Domain: lastpass.com
Stories and comments across the archive that link to lastpass.com.
Comments · 83
-
Re:Lastpass
Autofill API: https://blog.lastpass.com/2017...
-
Re:What they're really doing...
Yes - the Autofill API:
https://blog.lastpass.com/2017... -
Re:Had no idea this was even a thing
Ah, spotted the /. security expert! You've reverse engineered LastPass up to the last undocumented opcode they are using, so you can assure us their program is safe! Jokes aside, if you're fine with trusting all your passwords in the hands of a company located in Washington D.C., USA, then you should be fine. I personally wouldn't, but at least they look alright.
-
Re:FAIL
LastPass has had some recent problems as well.
https://www.theguardian.com/te...
https://blog.lastpass.com/2017... -
Server Side encryption, what were they thinking?
I figured OneLogin would be decrypting/encrypting on the local PC. NOPE, those idiots do it on the server side; hack the server and it's lights out. What were they thinking? https://support.onelogin.com/h...
Was worried for a second that LastPass was doing something stupid also; no, LastPass does all decrypting/encrypting on the client side. AES-256 in JavaScript on the client's local PC and in C++ for their browser extension. Basically LastPass only stores an encrypted file in the cloud, and the file gets downloaded and decrypted only with your password on the client. https://lastpass.com/whylastpa... -
Re:A Master Password....
I am not spreading FUD. I am just asking. I am not the one who is claiming that the source is available. And no, I don't consider the fact that it's a browser extension an automatic guarantee that the source code for every single part of it is available in human-readable form. Because of obfuscation, because there is the possibility of compiling other languages to javascript, and because maybe they did not release the whole toolchain. Moreover, the docs on their site mention a "binary component" of the browser extension, https://helpdesk.lastpass.com/..., which makes things even more confusing for me. I don't see a "clean" github repo for the browser extension as I see one for the CLI.
-
Why CNET?
Why is this going to fking CNET instead of the LastPass blog? Here is the actual article https://blog.lastpass.com/2016...
-
Re:Okay, what's the business model then?
There are still features exclusive to premium and enterprise users: https://lastpass.com/features/
-
Re:A Master Password....
I don't use LastPass, but they make it abundantly clear that all encryption and decryption is local-only, done on-device, not in the cloud, so that they never have access to the information in your vault. From what I can gather, their cloud is little more than a sync engine between devices, rather than the place from which you access your data.
-
Re:A Master Password....
from How It Works:
Local-Only Encryption
User data is encrypted and decrypted at the device level. Data stored in the vault is kept secret, even from LastPass. Now, you don't have to believe that if you don't want to, but unless you have evidence I'm gonna say you appear to be mistaken in your understanding of how it works.
-
Re:Mandatory Search Tool
Someone has an MD5 search to see if your password shows up:
https://lastpass.com/lastfm/ When I try it, it throws an error
... anyways ... Their javascript file tries to inject some PHP to get a random number.
Since it's a javascript file, not PHP, the random injection is not executed and remains as a string.
The string is then used as part of an AJAX request url: https://lastpass.com/lastfm/index.php?rand=%3C?php%20echo%20rand(23,238923892389)?%3E
Finally, their security crap goes "OH NO! ATTEMPTED PHP INJECTION" and crashes. See https://lastpass.com/js/breach_crypto.js line 44. Then laugh heartily.
-
Re:Mandatory Search Tool
Someone has an MD5 search to see if your password shows up:
https://lastpass.com/lastfm/ When I try it, it throws an error
... anyways ... I should put one of those up. It's a great way to harvest passwords.
-
Mandatory Search Tool
Someone has an MD5 search to see if your password shows up:
https://lastpass.com/lastfm/ When I try it, it throws an error
... anyways ... -
Re:One must wonder...
LastPass, too, was the victim of a 'malicious hack':
LastPass breach, 2015 -
My favourite addon/extension list:
My picks would be:
* uBlock Origin
* LastPass
* Youtube Video Downloader
* Data Saver (For Chrome Only) -
Re: FUCK MILLENNIAL SNOWFLAKES
No. It uses a standard, well known encryption algorithm - specifically https://en.wikipedia.org/wiki/... and https://en.wikipedia.org/wiki/... as stated here https://lastpass.com/how-it-wo... so the encryption technique isn't security by obscurity. That took a total of 10 minutes to find out, and that isn't what was broken.
I wasn't talking about LastPass, I was responding to the person arguing that closed source is inherently more secure.
-
It's a circle of life kind of thing
going paperless on multiple accounts will mean having that information scattered under different user names and passwords.
Which is then collected again under one username and password.
-
Re:Lastpass TFA actually makes the hack easier
Lastpass has now enabled the verification email for users with 2FA enabled. See https://lastpass.com/support.p...
-
LastPass have responded:
https://lastpass.com/support.p...
It seems they've turned on email confirmation even for users with 2FA, along with a couple of other in-browser measures.
-
Re:LastPass's Response
Also here's a link to Sean Cassidy's Twitter account: https://twitter.com/sean_a_cas...
https://twitter.com/sean_a_cas...
"LastPass now requires email confirmation for logins from new IPs, even with 2FA: https://lastpass.com/support.p..." Does that mean the 2FA issue is addressed?
-
LastPass's Response
Here's the response from LastPass:
https://lastpass.com/support.p...
(I think this link should be in the main summary for balance) As for Google Chrome, LastPass asks that you star Issue 39511 for extension infobars outside the DOM. Specifically here's LastPass asking for improvement in Chrome January 12th, 2012:
https://code.google.com/p/chro... I am NOT affiliated with LastPass.
-
Re:Will Use Neither
It is funny. LastPass openly stated they don't know the extent of the data that was taken, just that they feel it was not much, yet you think that is handled well?
"We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."
https://blog.lastpass.com/2015...
That looks pretty specific to me.
-
Re:Scripts that interact with passwords fields aws
" I've been in the software business for almost 40 years,"
Software, not security.
"I suggest you study texts on encryption, and maybe read the technical details of how a good cloud-based password manager like LastPass actually works"
https://blog.lastpass.com/2015...
That's all I fucking need to know. A piece of paper holding my passwords is more secure in my wallet than my passwords are with LastPass or KeePass. I also have the ability to actually defend my stuff if someone tries to take it, whereas someone hacks your shit and it's gone, you're fucked. By the time you realize it, it's too late, they've made off with your stuff.
"Your super-whiz-bang method still requires a password, it seems"
Good authentication requires everything, including a password. We could switch to biometrics, you're fucked because there are any number of ways to get around that, including taking your head off. With a password added for second verification (or third verification, in this case) taking your head does me no good unless I was able to get the password from you before hand.
"How do you hash the passwords for your sites? Still using MD5?"
You silly noobs using hashes and salts. Nowadays smart people embed that information in an image file, good old steganography. You think you got a password database? Enjoy the cluster of hentai you just downloaded. Get past the fact that there's information inside the image? Good luck decrypting the white noise format used to encode it. Unless you have used my server software, you aren't going to be able to do much with it.
-
Re:Scripts that interact with passwords fields aws
n00bs, eh? I've been in the software business for almost 40 years, you young whippersnapper.
I suggest you study texts on encryption, and maybe read the technical details of how a good cloud-based password manager like LastPass actually works. https://lastpass.com/whylastpa... https://lastpass.com/support.p...
Your super-whiz-bang method still requires a password, it seems. Without a password manager, users will still need to remember their password and many will either reuse passwords from other sites or choose simple ones. The image/caption thing you talk about is often used as an anti-phishing technique, but that's not authentication. If you're requiring the user to choose from among multiple pictures or captions, then that's effectively another one or two passwords. Yes, it will make it harder to attack YOUR site through the web interface, but doesn't itself strengthen protection of the users' passwords.
The goal for password managers is not to protect individual sites, it's to protect the users against their own misuse of passwords and reducing the risk when some site (not yours, hopefully) gets hacked and has their password database stolen. (How do you hash the passwords for your sites? Still using MD5?)
-
Write only off-site aggregated log server ..
"We’ve commissioned a write only off-site aggregated log server which can only be accessed via the console. This will allow us a guarantee that any logging is intact." ref
-
Re:Look up your email address
Hey bud, you would have been better-off using this:
LastPass Adobe email hack check
LastPass got a hold of the database and offers a checking service.
-
Re:Who is using this?
1) Very few websites supported it
It's getting better, but this is still a problem. One option is to just set it up for LastPass and maybe Google. I agree that securing your online banking access would be a good idea, but very few bank websites support this.
3) Too expensive - $18 - $50 each.
If you just need a key for a desktop or laptop (no NFC), you can get a FIDO U2F key for $6. The downside is that LastPass doesn't support these yet (although they're working on it). Google already supports them.
does it also state whether they allow a backup key?
Yes, both LastPass and Google allow you to associate multiple Yubikeys with your account. So it's no problem to add your spouse's key to your account and vice versa, or to keep a backup key in the desk drawer and have that associated with multiple accounts.
How would you use it with an ipad or iphone?
Unfortunately, the iPhone 6 still isn't supported for use with the Neo, although they might add it in the future. I don't know about the iPad, but my guess is no. Any Android phone with NFC should support it already.
-
Re:Other title sugestion
The best solution I could think of was if a password manager like KeePass would support managed multi-user credentials. That is, each individual has their own KeePass keychain with their own personal passwords, but an administrative user can insert a special hook for a shared password. So the user could use their KeePass passphrase to login to the shared Twitter account, but they wouldn't actually know the Twitter password and it wouldn't be stored on their keychain. Any time they needed to login, their KeePass would authenticate itself with the admin KeePass, which would log them into Twitter for them. When the person quits or is fired, the admin can just revoke that person's access to the admin KeePass keychain. No need to change the password and email the new password to everyone (thus creating a potential security breach) because the person who left is a potential security breach.
LastPass supports this on their "Premium" and "Enterprise" accounts.
You can add sites to a folder which the administrator can control and that administrator can decide if the user will be able to 'see' the password or leave it hidden to all users.
Users will need their own unique password (and potentially Two Factor auth) to access the 'hidden' Twitter password account.
https://enterprise.lastpass.co... enterprise
https://helpdesk.lastpass.com/... 'premium' -
Not a good solution
There's at least 1: lastpass.
-
Re:KeePass?
You're telling us not to trust a web based service, but then tell us you keep your data shared like google drive or dropbox? I see no appreciable difference in practice there. Lastpass is essentially Keepass + a specialized dropbox-type service. Your advice is especially ironic given the spotty security dropbox is known for.
At some point, you have to make informed decisions about the tradeoffs between security and convenience. For me, using Lastpass is a convenient way to synchronize the strongest possible unique passwords - essentially gibberish - across my multiple computers. I feel that having strong, unique passwords across the web is critical to keeping my numerous accounts secure.
This is exactly how security is supposed to work - a researcher discovers a potential flaw, discloses it to the vulnerable companies, who then promptly fix it and disclose this fact in detail to its customers. The system is arguably more secure than before, not less.
Incidentally, as it turns out, this attack is apparently only applicable to those not using a browser plugin. That's not to discount the seriousness, but I was never actually vulnerable to this attack, since I only use Lastpass from my PC using Firefox + Lastpass plugin.
-
Lastpass http://lastpass.com/
Put it in secure notes. Give them all the login/password.
If they test it regularly, then have a locally cached copy if Lastpass goes belly up, which can be opened with Lastpass Pocket or whatever it's called now.
-
Re:Should have upgraded Openssl
Did _you_ know that your wireless router was using OpenSSL to manage EAP? Or did you just assume that having SSH blocked and not serving HTTPS would be enough?
And even if you did, is it even possible for you to upgrade a single library on your access point?
Try going back to the original CVE, the plethora of vulnerability checkers, or any of the press surrounding it. Every reference to Heartbleed pointed to HTTPS or, rarely, TLS and VPN services as being vulnerable to the bug. Now pretend that you don't know the implementation details of WPA and EAP. Based on all of that, why would you even consider updating or replacing every wireless device you have which doesn't use HTTPS unless the manufacturer told you?
Moreover, when have manufacturers of popular wireless equipment _ever_ produced timely and relevant updates without at least eight months lead time and court cases in at least three countries?
-
Several!
There have been a number of sites.
SSLLabs scanner has been updated to check for Heartbleed, and also will report when the cert validity starts (handy if you want to see whether they're using a new cert). https://www.ssllabs.com/ssltes...
LastPass has a pretty decent scanner that just focuses on Heartbleed (without all the other info that you get from SSLLabs): https://lastpass.com/heartblee...
There are some others out there as well, of course. There's even one for client-side testing (almost as critical):
Pacemaker is an awesome little POC script (python 2.x) for testing whether a *client* is vulnerable (many that use OpenSSL are...). https://github.com/Lekensteyn/... -
LastPass.com
I've been using them for years, and I love it so much that I subscribe to their premium service, even though I don't have a use for it, to provide support for them...their basic service is free.
It autofills my username and password on any machine where I have the app installed. If I don't have the app installed but need to get to my username/passwords, they have an online vault I can log on to.
And searching is easy - I can search by username or site or keyword in description. They auto-filter my passwords as I type into the search box.
-
We need more information, Albus..
I'm at a loss to understand what the security issues you would have such that cloud-based password managers are a hazard. And yet, such that you can get away with passwords that you can commit to memory.
Any password you can remember is a password that is already in thousands of crackers' try-these-first password lists. All of the online security breaches of password database have provided a rich and extensive database of passwords that people actually use. No, you need to use a password manager. Like five years ago. But a password-managing device is the worst possible option you can consider. How can you back up your password database?
A good, completely off-line option is Steve Gibson's 'Off the Grid' password generator here: https://www.grc.com/offthegrid.... You could generate a paper grid and use that. It can be reprinted as needed, and even if you lose it, no problem.
Some/all of the cloud-based managers can be used offline. I know for a fact that LastPass does not need to be connected to the 'Net to work. It's free, try it out - see if it works for you. There are 'LastPass Portable' versions, designed to run off a thumbdrive.
For a buck a month, LastPass provides stellar technical support (one of the programmers called me at home to sort out an issue I was having when using 'LastPass for Applications' with the steaming pile of crap that is iTunes): https://lastpass.com/go-premiu... Their security has been vetted by trusted reviewers, they use best practice encryption and protocols. Perhaps their Enterprise services will fit the bill?
Cheap at twice the price. I can't recommend them enough. -
Re:LastPass
Then select the option on the website that allows you to store your database in Europe. (requires paid version currently)
-
This has already been done: LASTPASS
This idea of one password to rule them all is not new, in fact, Lastpass has already developed a perfect TNO (Trust No One) password storage system.
And it's free on all your computers
They charge $1 per month to use on mobile devices.
-
Re:..okay? And?
If Chrome is going to enter your password for you, it has to know your password. This simple requirement ultimately means that any attempt to obfuscate the stored password is going to be trivial to overcome by anyone who has physical access to the box, unless you're flat out encrypting them with another password that the user would have to enter to decrypt them, and at that point, we've pretty handily defeated the purpose of storing passwords (because let's face it, it's not like you're going to want to do this EVERY time you need to autofill a password, so we're just going to do it once and then leave the db unlocked), so you may as well just remember your passwords and enter them manually in the first place.
Others: you've modded this drivel insightful? For shame.
AC: You should call LastPass and patiently explain to them why nobody will pay them money for their password manager, because this is exactly what it does. Well, 'exactly' with the exception that you can set it to remember your master password until you close the browser session and/or are idle for a specified time and/or (implicitly) log off. Sort of addresses that "EVERY time you need to autofill a password" thing.
After all if you memorize one password you may as well just memorize all of them and enter them manually in the first place... there's no convenience at all in memorizing just a handful.
-
Re:This is also the case on Firefox
-
Thank you LastPass!
Now I *know* the gobbledygook password you generated for me is not compromising me anywhere else on the net. I have no financial interest in LastPass; just a big fan.
-
Re:The End of Passwords
I've "given up" too. Until the pony is delivered, LastPass is a good solution. It supports Firefox, Chrome, and Dolphin on Android (have to subscribe to get the mobile support), which covers my needs, and uses local strong encryption so the LastPass people can't get at your data. My first dog's name was jRffr9CDMNhD (I just generated that automagically with Alt-G - different for every site). It should be %6mjDYs*uwysVz%YYwTz2!7rcAt8!B%H, but too many websites don't sanitize input and have length limitations. Conveniently the length and character class differences are just a click away. Inconveniently, almost no websites will tell you what kind of data they will accept for a given field (that would make a nice form field spec enhancement).
Yes, it's basically using a short key without the benefits of PKI, but compared to using human-recalled passwords, it's better.
Browsers should really have implemented this sort of password manager 5 years ago, and also provided a usable UI for doing client-side certificates 10 years ago, but here we are today with nothing like that in sight.
-
Re:Forcing strong passwords in the first place.
I use five different operating systems. (Osx , ios, linux, windows, android ) name one keychain program that can be used across them all and keep that program easily sync'd?
-
Re:Use virtual machines. SOLVED.
I don't know why the parent isn't modded higher.
You can do a few easy things to take yourself out of the "low hanging fruit" category, listed in order of extremeness & difficulty :)
1. Disable all browser plugins. I only use Flash very occasionally on an as needed basis. There's loads of hidden Flash on sites. Very easy to do in Chrome.
2. Install an extension called DoNotTrackMe, it's free and blocks nearly all of the nasty commercial trackers. https://abine.com/dntdetail.php
3. Install another extension called HTTPS Everywhere from the good people at EFF. https://www.eff.org/https-everywhere
4. Use an app or manually manage your cookies regularly. On the Mac at home I have an app that regularly erases all the cookies and DBs web surfing leaves behind except for the ones I have marked as favorites. I have a similar app that erases other data at regular intervals such as caches, logs, etc.
5. Don't use FB and other free social sites and services e.g. Google Docs. (Use Libre, etc.)
6. Use a Robots.txt file in every directory that could ever be put online. They work.
7. Use LastPass (free) which stores all your web site login data in an encrypted file which only you can access from any computer. You can use a different email address and login ID with every website you surf to then.
Even if you just don't want to have to remember multiple web site logins and passes I could not imagine web life without LastPass anymore. https://lastpass.com/
8. Use pre-paid credit cards.
9. Change your name to be the same as that of a famous actor who is the same sex and a similar in age & appearance as you. I happen to have this by luck, if you Google me you must troll through several pages of celebrity garbage to even get to results for anyone with the same name.
Do all of the above in a VM with default settings from a variety of connections and you're pretty un-trackable for all but the most sophisticated out there.
-
Re:Because it's a terrible idea.
Use LastPass, log to LP site from anywhere, ta-da!!
-
Re:In the meantime - LastPass!
I have just got to plug LastPass. Decided to give lastpass a try and already it's been incredibly helpful.
You can use Google Authenticator, grid multifactor, fingerprint, card reader, and yubikeys. You can customize when you need your masterkey, you can limit login to specific countries, have multiple form fill profiles, etc. A few features require premium for $12/year, such as yubikey, mobile apps, and better support.
But seriously, check it out.
I should introduce my mom to it.