Putting all your passwords on the internet
Don't you do it.
LastPass has patched a flaw that meant Windows versions of its password-management software were capable of leaking login credentials that had been auto-filled into fields by its password manager. The bug – which affected Internet Explorer users on Windows only – meant that an attacker who managed to obtain a memory dump of …
Don't you do it.
I dunno, I quite like the lastpass security model. Your passwords only go "on the internet" in a peer-reviewed encrypted form. Thus any weak points should be limited to either machines you use, or your master password. (You did use a secure one, right?)
But the main advantage for me - it makes it practical to use and manage thousands of completely random long passwords, a unique one for everything you use.
The fact that its used by so many people and the security blips have been few and far between, and rather limited in practical risk anyway makes me relatively confident.
"""Pulling off the attack would normally require either physical access to a targeted machine or an attack involving the planting of malware on a mark's PC, a level of compromise that makes most security protections redundant."""
Which rather depends on being on the other side of the airtight hatchway.
Seriously WTF? Register journos are supposed to be IT literate. Physical access and/or the ability to install software mean GAME OVER. This is like saying: Attackers who gain access to your jacket can undo the little button on the inside pocket and remove your wallet.
If they gain physical and/or admin access to your machine they will still be able to do this after this "hole" is "plugged".
An attacker with physical access to the machine should have no access to LastPass passwords in plaintext though. That's the vulnerability which has been fixed. The fact that they can do other stuff with your machine doesn't mean all your online accounts need to be compromised.
This vulnerability, unless I'm missing something, could only leak passwords that had actually been used. With physical access to the machine (and privileges sufficient to do stuff like memory dumping of the process), that's plenty to be able to get the used passwords regardless. Unused passwords may remain encrypted, but in order for LastPass to actually fill in the form, the password must be given to IE in plaintext, and it remains right there in the web in plaintext before submission. Injecting a malicious extension could read it out of the DOM, or a man in the middle proxy locally installed could read it off the wire (remember, we have full local privileges so can easily mark an MITM SSL certificate as trusted).
As Ben has pointed out, if they have physical access to a machine and privileges sufficient to interact with your browser, it's game over, any password you use, and any unencrypted data can be regarded as compromised.
To be it always seemed odd to protect all of your important passwords with one single password. You might as well use the same password for everything as you can unlocked the passwords with just one password. Or am I missing something here?
Paris: Because she never misses a trick
You're missing the fact that one leaky or compromised site can give away your password for all the rest.
> Or am I missing something here?
Yes - LastPass supports 2 factor authentication using a variety of mechanisms. I use Google Authenticator on my phone. It can be set up to only require a password login on recognised machines.
The other thing it offers is an encrypted browser password store, rather than the (I believe) obfuscated plaintext used by most browsers if you let them store passwords for you.
Also you can change the master password regularly. However, anyone dumb enough to give all of their passwords to a complete stranger is probably using "passw0rd" for everything anyway.
... notwithstanding the strong convenience arguments laid out above..
"You're missing the fact that one leaky or compromised site can give away your password for all the rest."
Actually, that is still true with LastPass (or any online password vault). Of course it is a specific site that must be compromised, while if you use the same password everywhere, ANY site could be compromised.
What makes it even more compelling is that with last a password vault, you trust a site that have to take security seriously (or lose their business very quickly), with the same-password approach you trust a lot of random sites, many of which have a very lax approach to security (and some may even be set up specifically to snatch your password).
Attacking a strong target (I have to assume LP is 'strong') consumess a lot more resources than attacking several weak ones.. plus the weak ones (once compromised) may lead you to further clues, cutting down the options again
Of course if the 'strong' target has such a glaring hole then all bets are off
I've been using Lastpass for a couple of years and have found that it's really useful, especially when combined with the Xmarks bookmarking service.
Being able to access any website, each of which has its own secure password, from mobile, home laptop and work desktop makes web browsing far easier. You only have to remember one master password, which can be changed quickly. The browser plugins detect when you change a site password and update the vault accordingly. The "Fill Form" function makes online forms a doddle, especially given that you can have multiple forms for different locations. Logging in to one device even logs any others out, and this is all from the free version.
I did pay for the premium version for a year, but found that the free version was enough for me, as it probably is for most people.
"The browser plugins detect when you change a site password and update the vault accordingly. The "Fill Form" function makes online forms a doddle, especially given that you can have multiple forms for different locations. Logging in to one device even logs any others out, and this is all from the free version."
/This/ makes me shudder. The principle is fine, but the execution WRT security (allowing for the patched problem) is a nightmare. The 'Fill form' functionality can be picked out specifically for a) its usefulness & b) its potential security problems, /especially/ over wifi (although even cabled systems can be compromised)
IE available on platforms other than Windows? Microsoft's best kept secret?
I'm pretty sure you could get IE 5 or 6 on Mac OS9.
It was even worse than the windows version.
(wikipedia says that there was versions for HP-UX and Solaris as well. The mind boggles.)