LastPass and SaltThePass

JeffTechnical Articles & Notes

Password managers are obviously attractive targets for cybercriminals – but they’re considered by most to be better than any alternative.

The thought of having my entire password manager vault/archive compromised was giving me cold sweats in the wee small hours. What else could I do though!?

Then LastPass’s browser plugin was repeatedly shown to be highly insecure by Google Project Zero’s Tavis Ormandy…

… what other holes are there? I wasn’t going to wait to find out. Time for a new strategy!

After a lot of head scratching I came up with an idea and started to search online for one way hashing algorithms written in JavaScript – which is when I stumbled upon this simple, elegant, genius of a LastPass alternative:

It’s really good. No passwords are stored anywhere. You can use it on all devices (there’s even a very lightweight free app). Is there a catch?

No. Not for the average home user. I think it’s about perfect.

It works by concatenating your choice of master password with the domain name you’re logging in on, and optional additional text and then running that through a one way hashing algorithm run in JavaScript in your own browser. No information passes to or from a remote system so it’s really very safe. And the default hashing algorithm is SHA-3 which is considered categorically irreversible.

OK it doesn’t automatically fill out login fields, but apart from a little copy/paste hassle it’s great. And most importantly it’s very very safe and secure. Much more so than any password manager that stores reversibly encrypted passwords online – or anywhere for that matter. This system does not store passwords at all.

If you have more than one account on the same domain though, or you have a need to change a password, or you want to store someone else’s password they’ve shared with you*, it’s not great. As it stands you need to remember quite a lot for each site you want to use it for. Including remembering what username you picked, and what length password to generate. This is fine I think for most personal use but I have literally 100s of usernames – quite often with more than 1 on the same site.

Fortunately it’s open source so I’ve taken it, added to it, and made my own version of it. My version saves my domains, usernames, comments, suffixes and password lengths – so I don’t need to remember anything except the master password. I just start typing in the domain name and up pop suggestions which when clicked, populate all the other fields and so long as the master password is present and correct, my long unique and very strong password is magically conjured and a click on COPY puts it on the clipboard.

I’ve added a bunch of other features too for example automatically blanking everything (including the master password) after a timeout period and putting the whole thing behind a Google 2FA login system to protect my list of usernames.

Screenshot above. Cold sweat frequency reduced.

Now to continue my campaign to get a refund from LastPass…

* I have yet to come up with a way to safely store a third party’s own password.