The first paragraph very nearly lost me – irrational, rage bait, directly contradicts later stated facts – but there’s some good content later. The chief complaint seems to be that LastPass is not forcing this upgrade, they are just blast emailing unaffected people that they “forced” it while not actually doing so. And they’ve pulled similar stunts in the past, and in current communication seem to clearly be blaming users for their weak settings and passwords while erasing the fact that LastPass chose the settings, ok’d the passwords, botched the upgrade, and still hasn’t fixed most of their mistakes.
Everybody with a clue knows LastPass is a lost cause, but what’s more interesting to me is how we can generalize the lessons we’re learning here. I’d propose that user blaming in general is evidence of bad tech and magical thinking around it, and that points a finger at some very interesting targets.
it takes a bit more than 10 minutes to convince my family to also migrate their passwords and re-figure out how to use it when all their life they used the same password for everything.
Can someone explain to me what is the advantage of using something like LastPass over simply the in-built password manager that Firefox or other browsers have? I know that LastPass can be used for desktop applications too, but if you are only using a password for the web, is LastPass offering anything more than the in-built browser password manager?
Also doesn’t support recovery questions. As someone who generally enjoys safari, the password manager could use some love. Integration across devices is good though.
Downside of Firefox Sync for password management is indeed its lack of iOS app integration. Sadly, I suspect it is Apple making it impossible to compete.
Upside is that it also syncs to my Firefox on Linux, which Apple’s doesn’t.
credentials/certificates/keys/data storage, secure sharing etc. Pretty much anything that's more complex than single user username + password doesn't seem to be served by the current built-in managers.
A lot of these require deeper system integration, and this is not, in my experience, cross-platform. I’d rather have to drag my SSH/VPN keys and certs around manually, and have basic password management working across iOS, MacOS and Linux.
>>> KrebsOnSecurity last month interviewed a victim who recently saw more than three million dollars worth of cryptocurrency siphoned from his account. That user signed up with LastPass nearly a decade ago, stored their cryptocurrency seed phrase there, and yet never changed his master password — which was just eight characters. Nor was he ever forced to improve his master password.
This does fascinate me. How many people who have won the crypto-lottery like that still keep invested? Is most of the crypto gain unrealised so far? Or most of it been drained out?
The more early someone was in mining or buying Bitcoin, the greater the possibility that they believe in Bitcoin in and of itself.
I.e. to someone who was early into Bitcoin, they might wish to never sell off all of their BTC.
And besides, even if you wanted to sell off your Bitcoins, there are a number of things to consider:
- Taxes. Why sell millions of USD worth of Bitcoin now, and pay taxes on all of it today? Possibly better in some situations to sell enough to live comfortably for a few years, and then sell more later when you need to again.
- What are you gonna do with the money instead? Put it in stocks? Buy a bunch of houses?
This is a classic issue with money. What do you do if you're Taylor Swift? You're a 750 millionaire, with the next couple 100 on the way from this tour.
Whelp, spent the first 50 on a house all humans will drool over. Got the compulsory car. Got the compulsory jet. Got the compulsory yacht (not quite as large as Bezos' (ehmm, banana?) that could not leave its construction port). [1]
And with the other 600 million? Private air force? [2] Air craft carrier for your private air force? Or you end up like every wealthy human, dumping your money into real estate so that you can buy 1000 houses for every normal human, and completely "disrupt" the housing market.
Use it to give people jobs. Open up restaurants and build schools and hospitals. Help friends start their own businesses, stimulate the economy. Tony Hseih, RIP, didn't have a private air force, but he made downtown Vegas. Someone's already started an electric car company, and built a rocket company to go to Mars, so that's been done, but there's just so much out there. Rhianna's got her clothing line for people who aren't models. Cars and mansions are boring.
There's a risk of "dragon sickness" (from The Hobbit) and conflating one's self-worth with their financial value; I feel for these folks, and support regulation that would make it increasingly difficult to amass money beyond a certain point (basic needs being well met and all that), along with psychological help (not in a pejorative way- I am a beneficiary of therapy and medication and I don't feel lesser for it).
Generally agree. Had the same thought. However, related to this comment and @fragmede's response, is that wealth is strong correlated in human society with power, influence, celebrity ... and more wealth.
People quite literally just hand money to people who already have money. I have sat in a room, and watched someone nearby check their phone and say "There's a minor wealthy celebrity nearby! We all need to go and buy tickets to the stadium! We might see or meet them!"
I went to Dragon Con a few years ago, and people were willing to stand in line all Dragon Con, their entire weekend experience, to see a wealthy famous person. I'd go play games, go out, and see the people move in the line slightly. All weekend. Stretched all the way around the entire block and down the street. Wasn't even "that" famous (supporting movie character).
> The more early someone was in mining or buying Bitcoin, the greater the possibility that they believe in Bitcoin in and of itself.
Citation needed. I got into bitcoin back when mining on your CPU was actually a reasonable thing to do. I tried selling it when it was worth about $50, only for mtgox to promptly fold.
Suffice to say I firmly believe bitcoin isn't really a solution to anything.
Of course anecdote does not data make, but neither does an unsourced claim.
I wonder how many people heard of Bitcoin very early in its creation, mined a few "just for fun", and then forgot about them or even deleted them when they thought it wouldn't amount to anything.
2009-ish I remember finding an online wallet that would just give you half a bitcoin for making an account. Intended to look into bitcoin some more but just forgot about it until years later when it had gone up like 1000x or more and was just like "aaaghhhh dammit"...
I’m fascinated by crypto lottery winners, too. The only person I know personally who did very well and exited on top did so for environmental guilt reasons: He became too opposed to the environmental effects of BitCoin’s energy consumption to feel okay about hanging on to it. Cashing out at the top was just a coincidence.
The other crypto lottery winners I know (those who have admitted it, anyway) gave up a lot of their winnings either by doubling down in BitCoin at the highs or by gambling on altcoins in the hopes of a repeat. They started as believers and their early winnings only galvanized their confidence. After that, they were dumping their cash into crypto at every opportunity because they thought it was going to make them supremely wealthy.
I "won" the crypto lottery and got a 100x return... which means that I sold many years before the peak and made $2000. There's people who timed things much better than I did, but if you'd held on past a 10,000x you're probably going to keep holding.
Or not realize they have a terrible password. The thing I notice is not all services allow spaces. A sentence of regular dictionary words has proven a good password for a long while otherwise.
I still hold ~1M US worth of crypto all together, which is roughly the majority of my net worth. Been in since early days. If I'd guess I've probably "realized" (sold/used for payment for non-crypto goods or services) ~20~30k$ or so over the years? I still donate here and there and use it for payment for goods and services when I can.
I probably lost at least another ~1M$ worth (not projected: at the time. it sucks but you move on) through completely preventable ways when acting agains my own better knowledge. Check. Your. Backups. 3-2-1.
I made great "second-order-gains" from my dabbling in crypto I guess you can say, since I made a decent career in the crypto industry. Most people I know in the industry personally who have been around for as long are still invested to various degrees and defi people gonna defi.
I'd probably balance my portfolio more towards real-estate, commodities and maybe stocks if I'd be smart about it but I have enough of anxiety around taxes that I'm postponing doing anything that means having to file paperwork or that may be illegal. No accounts on exchanges. If it really comes down to it I guess I'd had to consider changing countries if my country of residence becomes hostile enough that using my crypto becomess untenable. I'm still very much a "true believer".
1. You said fear of taxes - have you spoken to an accountant? I understand it's capital gains.
2. What's your view on why the price went up and stays up-ish? Speculation? Funnel for money laundering?
3. What's "believing"? If central banks all published their own coins does that solve the problem of native digital cash? or is this money without fiat type of thing (I am sorry for strange questions - I am sure there are places to dig this up online but it's only what I can glean from around)
Add: Realized I def sold more than $30k when I consider I basically lived off cash I got through localbitcoins and similar for a few years. Meeting up random people at coffee shops etc.
Isn’t the market cap of, say, Bitcoin high enough that selling a few mil USD worth shouldn’t really impact it? But maybe the trading volume is too low.
It’s hard to say how much of that are “real” trades, bots can have minimal liquidity but a huge trading volume.
Satoshi is in theory holding onto ~25 billion in coins. Trying to cash that out would however absolutely tank the current valuations.
But that’s hardly the only major risk. Bulgaria has something like 213,000 bitcoin worth nominally 5 billion or so and no particular interest in bitcoin, but trying to cash that out is again problematic.
I'm just saying $3 million doesn't do much to the price. If someone suddenly cashes out several thousand times that much, then sure, price will crash.
I've personally watched sell pressure on Coinbase in the multi-million range get executed over the course of a few minutes, with only a modest temporary effect on the price.
Yes, if the benchmark is 3 million then most of the time it’s inconsequential but there’s much larger wallets susceptible to being pillaged and I would expect a significantly larger impact from even just 30 million. Further liquidity isn’t a steady state. So, if you happen to execute a significant trade at the wrong time you can trigger a surprisingly large cascade effect.
Which is why very large transactions frequently occur either outside of open markets or across a surprisingly long period.
Choosing a good key derivation function has always been critical to making passwords work. I guess lastpass didn't do that.
I have not benchmarked these recently, but I fear that they had to compromise # of iterations to give "2012 low-end Android device" some chance of ever being able to unlock their vault. As a result, everyone else is vulnerable. Adding icing on the cake is leaking everyone's encrypted vault. Whoops!
KDFs only add 10-20 bits of security in terms of attack costs, there's only so much you can do to make 8 character passwords safe.
If you control the parameters you can improve that boundary-- say, FDE with a KDF that uses 8GB of RAM and 10 seconds to compute-- but consumer products are limited.
> Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people
Such as…
> That user signed up with LastPass nearly a decade ago, stored their cryptocurrency seed phrase there, and yet never changed his master password — which was just eight characters.
I don’t want to victim blame and I agree with the anti-LastPass sentiments. I just find it amusing that Krebs keeps trotting out the “security conscious“ victims with 8 character master passwords.
As somebody that has been using lastpass for many years and continues to do so… I just do not understand how people who pick weak master passwords complain about this.
The lastpass documentation makes clear over and over that your entire DB can be compromised but as long as they don’t have the master password, you are safe. How people do not think one step past this and realize they need a very secure master password is beyond me.
And yes I know there will be a host of comments telling me they are in the password business so they need better something and guides and whatever, fine. But for anybody with the slightest bit of common sense, lastpass was and still is secure and lived up to their promise.
You’re right to a point, but there’s a world of difference in ways you can store a password. If their algorithm were a single round of MD5, it’s going to be a lot easier for an attacker to guess a password than if they were using Argon2.
I don’t think LastPass is using MD5, but my point is that their job is to make any master password harder to guess. They’re not doing it.
You are overestimating the technical ability of users by orders of magnitude. Even people who are nominally "experts" in one technical area at least adjacent to computing who are completely useless outside of the most basic thing. Running a business or a project implies dealing with people as they actually are not as we might hope they could be.
The whole approach that LastPass uses of only encrypting the vault with the master password is just bad security - it really doesn't matter how many rounds of a key derivation algorithm they use.
The 1Password approach provides much better security. The vault is protected with the master password together with a long randomly generated string. That random string is saved on device on first login, so subsequent decryptions just require the master password. Logging in on new devices require this "account key", but the added security of having a completely uncrackable encrypted vault, regardless of the entropy in the master password, is very much worth it.
Serious question - I've never used 1Password - what happens if you only ever use one device and that device becomes permanently unavailable for some reason (stolen, destroyed, etc)?
But you are absolutely correct, if you lose your device and the Emergency Kit you're SOL. It reality, though, that is mitigated by the fact that:
1. I think it's probably pretty rare to install 1P on only a single device, as the biggest benefit of any hosted password manager is syncing. I think the vast majority of people will install it at least on their phone and a laptop/PC.
2. I think the user experience for setting up the Emergency Kit is done well and most people are likely to do it.
A little while back I created a completely frontend-only (to the best of my knowledge) complex password generator in Codepen, maybe someone else can find it useful (or fork it and make it better).
Is there any reason NOT to set the number of iterations/hashes as high as reasonable by default? From an end-user standpoint, it might take an extra second or two vs 0.1 seconds, but then you've increased the brute force time needed by ten.
The most efficient way to brute force "Horse Gone Barn Bolted" would be with a minimal dictionary attack, say the most common 2000 words, plus s ed *ing variants. you're still looking at 1+ quadrillion combinations for that password, not including spaces.
That can't be that fast assuming a slower hashing algorithm, right?
-non crypto person's wild guess
1Password does it right: Everyone's master password is augmented with a big randomly generated "Secret Key" that is stored (only) on their machine.
Even if their entire database was leaked, the Secret Key guarantees a good minimum password strength.
(The main drawback is that the user now needs to save this Secret Key or get locked out forever. But it's less sensitive than the master passphrase, since it's mainly designed to protect against this mass-leak scenario.)
I never believed I could recover all my funds back to my wallet, my colleague introduced a professional hacker to me ADRAIN LAMO HACKER AGENCY, and this hacker recovered the $766,000 that was stolen from me by these online scammers. ADRIAN LAMO HACKER AGENCY recovered all my funds within 24 hours. If you’re a victim I do advise you to consult These professional hacker via email: Adrianlamo@consultant.com
Agreed: combined with Syncthing for making it accessible on my devices (which plays nicely with Keepass2Android Offline edition).
Then handle backups with a cloud provider of your choice + additional encryption (basic rule I've been happy to see validated: never upload personal files to the cloud without encryption, after the whole Google content scanning debacle).
“For example, another important default setting in LastPass is the number of “iterations,” or how many times your master password is run through the company’s encryption routines”
If you are complaining about the idea of iterating a hash multiple times, this is actually a fairly standard construction to increase the cpu cost of brute forcing hashes.
Ok I googled. I guess it makes sense as it helps to protect against pre-hashed rainbow tables or dictionary attacks by making them more computationally expensive.
Usually people use salt to protect against rainbow tables.
Iterating a hash function (e.g . PBKDF2) is most just a way to make hashing take longer. Since attackers have to make very many gueses (while legit users only have to hash the password once), increasing each guess by a few seconds can really slow things down.
However in modern apps they usually try to use more complex constructions like argon2 to make it so you cant use GPUs to do lots of guesses at once.
Everybody with a clue knows LastPass is a lost cause, but what’s more interesting to me is how we can generalize the lessons we’re learning here. I’d propose that user blaming in general is evidence of bad tech and magical thinking around it, and that points a finger at some very interesting targets.