
LastPass Now Checks If Your Sites Are Affected by Heartbleed

281 points | wglb | 12 years ago | blog.lastpass.com

91 comments

gojomo | 12 years ago
Notably some sites are using fresh certificates that have the same (months-in-the-past) starting-validity date as their old certificates. For example, Heroku has done this.

(I can think of a few process and fee reasons this approach might be picked. Perhaps a CA might offer a free new cert and revocation, if and only if the new cert has the same validity range as the one it replaces. An ops team might prefer one consistent time of year for the ceremony of non-emergency certificate rotation.)

I didn't notice any field in the cert-viewers of Firefox or Chrome that could reliably tell the true issue-date of a new certificate.

Is LastPass just looking at the start of the validity, or does it have some way to know if the certificate is truly new?

pwman | 12 years ago
We haven't found a way to do this -- we're using openssl s_client to get the start date, but one of our own certificates for LastPass.eu also reissued without changing the date so we know it's a problem.

We wish we had all sites' certificate fingerprints from before this started so we could utilize that data -- if anyone has it, an email to [email protected] would be greatly appreciated.

devindotcom | 12 years ago
I've been meaning to switch to a password organizer rather than rely on my browser's built-in one (I know)... I've seen a few discussions on here but I haven't seen a clear victor. In your opinion, is LastPass the one I should go with? Or Keepass or OnePass or one of the others?

Edit just to say I think this is a very nice feature by LastPass and thanks for posting.

Spittie | 12 years ago
With a question like this, you're probably going to get a lot of biased opinions. Not because people want you to use an inferior product, but because obviously one thinks that what he uses is the best. For example, as a current KeePass user, I'd suggest it.

Lastpass overall is comfy, you do everything within your browser, it syncs without many problems and you can use it on the go with the official applications and addons. One downside is that everything is closed source. The other one is that I find their addon is trying to do too much, and it's not polished enough (at least, their Firefox one). I've had tons of annoyances with it.

Keepass instead is awesome because it's open source and you own your data. But you can feel that not everything is nicely integrated. I use a Firefox addon (PassIFox) for filling username/password, and it works pretty nicely, but you have to set it up (and it's kind of a pain to get it working on Linux). I use an application on Android (Keepass2Android) which has a different UX, and doesn't have the fancy input method that the lastpass app has (instead you just copy/paste, and there is a keyboard for autofilling but I find it mostly annoying). The integrated sync supports only ftp/webdav, and not everyone has a server providing those around (and I never got webdav to work anyway). Sure, you can sync the file with dropbox or other "cloud" solutions, but this implies even more software in your chain.

I never got to try OnePass sadly, as there's no Linux version.

Anyway, I'd say: Try both, and see which one you prefer. Keepass is libre, and lastpass has a free tier, so you don't have to put any money in it. Just use them for a bunch of sites for a bunch of days, and then decide.

keypusher | 12 years ago
I use LastPass and definitely recommend it. It will generate a random password for you based on definable criteria, which I like and use almost everywhere. The primary vector of mass attacks these days seems to be one compromised database leaks out, and then they use those cracked passwords to get into other sites where you used the same email/pass combination. Keeping track of hundreds of unique and secure passwords without a manager is untenable.
mayneack | 12 years ago
In a vote for lastpass (I haven't tried the others) - they just added auto filling passwords for the android app. It works pretty well (typing their generated passwords into apps that blocked copy/paste was my biggest gripe until then). I'd say that it's pretty easy to get duplicate entries for a single site which can get annoying, but it's relatively easy to delete ones if you don't get mixed up with which is the "correct" entry first.
MichaelGG | 12 years ago
I recently went over this and went with KeePass. It's open source, although apparently not with a public repo (just source zips). I'm in the process of verifying it and building it for myself. I used to use PasswordSafe, but I think I have a higher chance of missing a backdoor in C than in C#. (I removed all the native stuff from my copy of KeePass.)

For critical stuff, I want to minimize the amount of proprietary stuff. I already have Windows (as a VM host), Lenovo and VMware to trust - but at least that's not directly connected to the Internet[1]. Why add a third party that could suffer a remote compromise or worse?

1: Host runs VMs, has no protocols bound to NIC but passes it through to a gateway VM which acts as a router for the other VMs. KeePass can run on the host, so a VM compromise is somewhat limited.

cheald | 12 years ago
I use and really like LastPass. In particular, its integration with browsers (and my smartphone) with the random password generation means that my passwords are all unique and non-rememberable (and thus unphishable, since I rely on LastPass to fill the password for me, which it only does on a domain match).

Things like their security check are just icing on the cake.
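The "only fills on a domain match" property cheald relies on is worth seeing as code. The following is an added example, not LastPass's own matching logic: the rule it implements (https only; the page host must equal the saved host or be a subdomain of it) is an assumption chosen for illustration, and the origins and page URLs are constructed test inputs.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ShouldFill decides whether a credential saved for savedOrigin may be
// auto-filled on pageURL, and says why. Matching rule (an assumption for this
// example, not any real manager's policy):
//   - the page must be served over https (no filling into a downgraded page);
//   - the page host must equal the saved host, or be a subdomain of it.
// A lookalike such as example.com.evil.test or examp1e.com never matches,
// which is what makes manager-filled random passwords hard to phish.
func ShouldFill(savedOrigin, pageURL string) (bool, string) {
	saved, err := url.Parse(savedOrigin)
	if err != nil || saved.Hostname() == "" {
		return false, "unusable saved origin"
	}
	page, err := url.Parse(pageURL)
	if err != nil || page.Hostname() == "" {
		return false, "unusable page URL"
	}
	if page.Scheme != "https" {
		return false, "refusing to fill over " + page.Scheme
	}
	// Hostname() already strips userinfo and port, so
	// https://example.com@evil.test/ compares as evil.test, not example.com.
	sh := strings.ToLower(strings.TrimSuffix(saved.Hostname(), "."))
	ph := strings.ToLower(strings.TrimSuffix(page.Hostname(), "."))
	if ph == sh || strings.HasSuffix(ph, "."+sh) {
		return true, "host " + ph + " matches saved host " + sh
	}
	return false, "host " + ph + " is not " + sh + " or a subdomain of it"
}

func main() {
	saved := "https://example.com" // constructed saved origin
	for _, page := range []string{
		"https://example.com/login",
		"https://login.example.com/",
		"https://example.com.evil.test/login", // lookalike: fails
		"https://examp1e.com/login",           // homoglyph: fails
		"https://example.com@evil.test/login", // userinfo trick: fails
		"http://example.com/login",            // downgrade: fails
	} {
		ok, why := ShouldFill(saved, page)
		fmt.Printf("%-40s fill=%-5v %s\n", page, ok, why)
	}
}
```

One caveat a real implementation has to handle: if the saved host is itself a public suffix (for example a credential saved for a shared hosting domain), the subdomain rule would match every site under it, so production managers consult a public-suffix list before allowing subdomain matches.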

rschmitty | 12 years ago
You are likely not to see a clear victor in this thread either. People who use/like LastPass will say so, and those who use others will throw in the vote there. You can also google 'Option 1 vs Option 2' and get a bunch of results. Best you try them yourself and see which one you like!

I use LastPass Premium

enoch_r | 12 years ago
Lots of recommendations already, but I'll throw in a vote for Pass[0]. It's simple, cross-platform, and doesn't require trust in any service--although you do need to trust yourself not to lose your gnupg private key.

[0] http://www.zx2c4.com/projects/password-store/

davexunit | 12 years ago
It's a bad idea to trust your secrets with a proprietary web service. Free software is a prerequisite for digital security. Best to use a free software password manager that you can run on your own computer.
27182818284 | 12 years ago
My biggest problem with LastPass, and this is a small problem, is that it fucks up on a fair amount of input fields. So for example, it still works, but its icon is too huge for site example.com so it is awkward, or it thinks it is a username and password form but it is actually a signup form with username password1 password2.

I'd still recommend it, despite those problems.

frewsxcv | 12 years ago
Used to use LastPass, but I've disliked some of their recent decisions. Their Android app is getting bulkier by the update; it includes a full blown web browser inside the app. Their Firefox extension seems to be no longer maintained as well. I switched to KeePass + Dropbox and have been enjoying it. If you use OSX, I strongly recommend http://mstarke.github.io/MacPass/
zippergz | 12 years ago
I use both LastPass and 1Password (in different contexts). I find 1Password more polished and nicer to use, but LastPass works fine too.
plg | 12 years ago
OK I'll bite ... why should I not use my browser's built in pw manager? (e.g. Safari on OS X Mavericks)

I can see an argument about cross-platform use but is there another reason or reasons?

thanks,

MaKleSoft | 12 years ago
If you're looking for an open source alternative that is easy to use and not as clunky as KeePass, 1Password or LastPass, you should take a look at Padlock: http://padlock.io/

It's still in alpha but will be released on all major platforms once its ready.

Disclaimer: I'm the developer

blueskin_ | 12 years ago
KeePass if you don't trust third parties and security is top priority, so you want an open source product that isn't web-based. (Disclosure: I use KeePass personally).

LastPass if sync/mobility is most important and you're fine trusting a (US?) company.

ryeon | 12 years ago
I use Dashlane and it's been great! Surprised not to see much support for it around here...
slowmotiony | 12 years ago
I've used LastPass for years now and I definitely recommend it. I tried to set up KeePass and god what a nightmare that was. You need a PhD in setting up the thing before you can use it comfortably.
willtheperson | 12 years ago
I wish there was (or maybe there is) a protocol for updating your password. Then managers like lastpass and 1Password could more easily update your password. Maybe, behind the scenes they could rotate your password every x days automatically. Having a protocol in place would also make breach notices an easy "update all passwords" click away.

There's probably a reason this is a bad idea. Let's hear it! :)

grrowl | 12 years ago
It discourages two-factor auth for password change requests (such as site username and access to your email account), it adds an additional point of failure, and it would make it easier for attackers to lock you out of your account once they gain entry.

Plus, if any changes are to be made to the authentication process it should be migrating to two-factor auth across all services.

bradleysmith | 12 years ago
There are some obvious discouragements, as outlined by grrowl in another comment, but I agree with you that it would be nice. Security and convenience have a well known relationship.

I've thought it would be nice to consolidate 2-factor authentication methods in a single service, then require a single, 2nd factor authenticator for access to the service or vault. So a yubi-key like authenticator with your lastpass that then authenticates using 2-factor protocols of some sort automatically; again, trading security for convenience, but would also allow for things like auto-changing of all passwords (which happening more often couldn't hurt security) while still under protection of a 2-factor authentication.

davidp | 12 years ago
Wait. When I click "Security Check" in my LastPass Tools... menu (this is in Chrome), I get taken to an internet-hosted web page where I'm prompted to enter my master password. [1] I am not taken to a chrome:// page or some other client-side tool.

I take this to mean that I'm giving LastPass's web server my actual master password, and that they will do server-side decryption of my Vault and have server-side access to my passwords in cleartext.

Is that accurate?

[1] https://lastpass.com/index.php?securitychallenge=1&lang=en-U...

pwman | 12 years ago
NO! It's all done locally via JavaScript -- we never want to get your master password / encryption key -- we go through great pains to ensure that never happens.
nly | 12 years ago
LastPass is proprietary closed source software. For all you know they've never not had access to your vault.
reedloden | 12 years ago
How does their "Updated Cert?" check work? If it's just checking notBefore, it's going to have a ton of false negatives, as a lot of CAs are just re-issuing certs using the original notBefore.
jasonhoyt | 12 years ago
There really should be a disclaimer that this tool is useless when checking certificates re-keyed with the same starting and end dates. It could create a reputational risk for sites that are otherwise safe or patched.
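The problem raised in gojomo's and pwman's exchange near the top of the thread and again by reedloden and jasonhoyt here is that notBefore alone cannot tell a re-keyed certificate from the old one. The following is an added example (not LastPass's checker and not code from the linked post) showing the two checks side by side: the notBefore heuristic a scanner without a baseline is stuck with, and the comparison pwman wishes he had, which hashes both the whole certificate and its SubjectPublicKeyInfo. The second hash matters because after Heartbleed what has to change is the private key; a CA that re-issues a certificate over the same key changes the certificate fingerprint but leaves the exposed key in service. Assumptions: the certificates are self-signed test certificates generated in the block so it runs offline, the hostname www.example.test is constructed, and 2014-04-07 is used as the Heartbleed disclosure date.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Observation is what a scanner can record about a site's leaf certificate
// (the DER blob openssl s_client hands back).
type Observation struct {
	CertFingerprint string // SHA-256 over the whole DER certificate
	KeyFingerprint  string // SHA-256 over SubjectPublicKeyInfo: the key itself
	NotBefore       time.Time
}

// Observe parses a DER certificate and records the two hashes plus notBefore.
func Observe(der []byte) (Observation, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Observation{}, err
	}
	c := sha256.Sum256(der)
	k := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return Observation{hex.EncodeToString(c[:]), hex.EncodeToString(k[:]), cert.NotBefore}, nil
}

type Verdict string

const (
	Unchanged Verdict = "same certificate: nothing rotated"
	Reissued  Verdict = "new certificate, same key: NOT re-keyed, exposed key still in use"
	Rekeyed   Verdict = "new certificate, new key: re-keyed"
)

// Compare is the baseline check: it needs an observation from before the incident.
func Compare(before, after Observation) Verdict {
	switch {
	case before.CertFingerprint == after.CertFingerprint:
		return Unchanged
	case before.KeyFingerprint == after.KeyFingerprint:
		return Reissued
	default:
		return Rekeyed
	}
}

// NotBeforeHeuristic is all a scanner without a baseline can do: call the
// certificate "new" only if notBefore is after the disclosure date.
func NotBeforeHeuristic(after Observation, disclosure time.Time) bool {
	return after.NotBefore.After(disclosure)
}

// issue makes a self-signed test certificate with a chosen notBefore, so the
// demo can reproduce a backdated re-issue without involving a CA (test data).
func issue(key *ecdsa.PrivateKey, serial int64, notBefore time.Time) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "www.example.test"}, // constructed name
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// Demo runs the scenarios from the thread and returns each check's answer.
func Demo() (map[string]Verdict, map[string]bool) {
	disclosure := time.Date(2014, 4, 7, 0, 0, 0, 0, time.UTC)  // Heartbleed disclosure
	backdated := time.Date(2013, 11, 1, 0, 0, 0, 0, time.UTC) // original cert's notBefore
	fresh := time.Date(2014, 4, 10, 0, 0, 0, 0, time.UTC)     // a genuinely new validity start
	oldKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	newKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	must := func(der []byte) Observation {
		o, err := Observe(der)
		if err != nil {
			panic(err)
		}
		return o
	}
	before := must(issue(oldKey, 1, backdated))
	scenarios := map[string]Observation{
		"unchanged":                      before,
		"reissued, same key, backdated":  must(issue(oldKey, 2, backdated)),
		"reissued, same key, fresh date": must(issue(oldKey, 3, fresh)),
		"rekeyed, backdated":             must(issue(newKey, 4, backdated)),
		"rekeyed, fresh date":            must(issue(newKey, 5, fresh)),
	}
	verdicts, heuristic := map[string]Verdict{}, map[string]bool{}
	for name, after := range scenarios {
		verdicts[name] = Compare(before, after)
		heuristic[name] = NotBeforeHeuristic(after, disclosure)
	}
	return verdicts, heuristic
}

func main() {
	verdicts, heuristic := Demo()
	for name, v := range verdicts {
		fmt.Printf("%-32s baseline: %-68s notBefore-only says new: %v\n", name, v, heuristic[name])
	}
}
```

The two scenarios that bite are "rekeyed, backdated" (a false negative for the notBefore check, the case gojomo and pwman describe) and "reissued, same key, fresh date" (a false positive: the date looks new, but the key that may have leaked is still in service). On a live host the DER to feed Observe is the leaf certificate from `openssl s_client -connect host:443`, and RawSubjectPublicKeyInfo is the same bytes `openssl x509 -pubkey -noout` prints in PEM form.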
comeonnow | 12 years ago
I'd love to see an actual list, officially backed, with website URLs and whether each has been fixed or not. Also with the ability to submit URLs. Seems this would be more productive than to let everyone look up their own sites manually.
araftery | 12 years ago
Apparently LastPass is still vulnerable: https://lastpass.com/heartbleed/?h=LastPass.com
notatoad | 12 years ago
Perhaps it has been updated in the last 12 minutes, but that doesn't say LastPass is vulnerable. They are using a new cert; it's just saying they might be vulnerable because LastPass can't detect the server's operating system.
Karunamon | 12 years ago
This is very cool and answers my, and I'm pretty sure many others', questions about what passwords are safe to change.

Thanks guys!

blantonl | 12 years ago
If I were you, I would change ALL of your passwords. Regardless of what lastpass says.
csmatt | 12 years ago
This is awesome and I love the auto-prompting in the latest version of LastPass for Android. Great work guys!
retube | 12 years ago
Does Heartbleed affect bog-standard ssh as available on your average Linux/Ubuntu system?
circa | 12 years ago
Awesome. That was fast. I love lastpass!!