I need $100. They gave me the $100.
I've certainly heard people speculate that would be the case. I always just put together 2-3 words unrelated to the question, e.g. my first grade schoolteacher is "Antique Campfire".
Anecdotally I've heard of this type of social engineering working. It's probably better to use some randomly generated real words. Another poster suggested diceware.
I haven't tried, but I am not on the phone with support much as I go to great lengths to avoid calling haha. The one time I had to verify my security question, I told the representative that it's a long, random character string and they waited for me to open up my password manager to read it out to them.
I think the best way to do this is to use a passphrase so that it's clear that it's not just gibberish but you have the benefit that it's random text. Obviously at the end of the day, it all comes down to the person on the other end of the phone but I suspect they'd be more suspicious of someone saying "it's a bunch of gibberish" when they can see "grumpily siberian pampers panorama unroll aloof masculine mandatory" versus "YpZVpyQHsmPATt1P" (also the former is much easier to read over the phone).
I didn't even have to try. I was prepared to read off the random string, and the operator went with some other piece of information from my profile instead.
How do you keep track of phony answers to security questions if they are different for each site? If it is the same phony answer for every site, it is not any safer to use real answers to the security questions.
Yup. You pretty much have to do this. I love signing into my bank's bill payment system. "You appear to know your password and possess your second factor. But what's your favorite book? <all lowercase favorite book> WRONG YOUR FAVORITE BOOK IS ACTUALLY <starts with an uppercase book> NOW YOUR ACCOUNT IS LOCKED."
Even if you're using real answers, you will be locked out of your account if you don't treat them like passwords. Eventually.
Worse yet, real answers are just weaker passwords. Mother's maiden name? Childhood friend? Elementary / high school? For a targeted attack against most people, this is very insecure in the all-information-online age. Nobody needs to know your 20 character password if they have your social media page.
I generate passwords and store them in my password manager under the notes. 1Password seemingly recently added functionality to add security questions and generate a random word string, which I use these days.
Note that you should not generate a random password like D27fX$0f7RyD for your security questions. These are designed to give to a human operator on the other end of a phone. If an attacker calls up the account recovery line, gets asked for a security question, and just says "heh, I think it was a string of random characters", there's a decent chance the human operator will let them into the account. As you say, use an actual word string (passphrase) generator, which is a bit less susceptible to this attack.
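The two posts above argue for a random word string (passphrase) rather than a random character string as a security-question answer. The following is an added example, not code from the thread, of how such a generator works and why a passphrase is comparably strong: it uses the standard-library `secrets` module (cryptographic randomness), a small constructed word list standing in for a real diceware list of 7776 words, and an entropy helper that shows 6 words from a 7776-word list land near 77 bits, comparable to a 16-character alphanumeric string at about 95 bits, while remaining readable over the phone.

```python
import math
import secrets
import string

# Constructed word list for the example. A real diceware list has 7776 entries;
# the helper below takes the list size as a parameter so the entropy numbers
# can be computed for the real list, not this toy one.
WORDLIST = [
    "grumpily", "siberian", "pampers", "panorama", "unroll", "aloof",
    "masculine", "mandatory", "antique", "campfire", "lantern", "orbit",
    "velvet", "harbor", "cactus", "meadow", "pixel", "walnut", "glacier",
    "tundra", "ribbon", "saddle", "quartz", "bramble", "copper", "nimble",
    "ledger", "sparrow", "thimble", "voyage", "whisker", "zephyr",
]
DICEWARE_SIZE = 7776   # size of a standard diceware list


def random_string(length: int = 16) -> str:
    """Random alphanumeric string, the kind a password generator emits."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words: int = 6, wordlist=WORDLIST, sep: str = " ") -> str:
    """Random word string: each word is drawn independently and uniformly."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform draws from `choices` symbols."""
    return picks * math.log2(choices)


def security_answer(site: str, question: str, words: int = 6) -> dict:
    """Record to store in the password manager's notes for a site, so the
    phony answer is unique per site and can be looked up later."""
    return {"site": site, "question": question, "answer": passphrase(words)}


if __name__ == "__main__":
    print("random string :", random_string(16),
          f"(~{entropy_bits(62, 16):.1f} bits)")
    print("passphrase    :", passphrase(6),
          f"(~{entropy_bits(DICEWARE_SIZE, 6):.1f} bits with a real list)")
    print(security_answer("examplebank", "Favorite book?"))
```

Store the returned record alongside the site's login entry; the answer is then as unique and as recoverable as the password itself.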
Yep, if you can choose the question, choose something like "What was your first pet's name?" and then make up something silly like "Mister Poopy Eyes" (a conceivable child-given pet name).
My work provides me with a 1Password subscription (for both work and personal use) which I take advantage of, and it is pretty good. I think they only require you to reauthenticate with your master password once every two weeks or something. I use a PIN, biometrics, or my Apple Watch to unlock it when it times out in between that two week period, and I've had no problems syncing between several of my devices.
Pick your three favorite movie characters for which there is a lot of information about them (name, town where they grew up, age, dog with a name, etc.). Rotate through these three. Append the name of the service. Dog's name? buddylastpass
There will be no reuse, because for Facebook it would be buddyfacebook or dugfacebook, or something else… but you will always be able to guess it in three tries. A computer system doing some kind of pentest isn't going to parse out the "facebook" or "lastpass". A human might, but that's why you rotate through three names. At the point where you have a human targeting your account and actually thinking about your inputs you are probably !@#$ed anyway.
I have a small orange password book… oddly. If that gets stolen I think I’d be in big trouble. However it doesn’t have my email address in it. Answers to those inquisitions of a password reset nature are within.
I used to do something like this. I avoid it now, and use a pass phrase of a few words as answers to these questions, stored as a password.
It was clear to me, after I had to read such a security question answer over the phone to unlock an account, that the CSR was perfectly happy with "gibberish over the phone == gibberish in front of me", meaning my attempt to secure things made it less secure in the end.
That's not far enough outside the bubble. People just reuse passwords, or add a suffix to a base password, or forget their passwords and email reset each login.
Basically the entire password manager space is the result of "security fatigue". Telling everyone that every single unimportant website they log into requires a unique high security password makes people use bad solutions that make their security worse, like storing all their passwords in a cloud-based single point of failure.
when you have an employee leave your company can you reroll or disable all their work account passwords in keepass? (no; this is good for the user and not useful for the org, but that’s the use case.)
Yes. Because their passwords should be linked only to their own work accounts and not be shared passwords. Even if you used LastPass at work, nothing stops an employee from storing it again somewhere else.
Password managers are a huge security antipattern and this will probably have to happen a couple dozen more times before infosec bloggers with affiliate marketing deals stop promoting them.
No one who uses unique passwords can remember them forever. It's a compromise of post-it notes vs managers. Either that or do account recovery every time you need to do your taxes (SOL for encrypted files though).
I sadly write passwords down, but dream of a better option.
Post-It notes are a safer option than password managers. And it's absolutely outrageous to say this: But not every single account you have needs a unique password. Just ones which can actually allow someone to impersonate you meaningfully, cost you money, or gather sensitive data about you.
Response to @palata because of rate-limiting: The problem is people tend not to only put unimportant accounts in their password managers. They also put their bank and email passwords in there, and to my true horror: People have started storing their TOTP tokens in their password managers, which effectively reimplements single-factor authentication!
> People have started storing their TOTP tokens in their password managers, which effectively reimplements single-factor authentication!
The thing is that many services are now requiring TOTP in places where I don't want it, since I was already using a strong/unique password, and the TOTP requirement is effectively just to protect the service from having to deal with users who get their passwords stolen. If you're going to make me use TOTP where I don't want it, I'm going to automate its input.
I think you'd be drastically better off not wasting effort with a strong/unique password on places you "don't want" MFA, in favor of using MFA, which is always better at defeating an attacker than any password.
I do post-it notes and a couple of master passwords for things I don't care about, so I don't disagree. I need to make 2 points though. 1) enough 'non-sensitive' data can eventually become sensitive when taken as a whole, and 2) post-it notes are less secure if they are at a place of employment, think teachers.
Maybe the best option is one of those physical access password managers like KeePass.
KeePass on something normally-offline like a thumb drive is probably a decent compromise where needed, but I'd still encourage people to keep their most sensitive passwords either undocumented or partially/incorrectly documented.
Definitely not where you store your passwords! In my case, since I don't store my passwords on my phone, I have my TOTP app there, and then for backup, I print the QR codes when I set up TOTP and secure them in the physical world. Restoring my 2FA setup to a new phone is easy: I just scan through the stack of paper!
Time for hardware tokens based on DNA, so that nobody gets online unless they are exactly and uniquely who they are, and fully trackable from all points of contact. To get in, you must have the token. Bad actors lose access similar to jail time. Unless they can hack their DNA to be unique again, they don't get back in except on parole or after punishment.
My guess is this way of solving old problems may create new ones due to that pesky problem called human nature.
DNA is easier to lift from unsuspecting victims than it is to hack your alphanumeric code. Thought theft at scale with DNA based systems would be hard. Unless, you’re the government, in which case, good luck.
"This comes just months after LastPass confirmed that hackers had stolen some of its source code in August and had access to LastPass’ internal systems for four days before getting detected. It looks like this new attack is connected, as Loubba says it determined that hackers gained access to user data “using information obtained in the August 2022 incident.”"
https://www.theverge.com/2022/11/30/23486902/lastpass-hacker...