My thoughts on the Self-Hosting Solution

You probably noticed that in the (frequent) posts talking about security and passwords lately, I keep suggesting LastPass as a password manager. This is the manager that I use myself, and the reasons why I settled on this one are multi-faceted, but essentially I’m suggesting you use a tool that does not make it more inconvenient to maintain proper password hygiene. Because yes, you should be using different passwords, with a combination of letters, numbers and symbols, but if you have to come up with a new one every time, then things are going to be difficult and you’ll just decide to use the same password over and over.

Or you’ll use a method for having “unique” passwords that are actually composed of a fixed part and a variable one (which is what I used for the longest time). And let’s be clear, using the same base password suffixed with the name of the site you’re signing up for is no protection at all from the moment more than one of your passwords is discovered, because the pattern becomes obvious.

So convenience being important, because inconvenience just leads to bad security hygiene, LastPass delivers on what I need: it has autofill, so I don’t have to open a terminal and run sgeps (like I used to) to get the password out of the store; it generates the password in the browser, so I don’t have to open a terminal and run pwgen; it runs on my cellphone, so I can use it to fetch the password to type somewhere else; and it even auto-fills my passwords in the Android apps, so I don’t have to use a simple password when dealing with some random website that then sends me to an app on my phone. But it also has a few good “security conveniences”: you can re-encode your Vault on a new master password, you can use a proper OTP pad or a 2FA device to protect it further, and they have some extras such as letting you know if the email you use across services is involved in an account breach.

This does not mean there are no other good password management tools, I know the names of plenty, but I just looked for one that had the features I cared about, and I went with it. I’m happy with LastPass right now. Yes, I need to trust the company and their code a fair bit, but I don’t think that just being open source would gain me more trust. Being open source and audited for a long time, sure, but I don’t think either way it’s a dealbreaker for me. I mean Chrome itself has a password manager, it just doesn’t feel suitable for me (no generation, no obvious way to inspect the data from mobile, sometimes bad collation of URLs, and as far as I know no way to change the sync encryption password). It also requires me to have access to my Google account to get that data.

But the interesting part is how geeks will quickly suggest that you just roll your own, be it using some open-source password manager, requiring an external sync system (I did that for sgeps, but it’s tied to a single GPG key, so it’s not easy for me to use two different hardware smartcards), or even your own sync infrastructure. And this is what I really can’t stand as an answer, because it solves absolutely nothing. Jürgen called it cynical last year, but I think it’s even worse than that, it’s hypocritical.

Roll-your-own or host-your-own are, first of all, not going to be options for the people who have no intention to learn how computer systems work — and I can’t blame them, I don’t want to know how my fridge or dishwasher work, I just want them working. People don’t care to learn that you can get file A onto computer B, but that if you then change it on both while offline you’ll get a conflict, and one of the two changes is lost. They either have no time, or just no interest or (but I don’t think that happens often) no skill to understand that. And it’s not just the random young adult that ends up registering on xtube because they have no idea what it means. Jeremy Clarkson had to learn the hard way what it means to publish your bank details to the world.

But I think it’s more important to think of the amount of people who think that they have the skills and the time, and then are found lacking one or both of them. Who do you think can protect your content (and passwords) better? A big company with entire teams dedicated to security, or an average 16-year-old who thinks he can run a website’s forum? — The reference here is to myself: back in 2000–2001 I used to be the forum admin for an Italian gaming community. We got hacked, multiple times, and every time it was for me a new discovery of what security is. At the time third-party forum hosting was reserved for paying customers, and the results have probably been terrible. My personal admin password matched one of my email addresses up until last week and I know for a fact that at least one group of people got access to the password database, where the passwords were stored in plain text.

Yes, it is true that targets such as Adobe will yield many more valid email addresses and password hashes than your average forum, but as the “fake” 5M accounts should have shown you, targeting enough small fishes can lead to just about the same results, if not even better, as you may be lucky and stumble across two passwords for the same account, which allows you to overcome the above-mentioned similar-but-different passwords strategy. Indeed, as I noted in my previous post, Comic Book Database admitted to being the source of part of that dump, and it lists at least four thousand public users (contributors). Other sites such as MythTV Talk or PoliceAuctions.com, both also involved, have no such statement either.

This is not just a matter of the security of the code itself, so the “many eyes” answer does not apply. It is very well possible to have a screw-up with an open source program as well, if it’s misconfigured, or if a vulnerable version doesn’t get updated in time because the admin just has no time. You see that all the time with WordPress and its security issues. Indeed, the reason why I don’t migrate my blog to WordPress is that I won’t ever have enough time for it.

I have seen people, geeks and non-geeks both, taking the easy way out too many times, blaming Apple for the nude celebrity pictures or Google for the five million accounts. It’s a safe story: “the big guys don’t know better”, “you just should keep it off the Internet”, “you should run your own!” At the end of the day, both turned out to be collections, assembled from many small cuts, either targeted or not, in part due to people’s bad password hygiene (or operational security if you prefer a more geek term), and in part due to the fact that nothing is perfect.

3 thoughts on “My thoughts on the Self-Hosting Solution”

  1. I use pass. Though we have slightly different views on this. I actually do not want my password accessible directly in the browser. Sure, I will save login tokens and sessions (“cookies”) so I am kept logged in and don’t have to log in to the same places all the time. Using any kind of password store that will automatically expose passwords to the DOM based on a domain-matching scheme is kind of ludicrous. Extremely vulnerable to cross-site scripting hijacks or domain take-overs (DNS, etc.). Had it been crypto certificate signature + expected certificate chain + domain + expected security level, it would have been way better.

     pass calls itself the Unix standard password store. (From following the Unix componentalization principle.) I want a Unix standard phone capable of interacting with it instead of a fancy app. To quote Steve Gibson, “oh, my god, do I pine for the days of a textual interface and commands.” (Although the famous quote was followed by “But I’m not useful to anybody if that’s what I’m doing over in the corner somewhere”.)

     If you want more ownership and control than you have with LastPass, you could always host your own instance of Clipperz. It’s like LastPass, except you use a mobile website instead of an app and a bookmarklet instead of a browser extension. It’s kind of sad that there are not many more options like this available.

     Disclaimer: I am an employee of the web browser vendor Opera Software ASA. Opinions expressed here are my own and do not represent bladibla bla bla.


  2. While I agree with your sentiment that users shouldn’t have to roll their own solutions, I’m not sure that it applies well to the specific problem of password management.

     First off, LastPass is excellent. And it’s fundamentally a secure design; if the LastPass code is not actively malicious, their system is built the same way I would build one myself.

     But it is completely possible to get a password manager that syncs from your own storage without having to self-host anything or do fancy setup. You can use KeePass2, which has a huge number of plugins ( http://keepass.info/plugins… ). It runs under Linux in Mono. Your password safe is fundamentally a single file, well encrypted. Browser autocomplete works fine via KeeFox, a Firefox extension (the same way that LastPass’ autocompletion works).

     Because the password safe is a single file, you can sync it however you like. Sneakernet. Dropbox. Google Drive. Whatever. There are Android and iOS apps which can read this file for you. On Android (KeePassDroid), they even provide keyboard integration so you can just click a button to have your password filled in on a web page. If syncing the file yourself is too difficult, one of those many plugins will do it for you. They’re easy to install.

     I think there is a level of simplification where we just have to say “the only way this could be simpler is if it were packaged to lose all flexibility”. LastPass is that – you lose the option of self hosting. But I believe that most users can figure out how to use the powerful sync software that already exists to get *one* *file* synchronized through a cloud drive onto their devices.

     That said, I use Unison and FolderSync and my own server for the syncing. But my point is that users don’t have to if they can’t or don’t want to.


  3. But see, you’re basically telling me that you can avoid hosting your own by rolling your own. You’re telling me that I need to get a piece of software, plus a Firefox extension, plus plugins, and then find a way to sync it. It’s already quite a bit of a mess.

     And then you hit what I said in the post itself, which I guess you only skimmed through: if you use Drive or Dropbox or Unison to sync the **one file**, they have no idea how to handle conflicts. You now add two different passwords for two different devices while neither is connected, and when it conflicts out you lose one. Or you have to know how to get the old one from the old file and add it to the new file.

     That is not a “not-roll-your-own” solution, it’s just a little more proper solution than `sgeps`, but just barely.

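The conflict described in the post and in the reply above (two devices each add an entry to the same store file while offline, and a whole-file sync keeps only one copy), as an added Python illustration that is not part of the post, the comments, or any password manager or sync tool mentioned here. The store is modelled as a plain dict of named entries, and the sample snapshots are constructed; both are assumptions made only for this illustration.

```python
from copy import deepcopy

def whole_file_sync(device_a, device_b, winner="b"):
    """Naive whole-file sync (cloud-drive style): the copy written last
    replaces the other entirely, so the loser's new entries vanish."""
    return deepcopy(device_b if winner == "b" else device_a)

def three_way_merge(base, ours, theirs):
    """Entry-level merge of two edited copies against their common ancestor.
    Returns (merged_store, conflicts). An entry touched on only one side
    takes that side's value (additions survive, deletions stick); an entry
    changed differently on both sides keeps `ours` and is listed in
    `conflicts`, so nothing is dropped silently."""
    merged, conflicts = {}, []
    for name in sorted(set(base) | set(ours) | set(theirs)):
        b, o, t = base.get(name), ours.get(name), theirs.get(name)
        if o == t:                  # same on both sides (or deleted on both)
            if o is not None:
                merged[name] = o
        elif o == b:                # only theirs changed it
            if t is not None:
                merged[name] = t
        elif t == b:                # only ours changed it
            if o is not None:
                merged[name] = o
        else:                       # both changed it, differently: conflict
            merged[name] = o
            conflicts.append(name)
    return merged, conflicts

# Constructed sample data: the snapshot both devices had before going
# offline, then one new entry added on each device independently.
BASE = {"mail": {"user": "me", "password": "old-mail-pw"}}
PHONE = deepcopy(BASE)
PHONE["forum"] = {"user": "me", "password": "phone-generated-1"}
LAPTOP = deepcopy(BASE)
LAPTOP["bank"] = {"user": "me", "password": "laptop-generated-2"}

def demo():
    """Compare both strategies; returns the entry names each one ends with."""
    lost = whole_file_sync(PHONE, LAPTOP)          # laptop's copy "wins"
    merged, conflicts = three_way_merge(BASE, PHONE, LAPTOP)
    return sorted(lost), sorted(merged), conflicts

if __name__ == "__main__":
    print("whole-file sync kept:", demo()[0])      # the phone's "forum" entry is gone
    print("three-way merge kept:", demo()[1], "conflicts:", demo()[2])
```

The point of the merge is only that it needs the common ancestor and per-entry structure, which is exactly what a generic file-sync service does not have when it hands you a "conflicted copy".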
