Popular password protection programs p0wnable

Researchers have detailed a series of quickly patched vulnerabilities in five popular password managers that could allow attackers to steal user credentials. "Critical" vulnerabilities were discovered and reported in LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword in work described by the University of California …

  1. foxyshadis

    Java? On iOS?

    This article makes much more sense if you replace every "Java" with "Javascript".

    1. big_D Silver badge

      Re: Java? On iOS?

      exactly. I read "Java" and my first thought was either the story is bogus or the author doesn't know the difference between Java and JavaScript.

      1. earl grey
        Trollface

        Re: Java? On iOS?

This article makes more sense if you replace JAVA everywhere with "insecure POS".

    2. Michael Wojcik Silver badge

      Re: Java? On iOS?

      Yes, Pauli got that completely wrong, and the Reg editors failed to catch it, which is doubly embarrassing. No IT site worth its salt should commit the Java / Javascript error twice in an article. (Once could conceivably be a typographical error.)

      For the record, the paper mentions "Java" exactly zero times. (The authors use the unfortunately Pascal-cased "JavaScript", when they should be using "Javascript" or, better, "ECMAScript", but at least we know they're talking about the right language.)

      I guess we're lucky Pauli didn't tell us the problem was with password safes for "the Google".

  2. Anonymous Coward

    Anyone using any web based password manager is just an idiot.

    Sorry but I cannot think of any "nicer" term to describe them. This was always going to be an issue. I was wondering how long it'd take since LastPass became popular for things like this to be "discovered" or even exploited.

KeePassX is really the only password manager you should even place a little trust in, it at least being open source and all and, more importantly, not online, and it doesn't contain "fancy" convenience features that are basically more gateways for exploitation.

    That and never use password managers on a mobile device. Good ole desktop that is properly maintained is the only computing terminal you should even consider could be safe, and I'm not being paranoid given what's been happening for the past 6 or so years.

    1. Anonymous Coward

      Re: Anyone using any web based password manager is just an idiot.

      And what good would that do me when I'm away from my desk?

      1. boba1l0s2k9

        Re: Anyone using any web based password manager is just an idiot.

        Store your db on Dropbox or Google Drive and use KyPass for iOS.

        1. Novex

          Re: Anyone using any web based password manager is just an idiot.

          [quote]

          Store your db on Dropbox or Google Drive and use KyPass for iOS.

          [/quote]

          Please tell me you were joking.

          First rule of passwords: never give them to anyone else. That includes putting them on someone else's server, even if the passwords are encrypted.

          Re the article itself. I note this is for the web-based versions. I'm hoping the desktop local versions of the various managers are in a better state.

          *I still haven't gotten round to testing out 1Password yet, but I will eventually.

          1. Anonymous Coward

            Re: Anyone using any web based password manager is just an idiot.

            "Please tell me you were joking."

            Please tell me you were joking.

            For personal password management, dropbox losing your keepass db and then having your db cracked is hardly a major concern. All of the instances of people I know getting hacked have involved layers of horrifying security practices - guessable passwords, failing to log off, physical access. For highly sensitive data the whole discussion is moot. No USB no mobiles, and also no dropbox, obviously. But most of our passwords are of the more boring sort anyway.

          2. nobody really

            Re: Anyone using any web based password manager is just an idiot.

            [quote]

            First rule of passwords: never give them to anyone else. That includes putting them on someone else's server, even if the passwords are encrypted.

            [/quote]

            You mean like my FB password on FB servers?...or LinkedIn - or El Reg, all my banks and financial institutes, Amazon, Ebay...

            With a Password Manager at least I now use different passwords for everything which I didn't do before.

            Everything comes with risk, surely the question you need to ask yourself is how acceptable is that risk, and I daresay that will be different for everyone.

            1. Novex

              Re: Anyone using any web based password manager is just an idiot.

              [quote]

              You mean like my FB password on FB servers?...or LinkedIn - or El Reg, all my banks and financial institutes, Amazon, Ebay...

              [/quote]

              :p

              I think most people understood my comment to be about stored lists of passwords on things like cloud servers, and not about the individual password that has to be sent to a specific server to access the service(s) on it...

        2. mythicalduck

          Re: Anyone using any web based password manager is just an idiot.

          >Store your db on Dropbox or Google Drive and use KyPass for iOS.

          What you meant to say was "Store them in your own private ownCloud server, and only allow access to that server on the LAN, then have the ownCloud client and KyPass on your phone"

        3. Leeroy

          Re: Anyone using any web based password manager is just an idiot.

Maybe a last-resort backup in an encrypted PDF in an encrypted zip file in a TrueCrypt container?

          Not easy to look at on a daily basis though.

      2. Down not across

        Re: Anyone using any web based password manager is just an idiot.

        And what good would that do me when I'm away from my desk?

        I have my password manager of choice and its data on a USB key. It goes where I go.

        1. durandal

          Re: Anyone using any web based password manager is just an idiot.

          That's handy. I'm going to assume you don't work in environments where USB access is disabled by default.

          1. Jim 59

            Re: Anyone using any web based password manager is just an idiot.

Put e.g. KeePassX on your home desktop and the app on your phone. Copy the database manually.

        2. big_D Silver badge

          Re: Anyone using any web based password manager is just an idiot.

          And where USB devices are not allowed?

          Or not possible? (tablets and smartphone etc.)

          1. CaptainBanjax

            Re: Anyone using any web based password manager is just an idiot.

@big_D what about OTG cables?

          2. Down not across

            Re: Anyone using any web based password manager is just an idiot.

            As it happens no. USB devices are not forbidden. That could change of course.

Also a valid point about tablets/phones. I have considered password managers that are multiplatform, in which case I could sync when required (or use OTG on the phone/tablet).

I didn't in any way mean a USB stick would be a perfect solution, just that for me it works and is preferable to storing somewhere outside my control. I do appreciate not everyone is in the same situation.

      3. Jim 59

        Storing your passwords online

        No.

      4. Anonymous Blowhard

        Re: Anyone using any web based password manager is just an idiot.

        "And what good would that do me when I'm away from my desk?"

        Using a random computer to access a secure asset or system is a bit like asking a random stranger to help you key in your PIN at an ATM; your systems may be squeaky clean but does your friend's/colleague's/internet café's computer have a key-logging trojan sitting there waiting for your credentials?

    2. Piro Silver badge

      Re: Anyone using any web based password manager is just an idiot.

Yeah, I only use KeePass too.

      Never did trust the idea of using some web service to do the job.

    3. phuzz Silver badge
      Meh

      Re: Anyone using any web based password manager is just an idiot.

      How do you know your desktop is secure? Did you compile everything from source that you'd read through? Are you sure your compiler is secure and not silently patching in exploits?

      Maybe your mobile phone is listening in when you type your master password and guessing what it is?

I'm content to rein in my paranoid impulses and let someone else look after my passwords for me. The most I can lose is *all* my money, which isn't much.

    4. Michael Wojcik Silver badge

      Re: Anyone using any web based password manager is just an idiot.

      Anyone - and that includes most of the people contributing to this thread - who makes blanket statements about what is and is not a "safe" or "secure" practice without specifying a threat model is a sophomore whose opinion on the matter is worthless.

  3. big_D Silver badge

    It sounds like

    this information is very old. If it was thesis research, then it took a long time to get it written up and published. If LastPass fixed their bookmarklets problem nearly a year ago, then it sounds like this really was a kick in the pants for the password vault industry last year, as opposed to something that vault users should panic over.

  4. Aslan

    Thanks to the boffins for doing the research. I use a password manager myself. @AC I know that having a unique password for the 300+ sites I use is better than having 4 passwords for everything per my previous solution. Using a password manager puts me in a much better place than I was before, where I'd have a password get compromised and have to change my password on 50 websites. This has been the year of password compromises for me. 3 major companies I did business with allowed my password to be compromised and another two might have. I've few worries about using a password manager on a mobile device as on android, proper security can be installed. Lookout Mobile Security is a good one.

  5. Anonymous Coward

    Sharing schmaring

    I never have been able to make sense of this obsession with sharing. It seems that every app in the world has to have an option to share something or other and makes a big deal about it. Evernote went on and on about how you could share your notes with Facebook. Is that something that's going to be used THAT often? OneNote on Windows Phone seems to think you're more likely to want to share your notes than format them. LastPass also bigs up sharing.

    No. I don't want to share personal stuff.

    Also, access to websites such as LastPass should always be two-factor (but not the PayPal way because that's just silly).

    1. Test Man

      Re: Sharing schmaring

      Well... don't share. Nothing is stopping you.

      For everyone else that wants sharing, they have that option.

      Honestly, I don't know why people complain about features that don't affect them.

      1. PeeKay

        Re: Sharing schmaring

I have to disagree with the statement "don't share. Nothing is stopping you." I'm seeing more and more reports and discussions (per the following link) where details shared via social networks are an expectation, and I can only see this getting worse, not better.

        http://www.forbes.com/sites/deborahljacobs/2011/10/11/what-to-say-on-linkedin-when-youve-been-laid-off/

This is a single example (and I agree a fairly poor one). I have also read on forums where someone states that they do not want to share those details online - and I, for one, can relate to that - to which the response was "Well, you shouldn't expect to get a job unless your shared details verify your CV".

        As for personal experience, my last employer actually complained that they could not find me on Facebook or LinkedIn before I joined the business. I guess some of the privacy settings DO actually work.

      2. DropBear

        Re: Sharing schmaring

        Please do tell me again how people with no interest in sharing are not affected by that craze, while I'm waiting for dozens of seconds for the eleventy-billionth time for a non-responsive webpage to render, considering the non-responsive part invariably turns out to be one or more of those lovely "share" buttons from everybody and their uncle somewhere at the bottom of the page (but one absolutely can't even scroll the damn page until those - and the damned analytics - are fully loaded!). Or more exactly, that's what kept happening before I discovered that Adblock Plus can also get rid of that sort of filth for me. Pure bliss, I tell you!

But if you wish, we can also discuss how every bloody Android app just needs permission to full network access for its latest built-in sharing features, scuttling my efforts to stay no more vulnerable than I absolutely have to...

    2. Anonymous Coward

      Re: Sharing schmaring

      +1 for Lastpass 2-factor auth. Ties into Google Auth on your phone. (Yes, like Github does, and PayPal should). Let's hope Google's Auth app is trustworthy...........

    3. phuzz Silver badge
      Facepalm

      Re: Sharing schmaring

      I think the sharing feature in LastPass is for teams of people to share passwords together. As opposed to the current system in most places I've ever worked of having individual logins, and then the exact same root password on pretty much everything. And not a complex password either.

  6. Velv
    Boffin

    You have important passwords, and very important passwords. Just because they are passwords doesn't mean you should treat them all in the same way!!!

    I save passwords for many websites and other services (e.g. El Reg) in one of the above. What's the worst that can happen - someone can compromise my account and post as me online.

    I keep my very important passwords in a completely different manner.

    As has been said many times before, security is about layers - you're more secure the more layers of protection you have

    1. Zog_but_not_the_first

      Very sensible advice. My collection of passwords for sites that force me to "create an account" so I can order some cat litter (really!) is low priority.

      Everything else is written in Ancient Sumerian and kept under the doormat with the front door key.

      Velv (posting as Zog_but_not_the_first)

  7. Anonymous Coward

    Limits

With the ridiculous number of passwords you seem to acquire for the web these days, I'm extremely grateful for the convenience of the LastPass + YubiKey combination for run-of-the-mill sites of little consequence; the alternative of recycling passwords seems like a greater evil. But with it being browser based, I just can't quite bring myself to use it for anything where compromised passwords would cost money or have real consequences; that inner voice of long-honed scepticism just screams "don't do it!" every time I curse the contortions of getting my payment details.

It's really starting to get overdue for a solution that gut instinct tells you is good enough for all your passwords. Password cracking gets better by the day, and the necessity of strong unique passwords and the increasing need for portability suggest we need something more ironclad / confidence-inspiring than exists at the moment.

  8. Nathan Brathahn

    Password Card anyone?

Three of them are always in my purse.

    Sometimes low tech works better

    1. Cirdan

      Re: Password Card anyone?

      Nathan-

      You're the reason cutpurses still exist! Chew on that.

      Seriously, I'm interested. As a Septic, I wonder what counts as a 'purse' for a fellow across the pond these days? I just can't get the picture out of my mind of a leather pouch with a drawstring hanging from your belt next to your dagger and longsword.

      ...Cirdan...

      p.s. thanks for the password card idea/reminder. awesome.

  9. CaptainBanjax

    I keep my passwords

    Stored in my face.

    I generate them by repeatedly smashing my face on my keyboard.

    Then when I need to login I just keep smashing my face on the keyboard until it lets me in.

I'm still trying to log into my gmail to click the confirmation link so I can get into facebook 4 years after I signed up. I can't wait to get in and show everyone a picture of my battered toothless face.

  10. Stevie

    Bah!

    Didn't see that coming.

    Oh wait.

  11. earl grey
    Joke

    I tattoo mine on the end of my schwartz

    Unfortunately, it's like reading a shrunken head.

    1. phuzz Silver badge
      Paris Hilton

      Re: I tattoo mine on the end of my schwartz

      Doctor:"so why do you need this viagra Mr Grey?"

      earl grey:"Well doc, now I'm getting on a bit, my eyesight's going, and I'm having trouble reading my passwords..."

      >>>>>>>>>>>>>>>> Paris, because she'd help you read them.

  12. David Precious

    Password generation instead of storage?

    This is a reason I use a password generation tool (PasswordMaker, to be precise) rather than password storage - the tool, given the master password and the domain you're trying to access, generates the password you'll use to log in. You never need to store that password, as all you need to find out what it was is the master password and the domain (along with the settings you use - e.g. which hashing algo, password length and which characters are acceptable), and the master password never leaves the device.

    It allows per-domain specific settings overriding elements of the defaults, too - so if a site you used it for is compromised, you can create a custom config for that site which causes the password generated to be different to what it was before.
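The derive-don't-store idea described in the comment above, as an added illustration that is not PasswordMaker's own code or algorithm: a master password and a domain are stretched into a site-specific password under a set of defaults, and a per-domain override (here a "modifier" string, assumed for this example) changes the result for one site without touching the master password or any other site.

```python
import hashlib
import string

# Default generation settings (constructed for this example, not PasswordMaker's defaults).
DEFAULTS = {
    "algorithm": "sha256",
    "length": 16,
    "charset": string.ascii_letters + string.digits + "!@#$%",
    "modifier": "",   # bumped for a site whose password must be rotated
}

# Per-domain overrides (constructed): example.net is rotated with a modifier,
# legacy.example.org only accepts short alphanumeric passwords.
OVERRIDES = {
    "example.net": {"modifier": "2", "length": 20},
    "legacy.example.org": {"charset": string.ascii_letters + string.digits, "length": 12},
}


def settings_for(domain, overrides=OVERRIDES):
    """Defaults merged with any override recorded for this domain."""
    merged = dict(DEFAULTS)
    merged.update(overrides.get(domain, {}))
    return merged


def derive_password(master, domain, overrides=OVERRIDES):
    """Deterministically derive a site password; nothing derived is ever stored."""
    cfg = settings_for(domain, overrides)
    # Domain and modifier form the salt, so one master password yields a distinct
    # credential per site, and changing the modifier yields a new one for that site.
    salt = f"{domain}|{cfg['modifier']}".encode()
    raw = hashlib.pbkdf2_hmac(cfg["algorithm"], master.encode(), salt,
                              100_000, dklen=2 * cfg["length"])
    charset = cfg["charset"]
    # Two bytes per output character keeps the modulo bias small (not zero).
    return "".join(charset[int.from_bytes(raw[i:i + 2], "big") % len(charset)]
                   for i in range(0, len(raw), 2))


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample master password
    for site in ("example.com", "example.net", "legacy.example.org"):
        print(site, derive_password(master, site))
```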

  13. Jin

    Only for low security jobs

    The maxim is reconfirmed that it is not wise to put many eggs in a basket. Password managers should be recommended only for low-security jobs.

  14. Mr Michael Strelitz
    Holmes

    Password Safe

    PasswordSafe - originally designed by Bruce Schneier. The one and only.
