DiceKeys

DiceKeys reminds me a lot of Diceware. In this case the user gets a set of 25 special dice, which they roll into a box.

The user then closes the box, preserving their DiceKeys pattern indefinitely. The reading of the dice is then used as a seed for key derivation, which in turn produces application-specific passwords and can even seed U2F security keys.

DiceKeys also comes with an app that can read the key automatically by scanning the dice, including each die's orientation (which is part of the key itself and adds to its entropy), along with the QR code-like symbols on the top and bottom of the dice.

DiceKeys are backup security keys with 196 bits of security made of 25 custom dice and a rugged holder, built to last a lifetime. . . . As password managers add support for DiceKeys, you’ll also be able to use your DiceKey in place of a ‘master’ password. . . .

Use the open source DiceKeys app to quickly read your DiceKey from a device. Our API allows apps and services to derive their own private secrets from your DiceKey without those apps seeing the key itself.

Our reference implementation runs in most modern web browsers, allowing it to work on an incredibly diverse range of devices. While built with web-based technologies (TypeScript & WebAssembly), it runs entirely locally on your device.

We are also developing Android and iOS versions to provide a richer experience on those devices.
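The derivation sketched above, and the vendor's claim that apps derive their own secrets without ever seeing the key, as an added example that is not DiceKeys' own code or API: it canonicalizes a constructed 5x5 dice reading so that all four ways of holding the box under the camera yield the same key, derives a per-application secret from it with HKDF, and checks the quoted 196-bit figure against an assumed model of the dice. The face model (25 distinct letters, six digit faces per die, four orientations), the salt label and the application identifiers are assumptions for this example, and the real DiceKeys derivation format differs from it.

```python
import base64
import hashlib
import hmac
import math

# Constructed reading of a 5x5 DiceKey, row-major from the top-left cell.
# Each face is (letter, digit, orientation); orientation says which way the
# face's top edge points: 't' up, 'r' right, 'b' down, 'l' left. The 25
# distinct letters, six digit faces per die and four orientations are an
# assumed model for this example, not DiceKeys' actual face encoding.
ORIENTATIONS = "trbl"
SAMPLE_FACES = [
    ("A", 1, "t"), ("B", 3, "r"), ("C", 6, "b"), ("D", 2, "l"), ("E", 5, "t"),
    ("F", 4, "r"), ("G", 1, "t"), ("H", 2, "b"), ("I", 6, "l"), ("J", 3, "t"),
    ("K", 5, "r"), ("L", 6, "t"), ("M", 4, "b"), ("N", 1, "l"), ("O", 2, "r"),
    ("P", 3, "t"), ("R", 5, "b"), ("S", 4, "l"), ("T", 6, "t"), ("U", 1, "r"),
    ("V", 2, "t"), ("W", 3, "b"), ("X", 5, "l"), ("Y", 4, "r"), ("Z", 6, "t"),
]


def rotate_clockwise(faces):
    """Return the reading you get after turning the whole box 90 degrees
    clockwise: cells move, and every die's own orientation advances one step."""
    grid = [faces[r * 5:(r + 1) * 5] for r in range(5)]
    rotated = []
    for r in range(5):
        for c in range(5):
            letter, digit, orient = grid[4 - c][r]
            turned = ORIENTATIONS[(ORIENTATIONS.index(orient) + 1) % 4]
            rotated.append((letter, digit, turned))
    return rotated


def canonical_encoding(faces):
    """Encode the key so that all four ways of holding the box give one string:
    take the lexicographically smallest of the four rotations' encodings."""
    candidates = []
    reading = faces
    for _ in range(4):
        candidates.append("".join(f"{l}{d}{o}" for l, d, o in reading))
        reading = rotate_clockwise(reading)
    return min(candidates)


def key_entropy_bits():
    """Entropy of one reading under the assumed model; this reproduces the
    roughly 196 bits the vendor quotes."""
    bits = math.log2(math.factorial(25))   # which die landed in which cell
    bits += 25 * math.log2(6)              # which face of each die is up
    bits += 25 * math.log2(4)              # which way each die is turned
    bits -= math.log2(4)                   # whole-box rotation is canonicalized away
    return bits


def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_app_secret(faces, app_id, length=32):
    """The secret an individual app or service receives. The app identifier goes
    into HKDF's info field, so every app gets a different secret, and HMAC is
    one-way, so no app can work back from its secret to the dice reading.
    The salt label is made up for this example."""
    seed = canonical_encoding(faces).encode("ascii")
    return hkdf_sha256(seed, b"dicekey-example-v1", app_id.encode("utf-8"), length)


def derive_password(faces, app_id):
    """Render 15 bytes of the app's secret as a 20-character password."""
    return base64.urlsafe_b64encode(derive_app_secret(faces, app_id)[:15]).decode("ascii")


if __name__ == "__main__":
    print(f"entropy under the assumed model: {key_entropy_bits():.1f} bits")
    for app in ("example.com", "example.org"):
        print(app, derive_password(SAMPLE_FACES, app))
    # The same physical key, read after turning the box, yields the same password.
    assert derive_password(rotate_clockwise(SAMPLE_FACES), "example.com") == \
        derive_password(SAMPLE_FACES, "example.com")
```

Two design points matter here. Canonicalizing the reading is not cosmetic: without it the app would hand a service a different secret depending on how the box happened to sit under the camera. And because the seed carries close to 196 bits of entropy, a fast HKDF is enough; the slow, memory-hard KDFs that password managers apply to a human-chosen master password exist to compensate for low entropy, which a dice reading does not have.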

The cost for a set of DiceKeys looks to run about US$25.

Enpass Password Manager

The other day I saw a thread where people were debating the best password manager, and someone mentioned they had switched to Enpass.

Enpass looks like a closed-source, KeePass-style solution. All data is always stored locally on devices, and then merely synced between devices using services such as Dropbox, Nextcloud, or whatever the customer prefers to use. As Enpass titled one of its blog posts about the service, Enpass servers never interact with user data in any way.

The pricing model is also attractive. Enpass is free except for mobile devices. Using Enpass on a mobile device costs $11.99 to $23.99/year (looks like they are doing a 50% off the first year, then full price the next). There is also an option for a one-time lifetime purchase for $55.99.

I’m sticking with Bitwarden as I like the idea of being able to self-host my password management solution if I wanted to. It is good, though, to see people have more options.

LostPass Phishing Attack Against LastPass

Every few months, someone comes out with a clever attack on LastPass. In January, for example, Sean Cassidy released his LostPass phishing attack that “allows an attacker to steal a LastPass user’s email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass.”

LostPass is a clever phishing attack. Essentially, an attacker displays a fake notice, inside the page itself, that the user’s LastPass session has expired and asks them to log in again. Because LastPass draws its real notice in the browser viewport, where any web page can imitate it, the fake version is visually identical to the actual notice, and even technical users would be unable to distinguish between the real notice and a phishing attempt.

LastPass responded by removing the button from its session expiration notices (so, presumably, users will be better able to spot fake versions, which would need some sort of “login” button). LastPass also now requires users to approve logins from any previously unknown device or IP address through an email-based verification step.

LastPass also points the finger at Google, saying it identified these sorts of problems with the way Chrome displays extension notifications years ago, but that its complaints fell on deaf ears:

A point that was only briefly raised in Cassidy’s research was the role that the browser itself plays in this attack. LastPass has encouraged Google for years to provide a way to avoid using the browser viewport for notifications. As a true solution to this threat, Google should release infobars in Chrome that give extensions the capability to do proper notifications outside the DOM. You can see our plea for this back in January 2012 with still no resolution; please star this issue to help us raise awareness.

It is good that people like Cassidy are out there looking for ways to get around LastPass’ security, and also good that LastPass generally responds to these sorts of attacks much more quickly and effectively than a lot of companies. Every time a vulnerability in LastPass is found, people I know ask me whether they should still use LastPass, and my answer so far has always been “yes.”

So far the vulnerabilities that have been found in LastPass are of the sort that I still feel far more secure using it to manage my passwords than using some other password manager or (even worse) some other method for creating and managing the passwords to the dozens of services I have credentials for.

Web-Based Password Managers

I mentioned the open source KeePass password manager the other day, but apparently there are a number of web-based password managers, including PassPack and Clipperz. Clipperz also has an open source version of its software that you can download and then install on your own server.

I still think it’s easier and probably more secure just to use KeePass and keep the master password database on an FTP server so you can access it anywhere. Put the URL in your browser and KeePass will load it.

KeePass

A couple years ago I downloaded and tried the open source password manager KeePass, but ultimately passed on it in favor of RoboForm. The other day I decided to give it a second look since I needed something that was cross-platform.

After tinkering around with it for a few minutes I was sold. I can’t remember why I didn’t like it a couple years ago, but whatever it was they’ve certainly fixed it several times over.

What I especially like about KeePass is the cross-platform nature of it. I’ve got it running on my Windows and Ubuntu PCs as well as my Blackberry. For the moment, I update my database on my home server and then upload it to an obscure directory on my dedicated web server. Then it’s just a matter of installing KeePass on any computer I want to use and downloading the database.

KeePass does a nice job of auto-typing. Just put the cursor in the username field and press Ctrl+Alt+A: KeePass matches the active window’s title against the entries in the database, then types the username and password of the matching entry into the fields.

Someone has written a nice plugin for KeePass 2.x (which is still in alpha) that will synchronize the database over the Internet, though it’s unclear if this will work with vanilla FTP/SFTP.