Slashdot Mirror

← Back to Stories (view on slashdot.org)

Critical Vulnerabilities In Web-Based Password Managers Found

Posted by samzenpus on from the protect-ya-neck dept.

An anonymous reader writes A group of researchers from University of California, Berkeley, have analyzed five popular web-based password managers and have discovered vulnerabilities that could allow attackers to learn a user's credentials for arbitrary websites. The five password managers they analyzed are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword. "Of the five vendors whose products were tested, only the last one (NeedMyPassword) didn't respond when they contacted them and responsibly shared their findings. The other four have fixed the vulnerabilities within days after disclosure. 'Since our analysis was manual, it is possible that other vulnerabilities lie undiscovered,' they pointed out. They also announced that they will be working on a tool that automatizes the process of identifying vulnerabilities, as well as on developing a 'principled, secure-by-construction password manager.'"

4 of 114 comments (clear)

  1. Re:KeePass? by Anonymous Coward · · Score: 5, Funny

    I e-mail myself my passwords with the site name in the subject line and the password in the body of the e-mail. It works really well for sites I forgot the password for, and it's 100% safe as Google uses HTTPS by default now.

  2. For that reason... by Parker+Lewis · · Score: 5, Funny

    To avoid remember all the password managers, we need a password manager manager.

  3. Re:Surprise by jsherma2 · · Score: 5, Insightful

    I think there's a difference between "being willing to accept the risk of my credit card(s) being compromised on the internet" and "being willing to accept the risk of every account password I have being compromised on the internet". I essentially have insurance to help me recover losses from my credit cards. Having every bank account and retirement account drained by an enterprising criminal with access to all of my account and personal details is on a completely different risk level.

  4. TL;DR - (from a security guy) by xxxJonBoyxxx · · Score: 5, Interesting

    From page 7 of the paper (http://devd.me/papers/pwdmgr-usenix14.pdf):
    - LastPass, RoboForm and My1login all had "bookmarklet" vulnerabilities (used if you share passwords across the web - shudder)
    - LastPass, Roboform and NeedMyPassword all had "web" vulnerabilities
    - My1login and PasswordBox both had "authorization" vulnerabilities
    - LastPass and RoboForm both had "UI" vulnerabilities

    The other thing I wondered at was why the special mention of "creating tools to automatically identify such vulnerabilities" when there's a bunch of packages that already do that...until I looked on page 14 and saw the list of US government grants that sponsored this paper, plus mention of some Intel funding. (If you want the money to flow, first identify the problem...)