20211229

The status of LastPass's new risk is unclear.

It started with a question raised by a colleague at work.

Because LastPass is beyond stupid and uses your master password to log in to their bbulletin or whatever php forum.

https://news.ycombinator.com/item?id=29705957

So I clicked through and, copy-pasting into Google Translate, read both pages in full.

Below are the thoughts I put together, bit by bit.

  1. Looks like the only option is to replace lastpass XD

  2. But from the part of the discussion below that I read, my subjective view is that there is no convenient way to switch password management services, because any convenient tool has a trust problem.

  3. At the same time, I don't think open source can be equated with security.

  4. Also, putting a 2FA service together with a password management service is probably one of the stupidest things in the world in my view, and 1Password is no exception. How can you keep the two keys in the same place? That defeats the purpose.

  5. My 2FA management is offline.

  6. "My whole point was I like to be in total control my password database, and never have to decide whether to trust a third party provider or not."

    This reply is the one I find most interesting. Does someone really think their own VPS can be trusted? A VPS has no master password, but the entire dataset can be dumped from memory XD

  7. The email used to register for the password management service: the password for that email must not be protected by the password management service. I wonder how many people understand this logic XD

  8. This passage is very practical.

    While I don't like that many of them force you to upload your secrets to the cloud (LastPass, 1Password 8, etc), it's still a better security posture than having your weakest link be every site on which you've used the same password.

  9. My advice is not to trust even your own brain, which is why I don't drink when I'm out XD

    The only way your data is safer is in your mind, which is the first mistake of security; you don't get hacked because you knew about the weakness, you get hacked because you didn't.

  10. I just finished reading the discussion so far. I think there is probably a problem that hasn't blown up yet, but I can't articulate why.

  11. The extensions installed in my Chrome are only the ones I must have, fewer than five, and I don't have an ad-blocking extension installed; looked at from another angle, an ad-blocking extension is itself a security problem.

  12. The real problem with lastpass is this.

    I stopped using Lastpass in 2017 after the second breach that year that allowed remote code execution:
    https://en.wikipedia.org/wiki/LastPass#2017_security_inciden...
    It wasn't so much that that happened, but rather their response:
    https://blog.lastpass.com/2017/03/important-security-updates...
    - "Our investigation to date has not indicated that any sensitive user data was lost or compromised"
    - "No master password change is required"
    - "No site credential passwords need to be changed"
    Given the fact that an attacker could run code in a user's browser extension without any communication with Lastpass servers, there was no way for them to know whether the master or site passwords had been stolen. The only responsible thing for them to do at that point in my view was to recommend everyone change all their passwords. Instead they completely played it down.
    So they completely lost my trust and I spent the next several days moving off Lastpass and changing the passwords for hundreds of websites...I feel for all of you finding yourselves in that situation now. :-(
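As an added example (not code from the original post, LastPass, or any vendor), a small audit of a vault export against points 4 and 7 above: it flags entries that keep a site's password and TOTP seed together, and entries that protect the very email address the vault account is registered to. The CSV column names, the sample entries and the recovery address are constructed assumptions.

```python
# Added example: audit a constructed password-vault export for two self-inflicted
# risks from the notes above. (1) Point 4: a password and its TOTP seed in one
# entry means one compromise yields both factors. (2) Point 7: if the vault holds
# the login for the email the vault itself is registered to, account recovery
# depends on the thing being recovered.
import csv
import io
from urllib.parse import urlparse

# Constructed sample export; the column layout is an assumption, not a vendor format.
SAMPLE_EXPORT = """url,username,password,totp
https://example-bank.test,alice,Correct-Horse-1,JBSWY3DPEHPK3PXP
https://mail.example.test,alice@mail.example.test,Batt3ry-Staple,
https://forum.example.test,alice,hunter2,
"""

# Assumed: the address the vault account is registered to (point 7).
VAULT_RECOVERY_EMAIL = "alice@mail.example.test"


def load_entries(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def colocated_second_factor(entries):
    """URLs whose entry stores both a password and a TOTP seed (point 4)."""
    return [e["url"] for e in entries if e["password"] and e["totp"]]


def recovery_email_in_vault(entries, recovery_email):
    """URLs whose entry is the vault's own recovery mailbox (point 7):
    either the username is that address, or the site is the mail provider's host."""
    mail_host = recovery_email.lower().rsplit("@", 1)[-1]
    hits = []
    for e in entries:
        same_user = e["username"].lower() == recovery_email.lower()
        same_host = (urlparse(e["url"]).hostname or "").lower() == mail_host
        if same_user or same_host:
            hits.append(e["url"])
    return hits


def audit(text, recovery_email):
    """Run both checks over an export and return the flagged URLs per rule."""
    entries = load_entries(text)
    return {
        "colocated_2fa": colocated_second_factor(entries),
        "recovery_email_entries": recovery_email_in_vault(entries, recovery_email),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT, VAULT_RECOVERY_EMAIL))
```

Run against a real export, anything listed under either key is an entry whose second factor or recovery path should be moved out of the vault.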