Slashdot Mirror


Critical Vulnerabilities In Web-Based Password Managers Found

An anonymous reader writes A group of researchers from University of California, Berkeley, have analyzed five popular web-based password managers and have discovered vulnerabilities that could allow attackers to learn a user's credentials for arbitrary websites. The five password managers they analyzed are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword. "Of the five vendors whose products were tested, only the last one (NeedMyPassword) didn't respond when they contacted them and responsibly shared their findings. The other four have fixed the vulnerabilities within days after disclosure. 'Since our analysis was manual, it is possible that other vulnerabilities lie undiscovered,' they pointed out. They also announced that they will be working on a tool that automatizes the process of identifying vulnerabilities, as well as on developing a 'principled, secure-by-construction password manager.'"

15 of 114 comments

  1. KeePass? by Electricity Likes Me · · Score: 3, Interesting

    I'd be really curious to hear their opinions on KeePass, which isn't web-based but certainly in the same category.

    1. Re:KeePass? by mlts · · Score: 4, Informative

      I'd probably say KeePass is as secure as things get, since it doesn't use the Web in any way, shape, or form.

      What I'd like to see with password apps that use a cloud provider for backend storage (be it 1Password, mSecure, or so on) would be a keyfile that is manually transferred between devices and never put on the cloud backend. This way, if/when the cloud provider is hacked, the password file is not just protected by the passphrase, but by a keyfile that an attacker would have to compromise a physical device to get.

    2. Re:KeePass? by Anonymous Coward · · Score: 5, Funny

      I e-mail myself my passwords with the site name in the subject line and the password in the body of the e-mail. It works really well for sites I forgot the password for, and it's 100% safe as Google uses HTTPS by default now.

    3. Re:KeePass? by itsownreward · · Score: 3, Informative

      I have KeePass installed on my computers and KeePassDroid on my phone and tablet. The file is shared between them all using Dropbox. This way, if I change it one place it's available at all the others automagically, and in case it gets corrupted I have a 30-day history of changes at Dropbox's site. I've had no problems, I like its built-in and configurable password generator, and it works a treat with the KeeFox plugin for Firefox.

      (YMMV in that you may have issues with Dropbox, but for me, it works.)

    4. Re:KeePass? by Anonymous Coward · · Score: 3, Informative

      The "magic to ensure that the next one-time password is unique" is a counter, an integer one higher than the previous time.

      The checksum of (counter + internal private key) is what results in the final 32 chars of the sequence (the first 12 being your userid).
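The counter scheme the comment above describes, worked through as an added Python example that is not from the comment or from any product: HOTP (RFC 4226) combines a monotonically increasing counter with a device-private key, and the verifier's stored counter is what makes each code single-use. The 12 + 32 character layout mentioned in the comment is that of a YubiKey OTP, which AES-encrypts a block holding the counters under the device key rather than hashing them, so the wire format differs from what is shown here; the shared point is that uniqueness and replay resistance come from the counter the verifier remembers, not from the code itself. The test key and expected codes are the published RFC 4226 vectors.

```python
"""HOTP (RFC 4226) generator and a replay-rejecting verifier.
Added example, not code from any password manager or token vendor."""
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(key, counter as 8-byte big-endian), then
    dynamic truncation to a short decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side. Uniqueness comes entirely from the stored counter: a code
    is accepted only if it corresponds to a counter above the last one seen,
    so a replayed code fails even though it was valid once."""

    def __init__(self, key: bytes, look_ahead: int = 10):
        self.key = key
        self.last_counter = -1        # nothing accepted yet
        self.look_ahead = look_ahead  # tolerate presses that were never submitted

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c    # advance: every code <= c is now dead
                return True
        return False


RFC_KEY = b"12345678901234567890"      # RFC 4226 Appendix D test key
RFC_CODES = ["755224", "287082", "359152", "969429", "338314",
             "254676", "287922", "162583", "399871", "520489"]

if __name__ == "__main__":
    assert [hotp(RFC_KEY, i) for i in range(10)] == RFC_CODES
    v = HotpVerifier(RFC_KEY, look_ahead=5)
    print(v.verify(RFC_CODES[0]))  # True
    print(v.verify(RFC_CODES[0]))  # False: replay of an already-used counter
    print(v.verify(RFC_CODES[3]))  # True: skipped presses inside the window
    print(v.verify(RFC_CODES[2]))  # False: behind the stored counter
```

The look-ahead window is the usual trade-off: wide enough that a token pressed in a pocket still works, narrow enough that an attacker cannot cheaply guess a future code. Whatever the window, the verifier must persist `last_counter` atomically, because a lost or rolled-back counter reopens every code since.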

    5. Re:KeePass? by Mister Liberty · · Score: 3, Funny

      Which in Dutch --translated for the occasion to English-- would mean 'Ouch! Tom Ate Ice'.

    6. Re:KeePass? by Jesus_666 · · Score: 4, Informative

      You can always try KeePassX (for Linux and OS X; use the latest 2.0 Alpha release) and MacPass (for OS X), both of which are compatible with the KeePass 2.x database format. They might not have all the features but they work rather well and you don't have to deal with the monstrosity that is KeePass on a non-Windows system.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)

  2. For that reason... by Parker Lewis · · Score: 5, Funny

    To avoid remembering all the password managers, we need a password manager manager.

  3. Storing cloud passwords in the cloud? by QuietLagoon · · Score: 4, Insightful

    Even if the cloud-based password repositories are secure (and apparently, they are not), why not just target the cloud services themselves for security exploits?

    Eliminate the middle-man, go wholesale.

    1. Re:Storing cloud passwords in the cloud? by Enry · · Score: 4, Informative

      In the case of LastPass at least, the passwords are encrypted locally and then sent to the server for storing. Your only possibility there would be searching through and finding stores with weak passwords, or finding a crack in the encryption. Otherwise, the attacks have to take place on the end user side.

    2. Re:Storing cloud passwords in the cloud? by mlts · · Score: 3, Interesting

      The problem is that there is a conflict between a password suitable enough for protection (i.e. 20+ characters), and something quick enough to access in a short time.

      mSecure addresses this in an interesting way -- they cache the extra long sync password used for the cloud. The password that is used to encrypt the synchronized database that sits in iCloud or Dropbox is different from the app's passphrase. Since most phones have decent innate protection, it is not impossible, but very difficult to dump the data on a locked device [1], so one can have a fairly easy to type in PIN on the device, but the synchronized backend file is protected with a much longer (and more secure) passphrase.

      [1]: iOS on the iPhone 4 and up always encrypts. Android since 3.x has the option of using dm-crypt and encrypting the /data partition, then using another tool to separate the password asked on boot to decrypt that partition from the screen locker password.
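The design discussed in this sub-thread, as an added Python example that is not code from mSecure, LastPass, KeePass or any of the commenters: Enry's point that a locally encrypted vault leaves an attacker only weak-passphrase guessing, mlts's two-tier scheme (a long passphrase for the synced file, a short PIN that unlocks a device-cached copy of that passphrase), and mlts's earlier wish for a keyfile that is carried between devices and never synced. Everything here is an assumption for illustration: the iteration counts, the toy HMAC-based cipher (used only so the example runs on the standard library; real code should use an AEAD such as AES-GCM), and the sample vault, passphrases and keyfile bytes.

```python
"""Two-tier vault keys with an optional keyfile: a constructed demonstration,
not code from mSecure, LastPass, KeePass or any product. The synced blob is
sealed under a key derived from a long sync passphrase (plus a keyfile that
never goes to the cloud); the device keeps that passphrase wrapped under a
short PIN. The cipher is a toy HMAC-SHA256 keystream with an HMAC tag so the
example runs on the standard library alone; real code should use an AEAD."""
import hashlib
import hmac
import os

# Assumed iteration counts, kept low so the demo runs in about a second;
# production values belong far higher, above all for the cloud-facing one.
ITER_SYNC = 50_000   # guards the blob an attacker can take offline
ITER_PIN = 100       # guards a blob that only ever exists on the device


def derive_key(secret: str, salt: bytes, iterations: int, keyfile: bytes = b"") -> bytes:
    # Keyfile material is mixed into the KDF input, so a passphrase guess
    # made without the keyfile bytes can never produce the right key.
    material = secret.encode() + hashlib.sha256(keyfile).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:   # HMAC in counter mode, standing in for a stream cipher
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None   # wrong key or tampered blob: nothing leaks
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def make_vault(sync_passphrase: str, pin: str, vault: bytes, keyfile: bytes = b""):
    """Returns (cloud_blob, device_blob). Only the first is ever synced."""
    s_sync, s_pin = os.urandom(16), os.urandom(16)
    cloud = s_sync + seal(derive_key(sync_passphrase, s_sync, ITER_SYNC, keyfile), vault)
    device = s_pin + seal(derive_key(pin, s_pin, ITER_PIN), sync_passphrase.encode())
    return cloud, device


def unlock_with_pin(pin: str, device_blob: bytes, cloud_blob: bytes, keyfile: bytes = b""):
    """Everyday path: short PIN -> cached sync passphrase -> vault contents."""
    passphrase = unseal(derive_key(pin, device_blob[:16], ITER_PIN), device_blob[16:])
    if passphrase is None:
        return None
    key = derive_key(passphrase.decode(), cloud_blob[:16], ITER_SYNC, keyfile)
    return unseal(key, cloud_blob[16:])


def guess_passphrase(cloud_blob: bytes, candidates, keyfile: bytes = b""):
    """Offline attack on the synced blob: all the attacker can do is try
    passphrases, so the outcome rests on passphrase strength (and keyfile)."""
    for cand in candidates:
        key = derive_key(cand, cloud_blob[:16], ITER_SYNC, keyfile)
        if unseal(key, cloud_blob[16:]) is not None:
            return cand
    return None


def brute_force_pin(device_blob: bytes, digits: int = 4):
    """What the PIN is worth if the device-local blob is extracted: 10**digits
    KDF runs, i.e. seconds. That blob must never reach the cloud backend."""
    for i in range(10 ** digits):
        pin = f"{i:0{digits}d}"
        pt = unseal(derive_key(pin, device_blob[:16], ITER_PIN), device_blob[16:])
        if pt is not None:
            return pin, pt.decode()
    return None


# Constructed sample data for the demo and its checks.
VAULT = b'{"example.com": {"user": "alice", "pw": "h8#Qz2vL"}}'
STRONG = "correct horse battery staple circus lamp"   # 20+ characters
WEAK = "password123"
COMMON = ["123456", "password", "password123", "letmein"]
KEYFILE = b"\x13\x37" * 32   # stands in for a file copied device-to-device

if __name__ == "__main__":
    cloud, device = make_vault(STRONG, "1234", VAULT)
    print(unlock_with_pin("1234", device, cloud) == VAULT)   # True
    print(guess_passphrase(cloud, COMMON))                    # None
    print(brute_force_pin(device))                            # ('1234', STRONG)
    weak_cloud, _ = make_vault(WEAK, "0000", VAULT, KEYFILE)
    print(guess_passphrase(weak_cloud, COMMON))               # None: no keyfile
    print(guess_passphrase(weak_cloud, COMMON, KEYFILE))      # 'password123'
```

The split only pays off if the device blob really stays on the device: `brute_force_pin` shows that once it is extracted, a four-digit PIN gives up the long passphrase in seconds, which is exactly why the comment leans on the phone's storage encryption. The keyfile branch shows the complementary point: even a weak passphrase survives a dictionary run against the cloud copy as long as the keyfile bytes were never uploaded alongside it.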

  4. Re:Surprise by jsherma2 · · Score: 5, Insightful

    I think there's a difference between "being willing to accept the risk of my credit card(s) being compromised on the internet" and "being willing to accept the risk of every account password I have being compromised on the internet". I essentially have insurance to help me recover losses from my credit cards. Having every bank account and retirement account drained by an enterprising criminal with access to all of my account and personal details is on a completely different risk level.

  5. TL;DR - (from a security guy) by xxxJonBoyxxx · · Score: 5, Interesting

    From page 7 of the paper (http://devd.me/papers/pwdmgr-usenix14.pdf):
    - LastPass, RoboForm and My1login all had "bookmarklet" vulnerabilities (used if you share passwords across the web - shudder)
    - LastPass, Roboform and NeedMyPassword all had "web" vulnerabilities
    - My1login and PasswordBox both had "authorization" vulnerabilities
    - LastPass and RoboForm both had "UI" vulnerabilities

    The other thing I wondered at was why the special mention of "creating tools to automatically identify such vulnerabilities" when there's a bunch of packages that already do that...until I looked on page 14 and saw the list of US government grants that sponsored this paper, plus mention of some Intel funding. (If you want the money to flow, first identify the problem...)

  6. Slightly misleading, fearmongery headline by myvirtualid · · Score: 4, Informative

    This was on HN a few days ago; my comment there was the same: In the case of LastPass, the headline is misleading and a little fearmongery.

    There were two issues with LastPass and NEITHER affected its storage of persistent passwords, that is, neither affected the feature the vast majority of us use passwords managers for!

    One concerned a targeted attack against one-time passwords (OTP), the other concerned bookmarklets, which are used by less than 1% of the user base, according to LastPass. Personally I didn't know either feature existed until I read the LastPass blog entry about these two vulnerabilities.

    A truer headline would have been "Vulnerabilities found in less-frequently used features of LastPass; persistent site password storage unaffected".

    --
    I'm here EdgeKeep Inc.

  7. They had one job by Animats · · Score: 3, Informative

    A "web based password manager" has one job - keeping the passwords secure. That's all it does. If anyone easily finds a vulnerability in that, the service is a failure.