LastPass "accidentally" blocked users from exporting their passwords (Password managers thread) - A potential GDPR violation in progress

Slav Power
kiwifarms.net
Joined Dec 17, 2019

According to this post, LastPass has had a whole bunch of "bugs" right after they raised their service pricing, which essentially locked people out of exporting their passwords to use in other password managers, and it has been an issue for months. It is quite obvious that this isn't some oopsie woopsie done by some Pajeet, because you cannot fuck up every possible way of getting your data out of the service like that by accident. Which brings us to the GDPR, the thing that the EU made to force corporations to give their customers clear access to the data they store. In the official regulation we can read the following:
[screenshot of the regulation text]

And as for the fines they might be facing, well:
[screenshot of the fine provisions]

So, if this goes any further and LastPass is actually proven to be fucking with the user data on purpose, they are gonna get proper fucked by the EU, which will be interesting to see.



And as for what you should actually use to manage your passwords:
BitWarden
BitWarden is essentially a replacement for services like LastPass with one major difference: it is open source, both client and server, meaning you can self-host it on your own hardware. The downside of this solution is that you need a server machine to keep your passwords in sync. It is a more modern approach in terms of the user interface and program architecture. They also offer their own servers and business plans, which should be avoided if you want to have absolute control over your passwords.
KeePass
KeePass is a more old-school approach, as it relies on creating a single file that will be your password database. Therefore you'll need to find a way to keep it in sync and keep it backed up. SyncThing combined with KeePass' built-in synchronization features and additional plugins will allow you to get your database synced between various devices, as well as to keep a backup of your database on more storage devices than one. It also has plenty of useful plugins and multiple forks for various platforms.

As a bonus, both BitWarden and KeePass (with plugins) support generation of OTP codes, as well as Steam Guard codes, making them an all-in-one authentication solution. Personally I use KeePass since it's what I've been using for many years, but I encourage everyone to read into both of those to choose the right password manager.

Remember: if you want your passwords to be safe, you will need to give up the comfort of having everything figured out for you, as that's what got people into the LastPass trap.
 
Why the fuck would you ever pay a third party to handle your passwords?
Because either managing a KeePass file, writing passwords down and keeping them in a safe, or just memorizing them is apparently too much for some people. If you can't do one of those three things you shouldn't have an account for anything.
 
As a bonus, both BitWarden and KeePass (with plugins) support generation of OTP codes, as well as Steam Guard codes, making them an all-in-one authentication solution. Personally I use KeePass since it's what I've been using for many years, but I encourage everyone to read into both of those to choose the right password manager.

I would recommend not keeping OTP codes in the same manager as your passwords. If you do this it means that in the case that your passwords database is compromised, the attacker has access to your OTP codes as well, which defeats the purpose of MFA. I suggest either having a separate file for the OTP codes with a different key (preferably a physical key as well) or just keep them on your phone. Otherwise I agree with these suggestions. Cloud SaaS apps are not your friends when it comes to privacy and data ownership. Self-host or go offline whenever possible.
 
I would recommend not keeping OTP codes in the same manager as your passwords. If you do this it means that in the case that your passwords database is compromised, the attacker has access to your OTP codes as well, which defeats the purpose of MFA. I suggest either having a separate file for the OTP codes with a different key (preferably a physical key as well) or just keep them on your phone. Otherwise I agree with these suggestions. Cloud SaaS apps are not your friends when it comes to privacy and data ownership. Self-host or go offline whenever possible.
Fair point, I guess I'll have to learn a second master password.
 
For people who want Bitwarden's paid features without having any ties to the centralized Bitwarden instance, look into BitBetter. They address the piracy issue in their FAQ: basically, they'd be fine with paying to unlock the features, but paying an equal amount for a managed hosted enterprise-level instance and a feature unlock on a self-hosted instance was too much for them. They recommend donating to open source projects that accept donations if you're concerned about that kind of thing.

I'm not sure that it would be compatible with BitBetter because of the Docker dependency, but one relatively easy way to get self-hosted Bitwarden is through Yunohost (it's called VaultWarden in their application catalog). It does require the command line at first, but you basically just go in and paste a command, set a couple of passwords, and let scripts handle the rest. Probably not the cleanest installation for just Bitwarden, but it's all trade-offs, and if this can get some people into self-hosting... And if it is enough to tempt anyone, here's a list of all the other applications you can quickly add to a Yunohost box once you've gotten past the initial command line part.

On the KeePass side of things... I heard it can integrate nicely into NextCloud with KeeWeb. Honestly don't have much to say about it other than that solutions exist to make syncing the vault across devices less painful.

E: I think I lied about yunohost I was probably thinking of cloudron

E2: nvm I'm dumb it's in there as VaultWarden
 
My suggestion is using something like VeraCrypt to make a small container file, write down all your passwords in there, and have it protected with a master password that you can memorize and is not written down absolutely anywhere. My master password has 144+ bits of entropy. Good luck figuring it out.

That's what I do. The program won't remember where your password container is stored, and you can instruct it not to leave anything of any importance in RAM. The file you make can be named anything, with any extension, and be located anywhere. If someone wanted to try and find your password container using file heuristics they won't have much luck, because the container file is indistinguishable from complete garbage in its encrypted state. It gives no indication of what it is and what is stored in it, if anything.

Furthermore, if you are among the extra paranoid, you can actually make a "false-bottom" container file. It works just like a normal container file, but also contains a second container inside of it that will allow you to store a separate set of passwords/files. When the main container is mounted it will show its own contents, but it is impossible for anyone to be able to tell that there is a hidden container inside of it with a separate set of passwords/files. So, if someone had a gun to your head and somehow knew you had a password container, you could decrypt and mount the main container, which would have passwords that are less critical that you could give them, and unless you somehow breached your opsec they would never know about the second hidden container that has the critical password files stored in it. It also works if you said you didn't keep X password in that container, but only at another location: it is more believable once you open the primary container and they can see the passwords present, but not the one they are looking for, even though it is safely hidden in the second container. The second container also has a completely separate password and encryption scheme/key, so nothing about the primary container would give them any information on how to get into the hidden second container even if they could find it.

VeraCrypt has also had its source code thoroughly audited by independent third-party experts, and besides a few low-priority items, which have since been patched, it is verified to be completely clean and functional in its encryption implementation.

The only downside to this, obviously, is the downside to any strong encryption/opsec: if you suffer a head injury and end up retarded/become demented/are murdered, all the information inside your container is truly lost forever, or until quantum computing stops being shit.
 
The company I work for uses LastPass because the retarded boomers they hire can't be bothered to manage their own passwords. I strongly suspect LastPass is only solvent because of corporate users.
 
I remember seeing LastPass shilled in articles about improving your security years and years ago, long before YouTube sponsorships, and it never made sense to me why you'd wanna trust a single solitary program to keep every single key to your kingdom. Like, I think I probably learned proper opsec practices by mentally blacklisting any kind of article about opsec that recommended password managers.
 
I just use masterpassword (aka Spectre). Doesn't rely on a server. Works on Linux and Android. Gives great passwords.
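As an added illustration of what "doesn't rely on a server" means for a masterpassword/Spectre-style tool, the following Python is not the real Spectre algorithm and not code from the thread: the namespace string, scrypt work factor, salt layout and character templates are simplified assumptions, but the structure (one scrypt-derived master key, per-site HMAC, password rebuilt from a template instead of stored) is the stateless idea the post refers to.

```python
# Simplified stateless password derivation in the spirit of masterpassword/Spectre.
# NOT the real Spectre algorithm: parameters, salt layout and templates are
# assumptions for this example. Nothing is stored; every password is recomputed.
import hashlib
import hmac
import struct

APP_SCOPE = b"example.stateless.password"  # constructed namespace string (assumption)
# Assumed templates: C/c consonants, V/v vowels, n digit, o symbol. All 14 chars long.
TEMPLATES = ["CvcvnoCvcvCvcv", "CvcvCvcvnoCvcv", "CvccnoCvcvCvcv"]
CHAR_CLASSES = {
    "C": "BCDFGHJKLMNPQRSTVWXZ", "c": "bcdfghjklmnpqrstvwxz",
    "V": "AEIOU", "v": "aeiou",
    "n": "0123456789", "o": "@&%?,=[]_:-+*$#!'^~;()/.",
}


def master_key(full_name: str, master_password: str) -> bytes:
    """Derive a 64-byte master key with scrypt. The user's name goes into the
    salt so the same password gives different keys for different people."""
    name = full_name.encode()
    salt = APP_SCOPE + struct.pack(">I", len(name)) + name
    # Work factor is lower than a real tool would use so the example runs fast.
    return hashlib.scrypt(master_password.encode(), salt=salt, n=2 ** 14, r=8,
                          p=1, maxmem=64 * 1024 * 1024, dklen=64)


def site_password(mkey: bytes, site: str, counter: int = 1) -> str:
    """Rebuild the password for `site` from the master key alone: no vault file,
    no sync server. Bumping `counter` rotates the password after a site breach."""
    s = site.encode()
    msg = APP_SCOPE + struct.pack(">I", len(s)) + s + struct.pack(">I", counter)
    seed = hmac.new(mkey, msg, hashlib.sha256).digest()  # 32 bytes, 14 are used
    template = TEMPLATES[seed[0] % len(TEMPLATES)]
    return "".join(CHAR_CLASSES[t][seed[i + 1] % len(CHAR_CLASSES[t])]
                   for i, t in enumerate(template))


if __name__ == "__main__":
    key = master_key("Alice Example", "correct horse battery staple")
    print(site_password(key, "kiwifarms.net"))
    print(site_password(key, "kiwifarms.net", counter=2))  # rotated password
```

The trade-off the scheme implies: there is no database to leak or to get locked out of, but the master password and the exact derivation parameters are the only way back to every site password.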
 