What should password managers not do? Leak your passwords? What a great idea, LastPass

Re: Anyone remember Gator?

Gator changed their name several times including Claria and Jelly cloud (more like slime cloud), to try and throw off the stench of malware.

What's more interesting is tracing where the morally bankrupt senior management ended up. eHarmony, facebook, eHow / Livestrong, among others.

How is having all my unknown-to-me passwords exfiltrated from my password manager "way better" than having my known-to-me passwords guessed/hijacked? They both seem about equivalent to me (though they'd have a hard time getting someone to enter all the passwords that they re-use in a single attack, so perhaps it's marginally worse to use LastPass?).

Both of which are worse than just securing your machine (not letting people see you type your passwords), choosing sensible passwords (* long, not complex) and not running third-party software with access to EVERYTHING on your computer, including an explicit list of every password you've ever used, anywhere, ever.

Like antivirus - the only program to run as SYSTEM, begin at startup, run for every user, intercept every possible file access on the entire machine, able to hide anything it does, not let itself get shut down, connect to the Internet, update itself automatically, and even nowadays run your firewall, decide what can get out or see packets, and what can come back in, often with remote-support tools built in. Yeah, that's not a recipe for disaster.

(*) Human-rememberable passwords are WAY outside brute-force limits - just make sure they are LONG, not faff around with fancy characters in your potential alphabets. Starting with just an ordinary alphabet, a character added to password length would make the password 26 times stronger, while including a new character (e.g. an asterisk) into the alphabet itself only makes it 1/26th stronger. STOP IT.

Oops

I really do not believe that you meant to say that. Perhaps LastPass' next venture should be a decent notepad with a corporate pen.

Indeed. I keep each horrendously long and complex password in an encrypted LibreOffice document along with associated information such as username, site URL etc. All the documents are stored inside a TrueCrypt drive which is only temporarily mounted when access to a password is needed. It may be a bit of a faff to login to my bank etc but I prefer this method to trusting some third party on the web.

For starters, local storage is great... if it's 1990 and you use exactly one computer for all the things you do.

For second, local storage is great... if you don't mind losing a small piece of your life to managing yet another application including backing up said local storage.

For third, local storage is great... if it's not 2017 and you don't already have half your life in the cloud anyways, trusting it with tons of other important shit like I don't know, your finances, School curriculum, taxes, email, calendar, photos, relationships, etc.

It's called modern life. The horse and buggy was awesome too, until it wasn't.

Local storage for passwords

Indeed, use keepass and combine it with your favorite method of keeping data synchronized (e.g., Dropbox, OneDrive, OneDrive, USB sticks, ...) across your computers and phones. It adds a copy/paste step when you use it with your browser, but you are in control and you offer a much smaller attack surface.

Also, is there anything wrong about the browser (Chrome) autofill method for low priority passwords (e.g. for the comment section of ElReg)?

Re: WTF is so wrong about local storage ?

Did you read the article?

This vulnerability has little to do with the actual storage location of the passwords and lots to do with the available RFC's used by the (LastPass) browser extension to access the stored information.

Given the nature of the vulnerability and the level of information disclosed, we can expect developers of other password managers that have browser extensions that access the password store to also be reviewing their code. Also given the nature of the vulnerability developers of browser extensions that utilise cloud services should also be reviewing their code...

The fundamental problem with LastPass is that it doesn't seem to have a standalone client, so disabling it in Chrome etc. means you are unable to access your password store. A possible workaround is to have the extension enabled in one web browser (eg. IE) that you don't use for web browsing and use a different browser (eg. Chrome/Firefox) for your normal web browsing.

The cloud storage vs local is a moot point though in this case.

It was the browser extension leaking the data, local storage wouldn't have made any difference.

Re: The perfect Password

Brute force attacks do not care which characters humans use.

Yes, yes they do.

Iamsostupidthatiforgetmypasswords%^£thetime2000 is way - way - stronger than Iamsostupidthatiforgetmypasswordsallthetime2000.

Larger the key space the less feasible the attack. Adding an extra possible character increases the complexity by an order of magnitude. This stuff isn't even complicated.

Re: The perfect Password

Assuming you can remember all those passphrases for all your different accounts - I assume you're not advocating using the same password everywhere?

Re: The perfect Password

That's all well and good, but there are a number of services that still limit the length of passwords to a ridiculously short number of characters. In that type of situation, the string of words method or xkcd method is useless. Password managers allow you to generate random passwords containing a mix of upper/lower case letters, numbers and special symbols of whatever length you like, so you can have much stronger passwords than "Iamsostupidthatiforgetmypasswordsallthetime2000". Also, unless you are recommending reusing the same password across many sites, that method is not practicable for most people. I currently have 116 passwords stored in my password manager. They are all unique and impossible to guess, even by me. I don't have photographic memory, so I simply can't remember that many unique passwords. I use a password manager for everything except banking, email and Amazon. For my banking and Amazon I have 12 character impossible to guess root passwords that I've memorized and never change, and I have an additional 18 character suffix stored on a Yubikey that I can change at regular intervals. I also use 2FA wherever it's allowed. There is no perfect password solution. Whatever solution you choose to use, you have compromised to some degree on usability, convenience or security. To what degree one is willing to compromise in any one of those areas is up to each individual. Saying that one should never use a password manager is a bit like saying to an investor "no one should ever have more than 50% of one's investments in equities as they are too risky".

Re: The perfect Password

"Brute force attacks do not care which characters humans use." Wow you obv have no idea how brute force attacks work!

Re: The perfect Password

Robert, that's nonsense. Of course dictionary attacks can still work. Attackers can combine words just as they can combine letters in brute force searches.

The first password you quoted has 16 characters, taken from a set of upper and lower case letters, digits and punctuation - say a set of 90 characters. Let's leave aside the amount of repetition in it, which is bad, and assume it was supposed to be a random selection of characters. That would give about 104 bits of entropy - a very strong password (if truly random).

"horsefrenchfriesgreengrass" comprises 5 very common words, or maybe only 3 if the attacker has common phrases "french fries" and "green grass" in their dictionary. Likely 60-ish bits of entropy, much weaker than the 16 random character password.

Your 13 word alternative is probably not much better, because it's not 13 randomly-chosen words. Most of it is a syntactically valid English sentence, which really reduces the entropy. "I am so stupid" and "I forget my passwords all the time" both get a ton of hits on google and could easily be in password dictionaries. So your 13 word password might really only be 4 words. A sophisticated dictionary attack will try variations of spacing and capitalisation. And attackers _are_ using such sophisticated attacks.

Your word-based passwords certainly have the benefit of being easier to remember, but I don't think you're right to believe they're safer.

Re: The perfect Password

> "horsefrenchfriesgreengrass" is also pretty nice. And you can rember it.

Until you hit the site which asks for upper and lower case so you chnage it to HorseFrenchFriesGreenGrass

then you hit the site that reqires upper and lowercase and a number so you start using

H0rSeFrenchFr1e5GreenGra55

then you hit the site taht needs a symbol as well so you use

H0r5eFrenchFr!e5GreenGra55

then you hit the site that says "passwords must be between 8 and 12 characters"

etc etc

then you get to a site and find you have forgotten which combination of rules its applies so in deperation you have to click the "forgotten password" link and get to reset your password - you then find what the combination of case/numbers/symbols etc the site uses but then find you can't use any of your existing versions of your password as they are "too similar to previous password" and are rejected

Re: Fuck LogMeIn.

Seconded

Re: Fuck LogMeIn.

That's my password too. Works well with speech to text.

Re: Still using SecureSafe..

but the free version is enough for the average end user

I'm a little sceptical as it has a 50 password limit. But suspect that for many non-IT end users that only really use the Internet for email and managing their utility accounts this may not be an issue.

My only real issue with SecureSafe is that it still doesn't have a Linux client.

Re: Just remember passwords

.. and there we have the real problem :)

The issue is that you need a location that ties them together, so that would either be a private SFTP server or some secure webdav storage, and the shared data should be encrypted before it's stored there.

That would indeed be a good thing to have. At the moment I already have my own server to sync calendars and contacts across iOS, macOS and Linux. Adding a password sync would be cool, but the challenge is finding applications you can trust..

"LastPass is the only user freindly"

Have you seen the LastPass GUI?

To answer your question though, there are tools that will sync KeePass databases between machines and/or s3.

Keepass

Use DropBox or similar for synchronisation, and then use KeePass for the password manager.

Re: The only problem

I guess the idea is that you only really have one file that lives in Dropbox or somewhere - you don't 'sync' the file as such.

But then you open a whole other can of security worms - picking a secure cloud storage platform that you trust. I certainly wouldn't trust Dropbox with anything more than important than cat pictures!

I think this story shows how good LastPass actually is. They accepted the fault and worked with the guy to fix it then admitted the problem. How many companies do we see burying their head in the sand when these problems are found? Microsoft - I'm looking at you!

Re: Name the securest, usable, multi-platform password manager (and describe how to configure it!)

Not sure if fingerprint adds anything. It only works on a platform where a fingerprint is available which raises the question what you're going to do if that isn't the case, and, if you solved that one, why still bother with a fingerprint on the platform you started with..

I already provided an alternative, and they're in a country where liability is actually enforceable.

Re: Name the securest, usable, multi-platform password manager (and describe how to configure it!)

Well the big issue is the convenience factor of being able to enter a password once on any device and have it automatically propagated (or made available) to all your other devices, which can then automatically enter the new credentials...

My expectation (I'm also a long-term user of LastPass personal/enterprise) is that tools such as 1Password and RoboForm should provide a similar service to LastPass; although one of the reasons for using LastPass was it's extensive platform coverage, perhaps the others have caught up. However, given the nature of the LastPass vulnerability, and the absence of any statements from the other vendors, we can not be sure at the present time that these tools don't possess a similar browser integration vulnerability. Thus the solution has to be different, but even this will require the browser integration if the automatic entry of credentials is required...

The question does arise as to how the various browsers manage access to their password files, ie. is it really any more secure. If it is then we can expect LastPass to effectively lift the ideas and concepts from a suitable public source code repository and update their product.

So I suggest the short term workaround (for the individual) is to effectively break the multi-platform sync and automatic entry of credentials and revert to manual entry of credentials - either via copy-paste (issue here is credential information being held in the scratchpad) or from a "little black book". For the enterprise, I'm not sure whether disabling LastPass is actually an option.

In the longer-term, I expect in browser security software to increasingly monitor extension RFC access to guard against usage by unauthorised applications. The question that therefore arises is whether existing tools such as MBAE and security suites can be readily updated with a new set of rules for LastPass et al that can effectively block unauthorised access to the RFCs...

I'm sticking with Lastpass

Given that all the security issues mentioned in the article were fixed within 24 hours, I'm sticking with Lastpass.

Re: Untrue statements?

I haven't received any comms either, and the statement on their website just mentions a "vulnerability" - it doesn't say what the problem was or how long it existed for. I'm now deeply concerned about having used them!

Re: Untrue statements?

"From what I can see, the extensions are still vulnerable?"

No, they're not. If you install a 4.x extension from https://lastpass.com/misc_download2.php currently you get 4.1.36a , which has the most recently reported vuln fixed:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1217#c1

If you get a 3.x extension from the Firefox addon store, you get 3.3.4 , which has the earlier-disclosed vuln fixed. It's not explicitly stated in any of the discussion I could find, but if I'm reading between the lines correctly, the 1217 vuln would not exist in the 3.x addon.