"Collectively, we lose more than 10,300 hours per year retrieving lost passwords."
July 11, 2010 8:55 PM

LastPass is the last password manager you'll ever need. Available on almost all common platforms, it's easy to use, and free.

When it detects that you're keying in a new password for a website, it will offer to generate a very secure password for you. And then it will remember it for you, storing it securely, online, so you don't have to worry about synchronizing different devices with your newest logins. And it automatically fills in saved log-ins and forms with the click of a button.
posted by crunchland (72 comments total) 26 users marked this as a favorite
 
I just use a system that ensures I have a different password for each website, while still being easy to remember.

I tried KeePass in the past, but did not find it to be convenient.
posted by reenum at 9:02 PM on July 11, 2010


I'm not sure if this is a double or not, exactly. But I think the post would be better served by listing some alternatives as well. My problem with LastPass is that you're trusting someone else to store your passwords securely, although it's probably a better approach than what most people do.

I like to use local programs for this - KeePass, eWallet, etc - and sync the password files with a file sync service like Dropbox, Mozy, Jungle Disk. I can even keep them synced with my phone.
posted by me & my monkey at 9:05 PM on July 11, 2010 [1 favorite]


1password is what I use, works well with macs/windows/iOS
posted by TimeDoctor at 9:09 PM on July 11, 2010 [6 favorites]


I find the idea of trusting 3rd party website hosts with my passwords a very silly idea. I have to trust that they're magically able to write the world's first bug-free program, because that place has "hack me" written all over it.

Same goes for Mefi favorite banking tool, Mint.com. Insanity.
posted by pwnguin at 9:17 PM on July 11, 2010 [16 favorites]


Is nobody going to stick up for LastPass?

The reason I ask this is because I was a devoted 1Password user until I got a Windows machine to work alongside my Mac, and there wasn't - at the time - a Windows version of 1Password. LastPass was the most convenient alternative, although of late I've been having qualms about this because of security concerns.

Now that this thread has informed me that there is now a 1Password client for Windows, I'll probably just go back to it. Thanks.
posted by WalterMitty at 9:21 PM on July 11, 2010


Love 1password. I also keep my 1p file in my dropbox which works out very nicely.
posted by special-k at 9:22 PM on July 11, 2010 [1 favorite]


Passpack.com
posted by blue_beetle at 9:26 PM on July 11, 2010


Same goes for Mefi favorite banking tool, Mint.com. Insanity.

Do you access bank services online? Why couldn't your bank's website get hacked and all your info compromised? Mint uses the same bank level security and one mefite who works there outlines how little risk there is even if someone were to get a hold of your user/pass.
posted by special-k at 9:28 PM on July 11, 2010 [1 favorite]


1Password is fantastic for the above reason already described.

-Not just a well-designed program, but the auto form filler and save functions are fantastic. It intelligently detects when you're submitting a login and offers to remember it, and will put out the right login for you on any given page with a keystroke.

-The syncing with Dropbox works flawlessly on multiple computers

-The iPhone component also syncs and works with sort of a hack w/ the MobileSafari browser

-Local storage means the data stays with you

No relation to the developer at all, just found it to be a uniquely useful piece of software.
posted by artificialard at 9:30 PM on July 11, 2010 [3 favorites]


I just use a system that ensures I have a different password for each website, while still being easy to remember.

Considering that criteria for acceptable passwords can be quite varied among different websites and can often directly conflict with one another (i.e. certain websites require using at least one special character in the body of the password, while some will only accept the characters A-z & 0-9, etc.), this might not always work.
posted by Throw away your common sense and get an afro! at 9:47 PM on July 11, 2010


First, they're storing my passwords on their server? How do I know they won't use them illicitly? Second, they're generating the passwords for me, and if I don't write them down, and if their server goes away for some reason, then I'm locked out of everything, right?

Thanks, but no thanks. Don't need, don't want.

And why does this post read like an advertisement? I was hoping for an ironic twist in the "more inside", but the whole thing feels like a marketing release.
posted by Chocolate Pickle at 9:48 PM on July 11, 2010 [1 favorite]


No no no no no.

Storing passwords online is a very bad idea. They can brute force weak passwords easily! They can modify the Web client at any time to send them your master password!

Use Password Safe, a nice local program for keeping passwords. There are Mac, Windows, and Linux versions.

If keeping one file up to date across multiple machines, use a hash(password+domain) system like SuperGenPass.

Or just write passwords down and keep them in your wallet.
posted by miyabo at 9:48 PM on July 11, 2010 [1 favorite]



If keeping one file up to date across multiple machines
is too hard,
posted by miyabo at 9:54 PM on July 11, 2010


Store passwords on somebody else's server? Heh. Thanks, no.

miyabo is right. This is a bad idea. Yes, it's easy, but it makes it ridiculously easy to brute-force a password.

What price convenience?
posted by koeselitz at 10:06 PM on July 11, 2010


Question: I frequently must access my online accounts from lab computers. With all these solutions, don't I have to install a client to every machine I use - including lab machines/my iPhone/etc?

Even if installing software on a lab machine were a possibility, wouldn't that then make me vulnerable by allowing anyone who was able to log into my lab machine account to access ALL of my accounts everywhere?

For me, the best solution to this has been the IronKey (https://www.ironkey.com/). I can move it between all of my computers, and when I go to the lab, it actually has its own copy of Firefox on it that can run right from the key.

Of course, the IronKey is also a tiny bit of a pain, as I have to move it between my laptop and desktop to use it properly, and I often am using both simultaneously.
posted by macross city flaneur at 10:07 PM on July 11, 2010


I know we're supposed to be well past the age of privacy, but I'm afraid I'm never gonna trust anything online to provide security. It just ain't possible.
posted by five fresh fish at 10:07 PM on July 11, 2010


Rootkits for JavaScript Environments
Adida, Barth, Jackson, 2009

ABSTRACT
A number of commercial cloud-based password managers use bookmarklets to automatically populate and submit login forms. Unfortunately, an attacker web site can maliciously alter the JavaScript environment and, when the login bookmarklet is invoked, steal the user's passwords. We describe general attack techniques for altering a bookmarklet's JavaScript environment and apply them to extracting passwords from six commercial password managers. Our proposed solution has been adopted by several of the commercial vendors.
posted by ryanrs at 10:14 PM on July 11, 2010 [7 favorites]


I'm curious to know if any of the 1Password fans have tried out the Android version yet? I've heard raves about the other clients, but the reviews so far on the Android one don't seem that great.

More on topic: I gave LastPass a try despite having the same reservations that others mention, but after one too many browser crashes and "server timeouts" with both the Chrome and Firefox extensions, decided safe was better than sorry.

Second, they're generating the passwords for me, and if I don't write them down, and if their server goes away for some reason, then I'm locked out of everything, right?

FWIW, there is a function to export everything to either a plain or encrypted .csv file.
posted by Mr. Palomar at 10:18 PM on July 11, 2010


Online password storage encourages poor browser hygiene. You should only perform authenticated activity from a trusted computing base. If I'm not in complete control of the browser, OS & underlying hardware then by definition someone else is & I'm ceding control of my access tokens (logins & passwords) to them if they wish to steal them from me.
posted by scalefree at 10:23 PM on July 11, 2010 [2 favorites]


I find the idea of trusting 3rd party website hosts with my passwords a very silly idea. -- pwnguin


First, they're storing my passwords on their server? How do I know they won't use them illicitly? -- Chocolate Pickle

Store passwords on somebody else's server? Heh. Thanks, no. -- koeselitz



Okay guys, a little more reading. From the website:
it's SECURE

All of your data is encrypted locally on your PC - only YOU can unlock it
In other words, according to what they're saying it's only storing an ENCRYPTED COPY of your passwords on their server. The encrypted file is synched across machines, not the passwords themselves. If that's the case, even if their servers are hacked, you're not in any danger (unless the hackers push out a hacked version of the client)

It would be no different than, say, storing an encrypted zip file with your passwords on a server.

At least that's how I'm reading this. If it was also open source then people would actually be able to verify that they're doing what they say they're doing. It's not all that clear. But if their system is doing what they claim, then you don't have to worry about the "storing passwords on their servers!?" thing.

---

That said, I don't really see the need for a password manager, firefox and most browsers have password storage built in, so it's rarely an issue, even though I use different passwords on all sites now.

posted by delmoi at 10:28 PM on July 11, 2010


My passwords are protected from a Man-In-The-Middle attack by a Man-In-The-Middle.
posted by benzenedream at 10:33 PM on July 11, 2010 [2 favorites]


I just set all my passwords to PASSWORD.
posted by dogwelder at 10:43 PM on July 11, 2010 [1 favorite]


It still encourages people to use browsers they don't know & trust. If you have to use untrusted hardware, a solution like the one used by macross city flaneur provides at least some degree of control by giving you your own private browser to run on it.
posted by scalefree at 10:47 PM on July 11, 2010


Sorry - software to help me manage my use of other software is the opposite of what I want out of technology. I will never use a password manager. You will always find yourself on a machine that's not yours without access to your passwords, or in an Internet cafe with someone watching over your shoulder, or for-the-life-of-you unable to remember the Master Master Password Password. Or, if none of these come to pass - you will get a new computer/OS/life and the software you have come to rely on turns out incompatible with your new ways. Don't manage my passwords!
posted by eeeeeez at 11:06 PM on July 11, 2010


It would be no different than, say, storing an encrypted zip file with your passwords on a server.

... except that your interaction with this encrypted remote storage is through a pretty easily compromised browser as a client, rather than a local application like winzip, etc.

That said, I don't really see the need for a password manager, firefox and most browsers have password storage built in, so it's rarely an issue, even though I use different passwords on all sites now.

That's fine, if you have one computer and you use one browser to visit a given site, and don't have to worry about your browser or your computer failing or losing data.
posted by me & my monkey at 11:06 PM on July 11, 2010


I will never use a password manager. You will always find yourself on a machine that's not yours without access to your passwords, or in an Internet cafe with someone watching over your shoulder, or for-the-life-of-you unable to remember the Master Master Password Password. Or, if none of these come to pass - you will get a new computer/OS/life and the software you have come to rely on turns out incompatible with your new ways.

I'm on computers that aren't mine all the time. Fortunately, my password file syncs to my phone as well as my regular computers. The program I use is compatible with every computer I've used, and has versions available for Windows, OS X, Linux, Android, iPhone, Windows Mobile and Blackberry. But most of these programs support basic import and export functionality, so you can convert from one to another fairly easily - I've done this myself twice, from Password Safe to eWallet, then to KeePass.

But in any case, what do you suggest as an alternate solution? I have three different password files now. Each has about two or three hundred entries. I work with a lot of systems, I don't use the same password on two of them, and I use strong passwords or pass phrases. There is NO WAY IN HELL I could remember even a fraction of them. But I can remember three strong passwords, and that's all I need.
posted by me & my monkey at 11:14 PM on July 11, 2010


delmoi: “In other words, according to what they're saying it's only storing an ENCRYPTED COPY of your passwords on their server. The encrypted file is synched across machines, not the passwords themselves. If that's the case, even if their servers are hacked, you're not in any danger (unless the hackers push out a hacked version of the client)”

Yes, but there are a couple of things. First, you yourself emphasize that you have to trust them on this. Honestly, I do – I'm sure they're using some encryption, and I'm sure they believe it's great, though who really knows. Second, there are a lot of 'encryptions' out there, and the fact that safely encrypting a password file is trivial doesn't mean they're doing it right. Why trust somebody else with this stuff?

Yeah, I get that it's totally convenient sometimes, but in the world as it is today, I don't see why anybody wants to stick passwords in somebody else's vault in the sky. Yeah, they let me set the combination myself, and promise I'm the only one that opens it. The question is: now that USB drives smaller than pencils exist, why the hell does anybody want to stick passwords in the cloud anyway?
posted by koeselitz at 11:35 PM on July 11, 2010


Oh, and finally: at this point, I don't even seem to need to keep passwords in one place. I just have to remember my email address. Then, whenever I want to log in to anything at all, I just click the "I forgot my password!" link, and it resets my password through my email.

I think it's kind of worthless that everybody seems to want to put the pressure on email for being the most secure medium, but then I don't really know what other choice they have – mailing you your new password?
posted by koeselitz at 11:37 PM on July 11, 2010


Let's state the problem then work from that to solutions. The problem is authenticating yourself to a website using a browser. To do that successfully you need to establish a trusted execution path from you to the website; control the browser, OS, hardware & connection. If any one of those fails, so does your authentication.

Now we live in an imperfect world & we don't always have the luxury of owning & maintaining the integrity of all 4 of those elements. So if you have to browse from untrusted hardware, your safest bet is to use a bootable CD/USB OS & browser. That way you only put one link in the chain at risk & still control the other 3 (assuming you use SSL for the connection). If you can't do that hopefully you can at least run your own private browser off a USB stick; then you only have to trust the OS & hardware. And if you can't even do that then you probably shouldn't be logging in from there because there's just too many ways your credentials could be stolen to put them at risk.
posted by scalefree at 11:43 PM on July 11, 2010


I signed up for LastPass based on a recommendation from Lifehacker (your mileage may vary, etc). I have 4 PCs running concurrent versions of XP and (I think) the latest build of Chrome. I find that it's about 70% useful. Oddly, I get observable (but not radically) differing behaviors (perhaps related, one of my machines suffers from the failure to install extension bug but not the others). Because Google hasn't resolved the Premium Apps/Gmail domain services issues, I have my personal services spread across two users (and have two others for other organizations I support), and that seems to gum up everything. Other sites where I have multiple logins (EventBrite) seem to fail pretty regularly (regardless of how I input data). I'm not seeing a real elegant autofill in situations where I need to maintain multiple accounts, regardless of how often I go through and cull dupes or update the naming schema.

Also some types of security seem to thwart the process (about half my credit cards manage to knock out the user ID or the pass, though at least vault is useful for tracking the passwords).

I'm not going to copy and paste their security info, and I'm not a PGP wizard, but between what Lifehacker posted and my review of the service, I'd say unless your paranoia is off the meter, it's a good solution. I've been trying to get my password (memorized) pool up to three unique 12+ character options, but I find I can't maintain mnemonics for all of them (middle age!), so having one 16 character password to protect everything seems reasonable for the current tech.

I don't understand why anyone would find a physical (USB key) solution an improvement.

For the people discounting the encryption -- have you read through the site or could you provide a concise noob level explanation why their methods are suspect? This is one of those things I'd like to be more vigilant about but can't find decent info about in a reasonable amount of time, and generally I do trust the level of research and opinion generated by Lifehacker (relative to other popular tech sites).
posted by 99_ at 11:49 PM on July 11, 2010 [1 favorite]


special-k: "Do you access bank services online? Why couldn't your bank's website get hacked and all your info compromised?"

My bank uses OFX, and is secured by SSL, which I connect to with a relatively obscure program. Should that practice get hacked, by say a newly discovered attack against DNS, it is my naive assumption that FDIC, US law, and courts will protect my deposits. Meanwhile, I'm pretty sure if Mint.com's security is compromised, any business insurance they have will be rapidly depleted, and the bank will insist that I have violated their policy of giving out my password to people.
posted by pwnguin at 11:52 PM on July 11, 2010 [1 favorite]


Password Maker is one of the things that keeps me tethered to Firefox. Yeah, I can't log into things without a local copy of my Firefox profile. But since I don't want to be logging into anything on an untrusted machine, that's fine.
posted by Zed at 12:00 AM on July 12, 2010


99_: "For the people discounting the encryption -- have you read through the site or could you provide a concise noob level explanation why their methods are suspect?"

You cannot, from a concise explanation on a website, verify that the entirety of their practice is secure. Encryption is suspect by default, and requires an inspection of the implementation, not just what goes on in theory. It's nice that their system is described as using technology we believe to be secure, but it only takes one fuckup to wreck an entire chain of security. It is my belief that there's at least one screwup in their code waiting to be found.
posted by pwnguin at 12:09 AM on July 12, 2010


99_: “For the people discounting the encryption -- have you read through the site or could you provide a concise noob level explanation why their methods are suspect?”

They don't seem to say much at all about it on the website. That's what bothered me. Although honestly I guess they could say whatever they want; it is just a web site.
posted by koeselitz at 12:19 AM on July 12, 2010


The thing is: in general, sticking your passwords on the internet = bad. That's not a big, crazy examination of encryption; it's just simple fact, and it makes sense.
posted by koeselitz at 12:20 AM on July 12, 2010


I recently decided to manage my passwords with some sort of online or software program, and after much research, I decided on KeePass, and I have been very happy with it. Easy to use, has all the features I want, your files can be exported to a USB stick, it's local and not online, and it's open source.
posted by astroworm at 12:21 AM on July 12, 2010


Because Google hasn't resolved the Premium Apps/Gmail domain services issues, I have my personal services spread across two users

While this is unfortunately true, it is possible to create a public Google account with the same email as your Apps account - just don't activate Gmail for the public account. I find this very useful, although kludgy.

For the people discounting the encryption -- have you read through the site or could you provide a concise noob level explanation why their methods are suspect?

I don't think their methods are especially suspect. But supposing that everything they say is true, they're still running a web application. From their site:
"LastPass uses Paros to help verify it hasn't made common mistakes that could result in a XSS or SQL Injection attack"
Well, that's nice and all, but web applications are much more likely to have vulnerabilities than local applications. They have a big, broad, open attack surface. And if you have to run a local application anyway, why bother with the web part?
posted by me & my monkey at 12:24 AM on July 12, 2010


99_: “I don't understand why anyone would find a physical (USB key) solution an improvement.”

For what it's worth, the point of using a USB key has nothing to do with convenience, which seems to be how you see it. The point of using a USB key is so that your passwords are physically present with you and not just open to the internet at large. Having your passwords encrypted on a USB key ensures that someone would have to come to you and steal the USB key from you to gain access to your passwords.

I think the proper perspective about it is: 'the LastPass internet-stored passwords scheme isn't much of an improvement.' Because honestly it's not that much more convenient than the USB method, and since the USB method is so much more secure, why not?
posted by koeselitz at 12:32 AM on July 12, 2010


Attack #1: Hacker, or LastPass itself, swaps out its client-side JavaScript for code that leaks your master password back to them.

Attack #2: Hacker, or LastPass itself, steals your file of encrypted passwords. You didn't use a great master password, hacker does a dictionary attack and gets all your other passwords. Dictionary attacks are very very sophisticated, they are likely to guess anything you could reasonably come up with and remember.

Attack #3: Man in the middle attack. A different site pretends to be LastPass, captures your master password, gets all your passwords from LastPass itself. Employers very commonly run servers that do man in the middle attacks on all their employees' encrypted connections (and are often legally required to do so!), it's only a matter of time before one of these products implements a special feature for LastPass.

Potential flaw in LastPass system: the client code has to somehow authenticate itself to LastPass's server using your encrypted password. The right way to do this is called zero-shared key authentication; it's well understood in the crypto community, but I wouldn't trust random Joe Programmer to implement it correctly. There is absolutely no way to tell if this step, or any other, is being done correctly without inside knowledge of LastPass' code.

Password Safe was developed by a cryptography expert, but more importantly it is open source and carefully reviewed by other experts. I don't see any particular scrutiny of LastPass' system.

So yeah, use it for your Flickr account or whatever. But don't store your bank account info there PLEASE!

If you think I'm just being paranoid: look at what happened to HushMail. This service offered client-side encrypted e-mail, conveniently accessible through a Java applet in your Web browser. One of their customers was being investigated for criminal activity, and the Feds subpoenaed the customer's data and forced the company to hack into their own system. Turns out it wasn't so secure after all. And HushMail was run by real crypto experts, and open-sourced much of their code!
posted by miyabo at 12:32 AM on July 12, 2010 [5 favorites]


I never looked at password managers before - but since LastPass is available on every platform I use (Windows, OSX, Linux, and even Android) I gave it a shot 2-3 months ago.

Now I can't live without it, and it's on my list of "essential Firefox extensions" (and Chrome as well). It literally shaves about ten minutes off my "bill-paying time" on payday (everything is done online) because I don't have to flip back and forth looking for my passwords for 10 different sites.
posted by mrbill at 12:57 AM on July 12, 2010


Just remember all your 15 character random printable character passwords, a different one for each service, you worthless bags of flesh.
posted by Joe Chip at 1:03 AM on July 12, 2010 [2 favorites]


ClipperZ sounds like basically the same thing, but is open-source and can be run on your own server.
posted by breath at 1:20 AM on July 12, 2010


Someone wanna dig through the source? The Safari 5 extension is just a bunch of html and javascript, kinda like a Dashboard widget.

First download the Safari 5 Extension.

Then run:
$ pkgutil --expand lastpass.safariextz extension
$ ls -l extension/lastpass.safariextension/
total 3144
-rw------- 1 ryanrs eng 1600 Jul 12 02:52 Icon-32.png
-rw------- 1 ryanrs eng 1895 Jul 12 02:52 Icon-48.png
-rw------- 1 ryanrs eng 1660 Jul 12 02:52 Icon-64.png
-rw------- 1 ryanrs eng 1660 Jul 12 02:52 Icon.png
-rw------- 1 ryanrs eng 2084 Jul 12 02:52 Info.plist
-rw------- 1 ryanrs eng 182 Jul 12 02:52 Settings.plist
drwxrwxrwx 46 ryanrs eng 1564 Jul 12 02:52 _locales
-rw------- 1 ryanrs eng 1003 Jul 12 02:52 about.html
[etc]


You'll also want a javascript pretty-printer.
posted by ryanrs at 2:59 AM on July 12, 2010


I guess the way I look at it, LastPass is great for the people who use the same insecure password over and over on all the sites they visit, especially if they access these sites on multiple computers and devices, since it keeps track of your passwords securely.

If you're a security guru who trusts no one when it comes to your passwords, or you've got the savvy to set up a more complicated system, more power to you. For the rest of us, this seems like the most user friendly solution I've yet come across.
posted by crunchland at 3:45 AM on July 12, 2010


Any idea how cross-platform the IronKey is? Been interested, but I would need to use it across, at the very least, Linux and Windows, with a possible aside to Mac OS X. I get the vibe I would be seeing something like one of those self-launcher sticks that only work on Windows...
posted by Samizdata at 4:14 AM on July 12, 2010


I've been using LastPass for about a year now......
posted by d4v1dr0b3r7s0n at 4:25 AM on July 12, 2010


Any idea how cross-platform the IronKey is?

Google is very much a Mac and Linux shop, and they use 'em. Furthermore, I expect some real analysis was done before IronKey was added to the secure-for-source-code portable device whitelist.
posted by ryanrs at 4:59 AM on July 12, 2010


Any idea how cross-platform the IronKey is?

works on my mac and pc.
posted by special-k at 6:00 AM on July 12, 2010


Password security, as commonly implemented by most users, is a fucking disaster. If you truly have secure storage of hundreds of unique passwords for different websites, I applaud you. Most people I know use the same password on lots of sites, which is a total disaster in the waiting. And they use weak, dictionary vulnerable passwords. What we are doing now doesn't work.

I think the right solution is Open ID. Authenticate to one master, then do some funky crypto crap to authenticate to other sites. But for various reasons Open ID is not widely used. So what's the alternative? A password agent that stores your passwords somewhere online. Storing locally isn't good enough if you want to be able to log in from your mobile phone or from an Internet cafe. So what then? Does anyone here honestly memorize or keep a list of 100+ unique passwords in their wallet?
posted by Nelson at 8:51 AM on July 12, 2010


I'm in the keepass camp. I think the user interface is pretty intuitive. And it has iphone / windows / mac / linux ports so i can use it everywhere. I use dropbox to share my database between all of my devices. It's pretty seamless really.
posted by escher at 8:54 AM on July 12, 2010


I probably could have framed this post better, to counter the kneejerk responses from some of the hard-liners above.

First, they're storing my passwords on their server? How do I know they won't use them illicitly? Second, they're generating the passwords for me, and if I don't write them down, and if their server goes away for some reason, then I'm locked out of everything, right?


They are storing your passwords up on their servers, but only after you encrypt your password database locally (AES256). They don't have the key. All they get is the encrypted blob. They do generate the passwords, and keep them in the database in the cloud. You can export and download a copy of your password database for backup purposes, either in open text format (stupid) or in encrypted blob form, which can be unencrypted using a stand-alone, non-installed encryption program.

You can set up LastPass to require third-source authentication -- either via a yubikey dongle, or using their own provided paper based authentication systems (one is called "The Grid" which lets you generate a grid of authentication keys, and in order to log in, you have to provide the correct keys at different coordinates on the grid; or you can generate one-time, one-use authentication passwords.)

firefox and most browsers have password storage built in, so it's rarely an issue

That's very true, provided you use one device exclusively to access things you need a password for online, and that one device doesn't fail due to bad hardware, and the local database doesn't get corrupted. If you use more than one device -- say your desktop, and your iPad, for example -- then this will let you keep track of your passwords -- passwords that are unique and very secure.

The program will import your passwords from many different sources, including KeePass.

I'm sure nothing will convince the truly paranoid to go with something like this. The fact that the people who make this are based in Vienna, VA, which is only a stone's throw from you-know-where, probably won't help matters any.

For the rest of us, who aren't apt to use strong, unique passwords, while using multiple devices, this program is an easy to use giant step in the right direction of online password security.
posted by crunchland at 9:11 AM on July 12, 2010
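The design the thread keeps circling (miyabo's attack #2 and the "zero-shared key" authentication point, crunchland's "they don't have the key" description), as an added example that is not part of the thread and not LastPass's own code: the client derives the vault key and a separate login key from the master password, the server only ever receives the login key and the encrypted blob, and an offline guessing run against the server's own records shows why the work factor and the strength of the master password are what stand between a stolen database and the passwords inside it. The AES-256 step is replaced here by a stdlib-only HMAC construction; the email, passwords and iteration count are constructed values.

```python
import hashlib
import hmac
import os

# Work factor for the master-password derivation. Constructed value for this
# example, not the product's actual setting.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Client side only: the key that encrypts the vault. It never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(),
                               iterations, dklen=32)


def derive_auth_key(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more one-way step. This, not the master password or the vault
    key, is what the client sends to the server at login."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the product's AES-256 step: encrypt-then-MAC with an HMAC-SHA256
    counter keystream. Layout: nonce(16) || ciphertext || tag(32)."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt_vault; raises ValueError on a wrong key or an altered blob."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Everything the service holds per account: a salted hash of the auth key and the
    encrypted blob. The master password and the vault key are never received."""

    def __init__(self) -> None:
        self.accounts = {}

    def register(self, email: str, auth_key: bytes, encrypted_blob: bytes) -> None:
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", auth_key, salt, 10_000, dklen=32)
        self.accounts[email] = {"salt": salt, "verifier": verifier, "blob": encrypted_blob}

    def login(self, email: str, auth_key: bytes):
        """Returns the encrypted blob on success, None otherwise."""
        acct = self.accounts.get(email)
        if acct is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", auth_key, acct["salt"], 10_000, dklen=32)
        return acct["blob"] if hmac.compare_digest(candidate, acct["verifier"]) else None


def offline_guess(server: Server, email: str, wordlist, iterations: int):
    """Attack #2 from the thread against this toy server: whoever holds a copy of the
    records tries candidate master passwords offline. Returns the password if it is in
    the wordlist, else None. Every try costs the full derivation, which is why the
    iteration count and a master password outside any wordlist are the defences."""
    acct = server.accounts[email]
    for guess in wordlist:
        auth_key = derive_auth_key(derive_vault_key(guess, email, iterations), guess)
        candidate = hashlib.pbkdf2_hmac("sha256", auth_key, acct["salt"], 10_000, dklen=32)
        if hmac.compare_digest(candidate, acct["verifier"]):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample account.
    srv, email, master = Server(), "alice@example.com", "correct horse battery staple"
    vk = derive_vault_key(master, email)
    srv.register(email, derive_auth_key(vk, master), encrypt_vault(vk, b"bank: hunter2"))
    print(decrypt_vault(vk, srv.login(email, derive_auth_key(vk, master))))
```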


I'm leaning a bit more towards the password hash option myself, although the DOM vulnerability in supergenpass bugs me.
posted by KirkJobSluder at 9:17 AM on July 12, 2010


Steve Gibson uses LastPass, he went into great detail on Security Now Episode 256 (YT). He starts talking about LastPass at 00:52:45, then gets into why it is safe around 01:12:45.

I use it and love it.
posted by MrBobaFett at 9:30 AM on July 12, 2010


The biggest problem with LastPass and other startups is not that the current crop of employees is untrustworthy, it's that they are a privately held company that can be easily sold to new owners with new agendas for your data (e.g. Facebook has just acquired Lastpass!).

If I will be using cloud-based password storage, I had better read the whole contract and be satisfied that they have adequate insurance, and penalty incentives to ensure they will not just keep the frontend looking secure while the DBA is toting backup tapes out of the loading dock.

pwnguin is spot-on: regular banks and financial sites have plenty of legislation backing the consumer up in case of a successful hack. Without an enormous amount of who-watches-the-watchmen infrastructure in place and large, complex contracts that are difficult to break even by a determined new CEO, you are still relying on "trust me" as your assurance that your data won't be misused.

For the average user, PasswordSafe on a USB key is not rocket science and I believe they have a Java version that will run on multiple clients.
posted by benzenedream at 9:33 AM on July 12, 2010


The biggest problem with LastPass and other startups is not that the current crop of employees is untrustworthy, it's that they are a privately held company that can be easily sold to new owners with new agendas for your data (e.g. Facebook has just acquired Lastpass!).

You encrypt your password database locally, and send it to them. They don't have the key. They can't unencrypt it. Their future employees can't unencrypt it. If compelled by legal authorities with a subpoena, they still can't unencrypt it. If someone breaks into their servers and steals all of their data, that someone can't unencrypt it. The only person that can unencrypt it is you.

If, at sometime in the future, Facebook buys LastPass, and they completely dismantle that which makes LastPass as good as it is, you can export your password database into CSV or a format that Firefox can use and you can delete your account with them.
posted by crunchland at 10:31 AM on July 12, 2010


Using utilities like Lastpass or 1password is a big step up from using a single not very secure password, but is still not a perfect approach:
• Any solution that involves trusting a commercial company involves the risk they will go bad (or simply close down) at some point in the future.
• Anything that involves you installing software means you are limited to using machines where that software is (or can be) installed.
• Anything that involves a 'password store' (USB stick/hard drive/website storage) means you need to be very sure that the 'password store' doesn't get lost/stolen/corrupted.
• Also any software package that involves encryption has the drawback that all encryption is reversible - eventually someone will crack the key and be able to reverse it.

In contrast, open-source cryptographic hash based systems are fundamentally non-reversible and don't save anything anywhere; even if you have one of the passwords and all the code, there's no way to mathematically work back to the original master password.

Rootkits for JavaScript Environments
Adida, Barth, Jackson, 2009
ABSTRACT
A number of commercial cloud-based password managers use bookmarklets to automatically populate and submit login forms...
posted by ryanrs at 6:14 AM on July 12


Punchcast.com (self link) and/or Nic Wolff's password generator and/or Karim Cassam Chenaï's iPhone page all use exactly the same hash algorithm and can be used interchangeably without needing bookmarklets.
posted by Lanark at 10:36 AM on July 12, 2010 [1 favorite]


Lanark,
That's how we should be doing it! But hash based passwords are too simple and easy to implement to have any marketing, nor any fawning Mefi posts....
posted by miyabo at 10:55 AM on July 12, 2010


Actually, LastPass apparently does use a hashing algorithm (SHA-256) on your uid and master password to come up with the key to encrypt your password database.
posted by crunchland at 11:01 AM on July 12, 2010


It's the last password manager you need because it kills you on the third use.
posted by GuyZero at 11:32 AM on July 12, 2010


I use me & my monkey's approach: KeePass and DropBox.
posted by arcticseal at 11:45 AM on July 12, 2010


I just used LastPass to log in and post this comment. I have it installed at home and at work, on PCs and Macs. It's fast and convenient and more straightforward (though perhaps slightly less robust) than Roboform, of which I was a paid user for many years. It's a place I'm comfortable being, compromise-wise, for my needs.
posted by VulcanMike at 11:49 AM on July 12, 2010


However anybody ends up wanting to do it, this is a really interesting thread. Thanks.
posted by koeselitz at 11:50 AM on July 12, 2010


crunchland: "The only person that can unencrypt it is you."

Up to a point: you're still vulnerable to the police (or anyone else with sufficient persuasive power) arranging for the company to ship you your own custom version of the webpage when you log in which uploads all your passwords to the company once you've entered the decryption password locally.

That said, if this is your concern, then possibly you shouldn't be storing your passwords online whether encrypted or not.

There are a couple of other companies offering similar services, including passpack who do all the encryption / decryption in javascript locally on the browser & I think the front end code is all open source.

Personally, I think the haters are being somewhat harsh: given that the unencrypted data doesn't leave the browser (which is the big security issue) these web-passed password stores are a considerable step up from the usual "stick the password on a post-it note by the monitor" approach. If I was using one for anything where I cared about the security of the passwords, then I'd be starting a new browser session for each login & only visiting the password site & the relevant webpage to login to. Anything else is asking for trouble.
posted by pharm at 2:01 PM on July 12, 2010


I don't know that I interact with their servers for any other reason than to grab the encrypted database blob when I start a session. I can tell you that when I look at my password vault, the url is local (chrome://lastpass/content/home.xul).
posted by crunchland at 2:05 PM on July 12, 2010


Personally, I think the haters are being somewhat harsh: given that the unencrypted data doesn't leave the browser (which is the big security issue) these web-passed password stores are a considerable step up from the usual "stick the password on a post-it note by the monitor" approach.

My concern is more about making it convenient to use all your accounts on whatever machine you happen to be at, which is very risky behavior. It's very easy to leave your credentials behind in the browser's history, it's not hard to install a keystroke grabber at the OS level & it's trivial to pop a hardware dongle onto the keyboard that also grabs keystrokes. That's 3 out of the 4 links in the chain that are all open to compromise without you knowing or being able to protect against it because it's not your machine.

For those who only use this to share login info between machines they own & control, I have much less of an issue. It's all about reducing the exposed attack surface. The more parts of the system out of your control & open to compromise, the greater the risk.
posted by scalefree at 2:51 PM on July 12, 2010


I used pwdhash for a while as a hash based password solution; no storage required, just a master password hashed to the host name. It worked pretty well in Firefox. But then it didn't work in Chrome when I switched, and it still doesn't work meaningfully on the iPhone. Any password solution must have useful agents on all platforms. I'd gladly pay good money for that. LastPass seems to have that.
posted by Nelson at 4:19 PM on July 12, 2010 [1 favorite]


Just futzing around, but I whipped up an AppleScript implementation of Lanark's SHA1 password hash algorithm using shell calls to openssl. While it seems to work the same way on ASCII input, it seems to produce different results with Unicode. Need to work with it further.
posted by KirkJobSluder at 5:23 PM on July 12, 2010


Punchcast.com (self link) and/or Nic Wolff's password generator and/or Karim Cassam Chenaï's iPhone page all use exactly the same hash algorithm and can be used interchangeably without needing bookmarklets.

Yeah, but I do offer a bookmarklet, which I assume would be vulnerable to the "caller" attack they describe. Unless and until I can think of a defense, it should only be used at trusted sites.
posted by nicwolff at 11:11 PM on July 12, 2010


Remember back when we could put XSS attacks in our custom profile pages? That was fun.
posted by ryanrs at 1:45 AM on July 13, 2010


You people are ruining it for everyone! Stop talking about this or then teh Hackerz will attack!

I picked up with LastPass like others here when I discovered it supported the platforms I use. Trust is too strong a concept to apply here but it has improved my ability to function across 100's (seriously) of resources.
posted by mouthnoize at 10:39 AM on July 13, 2010


You people are ruining it for everyone!

I think it's worth emphasizing that much of the discussion in this thread is just arguing the difference between systems that are 99% secure vs 99.9% or 99.9999%

Meanwhile a lot of people are still using passwords like "qwerty123" which is about 10% secure and a third of people use the same password for everything!

This situation reminds me of the old tiger joke: "I don't have to run faster than the tiger. I just have to run faster than you."
posted by Lanark at 1:49 PM on July 13, 2010 [3 favorites]


After thinking about this thread I bought LastPass Premium and am trying it out. Mini-review: it's pretty good but too complicated.

The basic Windows install works great, very nice and hand-holdy. Unfortunately it doesn't import passwords from Chrome's manager (it does IE and Firefox). The UI for logging in to sites is pretty good. The iPhone app isn't bad either. It works best if you browse the web from inside their version of WebKit, but there's some kludgey integration to Safari via bookmarklets. Best they can do without plugin capability on the iPhone.

Things get much hairier as soon as you start looking in options menus, or try to understand what "logged in" really means and the panoply of logout options. I appreciate that they give me a lot of control, and there are some simplistic "more secure.. less secure" basic options for the impatient / ignorant. But between the complexity of integration and the various options provided, it just drives home how bad our current authentication systems are.
posted by Nelson at 3:23 PM on July 13, 2010

