Never saw this coming
Sharing your passwords on the Internet will always be a bad idea.
Cloud castle for passwords LastPass has introduced mandatory sign in requirements for all new devices after security researcher Sean Cassidy dropped code allowing criminals to plunder vaults with mirror-perfect phishing attacks. As of today, users who set two factor authentication will need to hop to their registered email …
My wife, my two teenagers, and myself are all LastPass Premium subscribers. This has worked very well until now as we move between our communal collection of Windows, OSX, iOS and Android devices.
Both myself and one teenager are computer literate and wouldn't have issues with the KeePass-Dropbox shuffle.
The other two household members aren't so hot. If they have to come to grips with KeePass AND Dropbox I can see them quickly giving up on the whole thing and going back to the bad old days of recording passwords in notebooks/address books/on the backs of envelopes.
Are there any decent self-synching options out there?
https://keepass2android.codeplex.com/ - Android Keepass2 client that you can give access to an app folder in your Dropbox account. There is a non-network access version in the Play store that you can use if you're paranoid, or a networked version if you wish to trade a little security for convenience of Dropbox sync.
Set up the desktop application to read/write directly to the Keepass2 file stored in the app folder in your dropbox folder on your PC/Laptop/MacBook/Mac/etc...
Can't help with iOS, sorry.
Slightly more advanced:
http://keepass.info/download.html - use the portable version of Keepass2 to allow access to your passwords on a USB stick. I have yet to find an acceptable dropbox add-on for the main application, so this route requires the odd synchronisation between the USB stored file and the dropbox version (Ctrl-R works really well for me, no problems so far).
> going back to the bad old days of recording passwords in notebooks/address books/on the backs of envelopes
To be honest, that wouldn't overly bother me, assuming the said notebooks/address books/etc are not in some share house or on airbnb or something. The more likely regression I can imagine is the bad days of using the same credentials for all their online services, meaning the moment that one of these does a talk talk, all your accounts are compromised.
To be fair they've had 2FA for quite some time. If you choose not to use it for your convenience then you should be aware how it weakens the security of your centrally stored data. I have KeePassX but find the idea of using that at home, work, and mobile to be next to impossible.
How long have LogMeIn owned LastPass?
After LMI's terrible screw-up of the LastPass interface I was going to ask how long would it be before LMI totally forked-up LastPass beyond all recognition.
That question is now redundant. It's Symantec/Norton (or Symantec/Xtree for those of my vintage) all over again.
So, LastPass is now, effectively, history.
What password manager to use now?
The potential for this sort of issue to occur has existed forever, certainly long before the LMI takeover. The LastPass UI has always been a bit of a shonky mishmash of browser prompts that would lend themselves to spoofing. But then again, what other facilities are there for a browser plugin to display UI? I've always felt that Chrome should do a much better job of distinguishing "trusted" extension UI from general internet content. The only visible difference is the URL which is hardly obvious as this attack demonstrates.
I see no relevance to LMI takeover, apart from your obvious axe grinding. FWIW I prefer the refreshed UI.
From what I understand it is Chrome's insistence in using viewport in the browser that makes it particularly easy for the attackers. What I'm trying to find out is if the spoof is separate from the browser session; if it is not, then IBM's Rapport end point security could defeat it from happening in the first place. If it is separate malcode throwing up the box, the next question is will Keyscrambler work against it like a keylogger? This is what I'm trying to find out from Lastpass. They have an obligation to notify users of these threats, and they fell down this time. I'm going to hold them to determining if there are any other mitigations besides the improvements in version 4.0 and 2nd factor settings in the vault.
Most people (commentards excepted, of course) don't know how to use a computer. As in, they can browse the internet and use Microsoft Word, and that's it.
The problem with Keepass is that it requires you to not be one of those people. LastPass is simple and that makes it automatically better than Keepass because people will actually use it.
The real alternative to LastPass isn't Keepass or anything else. The real alternative is post-it notes and "password123" in a hundred places.
I ditched Lastpass (which I loved) after doing some research on LogMeIn's style of business and track record (and suspicions confirmed when the takeover news coincided with the 'export to csv' option being canned from Lastpass). Eventually settled on KeepassX - MiniKeepass across my iOS / OSX / *nix / Windows devices. Although I felt I had to make some compromises (syncing kdb via GDrive) I must say I feel I have made the best of a bad job and it works without too much inconvenience. I cannot see anyone I know bothering to jump through the hoops though; I just do not think any of my nearest and dearest give a tinker's cuss about information security. I am sure I'll get the tearful phone call when someone finds an astronomical Amazon bill bought out of Kazakhstan.
Just to verify, why do you say that "export to CSV" was canned in LastPass? I still use LastPass, and I just checked and verified that the option to export to CSV is still there.
As a LogMeIn user, I wasn't too happy that they killed off the free edition, however, since I had a mix of free and pro they upgraded all of the free clients to pro for a year for no charge. Sometimes you have to take the bad with the good, but if you are going to preemptively trash a product because you THINK that they might change something then you are never going to use anything.
My LastPass vault has 156 passwords in it. They're all between 15 and 20 characters and different so that if one site gets compromised, the vulnerability doesn't spread. I need to be able to access them anywhere, including other people's computers from time to time.
I don't suppose there are more than a few dozen people in the world who have the memory to manage that without a password manager.