What should password managers not do? Leak your passwords? What a great idea, LastPass

Password vault LastPass is scrambling to patch critical security flaws that malicious websites can exploit to steal millions of victims' passphrases. The programming cockups were spotted by Tavis Ormandy, a white-hat hacker on Google's crack Project Zero security team. He found that the LastPass Chrome extension has an …

  1. hellwig Silver badge

    Anyone remember Gator?

    Oh, how naive we all were. At least I uninstalled Gator when it moved to spamware (hey, I was a teenager).

    I thought LastPass was user encrypted, like even LastPass couldn't unencrypt the data without your password. But if that's the case, why/how does the plugin expose anything to a website? Shouldn't all data go from webpage to plugin? All the plugin has to do is fill out fields, right? What possible reason is there for even including functionality a web page can manipulate?

    Here's the process I see:

    Plugin grabs URL from browser.

    Plugin scans rendered HTML for fields.

    Plugin prompts user to fill fields. (Important, especially for hidden fields!!!)

    User fills fields.

    End of Transaction.

    The fact that "1min-ui-prod.service.lastpass.com" exposed this issue makes me think it was used by LastPass as some sort of backdoor (oh, I'm sure they'll claim it was a test server they never meant to be released to public). But still, in the end, if they're trying to be legitimate, what possible reason is there for LastPass to be controllable by a webpage?

    1. Anonymous Coward

      Re: Anyone remember Gator?

      Gator changed their name several times including Claria and Jelly cloud (more like slime cloud), to try and throw off the stench of malware.

      What's more interesting is tracing where the morally bankrupt senior management ended up. eHarmony, Facebook, eHow / Livestrong, among others.

  2. Warm Braw Silver badge

    There are hundreds of internal LastPass RPCs

    Why? Oh, why, oh why...

  3. Frozit

    Still way better than no password manager and reusing human rememberable passwords.

    1. Invidious Aardvark

      How is having all my unknown-to-me passwords exfiltrated from my password manager "way better" than having my known-to-me passwords guessed/hijacked? They both seem about equivalent to me (though they'd have a hard time getting someone to enter all the passwords that they re-use in a single attack, so perhaps it's marginally worse to use LastPass?).

      1. The Bam

        Security is a process, not a product. Obviously any specific technology may have bugs, but avoiding all technological aids to security is not the solution.

    2. Lee D Silver badge

      Both of which are worse than just securing your machine (not letting people see you type your passwords), choosing sensible passwords (* long, not complex) and not running third-party software with access to EVERYTHING on your computer, including an explicit list of every password you've ever used, anywhere, ever.

      Like antivirus - the only program to run as SYSTEM, begin at startup, run for every user, intercept every possible file access on the entire machine, able to hide anything it does, not let itself get shut down, connect to the Internet, update itself automatically, and even nowadays run your firewall, decide what can get out or see packets, and what can come back in, often with remote-support tools built in. Yeah, that's not a recipe for disaster.

      (*) Human-rememberable passwords are WAY outside brute-force limits - just make sure they are LONG, not faff around with fancy characters in your potential alphabets. Starting with just an ordinary alphabet, a character added to password length would make the password 26 times stronger, while including a new character (e.g. an asterisk) into the alphabet itself only makes it 1/26th stronger. STOP IT.

      1. I am the liquor

        Lee D, your entropy calculations leave something to be desired.

        A 10-character password taken randomly from a set of 26 characters has 47 bits of entropy.

        A 10-character password taken randomly from a set of 27 characters has 47.5 bits of entropy, i.e. it's about 40% stronger, not 1/26. Adding a character to the alphabet makes the password only 1/26 stronger if it's a 1-letter password.

        And that's if the attacker has somehow divined which punctuation mark you added to your character set. In reality, their search space probably includes at least 10 commonly-used punctuation characters. 10 characters from an alphabet of 36 has 51.7 bits of entropy, making it (coincidentally) 26 times stronger than the just-letters version.

    3. Blitterbug
      Facepalm

      Still way better than no password manager and reusing human rememberable passwords...

      Just... no.

    4. Anonymous Coward
      Happy

      My complex password is on a post-it note.

      Beats both methods.

      I'd do a joke icon, but it is actually better than both methods.

      1. Orv Silver badge

        "My complex password is on a post-it note."

        That does leave you open to "evil maid" attacks. That may not be a concern if we're talking about a home environment and you don't have service workers there unsupervised. Otherwise I'd suggest putting the password in your wallet or something else you always carry on your person, and changing it ASAP if you realize your wallet has been stolen.

      2. Wensleydale Cheese
        Alert

        "My complex password is on a post-it note."

        You use one password for multiple accounts?

        1. Alumoi

          You use one password for multiple accounts?

          I do. One password for forums and other non important crap, one for each mail account and one for online banking. So all I have to do is remember at most 10 passwords. No biggie, right?

    5. macjules Silver badge

      Oops

      I really do not believe that you meant to say that. Perhaps LastPass' next venture should be a decent notepad with a corporate pen.

  4. Boohoo4u

    You had me at browser extensions...


  5. Anonymous Coward

    Could someone please inform me why I should keep my passwords in some black cloud ??

    WTF is so wrong about local storage ?

    1. Anonymous Coward

      Indeed. I keep each horrendously long and complex password in an encrypted LibreOffice document along with associated information such as username, site URL etc. All the documents are stored inside a TrueCrypt drive which is only temporarily mounted when access to a password is needed. It may be a bit of a faff to log in to my bank etc but I prefer this method to trusting some third party on the web.

    2. Anonymous Coward

      For starters, local storage is great... if it's 1990 and you use exactly one computer for all the things you do.

      For second, local storage is great... if you don't mind losing a small piece of your life to managing yet another application including backing up said local storage.

      For third, local storage is great... if it's not 2017 and you don't already have half your life in the cloud anyways, trusting it with tons of other important shit like I don't know, your finances, School curriculum, taxes, email, calendar, photos, relationships, etc.

      It's called modern life. The horse and buggy was awesome too, until it wasn't.

      1. a_yank_lurker Silver badge

        "For starters, local storage is great... if it's 1990 and you use exactly one computer for all the things you do." - One very hidden benefit of local storage with no cloudy backup is it forces one to have one device used for managing important financial and purchasing activities. I prefer to keep mine on a desktop and have no banking, credit card, etc. apps on my phone. If the phone is lost or stolen it's still a pain but I do not need to worry about my information leaking out.

      2. ecarlseen

        That's a nice false choice fallacy you have there.

        Shame if something were to happen to it.

        There are a lot of ways to distribute your information between devices that you own without using public cloud services. For an example relevant to the article, 1Password lets you use a shared folder or a WiFi connection to sync devices.

      3. krivine

        Local storage

        Syncthing and Veracrypt

      4. Pascal Monett Silver badge

        "local storage is great... if it's not 2017 and you don't already have half your life in the cloud anyways, trusting it with tons of other important shit like I don't know, your finances, School curriculum, taxes, email, calendar, photos, relationships, etc"

        Congratulations, you have been perfectly assimilated integrated and are now a valuable marketing commodity. I wish you luck on relying on someone else's server and backup procedures to provide you with what you apparently still think is your data.

        As for me, I prefer "losing a small piece of my life" actually backing up MY photos and data, rather than discover one day that the cloudy thingy I thought had my back actually didn't.

      5. David Nash Silver badge

        "local storage is great... if it's not 2017 and you don't already have half your life in the cloud anyways, trusting it with tons of other important shit like I don't know, your finances, School curriculum, taxes, email, calendar, photos, relationships, etc"

        Stuff like finances, taxes etc are not "the cloud". They are on hopefully well-protected servers of specific organisations dedicated to that task.

        That's no reason to keep the passwords to those services in another "cloud". Keep them locally. Back them up, yes. I am not sure I would trust a cloud-based service with my passwords and NO local backup.

      6. patrickstar

        The proper way to do this is to generate all passwords from a master password combined with a site identifier. Then the only thing you need to share between different boxes is the generator itself, which isn't security critical. Unfortunately this is somewhat complicated by differing password length and complexity rules.

        1. Orv Silver badge

          "The proper way to do this is to generate all passwords from a master password combined with a site identifier."

          That works until one of those sites gets hacked and is caught storing passwords in cleartext. Then people might just figure out that if "stupidsiteFooBarBiz" is your password for stupidsite, there's a good chance "mybankFooBarBiz" will work at mybank.com...

          1. patrickstar

            I meant "generate" as in "hash"... Obviously, but should have been clearer perhaps.
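The master-password-plus-site-identifier scheme described in this sub-thread, as an added example that is not patrickstar's code: each site password is a one-way derivation (PBKDF2-HMAC-SHA256 here) from the master secret and the site name, so a leaked site password reveals neither the master nor any other site's password, and the per-site length and character-class rules the post calls a complication are passed in as parameters. The site names, policies and master password are constructed sample values; a deployed tool would want a memory-hard KDF such as Argon2 and a higher work factor.

```python
import hashlib
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*"


def _material(master: str, site: str, rotation: int, attempt: int, nbytes: int) -> bytes:
    """Deterministic key material for one (master, site, rotation, attempt) tuple.
    PBKDF2 output is a concatenation of fixed-size blocks, so asking for more
    bytes later returns the same prefix followed by new bytes."""
    salt = f"site={site};rotation={rotation};attempt={attempt}".encode()
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=nbytes)


def satisfies(password: str, classes) -> bool:
    """True when the password contains at least one character of every class."""
    return all(any(ch in cls for ch in password) for cls in classes)


def derive_password(master: str, site: str, length: int = 16,
                    classes=(LOWER, UPPER, DIGITS, SYMBOLS), rotation: int = 0) -> str:
    """Derive the password for `site` from `master`.

    length/classes encode that site's rules; rotation is bumped when the site
    forces a change. Bytes are mapped onto the alphabet with rejection sampling
    so every symbol is equally likely; if the derived string misses a required
    class, the attempt counter is incremented and derivation repeats, which keeps
    the result deterministic for the same inputs."""
    alphabet = "".join(classes)
    n = len(alphabet)
    limit = 256 - (256 % n)  # bytes at or above this would bias the modulo
    attempt = 0
    while True:
        nbytes = 4 * length
        material = _material(master, site, rotation, attempt, nbytes)
        out, i = [], 0
        while len(out) < length:
            if i >= len(material):  # ran out (rare): extend the same stream
                nbytes *= 2
                material = _material(master, site, rotation, attempt, nbytes)
            b = material[i]
            i += 1
            if b < limit:
                out.append(alphabet[b % n])
        candidate = "".join(out)
        if satisfies(candidate, classes):
            return candidate
        attempt += 1


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample, not a real secret
    # constructed per-site policies: the rules that differ from site to site
    print(derive_password(master, "stupidsite.example"))
    print(derive_password(master, "mybank.example", length=12, classes=(LOWER, UPPER, DIGITS)))
    print(derive_password(master, "mybank.example", length=12, classes=(LOWER, UPPER, DIGITS), rotation=1))
```

The per-site policy and rotation counter are exactly the state that still has to be shared between machines, which is why the post says the generator itself is the only thing to sync.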

      7. John 104

        @AC

        For starters, local storage is great... et al.

        You sir, are an average user. Clueless, or careless, take your pick. Your statements about all sorts of personal things living in the cloud are indicative of the general populace's lack of understanding of the risk they take when they do so.

        It's 2017. Cloud services and corporate systems are constantly under attack. Thinking you can put anything in these systems and keep your data yours is foolish. The only way to keep things secure is to use throw away creds for some services, stay off social media, bank in person, and keep things that are important to you on local storage, preferably air gapped from any network.

        Or you could just continue with your head in the sand technique. In fact, I think there's some cool articles on Wired that you can read about the next latest cool thing. Don't let the door...

        1. Anonymous Coward

          @John104

          Or here's an idea ..why not just give up and withdraw from modern life entirely which is pretty much the net effect of what you are suggesting.

          Most people don't have multiple PCs including one that's never online and air gapped; lots of people can't bank in person now as the branches are being shut down at an increasing rate .. In our not tiny town, Lloyds has already shut, HSBC is shortly to close too and if you can't drive what then? Rely on a once an hour bus to get to a branch in your lunch hour and be late back for work .. "sorry boss, I'm a tin foil hat so every time I need to go to the bank I need 2 hours out of the office" ... yeah watch that fly... Am not really on social media myself but for many it's a crucial link to friends and family in a world of increasing isolation...

          Your dismissive, arrogant, miserable snarkiness is beyond counterproductive ..it's like telling a burglary victim ..."well I've never bought anything so I don't get burgled .. you shouldn't buy shit you moron.." I mean really, ... if you can't share any advice useful to a normal human being, don't bother.

          1. Anonymous Coward

            just a tick

            Is this false dichotomy? I almost the entire logic but I kept it in teh clood

          2. tiggity Silver badge

            I only bank at physical bank branches.

            It's possible to change banks - vote with your feet if your local branch closes down.

            Banks open (a bit) at weekends too!

            I'm not using a banking app on insecure (non rooted) android, and the apps won't run on a more locked down (rooted) android due to stupid idea of rooted = insecure.

            As for PCs, I generally run old (unsupported, ditto for browser updates) OS versions on old feeble hardware (run it till it dies) and so there are (obviously) potential security issues as the software vendors like forced obsolescence, so nothing sensitive is done on those, no banking etc..

      8. Anonymous Coward

        Companies come and go

        Yes, as we've all seen having a local hard backup is a bad idea. Just ask the people who've been hit with ransomware.

        You're mixing banks, school, fed taxing authorities who have a vested interest in storing your data with your useless-to-anybody-but-you personal email, calendar, photos and 'likes'. If you want to store your personal shit with a company that may/will change hands, fees, limits, terms of use, etc. have at it.

        From someone who's seen companies live and die before the time you've been peeing in your huggies, I'll keep my personal data where I can control it.

    3. Schultz

      Local storage for passwords

      Indeed, use keepass and combine it with your favorite method of keeping data synchronized (e.g., Dropbox, OneDrive, OneDrive, USB sticks, ...) across your computers and phones. It adds a copy/paste step when you use it with your browser, but you are in control and you offer a much smaller attack surface.

      Also, is there anything wrong about the browser (Chrome) autofill method for low priority passwords (e.g. for the comment section of ElReg)?

      1. a_yank_lurker Silver badge

        Re: Local storage for passwords

        It is a philosophical issue not a technical one. I personally like to keep key services localized to one machine - currently an immobile desktop. This lessens the risk that losing a device or a hack of Dropbox endangers my password. If one is more comfortable with the risks, what you describe is a reasonable solution.

        1. Stuart Moore

          Re: Local storage for passwords

          This is where keepass works well. I can have a keyfile that I manually install on the devices I want to have access as a one time action (never stored in the cloud). So the file in dropbox is useless without both that key file and my password. But if I add a password on my phone it syncs to my desktop.

        2. Brangdon

          Re: a hack of Dropbox

          If you use KeePass, the password file is encrypted locally before DropBox sees it. Your main vulnerability is if your local machine gets compromised to the point that someone can inject a DLL into the address space of the KeePass process, but if they can do that, they pretty much own you anyway.

          (A simple key logger isn't enough, because KeePass uses a secure desktop for its master password, and a simple clipboard sniffer isn't enough if you use its autotype mechanism instead of copy and paste.)

      2. Anonymous Coward

        Re: Local storage for passwords

        is there anything wrong about the browser (Chrome) autofill method for low priority passwords (e.g. for the comment section of ElReg)?

        That depends. It is less secure than not using autofill. Individually, does that matter, eg if your ElReg account was hacked, used to post spam or offensive comments, and got deleted? You might have to become SchultTheSecond, round these parts. As a one off, that's modestly inconvenient, but if you either reuse a common password, or a guessable config of a root-plus-site-related, then any other sites may be compromised - although an effective browser autofill hack could (like this) expose all of your saved logins anyway.

        Curiously enough, I suspect that us pseudonymous types can cope with most of that, yet I think that any "proper" social media account is much more of a problem. Sure, nobody pays cash for Facebook or LinkedIn, but the damage that could be inflicted to your reputation by a hijacking, or the inconvenience of losing access to aggregated time-series content could be more costly.

        As a general rule then, the logical approach would be that if the account is publicly associated with you and links to any form of network of your contacts, then don't use autofill. But I'm not taking my own advice.....

    4. Roland6 Silver badge

      Re: WTF is so wrong about local storage ?

      Did you read the article?

      This vulnerability has little to do with the actual storage location of the passwords and lots to do with the available RPCs used by the (LastPass) browser extension to access the stored information.

      Given the nature of the vulnerability and the level of information disclosed, we can expect developers of other password managers that have browser extensions that access the password store to also be reviewing their code. Also given the nature of the vulnerability developers of browser extensions that utilise cloud services should also be reviewing their code...

      The fundamental problem with LastPass is that it doesn't seem to have a standalone client, so disabling it in Chrome etc. means you are unable to access your password store. A possible workaround is to have the extension enabled in one web browser (eg. IE) that you don't use for web browsing and use a different browser (eg. Chrome/Firefox) for your normal web browsing.

      1. Orv Silver badge

        Re: WTF is so wrong about local storage ?

        "The fundamental problem with LastPass is that it doesn't seem to have a standalone client, so disabling it in Chrome etc. means you are unable to access your password store"

        Actually you can still access your vault via their website, and use the copypasta method. Although I'm unconvinced that having a password sitting on my clipboard, where any application can access it, is much of a security improvement. All the non-extension methods share that weakness, though, including the old standby encrypted text file method.

      2. thondwe

        Re: WTF is so wrong about local storage ?

        Lastpass has Apps - so use of an independent browser is unnecessary

    5. dl

      The cloud storage vs local is a moot point though in this case.

      It was the browser extension leaking the data, local storage wouldn't have made any difference.

  6. robertcirca

    The perfect Password

    The perfect password is not "''jjjJJz6&&//§ww".

    Using "Iamsostupidthatiforgetmypasswordsallthetime2000" is 1000 times safer. Brute force attacks do not care which characters humans use. It is the length of the password.

    Just combine several words and password dictionaries will not work anymore.

    "horsefrenchfriesgreengrass" is also pretty nice. And you can remember it.

    And if you like to click on attachments of weird emails no password will ever protect you.

    1. streaky Silver badge

      Re: The perfect Password

      Brute force attacks do not care which characters humans use.

      Yes, yes they do.

      Iamsostupidthatiforgetmypasswords%^£thetime2000 is way - way - stronger than Iamsostupidthatiforgetmypasswordsallthetime2000.

      Larger the key space the less feasible the attack. Adding an extra possible character increases the complexity by an order of magnitude. This stuff isn't even complicated.

      1. Anonymous Coward Silver badge
        Facepalm

        Re: The perfect Password

        "Larger the key space the less feasible the attack" - that only works when it's a predictable key space.

        If you don't know whether my password is purely lowercase letters, or letters+numbers, or extended alpha, or including emojis etc... you don't know what combinations to try, so must try all of them to guarantee success. You may choose to start simple and work up the complexity, but you may also choose to start short and wide and work up the length.

    2. ozobken

      Re: The perfect Password

      Assuming you can remember all those passphrases for all your different accounts - I assume you're not advocating using the same password everywhere?

    3. grandours

      Re: The perfect Password

      That's all well and good, but there are a number of services that still limit the length of passwords to a ridiculously short number of characters. In that type of situation, the string of words method or xkcd method is useless. Password managers allow you to generate random passwords containing a mix of upper/lower case letters, numbers and special symbols of whatever length you like, so you can have much stronger passwords than "Iamsostupidthatiforgetmypasswordsallthetime2000". Also, unless you are recommending reusing the same password across many sites, that method is not practicable for most people. I currently have 116 passwords stored in my password manager. They are all unique and impossible to guess, even by me. I don't have a photographic memory, so I simply can't remember that many unique passwords. I use a password manager for everything except banking, email and Amazon. For my banking and Amazon I have 12 character impossible to guess root passwords that I've memorized and never change, and I have an additional 18 character suffix stored on a Yubikey that I can change at regular intervals. I also use 2FA wherever it's allowed. There is no perfect password solution. Whatever solution you choose to use, you have compromised to some degree on usability, convenience or security. To what degree one is willing to compromise in any one of those areas is up to each individual. Saying that one should never use a password manager is a bit like saying to an investor "no one should ever have more than 50% of one's investments in equities as they are too risky".

      1. Anonymous Coward

        Re: The perfect Password

        Please stop using the phrase "impossible to guess" as it's simply incorrect. It's likely more suitable to say "extremely unlikely to guess".

        1. grandours

          Re: The perfect Password

          From a pedantic point of view you are correct, but you are using the term "guess" in the sense of a random selection. I am using the term to denote using some knowledge about a person to make an educated guess about what a password might be. A very simple example might be someone using their child's birthday as a password. My password-manager generated passwords have no bearing to me, anyone related to me, or anything I might dream up using my imagination. Yes, one could still "guess" one of those passwords, but the odds of doing so would be far worse than winning the Powerball jackpot. From a practical point of view, they are impossible to guess.

          Incidentally, another benefit of using a password manager is when dealing with those annoying but mandatory "security questions", which do nothing but weaken security. For those, I use more password-manager generated passwords. That way, I don't have to worry about people who might know my mother's maiden name, etc., getting access to my accounts.

    4. MrKrotos

      Re: The perfect Password

      "Brute force attacks do not care which characters humans use." Wow you obv have no idea how brute force attacks work!

    5. I am the liquor

      Re: The perfect Password

      Robert, that's nonsense. Of course dictionary attacks can still work. Attackers can combine words just as they can combine letters in brute force searches.

      The first password you quoted has 16 characters, taken from a set of upper and lower case letters, digits and punctuation - say a set of 90 characters. Let's leave aside the amount of repetition in it, which is bad, and assume it was supposed to be a random selection of characters. That would give about 104 bits of entropy - a very strong password (if truly random).

      "horsefrenchfriesgreengrass" comprises 5 very common words, or maybe only 3 if the attacker has common phrases "french fries" and "green grass" in their dictionary. Likely 60-ish bits of entropy, much weaker than the 16 random character password.

      Your 13 word alternative is probably not much better, because it's not 13 randomly-chosen words. Most of it is a syntactically valid English sentence, which really reduces the entropy. "I am so stupid" and "I forget my passwords all the time" both get a ton of hits on google and could easily be in password dictionaries. So your 13 word password might really only be 4 words. A sophisticated dictionary attack will try variations of spacing and capitalisation. And attackers _are_ using such sophisticated attacks.

      Your word-based passwords certainly have the benefit of being easier to remember, but I don't think you're right to believe they're safer.
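The entropy arithmetic argued over in this thread (Lee D's length-versus-alphabet claim, I am the liquor's 47 / 47.5 / 51.7-bit figures, and the 104-bit and 60-ish-bit estimates in this post), as an added worked example that is not any commenter's code. It computes bits as length × log2(alphabet size) for uniformly random choices; the 4096-word dictionary for the passphrase case is an assumed size, since the post gives none.

```python
import math


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly and independently
    from an alphabet of `alphabet_size` symbols: length * log2(alphabet_size).
    A "symbol" may be a character or, for a passphrase, a whole dictionary word."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def strength_ratio(bits_from: float, bits_to: float) -> float:
    """How many times larger the search space with `bits_to` is than with `bits_from`."""
    return 2.0 ** (bits_to - bits_from)


def growth_one_step(alphabet_size: int, length: int) -> dict:
    """Compare the two ways of 'adding one' discussed in the thread: one more
    symbol of length versus one more symbol in the alphabet, at the same length."""
    base = entropy_bits(alphabet_size, length)
    return {
        "base_bits": base,
        # one more position multiplies the search space by alphabet_size, always
        "one_longer": strength_ratio(base, entropy_bits(alphabet_size, length + 1)),
        # one more alphabet symbol multiplies it by ((size+1)/size) ** length,
        # so the gain depends on length (only 1/size extra for a 1-symbol password)
        "one_wider": strength_ratio(base, entropy_bits(alphabet_size + 1, length)),
    }


def thread_figures(dictionary_size: int = 4096) -> dict:
    """The specific cases from the comments; dictionary_size is an assumed size
    for the attacker's word list (the thread does not give one)."""
    letters10 = entropy_bits(26, 10)
    return {
        "10 of 26 letters": letters10,
        "10 of 27 (one punctuation mark added)": entropy_bits(27, 10),
        "ratio 27-alphabet vs 26": strength_ratio(letters10, entropy_bits(27, 10)),
        "10 of 36 (letters + 10 punctuation)": entropy_bits(36, 10),
        "ratio 36-alphabet vs 26": strength_ratio(letters10, entropy_bits(36, 10)),
        "16 random chars of 90": entropy_bits(90, 16),
        "5 random dictionary words": entropy_bits(dictionary_size, 5),
        "3 random dictionary phrases": entropy_bits(dictionary_size, 3),
    }


if __name__ == "__main__":
    for name, value in thread_figures().items():
        print(f"{name:42s} {value:8.2f}")
    print(growth_one_step(26, 10))
```

Note that all of these figures assume uniformly random choices; an English sentence or a common phrase, as the post says, has far less entropy than the same number of randomly chosen words.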

    6. Anonymous Coward

      Re: The perfect Password

      > "horsefrenchfriesgreengrass" is also pretty nice. And you can rember it.

      Until you hit the site which asks for upper and lower case so you change it to HorseFrenchFriesGreenGrass

      then you hit the site that requires upper and lowercase and a number so you start using

      H0rSeFrenchFr1e5GreenGra55

      then you hit the site that needs a symbol as well so you use

      H0r5eFrenchFr!e5GreenGra55

      then you hit the site that says "passwords must be between 8 and 12 characters"

      etc etc

      then you get to a site and find you have forgotten which combination of rules it applies so in desperation you have to click the "forgotten password" link and get to reset your password - you then find what the combination of case/numbers/symbols etc the site uses but then find you can't use any of your existing versions of your password as they are "too similar to previous password" and are rejected

      1. Martyn Welch

        Re: The perfect Password

        Any site that can claim "too similar to previous password" rather than "identical to a previously used password" should lead to probing questions like "Are you storing my passwords in plain text?".


  7. Anonymous Coward

    One Password Manager to bind them all.

  8. Abacus

    Fuck LogMeIn.

    That is all.

    1. psychonaut

      Re: Fuck LogMeIn.

      Seconded

    2. Stuart Moore

      Re: Fuck LogMeIn.

      That's my password too. Works well with speech to text.

      1. Anonymous Coward

        Re: Fuck LogMeIn.

        "Fuck LogMeIn"? That's amazing! I've got the same password on my IoT smartphone-enabled luggage!

        1. Rich 11 Silver badge

          Re: Fuck LogMeIn.

          Shut up, all of you! Every time you say that my fucking IoS fridge orders another pint of milk!

          1. John Gamble

            Re: Fuck LogMeIn.

            You can never have too much milk.

  9. Anonymous Coward

    Still using SecureSafe..

    Some of my passwords are important to my family if something happens to me, so I've been a SecureSafe user for *years* as it has a well thought out inheritance function that is abuse resistant.

    It is worth knowing that the banks it lists as clients have actively reviewed the product - that's how I found out as I consulted for one of those banks.

    I am personally not really enamoured by their efforts to make more of this than a password manager (storage, team spaces, secure email), but the free version is enough for the average end user and thankfully doesn't get in the way much with that cruft.

    1. Roland6 Silver badge

      Re: Still using SecureSafe..

      but the free version is enough for the average end user

      I'm a little sceptical as it has a 50 password limit. But suspect that for many non-IT end users that only really use the Internet for email and managing their utility accounts this may not be an issue.

      My only real issue with SecureSafe is that it still doesn't have a Linux client.

  10. Anonymous Coward

    I commented on this a week or two back

    password managers are not inherently safe, especially if cloud based.

    pats self on back with unnecessary vigour

  11. Alan Bourke

    Just remember passwords

    with your brain.

    1. Anonymous Coward

      Re: Just remember passwords

      .. and there we have the real problem :)

  12. GingerOne

    Can anyone recommend a password manager that doesn't keep stuff in a third party cloud but does allow you to sync yourself across Windows, Linux & Android devices. At the moment it seems LastPass is the only user friendly tool that does this.

    *I don't use it for banking or email...

    1. Anonymous Coward

      The issue is that you need a location that ties them together, so that would either be a private SFTP server or some secure webdav storage, and the shared data should be encrypted before it's stored there.

      That would indeed be a good thing to have. At the moment I already have my own server to sync calendars and contacts across iOS, macOS and Linux. Adding a password sync would be cool, but the challenge is finding applications you can trust..

    2. Adam 52 Silver badge

      "LastPass is the only user friendly"

      Have you seen the LastPass GUI?

      To answer your question though, there are tools that will sync KeePass databases between machines and/or S3.

    3. julian.smith
      1. Anonymous Coward

        KeePass seems to work really well for this, I have it combined with DropBox so it syncs across all devices.

        I haven't tried it yet, but the key file that was mentioned earlier would add an extra layer of security over the unlock password for it.

    4. Brangdon

      Use DropBox or similar for synchronisation, and then use KeePass for the password manager.

  13. cb7

    The only problem

    With using file level sync tools to try and sync passwords between multiple devices (say PC, laptop & mobile) is a) knowing which files to sync b) hope the sync tool is avail on each device c) hope you don't mind quitting your browser everytime the sync tool needs to overwrite the older file d) hope you remember to sync before changing or adding a new password on a device...

    In other words it's pretty darn unworkable. But hey, where would we be without sadists?

    1. GingerOne

      Re: The only problem

      I guess the idea is that you only really have one file that lives in Dropbox or somewhere - you don't 'sync' the file as such.

      But then you open a whole other can of security worms - picking a secure cloud storage platform that you trust. I certainly wouldn't trust Dropbox with anything more important than cat pictures!

      I think this story shows how good LastPass actually is. They accepted the fault and worked with the guy to fix it then admitted the problem. How many companies do we see burying their head in the sand when these problems are found? Microsoft - I'm looking at you!

  14. Anonymous Coward
    Anonymous Coward

    Name the securest, usable, multi-platform password manager (and describe how to configure it!)

    So, as a long-time user of LastPass with 2FA (Authy), plus fingerprint where poss (but not yet Yubikey), reading this article, and comments, I am left thinking what would be better? And whether all those folks expressing their understanding of the exploit and the dangers of using LastPass, would share what they believe to be the most secure, multi-platform password manager.

    Go on, for the upvotes.

    1. Anonymous Coward
      Anonymous Coward

      Re: Name the securest, usable, multi-platform password manager (and describe how to configure it!)

      Not sure if fingerprint adds anything. It only works on a platform where a fingerprint is available which raises the question what you're going to do if that isn't the case, and, if you solved that one, why still bother with a fingerprint on the platform you started with.

      I already provided an alternative, and they're in a country where liability is actually enforceable.

      1. Orv Silver badge

        Re: Name the securest, usable, multi-platform password manager (and describe how to configure it!)

        Fingerprint authentication is useful because entering secure passwords on a mobile keyboard is difficult at best, especially when you're not allowed to see what you're typing.

    2. Roland6 Silver badge

      Re: Name the securest, usable, multi-platform password manager (and describe how to configure it!)

      Well the big issue is the convenience factor of being able to enter a password once on any device and have it automatically propagated (or made available) to all your other devices, which can then automatically enter the new credentials...

      My expectation (I'm also a long-term user of LastPass personal/enterprise) is that tools such as 1Password and RoboForm should provide a similar service to LastPass; although one of the reasons for using LastPass was its extensive platform coverage, perhaps the others have caught up. However, given the nature of the LastPass vulnerability, and the absence of any statements from the other vendors, we cannot be sure at the present time that these tools don't possess a similar browser integration vulnerability. Thus the solution has to be different, but even this will require the browser integration if the automatic entry of credentials is required...

      The question does arise as to how the various browsers manage access to their password files, i.e. is it really any more secure. If it is then we can expect LastPass to effectively lift the ideas and concepts from a suitable public source code repository and update their product.

      So I suggest the short term workaround (for the individual) is to effectively break the multi-platform sync and automatic entry of credentials and revert to manual entry of credentials - either via copy-paste (issue here is credential information being held in the scratchpad) or from a "little black book". For the enterprise, I'm not sure whether disabling LastPass is actually an option.

      In the longer term, I expect in-browser security software to increasingly monitor extension RFC access to guard against usage by unauthorised applications. The question that therefore arises is whether existing tools such as MBAE and security suites can be readily updated with a new set of rules for LastPass et al that can effectively block unauthorised access to the RFCs...

    3. AdamWill

      I'm sticking with Lastpass

      Given that all the security issues mentioned in the article were fixed within 24 hours, I'm sticking with Lastpass.

      1. Roland6 Silver badge

        Re: I'm sticking with Lastpass

        Given that all the security issues mentioned in the article were fixed within 24 hours

        Fixed possibly, deployed no.

        Yes it is nice to see that LastPass in Chrome has today quietly been updated from 4.1.42 to 4.1.43.

        However:

        - Firefox is still running 3.3.2 - with auto update enabled. Yes I discovered that I can either install a 'development' 4.x build or wait for the automatic upgrade to occur sometime after 31-March-2017.

        - Maxthon is still on 3.3.0

        - IE11 is still on 2.0.0.0 !

        What I found a little irritating was that LastPass.com announced the fix details in their Blog (https://blog.lastpass.com/2017/03/important-security-updates-for-our-users.html/ ) as well as the details of the Firefox update (https://blog.lastpass.com/2017/03/plans-to-retire-the-lastpass-3-3-2-firefox-add-on.html/ ), yet their home webpage and main download section don't mention they released a new update today...

  15. Anonymous Coward
    Anonymous Coward

    It's all about risk

    Using password managers arguably increases the risk, but also increases protection from using duplicate or simple passwords. It's a balancing act and for every person it's different.

    This latest exploit requires a website to have been compromised or complicit in an attack, likewise it also requires the browser extension to be installed. So personally I think I'm fine as I use the mobile app and don't do much internet browsing particularly of less than reputable sites.

    It's all risk, I'm not going to panic over this. At least with Lastpass I know they'll patch it reasonably quickly and get a few newer bugs in to replace it.

  16. Anonymous Coward
    Holmes

    "Access control"

    Apart from my previous (small) rants on security and lack of understanding / insight knowledge from the users, another important aspect is control and access.

    The more access you allow "security software" to get, the higher the risks you'll take. Sure, it's easy to have the whole thing automated within your browser, but it's also an extra hurdle which a potential attacker doesn't have to take.

    Of course I'm highly old fashioned. My password manager consists of something I cooked up within VBA which utilizes some office components. No, not Office 365; the kind of Office which doesn't even fully realize the Internet actually exists. It doesn't even sync with my phone and other devices.

    But I also don't have to. If I really, really, need a password I'll simply hook up to my VPN, connect to my PC and from there I can retrieve my stuff. Awkward? Maybe. But I'm also not the kind of person who needs to log on to his social media accounts or whatever other leisure stuff when I'm on the road either. That can wait until I'm back at home.

  17. AxelF
    Thumb Down

    Untrue statements?

    "We have made our LastPass community aware of the report made by Tavis Ormandy and have confirmed that the vulnerabilities have been fixed."

    I'm a premium Lastpass user and the information above is untrue - I received no notifications (the extension has the capability to send you notifications). From what I can see, the extensions are still vulnerable?

    I've disabled the extensions and expect a refund for the time I can't use the service.

    1. BigAndos

      Re: Untrue statements?

      I haven't received any comms either, and the statement on their website just mentions a "vulnerability" - it doesn't say what the problem was or how long it existed for. I'm now deeply concerned about having used them!

    2. AdamWill

      Re: Untrue statements?

      "From what I can see, the extensions are still vulnerable?"

      No, they're not. If you install a 4.x extension from https://lastpass.com/misc_download2.php currently you get 4.1.36a , which has the most recently reported vuln fixed:

      https://bugs.chromium.org/p/project-zero/issues/detail?id=1217#c1

      If you get a 3.x extension from the Firefox addon store, you get 3.3.4 , which has the earlier-disclosed vuln fixed. It's not explicitly stated in any of the discussion I could find, but if I'm reading between the lines correctly, the 1217 vuln would not exist in the 3.x addon.

  18. Anonymous Coward
    Anonymous Coward

    binary component of LastPass installed to be vulnerable to this attack.

    'A victim must have the binary component of LastPass installed to be vulnerable to this attack.'

    This sentence is buried in the article but is important as not all LastPass users have the binary component installed. This is a serious topic and reporting should articulate if this is something the vast majority or small minority of users have installed. Without this quantification the article feels a bit sensationalist and click-baity.

  19. Anonymous Coward
    Anonymous Coward

    What about Enpass?

    Enpass came up as a recommendation for me a week or so ago. Arguments about whether you should use cloud services / password vaults aside (it's encrypted before it goes anywhere near external storage, fyi), could this be a better option? It seems alright, and syncs with your choice of Dropbox, Onedrive, Google Drive, Box, WebDAV/ownCloud or a folder. But it's down to how secure their extensions and apps are(n't).

    You could also make the argument that this was a white hat discovery and Lastpass admitted to it and quickly set to work. Everything has vulnerabilities. Would you rather just not know about them? Ignorance is bliss? If Enpass or others don't have such reports, part of me is more worried that they just sweep them under the carpet.

  20. Pompous Git Silver badge

    What's missing in this discussion...

    ... is the fact that your personal details are far more vulnerable in others' keeping than your own. I've been pwned four times to my knowledge. Adobe, Linux Mint, LinkedIn and vBulletin have all exposed varying amounts of my personal data because of their poor security. Troy Hunt's Have I been pwned is worth being subscribed to.

    The cross-platform password keeper I use is Password Safe. It works with Windows, Linux, and Android. It's popular and FOSS so likely as secure as can be.

  21. VulcanV5

    The LastPass blog referenced by El Reg is notable for the company's inability to describe how its product can be managed as well as uncritical eulogies from LastPass users oddly sanguine about the way things have gone. But perhaps they pay for the 'premium' edition.

    Nothing in my LastPass 3.3.4 installation allows for updating. Nothing in the LastPass security blog article describes that installation: "please check the LastPass Icon > More options > About LastPass to check your version". But "More options" doesn't exist.

    If LastPass can't even get that right in a security post, God alone knows what hope there might be of it getting anything else right of rather greater complexity. I note that The Register has re-christened this as 'LostPass'. Well said, dear vulture -- and in my case, how apt.

  22. oneguycoding

    Damn

    The only thing more annoying than this issue this morning is the technology of the Reg's bloody forum implementation. Seriously, this is scaring the shit out of me. What is the purpose of this remote lastpass.com site? Why oh why would anything need to be sent to it? Is this part of the "allow lastpass to improve its services" option? Fsck.

  23. This post has been deleted by a moderator
