Selfhosted

38707 readers

677 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

[email protected]

Review of LessPass? (lemmy.world)

submitted 10 months ago* (last edited 10 months ago) by [email protected] to c/[email protected]

20 comments fedilink hide all child comments

Hi everyone,

I just came across this project called LessPass, which doesn't require a database as a back-end and can compute passwords on the fly instead of storing them. The idea really intrigued me, and I wanted to know from the community about the experience of using it - did you run into any troubles with it? How does it compare to more traditional password managers (which would need me to think of a back-up strategy)?

Is it possible to back up your passwords from LessPass? Can you use your own passwords when you prefer to? How are the client programs?

Thanks!

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 25 points 10 months ago (5 children)

It's a cool concept that quickly falls apart in my opinion:

It's not really stateless as soon as a website has certain password requirements. You probably don't want to remember the configuration of all passwords in your head.
If the password for a website gets compromised, you have to set the "counter" + 1. Again, not stateless.
If you have multiple accounts per website, you'll have to store the site differently (for example including www, not including www) or interlace the counter (odd/even) between the two. This gets more and more messy the more accounts you add, and again, it's not stateless.
The master password is the only thing an attacker needs (plus the state mentioned above, but it's easy to brute force a simple counter). With most other password managers, the attacker needs access to the vault/database and potentially a keyfile, secret and/or some form of second factor.
Changing your master password because it got compromised or ideally before it gets compromised changes the passwords for all websites.
You still have to remember your username or login email, so that's again not stateless if you're saving it in some sort of LessPass client.

I could probably list a lot of other reasons why it's not a good idea to use it. There are probably some edge cases where it's good, for demonstration purposes or training sessions where the participants all need unique (temporary) logins for several services.

[–] [email protected] 1 points 9 months ago (1 children)

In my view, both a password file (vault/database) and LessPass are potentially attackable via brute force. I don't see that one is safer than the other.

[–] [email protected] 1 points 9 months ago

Point being that an attacker also needs access to said vault.

load more comments (3 replies)