More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

  • Professor_Piddles@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    24
    arrow-down
    1
    ·
    1 year ago

    Any obvious holes in keeping a text file on my laptop that I encrypt when not using it? Using ccrypt on linux.

    I do not want my passwords - even encrypted - on the cloud or at the mercy of a 3rd party in any fashion.

    • Rootiest@lemm.ee
      link
      fedilink
      English
      arrow-up
      21
      ·
      edit-2
      1 year ago

      Use KeePass.

      My concern with using a text file is you have to defrost it to use it and whenever it’s not encrypted it’s potentially exposed. You are also vulnerable to keyloggers or clipboard captures

      KeePass works entirely locally, no cloud. And it’s far more secure/functional than a text file.

      I personally use KeePass, secured with a master password + YubiKey.

      Then I sync the database between devices using SyncThing over a Tailscale network.

      KeePass keeps the data secure at rest and transferring is always done P2P over SSL and always inside a WireGuard network so even on public networks it’s protected.

      You could just as easily leave out the Tailscale/SyncThing and just manually transfer your database using hardware air-gapped solutions instead but I am confident in the security of this solution for myself. Even if the database was intercepted during transit it’s useless without the combined password/hardware key.

        • Rootiest@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 year ago

          Having a recovery process for the YubiKey would really just be a potential security hole.

          Ideally you have a backup clone of the key in case yours is lost/broken.

          Keeping a recovery seed or backup password instead would be inherently less secure as the YubiKey uses an HMAC challenge-response key for KeePass rather than a static password/key file.

          A static password or key would be a better target for hackers as it would be easier to crack so having that option would lower your overall security.

          Also worth noting that the way KeePassXC handles the HMAC challenge-response is different from how KeeChallenge does it.

          In KeeChallenge the HMAC secret is used to encrypt the database, which requires storing the encrypted secret in a separate file.

          In KeePassXC the database’s seed is used as the challenge and the response is used to encrypt the database.

          The benefit to the KeePassXC method is two-fold:

          • It’s less vulnerable as the HMAC secret never leaves the YubiKey or get stored in a file.

          • It increases security because the challenge-response changes every time you save the database (changing its seed)

          • Professor_Piddles@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Thank you for your detailed responses - I’m going to look into KeePass and maybe a Yubikey after reading your description of how it works. I hadn’t considered a Yubikey before mostly because I’m prone to lose things, but also because my encrypted file password is >12 characters and a fairly random mix of lower and uppercase letters, numbers and special characters.

    • ThetaDev@lemm.ee
      link
      fedilink
      English
      arrow-up
      11
      ·
      edit-2
      1 year ago

      Yes, if you write the decrypted file to disk, it could be recovered. Deleting files only removes the file system entries - it does not wipe the content.

      Use a local password manager. KeePass (use the KeePassXC variant on Linux) is the most popular choice. If you prefer a command line tool, pass (passwordstore.org) is an option.

      • Professor_Piddles@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Thanks, great point. Lots of suggestions for KeePass here, so I’ll definitely look into it. I appreciate the command line tool recommendation as well, as that’s my preference. Cheers!

    • vector_zero@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      1 year ago

      All it takes is a malicious program accessing your clipboard or running commands to find your password file while your machine is booted and decrypted.

      • time_lord@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        If something happens to your SSD, you lose all access to everything. And SSDs can die without warning, and be un-recoverable.

    • chicken@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      If we’re talking crypto keys like in the article, that would be an improvement over storing them in the cloud, but it’s still vulnerable to malware/keyloggers. Ideally you should use a dedicated hardware wallet and/or write it down physically and have some form of offline signing setup.