LastPass breach and implications for BitWarden

That’s a good point and well raised @222 (and I probably should have referenced that myself in my post above, as it is the other reason they may not be encrypted). However, I do think this should be a less likely reason these days, given multiple other PWMs do encrypt (like BW, 1PW, NP, etc.) and it has no detrimental impact on their browser extension performance - however, that’s not to say it won’t be detrimental to LP’s specific extension…

Most likely the true reason is some sort of combination of some of this and the desire to read & analyse the users’ activity data.

The login email address is stored in cleartext in the database — not sure if that is what you mean by “exposes”. Data sharing policies are documented in the Privacy Policy.

Yes, that’s what I meant. Stored in plaintext. So a data breach would understandably expose that we are customers of Bitwarden but wouldn’t expose any associated data, as the vault is fully encrypted, unlike LP.

With regards to the first part of your statement, I think that many users who are concerned about privacy and security use an anonymous email address for their Bitwarden login.

With regards to the second half of your statement, the sensitive vault data is fully encrypted (unlike LP), but there are some metadata (e.g., preferences and timestamps) that are stored in plaintext (see here and here).

In the end, isn’t using a tool that stores the database locally on your system the best possible (but not certain) security? That assumes, of course, that your device doesn’t get stolen. (And you could add another level of security with a device locker, e.g., BitLocker.)

Self-hosting also means you have to ensure your own backups are sufficient and secure. Alternatively, you delegate it all to a provider like BW and trust that they are the experts.

On the other hand, BW are a BIG target for hackers. If you self-host then hackers will probably think you’re not worth it.

Especially as you can hide its existence pretty effectively by using a VPN, or a path off the domain (only in vaultwarden?).

Secure and reliable backups are key though, and of course you need to keep the credentials for your backups and hosting backed up outside BW too.

Class action lawsuit against LastPass was filed 01/03/2023 in MA. Someone is already claiming that it caused them to lose $50,000 in Bitcoin because they had their security keys stored in LP.

(post edited to correct the date to 2023)

True, but it depends on how much trouble you want to endure vs. your level of anxiety over a potential breach of the expert’s system. If you think that your home is secure, you can print out your vault periodically and stick it in a fireproof safe; certainly not fail-safe. For me, I’ll trust BW.

For most people, no. They are not IT security experts and they do not know the proper tools and measures to effectively protect themselves.

Hey @southerndoc, do you have a link/reference for the report? I do wonder how genuine it is vs. a frivolous claim to try and make some quick cash. If genuine, I’m interested to read more: is it proof of a lost LP user vault having its password cracked (and possibly cracked due to the poor level of iterations in the key encryption many LP users have due to the failures in that area by LP)?

P.S. assume you meant 2023 too (i.e. 3 Jan 2023), not 2022? Don’t you hate it when the year rolls over and you have to remember to fight your muscle memory and change the number? :wink:

@Mycenius Yes, 2023.

Includes link to the PDF of the actual filing.

@Mycenius I think it’s proof of the low frequency of the plaintiff’s synapses firing if he kept his BTC seed in an online password manager with a significant sum sitting on the blockchain.

He probably used a compromised online password generator at the site makepasswordheretoprotectcryptoseeds.com.

:laughing: :rofl: yep, quite possibly - but 1Password has a crypto wallet so LastPass likely does too. So they would encourage you to do so if you were just the man on the street dabbling in crypto, I’d think…

Perhaps. Or he had a crappy weak password on his LP vault and it may have been in the batch stolen. So it doesn’t rule out that it was obtained from his LP vault (which itself was potentially gained from the breach theft). Or it’s just an opportunist scam claim… :wink:

There is a PDF link with the full court filing, but I haven’t gone through that in detail yet to see if any technical detail has been provided to substantiate the claim and the LP breach & vault theft link.

I think 1Password only has a blockchain seed template you can use within 1Password. I don’t remember LP having a similar template. It encourages a very poor security practice.

That’s a very very good point from 1password in my opinion. I’m a Bitwarden user and I’m also trying to see what Bitwarden thinks about this. Adding a 256 bit random secret key to your password that’s only stored locally on the device or paper means that the vault is encrypted by two different factors, your password, and the secret key. The 2fa options that Bitwarden offers are only when logging in, but if someone has the vault, they only need your password and can theoretically be brute forced (as far as I understand). The people that keep saying that Bitwarden is just as good if you use a good password are missing the point in my opinion:

- First of all, you don’t improve or become the best if your mentality is “it’s good enough”. If a hypothesis suggests that something can make things even better, then it should be studied really hard.
- People keep making calculations to show that if you have a password of a particular length it will take a million years or whatever to crack, but the reality is it would be extremely difficult to create a truly random master password; people will often create a password that they can remember but think will be difficult for someone else to guess. Having a password made of words, while substituting numbers for letters such as 4 for A, 7 for T etc. (leet speak), and then adding a suffix of numbers or special characters is not as secure as people think. That’s because password crackers are way more sophisticated than people think; they don’t try different random letter combinations one by one like people think, so all those calculations of how many years it will take don’t even apply. Password crackers can do a dictionary attack and do all these tricks of substitutions and suffixes; the dictionary of words comes from previously leaked passwords such as the millions that Yahoo leaked and the millions of others that some other company leaked and so on. The password cracker will start with the passwords that are more common, and depending on the algorithm selected it can guess from there the substitutions and additions etc. If you thought of a password, then someone else can think of it as well. Your particular password doesn’t even have to have been used or leaked before; if a similar password or a similar part of your password was leaked then the cracker may guess correctly. Normally this isn’t such a big issue when talking about online login passwords because you usually get locked out after 10 wrong tries or so, but when you can try as many times as you want to unlock your vault, then we have to think of the issues.
- Another point is that even if your personal password is a gazillion characters long and there is no way in hell it will be cracked, the reality is that other people’s passwords are not as strong, and hackers know this, so there will be an incentive to get their hands on the vaults and try to crack the weak vaults, meaning hackers will focus on Bitwarden in general. But having a secret key added to every vault like 1Password said means that even people who have weak passwords will be very very difficult to crack since it still has a random 256 bit secret key, so hackers wouldn’t bother with password managers that do that, and will focus their attention on others that don’t use this additional secret key (which at the moment is LastPass and Bitwarden unfortunately).

Note I’m not a technical person so I may have got something wrong, but I strongly feel that this topic should be given enough attention and studied with self critique, not by being defensive of current practices and just saying use a stronger password etc…
Thanks

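A constructed illustration of the secret-key argument in the post above, added here and not code from 1Password, Bitwarden or the poster: a toy key derivation that mixes a PBKDF2 password key with a random 256-bit secret key, plus a model of an offline dictionary check against a stolen vault, showing that a weak password in the candidate list is recovered when the vault key depends on the password alone but not when it also depends on a secret key the holder of the vault does not have. The iteration count, salt, candidate list and secret key are all constructed values, and the scheme is a simplification, not either product's real derivation.

```python
import hashlib
import hmac
import math
from typing import List, Optional

# Constructed, simplified two-secret key derivation for this illustration only;
# it is NOT 1Password's or Bitwarden's real scheme. The vault key is the PBKDF2
# output of the master password XORed with a key expanded from a random 256-bit
# secret that lives only on the user's devices or on paper.
ITERATIONS = 50_000        # deliberately low so the demo runs quickly
SECRET_KEY_BITS = 256


def derive_vault_key(password: str, salt: bytes, secret_key: Optional[bytes]) -> bytes:
    """Key from the password alone, or from password AND secret key when one is set."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    if secret_key is None:
        return pw_key
    sk_key = hmac.new(secret_key, salt, hashlib.sha256).digest()  # bind secret to this salt
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def make_auth_tag(password: str, salt: bytes, secret_key: Optional[bytes]) -> bytes:
    """What a server or a stolen vault holds to check an unlock: a hash of the vault key."""
    return hashlib.sha256(b"auth:" + derive_vault_key(password, salt, secret_key)).digest()


def offline_guess(candidates: List[str], salt: bytes, auth_tag: bytes,
                  secret_key: Optional[bytes] = None) -> Optional[str]:
    """Model of an offline dictionary check: no lockout, unlimited tries.

    A match is only possible if the checker also holds the secret key the
    vault was derived with; without it every candidate fails.
    """
    for pw in candidates:
        if hmac.compare_digest(make_auth_tag(pw, salt, secret_key), auth_tag):
            return pw
    return None


def guess_space_bits(dictionary_size: int, has_secret_key: bool) -> float:
    """Work factor in bits: the dictionary alone vs. dictionary plus an unknown secret key."""
    bits = math.log2(dictionary_size)
    return bits + SECRET_KEY_BITS if has_secret_key else bits


# Constructed sample data for the demo.
CANDIDATES = ["password", "Winter2023!", "letmein", "P4ssw0rd!", "correct horse"]
SALT = b"constructed-demo-salt"
SECRET_KEY = bytes(range(32))   # stands in for a random 256-bit secret key
```

With `make_auth_tag("Winter2023!", SALT, None)` the check returns the weak password; with `make_auth_tag("Winter2023!", SALT, SECRET_KEY)` it returns `None` unless the same secret key is supplied.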
I don’t have much doubt that 1password is pretty much the gold standard of security.
The fact that they enforce the use of the secret key tells me they prioritise their users security over business.

However, I have come to BW because I didn’t want to be forced to use a secret key file.
Yes my password has to be longer (much) than it would in 1password but managing the secret key file sounded like too much of a PITA.

Hey Mycenius, I have just read the first two pages for the moment. Really AMAZING.
“The devil hides in the details”.

Are we sure that that kind of security flaw doesn’t exist in the Bitwarden environment? Who knows.

May I introduce you to a readily available source of pure entropy called “dice”? Dice rolls are a great way to create an uncrackable passphrase. And if you don’t want to read the instructions and roll the dice yourself, you can use an online passphrase generator (such as this one, this one, or this one).

Other than the above quibble, I don’t disagree with anything you wrote.
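The dice-based passphrase method mentioned above, as an added example that is not part of the original post or of any of the linked generators: dice rolls (here simulated with a CSPRNG, or supplied as recorded codes from a real paper-and-dice session) are read as a base-6 index into a wordlist, and the entropy follows directly from the list size. The 36-word, two-dice list is constructed for the demo; real Diceware lists use five dice and 7776 words, and the functions accept either as long as the list size is a power of 6.

```python
import math
import secrets
from typing import Optional, Sequence

# Constructed demo list: 36 words addressed by 2 dice (6**2). Real Diceware lists
# use 5 dice and 7776 words; the code works for either as long as the sizes match.
WORDLIST = [
    "acid", "ant", "apple", "arch", "bark", "bell", "bird", "blue", "boat", "bone", "cake", "card",
    "cat", "clay", "cloud", "corn", "crab", "dawn", "deer", "desk", "dice", "dome", "drum", "dust",
    "echo", "farm", "fern", "fish", "flag", "fog", "fork", "frog", "gate", "glow", "goat", "gold",
]


def roll_code(n_dice: int) -> str:
    """Roll n dice with a CSPRNG and return the faces as digits, e.g. '25' for two dice."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def code_to_index(code: str) -> int:
    """Read dice digits 1..6 as a base-6 number: '11' -> 0, '66' -> 35 on a 2-dice list."""
    index = 0
    for ch in code:
        if ch not in "123456":
            raise ValueError(f"not a die face: {ch!r}")
        index = index * 6 + (int(ch) - 1)
    return index


def passphrase(n_words: int, wordlist: Sequence[str] = WORDLIST,
               codes: Optional[Sequence[str]] = None) -> str:
    """Pick n_words by dice; pass explicit codes to reproduce a paper-and-dice session."""
    dice = round(math.log(len(wordlist), 6))
    if 6 ** dice != len(wordlist):
        raise ValueError("wordlist size must be a power of 6")
    if codes is None:
        codes = [roll_code(dice) for _ in range(n_words)]
    return " ".join(wordlist[code_to_index(c)] for c in codes)


def entropy_bits(n_words: int, wordlist_size: int = 7776) -> float:
    """Entropy of a dice-chosen passphrase: every word adds log2(list size) bits."""
    return n_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int = 7776) -> int:
    """Smallest word count that reaches target_bits (e.g. 128 bits on the 7776-word list)."""
    return math.ceil(target_bits / math.log2(wordlist_size))
```

On the standard 7776-word list each word contributes about 12.9 bits, so six words give roughly 77.5 bits and ten words pass 128 bits, regardless of how memorable the words look.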