SN 900: LastPass Again

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

Steve included a quote from Elon Musk in this episode; it’s discussed at @1:27:35 in the show:

I can’t exactly say why, because it’s one of those things where, it’s like: my biological neural net said, ‘it is important to buy Twitter’ and just like with a digital neural net, you can’t really exactly explain why the neural net is able to understand an image or text – the collective result of the neural net says this is an important decision, or this is the right action, and my biological neural net concluded that it was important to buy Twitter and that if Twitter was not bought and steered in a good direction, it would be a danger for the future of civilization, and so… that’s why I bought it.

@Leo asserted this quote was “as clear as mud”. Elon’s statement seems lucid to me. Elon had a gut feeling or maybe a hunch that it was important to buy Twitter. He had a similar gut feeling in 2004 when he contributed $7.5M to the Series A investments in Tesla Motors and joined the company’s leadership. He thought this EV vehicle company – with his leadership – would have a positive impact on the future of civilization. Until about a year ago, there was near-unanimous agreement that Mr. Musk’s hunch on Tesla was correct.

Steve Jobs was legendary for his hunches. Steve’s neural networks informed him that the cellular carriers had no business controlling any of the content or functionality of the OS for his [proposed] iPhone. He pitched this to all of the carriers, and all but Cingular told him and Apple to take a hike. But Apple won, both companies profited handsomely from that initial exclusive deal, and the landscape of wireless service worldwide was forever changed. This 2008 WIRED article talks about many of the details of Apple’s breaking down the carriers’ “walled garden”.

Leo has over 30 years in broadcast/netcast/podcast media. I don’t know if he has ever contemplated the impact on civilization of his work, but he is clearly a fount of passion, knowledge, and experience. Steve Gibson’s pioneering work with SQRL should have a positive impact on computerdom – even if he is never fully appreciated for his work. And Steve and Leo’s work for 900 episodes of Security Now! has definitely had a positive impact for all online users. It has undoubtedly made civilization at least a little bit safer for everyone. OTOH, both of them have had failures: initiatives that will make no public difference to the world. That’s true of everyone.

Elon has gut feelings. Power to him! He uses a way of labeling those gut feelings that some don’t like. I don’t really care, and I’m not sure why anyone should care. If Leo thinks Elon’s message is “clear as mud” from that discussion, I wish he’d elucidate his opinion with a couple of paragraphs here. I wish that Steve would do the same – either here or on his podcast. Thanks.

I think a good/actually best replacement is Keepass. Open source, everything is encrypted, and you have total control over the vault location. I checked the iterations and the default is 1,000,000. It may not be as automated in some ways but it really isn’t hard to use.
Features - KeePass

If they go out of business, you still have everything, you don’t lose control.

I used to use it at a previous employer, it is fine, if you have a dedicated machine, but if you are constantly moving around machines, it is a pain. Yes, you can keep it on a Cloud Drive, but that isn’t any better than using a dedicated cloud service, like BitWarden (which is also open source). You have to enable the Cloud Drive on every device you want to use KeePass on. It also means you have to keep your cloud service password in your head, in order to access the cloud drive, in order to access your safe.

It also means it can become infected, if you use it on a machine that is infected with a virus, and it will automatically spread to all your other devices (using the same OS). The same is true, if you use a USB key.

Using a cloud password safe has many advantages and conveniences, but at the cost of complete security.

We have a policy at work: no external USB devices that aren’t from the company and aren’t encrypted, so using a personal stick would be grounds for dismissal. Likewise, attaching non-authorised cloud drives is grounds for dismissal. Opening the password safe in the browser is not…

There are many different ways of doing password security. It always comes down to which way makes the most sense in your situation; there is no right solution that will work for everyone.

1 Like

So after listening to this episode I made the decision to leave Lastpass.
If I do the following, have I created a situation where, even if the vault is hacked, there’s minimal reason to be worried, given I’ve done everything I can to prevent the cracking?

  1. Set all website passwords to 20+ random (text, symbols, numbers) characters.
  2. Set iterations to the max, e.g. 2M
  3. Switch to PW manager that uses scrypt or argon2 to eliminate brute force cracking method from being viable.
  4. Ideally set the master password to 20+ random (text, symbols, numbers) characters. Suboptimal but still viable is to use the first letter of each word in a phrase to create 20+ character string that is personal and memorable to me only, e.g. MdaIafboIki!Tmms2ad.CIbw? (My dog and I are friends but only I know it. This makes me sad twice a day. Could I be wrong?)

What am I missing?

1 Like
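To put numbers on the four steps in the post above, here is an added example (not code from the thread or from any password manager): it generates a uniformly random master password, sizes its search space, derives a vault key with PBKDF2 at the iteration counts discussed and with scrypt as the memory-hard alternative, and times each derivation to show how the KDF setting multiplies an attacker’s cost per guess. All salts, passwords and iteration counts here are constructed for illustration; the `100_000` comparison point is my own choice, not a figure from the thread.

```python
"""Added example (not from the thread): cost per master-password guess under
the KDF settings discussed above, and the size of a random password's search
space. All inputs are constructed for illustration."""
import hashlib
import math
import secrets
import string
import time

# 94 printable ASCII characters (letters, digits, symbols), no space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 20) -> str:
    """Steps 1 and 4: a uniformly random password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_password_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password: length * log2(alphabet).
    This bound does not hold for the first-letters-of-a-phrase scheme, whose
    characters follow English letter frequencies rather than being uniform,
    so its real entropy is lower than this formula suggests."""
    return length * math.log2(alphabet_size)


def pbkdf2_key(master: str, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Step 2: PBKDF2-HMAC-SHA256; `iterations` is the vault's iteration setting."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=dklen)


def scrypt_key(master: str, salt: bytes, n: int = 2**14, r: int = 8, p: int = 1,
               dklen: int = 32) -> bytes:
    """Step 3: scrypt, a memory-hard KDF. Each guess needs about n*r*128 bytes
    of RAM (16 MiB with these defaults), which is what blunts GPU/ASIC cracking."""
    return hashlib.scrypt(master.encode(), salt=salt, n=n, r=r, p=p, dklen=dklen)


def seconds_per_guess(kdf, master: str, salt: bytes, *args, rounds: int = 3) -> float:
    """Wall-clock cost of one derivation on this machine (one CPU core, so only
    a rough lower bound on what a dedicated cracking rig achieves per core)."""
    start = time.perf_counter()
    for _ in range(rounds):
        kdf(master, salt, *args)
    return (time.perf_counter() - start) / rounds


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate in a space of 2**bits at the given rate."""
    return 2**bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)      # constructed; a real vault stores its own salt
    master = random_password(20)
    bits = random_password_bits(20)
    print(f"master password: {master}  (~{bits:.0f} bits if truly random)")
    for label, kdf, args in [
        ("PBKDF2, 100,000 iterations", pbkdf2_key, (100_000,)),     # constructed baseline
        ("PBKDF2, 2,000,000 iterations", pbkdf2_key, (2_000_000,)), # the post's step 2
        ("scrypt n=2^14 r=8 p=1", scrypt_key, ()),                  # the post's step 3
    ]:
        t = seconds_per_guess(kdf, master, salt, *args, rounds=1)
        print(f"{label:30s} {t * 1000:8.1f} ms/guess  "
              f"-> {years_to_exhaust(bits, 1 / t):.2e} years to exhaust on one core")
```

Run it as a script to see the per-guess times on your own machine. The point the numbers make is the one the post relies on: raising the iteration count scales the attacker’s cost linearly, while a memory-hard KDF such as scrypt (or Argon2) adds a RAM requirement per guess that cheap parallel hardware cannot amortise. Note that the entropy figure is only valid for the uniformly random password; the memorable first-letter string in step 4 should be assumed weaker, which is exactly why the slow KDF matters.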

I would say you are reasonably secure, for the time being, as long as the PM is doing its job properly.

But… I would change the order, 3, 2, 4, 1. Change your password after you have moved to the new manager. :wink:

The passphrase is difficult: if it is too complex, you will never remember it and have to write it down, or you will leave it unlocked on your trusted devices - I have mine set to close after 30 minutes of inactivity, so I often need to re-enter the password several times a day. I also had to reset my work PC this week, which meant re-activating my safe in a new profile with 3 different browsers… A right royal pain! :smiley:

Edit: I forgot, don’t forget MFA.

1 Like

Thanks big_D!
One other question: do you know of any PW managers besides Dashlane that use Argon2?

I don’t. I know several are looking at it, but I think most are still on PBKDF2, because it is FIPS 140 compliant, which is needed for many certifications and use in many industries. But I expect to see many starting to switch this year and at least offering it as an option.

1 Like