
October 23, 2015 · password manager, security, privacy, leak, 1password, lastpass, pbkdf2, steve gibson, securitynow, TWiT

Before we begin, let me preface this by saying.. I actually quite like Steve Gibson. For all his faults, he often raises very salient points on a variety of topics, typically surrounding security products & services.

During the latest ‘Security Now / TWiT’ episode on 20/10/2015, Steve & Leo Laporte featured a piece of 1Password news regarding Dale Myers’ ‘1Password leaks your data’ article.

It’s a little over 10 minutes long..

It’s no secret that Steve’s a huge fan of LastPass and for that, I can’t fault him. LastPass is a remarkable product; one which I’ve recommended to many people in the past. I on the other hand, prefer 1Password.

However, my personal preferences do not preclude me from criticising 1Password when it’s necessary. Avid followers may have already spotted that Dale’s news isn’t new at all.. it’s something I mentioned during an article 2.5 years ago (and I wasn’t the first!) (https://paul.reviews/1password-forgot-your-password-youre-doing-it-wrong/) and despite this, I’ve remained a supporter of 1Password and until recently, still relied heavily upon the agilekeychain format.

Before we dive in to the specifics, first.. a minor correction. Dale Myers is not (nor does he claim to be) a security engineer, but a software engineer. I say this not to diminish the validity of his article at all, but to clarify that his viewpoint is that of a developer, not someone who understands the logistics of solid cryptography.

What’s the problem with Agilekeychain?

Although it’s entertaining to listen to Steve wax lyrical about how this ‘represents a fundamental, crucial failure of judgement’ while Leo sneers in the background, there is sound reasoning behind the decision.

Why isn’t the metadata encrypted with your master password?

Your master password is used to derive a cryptographic key, which in turn is used to encrypt something else.

OK, why isn’t the metadata encrypted with your master ‘key’?

Each entry is encrypted with its own unique key. That unique key is encrypted with your master key, which itself is derived from your master password.

Consider the environment..

When Agilekeychain launched in 2008, Android was still in its infancy and Apple users were rocking the iPhone 3G. In terms of technology at that time, an HTC G1 had just a 528 MHz CPU and a measly 192 MB RAM.

If 1Password was to be truly cross-platform compatible, it needed to provide a reasonable defense against attacks from modern PCs but accommodate the performance constraints of a mobile phone. As any developer will tell you, it’s incredibly difficult to strike that balance and unfortunately, sacrifices have to be made.

Think for a moment about what 1Password needs to do in order to display a list of entries.

First, it must stretch your master password through the use of PBKDF2 (itself a considerable demand for a mobile device). With the master key, it must iterate through every single site (of which there could be hundreds), decrypt the entry-specific key and then decrypt the data.

In reality, it just wouldn’t work on a mobile device at that time. It’d either hang completely, or slow the experience to the point where the user reverts back to ‘password1234’ and writes 1Password off.

Remember, it’s usable security we’re after..

Could it be made to work?

Take it slow..

But not too slow..

The problem? The lack of consistency across platforms! A PBKDF2 library on iOS will perform differently from its Android equivalent; something which must also be taken into consideration at the design stage. If you expect a record to decrypt in 100 milliseconds, but it actually takes 200 milliseconds.. you’ve doubled the time on one particular platform.

Of course, they could write their own library.. but they’re sensible enough not to go down that route too.

What’s 100 milliseconds? Big deal!

What happens if the device is busy, or near its resource limit? Will it crash, fail gracefully, dump decrypted data to storage or take 8 seconds instead?

These are all considerations which require plenty of forethought.
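To make the trade-off above concrete, here is an added example (my own code, not 1Password’s or AgileBits’) that calibrates a PBKDF2 iteration count to a time budget on whichever device runs it, then models the cost of listing N entries with and without encrypted metadata; the 1000-iteration floor, the 100 ms budget and the 2 ms per-entry figure are assumed values.

```python
import hashlib
import time

# Added example, not 1Password's or AgileBits' code: calibrate a PBKDF2
# iteration count to a time budget on whatever device runs it, then model
# the cost of listing N vault entries with and without encrypted metadata.
# The 1000-iteration floor and the per-entry timings are assumptions.

def derive_master_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit master key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)

def time_derivation_ms(iterations: int, password: str = "correct horse", salt: bytes = b"\x00" * 16) -> float:
    """Wall-clock milliseconds for one PBKDF2 stretch at this iteration count."""
    start = time.perf_counter()
    derive_master_key(password, salt, iterations)
    return (time.perf_counter() - start) * 1000.0

def calibrate_iterations(target_ms: float, floor: int = 1000) -> int:
    """Double from `floor` while a stretch still fits inside target_ms.

    The floor is the cross-platform compromise described above: the slowest
    phone the format must support decides how much stretching everyone gets,
    and a library that is twice as slow on one platform halves the count it
    can afford within the same budget.
    """
    iterations = floor
    while time_derivation_ms(iterations * 2) <= target_ms:
        iterations *= 2
    return iterations

def listing_cost_ms(n_entries: int, kdf_ms: float, per_entry_ms: float, metadata_encrypted: bool) -> float:
    """Time to render the entry list. With metadata in the clear nothing is decrypted
    until an entry is opened; with it encrypted, listing needs one stretch plus an
    entry-key unwrap and a record decrypt for every entry."""
    if not metadata_encrypted:
        return 0.0
    return kdf_ms + n_entries * per_entry_ms

if __name__ == "__main__":
    iters = calibrate_iterations(100.0)  # 100 ms budget, as in the text above
    print(f"iterations within 100 ms on this device: {iters} ({time_derivation_ms(iters):.1f} ms)")
    for encrypted in (False, True):
        print(f"list 300 entries, metadata encrypted={encrypted}:",
              listing_cost_ms(300, kdf_ms=100.0, per_entry_ms=2.0, metadata_encrypted=encrypted), "ms")
```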

Who was the information exposed to?

Agilebits have never recommended uploading your agilekeychain to a publicly-accessible location. In truth, they actively dissuade users from doing so.. but I completely understand why someone would.

If your keychain is stored on your PC/mobile device, it’s incredibly unlikely that anyone has seen it. Likewise with Dropbox; unless you’ve specifically shared the keychain with others or made it public, it’s highly unlikely that your privacy or data has been leaked.

What’s crucial here, is that it was not exposed to Agilebits. They don’t want it, need it nor have the infrastructure necessary to store it.

Couldn’t Agilebits move to OPVault sooner?

The drawbacks of agilekeychain and added benefits of OPVault have not been communicated well at all; even a minimal risk is worth mentioning to allow users to make an informed decision. Although I discovered these issues during my investigation in 2013, I still opted for agilekeychain as the associated risks didn’t affect me.

Each use case is different, so please don’t consider that a recommendation either!

The inevitable comparison with LastPass

Unfortunately, it’s comments like these which place Steve in my ‘entertainment’ bookmarks folder, not security.

You see, LastPass doesn’t encrypt metadata either! It’s stored, by LastPass, in plain text.

At first glance, the URL looks like an encrypted string. In fact, it’s just hex-encoded!

Again, this isn’t new information.. it was first mentioned by a fellow researcher in 2012, coincidentally around the same time Agilebits moved away from such techniques.
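To illustrate the distinction drawn above between an encoded field and an encrypted one, here is an added example (my own code, not LastPass’s) that classifies a stored field by whether it hex-decodes to a readable URL and reports its byte entropy; the sample field is constructed.

```python
import math
import os
import string
from typing import Optional

# Added example, not LastPass's code: tell a merely hex-ENCODED field apart
# from an ENCRYPTED one. Hex is a reversible encoding with no key, so anyone
# holding the blob can read the URL straight back out.

URL_CHARS = set(string.ascii_letters + string.digits + "-._~:/?#[]@!$&'()*+,;=%")

def shannon_entropy_bits(data: bytes) -> float:
    """Entropy per byte: good ciphertext approaches 8.0, ASCII text stays far lower."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def classify_field(value: str) -> str:
    """'hex-encoded plaintext' if the hex decodes to URL-safe ASCII, else 'opaque'."""
    try:
        text = bytes.fromhex(value).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return "opaque"
    if text and all(ch in URL_CHARS for ch in text):
        return "hex-encoded plaintext"
    return "opaque"

def decode_hex_url(value: str) -> Optional[str]:
    """Recover the URL behind a hex-encoded field, or None when it is not one."""
    if classify_field(value) != "hex-encoded plaintext":
        return None
    return bytes.fromhex(value).decode("ascii")

if __name__ == "__main__":
    field = "https://example.com/login".encode("ascii").hex()  # constructed sample field
    ciphertext = os.urandom(32).hex()                          # stands in for real cipher output
    print(field, "->", classify_field(field), decode_hex_url(field))
    print(ciphertext, "->", classify_field(ciphertext))
    print("entropy of the decoded URL:", round(shannon_entropy_bits(bytes.fromhex(field)), 2), "bits/byte")
```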

Why do LastPass store metadata in plain text?

You know, these things..

Of course, they couldn’t possibly leak anything of importance could they?!

Frankly, I don’t buy that. You can’t build an application as good as LastPass without knowing there are other, more efficient ways to grab a favicon without leaking metadata and storing it on your own servers.

Oh dear, where do I start with that?

Firstly, his risk assessment is way, way off. If the suggestion is ‘I’ll never give them my data, neither should you’, I’m afraid Steve/TWiT no longer belongs in the entertainment/comedy folder either.

I suppose it’d be prudent to reiterate that it’s impossible to give Agilebits your data. It’s not cloud-based and has no requirement to be so.

I’ll also take a moment to chuckle, Leo-style, at the fact he’s unwittingly leaking his own metadata to LastPass during each and every login. The file ‘loglogin.php’ should be all the indication necessary to question why (or more importantly, how) a company with no personal, private data can possibly create meaningful logs/reports unless their applications share such information.

Should Steve close his LastPass account?

There are two options..

  1. Admit that with hindsight, it was a ridiculous overreaction to write off an application because of a measured, reasoned set of decisions based on technology constraints from 7 years ago, or
  2. Stand by his comments, admit LastPass leaks substantially more metadata, shares his activities in plain text with the server and close his account immediately.

I asked Steve to comment, but I’m yet to receive a reply.

Thoughts @SGgrc, given your stance on #1Password’s ‘leak’? https://t.co/qVr41oBikn URLs are sent to #LastPass in plain hex btw. #privacy

— Paul Moore (@Paul_Reviews) October 22, 2015

Summary

Trust is everything.

The application has a new design and various features aimed at making it easier to use, such as a menu bar utility. It also brings back Wi-Fi Sync, which lets users sync password data from a Mac to an iOS device without storing their encrypted keychain in Dropbox or iCloud.

AgileBits described security improvements including a new keychain design with 256-bit AES encryption keys and data integrity checks that increase resistance to tampering. The design ‘forestalls many attacks that haven’t even been dreamt of yet,’ AgileBits said. 1Password 4 development was helped along by 20,000 beta testers.

1Password 4’s launch price is $39.99 on the Mac App Store, a price that will rise to $49.99. However, anyone who ever purchased 1Password 3 on the Mac App Store can upgrade for free.

1Password 4 will also be available on the AgileBits website in a day or two. Anyone who bought 1Password 3 directly from AgileBits in 2013 will get version 4 for free. Anyone who bought before 2013 can upgrade for $24.99 at launch. That will be increased to 1Password’s regular upgrade pricing of $34.99 later on.

1Password has a Windows application too, but that hasn’t been upgraded.

In general terms, password managers like 1Password automatically fill in your usernames and passwords across any website, automatically generating passwords that are far more secure than most people can remember. Your keychain is protected by a single master password, the only one you have to remember.

We described the importance of applications like 1Password in our feature ‘The secret to online safety: Lies, random characters, and a password manager.’ There are additional options, such as LastPass, Dashlane, KeePass, Password Safe, Kaspersky Password Manager, and Roboform. Apple is also planning to release a password manager called iCloud Keychain with OS X 10.9.

Password managers are popular tools among security experts, but they should be considered by anyone who uses the Internet. As noted, there are numerous options beyond 1Password. The important thing is finding one you’re comfortable with and using it to replace all your simple passwords with long strings of random characters that can resist the password cracking tools used by criminals.