Software Removal | LessPass #679

Closed
opened 2018-12-21 17:01:20 +00:00 by D-Nice · 23 comments
D-Nice commented 2018-12-21 17:01:20 +00:00 (Migrated from github.com)

Description

LessPass is one of the top 3 Password Manager Softwares recommended on the page. It is a stateless password manager, and with it come inherent risks. The issue with lesspass is that it seems to create inconsistent passwords between varying versions. I believe this makes such a stateless password manager useless, if that's the case.

I had noticed these inconsistencies and opened an issue regarding it here: https://github.com/lesspass/lesspass/issues/328

I had a prompt reply back, after which I updated it with more correct information pertaining to the issue. Another user investigated even more deeply and found the actual culprit. The original codebase was apparently dropped (there are no clear statements why?). It is supposedly fixed in the python version, but I never received a reply as to which version of the NodeJS lesspass-cli I can consider canon.

This unfortunately brings me here to today, where I have to ask that this software not be recommended by privacytools (where I found it myself in fact). I've used this, and made the great mistake of recommending it to others. Luckily for myself I had fallbacks in place, unfortunately people I've recommended it to, have not, and are now stuck either trying to run through every version of lesspass, or having to reset their passwords.

At face value, stateless password managers are hard to get right, and lesspass is in my opinion really far from getting it right; they apparently do not follow simple best practices, such as testing for consistency between subversion updates, screwing their end-users. Also, my issue here doesn't explore the many other implications and weaknesses of the system you may see posted on github issues such as https://github.com/lesspass/lesspass/issues/336 that will undoubtedly burn regular users.

To disclose fully, I have not undertaken or started an alternative implementation, but I have considered one for a while, and may go through with it at some point, and it may or may not stay private or be public. Just wanting to fully disclose right now, if I do decide to make an alternative implementation, so it doesn't appear like I'm trying to sabotage LessPass.

ghost commented 2018-12-21 17:27:15 +00:00 (Migrated from github.com)

I also found myself thinking that I forgot my master password a few weeks ago.

Consistency is key for this type of password manager. What will we replace it with? I'd prefer again a stateless password manager, to recommend all of the main 3 types (local, cloud with e2e, stateless).

ghost commented 2018-12-21 17:29:17 +00:00 (Migrated from github.com)

Though it's possible that I personally forgot my master password. Is there any inconsistency between different versions of the browser plugin?

D-Nice commented 2018-12-21 18:28:46 +00:00 (Migrated from github.com)

The plugin appeared to create inconsistent passwords, when compared to lesspass-cli 5.0.1 and 5.1.1, whichever browser plugin version my one friend had. I have nothing empirically to share there though, but he was copy pasting a master password, with same configs, across the 3, and all resulted in different passwords.

D-Nice commented 2018-12-21 19:06:50 +00:00 (Migrated from github.com)

Regarding what you say, it'd be nice to keep a stateless manager, if there is another good one. I personally can't recommend any at this point, and with me being the one requesting its removal, it probably wouldn't be appropriate anyways. However, it's more dangerous to keep something that'll cause users to get locked out of their accounts.

Of course, it may be fair to give some ample time for the author(s)/maintainer(s) to respond to this, although I can't see them swaying my opinion on this, and seeing that you've likely encountered similar, it's probably a more widespread problem.

ghost commented 2018-12-21 20:17:36 +00:00 (Migrated from github.com)

I'm not 100% sure the problem is on LessPass's side. It's really possible that I have simply forgotten my password. But it's also possible that I haven't (since your friend has the same problem) and that would be a major issue.

> The issue with lesspass, it seems to create inconsistent passwords, between varying versions. I believe this constitutes such a stateless password manager as being useless if that's the case.

@guillaumevincent have you received any reports of such behavior other than https://github.com/lesspass/lesspass/issues/328?

guillaumevincent commented 2018-12-21 21:10:23 +00:00 (Migrated from github.com)

Hello,
lesspass-cli was using nodejs. There is a bug reported by @d-nice https://github.com/lesspass/lesspass/issues/328

It's a bug due to the way we converted the counter into a string. Counter of 10 was converted to A hexadecimal instead of "10" string.

Because of another bug in the cli (password prompt on Windows), I decided to rewrite LessPass cli to python.

LessPass cli version 5.x is deprecated
You should use LessPass cli 6.x

So for my defense:

  • LessPass cli 5.x, LessPass web extension, LessPass mobile generate the same password if the counter is less than 10. People don't use the counter a lot (it is used to change a password without changing the master password), so the bug was discovered late in the process

  • LessPass cli 6.x, LessPass web extension, LessPass mobile generate the same password for any counter

> such as testing for consistency between subversion updates, screwing their end-users

This is not fair at all.
Have you seen the number of tests in the repo? Really, this makes me sad.

You can even see non regression testing for your bug in the new cli https://github.com/lesspass/lesspass/blob/master/cli/tests/test_password_generation.py#L69

> To disclose fully, I have not undertaken or started an alternative implementation, but I have considered one for a while

Ok this explains why.

Feel free to ask some questions

Thank you @Shifterovich for the ping
Cheers

guillaumevincent commented 2018-12-21 21:21:02 +00:00 (Migrated from github.com)

> The original codebase was apparently dropped (there's no clear statements why?)

Another wrong affirmation
We merged all the repositories into one mono repo. We kept the git history for all the repositories. You just have to look at the commits.

Clear statement was here https://github.com/lesspass/lesspass/issues/349 and in the commit message

I don't fully understand why you didn't post some issues on LessPass. Create another tool, fork the project, but don't send misinformation.

> so it doesn't appear like I'm trying to sabotage LessPass.

I disagree, but I'm not upset

❤️

ghost commented 2018-12-21 21:53:08 +00:00 (Migrated from github.com)

@D-Nice "testing for consistency between subversion updates"

> You can even see non regression testing for your bug in the new cli https://github.com/lesspass/lesspass/blob/master/cli/tests/test_password_generation.py#L69

This test asserts specific output, so it would fail if the password generation algorithm changed without also updating the hardcoded string in the test.

Though this is in the (new) Python version, right? @guillaumevincent are such tests present for the other implementations as well?

D-Nice commented 2018-12-21 22:37:42 +00:00 (Migrated from github.com)

I hope I am wrong and lesspass is completely fine. However, this upcoming weekend I'll look to get some more info regarding the web-browser version my friend was running. For example, they have all their master passwords written down, BUT do use the counter mechanism as well. If that mechanism is broken, it should be explicitly stated somewhere, and not just assumed that the fix is to use the newest version, people are going to upgrade and be left in the dark, with passwords that won't work.

> So for my defense:
> LessPass cli 5.x, LessPass web extension, LessPass mobile generate the same password if counter inferior to 10. People don't use a lot the counter (use to change password without changing master password) so the bug was discovered late in the process

I don't think this is a valid defense, that people don't use it a lot. If they don't use it a lot, drop it if it will introduce bugs that break the functionality behind it. Also, how do you know whether or not people are using the counter, if it's there, assume it will be used.

> LessPass cli 6.x, LessPass web extension, LessPass mobile generate the same password for any counter

So is it fair to presume that if they are using the web extension, their passwords would have changed between browser version 5 and 6? This would explain the inconsistency that seemed to appear between lesspass-cli 5.0.1, 5.1.1 and whatever web extension version they used. However, the worst part: neither of them produced a working password.

> This is not fair at all.
> Have you seen the number of tests in the repo? Really this make me sad.

You may be right, I naively based this off a quick look at the current lesspass monorepo, I saw no tests folder in root (but it is under cli) so my fault. Similarly, since the old lesspass-cli repo disappeared, I simply checked what I had in my global node_modules, and saw no tests there either. I took extra time to find via archive.org that there in fact was a tests script, but can't inspect it at this point: https://web.archive.org/web/20180612214246/https://github.com/lesspass/cli

> Another wrong affirmation
> We merge all the repositories in one mono repo. We keep the git history for all the repositories. You just have to look at the commits.

I think there still needs to be better communication regarding this. Not to take away from the hard work of the contributors to it, but it's very unrealistic to expect users of lesspass to go through commit... The people I'm recommending it to are not necessarily coders, if this is an application meant for technical users only, then it should be clarified as such.

> I don't fully understand why you didn't post some issues on LessPass. Create another tool, fork the project, but don't send misinformation.

Not sending misinformation... you yourself ascertain that lesspass has had instances of inconsistent passwords between versions. Between a major version, I can understand it (but there should be a prompt to end-users about this).

> I disagree, but I not upset

You may disagree but at least are not upset. Tools like these should be scrutinized. I assure you I gain no benefit from this, as I've recommended this to a number of people and have been told about it not working after months of use passed. I assumed they probably were not using it correctly, or forgot parts etc... But have recently confirmed similar inconsistencies in person which I've already gone over, so I'm afraid that the people I thought weren't using it correctly or forgot may have been correct in lesspass not working.

Anyways, we shall see if anyone else has had similar issues to report here, and then I'll see if I can get anything empirical in here.

Again @guillaumevincent I hope you don't take any of this personally, but password management is not something to take lightly.

D-Nice commented 2018-12-21 22:40:18 +00:00 (Migrated from github.com)

Also, while here, may I ask (which I've previously done), is there a version of lesspass-cli from nodejs that can be considered canon (working according to proper spec for that version)? Or is it considered broken, and v6 must be used, which constitutes a switch to python?

D-Nice commented 2018-12-21 22:47:30 +00:00 (Migrated from github.com)

> To disclose fully, I have not undertaken or started an alternative implementation, but I have considered one for a while

>> Ok this explains why.

Well, I didn't because I thought lesspass was just fine. I had just been thinking of an implementation because some features I would have liked to see, such as argon2, never made it. Also, some additional outputs like base58, for easier human readability. And if I had done it before, it's probably not something I would have released publicly, as I know it's a lot of work maintaining such projects.

If you wish to believe that this is the reason for me opening the issue, you may do so, but it would be quite foolish of me to state this at all then, and I must be an evil genius to apparently have this months in the planning then. If anything, this scares me a bit more, that you would look at this concern as someone trying to sabotage you/lesspass, rather than raising valid concerns.

guillaumevincent commented 2018-12-22 05:56:37 +00:00 (Migrated from github.com)

> their passwords would have changed between browser version 5 and 6

The browser version generates the good passwords with any counter. Why are you saying that passwords are inconsistent? Only LessPass cli 5.x, on Linux only, with counter > 9, generates a password different than all other implementations. It's a bug. And it's fixed in LessPass cli 6.

> I don't think this is a valid defense, that people don't use it a lot.

I'm just saying that we discovered the bug late in the process because not a lot of people use this feature. Not that the bug is not important.

> are such tests present for the other implementations as well?

The nodejs implementation is deprecated with a warning message when you install it. So the answer is no.

> Or is it considered broken, and v6 must be used, which constitutes a switch to python?

Yes, IMO the python version is 7 kbytes and much better. The nodejs version is bigger, is deprecated and had some critical bugs, like the prompt for a password on Windows not being hidden.
And everyone has python on their computer, right?

> but can't inspect it at this point:

Do you know that you can send an email to the support of GitHub to get a copy of the latest source code?

I love to clean my work

guillaumevincent commented 2018-12-22 07:41:56 +00:00 (Migrated from github.com)

> Between a major version, I can understand it (but there should be a prompt to end-users about this).

It's a bug and the end user can see a warning. See https://www.npmjs.com/package/lesspass-cli
lesspass-cli is not available in the npmjs search anymore. To be honest I can't see what I could have done differently. Really.

> Again @guillaumevincent I hope you don't take any of this personally

I don't take it personally. I found that you raised an issue, in another repo, with false information in it.

> but password management is not something to take lightly.

Agreed, and I tried to do my best to create a good product, with a lot of tests, with transparency and love.

> it's probably not something I would have released publically as I know it's a lot maintaining such projects.

Yes, this is a lot of work, especially when everything is free and open source.

--

Finally, I ask you this question: if you learn that another product like KeePass has a bug, are you asking that this product be removed from https://www.privacytools.io/? KeePass has some bugs, and some unsolved.

The good thing to do is to open a bug on the repository of the project. Like you did. And when the bug is resolved, send a thank you to the maintainer or the developers. Well, that's what I'll do.

Cheers

ghost commented 2018-12-22 11:31:40 +00:00 (Migrated from github.com)

> The nodejs implementation is deprecated with a warning message when you install it. So the answer is no.

Then the tests check that the Python version will always generate the same passwords, but not that the passwords will be the same as the passwords generated elsewhere? What about the browser version?

What implementations are/were there?

  • cli
    • Node (deprecated)
    • Python
  • JS for the browser?
  • What do the mobile apps use?

BTW thanks for participating in this thread, it's hard to discuss some tools without talking to the devs.

Assuming tests for cross-implementation consistency exist/will be added, is there any reason to remove LessPass? @D-Nice

Seems like there was just a slight bug that misinterpreted the counter values and no other issue with consistency?

Apart from this consistency issue, are there any problems with LessPass @D-Nice?

D-Nice commented 2018-12-22 16:56:47 +00:00 (Migrated from github.com)

> Only LessPass cli 5.x, on Linux only, with counter > 9, generate a password different than all other implementations. It's a bug. And it's fixed in LessPass cli 6.

I can confirm the issue on Windows as well.

> It's a bug and the end user can see a warning. See https://www.npmjs.com/package/lesspass-cli
> lesspass-cli is not available in the npmjs search anymore. To be honest I can't see what I could have done differently. Really.

Imo it should have been fixed, instead of just marked as deprecated and left broken; if someone installs the latest version of lesspass-cli by npm, they end up with a broken one.

> Finally, ask you this question: if you learn that another product like KeePass has a bug. Are you asking that this product be removed from https://www.privacytools.io/? Keepass has some bugs and some unsolved.

I can't speak for KeePass, as I don't use it and therefore can't put in a word for it.

The good thing to do is to open a bug on the repository of the project. Like you did. And when the bug is resolved, send a thank you to the maintainer or the developers. Well, that's what I'll do.

I agree, but imo it wasn't properly solved, as lesspass-cli 5.1.1 (latest) is still broken, and I recommended that to be used by some people. Those people may only remember to do npm i -g lesspass-cli and will probably not pay much attention to the deprecated message, assuming they've done it during a period that message even existed.

> Only LessPass cli 5.x, on Linux only, with counter > 9, generate a password different than all other implementations. It's a bug. And it's fixed in LessPass cli 6. I can confirm the issue on Windows as well. > It's a bug and the end user can see a warning. See https://www.npmjs.com/package/lesspass-cli lesspass-cli is not available in the npmjs search anymore. To be honest I can't see what I could have done differently. Really. Imo it should have been fixed, instead of just marked as deprecated and left broken, and if someone installs the latest version of lesspass-cli by npm, they end up, with a broken one. > Finally, ask you this question: if you learn that another product like KeePass has a bug. Are you asking that this product be removed from https://www.privacytools.io/? Keepass has some bugs and some unsolved. I can't speak for KeePass, as I don't use it and therefore can't put in a word for it. > The good thing to do is to open a bug on the repository of the project. Like you did. And when the bug is resolved, send a thank you to the maintainer or the developers. Well, that's what I'll do. I agree, but imo it wasn't properly solved, as lesspass-cli 5.1.1 (latest) is still broken, and I recommended that to be used by some people. Those people may only remember to do `npm i -g lesspass-cli` and will probably not pay much attention to the deprecated message, assuming they've done it during a period that message even existed.
D-Nice commented 2018-12-22 17:18:02 +00:00 (Migrated from github.com)

> Apart from this consistency issue, are there any problems with LessPass @D-Nice?

I took the time to compare the various browser versions myself this morning, from 2.5.1 on Firefox, to each available version, up to 3.1.2 on there. I also tried with Chrome, which the person that was having issues used, and the password generation was consistent for them all with various generation parameters between length and counter, and also matching the password style (which is very long) used by the person.

I won't go through all the steps, but I tried to ensure, when I had initially seen this for the person showing me this, to minimize room for error. I wasn't able to do it myself, as they didn't want to reveal their master password, but they were assuring me the fingerprint matches (3 icons), even though when I installed lesspass-cli for them, 5.0.1 and 5.1.1, each one was generating a different password than their browser, but I have to assume they were copy pasting it incorrectly or there's some Windows clipboard issue, as I asked them to type out their password in notepad, and then copy it across the different toolsets with the same parameters. I obviously couldn't confirm the master password they used, but they were showing me the output, and it was in fact different. The other problem was that it was not only this account they were failing to get into, but also some common ones they use, and they had to reset those accounts, so of course from the information I had seen, lesspass seemed like it broke, and this wasn't my first experience seeing it happen (and I of course understand bugs and mistakes can occur).

I didn't open this out of spite or to underhandedly have LessPass removed. Could I have gone through better channels, maybe, but I was under the impression that there was some major breaking change, lesspass-cli was just dropped, and thought passwords changed without notice, and to protect users, I put this up. I had even mentioned that the maintainers should be consulted before acting on this. You made it clear that no such issues should exist, and I investigated and confirmed it once I had time. Unfortunately the issue just appears to be that this password manager style is easy to get wrong for people generally, which ofc is not your fault, and I try to teach them as good practices as I know to avoid succumbing to such issues.

I still do, however, think you need to fix the latest dist-tag of lesspass-cli.

TL;DR

However, to point out again, my tests on a Windows machine regarding this show consistent results between 5.0.1 and the browser versions from 2.5.1 to 3.1.2. So to answer your question @Shifterovich, I have nothing empirical from my end to show that there's problems between browser versions, which I guess most users use anyway, to warrant a removal of LessPass.

In my opinion it can probably be closed and marked as invalid.
ghost commented 2018-12-22 18:20:56 +00:00 (Migrated from github.com)

If there's any issue with LessPass, we can continue in this discussion.

For now, I'm closing.

Thanks @D-Nice for trying to protect users & @guillaumevincent for answering the questions. Constructive discussions about removal of software are rare here, just look at all the Brave and cryptocurrency threads.


---

Though @guillaumevincent please reply to this:

> Assuming tests for cross-implementation consistency exist/will be added [...]
guillaumevincent commented 2018-12-23 08:04:57 +00:00 (Migrated from github.com)

> What implementations are/were there?

You can see tests in different modules:

* https://github.com/lesspass/lesspass/blob/master/packages/pure/test/e2e/specs/passwordGeneration.js
* https://github.com/lesspass/lesspass/blob/master/packages/mobile/src/password/passwordGenerator.test.js
* https://github.com/lesspass/lesspass/blob/master/packages/mobile/android/app/src/test/java/com/lesspass/CryptoTest.java

Tests of the old nodejs cli:

* https://github.com/lesspass/lesspass/blob/d7a086e0634b09d773c9747bc4e8721606df2a22/packages/cli/test.js

There are a lot of other tests, unit and functional. Even end 2 ends.
I can add specific tests in every component for counter > 10.
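The kind of cross-implementation regression check this thread asks for, as an added example that is not LessPass's code: the derivation below is a hypothetical stand-in (PBKDF2 over a constructed salt), not the LessPass algorithm, and `derive_buggy` is a constructed defect chosen only to show why pinned vectors must cross the single-digit counter boundary.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Stand-in deterministic derivation (hypothetical, NOT LessPass's real algorithm):
# salt = site + login + counter as decimal text, PBKDF2-SHA256, hex prefix as output.
def derive_reference(master: str, site: str, login: str,
                     counter: int, length: int = 16) -> str:
    salt = f"{site}{login}{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 1000, dklen=32)
    return key.hex()[:length]

# Constructed defect (a stand-in, not the actual lesspass-cli 5.x bug): only the
# first digit of the counter is used, so counters 1..9 agree with the reference
# while 10, 11, ... silently diverge. Vectors that stop at 9 would never catch it.
def derive_buggy(master: str, site: str, login: str,
                 counter: int, length: int = 16) -> str:
    return derive_reference(master, site, login, int(str(counter)[0]), length)

Case = Tuple[str, str, str, int]

# Constructed cases: deliberately straddle the 9 -> 10 and 99 -> 100 boundaries.
CASES: List[Case] = [
    ("correct horse", "example.com", "alice", c) for c in (1, 2, 9, 10, 11, 99, 100)
]

def generate_vectors(impl, cases: List[Case]) -> Dict[Case, str]:
    """Pin the reference implementation's output for every case (the golden file)."""
    return {case: impl(*case) for case in cases}

def verify(impl, vectors: Dict[Case, str]) -> List[Case]:
    """Run another implementation/version against the pinned vectors; return mismatches."""
    return [case for case, expected in vectors.items()
            if not hmac.compare_digest(impl(*case), expected)]

if __name__ == "__main__":
    vectors = generate_vectors(derive_reference, CASES)
    print("reference mismatches:", verify(derive_reference, vectors))
    print("buggy counters:", [c[3] for c in verify(derive_buggy, vectors)])
```

In practice the pinned vectors are committed once from the reference implementation and every other component (browser, mobile, CLI) is checked against the same file, rather than each one only against itself.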
guillaumevincent commented 2018-12-23 08:09:03 +00:00 (Migrated from github.com)

> I agree, but imo it wasn't properly solved, as lesspass-cli 5.1.1 (latest) is still broken, and I recommended that to be used by some people

I can push a 5.2.0 copy of the 5.0.1 in nodejs.
Like that, any latest version, even deprecated, is consistent.
D-Nice commented 2018-12-23 21:17:26 +00:00 (Migrated from github.com)

I think that is an acceptable solution, so the nodejs version at least doesn't seem like it's left in the dust with a part that could break with the counters.

D-Nice commented 2019-08-29 21:12:01 +00:00 (Migrated from github.com)

Has 5.2.0 been unpublished? I believe I recall it being up, but see 5.1.1 as the latest once more.

guillaumevincent commented 2019-08-30 10:57:03 +00:00 (Migrated from github.com)

@D-Nice sorry for the delay, and thank you for the reminder.
I published a version 5.2.0 today with the fix.

Remember that:

> lesspass-cli is not maintained anymore. Use lesspass on pypi instead. `python3 -m pip install --user lesspass`

The API changed.
D-Nice commented 2019-08-30 23:53:48 +00:00 (Migrated from github.com)

Ah ok thank you, I thought it may have been unpublished. Yes I am aware it's unsupported, but still would rather the latest version of lesspass-cli be the one consistent across most of the earlier versions.

Reference: privacyguides/privacytools.io#679