Sharing and Over-sharing February 2, 2023 12:17 PM   Subscribe

We've had a couple of threads about Lastpass: the news of the breach and an ask for alternatives. It's pushed my buttons as being across the line into "don't show your dirty laundry in public."

I get that we build community by sharing info about ourselves, it's why I like a MetaTalkTail Hour and the Free Threads. Recommending a password manager by dint of your personal experience also serves to tell the world how you secure your online activity.

I'm glad people found alternatives to this service that they could no longer trust. I think that saying how you secure your online accounts is like saying where your car keys and valuales are in your home: if someone targets you to get to your password manager they would already know which has your endorsements and your online life.

The thread is in Google's index and user accounts are listed. It's probably an impossible request for a pony to ask for some masking of the usernames, so instead I'll ask people to think before contributing how they make themselves safe to a thread like that.
posted by k3ninho to Etiquette/Policy at 12:17 PM (47 comments total)

if someone targets you to get to your password manager they would already know which has your endorsements and your online life.

And then what?
posted by NotMyselfRightNow at 12:27 PM on February 2, 2023 [6 favorites]

Have any users been targeted in this way on Metafilter? On other similar sites?
posted by ryanrs at 12:45 PM on February 2, 2023

We’ve had a couple of threads about 1Password: the news of the breach and an ask for alternatives. It’s pushed my buttons as being across the line into “don’t show your dirty laundry in public.”

LASTPASS. LASTPASS had the breach that is being discussed. I am gonna have a heart attack.
posted by Going To Maine at 12:48 PM on February 2, 2023 [33 favorites]

LASTPASS. LASTPASS had the breach that is being discussed.

k3ninho is employing misdirection to throw the hackers off their trail. OPSEC!~
posted by zamboni at 1:15 PM on February 2, 2023 [19 favorites]

I just changed all my passwords to L@stpa$$. Hackers will never guess it, too on the nose!
posted by snofoam at 1:21 PM on February 2, 2023 [8 favorites]

So by keeping yourself safe, you want to allow many other people to remain vulnerable? Dude, mutual aid!
posted by wenestvedt at 1:29 PM on February 2, 2023 [5 favorites]

"don't show your duty laundry in public."

I thought that was about playing the music of Don Henley.
posted by box at 1:31 PM on February 2, 2023

I get that people have different barometers for personal safety and general privacy and I've watched some of those YouTube videos or whatever where someone takes an innocuous detail about someone's life and uses to to extrapolate all sorts of terrifying information... so, I get it.. I do... but...

I think we're all adults and I think the good that's done by people sharing their positive experiences with these products so that others can be guided in the right direction far, far, far outweighs any potential risk. And if you don't feel that way, I would encourage you to not share that information in a public forum!
posted by kbanas at 1:33 PM on February 2, 2023 [5 favorites]

I think it is really nice to think about the safety of fellow mefites, but I don’t really know how revealing what password manager one uses is really putting someone at increased risk. I’m not an expert, but it seems like it should do little to increase risk.
posted by snofoam at 1:34 PM on February 2, 2023 [11 favorites]

And then when half of us get hacked in like six months think of how superior you'll feel!
posted by kbanas at 1:34 PM on February 2, 2023 [3 favorites]

I really don't think there's any risk here - specifying what password manager you use is similar to saying which continent you live on - there's only so many choices. Telling folks my house is in North America doesn't make it any less secure - I have to live somewhere!
posted by cgg at 2:12 PM on February 2, 2023 [5 favorites]

It's understandable to worry about sharing details of your security setup, and the approach of being secretive was widely used in the early internet. But it turned out that being secretive led to lots of bad choices. The security community ultimately went in the opposite direction: your security software should be as standardized and public as possible, except for the one randomly generated secret which should be drawn from a large number of options and easy to change if leaked. We try to design systems to be secure not only if the attacker knows your password manager, but even if they know the specific way you generated your password. This gets summed up (and oversimplified) as "there's no such thing as security through obscurity."

This is why lots of us have recommended 1Password over Lastpass in recent weeks: Lastpass was always cagey about their security choices, and was recently confirmed (again) to be doing weird nonstandard insecure things. 1Password has been consistently public and specific about their security model and why it works, and earned trust from that. There's no harm in passing that on.
posted by john hadron collider at 2:44 PM on February 2, 2023 [14 favorites]

I keep all my passwords on two scraps of paper. Well, one scrap of paper that I've torn in half and really all my passwords boil down to one formula, half of which is on the one piece of paper, the other half of which is on the other. One half I keep in one part of my house, the other I keep in a locker down at the bus station. The train station. The library. The gym - take your pick ... I have it on a micro-dot that I have secreted in a piece of old gum under the seat of my chair, in a sequin on the collar of my dog, just thrown, casually into the dirt of my favourite house plant. Actually, my Password is the same across all platforms, it's ... well, it's secret. I woke up one day and realised I had to change all my passwords. While I was brushing my teeth I looked out the window and saw a flock of crows pass by. There were X number of crows and that became my new password. With a capitol letter or two thrown in. I keep my list of passwords in an old rolodex, alpha by website. I keep my passwords in a cross-written diary from the 1800's, each hidden as the ingredients in my great great great great aunt's famous black velvet cake. Red velvet cake. Blue velvet cake. As the dimensions of the barn my great great great great uncle and his sons built. In the names of his sons and the number of letters in each name, in the alpha-numeric spelling of each name. I keep my list of passwords in an old notebook that I keep in an old Bustello coffee can in the pantry. On the shelf in the garage with all the screws. By the paints.

I never really understood the beauty and simplicity of a single-source web-based repository. Then again, I have been known to throw my clogs into the gears - to throw a bag of sugar into the cement mixer.

You drop the gold bug, tied to a silk thread, through the left eye of the skull out on the furthest branch...
posted by From Bklyn at 2:47 PM on February 2, 2023 [41 favorites]

I would simply not target anybody who states that they make use of a password manager—they'd be in the like top 10th percentile of security consciousness. The next 90th percentile would be much better targets.
posted by General Malaise at 2:58 PM on February 2, 2023 [13 favorites]

I think it’s a reasonable starting assumption that anyone using a password manager and actively helping other people think through their online security is already thinking proactively enough that it’s a bit weird to assume they need a reminder to…think about their online security. This seems like a non-problem.
posted by Stacey at 3:47 PM on February 2, 2023 [7 favorites]

Any serious thinking about security has to think about threat modeling. It's impossible to defend against every threat, and security is always placed in tension with other priorities, so you need to think about questions like "Who is likely to threaten my security?" "What do they want and what are they willing and able to do to get it?" "What things can I do to stop them?" and "What are the expected costs and benefits of doing those things?" Just by using a password manager you're already at a level of security that is going to deter the vast majority of drive-by attacks. So we're already in the realm of what what security professionals call "Advanced Persistent Threats", the sort of people or groups that are willing to spend significant effort attacking you in particular over an extended period of time: things like a technically savvy stalker, or a three-letter government agency, or a criminal gang. But the thing about APTs is that there are only so many of them, and while they might not always be rational, it's not like they just choose their victims out of the phone book either. And the other thing about APTs is that protecting against them is both expensive (in money but also time, effort, and things you just can't do anymore) and not terribly effective (i.e. there's almost nothing you can do that will stop someone with sufficient time, motivation and resources).

So yeah, if you just left an abusive ex, or you do things the FBI would really rather you didn't, or you engage in online activism in a way that draws harassment that might escalate, you should worry about this type of stuff. But for most people most of the time, it's not really worth the effort of even thinking about it too hard. Do the things that are simple and effective (like using a password manager) and don't worry about the rest.

For the same reason I'm perfectly happy to tell the world that my car keys sit next to my wallet in a little tray on my desk in my office, right next to my work laptop and my gaming PC, which are probably the most valuable objects in the house. Sure, the cost of not sharing that information (i.e. not being able to make this rhetorical point) is pretty low, but you also have to think about:

"What is the probability that there's someone out there who might want to break into my home specifically?" (Low)
"How valuable a target is this for them?" (Not very, a 20-year old car and a couple 3-year old computers are only worth a few thousand dollars on the re-sale market even before you apply the "buying this might draw a felony indictment" discount)
"How much easier would this make things for the threat?" (Not at all until you've broken into my house, and even after, these are objects sitting out in plain sight where even the most cursory search would make them obvious)

So I agree that the cases are similar, in that most people will never face the sort of threat that would be willing to dig through their Metafilter comments to find this information, and even if they do the threat still needs to hack their password manager, which is certain to be a much harder process than simply figuring out what they use.
posted by firechicago at 3:47 PM on February 2, 2023 [16 favorites]

Security through obscurity. I keep all my passwords in a file disguised as an mp3 of a song by a band you’ve never heard of.

Of course this is not true-I have encoded this message in ROT 26 to keep the hackers guessing.
posted by Devils Rancher at 4:33 PM on February 2, 2023 [10 favorites]

Have y’all read this?

I both have a password manager and have the master password written on a piece of paper that’s on the floor underneath my desk. I tell facebook friends and family that it’s there for when I stop answering texts someday.
posted by bendy at 9:52 PM on February 2, 2023 [1 favorite]

I don't think someone who has the ability to hack a secure password manager would be motivated by the chance to get the credentials of specific individual users... they'd be after bulk. It'd be a bit like saying you're going to rob a large bank downtown because you heard a particular dentist has a safety deposit box there.

If you're capable of the former, the latter is small potatoes.
posted by DirtyOldTown at 7:43 AM on February 3, 2023 [3 favorites]

Has the MeFi user database been compromised? Are nefarious forces able to glean your true identity from your MeFi profile? Because I thought that fear was based only on some possible future sale of MetaFilter to some not-so-nice other.
posted by Rash at 9:05 AM on February 3, 2023

Has the MeFi user database been compromised?

To the best of our knowledge, no, just fyi.
posted by jessamyn (staff) at 11:38 AM on February 3, 2023 [1 favorite]


I think people are terrible at estimating risk based on a number of years dealing with risk for pay -- and this thread. I did enjoy your internet-typical levels of snark.

Stay safe.
posted by k3ninho at 11:56 AM on February 3, 2023 [1 favorite]

I would appreciate a more detailed explanation of how you think the risk changes between announcing "I use a password manager", which will generally narrow it down to 4-5 providers, and saying "I use Bitwarden". To me, it sounds like there wouldn't be a significant difference, since they could easily do whatever they're doing on *all* the platforms.

Basically, if my assessment - which does agree with other people's in this thread - is wrong, can you explain a bit more what your concerned about? Because if it's *not* the above, I'd love to know, for security reasons.
posted by sagc at 12:17 PM on February 3, 2023 [3 favorites]

Are you telling me that the names of our preferred password managers aren't automatically asterisked out by MetaFilter when we post here? You can actually see LastPass when I type hunter1 LastPass?
posted by MiraK at 12:21 PM on February 3, 2023 [10 favorites]

I think people are terrible at estimating risk based on a number of years dealing with risk for pay

That's interesting because others in that thread who also estimate risk for pay felt comfortable sharing the name of their password manager.

I agree, as a whole, people share too much information and are unaware of how disparate pieces of information can be put together to reveal data people would not like others to know.

I disagree that this is one of those cases.
posted by a non mouse, a cow herd at 12:27 PM on February 3, 2023 [2 favorites]

based on a number of years dealing with risk for pay

See, now we think you're bad at your job, not just someone who read an MSN article about hackers once...
posted by michaelh at 12:48 PM on February 3, 2023 [7 favorites]


Hunter1, shurely you know the caps add another 2^26 bits of entropy hamburger
posted by Rumple at 12:55 PM on February 3, 2023 [4 favorites]

Then, run it through ROT-13 twice for even more protection
posted by a non mouse, a cow herd at 12:57 PM on February 3, 2023 [1 favorite]

If I let people know what finger I use for touch ID on my laptop, does that make me more of a target or does it help ensure that I only lose one finger if I am targeted?
posted by snofoam at 1:25 PM on February 3, 2023 [2 favorites]

mitchelh, that’s really fucking mean. Just because you disagree with someone’s threat model or risk tolerance doesn’t make them wrong. And telling something that they’re bad at their job is personal and escalating in a way that’s totally uncalled-for. Why make this personal? Fucking gross.
posted by dorothy hawk at 1:47 PM on February 3, 2023 [5 favorites]

And honestly everyone else making fun of the poster is being similarly gross, just somewhat less so. This thread is starting to become a pile-on and borderline bullying.

Look at the way a non mouse, a cow herd approached the OP: with respect, compassion, and genuine curiosity.

How about try that instead of being snide, rude, insulting, and mean? Or just go elsewhere.
posted by dorothy hawk at 1:51 PM on February 3, 2023 [3 favorites]

It is indeed mean to tell OP that he is bad at his job. But I understand the tone of the responses, because this line:

I think that saying how you secure your online accounts is like saying where your car keys and valuales are in your home

is basically telling everyone who participated in the original thread that they are dumb.
posted by grumpybear69 at 2:46 PM on February 3, 2023 [2 favorites]

My car and motorbike keys are in a tray near the back door FYI
posted by Fiasco da Gama at 2:55 PM on February 3, 2023 [2 favorites]

Recommending a password manager by dint of your personal experience also serves to tell the world how you secure your online activity.

It does, except in the very critical way that it doesn't, in that recommending a product is not the same as sharing every detail of how someone uses a product they recommend. In this case, nobody's sharing their master password; nobody's sharing their password database. All they're doing is saying "I use this one because I don't trust/used to use and was breached with/didn't know about that one", which...isn't a security compromise? It's just describing which tool one uses to achieve their desired level of security.

Put another way, if I say "I use Dashlane because I used to use LastPass, and it didn't work well for me/it was breached so I don't trust it any more/it costs more now so I wanted to switch", that doesn't mean that you or anyone can go to dashlane dot com and look me up to see the specifics of what I've done with my security using Dashlane.

Product recommendations are a standard part of discourse; revealing the line-item, private details of how one uses a product are not.
posted by pdb at 3:14 PM on February 3, 2023 [1 favorite]

I think that saying how you secure your online accounts is like saying where your car keys and valuales are in your home

This is something I think about a lot, since I have shared a lot of my life on metafilter. I think it would be fairly trivial to find my home in just a few minutes of effort based on the things I've shared here. Sometimes I realize that and think oh shit, here I am a woman living alone, with my fireproof safe in the right-hand corner of my office under my desk and my car keys on the kitchen bench, I have such regret.

And then I remember that I live on the south side of Chicago and know in my heart that the venn diagram of the sort of people who would set out to do me harm has significant overlap with the sort of people who are pants shitting scared of the south side of Chicago, and I'm kinda like. Try me bitch.

For everything else there's a reactive dog and a baseball bat by the door.

No one's forcing us to share things. Let us take our calculated risks in peace.
posted by phunniemee at 3:21 PM on February 3, 2023 [11 favorites]

Oh it took me this long to realize the biggest concern about someone breaking into your home is the property crime, cute ☺️✌️
posted by phunniemee at 3:29 PM on February 3, 2023 [10 favorites]

My car and motorbike keys are in a tray near the back door FYI


*VROOM VROOM VROOOoooooooommmm*

(P.S. I strapped the motorbike to the car roof. That's how.)
posted by Mr. Bad Example at 4:28 PM on February 3, 2023 [9 favorites]

posted by clavdivs at 7:09 PM on February 3, 2023 [1 favorite]

I keep my passwords encoded in the pattern of favorites I use on MetaFilter.
posted by grouse at 7:38 PM on February 3, 2023 [1 favorite]

Luckily on Metafilter if you type in your password it'll show up as stars. See, here's mine: *******.
posted by Diskeater at 7:57 PM on February 3, 2023 [3 favorites]

I think people are terrible at estimating risk based on a number of years dealing with risk for pay -- and this thread

There's a number of risk/Infosec professionals on Metafilter, some of whom gave you non-sarcastic answers here. One of the keys to being good at it is learning how to measure what risks are worth worrying about, because you simply cannot solve for all risks. And to be good at risk management you have to be good at taking pushback too. Sometimes there's externalities you're not aware of. Sometimes what's good for your immediate team isn't actually what's good for the company as a whole. Sometimes you're focused on the wrong thing or overrating the level of the risk. These happen to all of us.

I've fought battles over IDOR issues where the address space was on the order of 20^64 with maybe 10,000 records existing in it. You can probably guess the character set (but not encoding), so while not random, you couldn't simply iterate to find other records. The vulnerability required already having authenticated access, with maybe 500 total users existing. Some of the extremely pedantic Infosec team demanded that the dev team drop everything and fix it immediately. Should it have been fixed? Yes. Did it need to be fixed immediately? No. Did the squabble damage the Infosec team's reputation in the eyes of the developers? Yes. Guess which team does the work that makes the company money and has the ear of management as a result?

Here's an Opsec fail - let's suppose I tell you that my the password to my vault is a 40 character passphrase. Do you have more information about me than you did before reading that? Yes. Can you do anything with it? Not in any practical way, not other than screaming, "what's the passphrase!" while beating my knee with a lead pipe after kidnapping me. I could even tell you it's based on a CD that I own. Again, more information, but not helpful. So suppose you break into my home and find that I have around 5,000 CDs. You've theoretically narrowed the search space but not in any meaningful manner. Not all risks are worth worrying about.

To go to one of the classic Infosec Twitter Opsec fails, I could publicly post a picture of my door key, and I'd get a bunch of randos screaming at me that they could clone the key from it. And maybe they could. But realistically, no one is going to copy my key off the internet and clone it in order to break into my house.

There's easier ways into my house that could be figured out using Zillow (or some basic physical surveillance) in far less time than creating a key from a photo.

Now, I have a number of compensating controls for that, but when it comes down to it, I know that my locked front door keeps out only the laziest of would-be intruders. Truth be told, it's locked most of the time because it gets gusty here and the deadbolt keeps it from blowing open and letting out one of the compensating controls, who's about 100lbs and toothy.

Or the people who post under their legal names who get "shamed" because you can locate their house based on something in the background of their selfie or whatever when the response is, "Or they can go to the state database of property owners, put in my name, and find it that way."

Longwinded point being, I think you posted this with the best intentions but be careful of becoming John Pesche, because it'll make you a lot less effective.
posted by Candleman at 9:46 PM on February 3, 2023 [9 favorites]

Luckily on Metafilter if you type in your password it'll show up as stars. See, here's mine: *******.

Damn, "hunter2" is my password too! What the fuck!?
posted by loquacious at 9:53 PM on February 3, 2023 [2 favorites]

Still waiting for anyone to actually say *why* sharing the name of your password manager is bad, instead of just implying those of us who don't know are stupid. Honestly curious.
posted by donnagirl at 10:47 AM on February 4, 2023 [1 favorite]

Because theoretically if I were targeting you specifically, I might locate your profile/user name here and read your comments and see that you said you were using a product called TotallySecurePasswordVault. I could then do things like try all the passwords for an account named donnagirl or your email address that had leaked over time (like the major LinkedIn data breach some years ago) to see if you'd reused the same name and password at TotallySecurePasswordVault in order to access all your passwords (as well as trying other common passwords or things that doing background research on you might indicate use as a password - in your case I might try library related words or titles of poems by Elisa Chavez). You saying that you use TotallySecurePasswordVault would tell me both that you use one and which one to go after.

In all actuality, very few people on Metafilter merit that kind of attention and of the few that do I trust that they use a strong and unique password for their vaults (and most likely use token based 2 Factor Authentication as well). That type of digging and research happens if you're known to have millions of dollars of Bitcoin, are the CEO of a Fortune 500, organize a Tibetan dissident group etc. Or really piss off the wrong person who's good at this type of digging (commonly referred to as OSINT) who goes after you as a grudge or to take you down a notch.

Most cybercrime targets people at either ends of a very spectrum. Either they go after very, very specific individuals (as previously mentioned) or they go after systems that have millions of people's info (like getting all the usernames and passwords from LinkedIn and trying them all at Bank of America because statistically, 10% of them have an account there and of that 10%, 5% might have reused the same credentials). There's very little reason to go trawling for tiny snippets of a information about random people and then trying to figure out if they're worth targeting because there's just sooooooooooooo much information out there. And going after random Mefites is less likely to be profitable than posters at a crypto message board.
posted by Candleman at 11:37 AM on February 4, 2023 [6 favorites]

this thread reminded me that I needed to finally pull the trigger on ditching lastpass for 1password, so thank you for that.

More seriously, I'm someone who has had my identity compromised in so many ways over the years, up through and including attempted tax fraud by impersonation and attempted benefits fraud by impersonation, so I do spend time thinking about these issues for my own sake. Every single one of these was an aggregate attack that did not specifically target me where there was little if anything I could do to prevent it, and I am utterly unworried about such an attack happening via 1password. If it happens, I'm not particularly worried about it being a technical attack -- social engineering of people who could access my info via e.g. my employer (way easier to figure out than what password manager I use) seems most likely. This also reminds me of another early security lesson in my life, when I had a storage unit broken into as a student. I had a great lock on it; the thieves used the power of leverage + this lock to break off the hasp (possibly they didn't even need a separate tool). I will say I *am* quite worried about the fact that my data is in the lastpass hack (with lastpass' old apparently quite bad security defaults and, it turns out, unencrypted metadata), but not with the expectation of being specifically targeted, let alone from a random discussion site. Anyone who has access to that data doesn't need to check my posting on metafilter to see that my data is there, and is just going to be doing whatever bulk scripting of this stuff they can.

The worst issues I've experienced were because one of my employer's W2 preparers was hacked. This is something (by me) that was completely unpreventable, it's like the weather. You just have to manage risk around events like this somehow, and using a good password manager is (imo) nowadays one of the best ways to do it. People talking about this on the internet, and discussing alternative options, is a great way to encourage this and improve the ecosystem; I would far prefer this discussion to be happening than not, and I'd rather help other people to the extent I can than remove whatever the iota of risk is for myself. I think it was even from one of these recent threads that I saw the 1password post on how to choose a master password, which was super useful and helped me move to a much better master password.

(Also my car keys are in the front entryway with all my other keys, like absolutely everyone else??)
posted by advil at 12:21 PM on February 4, 2023 [3 favorites]

Do people who use password managers not use randomly generated passwords? That is, for me, kind of the point. If your password doesn't look like 873gfoksu49o4s7bges74hyfs47yWRE@Uy3ru32ef2ei then, yeah, you might be at risk for some sort of brute-force breach based on previous leaks.
posted by grumpybear69 at 8:37 PM on February 4, 2023 [2 favorites]

Fun fact: Metafilter only required one digit for a valid password. That was changed but I always thought, why not because playing who -ha with passwords, here, filled with wizards, is like

Look, it's got only a kwikset lock!

That's what bothers me. Use the detect invisibility spell......Holy Olidammara!

Magic Mouth: ZIPPITY BOP!
posted by clavdivs at 3:20 PM on February 5, 2023 [3 favorites]

« Older Wonderful meta comment riffing on Bradbury’s...   |   Metatalktail Hour: Unsolicited advice, please Newer »

You are not logged in, either login or create an account to post comments