Comments
tfb • December 2, 2022 7:40 AM
Quoting Wikipedia (so this is nth-hand and may be false or confused):
LastPass assured that passwords stored with the service were still secure, as encryption and decryption of passwords takes place on the user’s device.
Which sounds like they may have leaked some encrypted passwords.
I don’t know if LastPass lets you store passwords you have chosen rather than randomly-generated ones. If it does then a great number of them will be ‘password3’ or whatever, and delightfully easy for an attacker to guess, given the encrypted data. Let’s hope the thing the password is for is not also stored with it … oh, don’t be silly, of course it is.
(A good approach would probably be to encrypt the password & what it is for together?)
Uthor • December 2, 2022 8:18 AM
@John,
Yeah, that is more secure, but being able to log in from anywhere and not being reliant on my personal hardware going down is also a plus for me.
And I shudder to think about my mom trying to store her passwords on her own password manager. Her being able to share them with me is helpful, too. I mean, I have to make purchases for her because she’s uncomfortable typing in her own credit card number.
Yes, it’s not the most secure, but there are benefits to it.
Brenden Walker • December 2, 2022 9:18 AM
@John, @Uther Offline/local password DB here as well. I carry 2 USB sticks (one in pants pocket, one in utility vest aka man purse) with password database and portable copy of the password manager. If there’s a PC around, I can access my passwords.. and I almost always have a laptop around.
IMO works as well as cloud storage.
Winter • December 2, 2022 9:28 AM
@Brenden Walker
I carry 2 USB sticks (one in pants pocket, one in utility vest aka man purse) with password database and portable copy of the password manager.
I have heard bad things about the reliability of USB sticks. They have a habit of failing early.
Brenden Walker • December 2, 2022 9:57 AM
@Winter
I carry two.. never had any fail in over 20 years of this use case. I replace them every 5 or so years. Now that you mention it though, perhaps I should clip one to my wife’s purse.. and have 3!
I’m sure for some folks cloud storage is more convenient and plenty secure. I’ll give up convenience for security 99% of the time, different risk appetite.
Peter A. • December 2, 2022 10:12 AM
I store my less important passwords (encrypted) locally plus a few backups over there and there and somewhere else still. The important passwords are stored in my brain only. I don’t carry a computer with me so I am not tempted to access anything away from home.
Andrew • December 2, 2022 10:20 AM
To entrust your passwords to a big organisation which has the security specialists on payroll to defend from all the shady characters from all over the planet?
Or to keep your passwords close to your own chest hoping you’re much smaller an much less significant target, but also relying only on yourself to notice if someone tries to exfiltrate your secrets?
Sounds almost Shakespearean:
“To be, or not to be: that is the question”
Robin • December 2, 2022 11:01 AM
@Brenden Walker, glad to read that, I get a bit of mickey-taking from nearest and dearest (and those not so near and dear) for having multiple copies like that. (I’ll add that my Password Safe files are also stored on my regular backup discs).
As for USB sticks and their durability I’m still using one (for non-critical jobs) that accidentally went through the washing machine. Those little ticket/key pockets in a pair of jeans are easily missed when checking kit before putting it in.
TexasDex • December 2, 2022 12:14 PM
The LastPass client encrypts all passwords with a key that is derived from your Primary Password. Then it hashes that key again and uses it to log into the LastPass service. So LastPass only ever has the encrypted data, and the hash of the key, not the key itself.
They don’t encrypt some parts of the data you upload, such as URLs, so that they can provide certain services, e.g. breach notification, but the passwords are pretty safe. Even if you have dumb ones like password1, they shouldn’t be vulnerable.
lurker • December 2, 2022 1:54 PM
@Winter
USB stick reliability is much like other hardware: some brands are made more reliable than others. I’ve had rapid failure from el cheapos that I bought in a hurry; and I’m still using (not on a daily basis) some reputable brand devices over 12 years old. BTW cleanly unmounting before unplugging is essential; there is one popular OS that doesn’t always succeed.
@Robin, ditto on the washing machine.
@All
Password storage? Paper, always paper. Yup, fails the washing machine test, but that’s what backups are for.
Uthor • December 2, 2022 6:01 PM
@Peter A.
“The important passwords are stored in my brain only.”
I had a disease in my brain earlier this year. It has made me remembering things really hard. I remembered my password manager password after getting out of the hospital, but somehow it slipped my mind a couple days after. I was able to do a password reset with my service. I have trouble remembering my password still, need to look at a written down one most of the time.
TL;DR: Good thing I had a backup of all that data that I could access!
Paul • December 2, 2022 10:35 PM
You can always use a self-hosted Bitwarden instance.
For me a password manager is best. I could do paper, but then I log into accounts from different locations so paper won’t work. USB drive? Nope. Won’t work if I need to log into an account on my phone (can’t connect USB drive), nor will it function at work (work laptop USB ports blocked for storage devices). Lugging a laptop with me is very inconvenient. Bitwarden on my phone works for me.
Robin • December 3, 2022 3:57 AM
@Paul. Agree. I happen to use Password Safe and for me a big plus is that it is completely self-contained, so I can have a copy on every device I use: two laptops and two phones. Yes there’s an occasional bit of manual work to keep them all synchronised but that doesn’t happen often enough to be a problem, or even a chore.
Mike D. • December 4, 2022 6:49 PM
Passwords on a USB drive doesn’t work for me since they’ve banned USB devices at work. As in “disable the usb-storage driver” bans. Some part of NIST SP800.171 compliance required it.
Clive Robinson • December 5, 2022 5:06 AM
@ Mike D., ALL,
Re : The perversity of bureaucracy.
“Passwords on a USB drive doesn’t work for me since they’ve banned… …part of NIST SP800.171 compliance required it.”
Yup that’s the way it gets…
It’s not the USB Drive that’s the actual problem, but,
1, The dumb design of certain consumer grade OS’s.
2, Certain people not upto the job.
So you end up with a,
“Security Fundemental Anti-Pattern”
Akin to tying peoples shoe laces together as a requirment.
The problem arises due to a trade between,
1, Password insecurity
2, File insecurity
Both are “human failing issues”.
Humans in general are usless at precision, but supprisingly to many good at patterns. Hence bank cards still use 4digit pins, and we can tell dogs from cats and mostly people we know from those we don’t.
On the other hand computers, or more correctly computer memory, can easily and accurately store integers so large they can encode entire films in HD without a problem on something smaller than your finger nail. As for pattern recognition even babies that are not yet able to talk are better than computers that still have trouble with telling cats from furniture.
So human mind/brain is realy realy bad at passwords which is probably the most fundemental security failing of all time. And it’s a failing you can not fix, as it’s the human mind or brain which evolution saw no advantage in making “accurate or precise” as that’s not been on the “How to avoid being lunch” list.
So if you can not fix it, you can only mitigate it, with something else.
Humans have been described as “Monkeys that invent” which is a little unfair on monkeys, and way to generous towards most humans. Who lets face it have the bad habit of thinking “deep fried twinkie” or similar is a good idea, then adding icing and sprinkles on top is going to make it the veritable summit of achievement (hence Cronuts)…
But “levers and springs do make fun things” to play with so occasionally useful things have happened and we now have technology… As a result of which along with early successes of gunpowder and adding machines, we have after a couple of thousand years “improvment” progressed to nukes and computers… Both of which are requiring “Security” that few can actually understand.
So what do humans do when they have no understanding but don’t want to admit to it?
Well historically they get all bureaucratic, blaim the “Gods” or both… and in more recent times they just blaim technology. All on the rather stupid notion of if they don’t understand it, but they go all martinet over it, then other people won’t realise they are clueless… Hence the joys of lower managment being likened to baboons climbing trees and showing way to much of their undesirable features in the process.
So back in the days before computer networking was affordable because a network card cost more than the computer it was put in. People used to carry “Magnetic Media” from machine to machine. Back then such things were large, to large to put in a pocket and in many cases a briefcase either and cost a weeks wages. So security wise they were fairly secure due to value and size.
But as with all things and age, they shrunk and got more numerous so cheaper. With the advent of the “8 inch floppy” data started to get about. As a floppy was sufficiently portable that “hand carry” or even “posting” became possible, so the advent of what later became known as “Sneaker-net” started. So named not because people “sneaked from place to place” with them, but “nerds” being students or equivalent wore “sneakers on their feet” (or “Chucky Red Tops” as seen on the “Chucky doll” for the younger readers who think “If it ain’t got no swoosh…”).
The thing about magnetic media, was unlike “Core Memory” or RAM, it was semi-mutable, thus ideal as a way to boot a computer with… Then some one who had progressed beyond levers and springs realised that as you can not see data on disks you realy could get sneaky and then it quickly became what got called a “Computer virus”. Officially the first “PC Virus” seen in the wild was “Elk Cloner” in 1982 that got around on Apple DOS 3.3 disks. It was the work of Richard Skrenta who wrote it the year before as a ninth grader in High School where Apple computers were “the nerd toys” of the day. Seven years before NSA Scientist Bob Morris’s son who is a couple of years older than Richard gained notoriety and a criminal conviction for the first wild Network Worm.
So, long ago, both “removable media” and “networks” were known to be vulnerable to “malware” run by “inside” users. But what many don’t actually think about is that “active attacking” by non users or “outsiders” is nearly always a “network attack” (though there are the so called “parking lot” attacks occasionally happening). But whilst removable media can help mitigate the insider user security issue networks can not.
So we have the oddity of removable media being banned, yet the far worse networks being OK…
The reasons for which as I’ve indicated are laziness or bureaucratic idiocy.
But as also noted humans are mostly incapable of remembering with precision much above a few digits, so can not be secure unless considerable mitigations to assist then are used.
But that bureaucratic mantra is “removable media bad, networking good” even though the evidence is very different…
I could go on in depth about this, but let’s just stick with calling it what it is a,
“Security fundemental anti-pattern”.
Subscribe to comments on this entry
Leave a comment
Sidebar photo of Bruce Schneier by Joe MacInnis.
John Tillotson • December 2, 2022 7:18 AM
Some “stuff” belongs in your possession, no matter how many “apparent” benefits you get from putting it in the cloud. Passwords in the cloud seems like such a handy idea: Log in anywhere with no effort. But your passwords get hacked and you are well and truly pwned.
Never put anything in the cloud that can really hurt you if it’s lost. Use a LOCAL password manager and make sure it uses good encryption.