In my view, both a password file (vault/database) and LessPass are potentially attackable via brute force. I don’t see that one is safer than the other.
Comment on Review of LessPass
narc0tic_bird@lemm.ee 11 months ago
It’s a cool concept that quickly falls apart in my opinion:
- It’s not really stateless as soon as a website has certain password requirements. You probably don’t want to remember the configuration of all passwords in your head.
- If the password for a website gets compromised, you have to set the “counter” + 1. Again, not stateless.
- If you have multiple accounts per website, you’ll have to store the site differently (for example including www, not including www) or interlace the counter (odd/even) between the two. This gets more and more messy the more accounts you add, and again, it’s not stateless.
- The master password is the only thing an attacker needs (plus the state mentioned above, but it’s easy to brute force a simple counter). With most other password managers, the attacker needs access to the vault/database and potentially a keyfile, secret and/or some form of second factor.
- Changing your master password because it got compromised or ideally before it gets compromised changes the passwords for all websites.
- You still have to remember your username or login email, so that’s again not stateless if you’re saving it in some sort of LessPass client.
I could probably list a lot of other reasons why it’s not a good idea to use it. There are probably some edge cases where it’s good, for demonstration purposes or training sessions where the participants all need unique (temporary) logins for several services.
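To make the trade-offs in the comment above concrete, here is an added illustration of a stateless, derivation-based scheme of the kind being discussed. It is not LessPass's own code and is not byte-compatible with it; it assumes PBKDF2-HMAC-SHA256 over the master password with the per-site "state" (site label, login, counter) as salt, a fixed symbol set, and constructed sample values. It shows the three properties the comment raises: the same inputs always give the same password, changing the counter or the master password changes the output, and an attacker who already holds the master password can recover a low counter by simple enumeration.

```python
import hashlib
import string

# Character classes of the kind that site password rules select between.
# The symbol set is an assumption for this example, not LessPass's.
CHAR_CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&*+-=?@^_",
}
DEFAULT_CLASSES = ("lowercase", "uppercase", "digits", "symbols")


def derive_entropy(master, site, login, counter, iterations=100_000):
    """Deterministic entropy from the master password plus the per-site state.

    Everything except the master password is salt the user must remember
    (or store in a client): site label, login name, counter.
    """
    salt = f"{site}{login}{counter:x}".encode()
    digest = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, 32)
    return int.from_bytes(digest, "big")


def render_password(entropy, length=16, classes=DEFAULT_CLASSES):
    """Map the integer entropy onto a password that contains at least one
    character from every enabled class (arbitrary-precision divmod, so the
    mapping is deterministic and uses the entropy in a fixed order)."""
    pool = "".join(CHAR_CLASSES[c] for c in classes)
    chars = []
    for _ in range(length - len(classes)):
        entropy, idx = divmod(entropy, len(pool))
        chars.append(pool[idx])
    # One forced character per class, inserted at an entropy-chosen position.
    forced = []
    for c in classes:
        entropy, idx = divmod(entropy, len(CHAR_CLASSES[c]))
        forced.append(CHAR_CLASSES[c][idx])
    for ch in forced:
        entropy, pos = divmod(entropy, len(chars) + 1)
        chars.insert(pos, ch)
    return "".join(chars)


def derive_password(master, site, login, counter=1, length=16, classes=DEFAULT_CLASSES):
    """The whole scheme: master + (site, login, counter, rules) -> password."""
    return render_password(derive_entropy(master, site, login, counter), length, classes)


def recover_counter(master, site, login, known_password, max_counter=100):
    """Attacker view: with the master password in hand, the 'counter' state
    is recovered by enumeration against one leaked site password."""
    for counter in range(1, max_counter + 1):
        if derive_password(master, site, login, counter) == known_password:
            return counter
    return None


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed demo value
    site, login = "example.com", "alice"
    pw1 = derive_password(master, site, login, counter=1)
    pw2 = derive_password(master, site, login, counter=2)   # after a site breach
    print("counter 1:", pw1)
    print("counter 2:", pw2)
    # Rotating the master password silently changes every derived password.
    print("new master:", derive_password("new master phrase", site, login))
    # A second account on the same site is separated by the login field.
    print("bob@example.com:", derive_password(master, site, "bob"))
    # Site with a 12-char, no-symbols rule: the rule itself becomes state.
    print("no symbols:", derive_password(master, site, login, length=12,
                                          classes=("lowercase", "uppercase", "digits")))
    print("recovered counter:", recover_counter(master, site, login, pw2))
```

Note that nothing in `derive_password` is secret except `master`: a leaked site password plus the master lets `recover_counter` find the counter in a handful of PBKDF2 evaluations, which is the "easy to brute force a simple counter" point. The rules tuple and length are equally part of the state a user has to remember or store.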
ogarcia@lemmy.world 11 months ago
narc0tic_bird@lemm.ee 11 months ago
Point being that an attacker also needs access to said vault.
jeffhykin@lemm.ee 11 months ago
#3 isn’t true. There’s a username field, so you just put in the username of the alt accounts.
Your point about the master password and two factor is a good one though.
In practice, password requirements are rare (like 1% of sites), but problematic when they happen because there are so many different ways to restrict passwords and trying all combinations is impractical. Needing the counter is exceedingly rare. Remembering the username isn’t a problem, but if you don’t have a consistent policy of always-using-a-username or always-using-the-email (as the LessPass username) it can be difficult to remember that. Similar situation with the URL: if it’s not abbreviated consistently, then it’s a problem.
MigratingtoLemmy@lemmy.world 11 months ago
Thanks, I’ll keep this in mind.
ThetaDev@lemm.ee 11 months ago
You also cannot use it to store secret information like bank account/credit card details, API keys, etc.