Author Topic: LessPass password manager  (Read 3598 times)

wraith808

LessPass password manager
« on: March 15, 2017, 09:56 AM »
I haven't seen this discussed here:

https://lesspass.com/#/

https://blog.lesspass.com/

I found out about it reading Jeff Atwood's Blog: https://blog.codingh...-rules-are-bullshit/

But as with many things, it came from the comments, not the article: https://discourse.co...are-bullshit/5033/23

(the reason I can't just stop reading the comments *sigh*)

A short blurb from the site (full info can be found at https://blog.lesspas...742dd18a4#.d6uu4xx1q)

The trick is to compute passwords rather than generate and store random passwords.

LessPass generates unique passwords for websites, email accounts, or anything else based on a master password and information you know.

LessPass is different from other password managers that you can find on the Internet because:
It does not save your passwords in a database;
It does not need to sync your devices;
It is open source (source code can be audited).

The system uses a pure function, i.e. a function that given the same parameters will always give the same result. In our case, given a login, a master password, a site and options it will return a unique password.

What about sites with strange requirements?

From the same link:

What about complex password rules?

Sometimes sites have specific password rules. For instance, some banks only accept passwords made of numbers. So you have to remember both a strong password and complex rules.
Well, we built a “connected” version to tackle that. It works by saving your password’s profile, i.e. everything –except the master password and the generated password– to be able to generate the password. Then, next time you need this password you just have to select the profile and type the master password.

Source is available on GitHub: https://github.com/lesspass/lesspass

And you can host your own instance in a docker container, if you don't want to use the public database.

Not quite sold enough to switch from LastPass, but I am thinking about it, and wanted to find out if anyone had seen/taken a look at this? Seems very simple, but very logical...

Deozaan

Re: LessPass password manager
« Reply #1 on: March 22, 2017, 01:22 AM »
This looks really useful!

I do have a few things holding me back from switching over to it right now:

I think that it is useful to store other things in my password manager that can't be generated, such as TOTP codes for 2FA. Or the answers to "security questions" that I've completely made up so they can't be "social engineered" out of me. So having some area where I can store "secure notes" would be nice.

Also, they allow you to customize some aspect of the password generation, such as whether to include special symbols or not, but I feel they probably need to allow some more control over that customization. Because some places have crazy restrictions on passwords, like, you must have at least one special symbol but only from a limited set of special characters, such as ~, $, and %. But something like & is not allowed and is considered invalid. As it is, if you're unlucky enough to generate a password that has the invalid special symbols, then you're out of luck with LessPass. Then again, maybe this can be resolved simply by increasing the counter to generate a bunch of them randomly until you finally get one that works.

I'd also like it more if there was an app (for Windows, not for phones) for it rather than having to access it in a browser. But maybe since it is open source it wouldn't be too much work to fork it and implement the code into my own desktop app.
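
The pure-function derivation quoted in the opening post and the counter-bumping idea in the reply above, as an added example that is not part of the thread and not LessPass's own code. It is a sketch that assumes PBKDF2-HMAC-SHA256 over the master password with site, login and counter as the salt; the symbol set, the `picky_site` rule and the sample inputs are constructed.

```python
import hashlib
import string

ALNUM = string.ascii_letters + string.digits
SYMBOLS = "!#$%&*+-=?@^_~"  # constructed default symbol set for this sketch


def derive(master, site, login, counter=1, length=16, symbols=SYMBOLS,
           iterations=100_000):
    """Pure function: the same inputs always yield the same password."""
    # Site, login and counter are not secret; only the master password is.
    salt = f"{site}|{login}|{counter:x}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, 32)
    n = int.from_bytes(key, "big")
    alphabet = ALNUM + symbols
    chars = []
    for _ in range(length):  # render the derived key in the chosen alphabet
        n, i = divmod(n, len(alphabet))
        chars.append(alphabet[i])
    return "".join(chars)


def first_acceptable(master, site, login, accepts, max_counter=50, **options):
    """Bump the counter until the site's rule accepts the derived password."""
    for counter in range(1, max_counter + 1):
        password = derive(master, site, login, counter, **options)
        if accepts(password):
            return counter, password
    raise ValueError("no acceptable password within max_counter attempts")


def picky_site(password):
    """Constructed rule from the thread: needs one of ~ $ %, rejects other symbols."""
    found = [c for c in password if c not in ALNUM]
    return bool(found) and all(c in "~$%" for c in found)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample value
    print(derive(master, "example.org", "alice"))
    # Restricting the symbol option to what the site allows makes a hit likely.
    counter, password = first_acceptable(
        master, "bank.example", "alice", picky_site, symbols="~$%")
    print(counter, password)
```

The counter and symbol set that finally pass become per-site state that has to be reproduced later, which is what the "connected" profile described in the opening post stores.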

f0dder

Re: LessPass password manager
« Reply #2 on: March 22, 2017, 02:35 AM »
Have they changed the core mechanics of how it works, or is it still 100% utterly useless?

Last time I looked at it, the design meant compromised master password == having to change each and every password you've used it for.

Also, what this guy wrote.
- carpe noctem

wraith808

Re: LessPass password manager
« Reply #3 on: March 22, 2017, 02:01 PM »
> Have they changed the core mechanics of how it works, or is it still 100% utterly useless?
>
> Last time I looked at it, the design meant compromised master password == having to change each and every password you've used it for.
>
> Also, what this guy wrote.

Thanks!  That's the kind of info/criticism I was hoping for, as it seemed simple and sound to me.  Disappointing.  Another good article on this from that guy: https://anarc.at/blo...-02-hashers-history/
« Last Edit: March 22, 2017, 02:07 PM by wraith808 »

Deozaan

Re: LessPass password manager
« Reply #4 on: March 22, 2017, 05:41 PM »
> Thanks!  That's the kind of info/criticism I was hoping for, as it seemed simple and sound to me.  Disappointing.

Agreed. Thanks, f0dder!

Tuxman

Re: LessPass password manager
« Reply #5 on: March 22, 2017, 05:45 PM »
Also, requiring Docker for a self-hosted installation is a no-go for me.