Why you should avoid LastPass
-
I got redirected to https://lastpass.com/update_phone.php
Red lights flashed in my head. I get redirected to a php file in the root of the webserver? The webserver doesn’t even bother rewriting the url so that maybe the url could look like “/update_phone”. Leaving out the .php will not work either.
This is a big indicator for some really ugly and old PHP code. A friend of mine played around a bit after I joked require('header.php'); and found https://lastpass.com/header.php which is literally the header of their main site.
Seriously, if you're offering yourself as the ultimate keeper of the keys to my life, you must do better than password_check.inc.php.
-
@cartman82 small world, I wrote an explanation of why this is a problem on HN (not everyone speaks PHP), and it got quoted in the article :)
Th[ese findings] reflect poorly on the Lastpass website, not necessarily on their crypto.
Judging from the URLs, it seems that each action is handled by a different standalone script. This is very common in legacy code bases, and it typically (not always) means that:
- all those scripts need the same bootstrapping boilerplate copy-pasted into them, which is a maintenance nightmare. Even if you simplify it to one or two lines of boilerplate that includes a central bootstrap file (or use some configuration magic to automatically run an additional script before the script you requested), it's still worse than having a single centralized entry point that handles routing, auth, and so on. There's always a chance that someone forgets or botches an auth check in one of these files and it goes unnoticed.
- you will probably be able to make an HTTP request directly to some file that was not intended as an entry point (the author mentions header.php – this is a perfect example), and then who knows what happens, because you never planned for this and your bootstrap code doesn't run and possibly variables expected by that script are not defined, or errors thrown by the script are not handled by a pretty error handler... kinda like doing an assembler jmp into the middle of another function, after any sanity checks it might have had.
- I have been working with PHP for 8 years now, and almost inevitably, where this pattern shows up, there's most likely outdated and insecure practices like SQL queries from string concatenation (leading to SQL injection) or unescaped HTML output (leading to XSS, XSRF, or other security problems). It's basically an "easy target" sign for hackers.
Front Controller pattern is a recommended alternative.
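The layout DCoder recommends, as an added example that is not LastPass's code and not from the post: one entry point that the web server receives every request on, with bootstrap and the login check done once before any page handler is looked up. The route table, the handler names and the APP_BOOTSTRAPPED guard are assumptions chosen for this example.

```php
<?php
// Added example (not LastPass's code, not from the post): a minimal front
// controller. Routes, handler names and the guard constant are assumptions.
declare(strict_types=1);

// The web server sends every request here (Apache: FallbackResource /index.php),
// so /update_phone resolves with no ".php" and no script name in the URL.

// Marker that every included fragment checks first. A request that hits
// pages/header.php directly never passes through this file, so the marker is
// absent and the fragment bails out instead of running half-initialised:
//
//     <?php if (!defined('APP_BOOTSTRAPPED')) { http_response_code(404); exit; }
//
define('APP_BOOTSTRAPPED', true);

// Bootstrap lives here once instead of being copy-pasted into each script.
if (PHP_SAPI !== 'cli') {
    session_start();
}

// Route table: path => [handler function, requires a logged-in session?].
// A path not in this table is a 404, so internal files are unreachable by URL.
$routes = [
    '/'             => ['homePage',    false],
    '/login'        => ['loginPage',   false],
    '/update_phone' => ['updatePhone', true],
];

function homePage(): string    { return 'home'; }
function loginPage(): string   { return 'login form'; }
function updatePhone(): string { return 'phone settings for ' . $_SESSION['user']; }

/**
 * Resolve one request to [HTTP status, body]. The auth check is made here, in
 * one place, before any handler runs, so no individual page can forget it.
 */
function dispatch(array $routes, string $path, bool $loggedIn): array
{
    if (!array_key_exists($path, $routes)) {
        return [404, 'not found'];
    }
    [$handler, $needsAuth] = $routes[$path];
    if ($needsAuth && !$loggedIn) {
        return [302, 'redirect to /login'];
    }
    return [200, $handler()];
}

$path     = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
$loggedIn = isset($_SESSION['user']);
[$status, $body] = dispatch($routes, $path, $loggedIn);
http_response_code($status);
echo $body, "\n";
```

Run from the CLI it answers the "/" route; behind a web server with the fallback rule it answers every path. The point is the shape: the "requires auth" decision is data in one table checked by one function, rather than a line each of a few hundred scripts has to remember to include.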
-
-
@DCoder Oh yeah. It was pretty good, paste it here.
-
Thanks for posting. I was actually contemplating using it, at least for my wife who doesn't want to bother figuring out KeePass. Especially now that they made lastpass free on mobile devices.
Maybe I should make my own password keeper service. In a real language (have to figure out what that would be first) .
-
@dangeRuss said in Why you should avoid LastPass:
In a real language (have to figure out what that would be first) .
-
@Gąska said in Why you should avoid LastPass:
@dangeRuss said in Why you should avoid LastPass:
In a real language (have to figure out what that would be first) .
Arrr - the pirate language? That's hardly suitable for keeping passwords.
-
-
-
@dangeRuss said in Why you should avoid LastPass:
Arrr - the pirate language?
Nope, R looks like this:
And the one before was Rust - the best programming language in the world for those who can wait for it to compile.
-
@Gąska said in Why you should avoid LastPass:
And the one before was Rust - the best programming language in the world for those who can wait for it to compile.
You mean it's slower than C++ to compile?!
-
@dkf Given that:
- Templates are Turing complete (by accident!)
- the C++ grammar is formally undecidable
It has 2 different ways that it's possible for compilation of correct code to literally take forever.
Therefore no, nothing is slower to compile than C++.
-
@DCoder So... using PHP files is considered bad practice in php?
-
@masonwheeler said in Why you should avoid LastPass:
- Templates are Turing complete (by accident!)
The worst part about that is that now that it happened, people use it deliberately, making C++ templates into a (crappy) scripting language.
- the C++ grammar is formally undecidable
It has 2 different ways that it's possible for compilation of correct code to literally take forever.
I believe the correct way to compile any C++ program is whatever way doesn't lead to an error. Or at least that's how I interpret SFINAE. I also interpret that to include a large dose of massive facepalm.
-
-
@anonymous234 said in Why you should avoid LastPass:
@DCoder So... using PHP files is considered bad practice in php?
Oh snap :D I was almost done writing an explanation before I stopped and realised I can't tell if this was a question or not.
-
@DCoder said in Why you should avoid LastPass:
@anonymous234 said in Why you should avoid LastPass:
@DCoder So... using PHP files is considered bad practice in php?
Oh snap :D I was almost done writing an explanation before I stopped and realised I can't tell if this was a question or not.
Either way, you show them, girl!
-
@dkf said in Why you should avoid LastPass:
The worst part about that is that now that it happened, people use it deliberately, making C++ templates into a (crappy) scripting language.
I repent that remark!
Filed under: templates are great
-
@bb36e the concept is fairly simple - if you're trying to resolve Tmpl<T> with T=int, and one of the definitions of Tmpl has a T::foo in it, the compiler shouldn't just throw its hands up and go "WTF is int::foo? I give up", but keep looking at the other definitions. Only when none of them make any sense with T=int, you're allowed to scold the user.
The things it's used for, though... Oh boy, that Wikipedia example with determining whether a type has a typedef in it is a horrible, horrible hack that shouldn't find its way into any sort of production code, let alone be called a programming technique.
-
@DCoder Not really, I thought literally the whole point of PHP was you could use each file as an entry point, which is simple and easy to understand.
-
@anonymous234 said in Why you should avoid LastPass:
@DCoder Not really, I thought literally the whole point of PHP was you could use each file as an entry point, which is simple and easy to understand.
No one has programmed like that in 10 years.
Read the quoted HN post for reasons why.
-
@dkf said in Why you should avoid LastPass:
I believe the correct way to compile any C++ program is whatever way doesn't lead to an error. Or at least that's how I interpret SFINAE. I also interpret that to include a large dose of massive facepalm.
Fuck! no more home-made SFINAE! Let the standard library handle that crap, SWITCH TO C++14+ NOW! And then use type traits, true_type, false_type, ... let's just assume template magic never existed. Never re-invent things with sizeof() and think you are smart for hacking the language!
-
@Maciejasjmj said in Why you should avoid LastPass:
The things it's used for, though... Oh boy, that Wikipedia example with determining whether a type has a typedef in it is a horrible, horrible hack that shouldn't find its way into any sort of production code, let alone be called a programming technique.
Want to look at hack, read some of the boost library code, it looks like it is Assembly language. Which is not bad, as long as it is all in a single place written by smart people and tested by multitude of compilers and compiler options.
Thankfully now the standard library has a much better solution than boost, people who still use pre-C++11 should be sent to a PHP-mining labor camp maintaining legacy PHP all their life.
-
@anonymous234 Could, yes. Should, no. It's one of those spectres like "SELECT * FROM users WHERE username='{$_POST['username']}'", that was common practice a long time ago. Modern PHP overwhelmingly uses centralized alternatives like Front Controller instead.
Incidentally, I spent the last few weeks updating such a legacy project, and while I haven't excised all the warts (no time to fix all of them, already missed some deadlines due to these fixes), it's in a much better shape than it was. No more $$var = $_GET['var'] or print $template->handleRequest() around!
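The two legacy patterns named in this post, each beside the form a maintained code base uses, as an added example that is not from the post and not LastPass's code. It uses PDO with an in-memory SQLite database (assumed to be available) so it runs offline; the users table and the inputs are constructed for the example.

```php
<?php
// Added example (not from the post, not LastPass's code). Table, rows and inputs
// are constructed; assumes the pdo_sqlite extension is present.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
$db->exec("INSERT INTO users (username, role) VALUES ('alice', 'user'), ('bob', 'admin')");

// 1. Legacy: the submitted value is spliced into the SQL text, so quote
//    characters the client sends change the structure of the query.
function findUserLegacy(PDO $db, string $username): array
{
    $sql = "SELECT username FROM users WHERE username='{$username}'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Current practice: the SQL text is fixed at prepare time; the value travels
//    separately as a bound parameter and is never parsed as SQL.
function findUser(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input: a quote followed by a condition that is always true.
$input = "' OR '1'='1";
echo json_encode(findUserLegacy($db, $input)), "\n"; // ["alice","bob"]: WHERE is always true
echo json_encode(findUser($db, $input)), "\n";       // []: nobody is literally named that

// 3. Legacy: $$var = $_GET['var'] lets the client pick which variable in the
//    script gets overwritten, including ones set earlier (an $isAdmin flag, say).
//    Replacement: copy only the parameters you expect, into names you chose.
function readParams(array $query, array $allowed): array
{
    $out = [];
    foreach ($allowed as $name) {
        if (array_key_exists($name, $query)) {
            $out[$name] = (string) $query[$name];
        }
    }
    return $out;
}

// Constructed query string: the client also sent isAdmin=1, which is ignored
// because it is not in the allowed list.
$params = readParams(['user' => 'alice', 'isAdmin' => '1'], ['user']);
echo json_encode($params), "\n"; // {"user":"alice"}
```

The first pair shows why "escape it" is the wrong mental model: with a prepared statement there is nothing to escape because the value never reaches the SQL parser. The third function is the explicit-allowlist replacement for variable variables and for extract($_GET), both of which hand the client a way to name variables inside your script.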
-
@dangeRuss said in Why you should avoid LastPass:
doesn't want to bother figuring out KeePass
KeePass 1.x is a lot easier to figure out than 2.x, basically because it does less. I like it much better.
Dropbox also works extremely well as the place to put the authoritative version of your .kdb passwords file.
-
@flabdablet said in Why you should avoid LastPass:
KeePass 1.x is a lot easier to figure out than 2.x, basically because it does less. I like it much better.
And what figuring out is needed for Keepass 2?
-
@dse said in Why you should avoid LastPass:
Thankfully now the standard library has a much better solution than boost
Alas, there's much of the standard library (and boost) that we can't use on our current project. The issue? The target is custom hardware that lacks a lot of features that many people take for granted. (OK, we've got a lot of that custom hardware, but individual CPU core has much memory at all or any floating-point support…)
And our current users would much rather write Python.
-
@dse said in Why you should avoid LastPass:
sent to a PHP-mining labor camp maintaining legacy PHP all their life.
Pretty sure this is a human rights violation
-
@cartman82 said in Why you should avoid LastPass:
@anonymous234 said in Why you should avoid LastPass:
@DCoder Not really, I thought literally the whole point of PHP was you could use each file as an entry point, which is simple and easy to understand.
No one has programmed like that in 10 years.
Read the quoted HN post for reasons why.
oh wait, you think the real world actually does this?
I know a platform that doesn't do it this way. 1.3 million fucking lines, thousands of files, and the same 10 lines of bootstrap. Or almost the same 10 lines of bootstrap, it isn't in perfectly the same order each time because even copy/pasting that is too hard.
This is, also, incidentally why Rasmus is all 'you don't need a router (aka front side controller) because Apache will do that for you'.
-
@dkf said in Why you should avoid LastPass:
@masonwheeler said in Why you should avoid LastPass:
- Templates are Turing complete (by accident!)
The worst part about that is that now that it happened, people use it deliberately, making C++ templates into a (crappy) scripting language.
That's ...
I can't ... Are those people totally insane?
fake edit: search for 'totally insane' got a hit to http://list25.com/25-totally-crazy-photos-from-russia/ , from which I take three that seems somewhat appropriate ...
and this summarizes the elegance in such approach ...
-
@cabrito said in Why you should avoid LastPass:
This one is definitely from Poland based on the brands of products.
-
@dkf said in Why you should avoid LastPass:
You mean it's slower than C++ to compile?!
Sometimes, yes. If you heavily abuse generics, it can get extremely slow (I've once written a ~100 line program that used a parser library made in very generic-trait-heavy fashion - it compiled about 15 seconds in debug mode on i5-4440). Also, it doesn't have incremental compilation yet (IIRC they started the implementation on nightly recently).
@dse said in Why you should avoid LastPass:
Fuck! no more home-made SFINAE! Let the standard library handle that crap, SWITCH TO C++14+ NOW! And then use type traits, true_type, false_type, ... let's just assume template magic never existed. Never re-invent things with sizeof() and think you are smart for hacking the language!
Look, not everyone has the luxury of being able to add std=c++14 to their compiler invocation.
@dse said in Why you should avoid LastPass:
Want to look at hack, read some of the boost library code, it looks like it is Assembly language.
Assembly language is orders of magnitude more readable than Boost source. And has much less boilerplate around each function.
-
@Gąska said in Why you should avoid LastPass:
Look, not everyone has the luxury of being able to add std=c++14 to their compiler invocation.
Visual Studio 2015 with /TP /std:c++14 will do too, make sure to get "Update 3". Even Intel compiler has a /Q switch. gcc and clang of course both have it.
Which compiler do you use? TCC?
-
@dse I think he means that not everyone can just switch to c++14
-
@dse for me, it's not about a compiler, but about political wars of higher-ups and backwards compatibility shenanigans.
-
@Gąska said in Why you should avoid LastPass:
@dse for me, it's not about a compiler, but about political wars of higher-ups
I guess I am lucky then! I hated C++ about 5 years ago, but in the current team started with C++14 and some very capable colleagues. It is a breeze with Visual Studio! I almost feel like I am writing Python in PyCharm.
and backwards compatibility shenanigans.
Do you write open sores software you have to support?
-
@flabdablet said in Why you should avoid LastPass:
Dropbox also works extremely well as the place to put the authoritative version of your .kdb passwords file.
When your workplace allows access to dropbox. Also I hate to have dropbox installed on my phone, so I use s3 to store the KeePass files. It's great when it's set up, but the setup step is a bit of a PITA.
-
@dangeRuss said in Why you should avoid LastPass:
Also I hate to have dropbox installed on my phone, so I use s3 to store the KeePass files
You could try:
or if you have a server anyway:
-
I've never had any problems with it. I've used it for several years now. #worksforme
-
^^ Supposed to download your passwords (if you're logged in).
-
@Tsaukpaetra said in Why you should avoid LastPass:
^^ Supposed to download your passwords (if you're logged in).
? The legacy code does that?
-
@GodEmperor said in Why you should avoid LastPass:
@Tsaukpaetra said in Why you should avoid LastPass:
^^ Supposed to download your passwords (if you're logged in).
? The legacy code does that?
I.... Don't know what you're asking here. Sorry.
-
@Tsaukpaetra said in Why you should avoid LastPass:
@GodEmperor said in Why you should avoid LastPass:
@Tsaukpaetra said in Why you should avoid LastPass:
^^ Supposed to download your passwords (if you're logged in).
? The legacy code does that?
I.... Don't know what you're asking here. Sorry.
OIC. Looks like you were talking about the post above mine. Sorry for the confusion.
-
@GodEmperor said in Why you should avoid LastPass:
@Tsaukpaetra said in Why you should avoid LastPass:
@GodEmperor said in Why you should avoid LastPass:
@Tsaukpaetra said in Why you should avoid LastPass:
< img src="https://lastpass.com/export.php">
^^ Supposed to download your passwords (if you're logged in).
? The legacy code does that?
I.... Don't know what you're asking here. Sorry.
OIC. Looks like you were talking about the post above mine. Sorry for the confusion.
Yeah, it doesn't work, but there's supposed to be an "image" there that should trigger a download in your browser. Doesn't seem to work (that I can tell). Un-html-tagged it for reference in the quote.
-
@dse said in Why you should avoid LastPass:
@Gąska said in Why you should avoid LastPass:
and backwards compatibility shenanigans.
Do you write open sores software you have to support?
No, it's all closed source. We have full stack of custom inhouse solutions - all the way from hardware through half dozen layers of middleware up to cluster management - with absolutely awful release cycle (branching off every month, each branch gets new build for every commit, each build has a different version of several always-changing APIs, same with all upstream and downstream projects). For reasons real, surreal and unreal, all projects have to use the same compiler in the same version (as to avoid ABI getting fucked up or something like that). So upgrading compiler version is a very big deal (needs to be deployed on all build servers, config of several independent CI systems needs to be updated, etc.). Also, since we use -Werror, every time GCC gets better at finding issues with code and reporting warnings, we have to fix all the new compilation errors that emerge. There's also a problem of verifying if our workarounds for compiler bugs still work after compiler update (we have a couple of those), and if they're still needed.
Our current GCC version doesn't support C++14. Updating to one that does will be PITA and ain't nobody got time for that (according to managers). After updating, changing C++ version would be a repeat of everything I mentioned above, plus some random problems due to C++14 being not-actually-backwards-compatible with C++11. Rinse repeat for each of a couple dozen projects in our company. I think you should understand by now why it won't happen anytime soon.
-
@Gąska The joys of working for a megacorporation. Luckily all of our code is in C...
-
@PleegWat said in Why you should avoid LastPass:
Luckily all of our code is in C...
Like...bad luck?
-
@boomzilla C isn't anywhere near as sensitive to differing toolchain versions (or even vendors) as C++.