What are the security problems with garbage-collected languages?

(not being sarcastic, don't have an agenda, I have no previous knowledge on this, and am not a security expert. Just had never heard this suggested before, and am curious what he meant. Legit question!)

With garbage collected language, programmers don't know when their variable is "free()ed", since it could be held in multiple thread, and the last thread dying will release the memory for this variable. Since programmers often don't know when the password variable will be "free()ed", it is very unlikely that they scrambled the password before releasing the memory. Thus, leading to the password being kept in some region of the program memory, in clear text, exploitable by a buffer overflow & co. for an indefinite amount of time.

> G1 reclaims space mostly by using evacuation: live objects found within selected memory areas to collect are copied into new memory areas, compacting them in the process. After an evacuation has been completed, the space previously occupied by live objects is reused for allocation by the application.

[1] https://docs.oracle.com/en/java/javase/18/gctuning/garbage-f...

If you are worried, you can store the password in a byte array and zero that out.

But further, a buffer overflow is practically impossible with a GCed language (especially a popular one). A programmer using a GCed language cannot write code which has a buffer overflow. That must come from a bug in the runtime itself. Not likely.

As far as I'm aware, every gced language has bounds checks on arrays. Certainly all the popular ones.

> the last thread dying will release the memory for this variable.

Really not how GCed languages work. Memory lifetime is not bound by thread lifetime except in the rare case when memory is bound to a thread (static/global variables).

The majority of GCs on the market are tracing collectors. Memory is periodically collected when it is not longer referenced (mark and sweep). What triggers that collection is a whole host of potentials interactions. How frequently and deep it runs also depends on a lot of application characteristics.

if it's a copying collector this is no guarantee of anything

but the same is true of general memory allocated with the OS (swap/THP/...), unless you use something like mlock()

Because the JVM had no buffer overflow? [1] Also I purposefully wrote "buffer overflow & co" because buffer overflow are not the only possibility. Shellcodes could ptrace() and inspect the memory of the program.

> > the last thread dying will release the memory for this variable.

> Really not how GCed languages work. Memory lifetime is not bound by thread lifetime except in the rare case when memory is bound to a thread (static/global variables).

That was bad phrasing from by part. You should have read "the last thread releasing the variable reference".

[1] https://www.cvedetails.com/vulnerability-list.php?vendor_id=...

Happens extremely rarely and is frequently not in JVM core code but rather something like the 2d renderer or applets. Code not likely to be executed on a server.

Take a deeper look into those CVEs and count how many are for Java 8+ and server code (it's a pretty short list).

You might as well argue the linux kernel is insecure because there's been buffer overflows in the various drivers.

> Shellcodes could ptrace() and inspect the memory of the program.

Certainly, and they can redirect socket traffic and inject a MITM for any process to directly intercept a password. Even if you are zeroing memory, there will be a period of time when a password is present in memory which means the ptrace attack also works with C.

The bad part of a managed language is that passwords stay in memory for longer, but that risk is somewhat moot considering exploiting requires a compromised system. In which case, there's little reason to pull out passwords by sniffing memory.

Take 2 classes that reference each other, but nothing references either.

In your example they won't get cleaned up. You'll want a tree-based collector. If an object is no longer referenced from the tree it can be cleaned up.

And there is simply no way to deal with this, technology just isn't there yet.

What does the attack that does this actually look like? Lastpass reads text off an html page and decides when to inject auto-fill prompts and/or enter in a password. Is it possible for a buffer overflow to be exploited there, that lets an attacker (who controls the site) gain access to a password for a different site? How does that work?

Is there some other attack possible here? Ie: is it possible another user-space application can read passwords from memory used by the password manager? How does another app know it's a password? How does it trigger a buffer overflow?

(I'm ignoring apps running with kernel or privileged access: that seems like game over)

Your best bet is to ensure no references to the password string exist - including in library code you may use, which means constant revalidations whenever you update a library or your underlying language runtime. Once you do that, you can force garbage collection, either by some explicit language mechanism to request garbage collection, or by trying to allocate gobs of memory in some way that can't be easily optimized out.

I won't get into the question of whether a programmer should also know all that, as there is another consideration which renders it moot: Even with a non-GC'd language, a programmer could leave variables with sensitive information in memory for the remaining duration of the program (e.g. local variables left deep in the stack when a function returns or throws an exception - do you know when they will be overwritten?) What matters here is that the programmer understands the risks, knows what constitutes the most sensitive data, and acts accordingly - but, armed with that knowledge, the programmer can just as well ameliorate the risk in a GC'd language as one that is not.

The issue is: what if thread A and thread B hold a reference to the password variable? And you don't know in which order they will execute. In which thread do you scramble the password before releasing the variable reference?

From what I understand, OP's point is: because of the nature of C, you have to know where your variable is "free()ed", because you have to do it yourself. Therefore you can scramble there. Even if you have two thread doing:

    n = decr_reference(password)
    if (n == 0) {
      scramble(password)
      free(password)
    }

This assumes you can write destructor at all and that it's run deterministically.

> though you can probably force that to happen in most GCed languages

I'd actually be surprised if any GC'd language allows this. You normally need to resort to different kinds of tricks for RAII-like behavior.

   with prompt_password() as password:
     stuff

Or at the least, let a program implement parts of the gc api and plug it in themselves.

https://docs.oracle.com/javase/9/docs/api/java/lang/ref/Clea...

However, the issue isn't so much that doing that, rather it's that GC will potentially never collect the memory. In the JVM, the GC primarily runs when enough allocations happen. It's not on some timer.

So the concern would then be having a password sitting in memory for hours (or even days) on end.

This wouldn't help once you create your own objects however, e.g. JSON parse from a decrypted block.

However, using them correctly in the context of memory leakage and safety is non-intuitive and is definitely a bit tricky.

I'm not sure I see the issue, you just implement a memory-safe string class that manages arbitrary bytes, it's slower but that wasn't the goal.

I don't want to say the concerns are entirely unwarranted, but I really don't think it's a big deal for the vast majority of people.

I'd vastly rather see sensitive security software developed in a modern garbage collected language (or in Rust and similar languages) than in C or C++.

I'm sure some people worry about this, but I think you will be hard pressed to find a modern OS that actually would give away your contents to another PID.

Just because a program can malloc(8), fill eight bytes with known content, free() the pointer, malloc(8) again and see their old content doesn't mean the OS hands your data to anyone, just that the libc (or whatever runtime you use) is not actually getting a whole page for that single 8 byte malloc, and it didn't give it back to the OS at free() either, so you "owned" the page where those 8 bytes lives all the time during execution of this simple test.

The limit for which your allocator starts _actually_ handing back data is probably never less than 4k and upwards to 256k depending on page size, malloc settings and OS/libc defaults.

So while there are a lot of traps code can fall into as mentioned in other comments in this thread, I think everyone can stop worrying about "the next program to malloc() will get my old data" because that just doesn't happen.

I know that's not an either-or proposition, there are memory safe languages that aren't garbage collected. But if people aren't talking about those languages, if they're just bringing up C or something...

I am not an expert, I might not know what I'm talking about here at all -- but my instinct is that I would rather see security-critical code written in a garbage collected language than in C. Frankly, I don't trust developers not to make memory errors in C.

Maybe I'm underestimating the risk of the garbage collector not zeroing out variables? Or maybe I'm over-complicating it and the answer is just the obligatory "write it in Rust" refrain so you can avoid both problems?

But I'm also a little surprised to see this line, my impression was that security advice was starting to trend towards recommending GC languages, not away from them.

The real dangers always turns out to be crazily bad security practices (the kind obvious to everyone after the fact), not theoretical attacks that probably weren’t ever demonstrated in the wild.

That said, I'm sure there are workarounds even in GCed languages. For instance, you can usually create C extensions which could allocate and manage memory outside of the GC's control. So, such extesion could potentially give back memory control of certain special memory regions where secrets can be stored, while everything else just goes through normal GC.

My question: does the nondeterministic execution pauses that garbage collection injects into a program's runtime aid or prevent timing attacks?

It seems like it would prevent them, since it makes it that much harder to predict execution duration, but I have this vague impression that high-security operations are more likely to demand real-time computing. Maybe that's just incidental, and applications that must highly perform also tend to need to be secured from attack?

For example:

    password = "my-secret-password";
    // do stuff then remove the pass from memory
    password = "" or null or delete or unset

But that feels like a very generous interpretation, I'm sure the author really meant it as a "real programmers don't use GC language"...

edit: https://learn.microsoft.com/en-us/dotnet/api/system.security...

It's a little frustrating that their only recommended alternative is "just give us your secrets bro" though:

> The general approach of dealing with credentials is to avoid them and instead rely on other means to authenticate, such as certificates or Windows authentication.

I’ve shrugged off a lot of strangeness that has been happening with them as a fledging company’s growing pains. Unfortunately, this incident is the final straw. I think we are going to see a lot more come to light and their lack of any sort of transparency on this is a cardinal sin in the Infosec world. As an aside, it’s interesting to see their fall from grace from their reception section on Wikipedia: https://en.m.wikipedia.org/wiki/LastPass#Reception

I’m moving to bitwarden and not looking back. I would be interested to see some people write about this transition as I’m not sure if I want to export/import or start anew and move things manually.

Key points: - Refresh the website list from the extension before starting, ideally clear the extension cache first (will sign out) - export from the extension - attachments and password history are not exported - there is a lastpass-cli that will help you export attachments - there is a hacked together PR from myself that will help you export the password history

The import worked very well in 1password aside from attachments/history. What I did though was tag all my password with "lp-breach-aug-2022" and then as I go through them and change them, I remove the tag

I didn't understand any of your explanation of how to migrate from Lastpass to 1Password.

  1. Export passwords
  2. Export attachments
  3. Export password history
  4. Export form fills (THIS IS NOT POSSIBLE FROM MY UNDERSTANDING, form fills also appear to not be encrypted?!)

In the extension, go to Account Options -> Advanced -> Clear Local Cache, this WILL LOG YOU OUT. Then, log-in and Account Options -> Advanced -> Refresh Sites, this will update your local cache. Finally, begin the export process and follow the instructions, make sure to USE THE EXTENSION (not the website): Account Options -> Advanced -> Export -> LastPass CSV file. When saving the CSV, do not copy-paste the content of the HTML manually, instead use the popup to download the file that LastPass provides. You might need to allow popups for LastPass extension the first time you perform the export, then perform another one to get the popup.

# 2. Export attachments

Use lastpass-cli to export attachments. A script is provided in version 1.3.4: https://github.com/lastpass/lastpass-cli/blob/v1.3.4/contrib... Keep in mind that the script works also on version 1.3.3, which is the one provided pre-compiled by Ubuntu, you just have to copy-paste the script to your local machine.

# 3. Export password history

This is not possible natively, you can use my modified PR, but it's not trivial, bash knowledge, familiarity with C syntax is expected: https://github.com/lastpass/lastpass-cli/issues/245#issuecom... Keep in mind that YOU SHOULD AUDIT THE SOURCE CODE, I modified an existing PR and it's hacked together, I brought it only to where I needed it to, to get the password history out for my specific use-case.

# 4. Export form fills

Unsupported from my understanding

# Conclusion

Tag the items or mark them in your new password manager with something to remind you that they were breached on lastpass in august 2022 and remove such mark when you change their password.

I audited the code to the best of my ability and it doesn't look like it's malicious, but I certainly could've missed something, so to anyone who's thinking about using this, it works, but do your due diligence.

Is the ability to take a payment the only thing LastPass got right?

The one on top of my mind is that you can unlock LastPass with a PIN. My wife has a phone with a glass cover (to protect it from the children), which "broke" fingerprint unlock.

She's required to type the full password every time to unlock it, which is particularly hard on phone (long password).

On top of that, lastpass app (phone) had the option to "force" autofill from a notification. For some apps where the popup never really shows up with 1Password, I was able to force it using LastPass and then fill. With 1Password the only option is to go to the app and copy-paste.

Those are not game-breaking though, given the many, many bugs that LastPass (app on phone) had, the most annoying was: open the autofill and when searching, just no result shows up. This made the autofill useless a good chunk of the time.

On top of that, LastPass EXTENSION (chrome) has the option of choosing between sharing states between browser profiles or not sharing states between browser profiles. This is very useful in my case, because my wife has a chrome profile under my OS user, but we can still have 2 different lastpass "logins". From this perspective, 1Password is actually entirely broken: if you login into the native application (which is basically required for decent functionality), you are not allowed to login into 2 different 1password profiles through the chrome extension unless they are on different URLs (e.g. mycompany.1password.com vs 1password.ca).

Finally, LastPass was consistent: web, extension and app had the same capabilities.

1Password is highly inconsistent, where the native app has more capabilities than all of them, the extension has no edit capabilities but has better read capabilities than the web version and the web version has a mix of edit and read capabilities. For example, the native app can "batch add tag", but the web cannot do that.

TBH it was more of a throw-away sarcastic outburst, an exclamation, an out-breath, than a genuine question. And also based mainly on the security side of things. I didn't make that clear, however, so I apologise for leading you into expending so much effort on your excellent reply.

And I'm very angry at LastPass too.

To be fair, the thing I'm the most angry about at LastPass is how the product felt completely stale. I remember signing up 6 years ago and there has been no change at all across the board. Bugs, issues, improvements, NOTHING.

They could have avoided all this, they just didn't.

How did you add the tag, or is it obvious in the UI? I've never used 1Password before but think I'm gonna land there instead of Bitwarden, and I like this idea.

The web portion has *less edit capabilities* than the native app. You should have the extension and the native app installed at the same time, the extension should connect to the native app (and share login).

In the native app you can click on one item and then hold shift or control (Windows) to select multiple items, then you literally drag them on the tag on the left. It will feel laggy a few seconds if you tag 1000 items like I did and it might not work perfectly, so double check that all the items got tagged. To do that check, you have to: click on the tag, then scroll to the end. It will tell you the count of all the items for that tag. Repeat the "bulk tagging" until the count is what you expect. Do notice that if you click on one item and then hold shift and click on the item at the end of the list, it will select all of them, so this process is pretty fast. I had to do only 2 tries before all of the items got the tag.

EDIT: You must have added the tag to at least 1 item manually for the tag to show up in the sidebar. To do that just press "edit" on the item and at the bottom there is a "tags" field, you can add one. In the web version, you just type tags and separate them by commas. The native version has a way better control.

Secret about tag: if your tag is named `foo/bar` it will represent them in a tree-like structure in the native app, so `foo` -> `bar`.

WTF

> I see the features in 1Password and I almost cannot forgive myself for holding onto Lastpass for such a long time.

The export process was the thing that mainly held me.

There was also an issue where 1Password would not work properly with a Work Profile on Android if you ALSO had a non-work-profile version of the app, which translated to "if you use 1password at work and in your personal life and you have a Work Profile, you cannot use 1password inside the work profile (it must be outside)"

In the end, this is just a bag of passwords, so as long as it's keeping things safe, it should be acceptable.

It didn't.

And it also doubled the price without giving any software improvement over the years, which is very bad.

I like this design a lot. LastPass _used_ to work like this ages ago.

>You must have added the tag to at least 1 item manually for the tag to show up in the sidebar.

I did get stuck here for a minute but was able to get it set up. Thank you!

I discovered that every time you click "export" in lastpass, the export accumulates a copy of the vault. My second export had 2x of everything in it, 3x for third, etc.

I see the features in 1Password and I almost cannot forgive myself for holding onto Lastpass for such a long time.

Did it about 18 months ago. I was expecting it to be more cumbersome than it was. Export from LastPass, import to BitWarden, manually compare.

Simples. It all worked IIRC, though I only have a few dozen entries as I'm in the habit of clearing old ones down. Left LastPass going for a few weeks just in case, then closed it down and the data was deleted.

Edit: If I was doing it now, I'd do it from scratch and change every LastPass-aware credential as I go. That info is out there now; you don't want to be using it any more.

I've used LastPass for password history once, and a couple times for notes (which don't get exported).

Now I want to delete my lastpass account completely but what would be helpful is if I can mark all my bitwarden passwords that are still the same as the ones in LastPass, as I'd like to change all of them. Anyone know a way to do this?

When I moved over to KeePass I was able to export and import all of my passwords but the field labels got pretty mixed up, and it was a little bit of a pain to correct. That might be fixed now, but it would be interesting to see people's experiences importing into other services beyond just "here's how you export from LastPass to CSV".

Edit: as other people mentioned, I also didn't get any password history with my export, which isn't a big deal to me but is worth highlighting.

I would highly recommend starting new. Every transition between managers has wound up leaving me having to manually delete fields after the fact anyways, or just keep those fields littering the manager. Sometimes even incorrect fields when moving away from LastPass which is even more of a bother. Starting new also gives you a chance to get more used to the new manager's features, and when transitioning you can add specific fields based on crucial information that might have otherwise been lost in automatic moves.

Use this transition as a justification to change your passwords to the services you use, and also a way to decide whether you want to keep using that service or submit a deletion (most you can do this on your own, other times you have to send a GDPR deletion request). I know it takes more effort, but spend a chill weekend doing so, and you'll be glad you did. Plus you can also review some security settings on your services, like force sign out all other devices and changing your 2FA settings.

Think of it as a new year refresh

I then stopped using my account on LastPass and literally a few weeks later they revealed the "security incident". Had to change all my passwords but I'll never get near this company ever again.

Luckily I've been off of it long enough that I suspect most of my regularly used accounts are different anyways, but I'm still going through the process now of methodically rotating all of them (I may change some of the email addresses as well).

----

I think a lot of people even casually knew LastPass wasn't at the same quality level as other solutions, but inertia is powerful. Sometimes you need something glaring to be the final straw that breaks the camel's back.

It's been long overdue; I moved off of Gmail as well a while ago but haven't gone through and systematically changed all of my account email addresses; there are still a few older services I have that send emails over. The new year is a good opportunity to clean that stuff up.

I've deleted my stuff now anyway, it's all we can do. :(

I knew it was a backup, but I don't recall seeing anywhere how old it was. Do we have any more information?

My data was confirmed deleted by them mid last year when I moved to BitWarden, and I'm hoping the backup was older. If not then I'm in the unfortunate position of being at greater risk than those who signed up more recently. I need to change everything anyway just in case, but knowing more would help with peace of mind. I used them for so many years I probably only had the 5,000 (or maybe even the 500) iteration config they never once mentioned.

The next thing to do will be to start changing passwords. As with most of us, that's a project of serious scope that I do not look forward to.

I've spent the better part of the past three days doing just this. Get some good music and some good coffee, and it can actually be pretty cathartic. I enjoyed the hygiene exercise much more than I thought I would.

Also it's been a fascinating exercise in user-interface/-experience competitive research. Some websites just do not give a crap. Here's one gem: https://i.imgur.com/yBLmuHt.png

I can't help but feel pity for the local/city-level websites though. You can tell they've just Frankenstein-d stuff together on meager budgets and under crippling administrative loads.

When I first moved off I didn't want to close the account just in case something went wrong with the transition. But after it was clear that the transition was fine, then I should have gone back and just finished up the final step.

I probably needed to do a full account cleanup anyway at some point, but I just wish I had been slightly more proactive about deleting my data. It's a good lesson to learn, I'm thinking that as part of the account cleanup I should also take a look at what other accounts I have lying around that are unnecessary.

My workflow is to launch the login from LP (using the app), use those credentials, and change the passwords using Bitwarden. Otherwise, you might accidentally set a new password that doesn't actually work and have to go through painful password reset processes.

I may never find out for sure, even if I ask LastPass...

This may make sense though. LastPass seemed to be the only one with a good enough UX. And without a good enough UX, you can't make users actually use it. Using an imperfect but usable password manager is still much better than not using one with better security but poor UX.

(Here comes the old adage: make the friction low for the customer, and any shortcomings elsewhere will matter little.)

Indeed. Writing down passwords on a pad of paper next to your computer is a valid practice for most people if we're being realistic, particularly for personal computer use. Even leaving passwords in an unencrypted text file on your desktop is not nearly as bad today as it used to be 20 years ago. Pretty much anything is better than using the same 8 letter password on every single website. That's the status quo which needs to be toppled.

LP extension and web vault ARE pure garbage:

1. It can't even recognize sites correctly ?! WTF really. I usually get 10 or so (looks like random) hits for any site but not the one that I should.

2. It offers me to extend pro support 5 years after I stopped paying for it. What I need to do for it to stop ffs.

3. Its UI is simply outrageous, i.e. if you search something it shows empty folders among those that contain the item etc.

I recommend NextCloud Passwords plugin: https://apps.nextcloud.com/apps/passwords

Its awesome, supports team work, and if you have NC its no brainer. Probably too much work to install NC if you don't use it but in small company settings its probalby good idea as you need online office anyway.

The UIX of Bitwarden can be a bit meh at times but it's also boring, predictable, and solid. I'm just saying this as someone who hates save buttons in the upper-right hand corner of things - just... small nitpicky stuff like that. Sometimes I have to look for a button or their use of iconography confuses me a bit.

I would do my own hosting for a distributed password database but the older I get the less I trust myself to keep that stuff locked down and patched. Given the number of users I feel Bitwarden has more skin in the game to keep their solutions tight.

If you're not looking to self-host I can't recommend Bitwarden enough!

Also planning for my passing, I think it'll be easier for my SO to get into a simple web-based solution with my TFA scratch code if they need to handle any of my affairs vs. tracking down my KeePass file that would be behind disk encryption etc.

Like I said - used KeePass for years, and I love it to death. I have just moved on in my usage and needs =)

I needed something selfhosted and have used bitwarden for that until I got burned down when I could not recover the instance.

https://bitwarden.com/help/about-sso

> Login with SSO is available for all customers with an Enterprise organization

Correction: that part of the source seems to be only 'source available' rather than FOSS.

Simply stop using LP and it should stop;P

By just searching "LastPass" it is almost always a security breach or hack. [0]

[0] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

You gave them your passwords. What makes you think your passwords are safe?

e.g.: Personal/Confidential/google.com/pjungwir@gmail.com Client1/Secret/google.com/pjungwir@example.com

The folder structure allows for different keys to be used in .gpg-id files, so secret access can be limited on different devices based on which keys are available. For example, only a subset of keys are available on my android phone via the Password Store app from F-Droid, with all devices using a shared password-store synced using git(1).

Completion with bash works well (on Fedora) and following the convention of having the password on the first line allows for the android app to work and you don't need to worry about someone looking over your shoulder by using 'pass -c ...'.

There is if you pay $10 annually for Bitwarden Pro.

I use it, and it was the game changer I needed in terms of user-experience, to bother actually start using 2FA/MFA for all sites where it was an option (compared to before where I would only do it if required).

I definitely recommend giving it a try.

GitHub and some famous banks/credit card providers.

Mfa code doesn't autofill, but it's just a click to copy.

> I just use Authy

isn't Authy an authenticator app?

So is the Bitwarden database not also stored/always up to date local (like how IMAP works for e-mail, if the server goes offline you still have all your emails locally) ?

This is the key point. Properly implemented, you should feel very relaxed if your encrypted data is leaked.

I'm using BitWarden, but 1Password's "secret key" concept is smart, it means your data is still very secure even if your password sucks.

They were hacked back in 2015 too: https://www.wired.com/2015/06/hack-brief-password-manager-la...

> On Monday password manager service LastPass admitted it had been the target of a hack that accessed its users' email addresses, encrypted master passwords, and the reminder words and phrases that the service asks users to create for those master passwords.

(That's from 2015 but could read like the other week!)

Once it came to light they lost control of their vaults the calculus changed. In my memory this is the largest, most prolific breach in history. Every other breach of a major site pales in comparison. The only solution is to change password managers immediately (I went to 1password) and begin the process of changing everything and updating your security posture. Unfortunately, the hackers also have an insane amount of metadata on customers. So if you stored incriminating (either legally or socially) websites in there the hackers now have a lot of leverage to get you to bend the knee.

In summary, lastpass has been on the down slope for a long time. But it was easy to just accept this and work around it. This breach changed everything. It revealed their incompetence in full and woke a lot of people, including myself, up to just how hard it is to trust a company. It's just not enough anymore to have a big company slapped onto your logo (LogMeIn) and hope they provide the correct mitigations through experience. From now on I, and many people I know, will be carefully evaluating their choices with password managers, etc from now on. I don't think their CEO can be trusted especially with all the weasel words used in the disclosure and the timing of the disclosure. They showed no respect for their customers in either the aspect of security or disclosure. If you know nothing else about this breach that should be enough to get you and everyone you know to run.

https://www.wired.com/story/the-full-story-of-the-stunning-r...

I've been debating building an in-house solution for managing secrets, if for no other reason than to get all of this information off of 3rd party computers. No serious proposals have been put forth, but I don't think this stuff is exactly rocket science either. Our requirements are functionally-equivalent to a copy of passwords.xlsx on a network share.

At this small scale, everything is vendored out. Many times, 2+ different vendors will need to directly exchange something like a password for the bank's core system. Email is the preferred technique, typically with some theatrical secure email crap on top - involving yet another 3rd party in the secret exchange mess.

As you get into the scale of an organization like Capital One or BofA, you start to see more of that Hollywood-style credential exchange & control with multiple consenting parties, Iron Mountain trash cans, biometric doors and one-time passwords.

If you are concerned about the IT/security of your financial institution, you may prefer larger ones. These have more employees running just IT compliance than many of our clients have in total.

If you are concerned about bad customer service or losing access to funds, you may prefer smaller ones. Being able to realistically talk to a board member of the bank about a dispute makes a lot of people feel better about where their money is.

Really?!

That's the least secure option I can think about, including LastPass. No encryption whatsoever, and the whole setup relies on no one ever making copies or otherwise getting unauthorized access to the file. Audits could be tricky, too - Excel may save some temporary copies of this file somewhere (like in %TEMP%) without anyone realizing.

This stuff isn't rocket science (pass is a simple shell script, after all), but your comment sounds quite concerning. I mean, I know banks are notoriously backwards when it comes to technologies and information security, but this is just... wrong.

This way, you don't make the same mistake as Telegram as well; I.E., don't roll your own crypto if you can help it, especially if there are ready-made tools that already do what you want, doubly so when those tools are battle-tested and looked over by actual experts.

The "actual experts" part is where I trip over this. What is the standard in this context?

I've written a lot of software that utilizes cryptographic primitives in a wide variety of business contexts. Does this make me an expert? Or, do I need some special piece of paper that says I have permission to conduct cryptographic implementation business? If so, where do I obtain this?

I thought this whole comment thread was a matter of the "actual experts" not being who they claimed to be.

Switching to Keepass, 1password, et. al. is just continuation of the same madness in my view.

What drove me away was the lingering impression that they were more focused in figuring out how to monetize their product, rather than improving it: E.g. one year feature X required a $1/m plan, next year it was free, and the third year it required the $5/m plan. At the same time, their apps/extensions seemed sluggish and stagnant.

That didn't exactly inspire trust in a product that is essentially the gateway to most of my online activities.

I know it's got a bit of security via obscurity vibes, but I've concluded the combo of residential IP, wireguard, firewall and dedicated VM is probably more secure. That would require someone with decent skill targeting me specifically...in which case they're probably better off with a wrench attack anyway.

The big unknown is uptime.

NB: Not affiliated with the company, just a very happy customer.

Well, it turns out the project in question had to change their name from bitwarden-rs to vaultwarden-rs since they violated the trademark. Updates stopped being pushed to the original docker image url, and several months passed until I suddenly noticed this. In the meantime I could easily have missed some important security upgrades.

I understand it's only myself at fault here, but it made me migrate to a hosted account instead. As fun as it is to self host things, something this security critical is probably better left to dedicated people.

My LP password is thankfully on the stronger side of things so hoping I've got time to try them all

Ideally I'd sync it directly against home server, but iphone limits options on sync to own server a bit. Maybe via git...

I think this is really unlikely; since https://news.ycombinator.com/item?id=34092956 I've been gathering lockout reports on HN and they're mostly things like adding a phone number to your account and then forgetting about that when switching numbers.

So I don't really think the OS is the right place for a password manager, at least not without some standardized interoperability.

Of course, that does mean that it's less universally convenient like the other commercial apps.

As usual with Apple stuff, I guess they're not interested in making it a better separate app because their value proposition is "use our frameworks and get this feature 'for free' "

Additionally, I share my LastPass with my partner. Probably not a setup for most, but we find it convenient.

All that is achievable only when the password manager is not tied to the system login.

(A) signing into iCloud (Requires Apple ID Password) + approving the new device on an existing device that has Keychain access

or

(B) signing into iCloud (Requires Apple ID Password) + performing SMS 2FA + entering the device passcode of your primary device

The threat model here is where a nation-state actor enlists the full cooperation of Apple and gets Apple to hand over your encrypted iCloud Keychain, then gets Apple to siphon your Apple ID password next time you sign in. They could then use those two pieces of information to brute force the passcode on your encrypted Keychain data. If you have an 8+ digit passcode, or an alphanumeric passcode, that makes it exponentially harder to brute force.

With the long passcode, your only remaining threat would be Apple shipping malicious hidden code or an RCE in their product that allows them to force your device to approve new devices non-interactively, which would allow them to approve a malicious device the next time you approve your own new device for access to iCloud Keychain.

Or perhaps it's more likely that, when you're setting up a new device, Apple sends over the name of your new device, but with the public key/CSR of their own device, since iOS doesn't show a key fingerprint during device approval or anything.

0: https://support.apple.com/guide/security/secure-icloud-keych...

I remember, a long time ago when i created an AppleID, there was a yes/no choice whether or not to upload [something related to the password] to Apple, so it would become possible to recover the AppleID password if needed in the future.

Is that still a thing, or has it been replaced by new features now?

I can't speak to Enpass's security, but I have been a user for several years. It feels less polished than 1Password but is freer and more open.

We can't audit their code unless it is open source? I'm not going to just believe them at face value because some random internet personality says so. Unless some respected authority can publish an audit of the security posture and source code, we're just taking them at their word.

Granted, if I had to chose today, I would instantly pick 1Password based on what I can find on google, and LP has far, far more leaks than 1P.

But let's not kid ourselves that 1P is somehow more trustworthy without audits. And I'll eat crow if 1P has proof that they are routinely audited by 3rd parties.

EDIT: removed snark.

EDIT#2: If Signal can publish open source, why cant 1Password? If security is done right, the source code should be visible to everyone without jeopardy, or at least that's what I've been led to believe.

EDIT#3: Thanks for the link y'all, here it is at top level: https://1passwordstatic.com/files/security/1password-white-p... ... mmmm crow

EDIT#4: We trust browsers too much. 1P stores the secret key on every device so that you only have to enter your passphrase. I'd really like that code to be public because that's a great way to lose control of everyone's secret key. Extensions worry me because they are a critical component in any password manager's usability-vs-security. But perhaps that is a digression or worth an Ask HN.

They also regularly have audits and pen tests, with the reports pushed publicly: https://support.1password.com/security-assessments/

Finally, it's been built by people who are respected in the security industry.

I see no reason not to do this, especially for such a security-oriented service. You should be striving for as much transparency as possible.

Where is the repo of software that you've paid an unknown number of developers to work on for multiple years over multiple versions that you charge for and run a viable business employing all of the peoples?

That's why every "the company source code got stolen!" news is nothingburger, no competitor can use it, it would be huge liability to be caught using it, and it "only" matters for people that might find bugs in it.

https://github.com/bitwarden/server/blob/master/LICENSE_FAQ....

> It's also been built by people who are respected in the security industry.

This means almost nothing. It is an appeal to authority. Experts can still miss things. Yes, it is better than experts saying a product stinks, but still is not trustworthy without open source. Maybe I'm making my own fallacy here, I'm just trying out a position.

Being Open Source is in some ways a multiplier on security because it allows more expert review. But the expert review is the important part; if security-critical code is Open Source but hasn't been looked at by anyone other than the main developers, the Open Source part is a multiplier on zero.

It's a little bit more complicated than that, and there are a lot other factors at play as well even outside of security. We're not really getting into stuff like future-proofing and what happens if 1Password gets a lot worse in the future. It's complicated.

But the gist is that while it would be a lot better if 1Password was Open Source, it's still in its current state probably got more eyes on it than some Open Source security projects do.

Now how much value is the first adding versus the second removing is the case. And based on incentives for each, an honest security research maybe getting a small bug bounty, and a rogue one potentially gaining access to 10's of thousands of accounts I think it might be a net negative overall.

But it must be smaller than the number of bugs that exist in code read by a smaller group.

Now, it's grounds for an (extremely) persuasive inference! And we know very little of what we consider known by strict deductive logic: we rely on weaker inferential reasoning the vast majority of the time. Grandparent's "means almost nothing" is much, much too strong.

But when we really want to know for sure that something is true, people are going to want to see proof, not a statement from someone who probably knows of proof.

I'm really just here to stand up for the body of knowledge I learned in 9th grade Logic Camp. Good old classical Aristotelian logic is where the concept of a "logical fallacy" comes from; it really is all about deductive reasoning and not about inferences; and there really isn't a PhD-from-a-really-good-school exception to the fallacy of argument from authority. Just the same way that "X is false because George Santos said it" is simultaneously very persuasive, at least to me this week; and also a fallacy ad hominem.

Nobody's saying we do, and I think there's a good middle ground we all actually inhabit where the director of the CDC, for example, is an authority on diseases when speaking in an official capacity, but we don't give a damn what they think about the latest movies. This isn't a difficult concept until we try to formalize it, really, at which point I'm sure we can run off into a bramble of paradox and bizarre conclusions we "must" accept in order to satisfy certain kinds of logical consistency.

> I'm less sure that we'd have the same list of which people count as infallible-enough experts in which areas.

This is a problem and we've seen it be a problem quite severely in recent years. Part of the problem is certain political groups following people with absolutely no recognizable expertise in anything except making money from people who don't recognize logical argumentation as even potentially useful: If it doesn't validate their pre-existing ideas, it's not only wrong, it's a trap laid by the enemy, and anyone who promotes it must be punished. Take that mindset, add some over-simplified and incorrect models of reality, and you have people who refuse to accept reasonable sources of authority for self-contradictory and purely emotional reasons.

Finally, logic has come a long way since Aristotle, and using some kind of consistent attempt at statistical reasoning is no less valid than declaring some probably-true statements to be axioms or postulates and reasoning deductively from there. Like diagnosing a disease: You can't use deductive logic to determine why you're having flu-like symptoms, you must use some kind of reasoning based on relative frequency of diseases and, possibly, incorporate the results of various tests in a more inductive fashion. "George Santos lies a lot" is a perfectly valid piece of evidence to incorporate into a worldview, just like "The seasonal influenza is more common than some horrendous infection which also initially presents with flu-like symptoms" is.

Treat arguments from authority as indistinguishable from any other rule of reasoning, on the other hand, and there’s nothing to do but declare people who don’t share our view of authority irrational. And then I don’t know what the plan is.

It’s exhausting when people refuse to recognize well-established expertise, but I think it’s counter-productive that so many of us get defensive about it. Yelling at people to accept our authority figures isn’t working. It won’t ever work.

> If we keep in mind the difference between what we can rigorously establish and what we’re fundamentally taking on faith (however well-founded)

From my perspective, we're taking everything in the real world "on faith" (and there is a loaded phrase ripe to be deliberately misinterpreted) to a certain extent, and not just because of brain-in-a-vat arguments. For example, I sit in chairs thinking they're solid objects, but they're made of solid objects and might well collapse under me. In my experience, that doesn't happen to me, so my heuristic is that chairs are safe, but a heuristic isn't rigorous. It's "faith" if you want to phrase things that way.

Moving deeper, I trust that my senses provide me with accurate-enough reflections of reality I can use them to navigate my world safely, but I know enough about neurology to know that that isn't a given. Vision is reconstructed by the visual cortex from messy and incomplete nerve signals from the retinas, our sense of 3D space is reconstructed (based on low-level heuristics) from a pair of 2D images reconstructed from those messy retinal signals, and so on, from the bottom of the neurological hierarchy to the top of the conscious sense of self. The human machine lives off of best-guess reconstructions from incomplete and messy data.

This isn't mere acatalepsy, however: I think humans live in a physical world we're capable of perceiving accurately enough, and comprehending well enough, that we can accurately say we live in a real and comprehensible external Universe, and that some things don't go away even if you don't believe in them. Therefore, it's possible for our heuristic judgements to become more accurate at predicting reality over time, which is what separates knowledge from dogma.

Accepting that an authority is probably more likely to be right than wrong is a heuristic, and that heuristic can and should be improved, but all of our knowledge of reality is heuristic, so trying to treat reality like an axiom system is philosophically wrong-headed and incapable of dealing with the full complexity of reality as well.

Second, I think there's at least a rough partial order on the things people propose as axioms: the order of how surprised I am when someone contests one, if you like. Very surprised, if it's the existence of external reality; not too surprised at all, sadly, if it's whether biologists are to be trusted over the pastor at their church on the origin of species.

The nice thing about that machinery is that when you meet the second sort of person, you're not forced to believe that they're fundamentally irrational and immune to all reason.

One more thing: trusting experts is a very convenient heuristic for me individually, and I use it all the time, but it's not epistemelogically all that useful. In principle you can always replace an appeal to the authority of a genuine expert with the evidence that they rely on to come to their judgement: if you can't, then they're speaking outside of their expertise. No one of us can win an argument on the internet that way; time is finite and we each only know so much. But if we all chip away at it, by supplying evidence where and when we can, we might get somewhere.

Technically, unless you reinvented logic on your own, this in an argument of authority with extra steps.

The nice thing about having a notion of strict deductive reasoning is that it gives you an idea of what arguments might persuade someone of basic good faith, but who very much doesn't want to be persuaded. If you and your interlocutor don't both accept modus ponens then you won't get anywhere, but that's pretty unlikely in practice.

(And I'd actually argue that we each invent logic on our own and then notice that the logics are equivalent, but that's straying into metaphysics.)

Whether they know stuff or not is irrevelant to the fact person is trying to avoid having constructive argument.

So it could really be dismissed by "okay, they are experts, but how you're sure they didn't wrote it all on hangover?"

I haven't seen a name mentioned in much of the discussion here.

Who are we talking about from this list, and what else have they done? https://1password.com/company/

The audits could be classified as that but not "well they hire security people, they must know what they are doing!"

Hyundai hires engine developers and their engines explode nonetheless!

Maybe I'm wrong but doesn't this put it in a totally different category than other fallacies? Circular arguments, for example. All circular arguments are wrong. If you identify a circular argument you don't even have to fully understand what is being said, you can immediately conclude "this is a bad argument".

But appeal to authority isn't like that. "I'm not going to drive through the mountains today because the roads are iced over, and I know that because the highway department said so." That's an appeal to authority, and it isn't proof, but it's a good argument and there's no need to drive out yourself and confirm that the roads are dangerous. Identifying an appeal to authority is not enough to discard an argument, you need to evaluate the authority. When you see a circular argument you don't have to measure the diameter of the circle or something.

So I don't think appealing the Grammarly was a fallacy, but in this case I think they're wrong.

Hmm... perhaps my concern is that expert opinions matter way more than non-experts, but we still can't blindly trust them.

...and I'm sure you're not saying to take everything they say as word of truth.

I withdraw my argument on the grounds it is poorly constructed.

The key words are: “if done improperly, this could be…” The article goes on the give non-fallacious examples of an appeal to authority. The quality of an implantation will be correlated to experience, so this is an example of a non-fallacious appeal to authority.

It's sort of like seeing a lot of arguments that rely on false or misleading evidence and deciding that "appeal to evidence" is a fallacy. The choice of authority or evidence is the issue, not the act of appealing.