Eggs Rebasketed

Silly me, thinking paying money for an egg-protection service would make keeping them all in one basket okay. Well, now I have new eggs, fresh eggs, better eggs; and, they're all split up, in New And (Hopefully) Improved Baskets™!

If it's not clear, this is referring to the latest Lastpass breach. This June would have marked my tenth year as a paying customer. I don't even recall when I actually started using the service, but looking back at emails it was at least since 2011.

It's not just the breach that made me decide to drop Lastpass entirely. I let the little things slide over the years, because everyone can have issues. I should have been paying more attention, really, but laziness and convenience won. I used their authenticator for TOTP 2FA, since it conveniently backed all the secrets up into my LP account. I had all the 2FA recovery codes in 'secure notes'. My credit cards were in there for form fills, along with other PID. Server root and database passwords, IRC nickserv passwords, Seafile passwords. Every. Damn. Egg.

But the drip feed of information about the breach, and the repeated attempts to downplay it all. The lack of enforced updates to iterations and algorithms that's left lots of users in worrisome situations. The unencrypted URLs. The culture of a 'security-centered' company that allowed a lead dev to sign into their core systems from some vulnerable home computer on a vulnerable home network. That fact that they've had previous issues and breaches, and yet were still in a shape where this could happen. I'm dunzo.

I at least had a decent master pass (though I'm using far better now on my new vaults), and had upped my iterations to their 2018 recommendation of 100,100...of course, I've learned external recommendations are now like minimum 600k. Whelp. It's probably currently not feasible to crack open my vault for a reasonable cost...but still.

It used to give me a sense of security to pay a company to help with all this—like, you know, when you pay a bodyguard to, uh, guard your body. But now apparently people who try to get a partial refund—people having to spend potentially dozens of hours resecuring their life—are just being told there was no breach of contract, no refunds, so sorry. Yeah, well, you just lost a long-time customer, so sorry.

So, now I'm using a mixture of Enpass, Keepass, and Bitwarden (depending on system, data type/scope, and frequency of usage), and Aegis Authenticator for 2FA. Different, heckin'-long master passes for each one. For the most important stuff, no cloud storage, and nigh-on excessive iterations and secondary measures.

It took the better part of a week to finish changing everything, probably over a full 24 hours of actual working time. Going through, I had entries in my database dating back to whenever I first started using some browser's password storage...probably Mozilla. Quite possibly over two decades of being Very Online. It's now only about 400 entries. Tons of dead sites and redundancies. I had to do so many password resets, captchas, remember made up answers to 'security questions', and wait for crusty email systems that would send out a link that expires in 15 minutes...and take 30 minutes to arrive. Pls.

Password requirements are all over the place, from max 12 characters to max 92. Generally surprisingly good acceptance of special characters, but some random refusals of specific characters that make me deeply suspicious of some setups. Also highly sus are the sites that say "max length N", and then you try it out and it turns out the actual max length is N-1. Wat. But the most pervasive annoyance was how many sites don't just tell you the requirements. The mildly annoying would complain and tell you the full requirement list after one failure, but a ton of sites would only tell you about the specific failures in a given attempt:"this time you had this character we disallow", "oh now this time you used this forbidden sigil, and you didn't have a capital letter!". C'MON, BREH. Oh, and the sites that just fail silently when the password is too long, making you test shorter and shorter until you find the magic maximum. What is even happening? While what's allowed has improved, the entry systems feel on the whole worse than what was standard a decade ago.

The 2FA side of things was even more of a mixed bag. Some sites let you reconfigure, while others make you disable and reenable. Most thankfully use standard TOTP, but some make you jump through an extra hoop or two to use that instead of some proprietary garbage. A few made me manually enter the secret, because apparently generating a QR code is just too complicated.

Backup systems were another bandolier of carrots, with various conditions under which you can regen recovery codes, various numbers of codes provided, and random other requirements like backup phone numbers which seem to basically just drag the security level back down to old SMS-2FA levels. Great. That said, the only truly irritating site is Twitch, which demands a phone number before you can set normal TOTP up, blocks perfectly valid text-enabled voip numbers, and randomly fails with no useful error messages.

On the whole, while I hate that my vault is just sitting somewhere waiting for faster/better GPUs or whatever to crack it open and spill all sorts of identity-theft fodder and phish bait, I actually think doing this sort of personal security audit wasn't a bad thing. I've made a lot of accounts more secure, have a much better, siloed storage system, and it's made me look at other facets of security around me.

It's what motivated me to get on implementing my personal CA network. Got me to finally drop my barely used Wordpress setup and move whatever blogging I do here to Listed. It made me lock down some other aspects of my servers better, and move more towards a zero-trust setup in general. And, I think it will keep me a bit more on my toes in the future, e.g. I'll regularly increase KDF iterations, keep an eye on implementation of new KDF algs like argon2, and just generally be aware of new solutions and alternatives.

Of course, all of this also made me realize more than ever what a disaster this whole general security situation is. Even when the design and coding is done well...passwords suck. 2FA sucks. This whole crazy treadmill of security is just awful. And yeah there's stuff like security keys and whatnot but those just suck in other ways. It feels like either there has to be a better way out there, waiting to be instantiated, or...idk, or it's just going to continue being a disaster. The slow kind. Potentially the boiled frog kind.

...

OH NO, BOILED EGGS.