1Password's gone bad - recommendations? - Page 3

Comments

  • WSS said: Enjoy your javascript-secured data.

    You didn't get the context of that at all did you? For a password management website, you have two choices, you can store passwords in plain text on the server, or you can decrypt them on the client side, where the only option is JavaScript. At least try a bit before posting memes, this is not 4chan. In case you forgot:

    bsdguy said: the nature of a forum: discussions
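
The architecture jgillich's post describes (decrypt on the client, the server only ever holds ciphertext) in working form, as an added example that is not part of the thread and not any vendor's code. Assumptions: a PBKDF2 work factor of 300,000, and an encrypt-then-MAC construction built from HMAC-SHA256 (counter-mode keystream plus an HMAC tag) standing in for the AES-GCM a WebCrypto client would actually use, so that the example runs on the Python standard library alone. The point it shows beyond the post is the key separation: the value the client sends to log in is a different subkey from the one that encrypts the vault, so the server can authenticate the user without being able to read anything.

```python
"""Client-side vault encryption, as described in the post above: the vault is
decrypted only on the client and the server stores nothing but ciphertext.

Added example, not code from the thread or from any password manager.
Assumption: AES-GCM (what a WebCrypto client would use) is replaced by an
encrypt-then-MAC construction built from HMAC-SHA256 (counter-mode keystream
plus an HMAC tag) so the example runs on the Python standard library alone.
"""
import hashlib
import hmac
import json
import secrets

PBKDF2_ITERATIONS = 300_000  # assumption: work factor, tuned per device in practice


def derive_master_key(master_password: str, salt: bytes) -> bytes:
    """Slow KDF run on the client; the result never leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )


def subkey(master_key: bytes, purpose: bytes) -> bytes:
    """Domain-separated subkeys (HKDF-expand style), so the login value the
    server receives cannot double as the vault encryption key."""
    return hmac.new(master_key, purpose, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    blocks = [
        hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def seal_vault(master_key: bytes, vault: dict) -> dict:
    """Encrypt-then-MAC on the client; the returned blob is all the server stores."""
    enc_key = subkey(master_key, b"vault-encryption")
    mac_key = subkey(master_key, b"vault-integrity")
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(vault, sort_keys=True).encode("utf-8")
    stream = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_key: bytes, blob: dict) -> dict:
    """Verify the tag before decrypting: a wrong master password or a tampered
    blob raises instead of producing garbage the UI might display."""
    enc_key = subkey(master_key, b"vault-encryption")
    mac_key = subkey(master_key, b"vault-integrity")
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("vault authentication failed")
    stream = keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)).decode("utf-8"))


def login_authenticator(master_key: bytes) -> str:
    """What the client sends to log in: a separate subkey, never the password
    and never the encryption key, so the server authenticates but cannot decrypt."""
    return subkey(master_key, b"server-login").hex()


def demo() -> dict:
    """Constructed sample vault; reports what each party can and cannot do."""
    salt = secrets.token_bytes(16)  # stored next to the blob, not secret
    vault = {"example.test": {"user": "alice", "password": "correct horse"}}
    key = derive_master_key("a long master passphrase", salt)
    blob = seal_vault(key, vault)
    server_view = json.dumps({"blob": blob, "login": login_authenticator(key)})
    results = {
        "roundtrip_ok": open_vault(derive_master_key("a long master passphrase", salt), blob) == vault,
        "server_sees_plaintext": "correct horse" in server_view,
    }
    try:
        open_vault(derive_master_key("wrong passphrase", salt), blob)
        results["wrong_password_rejected"] = False
    except ValueError:
        results["wrong_password_rejected"] = True
    last = int(blob["ciphertext"][-2:], 16) ^ 0x01  # flip one bit of the last byte
    tampered = dict(blob, ciphertext=blob["ciphertext"][:-2] + f"{last:02x}")
    try:
        open_vault(key, tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the four properties the design is supposed to have: the vault round-trips, the server's view never contains the plaintext, a wrong master password is rejected by the tag check rather than decrypting to garbage, and a flipped ciphertext bit is detected. What this does not address is the part of the thread about the browser itself: once the client decrypts, anything that can read the page (an extension, an XSS on the vendor's origin) reads the vault, which is why the JavaScript being "the only option" is a property of the architecture, not a weakness of the crypto.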

  • WSS Member

    @raindog308

    Really, the best option I see for implementation is to handle this completely on your end for storage, which works as a FIFO implementation for in/out and 2fa required with what would amount to a session cookie for that single instance. Leave it up to someone who knows each platform better how to interface each- but we all know that'll never happen, because having others do this is inherently less secure than doing it yourself, if only by obfuscation.

    @jgillich said:
    You didn't get the context of that at all did you? For a password management website, you have two choices, you can store passwords in plain text on the server, or you can decrypt them on the client side, where the only option is JavaScript.

    I'm sorry, but after reading this statement in so many different ways in an attempt to discern just what the fuck you seem to THINK you know, you are back on my "do not engage" list. Props for the l33t burn.

  • @Awmusic12635 said:

    Perhaps that was worded poorly, it wasn't intended to be directed at you specifically. Sorry about that.

    Apology accepted. Let there be peace

    I'd like to focus more on what is considered to be a reasonable price for maintaining such a service. Including

    1. Supporting the infrastructure( actual servers, software, security audits etc)
    2. Doing client support
    3. Product Design and development
    4. Business direction and company requirements (accounting, etc)
    5. Any other items i might be missing.

    They do seem to have a decent number of employees: https://1password.com/company/

    The original thought from the $10 per year came from the Lowend industry where many seem to have unrealistic expectations or expect the world for almost nothing.

    What do we consider to be a valid price for providing this service, a password manager, that I know many of us use an extreme amount of times per day and has become a critical part of our working environment?

    For a start, "we store your shit safely" is a lowend product, no matter how much one hypes it.

    As for your points 1 - 5 I assume that they are largely based on what "one thinks" and some marketing blabla. Security audits are an example. Do they really do those? And, if so, how are they done and do they actually mean anything (beyond marketing)?

    I just had a quick look at LastPass, a well-known service. They use a CDN and Google Analytics is splattered all over the place. End of analysis; more isn't needed to see that it's but a rip-off caring shit about safety.

    But OK, let's look a little closer. How do all them remote pw manager thingies work? By using the clipboard or a similar insecure mechanism provided by some browser interface or some plugin.
    Now, tell me, what's the single most bloated and insecure piece of software crap on your system? Right, it's your browser.

    That whole "we store your passwords and comfortably insert them for you while you are browsing" business is insane (security wise) and utterly ignoring the basic laws of security.

    The law is: Strength of the security chain is defined by its weakest element.

    The weakest element is either the browser or the shitty password storage service. And BANG, exactly that weakest element is the pillar upon which rests the whole she bang.

    Now, I do understand that people want comfort. And that is what they pay for and what they get. NOT security. "security" is just psychologically necessary mumbo jumbo because deep in their hearts people fucking know that having all their passwords on the internet at some shady provider is insane. Hence the providers must make a whole lot of security mumbo jumbo to cool down the customers' bad conscience, enough to make them sign up and pay.

    Case closed.

  • Awmusic12635 Member, Host Rep

    Just in case anyone was curious they do have a whitepaper posted on how they handle security. Figured it might be worth a read: https://1password.com/files/1Password for Teams White Paper.pdf

  • @raindog308 said:

    bsdguy said: The core of such a service consists of three elements:

    No, there's quite a lot more.

    You need desktop and mobile apps because people want to store non-web passwords, too. You need to support all the major browsers on all the major platforms (yep, warm up your Internet Explorer on Windows skills). And iOS and Android. Maybe watches. There's all the hard UI stuff - for your users' sake, hopefully this takes the majority of the time. Then you get to master the APIs for Dropbox, OneDrive, Google Drive, and others, or create your own service (but cunts on LET will complain about that). Then you can figure out how to make all these clients sync. Oh, and you need to get encryption right in all of this, which is never easy, and at some point the sales department will point out that you can get a lot more sales from companies if you pass audits X and Y.

    You didn't get the meaning of "core"?

    bsdguy said: pretty much written once and that's about it

    bsdguy said: which is also written once and that's about it

    That's not how that works. New OS versions come out, new browser versions come out every week it seems like, and there's a never ending stream of user tickets, bugs, and problems. How often is there a new phone? Etc. You can say your code is immortal, but your users would appreciate you testing it and finding bugs before they do. You're in bed with Microsoft, Apple, and Google whether you like it or not, and they change things.

    Thanks so much for entertaining me better than Monty Python could. Now, you are explaining my fucking job to me? How many lines of formal TLA specs have you written so far? Let me guess: None, zero, zilch.

    New OS versions come out? How devastating! I'm shocked to see my whole game shattered. Or no, wait. Looking at it I find that 99% of my code written for Windows XP still works on Windows 7 (and quite certainly on W10, too). A recompile is all that is needed. Cool, huh?
    Even better: My security related code works cross platform. A miracle! (Hint: I do not use C or C++, except as meta assembler).

    The hardest part is probably making sure your stuff works on all the web sites. It's up to you to test that it works because your customer isn't going to say "I wanted to use BSDGuyPass to login to my bank, but gosh, they must not be using standards-compliant HTML so I guess I'll change banks"...they're instead going to give you a 1-star review because you're not doing your job. The world is not going to be standards-compliant and as the software publisher, yep, that's your problem.

    There are probably a few more things but that's the main. That's not simple, and I of course am willing to pay for it. I was arguing about the subscription service, not the complexity of the problem.

    That's bullshit. The password service toy feeds the password via some mechanism like the clipboard into a html text field, case closed.

  • bsdguy said: aren't they more based on what can be reasonably milked from a given market. 5 million customers paying $10/year is more than 500k customers paying $35.

    Yes, that is what I meant.

    WSS said: I'm sorry, but after reading this statement in so many different ways in an attempt to discern just what the fuck you seem to THINK you know, you are back on my "do not engage" list. Props for the l33t burn.

    Thanks, I guess. Whatever triggered you this time, because you never tell. Probably my oversimplification of "plain text storage". But if you jump to conclusions that quickly, I'm more than happy to be on that list.

  • @Awmusic12635 said:
    Just in case anyone was curious they do have a whitepaper posted on how they handle security. Figured it might be worth a read: https://1password.com/files/1Password for Teams White Paper.pdf

    For a start that is not a whitepaper but pseudo security blabla for pseudo "security-conscious" half-wits.

    Some funny examples:

    They use CryptGenRandom() to get random on Windows. That's a worthless statement as they tell nothing about the crypto provider nor the relevant CryptGenRandom() parameters.

    They use TLS. Wow, cool. In other words: they use the more or less current version of SSL (shit security layer).

    They store their database - and hence your data - in? A mysql compatible amazon database. Yay!

    They use w3c webcrypto for javascript. For which there is no formal spec, no verification, nothing.

    Just as I said: mumbo jumbo to cool down worried clients. And hey, they use the same DB provider nsa and cia use. What could possibly go wrong?!

  • jar Patron Provider, Top Host, Veteran

    bsdguy said: And hey, they use the same DB provider nsa and cia use. What could possibly go wrong?!

    That's why all my passwords are "fuckthecia." Ha, joke's on them!

  • @jarland said:

    bsdguy said: And hey, they use the same DB provider nsa and cia use. What could possibly go wrong?!

    That's why all my passwords are "fuckthecia." Ha, joke's on them!

    Careful there! You should add a digit and a special char to "fuckthecia"! *g

  • WSS Member

    @bsdguy said:
    They use w3c webcrypto for javascript. For which there is no formal spec, no verification, nothing.

    That's all you'll ever need. Don't forget that WHMCS uses base64 encryption. ;)

    @jarland said:

    bsdguy said: And hey, they use the same DB provider nsa and cia use. What could possibly go wrong?!

    That's why all my passwords are "fuckthecia." Ha, joke's on them!

    How many notification emails have you received in the last minute?

  • @WSS said:

    @bsdguy said:
    They use w3c webcrypto for javascript. For which there is no formal spec, no verification, nothing.

    That's all you'll ever need. Don't forget that WHMCS uses base64 encryption. ;)

    You just don't understand "totally trustworthy web crypto". Look, if your password is 4 characters long that's base64*4 = Two hundred Fittysex bits!!1!!
    Plus the hidden rotl13 stage high end sakkurity providers employ * shiver

  • WSS Member

    @bsdguy said:
    You just don't understand "totally trustworthy web crypto". Look, if your password is 4 characters long that's base64*4 = Two hundred Fittysex bits!!1!!
    Plus the hidden rotl13 stage high end sakkurity providers employ * shiver

    I remember not that long ago when you had to get a binary with a specially-backdoored SSLeay library in order to "legally" run SSL here in the states, and it wasn't that long ago. Now, a bit over 20 years later, nobody knows or cares who the fuck their CA is- as long as their browser doesn't bitch that it's missing the intermediary- and they're posting every little bit of their personal life on social media.

    base64+rot13 with time_t of request(encoded in the header with a private salt, of course) is probably a bit more secure than what most people are actually using.

    I'll admit that I do use LastPass, but I use it primarily for sync, because everything important is 2FA (and they can completely recover your password and display it to you as plaintext on their webservice). I wouldn't make the mistake of considering any third party- or any tool that interfaces form inputs as secure, or trustworthy.

  • jar Patron Provider, Top Host, Veteran
    edited March 2017

    WSS said: I'll admit that I do use LastPass, but I use it primarily for sync

    I mean it's all layers. Your security should be equal to the value of what's behind it. If it's cat pictures, "password" stored in MD5 will do just fine. We all know you're going to post them on reddit anyway.

  • WSS Member

    @jarland said:
    I mean it's all layers. Your security should be equal to the value of what's behind it. If it's cat pictures, "password" stored in MD5 will do just fine. We all know you're going to post them on reddit anyway.

    Shows what you know (I'm apparently a btard). I prefer plaintext, really, because SQLite can be hard to read from http://wss.org/mypasswords.sqlite3 because of all of those weirdo character thingies it shows

  • @jarland is right. What he says is a simple rule but also an important one that unfortunately is regrettably often ignored.

    If @WSS uses some "we store your shit" service there is nothing wrong with that as long as it's about the gazillion passwords one amasses for rarely used and not exactly sensitive accounts.

    Where I see a grave problem though is when people are putting pretty much all their passwords and keys into such a crapbox - as probably millions and millions do.

  • jar Patron Provider, Top Host, Veteran

    I'm reminded again of the time when an old Gmail account of mine got compromised. Was never used for anything important but I decided to check on it a couple years after I had last used it. Found someone used it to register a Dropbox account to store their family photos.

    Not even to spam. They just really needed another Dropbox account. Really enjoyed the pictures of their couch.

  • WSS Member

    The sad thing is that the majority of "security" tools are designed to bilk money from window lickers. Actual security tools are far too inconvenient. I mean for fuck's sake- the first thing people want is to have their important data blindly pasted into textareas. Either you want security, or you want the illusion (which has been touched by several of you already). Anything truly important shouldn't be trusted to any third party which is easily accessible by the masses (e.g. public http).

  • I switched from 1Password to KeePassXC which aims to be a better cross-platform solution based on KeePassX. The source is open here: https://github.com/keepassxreboot/keepassxc.

    I use KeePass2Android on my phone which works well.

    I sync my database with dropbox and use the additional local key feature which I manually transfer to my devices not over the cloud so there is an additional layer over my master password in case Dropbox "drops" the ball on security at some point.

    I like KeePassXC due to some convenience features being baked in like the HTTP feature which isn't the absolute best but works well. I also like the quicker development pace. I am sure KeePassX would work just as well too..

    I ditched 1Password due to non-existent Linux support and their migration to a service that seems subscription oriented. I do not think they will continue with the "pay once, keep for life" model.
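
The "additional local key" the post above relies on is a composite key: the database key is derived from the master password and a key file together, so the copy of the database sitting in Dropbox is useless to anyone who has only one of the two. Below is an added example of that idea; it is not KeePassXC's or KeePass2Android's code. It follows the KDBX approach (hash each component, hash the concatenation, then a slow transform) in simplified form: PBKDF2 stands in for AES-KDF/Argon2, the XML key-file variant is left out, and the database body is omitted so only the unlock check is shown.

```python
"""Composite key from a master password plus a key file, the second factor
the post above keeps off the cloud.

Added example, not KeePassXC's or KeePass2Android's code. It follows the
KDBX idea (hash each component, hash the concatenation, then a slow
transform) in simplified form: PBKDF2 stands in for AES-KDF/Argon2, the XML
key-file variant is left out, and the database body is omitted so only the
unlock check is shown.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def keyfile_secret(content: bytes) -> bytes:
    """Turn a key file into 32 key bytes: exactly 32 raw bytes are used
    as-is, 64 hex characters are decoded, anything else is hashed."""
    if len(content) == 32:
        return content
    stripped = content.strip()
    if len(stripped) == 64:
        try:
            return bytes.fromhex(stripped.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(content).digest()


def new_keyfile() -> bytes:
    """Fresh random key file in the 64-hex form. Copy it to each device out of
    band, never through the same sync folder that holds the database."""
    return secrets.token_bytes(32).hex().encode("ascii") + b"\n"


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """Each supplied factor is hashed and the hashes are hashed together, so
    dropping or replacing either factor yields an unrelated key."""
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += keyfile_secret(keyfile)
    if not parts:
        raise ValueError("at least one key component is required")
    return hashlib.sha256(parts).digest()


def transform_key(composite: bytes, seed: bytes, rounds: int) -> bytes:
    """Slow transform so offline guessing of a leaked database is expensive."""
    return hashlib.pbkdf2_hmac("sha256", composite, seed, rounds, dklen=32)


def create_database(password: Optional[str], keyfile: Optional[bytes],
                    rounds: int = 100_000) -> dict:
    """Header plus a keyed check value (KDBX4 keeps an HMAC over the header)."""
    seed = secrets.token_bytes(32)
    header = seed + rounds.to_bytes(4, "big")
    key = transform_key(composite_key(password, keyfile), seed, rounds)
    return {"header": header, "check": hmac.new(key, header, hashlib.sha256).digest()}


def unlock(db: dict, password: Optional[str], keyfile: Optional[bytes]) -> bool:
    """True only when the supplied factors reproduce the key; the wrong
    combination is rejected before any decryption would be attempted."""
    seed, rounds = db["header"][:32], int.from_bytes(db["header"][32:], "big")
    try:
        key = transform_key(composite_key(password, keyfile), seed, rounds)
    except ValueError:
        return False
    return hmac.compare_digest(hmac.new(key, db["header"], hashlib.sha256).digest(), db["check"])


def demo() -> dict:
    """Constructed scenario: the database is synced through the cloud, the key
    file lives only on the devices."""
    keyfile = new_keyfile()
    db = create_database("master password", keyfile)
    return {
        "both_factors": unlock(db, "master password", keyfile),
        "password_only": unlock(db, "master password", None),
        "keyfile_only": unlock(db, None, keyfile),
        "other_keyfile": unlock(db, "master password", new_keyfile()),
        "nothing": unlock(db, None, None),
    }


if __name__ == "__main__":
    print(demo())
```

The scenario in `demo()` is the one the post is protecting against: Dropbox leaks the database, and even a phished master password does not open it without the key file. The caveat is operational rather than cryptographic: if the key file ever ends up in the same sync folder, it has become a second copy of the database's secret rather than a second factor.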

  • LastPass is a good alternative, been using it for years.

  • I have heard of a guy who intentionally gets bitten by venomous snakes. So he could rightfully state "I've been bitten by venomous snakes for years". Should we follow his advice if his next sentence was "Getting bitten by venomous snakes is a good alternative"?

  • raindog308 Administrator, Veteran

    bsdguy said: You didn't get the meaning of "core"?

    I did, but it's irrelevant. It's like saying "building an airplane is trivial, look, here's how you design the engine, and you're done". When you state that such a service should cost $10/yr, then you yourself are discussing a lot more than "core".

    I gather you yourself have never used a password manager. But you still fancy yourself an expert on the market...?

    bsdguy said: Thanks so much for entertaining me better than Monty Python could. Now, you are explaining my fucking job to me?

    Apparently someone needs to.

    bsdguy said: New OS versions come out? How devastating! I'm shocked to see my whole game shattered. Or no, wait. Looking at it I find that 99% of my code written for Windows XP still works on Windows 7 (and quite certainly on W10, too). A recompile is all that is needed. Cool, huh? Even better: My security related code works cross platform. A miracle! (Hint: I do not use C or C++, except as meta assembler).

    The stuff you write at home for yourself doesn't count.

    The hard work is at the client and on the web. So yeah, when Apple releases a new iOS version or Microsoft puts out a new .net framework or there's a new HTML fad, your code will break and you'll have to maintain it. In Objective-C or .net C#, not your favorite flavor of assembler.

    bsdguy said: A recompile is all that is needed

    Sure sounds like regular maintenance work to me. I guess we can't just write it once and be done with it.

    bsdguy said:How many lines of formal TLA specs have you written so far? Let me guess: None, zero, zilch.

    Yawn. This is your answer for everything. Yes, you have a bigger e-penis than the rest of the universe. How dare we mortal LETizens even comment? Throw in a hardon for the Russians, a touchy trigger-finger about perceived ad hominems, and a cross-language thesaurus for "nada" and I think we could write an emulation script for you.

    bsdguy said: That's bullshit. The password service toy feeds the password via some mechanism like the clipboard into a html text field, case closed.

    Writing a password management system in assembler with mathematical proofs of correctness that only works over the command line on OpenBSD is not the problem. Something that's secure and easy to use cross-platform on every device and web site is.

    If you've never used a password manager, are ignorant about them, and think they're wrong computing, why are you so opinionated about them?

  • bsdguy Member
    edited March 2017

    @raindog308

    Cute. But unfortunately in pretty much every possible way wrong and, pardon me, plain stupid.

    It might shock you but actually I do not need to have used a remote password manager to know about their security. And btw, I have read their whitepaper (have you?).

    And you, what have you to bring to the table, other than ad hominem attacks? And I'm not even talking about your stupid attempt to paint me as a hobby programmer but rather that you have not shown any competence whatsoever in the field of IT security so far - unlike myself.

    But then mighty raindog308 needs no fucking competence. He just tells us how the world works and we take that as gods word ... (or so he dreams).

    Writing a password management system in assembler with mathematical proofs of correctness that only works over the command line on OpenBSD is not the problem

    Is that so? Then do it, bigmouth!
    Not even a whole system but just some routines, say one that gets 128 bytes of good quality random, one that reads a single entry from the DB, and one that does a SHA-256 hash. Oh, and: Don't forget the formal spec. Small job, right? Smaller even than what you just bragged.
    Or you save your time and don't even attempt it because I let you in on a little secret: You won't find a static verifier for assembler. Oopsie.

    So, try your "streetwise" games with someone else, bigmouth.

  • In the interest of defusing things, I'm just jumping into the fray (pray don't shoot the messenger or the middleman).

    First and foremost, it's one big continuum (maybe not, but don't nit pick) with convenience at one end and (ideally) perfect security at the other [i.e. isolated host sitting by itself]. Different people have different needs/perceptions/wants/whatever and are usually making tradeoffs between convenience and security (usually knowingly at least most of the LET crowd, I'd say). Different people have different "acceptable" points on that spectrum and we need to respect their own choices despite disagreeing with them.

    At the end of the day, as long as they're (reasonably) aware of whatever they're subscribing/buying/getting with the associated tradeoffs let us leave things be.

    This discussion is about alternatives to 1password so let's just get on, shall we?

    Thank you.

  • Personally I use KeePassX, but for my relatives, who are less computer literate, I installed SafeInCloud on iOS, Android and PC. I set up a private WebDAV server where their password stores are saved and synchronized. Works very well and doesn't involve a 3rd party for storage.

  • jar Patron Provider, Top Host, Veteran
    edited March 2017

    bsdguy said: you have not shown any competence whatsoever in the field of IT security so far

    To be fair, and I'm not trying to be unfriendly here, from my perspective the most you've done here to do that is tell us that you're an expert in it. If I've glossed over significant detail to arrive at that conclusion, I apologize. I've seen bits and pieces of data but the bulk of it appeared to be centered around "This is what I do and that's why they're wrong." That's fine, by the way. I'm not dismissing it or suggesting that you're wrong about anything.

    But do keep in mind that if you use your profession as a reference while none of us here know anything about who you are or what you do, nor have any ability to see and test your security practices first hand, there is a point where we will take what you say with a grain of salt. Such is a natural reaction, I would propose. We're on the internet after all. I certainly don't need to tell you how much bad advice is floating around. There's a reason we all learned to take advice with a grain of salt.

  • @jarland said:

    bsdguy said: you have not shown any competence whatsoever in the field of IT security so far

    To be fair, and I'm not trying to be unfriendly here, from my perspective the most you've done here to do that is tell us that you're an expert in it. If I've glossed over significant detail to arrive at that conclusion, I apologize. I've seen bits and pieces of data but the bulk of it appeared to be centered around "This is what I do and that's why they're wrong." That's fine, by the way. I'm not dismissing it or suggesting that you're wrong about anything.

    But do keep in mind that if you use your profession as a reference while none of us here know anything about who you are or what you do, nor have any ability to see and test your security practices first hand, there is a point where we will take what you say with a grain of salt. Such is a natural reaction, I would propose.

    Not quite. I made quite some professional statements and hence there is a body that can be examined and verified. Look at any professional forum and statements are the "currency"; you tell bullshit and you are caught, based on your statements. Or you have knowledge and one listens to you. So, yes, I have delivered quite a lot that allows one to judge me.

    And: It's not about a grain of salt. Anyone is free to trust or believe me or to not do so (Besides, there are also other options in between, such as asking, for instance).

    Also see it from my side for a moment: What if I'm really a professional in the field of IT security and working daily with tools like TLA (formal spec), Spark/Ada, Frama-C, etc? What if I'm real and just a friendly guy willing to share his knowledge? It's not that I expect a big thank you but not being the target of (granted, helpless) pissing attempts would be nice, no?

    And keep in mind: If - and the chances are high - one day soon, say lastpass has a major breach then I'd feel like an asshole having the knowledge but not having warned.

  • For a while I used to use a program I wrote that took a massive seed and the host name of where I wanted to log into to generate a unique password, converted into base whatever from the resultant base 16 hash. It works OK until it hits the real world of [place where special chars aren't allowed] or [password doesn't meet other arbitrary requirement]... (ideally I wouldn't store the passwords anywhere). It's also much more convenient to have something that populates forms (hint: now talking about client side code).

    @bsdguy maybe you do have [great wealth of experience] in a particular area but you're terrible at communicating it, and you're pretty damned determined to get the message out that you know better... than everyone basically.

    I think I can infer that you're a command line kinda person, your description of building an online service is a massive oversimplification, like forgetting some kind of account management, billing management. You're just yacking on about how you did some unit testing for a chess game you wrote in Java, one time :)

    Saying 'I don't use online password systems and here's why' would be much more succinct than getting your life story.

    All that aside, I wouldn't use online password storage and I'm pretty sure the OP is already aware of the pros and cons.
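
The generator ricardo describes at the top of that post (seed plus hostname, hashed, re-encoded "into base whatever"), as an added example that is not ricardo's program and not part of the thread. Assumptions: HMAC-SHA256 keyed with the seed is the hash; the digest bits are converted into the site's alphabet by base conversion; a per-site Policy (length, alphabet, required character classes) is how the "special chars aren't allowed" and "other arbitrary requirement" cases he hit are handled, by deriving fresh digest blocks until the policy is met; and a per-site counter is added so one site's password can be rotated after a breach without changing the seed.

```python
"""Deterministic per-site passwords from a secret seed and the hostname, the
scheme ricardo describes, with the site-policy problem he ran into handled.

Added example, not ricardo's program. Assumptions: HMAC-SHA256(seed, label)
is the hash, its bits are re-encoded into the site's alphabet by base
conversion, a per-site Policy covers sites that forbid special characters or
demand certain classes, and a counter allows rotating one site's password
without touching the seed.
"""
import hashlib
import hmac
import math
import string
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Policy:
    length: int = 20
    alphabet: str = string.ascii_letters + string.digits + "!@#$%^&*-_="
    required: Tuple[str, ...] = (string.ascii_lowercase, string.ascii_uppercase, string.digits)


# Constructed policy for a site that rejects special characters.
ALNUM_ONLY = Policy(length=16, alphabet=string.ascii_letters + string.digits)


def normalise_host(site: str) -> str:
    """Map URL-ish input to a canonical host so 'https://www.Example.com:443/x'
    and 'example.com' produce the same password (assumption: www. is dropped)."""
    host = site.lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    if host.startswith("www."):
        host = host[4:]
    return host


def expand(seed: bytes, label: bytes, nbits: int) -> int:
    """Concatenate HMAC-SHA256 blocks until at least nbits are available."""
    blocks = [
        hmac.new(seed, label + bytes([i]), hashlib.sha256).digest()
        for i in range((nbits + 255) // 256)
    ]
    return int.from_bytes(b"".join(blocks), "big")


def to_base(n: int, alphabet: str, length: int) -> str:
    """Base conversion into the alphabet (the 'base whatever' step)."""
    base = len(alphabet)
    chars = []
    for _ in range(length):
        n, r = divmod(n, base)
        chars.append(alphabet[r])
    return "".join(chars)


def meets_policy(candidate: str, policy: Policy) -> bool:
    """Every required class must be represented at least once."""
    return all(any(c in cls for c in candidate) for cls in policy.required)


def derive_password(seed: bytes, site: str, policy: Policy = Policy(), counter: int = 0) -> str:
    """Deterministic: the same seed, site, policy and counter always give the
    same password, so nothing needs to be stored except the seed and, per
    site, the policy and counter (neither of which is secret)."""
    # 64 extra bits keep the modulo bias of to_base negligible.
    nbits = math.ceil(policy.length * math.log2(len(policy.alphabet))) + 64
    for attempt in range(256):
        label = f"{normalise_host(site)}|{counter}|{attempt}".encode("utf-8")
        candidate = to_base(expand(seed, label, nbits), policy.alphabet, policy.length)
        if meets_policy(candidate, policy):
            return candidate
    raise RuntimeError("policy cannot be satisfied from this alphabet")


if __name__ == "__main__":
    demo_seed = b"constructed seed for the demo, not a real one"
    print(derive_password(demo_seed, "https://www.example.com/login"))
    print(derive_password(demo_seed, "example.com", ALNUM_ONLY))
```

Two things the scheme still does not solve, and which are the reason ricardo moved to something that "populates forms": a site that changes its rules forces a counter bump and a password change there, and the seed is a single secret whose loss or compromise affects every site at once, so it needs the same protection a vault's master password would.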

  • @ricardo said:
    @bsdguy maybe you do have [great wealth of experience] in a particular area but you're terrible at communicating it, and you're pretty damned determined to get the message out that you know better... than everyone basically.

    Simple reason: I don't talk about things I don't know. iphone problems? I'll be quiet. graphics programming? I'll be quiet. Graphics design? I'll be quiet. not totally simple iptables stuff? I'll be quiet....

    And no, I'm not interested to get across that I know (in my field). In that regard this forum is utterly irrelevant to me (my clients are relevant and peers are). I'm interested in not letting bullshit stand.

    I think I can infer that you're a command line kinda person, your description of building an online service is a massive oversimplification, like forgetting some kind of account management, billing management. You're just yacking on about how you did some unit testing for a chess game you wrote in Java, one time :)

    Then you think triple wrong. a) network services are a major part of what I do; granted, very little client side but I've been involved in enough projects to have a good idea about their work (in terms of time and complexity).
    b) I never checked a chess program and I don't touch java.
    c) of course there is billing, accounts, hr, etc - but: There's little difference there between a password service, an email service, or a hosting service. And as those are so common it's easy and relatively cheap to get done.

    Saying 'I don't use online password systems and here's why' would be much more succinct than getting your life story.

    Oh, I'm so sorry that I painted it green while you'd have preferred blue. And btw: I didn't tell my life story; why do you play foul inventing things?

    All that aside, I wouldn't use online password storage and I'm pretty sure the OP is already aware of the pro's and con's.

    Thanks for including at least one sentence re. the thread topic.

  • Yeah, the thread topic is about online services storing passwords, which you've spent a considerable amount of time devaluing, vaguely and without mentioning an alternative means.

    My original statement at least offered an alternate means, which you seemed to overlook because it wasn't about you :). It's also alluding to the fact that there is client side technology involved in its usefulness, which relates to this discussion about understanding the latest browsers. Which browser events work across desktop, tablet and phone, across all popular browsers? Subtle things are relevant. You aren't a UI guy, clearly (neither am I).

    There's little difference there between a password service, an email service, or a hosting service.

    Said like a true theorist. I'll not even ask if you'd take 'off the shelf' solutions and how they fit into your line of thinking, or whether it'd be written from the ground up. Building online apps simply isn't the same as black box number theory.

    The topic is recommending existing alternatives to 1Password, recommended anything yet ?:)

  • bsdguy Member
    edited March 2017

    @ricardo said:
    Yeah, the thread topic is about online services storing passwords, which you've spent a considerable amount of time devaluing, vaguely and without mentioning an alternative means.

    My original statement at least offered an alternate means, which you seemed to overlook because it wasn't about you :).

    Why am I not surprised that you didn't get what I meant? So I'll spell it out clearly for you: That was sarcasm because pretty much everything else was about me. Trust me, I do not desire any "opinion" from you about me.

    You aren't a UI guy, clearly (neither am I).

    At least one thing you got right.

    Said like a true theorist. I'll not even ask if you'd take 'off the shelf' solutions and how they fit into your line of thinking, or whether it'd be written from the ground up. Building online apps simply isn't the same as black box number theory.

    Theorist? uhum. Now guess: What's the major work and cost block when creating a password service: The (hopefully reasonably safe) password related parts - or - the standard stuff pretty much every online company of that kind needs? The parts that (hopefully) set you apart and are the bloody core of what you sell - or - the housekeeping stuff that earns you no money?

    The topic is recommending existing alternatives to 1Password, recommended anything yet ?:)

    The same that I'd recommend if the topic was "What's an alternative to dog shit for dinner?" - None, when there's only different kinds of shit on the menu.

    P.S. As OPs interest is for a considerable part about lower costs than 3$/month (which I also find very high) I actually do have an alternative: Cheaper dogshit, i.e. a cheaper half-way decent (if one can say that in this context) online password service.
