Remind me again...
why I don't trust any third parties to hold my passwords?
For most of us, Saturday morning is a time for a lie in, a leisurely brunch, or maybe taking the kids to the park. But for some it's bug-hunting time. Tavis Ormandy, a member of Google's crack Project Zero security team, was in the shower and thinking about LastPass – after finding a number of flaws in the password manager …
* That's how some readers responded to the Reg warning here: 'Security slip-ups in 1Password and other password managers "extremely worrying"' [28 Feb 2017]
* But you can't have more confidence in Password Managers than anything else in Tech. Sure, they're convenient, but they're also a giant goldmine for cybercrims / hackers / scammers / state agencies etc.
* Knowing there's lots more potential known-unknowns, how can LastPass management continue to sleep well at night???
Yes but:
"This attack is unique and highly sophisticated. We don't want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete," the firm said.
WHAT f*cking attack? You have not been attacked at all, by anyone. You released shoddily-crafted software and then some developers, to whom you had added your bug-ridden software by way of an extension to their browser, picked up on the fact that it was badly written and documented all the issues. LastPass should be thankful that Google do not release a Chrome update that blocks their extension.
</SELFRIGHTEOUSRANT>
Are most of these password manager bugs (desktop versions) to be found in their browser plugins? Seems that way.
I know I don't use those, preferring to copy/paste (yes, though there is clipboard-aware malware) from the PM, only as needed. My basic idea is: run them as infrequently as you can and don't expose them to anything like cloud or browser.
Most of my non-sensitive passwords are happily stored in the browsers.
For those who do use PMs, what are your recommendations?
"Most of my non-sensitive passwords are happily stored in the browsers.
For those who do use PMs, what are your recommendations?"
I personally stick to something local - KeePass - rather than some cloudy solution that means my passwords are stored in some remote location on the intertubes, subject to someone else's security.
And as you say, I do let my browser hold less sensitive passwords - more on my desktop machine than my laptop, because the laptop stands a better chance of ending up in the wrong hands. But the browser's own password database is also behind (and encrypted with) a password.
>For those who do use PMs, what are your recommendations?
LastPass with a version greater than 4.1.43, that has been out for a couple of months without there being an announcement from Tavis or another member of Project Zero! :)
This is because it is getting a lot of attention and this disclosure will only encourage others to go looking, so unless the LastPass devs show themselves up to be time wasters, we can expect it to rapidly become 'secure', at which point security experts such as Tavis will turn their attentions on to 1Password et al.
In the interim, get a little black book and practise your handwriting skills. Remember you don't need to store in one place your full login details. So LastPass can retain your user id or passwords and your little black book the other parts of your credentials. Interestingly, you'll surprise yourself to find that you start to remember the login details of the sites and services you use frequently...
I use Lastpass at work, because I have to, and KeePass at home.
For personal use, KeePass all the way. On Google Drive with 2FA if you need to share. On a TrueCrypt volume on Google Drive if you're paranoid.
LastPass has some features that make corporate admins happy. It's typically LastPass that my corporate admin can get a report telling him whether I have 2FA (OK, in LastPass's implementation 1FA) but as an end user I can't. There are some huge flaws - it's impossible as a user to tell if fred@example.com is part of the corporate account for example.com or a scammer having registered the LastPass account name already.
The penalty is the truly atrocious user interface and the "security software written in JavaScript running in the browser, what could possibly go wrong".
Oh, and that someone at LastPass thought that having an "execute arbitrary code" feature was a good idea.
LastPass with a version greater than 4.1.43, that has been out for a couple of months without there being an announcement from Travis or another member of Project Zero ! :)
But 4.1.43 is the latest version, released last week, after Tavis informed them of the last hole, last weekend...
But 4.1.43 is the latest version, released last week, after Tavis informed them of the last hole, last weekend...
Precisely, the version Tavis found a hole in was 4.1.42, the latest Tavis 'discovery' is in 4.1.43, so it can be expected to be fixed in version 4.1.44, which is the first version "greater than 4.1.43". Thus wait a few months to allow Tavis and colleagues the opportunity for a few more shower "epiphanies"...
I suggest given the nature of the exploits being discovered it would seem the code is fairly secure. The question is thus how much do you trust a product that we now know has and is being security tested or one that we don't know if the experts are or have tested?
In some respects it does seem that the standard EAL and AV lab tests, with results being put into the public domain, need to be extended into other product areas.
For those who do use PMs, what are your recommendations?
I use 1Password. You can use various cloud options or manual file copy to sync multiple computers. It does, unfortunately, cost.
We're also looking at their 1Password Teams offering that allows groups of people to share passwords. (A subscription cost, but does give you access to all their clients)
One thing I like about 1Password is that even though you can use cloud to sync across multiple devices, you can still access your passwords with no network connection. The cloud is just a sync mechanism.
Keepass is Free, and Open Source. http://keepass.info/
Available for all major platforms. For Android, this is the best option:
https://play.google.com/store/apps/details?id=keepass2android.keepass2android
It has built-in keyboard so no need to use clipboard, which is insecure.
And you can opt to have no internet connection, or if you prefer, syncing to Cloud storage.
Why do people carry on using password managers (or did to start with)? I have the world's worst memory (I have sleep apnoea, it affects memory, seriously) and as an IT Director have hundreds of unique passwords to every single tiny thing, all complex, all high entropy (because if you're using an eight character password you might as well not be) and I don't need a password manager and have never forgotten one - it's not that hard, really.
as an IT Director have hundreds of unique passwords to every single tiny thing, all complex, all high entropy (because if you're using an eight character password you might as well not be) and I don't need a password manager and have never forgotten one - it's not that hard, really.
Let me guess: you have a substantial amount of your IT budget set aside for 3M Post-It notes.
:)
I'm the same.
Terrible memory for virtually everything EXCEPT those things I desperately need to remember.
Passwords of obscure accounts that other people use once in a blue moon aren't one of those.
But I still know them.
Alternatively, I have a password file stored encrypted on a USB stick (actually two) in the safe in my workplace, if I REALLY need to save them and/or I get run over by a bus.
Are you honestly telling me that using a bit of buggy software to auto-insert those passwords on forms, and store those passwords in the cloud with a random third-party is more secure than either my own memory, or an encrypted USB stick stored in a secure place that only the relevant people (me, my boss - who's data controller and won't reveal it) know is there and/or know the password to, and that it's inside a box that reveals if you've tried to tamper / access it (and hence is checked regularly whenever the passwords are updated)?
Get a clue.
Hmm, I'm of the opinion that if you can reliably remember the passwords for even as few as the top 20 accounts you use, you're either using passwords with too little entropy, or you're using a scheme that, if one password is exposed, will effectively weaken many of the other ones...
Are you honestly telling me that using a bit of buggy software to auto-insert those passwords on forms, and store those passwords in the cloud with a random third-party is more secure than either my own memory, or an encrypted USB stick stored in a secure place that only the relevant people (me, my boss - who's data controller and won't reveal it) know is there and/or know the password to, and that it's inside a box that reveals if you've tried to tamper / access it (and hence is checked regularly whenever the passwords are updated)?
ANYTHING we do that relates in even the most remote way to security is audited, and we did find software that does the job well. The problem with your USB stick is that you need at least two to prevent a hardware failure from becoming a real massive recovery risk.
And no, I wouldn't trust your own memory. Unless you have an algorithm based approach to passwords, you will eventually forget the ones you use less frequently. In addition, crises never happen during office hours, so your brain may not be running on all cylinders when recall is called upon.
Are you honestly telling me that using a bit of buggy software to auto-insert those passwords on forms, and store those passwords in the cloud with a random third-party is more secure than either my own memory, or an encrypted USB stick stored in a secure place
Quite a good summary of Single SignOn systems; only they tend to use certificates rather than passwords; so losing the encrypted USB stick is a much bigger problem...
"We want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market."
That last statement is a kicker, because some on Twitter got very upset at Ormandy for disclosing that there was an issue with LastPass. It seems some people prefer to think that ignorance is bliss.
Let me guess: Amber Rudd?
:)
Issue 176 of LinuxUser, currently in the shops, contains a brief review of four open-source password managers: Clipperz (8), Passopolis (6), Encryptr (9) and KeePass (8) - the numbers in brackets are their overall rating of each. Encryptr gets a higher rating in part because of its cloud implementation and support for all the common platform OSes, so it looks more like a potential like-for-like replacement of LastPass.
I did a lot of research before picking my password manager. This one won because:
- The database is stored in a cloud location of my choice. I use Google Drive which has a strong password and 2FA
- I can back it up locally so I am not at the behest of a particular provider
- It's cross platform, with mobile and portable versions
- It has browser plugins (if you wish to use them)
Highly recommended. Now I only need to remember three secure core passwords (for my phone/computer, for Google, and for the password manager) and the rest are highly secure, random, unique passwords, so I can rest safe that any data dumps will not put my other accounts at risk.
Alright, probably time to switch. Looking at Enpass as a likely one, which lets you use your own storage and uses an open source encryption engine. Question though - are these only *appearing* to be less insecure because all the attention from researchers and the media is on Lastpass at the moment? Would they find just as many flaws if they looked at the competitors just as closely (do they?)
Tavis Ormandy has made it a habit of auditing Password Managers and Anti-Virus software. But lots of others have discovered flaws in both over the years. However, Keepass Password Manager had a major Code Audit last year, and this was for Free, Open Source software. If you are thinking about a move, Keepass can import from over 30 other Password vendors. Here is homepage:
http://keepass.info/ They are available for all major platforms, but the best one for Android is this app on playstore: https://play.google.com/store/apps/details?id=keepass2android.keepass2android
Keepass is one of the very few who incorporated a built-in keyboard for better safety on Android. No need to use clipboard which is not secure.
Am I the only LastPass user who wasn't notified by email that there was a problem?
I would have thought if there are problems that are bad enough to have LastPass say:
And we want to offer our users with a few steps they can take to further protect themselves from these types of client-side issues.
then why do I have to find out about it through El Reg? Is LastPass's email system not able to send out a warning? Oh, and it seems it isn't a problem, it's an issue. Pardon me.