lesspass / lesspass


:key: stateless open source password manager

Home Page: https://www.lesspass.com

License: GNU General Public License v3.0

Shell 0.83% Python 23.43% JavaScript 42.16% HTML 3.82% Vue 14.05% Dockerfile 0.41% Objective-C 0.83% Java 5.08% Ruby 0.38% Starlark 0.14% Swift 1.10% TypeScript 4.98% CMake 0.06% C++ 1.69% Objective-C++ 1.03% CSS 0.01%
lesspass password-manager password passwords privacy anonymous self-hosted

lesspass's Introduction

LessPass

LessPass is a stateless password manager.

Stop wasting your time synchronizing your encrypted vault. Remember one master password to access your passwords, anywhere, anytime. No sync needed. Try the demo at www.lesspass.com.

🚨 information

LessPass Database server will be turned off on March 1st, 2023. Read here why

How does it work?

Videos

Podcast

CLI

Use pip to install LessPass CLI:

python3 -m pip install --user lesspass

Usage:

lesspass --help

Special thanks

Based on an original idea from masterpassword app ❤️

License

This project is licensed under the terms of the GNU GPLv3.

LessPass mobile is bi-licensed under both the Mozilla Public License Version 2 as well as the GNU GPLv3.

Contributors

This project exists thanks to all of the people who contribute.

You can help too! There are many ways to help make LessPass better.

Contributors list

Backers

Thank you to all our backers!

Become a backer on Open Collective.

Backers list

Sponsors

There is no sponsor for now

Are you a member of a company or organization that might be willing to sponsor LessPass? Please ask them to consider supporting this open source project by becoming a sponsor!

lesspass's People

Contributors

adamniederer, asood123, biancarosa, bluet, ddelabru, dependabot[bot], derelk, edouard-lopez, eliekadoche, ewjmulder, faustxvi, greenkeeper[bot], guillaumevincent, idlework, kcchouette, kir0ul, kocio-pl, komish, marenz, martinseener, owtotwo, panther2, pbaity, peterdavehello, rh-gvincent, rudloff, schlomie, toastal, whiver, yannicka


lesspass's Issues

Toggle password options

Consider a scenario where a user has forgotten the actual password options after some changes.
This can really happen when these options are available like this:

Is there any significant reason to leave these settings so accessible?
Maybe it makes sense to get away from password options?

Frontend: Error: no writecb in Transform class

When I run the npm run build command, an exception happens.

[11:42:01] Starting 'build'...
[11:42:01] Starting 'lesspass'...
[11:42:01] Starting 'images'...
[11:42:01] Starting 'favicon'...
[11:42:01] Finished 'build' after 109 ms
[11:42:01] Starting 'default'...
[11:42:01] Finished 'default' after 20 μs
[11:42:13] Finished 'lesspass' after 12 s
[11:42:13] Finished 'images' after 12 s
events.js:141
      throw er; // Unhandled 'error' event
      ^

Error: no writecb in Transform class
    at afterTransform (/Users/simon/Project/lesspass/frontend/node_modules/through2/node_modules/readable-stream/lib/_stream_transform.js:74:40)
    at TransformState.afterTransform (/Users/simon/Project/lesspass/frontend/node_modules/through2/node_modules/readable-stream/lib/_stream_transform.js:58:12)
    at /Users/simon/Project/lesspass/frontend/node_modules/favicons/index.js:238:17
    at /Users/simon/Project/lesspass/frontend/node_modules/async/lib/async.js:52:16
    at Immediate._onImmediate (/Users/simon/Project/lesspass/frontend/node_modules/async/lib/async.js:1206:34)
    at processImmediate [as _immediateCallback] (timers.js:383:17)

npm ERR! Darwin 16.1.0
npm ERR! argv "/usr/local/Cellar/node/0.12.4/bin/node" "/usr/local/bin/npm" "run" "build"
npm ERR! node v5.4.1
npm ERR! npm  v3.3.12
npm ERR! code ELIFECYCLE
npm ERR! [email protected] build: `rm -rf dist && gulp && rm dist/index.html`
npm ERR! Exit status 1

Can't access selfhosted instance.

I have installed docker and docker-compose, run the script, and it appears to have completed successfully, but I can't access it. What is the address? I tried the IP address of the box I'm running it on. Is it running on a different port?

Master Password verification images leak password trivially

The sample password input gif

The password for https://cdn-images-1.medium.com/max/800/1*wgrq2WIxhyBSfL1Tbr5Qbw.gif above is 'passwordpassword' -- this can be trivially determined by trying letters until the verification images are correct for each successive frame. (I did it by hand.)

This means that the master password is leaked if anyone can see your screen, including remotely etc. This is an unacceptable security risk.

I'd suggest that you shouldn't show any verification images until the user is done entering the password. Exactly what that means isn't entirely obvious, but I'd suggest it includes as a minimum

  • minimum password length before showing any verification images, sufficient to make brute-forcing expensive even on 'correcthorsebatterystaple' type passwords with low entropy-per-character
  • not showing images when the user still has focus on the text box; exceptions might be made if they're also hovering the copy button and haven't edited the password whilst doing so yet.
  • reducing entropy in general in the final verification image -- a 99% verification accuracy is probably sufficient for a valid user who has typo'd their password but makes verification of a guessed password from the images more difficult for an offline attacker who has seen only the last image; I'm guessing the current verification image entropy is probably (10 colours * 100 emoji) ^ 3 images which rules out all but one in a billion passwords without querying the remote site, meaning 'correcthorsebatterystaple' type passwords need only dozens (69) of online attempts to get a password.

Advanced rules

Some sites have constraints such as:
at least 2 digits, non-consecutive
At least two uppercase letters, non-consecutive
And sometimes a specific number of characters is imposed (e.g. 8)
In this kind of situation, as things currently stand, it is not possible, if I'm not mistaken, to guarantee these rules for a generated password?

Would you like to respond to my concerns?

Hi, I see a few possible (security) issues with this system.
Would you like to respond to my concerns?

Security

I could make a web service that provides some service for free so a lot of customers would sign up.
I would store passwords in plain text.
Some of these customers may use lesspass.
Now I could filter out obvious non-random passwords.
After that I may brute-force master passwords with lesspass and test them against customer passwords.
By having the master password I can generate all passwords for that given user.

Convenience

Am I supposed to remember the password-generation settings for each service on each login?
Some services deny some characters in passwords. There is an option for that, but do I really have to remember that on every login?

Some services have quite specific requirements for a password, like 8 to 10 chars (my bank); how does that work?

My employer uses the AD credentials for a lot of services; there are different web services under different domain names, all using the same username and password. How does that fit in?

My employer enforces a new password every 3 months; how does that fit?

My employer enforces a password to be at least 8 characters long, with lower- and upper-case letters, numbers and one of the following chars: !"+-*%=?, and no other special char. How does that fit?

make pbkdf2 rounds a per-site password profile option

The number of rounds of PBKDF2 is designed to be constantly scaled up as CPUs get faster. I think the default value of 8192 is too low, but my bigger concern is that there is no way to change this value.

It would probably be best if it was part of the 'password profile', with the other complexity information. This way the default can be bumped from time to time, newly generated passwords will be stronger, and passwords will get stronger when they are changed, but old passwords can remain unchanged by specifying the smaller value.
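As an added illustration of the idea in the issue above, the following is constructed example code, not LessPass's own derivation: a simplified stateless scheme in which the PBKDF2 round count is one field of the per-site profile, so raising the default does not silently change passwords that were generated with the old value. The salt layout, the charset and the names make_profile, derive_entropy, render_password and generate are assumptions.

```python
import hashlib
import string

# Constructed example, NOT LessPass's algorithm: the only point shown is that
# the PBKDF2 round count lives in the per-site profile, so a bumped default
# does not alter previously generated passwords whose profile kept the old value.

DEFAULT_ROUNDS = 8192  # the default the issue calls too low

CHARSET = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!#$%&*+-=?@_"


def make_profile(site, login, rounds=DEFAULT_ROUNDS, length=16, counter=1):
    """The per-site profile: everything needed to regenerate the password later."""
    return {"site": site, "login": login, "rounds": rounds, "length": length, "counter": counter}


def derive_entropy(master_password, profile):
    """PBKDF2-HMAC-SHA256 keyed by the master password, salted with the profile
    fields (hypothetical salt layout) and iterated profile['rounds'] times."""
    salt = "{site}\x00{login}\x00{counter}".format(**profile).encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, profile["rounds"], dklen=32)


def render_password(entropy, profile):
    """Map the 256-bit entropy onto CHARSET by repeated division (big-int base
    conversion), producing profile['length'] characters."""
    n = int.from_bytes(entropy, "big")
    out = []
    for _ in range(profile["length"]):
        n, idx = divmod(n, len(CHARSET))
        out.append(CHARSET[idx])
    return "".join(out)


def generate(master_password, profile):
    return render_password(derive_entropy(master_password, profile), profile)


def demo():
    # Constructed inputs: a stored profile with the old default, and the same
    # profile after a hypothetical bump of the default to 100000 rounds.
    master = "correct horse battery staple"
    old_profile = make_profile("example.com", "alice")
    bumped = dict(old_profile, rounds=100000)

    pw_old = generate(master, old_profile)
    pw_new = generate(master, bumped)
    return {
        "same_profile_reproducible": generate(master, old_profile) == pw_old,
        "rounds_change_alters_password": pw_old != pw_new,
        "old_password_recoverable_after_bump": generate(master, dict(bumped, rounds=8192)) == pw_old,
    }


if __name__ == "__main__":
    print(demo())
```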

A game to change your master password

@edouard-lopez Imagine if we could offer a game for changing your master password.
I want to change my master password:

1/ back up your internet history: bookmarks-2016-10-31.json
2/ load your internet history in the game
3/ change your password one by one on your sites (I can see my progress)

It could be a completely different piece of software

Make LessPass resistant to keyloggers

From @sctfic on October 20, 2016 6:58

Would it be possible to enter the Master Password using the mouse instead of the keyboard (as an optional choice)?

Or maybe click on the icons to reconstruct the fingerprint with the mouse, instead of typing the master password.

So even on a corrupt device [keylogger] LessPass remains safe.


Copied from original issue: lesspass/frontend#4

add a share button to create awareness

When updating a password to be managed by LessPass I yell: "One more!".

It would be a nice idea to leverage this behavior by letting people share with their friends (i.e. peer-recommendation). Thus create awareness about lesspass.

Other password rules?

Thinking about switching, but I have a few questions about annoying password rules.

  • No recurring characters. I work with a system that won't allow two or more consecutive characters. So abc%%123 won't be accepted.
  • No sequential characters. Similarly, I have a system which will reject 23, xyz, and so on.
  • Password can't contain the username.
  • Passwords must start with a letter.

I appreciate that some of these passwords are unlikely to be generated by LessPass - but is there any way to ensure that they won't be? Or do I have to rely on incrementing the password?

Android app contribution

Great tool! I am actually changing all my passwords using only lesspass.
But when I need to login to some app on my phone, it's not really easy.
Are you considering developing a mobile app that at least copies/pastes the generated password?

Subdomain and protocol should be stripped

I'm using the Google Chrome extension and LessPass generates different passwords for different subdomains/protocols. For example www.example.com leads to a different password than example.com or http://example.com. This could be very misleading and frustrating in some situations.

Maybe you could strip everything before the actual domain?
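An added example of the normalisation the issue asks for, with the caveat a practitioner would want: stripping too much collapses unrelated sites onto one password (for instance reducing example.co.uk to co.uk). This is constructed code, not the extension's; PUBLIC_SUFFIXES is a tiny stand-in for the real Public Suffix List, and host_of, registrable_domain and site_key are assumed names.

```python
from urllib.parse import urlsplit

# Constructed, illustrative code (not the LessPass extension's own): turn what
# the user typed, or the browser tab's URL, into the site name that seeds the
# password. A real implementation must use the full Public Suffix List.

PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "ac.uk"}  # constructed subset


def host_of(site):
    """Accept 'www.example.com', 'http://example.com/login' or an IP literal and
    return the lowercased host with scheme, credentials, port and path dropped."""
    if "://" not in site:
        site = "//" + site            # make urlsplit treat the input as a netloc
    host = urlsplit(site).hostname    # urlsplit lowercases the host for us
    if not host:
        raise ValueError("no host in %r" % site)
    return host.rstrip(".")


def registrable_domain(host):
    """Reduce a host to its registrable domain (eTLD+1) using PUBLIC_SUFFIXES.
    A host that is itself a public suffix is returned unchanged: collapsing
    'example.co.uk' to 'co.uk' would make unrelated sites share one password."""
    if ":" in host or all(c.isdigit() or c == "." for c in host):
        return host                   # IPv6 or IPv4 literal: nothing to strip
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return host           # bare public suffix, do not collapse
            return ".".join(labels[i - 1:])
    # Unknown TLD: fall back to the last two labels
    return ".".join(labels[-2:])


def site_key(site):
    """The value that should seed the password: same for every subdomain and
    protocol of one registrable domain, different for every other domain."""
    return registrable_domain(host_of(site))


if __name__ == "__main__":
    for s in ("www.example.com", "http://example.com", "https://login.example.co.uk:8443/x"):
        print(s, "->", site_key(s))
```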

[Firefox extension] Cannot use the @ key

On Firefox on Ubuntu, the '@' key cannot be used, which prevents logging in or entering an e-mail as the login.
On Chrome there is no problem.

When the 'altgr' key is pressed to type an '@', the extension disappears.

visual fingerprint - Helping hash depend on Master Password only

Something I noticed is that the helping hash (with colours) is generated from the Login and Master Password (MP).

I think it's not a good thing, since I don't always have the same login (Zykino, e-mail, ...). So when I first used another login I thought I had misspelled my MP. My thought may come from the fact that the hash is in the MP input.

Cons:

  • May be less secure against a man behind your back (but he will see your login anyway, so not sure)
  • Checks only typos in the MP and not the Login
  • Everyone will have to remember a new hash (but only one this time)

Pros:

  • The hash depends only on the hidden input -> changing the Login keeps the same hash
  • You are sure the MP is the right one without clicking to see it (a man behind your back will only see the hash even if you misspelled it, and you will type it again)

There may be more pros/cons.
What do you think about it?

Aurore checks

  • delete aurore branch for my cozy and use master
  • delete aws bucket
  • update addons descriptions (Firefox & Chrome) remove auto login info

Account registration and recovery.

From @bluet on July 9, 2016 15:52

I believe I registered an account ([email protected]) on LessPass.com, but I'm not able to log in.
I'm not sure if I typed the wrong password or there's a system error.

My steps and error msgs:

  1. At the register page, I key in my email and a test password.
  2. The system shows success and redirects me to the login page.
  3. I key in my email and password; it shows the error: invalid Email or password. The msg flashed too quickly; I tried many times to make sure of its content.
  4. I go to the register page and key in the same email and password; it shows the error: the info I provided is invalid. And I was redirected to the login page again. Likewise, the msg flashes too quickly; I had to check multiple times to make sure of the content.
  5. Still failed at login.

It would be nice if:

  • Keep the msg showing longer. (Users can see what's wrong)
  • Make error msgs clearer.
  • Double-check users' input (prevent typos in the password)
  • Send a confirmation/welcome email. (Users can confirm that their email has been used to register for the service, by themselves or someone else.)
  • Can send a "password reset" request or "retrieve account" email.

Copied from original issue: lesspass/frontend#3

add onboarding

From @edouard-lopez on July 8, 2016 9:17

Motivation

They plainly asked for it

I think it's better to have more instructions on how to use this service, because I didn't know how to use it until I played with it for like 10 mins.
I would say, if there were more instructions and an easier way to set the "site" field, it would be even better. - Rachel

Getting confused

Nope, you have your master password and compute the app/website (see #4 for details)

but every time I open the site, the fingerprint changes, so I won't be able to know what password (lesspass's result) I use on the site I want to login (ex, gmail), right?

Simplify the Chrome and Firefox Extensions

Currently the Extensions show the password generation fields where you have to manually enter the site name, username and master password.
Can't we simplify this by using data from the current tab or having a handy keyboard shortcut to fill in the password when we have the username field filled?

[lesspass-cli] password prompt

(I'm opening a separate ticket so as not to pollute #24.)
Actually, it bothers me to have to pass the master password in clear text as an argument.
It would be nice to have a prompt with hidden input, as sudo does for example.

lesspass-core.exe create cli to generate a password

From @sctfic on October 19, 2016 14:20

I would like to couple LessPass with other existing tools in order to replace the lookup in the password database.

Is there a REST API (over https)?

That way I could couple it with an Excel file, for example:

     A           B           C
1    ClientName  UserLogin0  =lesspass(A1; B1; MasterPass)
2    ClientName  UserLogin1  =lesspass(A2; B2; MasterPass)
3    ClientName  UserLogin2  =lesspass(A3; B3; MasterPass)

Copied from original issue: lesspass/core#1

Disable "Issues" in other Lesspass Github repositories

Most (all?) of the lesspass projects have a README that states:

report issues on LessPass project

But all of those projects still have an "Issues" tab. You might consider disabling issues in other projects (just like the wiki has been disabled) in the Github settings.

Another approach for site-specific rules

Rather than offering users an account so they can store their password rules for their sites, another approach would be to offer a community-maintained list of rules, providing default rules for each site (at least for the most widespread ones, which are by the same token probably more likely to have specific rules).

Advantage: no need to store anything related to users any more (if they want to know on which sites they have an account, other tools such as bookmarks can do the job)

Drawback: if the default rules for a site are updated, the generated passwords will be different for all existing users, which can make logging back in a problem.

Make android app as accessibility helper/persistent notification

from @Cheesebaron on #6

If you are making a mobile app, it would be much appreciated if it would work kind of like LastPass on Android, where you can have it installed as an Accessibility helper with a persistent notification, so it can fill apps too, instead of having to switch between two apps to fill in details and copy-paste values.
