LastPass scrambles to fix another major flaw – once again spotted by Google's bugfinders

For most of us, Saturday morning is a time for a lie in, a leisurely brunch, or maybe taking the kids to the park. But for some it's bug-hunting time. Tavis Ormandy, a member of Google's crack Project Zero security team, was in the shower and thinking about LastPass – after finding a number of flaws in the password manager …

  1. Andy Non Silver badge
    FAIL

    Remind me again...

    why I don't trust any third parties to hold my passwords?

  2. Anonymous Coward

    "some people prefer to think that ignorance is bliss."

    * That's how some readers responded to the Reg warning here: 'Security slip-ups in 1Password and other password managers 'extremely worrying' [28 Feb 2017]

    * But you can't have more confidence in Password Managers than anything else in Tech. Sure, they're convenient, but they're also a giant goldmine for cybercrims / hackers / scammers / state agencies etc.

    * Knowing there's lots more potential known-unknowns, how can LastPass management continue to sleep well at night???

    1. grumpyoldeyore
      Pint

      Re: "potential known-unknowns."

      You are Donald Rumsfeld and I claim my free beer

    2. macjules

      Re: "some people prefer to think that ignorance is bliss."

      Yes but:

      "This attack is unique and highly sophisticated. We don't want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete," the firm said.

      WHAT f*cking attack? You have not been attacked at all, by anyone. You released shoddily-crafted software and then some developers, to whom you had added your bug-ridden software by way of an extension to their browser, picked up on the fact that it was badly written and documented all the issues. LastPass should be thankful that Google do not release a Chrome update that blocks their extension.

      </SELFRIGHTEOUSRANT>

      1. DavCrav

        Re: "some people prefer to think that ignorance is bliss."

        "WHAT f*cking attack? You have not been attacked at all, by anyone. [snipped]"

        The word 'attack' here is a metaphor. When someone attacks a problem they don't go running towards it with an axe.

        Seriously, calm down.

  3. This post has been deleted by its author

    1. A Non e-mouse Silver badge

      Re: Best Practice...

      Password managers are probably the least worst option for storing the hundreds of passwords we in IT need to juggle.

      1. Charles 9

        Re: Best Practice...

        Unless, of course, you don't OWN the computers you use everyday, meaning you have no control over the programs you can install on them.

    2. razorfishsl

      Re: Best Practice...

      No..... A password manager.

    3. macjules

      Re: Best Practice...

      Not sure what other 'lazy' methods exist. Personally I have all 'remember password' options unchecked on browsers and if I need a password then I have a password-protected iOS note with everything on it ... until Google Keep allows secure notes.

    4. Anonymous Coward

      Re: Best Practice...

      Trying to find the least worst option.

      I have settled on Google Chrome's password manager and 2-factor authentication on my account; it seems to offer the convenience and a reasonable level of security.

  4. JLV

    best practices?

    Are most of these password manager bugs (desktop versions) to be found in their browser plugins? Seems that way.

    I know I don't use those, preferring to copy/paste (yes, though there are clipboard-aware malware) from the pm, only as needed. My basic idea is: run them as infrequently as you can and don't expose them to anything like cloud or browser.

    Most of my non-sensitive passwords are happily stored in the browsers.

    For those who do use PMs, what are your recommendations?

    1. VinceH

      Re: best practices?

      "Most of my non-sensitive passwords are happily stored in the browsers.

      For those who do use PMs, what are your recommendations?"

      I personally stick to something local - KeePass - rather than some cloudy solution that means my passwords are stored in some remote location on the intertubes, subject to someone else's security.

      And as you say, I do let my browser hold less sensitive passwords - more on my desktop machine than my laptop, because the laptop stands a better chance of ending up in the wrong hands. But the browser's own password database is also behind (and encrypted with) a password.

    2. Roland6 Silver badge

      Re: best practices?

      >For those who do use PMs, what are your recommendations?

      LastPass with a version greater than 4.1.43, that has been out for a couple of months without there being an announcement from Tavis or another member of Project Zero! :)

      This is because it is getting a lot of attention and this disclosure will only encourage others to go looking, so unless the LastPass devs show themselves up to be time wasters, we can expect it to rapidly become 'secure', at which point security experts such as Tavis will turn their attentions on to 1Password et al.

      In the interim, get a little black book and practise your handwriting skills. Remember you don't need to store in one place your full login details. So LastPass can retain your user id or passwords and your little black book the other parts of your credentials. Interestingly, you'll surprise yourself to find that you start to remember the login details of the sites and services you use frequently...

      1. Adam 52 Silver badge

        Re: best practices?

        I use Lastpass at work, because I have to, and KeePass at home.

        For personal use, KeePass all the way. On Google Drive with 2FA if you need to share. On a TrueCrypt volume on Google Drive if you're paranoid.

        LastPass has some features that make corporate admins happy. It's typically LastPass that my corporate admin can get a report telling him whether I have 2FA (OK, in LastPass's implementation 1FA) but as an end user I can't. There are some huge flaws - it's impossible as a user to tell if fred@example.com is part of the corporate account for example.com or a scammer having registered the LastPass account name already.

        The penalty is the truly atrocious user interface and the "security software written in JavaScript running in the browser, what could possibly go wrong".

        Oh, and that someone at LastPass thought that having an "execute arbitrary code" feature was a good idea.

        1. big_D Silver badge

          Re: best practices?

          @Adam52 here it is the other way round, LastPass with 2FA (Yubikey) for home and KeePass at work.

          I prefer the LastPass interface, each to his own.

          1. Roland6 Silver badge

            Re: best practices?

            >I prefer the LastPass interface, each to his own.

            I preferred the old LastPass desktop interface. Whilst each to his own, I see no real reason why an 'Explorer' style interface isn't available given how well understood that interface is even by non-IT end users.

      2. big_D Silver badge
        Facepalm

        Re: best practices?

        "LastPass with a version greater than 4.1.43, that has been out for a couple of months without there being an announcement from Travis or another member of Project Zero ! :)"

        But 4.1.43 is the latest version, released last week, after Tavis informed them of the last hole, last weekend...

        1. Roland6 Silver badge

          Re: best practices?

          "But 4.1.43 is the latest version, released last week, after Tavis informed them of the last hole, last weekend..."

          Precisely: the version Tavis found a hole in was 4.1.42, the latest Tavis 'discovery' is in 4.1.43, so it can be expected to be fixed in version 4.1.44, which is the first version "greater than 4.1.43". Thus wait a few months to allow Tavis and colleagues the opportunity for a few more shower "epiphanies"...

          I suggest, given the nature of the exploits being discovered, it would seem the code is fairly secure. The question is thus how much do you trust a product that we now know has been and is being security tested, or one that we don't know if the experts are testing or have tested?

          In some respects it does seem that the standard EAL and AV lab tests, with results being put into the public domain, need to be extended into other product areas.

          1. big_D Silver badge

            Re: best practices?

            @Roland6 sorry, I read it the other way round. My bad.

    3. A Non e-mouse Silver badge

      Re: best practices?

      For those who do use PMs, what are your recommendations?

      I use 1Password. You can use various cloud options or manual file copy to sync multiple computers. It does, unfortunately, cost.

      We're also looking at their 1Password Teams offering that allows groups of people to share passwords. (A subscription cost, but does give you access to all their clients)

      One thing I like about 1Password is that even though you can use cloud to sync across multiple devices, you can still access your passwords with no network connection. The cloud is just a sync mechanism.

    4. oneeye

      Re: best practices?

      Keepass is Free, and Open Source. http://keepass.info/

      Available for all major platforms. For Android, this is the best option:

      https://play.google.com/store/apps/details?id=keepass2android.keepass2android

      It has a built-in keyboard so there is no need to use the clipboard, which is insecure.

      And you can opt to have no internet connection, or if you prefer, syncing to Cloud storage.

  5. Sampler

    I don't get it

    Why do people carry on using password managers (or did to start with)? I have the world's worst memory (I have sleep apnoea, it affects memory, seriously) and as an IT Director have hundreds of unique passwords to every single tiny thing, all complex, all high entropy (because if you're using an eight character password you might as well not be) and I don't need a password manager and have never forgotten one - it's not that hard, really.

    1. Adam 52 Silver badge

      Re: I don't get it

      'cos we're not all superhuman like you?

    2. stan816

      Re: I don't get it

      a) I don't believe you

      b) I store the rest of my account related info in them too, such as billing dates and obscure notes

      c) I use the TOTP function on dozens of locations and that's in there too, keeping the seed key encrypted and safe

    3. Anonymous Coward

      Re: I don't get it

      "as an IT Director have hundreds of unique passwords to every single tiny thing, all complex, all high entropy (because if you're using an eight character password you might aswell not be) and I don't need a password manager and have never forgotten one - it's not that hard, really."

      Let me guess: you have a substantial amount of your IT budget set aside for 3M Post-It notes.

      :)

      1. Lee D Silver badge

        Re: I don't get it

        I'm the same.

        Terrible memory for virtually everything EXCEPT those things I desperately need to remember.

        Passwords of obscure accounts that other people use once in a blue moon aren't one of those.

        But I still know them.

        Alternatively, I have a password file stored encrypted on a USB stick (actually two) in the safe in my workplace, if I REALLY need to save them and/or I get run over by a bus.

        Are you honestly telling me that using a bit of buggy software to auto-insert those passwords on forms, and store those passwords in the cloud with a random third-party is more secure than either my own memory, or an encrypted USB stick stored in a secure place that only the relevant people (me, my boss - who's data controller and won't reveal it) know is there and/or know the password to, and that it's inside a box that reveals if you've tried to tamper / access it (and hence is checked regularly whenever the passwords are updated)?

        Get a clue.

        1. Gwyn Evans

          Re: I don't get it

          Hmm, I'm of the opinion that if you can reliably remember the passwords for even as few as the top 20 accounts you use, you're either using passwords with too little entropy, or you're using a scheme that, if one password is exposed, will effectively weaken many of the other ones...

        2. Anonymous Coward

          Re: I don't get it

          "Are you honestly telling me that using a bit of buggy software to auto-insert those passwords on forms, and store those passwords in the cloud with a random third-party is more secure than either my own memory, or an encrypted USB stick stored in a secure place that only the relevant people (me, my boss - who's data controller and won't reveal it) know is there and/or know the password to, and that it's inside a box that reveals if you've tried to tamper / access it (and hence is checked regularly whenever the passwords are updated)?"

          ANYTHING we do that relates in even the most remote way to security is audited, and we did find software that does the job well. The problem with your USB stick is that you need at least two to prevent a hardware failure from becoming a real massive recovery risk.

          And no, I wouldn't trust your own memory. Unless you have an algorithm-based approach to passwords, you will eventually forget the ones you use less frequently. In addition, crises never happen during office hours, so your brain may not be running on all cylinders when recall is called upon.

        3. Roland6 Silver badge

          Re: I don't get it

          "Are you honestly telling me that using a bit of buggy software to auto-insert those passwords on forms, and store those passwords in the cloud with a random third-party is more secure than either my own memory, or an encrypted USB stick stored in a secure place"

          Quite a good summary of Single SignOn systems; only they tend to use certificates rather than passwords; so losing the encrypted USB stick is a much bigger problem...

  6. Anonymous Coward

    We KNOW who this is :)

    "We want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market."

    That last statement is a kicker, because some on Twitter got very upset at Ormandy for disclosing that there was an issue with LastPass. It seems some people prefer to think that ignorance is bliss.

    Let me guess: Amber Rudd?

    :)

  7. EnviableOne

    Re: best practices?

    Password Safe, designed by Bruce Schneier, is a nice little app that gives you an encrypted store you can keep on a USB stick, and the app can even work as a portable version; or an enterprise credential management system would do the trick, e.g. Passworks, Secret Server, Password Vault, etc.

    1. Roland6 Silver badge

      Re: best practices?

      Issue 176 of LinuxUser, currently in the shops, contains a brief review of four open-source password managers: Clipperz (8), Passopolis (6), Encryptr (9) and KeePass (8) - the numbers in brackets are their overall rating of each. Encryptr gets a higher rating in part because of its cloud implementation and support for all the common platform OSs, so it looks more like a potential like-for-like replacement for LastPass.

  8. Anonymous Coward

    I use SafeInCloud

    I did a lot of research before picking my password manager. This one won because:

    - The database is stored in a cloud location of my choice. I use Google Drive which has a strong password and 2FA

    - I can back it up locally so I am not at the behest of a particular provider

    - It's cross platform, with mobile and portable versions

    - It has browser plugins (if you wish to use them)

    Highly recommended. Now I only need to remember three secure core passwords (for my phone/computer, for Google, and for the password manager) and the rest are highly secure, random, unique passwords, so I can rest safe that any data dumps will not put my other accounts at risk.

  9. Cloudane

    Alright, probably time to switch. Looking at Enpass as a likely one, which lets you use your own storage and uses an open source encryption engine. Question though - are these only *appearing* to be less insecure because all the attention from researchers and the media is on Lastpass at the moment? Would they find just as many flaws if they looked at the competitors just as closely (do they?)

    1. oneeye

      Tavis Ormandy has made it a habit of auditing Password Managers and Anti-Virus software. But lots of others have discovered flaws in both over the years. However, Keepass Password Manager had a major Code Audit last year, and this was for Free, Open Source software. If you are thinking about a move, Keepass can import from over 30 other Password vendors. Here is the homepage:

      http://keepass.info/ They are available for all major platforms, but the best one for Android is this app on the Play Store: https://play.google.com/store/apps/details?id=keepass2android.keepass2android

      Keepass is one of the very few who incorporated a built-in keyboard for better safety on Android. No need to use clipboard which is not secure.

  10. Magani
    FAIL

    Flaw? What Flaw?

    Am I the only LastPass user who wasn't notified by email that there was a problem?

    I would have thought if there are problems that are bad enough to have LastPass say:

    "And we want to offer our users with a few steps they can take to further protect themselves from these types of client-side issues."

    then why do I have to find out about it through El Reg? Is LastPass's email system not able to send out a warning? Oh, and it seems it isn't a problem, it's an issue. Pardon me.
