Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"The horror of LessPass" #88

Closed
guillaumevincent opened this issue Nov 17, 2016 · 3 comments
Closed

"The horror of LessPass" #88

guillaumevincent opened this issue Nov 17, 2016 · 3 comments
Labels
🔒 security
Milestone
Crepuscule

Comments

@guillaumevincent
Copy link
Member

guillaumevincent commented Nov 17, 2016
edited by edouard-lopez

The interview went to says:

Your goal is to make your password as random as possible, so anything that reduces randomness or entropy is going to reduce the effectiveness of your password

Is going to increase its bruteforceability

The Horror of LessPass - TWiT Netcast Network

Understanding our mistakes

We use patterns to create passwords with complex rules like no consecutive vowels or can't start with a number.

We made two mistakes:

  • First, we did not understand at the beginning that the entropy of the generated password increase the bruteforceability of the master password. I took the idea of password templates from masterpassword algorithm. We misunderstood and took for granted what we read.
  • Then, it was to define cvCVns as template by default (consonms, vowels, etc.) instead of a more random one as x (full characters set).

On Open Source

And for anyone who thinks they do well at first, or who think that Open Source does not help. On the contrary, we believe that nobody does well at first, and thanks to the community scrutinity and critical studies of the code, this kind of tool becomes more robust the longer it lives.

How It Feels

The video is obviously a setbacks for us, especially after the euphoric past week where we went from ~100 to 1600+ stars, but we are glad that people review our code in depth and this came up early on.

Actions

We will use the full alphabet in the next version by default. We will probably increase the default length of generated passwords.

So in the future, we will describe (with drawings) the future algorithm and its implementation. We will simplify the code to helps everyone understand how it works. And we hope you will keep your eyes peeled for mistakes and stay critical to the code.

Best ❤️
@guillaumevincent guillaumevincent added this to the Crepuscule milestone Nov 17, 2016
@edouard-lopez edouard-lopez changed the title The horror of LessPass "The horror of LessPass" Nov 17, 2016
@abe33
Copy link

abe33 commented Nov 17, 2016

Hi @guillaumevincent, You'll probably have to devise a strategy for people to transition to the new algorithm from the previous one. So that they can still generate their previous password while being able to use the new algorithm (the typical scenario is for people wanting to change their password again using the new password).

@guillaumevincent
Copy link
Member Author

guillaumevincent commented Nov 17, 2016
edited

Hi @abe33 here is the strategy we discuss with @edouard-lopez :

  • The interface will change and offer the possibility of generating a password with version 1 of LessPass or version 2 (pbkdf2 100k iterations, full alphabet and fix Some consonants and symbols are never in a generated password #84). Version 1 will be active by default with a warning of a future change.
  • All the passwords saved on the connected version will integrate the information needed to regenerate passwords correctly. And when connected, it will use the version 2 for new passwords. So no change for connected passwords.
  • Provide users with the ability to change their master passwords and migrate to the new version. Game to change its master password #36

If you think there is a better way, do not hesitate

@guillaumevincent guillaumevincent mentioned this issue Nov 17, 2016
Closed
@edouard-lopez edouard-lopez mentioned this issue Nov 20, 2016
Closed
@guillaumevincent
Copy link
Member Author

I close the new version is online

@guillaumevincent guillaumevincent mentioned this issue Dec 1, 2016
Closed
@guillaumevincent guillaumevincent mentioned this issue Feb 3, 2017
Closed
@lesspass lesspass locked and limited conversation to collaborators Mar 29, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
🔒 security
Projects
None yet
Milestone
Crepuscule
Development

No branches or pull requests
2 participants
@abe33 @guillaumevincent