PSA: LastPass Does Not Encrypt Everything in Your Vault (hackernoon.com)
161 points by kobayashi on Jan 19, 2017 | 157 comments


I think this is NOT the case.

You are looking at intermediate data of what's stored in your decrypted blob. Yes, some things are encrypted twice in the Lastpass vault.

The contents considered "unencrypted" by the blog post are actually only accessible after your private key has been provided.

"How can Lastpass show me the Google logo?" It's shown by your Lastpass Extension, after your vault has been decrypted with your password. It's the same reason that Lastpass can show you the password saved for Google!

Notice that request has an unencrypted folder name, "Email." Those folder names are only accessible after the decryption of the entire vault.

URLs are encrypted. LastPass does not know your URLs.

I noticed the article does not include the destination URL for this request, only the parameters. So I can't make a determination as to why this request was made and who the destination server is.

I just tried adding a new site to the "Email" folder, and no requests to remote servers showed up in my Network tab.

IF the LastPass extension really does make a call to lastpass.com with this information, then, yes, there is a possibility that Lastpass can track these hashes in some separate store. But that doesn't mean that the encrypted vault blob has the unencrypted data as claimed.


LastPass does actually know URLs. After logging into LastPass.com, you can navigate to https://lastpass.com/getaccts.php (only accessible post-authentication, with a valid session cookie).

This will return an XML document with your vault data. Most of it is encrypted; however, the URL parameter is encoded as hex, in plaintext. I am able to look at all URLs. They could be storing the blob fully encrypted in a server datastore, but at some point the LastPass servers are handing the client non-encrypted URLs.
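As an added example (not LastPass code, and not a copy of a real getaccts.php response), here is a small check of the kind a practitioner would run over such a record: it tells hex-encoded readable text apart from opaque, ciphertext-like fields. The only thing taken from the comment above is that the `url` field is hex-encoded plaintext; the record layout, the `name` and `extra` attributes and their values are constructed for the example.

```python
# Added example, not LastPass code: classify each attribute of a vault record as
# hex-encoded readable text, opaque (ciphertext-like), or empty. The XML below is
# constructed for this example; only the claim that "url" is hex-encoded plaintext
# comes from the thread, everything else about the record layout is assumed.
import xml.etree.ElementTree as ET

SAMPLE_URL = "https://accounts.google.com/ServiceLogin"

# Constructed record: "name" stands in for an encrypted, base64-encoded field,
# "url" is the plaintext URL hex-encoded the way the comment above describes.
SAMPLE_XML = (
    "<response>"
    f'<account name="QUVTLUNCQy1jaXBoZXJ0ZXh0PT0=" url="{SAMPLE_URL.encode().hex()}" extra=""/>'
    "</response>"
)


def classify(value):
    """Return (kind, decoded) with kind in {"empty", "hex-text", "opaque"}.

    Heuristic: a value is "hex-text" when it is valid hex whose bytes decode to
    printable ASCII. Ciphertext normally fails at the hex step (base64 uses
    characters outside 0-9a-f) or at the ASCII step (random bytes are not text).
    """
    if value == "":
        return ("empty", None)
    try:
        raw = bytes.fromhex(value)      # rejects odd length and non-hex characters
    except ValueError:
        return ("opaque", None)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ("opaque", None)
    if text.isprintable():
        return ("hex-text", text)
    return ("opaque", None)


def audit_accounts(xml_text):
    """Run classify() over every attribute of every <account> element."""
    root = ET.fromstring(xml_text)
    return [
        {attr: classify(val) for attr, val in acct.attrib.items()}
        for acct in root.iter("account")
    ]


if __name__ == "__main__":
    for record in audit_accounts(SAMPLE_XML):
        for attr, (kind, decoded) in record.items():
            print(f"{attr:6} {kind:9} {decoded or ''}")
```

Hex is an encoding, not encryption: anything the check labels `hex-text` is readable by whoever holds the record, which is the point the comment makes about the `url` field. The heuristic is conservative rather than exact; a short ciphertext that happens to be all hex digits and decodes to printable ASCII would be misreported, so treat a `hex-text` result as a prompt to look, not as proof.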


Agreed that the vault blob almost certainly hides all of this, but the question still remains about how the logo is initially obtained. There still might be a leak to lastpass when the logo url is first requested.

And if the extension is pulling the logo from the web then there is also a leak to each site whenever it pulls (rather than to lastpass itself).

Best case scenario: the extension comes with a list of the most common logos baked into it. But if that's the case, why would it save a logo url. Hmm ...

I'm pretty sure we'll be hearing back from Lastpass on this one.


there is also a leak to each site

That's not really a leak unless you're keeping a password to some site without actually using the site and don't want the site to know you've done this. But that probably doesn't come up often in practice.


Well, sure, but any out-of-band communication is potentially a leak. If the extension pulls every logo whenever you run it (notwithstanding whatever caching is used, if any), then every site that has a logo could track when you open the extension at all. There are other potential issues here too ... like if a maliciously formed logo image could be used to crash the extension, etc.

Those aren't great examples, but any out-of-band information leak is a bad thing to have. Even if there are no known exploits now there might be future exploits that haven't been anticipated. A common issue when it comes to security.


How can the site tell you're using the extension? And so what if it does? The site can guess you're using a password manager by noticing the instant password entry. The malicious logo, that's really a problem for your browser to deal with. Using an extension to help you talk to a site you already talk to is not really a leak, given the purpose of such extensions.


A lone request for the logo image with no other simultaneous requests in the log could probably be gleaned as a lastpass extension lookup.

And again in this scenario (which we don't know if it's accurate, yet) it's pulling the image for every site with a logo whenever you browse the vault. So your IP address could be leaked to a site that you don't want to know your whereabouts at that moment.

Forensic information is forensic information. A security-conscious tool should not be increasing one's forensic footprint.


Or if you want to use one account stored in your vault from a location you don't want associated with your other service memberships?


It looks like this happens when you use the web version of Lastpass available on their website, not through the extension.

I've been able to confirm when you update a site through the web interface it makes a POST request to https://lastpass.com/show_website.php with the `url` parameter which contains the hex-encoded URL of the website. I think the author is correct about this.


> I just tried adding a new site to the "Email" folder, and no requests to remote servers showed up in my Network tab.

Well, I don't even have lastpass so I can't check, but it obviously has to be sending something when you save the new site or it isn't saving it in the cloud at all.


Back to the Metadata problem. Here's how this information could be weaponized:

NSA: LastPass, we suspect that John Smith uses your service. Give us access to John Smith's password database.

LastPass: We cannot, all of John's usernames and passwords are encrypted and we ourselves don't have the key.

NSA: Alright, then, give us the websites for which John Smith's database has credentials, and we'll subpoena each website of interest individually.

If John Smith has the known email address JohnSmith@gmail.com, it is probably safe to assume that the email is the login for at least some of the websites of interest, and they can then ask each website for info on that particular user.


Ah, good. If the NSA asks for this and I don't give it to them, I'm fucked. So they can have it. I don't want to be renditioned to Guantanamo.

Now if there was a non state-level threat, that'd be different.


Your tin foil hat is on a bit too tight.

1. The NSA already has that data: they have your home address (this is public) and can see you connect to Gmail servers at times you are normally home. We've already seen evidence this is well within the NSA's capabilities based on the Dread Pirate Roberts trial.

2. LastPass's RNG is closed source, so if your threat model includes the NSA you've already lost, as it is very reasonable the NSA knows every password LastPass could ever generate for you.

3. LastPass's encryption/decryption is ALSO closed source, so there is no reason the NSA can't just subpoena them to update your client with faulty crypto.

4. LastPass apps/browser extensions phone home once unlocked. If subpoenaed by the NSA, they can steal your password there.

Seriously if you have a threat model that includes the NSA you've already lost.


DPR had terrible OPSEC. We should all learn from his failures.

You are completely correct that any threat model that includes direct attention from the NSA is insurmountable. Even highly skilled targets like OBL are eventually defeated.


OBL seems like an odd example for "insurmountable". He was probably the target of more US gov't attention than anyone else who isn't running a country. After more than a decade of active pursuit, he was compromised by a largely non-digital security breakdown.

I agree with the general point about direct attention, but OBL seems closer to the exception than norm.


Maybe. But this would also work for any local yokel law enforcement organization. It doesn't have to be the NSA. It could be the Mayberry PD.


Regarding 1., this is not true if all your traffic goes through a VPN service.


Is there any proof that the "Concerned LastPass User" who wrote this isn't just the creator of BitWarden?

I normally don't assume astroturfing without concrete evidence, but there is no information in the post that explains why the author is anonymous and the creator of BitWarden has previously made comments without disclosing their affiliation (https://news.ycombinator.com/item?id=12754396).


Does it matter? If the claim is true, then it's a serious problem. If it's untrue, then the article is wrong. Neither one is changed if the author is a particular person.


> Does it matter?

Yes, as this seems to be an initial marketing attempt by Kyle Spearrin (the creator of Bitwarden) to unveil his own LastPass alternative while simultaneously making LastPass seem untrustworthy. Regardless of whether the issue detailed in this article is true, the following timeline cannot be ignored:

1. Bitwarden.com was registered on Nov. 16, 2015

2. The initial commit to bitwarden/core was on Dec. 8, 2015

3. Release v1.3.0 of Bitwarden is issued on Jan 16, 2017

4. A quick fix release v1.3.1 is issued on Jan 17, 2017

5. Bitwarden.com gains an SSL certificate on Jan. 17, 2017

6. This article arrives touting an unknown LastPass alternative on Jan. 18, 2017

Suspicious? I am. Especially since Kyle is the only contributor to the project, as well.


I don't see how any of that makes it matter. Given that timeline, what difference does it make whether 6 is a coincidence or written by Mr. Spearrin?


It matters because now in reality there needs to be an unaffiliated third party to confirm the issue as the current reporter may be an unreliable source.


Don't you need that anyway?


For others (LastPass for instance) to take action on it, yes. For anyone reading this, because we could be looking at an unreliable source, they might as well treat it as if they never read it at all.


It's either this guy or it's somebody else whose identity we don't know. It's an unreliable source either way.


This seems pretty thin, as evidence. It is a little bit odd that the author comments on HN about Bitwarden referring to himself in the third person and sometimes not disclosing affiliation when his product is being discussed. But he's also on this thread so we can just ask him.


Where is he on this thread?


He's posting as xxkylexx.


I see you've already asked as well, pvg. Thanks.


And it seems he is posting only a single response when he isn't ignoring important questions altogether.


It matters a little bit since, if the thing does happen to be written by someone affiliated with Bitwarden, you have a good reason to avoid both LastPass and Bitwarden.


I really don't see how this is a "serious problem".

The only thing unencrypted is the site's domain name. Who cares? Site domains are public anyways.

Definitely two opinions on this matter, I suppose. But for me, I really don't care that they don't encrypt the domain names for the sites.


Metadata matters. The NSA revelations have shown this.

For a really simple example, I guess there are quite a few people with a pornhub account in their vault. I'd guess a significant portion of those users don't want that fact to become public.


It's not just the domain name, it's the full URL. Which could contain embedded username, organizational and/or sensitive information.

FTA, which is clearly more than a domain name:

https://accounts.google.com/ServiceLogin


Domain names are public, what should not be public is the set of domain names you have accounts for.


It's fine you don't care about these things. Are you also suggesting you would prefer to be oblivious to the security of your passwords? Are you also unable to see why other people would very much care about this issue?


LastPass is so buggy, I have a draft blog post that I'm going to publish some day listing the dozens of bugs I've found. It's still the least worse cross-platform password manager (with sharing and sync features) that I've tried.

Bitwarden looks interesting, but it doesn't seem to support team features, nor does it seem to have any documentation, or even an "about us" page.


I'd either need Bitwarden to take some money or be fully open source and I have to provide the cloud storage. Being "free" but still clearly costing them real operational money (even if not much) is not something I will plan on being there in 5 years.

I don't necessarily need LastPass to be there in 5 years, since I can export and recover what I need into another manager if I need to, but I personally don't want to go into something that is set up right now to not be there in 5 years.

This is not a permanent objection forever and ever, amen. If my objections go out of date, I'd consider at least trying it.


Hi there. I'm the lead developer of bitwarden. bitwarden is currently sponsored by the Microsoft BizSpark program which covers many of our operation costs and allows us to offer services for free to our users. We are working to introduce enterprise features for businesses in the future which will allow us to monetize. For now though, everything is free for users.


Can I suggest that you explain this on the website? I visited, could see that you had a cloud sync but couldn't see how you make money and left because it didn't add up.


Of course, that BizSpark money has an expiration date and, in the meantime, you're trying to figure out a business model. I think the concern is that you don't have one today, so who knows if you'll come up with something that pays the bills down the road.


Thank you for your reply. That does help out some.

I hope you appreciate the joy of customers demanding to give you money, and what it means to your business. :)


So I decided to email them about how they are funded and this was the response :

Hi there, bitwarden is currently sponsored by the Microsoft BizSpark program which covers many of our operation costs and allows us to offer services for free to our users. We are working to introduce enterprise features for businesses in the future which will allow us to monetize. For now though, everything is free for users.

Let me know if you have any other questions.


It's like some kind of broken record...


Tell LastPass about the bugs you find. They seem to fix bugs pretty quickly once they find out about them.


he doesn't really have any, just a "draft blog post" that will be published "some day".


Here's the draft, which as you can see, isn't very polished (without the screenshots). I think you can see why I've procrastinated on it. Also, I have reported a couple of the issues to LastPass, and they've acknowledged one and fixed none.

- Clicking "Export CSV" does absolutely nothing

- If you have more than one two-factor device, it forces you to use the Yubikey, you can't log in with an alternative second factor

- Asked me to log in, and then when I logged in, it complained that I was already logged in, and forced me to log in again

- You can't have individually shared items within a shared folder

- The UI for permissions is confusing, checkboxes should grant permissions, not take them away

- Moving an item gives this error: "Sorry, this request is taking longer than normal", but the edit dialog stays as it is

- Just because you've added someone to a shared folder doesn't mean they have access to all the items, they may only have access to a whitelist or a blacklist, it's not clear which until you click through

- There's a "(none)" folder, which is confusing, as you can still select the parent folder.

- The free trial of Teams expired, but no visible effect on anything

- On Dec 21, 2016, I get this message: [screenshot]

- When you convert a folder to a shared folder, you get this message, which is not true: [screenshot]

- I get this error after sharing, even though "Shared-Email" does not exist, as I just deleted it! [screenshot]

- LastPass Android doesn't let you edit stuff offline

- LastPass browser extension prompts me for Yubikey more frequently than every 30 days, despite ticking "30 days"

- Keyboard shortcuts just don't seem to work on Firefox on macOS. Also, the help documentation doesn't mention that the defaults seem to be different.

- "Find duplicates" didn't find duplicates when one was in a shared folder and the other wasn't.

- This error message when I try to share something: [screenshot]

- When a user in the team forgets their password, they get removed from the team for some reason, without notifying admins.

- When trying to use LastPass on Safari, I get this error: "Something blocked LastPass"

- After creating a shared folder, I get this error. It's very unclear what cancel is meant to do. What it actually does is cause a spinner to appear for ages, then an error message to appear saying the "request timed out", then a folder called "Shared-Email" to be created which is empty.

- Searching for an email address simply doesn't work

- This is so confusing. My trial has ended... [screenshot]

- I changed a permission, and I got this email. What is "Super Admin Shared Folders"? [screenshot]

- When I tried to add a user to LastPass Teams, I got this error message: "error: undefined" [screenshot]

- The users have a circle next to them with a letter in the middle, representing the first letter of the email address (not the first letter of the first name!)

- It added person X, but then forgot her after she attempted to add a personal account, and none of the passwords showed up

- It forgot X's full name

- If you invite someone by accident to a LastPass team, there is no way to uninvite them, until they have accepted the invitation

- If you invite someone to join LastPass Team and they already have an account, the only way to join is by clicking on the link in the email. If the email ends up in Spam (which it did for us), you are not notified in any other way (for instance, when logging in to lastpass.com)

- If one of the admins makes another user an admin, none of the existing admins are notified


I can answer at least one of these with a link:

Super Admin - Shared Folder: https://lastpass.com/support.php?cmd=showfaq&id=8096


Clicking "Export CSV" does absolutely nothing

Works for me. Guess that draft is really not ready for prime time and your musings are at least partially FUD.


"It works for me, therefore it can possibly be broken for any other user, despite them potentially using a different OS/revision/etc" /sarcasm


To be fair though, he was replying to somebody who essentially said "it's broken for me".


I was being sarcastic. Post edited to reflect that


While I haven't used 1Password on Windows, it's come a long way in the last year or so, so that it's now a first-class cloud-based password manager with sharing, sync, and cross-platform clients, as well as the ability to belong to multiple organization-level accounts at a time (great for us serial entrepreneurs!). 1Password's Mac browser plugins actually communicate with the native client running in the background and doing the heavy lifting, which I think is a better security model as the plugins only need to worry about securing the localhost communications channel, rather than securing any data caches or doing any cryptography themselves. I've left LastPass entirely, and good riddance.


Do they have a Linux client now? I recently switched from 1Password TO Lastpass due to lack of a Linux client.


Unfortunately as of October it's not a priority for them: https://discussions.agilebits.com/discussion/66916/1password...


There is a somewhat limited-functionality Lua script [0] that will decode the vault; limited, but it works.

Wine works too.

[0]: http://www.lucianofiandesio.com/1password-in-linux


It functions well enough under wine. A native client would be lovely, but I gather they don't see it as a priority.


Not yet which is a shame. I want to use the chrome extension when on my dev machine.


Wine is not an acceptable workaround for using 1Password. Either they write and release a Linux client, or I don't pay for their service.


Then continue to enjoy a sub-standard password manager.

Edit: When the 1Password app under Wine functions better than the native LastPass app on Linux, I think it's time to rethink some priorities.


Good for you.


I really want to love LastPass, I think all the pieces are in place, the UX is underwhelming though. We have been using it at the company for years, and I agree that it feels very rickety.

Can't even begin to count the # of times it lost a newly generated password, or it failed to swap the password for a website, or didn't immediately show a password I just created until I did a full refresh, or it has opaque rules about what can be shared with teammates. Would be great if they put more focus on getting the fundamentals right before expanding the feature set.


Just to clarify: You're talking about Lastpass here? For myself, Lastpass has just been an absolutely terrible user experience, with many of the issues you're talking about. I have this obscure ritual I have to go through when generating new site passwords -- like generate one in a new tab, then go manually "add site" and input the information -- because Lastpass can't get it together.


That's exactly what I do for generating a new password.

LastPass always thinks I want to replace credentials for subdomain sites. all the time.

When I have a password saved for foo.com and then I try to save a password for bar.foo.com. LastPass, for all that is holy and good in the world, stop assuming I want to replace my password for foo.com damnit.


maybe the ui is not great, but as far as I know you are asked every time (in a not very visible way that probably defaults on replacing the previous): if I'm not mistaken if you look at the very bottom of the save dialog/page there should be a dropdown that allows you to create a new entry


Yeah, LastPass. I sometimes copy and paste the auto-generated password just in case it loses it. I've had many occasions where it would flat out drop it after I save the site and now I have to immediately password reset because the password is nowhere to be found.


Yeah, I have had the same experience. I always end up copying the generated password.


This and the respondents' experiences below have been my experience too. If they can't get the basic UX right, I doubt they got the security right (they didn't: http://lifehacker.com/lastpass-hacked-time-to-change-your-ma...) and I'm not sticking around to find out. I switched to Enpass instead.


Would love to find an alternative that works for larger teams vs being meant for one individual at a time. LastPass has that functionality, big part of why we use it.


Least worst? What are the issues with 1Password?


Pricing model

Lack of linux client (which I suspect are more likely to pay for a password management system)


Is there a Linux client now?


man, try 1password or enpass. The user experience across windows/osx/android/ios is so much better than LastPass ever was for me, and they don't host my data. Linux support is iffy and unofficial at best though.


I don't see this as much of an issue personally. I don't ever store any identifying information in urls, so it's more of a convenience to have the logos for easy navigation.

I get that they say that everything is encrypted, but really it could be a lot worse. I definitely won't be switching password managers just because of this like some people are saying.


It's a pretty huge deal if you store passwords for websites that you don't want other people to know you even have an account for. Like, say, a dissident in a politically oppressed country having an account for the US immigration website.


Well, I'd love to use something other than Lastpass but there are no other password managers that are as well integrated into chrome and that sync seamlessly.

Keepass had tons of issues on the sync side, merging incorrectly or just plain not syncing, in addition to the android app being horrible to some extent. Additionally the chrome plugin is less well written; it's not bad but not as easy to access as lastpass.

1password is still not out on linux and I have no intention of using them until they bring out a linux client.

Bitwarden looks fishy to me (audit? pricing? funding? integration?).

If the only problem with Lastpass is that they sent out the URL of the site in cleartext over an HTTPS connection, fine, have it, there is clearly worse and it's something I'm willing to accept in exchange for one of the better password managers.


Have you seen enpass? It is basically a more polished version of Keepass. https://enpass.io


enpass certainly looks interesting, the UI looks at least as polished as lastpass. I'll give it a short drive.

Thanks for sharing.


This is an issue that every password manager ever created would have if they requested information about what sites are being used.

Same information that your internet provider already has linked to you and can be retrieved with a warrant or no warrant.


> the android app being horrible to some extent.

Really? Were you using KeePassDroid? I remember that being not so great. I think Keepass2Android is excellent.


I used the K2A app which frequently was unable to enter a password or lost sync of the master database in various ways.

The LP app has been much more pleasant.


>1password is still not out on linux and I have no intention of using them until they bring out a linux client.

Why? The client functions just fine under Wine and runs better than most of the native clients that already are on Linux.


I have no intention of installing the dependencies for wine, notably the lib32 stuff.

Secondly, if they treat Linux as second class I'll treat them second class.

Lastpass even has a cli client for Linux in addition to working on all the browsers, I see no reason why 1password is doing it even remotely better.


Right. Advocating for the use of Wine here is a sign of ignorance and inexperience. Someone probably sold them on Wine when they researched installing Ubuntu alongside Windows to get their toes wet.


I have no problem with Wine if it's about running applications that sit outside a security context and are no longer being developed; most of the time I prefer to use a VM.

The problem is that using Wine tells the 1Password devs that they don't need to make a native Linux solution, that it's unnecessary since it already works.

But that is not what I want. I want a native Linux client since that reduces the number of packages on my system drastically.

Wine also has few ways to employ security measures for Linux, so if there is a problem concerning Linux and security, 1Password cannot fix it.


Yes, exactly. I'm totally on board with what you're saying.


That is incredibly pretentious of you. It works just fine under Wine and, arguably, better than the native LastPass client on Linux.


This doesn't seem like a terribly important information leak, but what gets me is that they obfuscated it by converting it to hex. Why do that?

On the one hand, it feels like they're being sneaky and trying to trick savvier users who might glance at the data to make sure it "looks encrypted". On the other hand, they have to have realized someone would notice eventually. Or maybe that's the point: if they obfuscated it well, someone would break it and they'd have egg on their faces. By just hiding it a little, they have plausible deniability that they weren't trying to obfuscate.

But any way you slice it, it seems weird.


Conversion to hex is probably to deal with characters that would require conversion if a part of the URL.


It's probably just easier to convert it to hex rather than worry about escaping characters. I've done that before.


Yeah, good point, although URL escaping is particularly easy.


Stupid question: why can't LastPass encrypt the URL as well and decrypt client-side to show the logo, like they do (as I understand it) with passwords?


The client still needs to fetch the logos from somewhere so it has to upload a list of URLs to get the logos for. They've just opted to do it when saving a password entry.


It probably wouldn't be infeasible to send the client all the logos they have. The client could then pick them out with no server interaction. There's only going to be thousands of them, tops, and probably only hundreds. Hooray, power law.

This might be modestly annoyingly resource intensive for mobile, probably not an issue for desktops.


that seems a better solution, but lastpass would still know that user_x is downloading the google.com logo.


How? The logo image request goes to google.com then, and not Lastpass, right?


I am assuming lastpass have the logos on their domain. If the request goes to google.com then it's fine as long as the referer isn't sent.


They can, I don't see why they chose the current implementation over this one, somehow this small leak can let them build a database of browsing habits and target users who use x website...hmmm


They can, probably an oversight. Hopefully once this article makes the rounds they'll reconsider.


an even better solution is who gives a shit about the logos, this a security product.


Perhaps a silly question as I do not have a lot of experience with software like this, but:

What prevents Lastpass, bitwarden or any other third party from updating their software (and/or compromising the download server) to synchronize all information unencrypted in a new version which is auto-updated by the user?

I currently use KeePassX, and synchronize this file with a secure server myself since I feel uncomfortable with having software that handles the encryption also controlling the synchronizing service.


Two fixes: 1) find an open-source one, compile it yourself, verify its behavior, install it yourself; 2) find one that works without using the network, don't approve adding network permissions ever, run it in a jail without network; on android you can deny the network permission.

This works against random software companies, but not against google.


The answer to your question: Absolutely nothing.


Lastpass is an atrocity to software. In almost a year using it (including its "Premium" version), I was unable to get their password change feature working and it was often unable to remember passwords properly. I would change the password, Lastpass would show the right password in its UI, then it would use the wrong one. This is the most basic feature of a password manager and it simply doesn't work. Their support, even for the paid version, might as well be a bot that just spits out random Lastpass "facts".

I see a ton of reviews all over the Internet claiming it's one of the best password managers, and I wonder if these reviewers and websites didn't just get paid some money to write a positive review without ever installing, let alone using the software. With the software being so shoddy, I would not trust my passwords to Lastpass even if they ended up fixing the UX. I ended up deleting my account and switching to Enpass which has worked flawlessly. On top of that, I don't have to trust Lastpass, or any shitty company like that, with my most valuable data and can sync it over WiFi, my NAS, and shared folders in addition to cloud providers (also works in Linux).


I've been using LP as a paid user for several years now, and was really annoyed when they were absorbed by LogMeIn. My main issue is this: while there are several alternatives to LP, there don't seem to be as many which have the same or similar features while ALSO integrating YubiKey's OTP functions. I bought a YubiKey because of LastPass, and slowly integrated it into my workflows. I really like it as a second factor, and the additional capabilities (such as storing secrets for TOTP, etc.) make it nearly indispensable.

Last I checked (over a year ago), 1Password wasn't terribly interested in adding it as a feature, and while there was a KeePass extension which implemented HOTP-based 2nd factor, I never got it to work reliably. Is there ANY service which integrates the YubiKey as well as LP does? I'm more tied to that than I am to LP.

Unrelated to the initial post, but here's a recent LP annoyance: on January 9, LP pushed an update to the Chrome extension which broke the version 3.0 view (which looked like a filesystem), forcing users to move to their 4.0 view if they wanted to use the extension. According to a user commenting on the support tab in the Chrome store, "you deleted the min.js file from your extension but your lastpass version 3 view still needs this file. cant even manually copy it back because chrome then thinks its malware. keep up the good work!"

I can't speak to the veracity of the comment, but LP's forum was pretty active, and admins essentially said "don't use 3.0" as a fix. Support tickets mentioned they were aware of the issue, but not much else. To be fair, LP did say they would eventually deprecate the 3.0 view, but there was little communication about the recent update, making it seem like they don't really give a shit. I don't like their 4.0 view; it's less efficient, and more interested in making things look pretty.


As someone who's worked in this domain, I found this very poorly handled. The obvious, privacy-conscious solution would be to embed all logos in the client, but this can be unfeasible on the web, depending on the quantity of data. In practice, maybe sacrificing a couple of MB for a one time download isn't such a bad trade-off for privacy (and this will only happen for logged-in users who visit their vault).

However, if we want to trade off _some_, but not all privacy (in terms of what logins a vault contains), I can think of a naive obfuscation scheme where random domains are added to a login alongside the real one. Here's how that could work:

    Preprocessing
    * assign an order to the logos and hence numerical IDs
    * pick a hash function (URL / site name) => ID

    User adds a new login:
    * is the URL recognized (e.g. accounts.google.com) i.e. do we have a logo for it?
    * if yes, obtain its ID e.g. 1
    * get N more random IDs e.g. 14, 124, 144
    * save all of them as the login's metadata e.g. "logo_cache:1,14,124,144"

    User requests logins (and hence needs logos):
    * compute (and cache) the list of IDs of logos needed (M entries x N logo IDs each, deduped)
    * pack and send the logos (hopefully a much smaller subset than all logos)
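A worked version of the decoy-ID scheme sketched above, written in Python as an added illustration; it is not code from the commenter, from LastPass, or from any password manager. The logo catalogue (`KNOWN_HOSTS`), the `logo_cache:` metadata format and the function names are assumptions made for the example. One detail the sketch leaves implicit is handled here: the IDs are sorted before they are stored, because if the real ID were always written first (as in the sketch's `1,14,124,144`) the ordering alone would reveal it, and the decoys are persisted in the login's metadata so the same set is sent on every request rather than re-rolled each time.

```python
"""Decoy-ID logo fetching: a login's real logo ID is stored alongside N random
decoy IDs, so a server handing out logos only learns a candidate set per login.
Added example; the catalogue and metadata format are assumptions."""
import random
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed catalogue (assumption): the client ships an ordered list of
# recognised hostnames and a logo's numeric ID is simply its index in the list.
# A few real-looking names plus synthetic filler give a realistically large ID space.
KNOWN_HOSTS: List[str] = ["accounts.google.com", "github.com", "login.live.com",
                          "www.amazon.com", "twitter.com", "www.facebook.com"]
KNOWN_HOSTS += [f"site{i}.example" for i in range(len(KNOWN_HOSTS), 500)]
HOST_TO_ID = {host: idx for idx, host in enumerate(KNOWN_HOSTS)}

METADATA_PREFIX = "logo_cache:"  # assumed field name, after the sketch above


def logo_id_for(url: str) -> Optional[int]:
    """The sketch's '(URL / site name) => ID' step: a deterministic lookup by hostname.
    Returns None when no logo is known for the site."""
    if "://" not in url:          # allow bare hostnames such as "github.com"
        url = "//" + url
    host = (urlsplit(url).hostname or "").lower()
    return HOST_TO_ID.get(host)


def make_logo_metadata(url: str, n_decoys: int = 3,
                       rng: Optional[random.Random] = None) -> Optional[str]:
    """Run when a login is added: real ID plus n_decoys random other IDs, stored sorted.
    Sorting matters: a fixed 'real one first' layout would leak which ID is real."""
    rng = rng or random.SystemRandom()
    real = logo_id_for(url)
    if real is None:
        return None               # no logo, so nothing to obfuscate
    pool = [i for i in range(len(KNOWN_HOSTS)) if i != real]
    ids = sorted([real] + rng.sample(pool, n_decoys))
    return METADATA_PREFIX + ",".join(str(i) for i in ids)


def parse_logo_metadata(meta: str) -> List[int]:
    """Read the stored ID list back; the stored set is reused on every request so
    repeated requests cannot be intersected to single out the real ID."""
    if not meta.startswith(METADATA_PREFIX):
        raise ValueError("not logo metadata")
    return [int(x) for x in meta[len(METADATA_PREFIX):].split(",") if x]


def logo_request(metadata_entries: List[str]) -> List[int]:
    """The 'user requests logins' step: union of all stored IDs over M logins, deduped."""
    needed = set()
    for meta in metadata_entries:
        needed.update(parse_logo_metadata(meta))
    return sorted(needed)


def candidate_hosts(meta: str) -> List[str]:
    """What an observer of one login's metadata can conclude: the real site is one of these."""
    return [KNOWN_HOSTS[i] for i in parse_logo_metadata(meta)]


if __name__ == "__main__":
    vault = [make_logo_metadata(u) for u in
             ["https://accounts.google.com/signin", "github.com", "https://unknown.invalid/login"]]
    vault = [m for m in vault if m is not None]      # logins without a logo store nothing
    for m in vault:
        print(m, "->", candidate_hosts(m))
    ids = logo_request(vault)
    print(f"request {len(ids)} of {len(KNOWN_HOSTS)} logos: {ids}")
```

With three decoys, each login's metadata names four equally plausible sites, and the request for M logins carries at most 4M logo IDs out of the whole catalogue, which is the "much smaller subset" the sketch is after. The trade-off is visible in `candidate_hosts`: the server still learns a short list per login, so this is weaker than shipping every logo in the client.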


It's really weird that the URL parameter is encoded as hex. Is this some attempt to hide it, or just a lazy programmer not wanting to call an escape function?


I got a license for 1Password Families in a Humble Bundle recently and have been seriously considering making the switch from LastPass. The LastPass Chrome extension gets disabled on me once or twice a week and has become a real annoyance. The only thing holding me back is the ongoing pricing for 1Password is 5x more than LastPass.


I'm an ancient Lastpass user too. But I don't think the unencrypted URL worries me.

If any 3-letter agency wants my history, they can just visit anyone in between me and the URL.

My browser has my browsing history. My ISP has my browsing history. DNS resolvers have my browsing history. CDNs have my browsing history. Proxies/VPNs have my browsing history (some of which claim they don't log at all).

Basically browsing history is too accessible to anyone. If you are using a network that isn't managed by you, they have your browsing history too. (McD, Starbucks, etc)

And lastly, as others and Lastpass have commented, your whole pile of encrypted data is encrypted together and sent to Lastpass. Did you try to read your Wireshark capture?


I really like a lot of the features of LastPass... works across devices, has groups with sharing options for teams, security audit and summary, auto updates (on some sites), 2FA, and the dead man's switch is nice...

I haven't found any other services that work as well for teams with features like this. I've tried 1Password and some others and found their team sharing options lacking.

Curious what other teams are using -- not just personal password managers but tools you can use successfully over an entire organization.


I've heard many bad things about LastPass - and this is just the cherry on top. I highly recommend 1Password to everyone. I've been using it for about 2-3 years now and it's been absolutely flawless. Yes, it doesn't have a Linux client, but that's literally the only "drawback" I can think of. As a developer who uses a Mac, the only time I'm on Linux is when I'm SSH'd into a server.


It does run just fine in Wine, though. I've got an Ubuntu box that's been running it with Dropbox and it syncs and runs just as well as my Mac version.


And for a developer who uses Linux desktop for development every day, this is a no-go.


I ditched LastPass after LogMeIn acquired them. With all of the bad press that company has had over the years it was enough for me to move on.

For the most part I am happy with Dashlane and pay for it annually. Sometimes when Chrome or Firefox update it takes a while to load the browser plug-in. Other than that I have few complaints.

Anyone else use Dashlane or something similar, other than LastPass?


I had the same reaction when I saw the Google logo in my vault: "how do they know?"


The vault is a local extension. It does not run off lastpass.com, unless you actually log into the website-based online vault.


Good point. I rarely, if ever, use the website.


Anyone have recommendation for replacing Lastpass? I need support for Android, Linux, and Windows. I would like to be in control of my data if possible (sync to cloud) and a nice to have would be a browser extension for autocomplete.


KeePass, it's well supported on mobile platforms and has decent browser addons.

Looks like their Argon2/ChaCha20 based KDBX4 format is now out too, so I've got some upgrading to do.


KeePass doesn't have sync or sharing features.


Sync is easily achievable, I use Syncthing to go between my phone, dev server and desktop. Other options are the usual suspects, Dropbox, BT Sync, etc.

As for sharing - yeah, you probably lose that. Well, unless you sync a separate DB or something.


You can easily use it in conjunction with drop box or any other file sync program.


Yes it does, you just have to run your own server.

http://keepass.info/help/v2/sync.html


It isn't difficult to share a database file for KeePass and you could easily set up a sync interface for it with GitHub.


I put my keepass in a veracrypt container and sync it over dropbox, then you can retrieve it on your phone.


That's a tad on the paranoid side since KeePass already encrypts it. If you're using the latest version which has significantly improved the encryption you should have a very good margin of security.


It's a bit of extra work to get my passwords but my entire "internet identity" is stored there so I don't mind the paranoid security.


KeePassX - I've been using it for years now. I just put the database on my Dropbox. Quick, convenient, and most importantly for me, always in my own hands.


I've used KeePassX for offline/cold storage for years. I like KeePassX so much I wrote a YubiKey extension [0] years ago but it was never merged. I assume the maintainer wasn't interested, never responded, but allowed the discussion to continue. Turns out this was more the norm than the exception; I assume the maintainer was too busy or lost energy/interest in maintaining what became a big project.

Years later KeePassXC[1] was forked and is slowly growing.

[0] https://github.com/keepassx/keepassx/pull/52

[1] https://github.com/keepassxreboot/keepassxc


With a key file stored outside of dropbox, for a bit more security. Requires an extra step of manually copying the file to each device but it seems worth it to me.


The article mentions https://bitwarden.com/. I haven't tried it but on a quick glance it seems to match most of your requirements.


I don't really trust "free" cloud services. Hosting has a cost, if they aren't charging to get that money, how else are they going about getting it?


Hi, I am the lead developer of bitwarden. bitwarden is currently sponsored by the Microsoft BizSpark program which covers many of our operation costs and allows us to offer services for free to our users. We are working to introduce enterprise features for businesses in the future which will allow us to monetize. For now though, everything is free for users.


Why has the issue to remove analytics been closed on the project's GH without the change being implemented? https://github.com/bitwarden/browser/issues/27


He says it's implemented, but I couldn't find the option.


Did you or someone affiliated with Bitwarden write the posted article?


Totally. Plus, the creator of BitWarden has been shown to try and sneak egregious things by people, for example Google Analytics inside BitWarden [0].

[0] https://news.ycombinator.com/item?id=12676979


Indeed. There Is Always A Business Model, there is no such thing as a free service online.


Codebook by Zetetic, going strong since 1998. Uses an open-source extension to SQLite for encryption.

https://www.zetetic.net/codebook/

https://www.zetetic.net/sqlcipher/


That one is also missing Linux support.


I use Password Safe. Clients for many platforms. Only drawback for me is that the iOS client does not support ownCloud for syncing.


If they have access to URLs that's even worse than it seems. The URLs are often registration form URLs and can have secret data as URL parameters.

LastPass needs to comment on this. It looks pretty bad.


The (otherwise excellent) Password Store program effectively does the same thing.

Folks, encrypt _everything_. Anything less is profoundly foolish.


I have a question to all the hackers here about personal identity managers and UX. There are projects to decentralize personal identity and move away from passwords, such as Solid (https://solid.mit.edu) and our own project, Qbix (https://qbix.com/platform).

The WeChat article recently posted shows one major thing about user behavior and UX architecture. Users actually prefer to have one APP on their phone representing their social identity, have all their notifications, contacts, etc. from all different communities in the app.

So this probably means that the "personal identity server" should have some default protocol to receive notifications (encrypted with user's public key) and an APP for iOS and Android. The server would have rules for processing notifications and may notify the user (eg it may stop after the first 5 or set do not disturb where only the badge updates). Upon opening the app the user would see all the notifications from all the other services (they would be fetched and decrypted). And those notifications may contain deep-links back into flows that generated the notifications, eg a chat.

What is also nice is if you can have these rules be general purpose hooks that run on the client in some isolated JS environment. Then for example you can update the list of ids that a user's contacts have on different services (if you have pairwise anonymity) in the background. And next time you visit a website the auth extension/library/app can offer to connect you with those people on that website.

I think the Personal App should display badges corresponding to the # of websites that have caused notifications, not the # of notifications. The latter should appear only when you open the app and see the list of relying party websites. Then each website can have a # of notifications next to it and they can be sorted eg by most recent or most urgent notifications.

Last thing - by having a personal APP I have a feeling that it would also be tied in with payments in the future. Identity service is becoming tied with payments (to prevent fraud, China now ties the two together more than any other country and cash is disappearing). So the Personal App could in the future have some standard for attaching payment methods and using them without giving the relying party anything except tokens representing payment plans the user agreed to (like Stripe does).

In this way, even though payments are increasingly tied to identity - which may lead to fascism - we can empower local communities to control the identity and maybe in the future even issue their own money on their own credit! This may help finance loans for poor people in India etc. (already shown that having a large group guarantee loans works better for everyone due to social factors etc.) and pull people out of poverty faster. @mediaprophet what do you think of these points about integrating payments inside identity App in the future?

(By the way I say community because you may host your own data AND your own identity on your own server but when it comes to reputation and payments, there has to be some others who give you this value. Maybe it will not be communities. Maybe it will be completely distributed with no centers. But so far in history, wealth and reputation and power have always found a way to concentrate themselves at least a little.)


What's wrong with Chrome's built-in password manager nowadays?


Anyone with access to your computer can look at the plaintext passwords in Chrome just by going to settings > passwords > show.

It's been a long-standing dispute... Chrome says "if people have physical access, security is broken anyway." But that's because they refuse to acknowledge the lesser threat model; "A non-tech savvy friend or family member borrowing my computer for 20 min" -or- "my computer gets stolen from my desk while I was logged in... and now they have access to all chrome passwords in plaintext."

It's infuriating. Wish they'd fix that, even if it's a superficial fix.


Not on Windows. On Windows it requires your Windows password to unlock your passwords.

Actually, I think it does that on Mac OS too.

Don't know about Linux, since I haven't tried it.


It has support for Gnome Keyring or KWallet (IIRC, default is `--password-store=detect`). If you're using either, then it's the same.


Yes, it's using the gnome-keyring which requires unlocking. How is this less secure than using LastPass or KeePass?


Hasn't this changed in recent versions with the move to google smart lock?


The advantages of using a password manager:
- Password generation
- Safe from Google
- Safety when Google account is compromised (and physical access)
- Non-password encryption

When using a non-cloud solution (e.g. KeePass, local 1Password installation):
- Auditable and specified encryption: I know how my passwords are encrypted. I can check this by actually decrypting and finding my passwords
- No automatic updates. You can't force an update to my client that breaks security.


It has a much smaller feature set than any of the full fledged password managers.


But no additional attack surface either.


Yes and no. There's malware out there that can get credentials from browser password stores. So, I agree that an external password manager introduces an additional attack surface, but it partially removes one as well.


The article is 504'ing

Did they delete it?


Medium is having issues: https://medium.statuspage.io/


"I wonder what the Federal Trade Commission thinks about that claim"

Would be my reply to the email, coupled with my demands.



