LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites (theregister.co.uk)
Reader mask.of.sanity writes: A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which can completely compromise user accounts when users visit malicious websites. The flaw is today being reported to LastPass by established Google Project Zero hacker Tavis Ormandy, who says he has found other "obvious critical problems". Interestingly, Mathias Karlsson, a security researcher, has also independently found flaws in LastPass. In a blog post, he wrote that he was able to trick LastPass into believing he was on the real Twitter website and cough up the users' credentials because of a bug in the LastPass password manager's autofill functionality. LastPass has fixed the bug, but Karlsson advises users to disable autofill functionality and use multi-factor authentication. At this point, it's not clear whether Ormandy is also talking about the same vulnerability.
Remembering passwords is terrible security practice. It leads to password reuse, very weak passwords, written down passwords, forgetting to change your passwords at least yearly, etc.
Using a password manager is ideal. The problem is using LastPass specifically is dumb; it's proprietary and closed source, so nobody has any idea what's going on with those passwords, nor if the company behind it is using optimal security practices. It plugs into your browser, so the attack surface is basically your entire computer.
Use a FOSS password manager that stores your passwords locally (i.e. does not connect to the Internet) and through an encrypted hash, like KeePass. LastPass is a bad idea on a number of levels.
Well, that's the cloud for you. Stop connecting stuff that doesn't need to be connected.
The best firewall- route to null
All millennials suck. I hate millennial snowflakes. Just remember your damn passwords and you'll have no trouble. Fuck millennials and their lazy security. Die in a fire.
Yea guys we millennials should remember our 200 passwords the same way the tech savvy Gen X people do...make them all the same! Or better yet, do what I already see everyone else doing and write them all in a notebook and keep in your top desk drawer. Sooo much better than us millennials and our lazy security...
Actually, closed source software is better. If there's a vulnerability in open source software, anyone can look at the source code, find the security holes, and then exploit them. Closed source software is definitely far more secure.
Yeah most vapor is easily penetrable. Imagine what would happen to an airplane if it wasn't.
Would it really be incorrect to assume that keeping a local text file with your passwords is quite a bit more secure than anything in the Cloud?
“He’s not deformed, he’s just drunk!”
The entire "2FA" concept is simply an info grab masquerading as security theater. In what way is it supposed to improve my security by A: Giving a piece of information that is NOT strictly need-to-know to some random weirdo on the Internet, and B: Tying the security of that thing to said third-party service?
This is not security. This is simply an attempt to grab information masquerading as security theater. Real security has always worked based on the premise that a piece of information exists that is known only to two parties. We call this a "password". If one is not good enough, you can add a SECOND password. This avoids the involvement of any third parties which can add more holes to the chain. It's quite common, for instance, for sites to include a security hole: That this password process can be bypassed through a "reset" procedure that essentially invalidates the entire security system and pushes the ultimate security off to some third-party site. Are THEY secure? Who knows...but probably not, since now you have all that information funnelled into that one email. It's a common practice upon compromising an email account to attempt to initiate a password recovery for that email account on any interesting sites to see if you get any recovery mails to them.
At that point your email-based "2FA" is totally worthless and more of a liability than if it was simply a non-automatically-recoverable password that wasn't stored anywhere, with no record of any association with an email address. Throwing in "phones" is even more obnoxious, because A: Not everyone has or desires to have a phone, as phones are a security breach that allows third-parties to remotely track and monitor your physical location at all times, and B: Phones are easily lost or stolen.
I think it's reasonable to say that I'm regarded as one of the more paranoid people around, and I say this entire business is simply a scam. They just want to steal your phone or another email so they can spam you.
You have got to be fucking kidding me. Whose idea was that? Even if you do a good job of it, it's still going to be an over-the-top, in-your-face, obviously stupid idea, self-parodying on the face of it.
Part of me insists that, therefore, this product must not have any users anyway.
And the other part of me knows that everyone-except-me is probably using it, because I live in a world gone mad. WTF is wrong with you people? Do you ever think about anything?!?
Keepass + Browser saved passwords, works flawlessly.
Be or ben't
...is a notebook with usernames and passwords written down in it. Primarily because any system I use has to work on Linux, Mac, Windows, iOS, and Android.
I don't actually write down the password, but a description of it. "Usual, first letter cap, +9*3, without old First Sergeant's name" type of thing.
Actually, closed source software is better. If there's a vulnerability in open source software, anyone can look at the source code, find the security holes, and then exploit them. Closed source software is definitely far more secure.
... in other words, security by obscurity. That's not a discredited practice or anything.
The headline says 'Lastpass accounts can be completely compromised'.
But this isn't a method of getting the Lastpass account password itself; it's a way of getting passwords for specific sites that the malicious site is trying to get passwords for.
That isn't 'completely' compromising the Lastpass account.
In the free world the media isn't government run; the government is media run.
Remembering lots of passwords is not possible for most people.
Keeping all the passwords the same is not smart.
Using a password vault seems logical, except that any such vault is a huge target for hackers. Certainly any vault in the cloud is just a disaster waiting to happen.
Two-factor authentication is probably the best solution -- unless your phone is at the bottom of the river, or your employer puts you in a spot where phone service is non-existent, like the basement. Of course, for those of you who are doing everything via phone, these two arguments don't apply.
No method is perfect. In the end, each of us is left to work things out as best we can.
Proverbs 21:19
Password managers seem like an inherently terrible idea, particularly online ones.
Can someone explain to me why password hashers are not more common? I've used one for years and really can't understand why nobody else does. Take the master password, append (a portion of) the site's domain name, and hash to arrive at a random password. There's only one password to remember, you get a unique strong password for every website, and everything can be done offline without storing anything anywhere. There are extra refinements to create new passwords to replace e.g. compromised ones, or conform to the site's password length and other requirements, but they are trivial. Extensions are available for browsers and mobiles.
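An added worked implementation of the scheme the comment above describes (not the commenter's own tool or any published hasher): master secret plus normalised site domain through a slow KDF, a rotation counter for replacing a compromised password, and a policy check; the alphabet, the `www.` stripping and the 200,000 PBKDF2 iterations are my assumptions.

```python
import hashlib
import hmac
import string

# Hypothetical "password hasher": one master secret, per-site salt from the
# domain, a slow KDF, a rotation counter. Added illustration, not the poster's code.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"   # 70 symbols
REJECT_ABOVE = 256 - (256 % len(ALPHABET))                    # rejection-sampling bound


def normalize_domain(domain: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.'.

    Proper registrable-domain (eTLD+1) handling is out of scope; the caller is
    assumed to pass the real site's domain, since the derived password is only
    as "site-bound" as the origin check that feeds it.
    """
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def meets_policy(pw: str) -> bool:
    """Typical site policy: at least one lower, upper, digit and symbol."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in "!@#$%^&*" for c in pw))


def derive_site_password(master: str, domain: str, counter: int = 0,
                         length: int = 20, iterations: int = 200_000) -> str:
    """Deterministically derive the password for one site.

    The slow KDF is the only thing between a leaked site password and an
    offline guess at the master secret, so keep iterations high. Bumping
    counter yields an unrelated password for the same site (rotation).
    """
    salt = f"{normalize_domain(domain)}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    # Expand the key HKDF-style into as many bytes as needed and map them onto
    # ALPHABET with rejection sampling so no symbol is favoured (no modulo bias).
    for attempt in range(64):      # retry deterministically until policy holds
        chars, block = [], 0
        while len(chars) < length:
            stream = hmac.new(key, bytes([attempt]) + block.to_bytes(4, "big"),
                              "sha256").digest()
            block += 1
            for b in stream:
                if b < REJECT_ABOVE and len(chars) < length:
                    chars.append(ALPHABET[b % len(ALPHABET)])
        pw = "".join(chars)
        if meets_policy(pw):
            return pw
    raise RuntimeError("could not satisfy policy")   # ~0.13^64, never in practice
```

Because every site password is a pure function of the master secret, one leaked site password becomes an offline guessing target against the master, and changing the master rotates every site at once.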
You can't shut us down! The Internet is about the free exchange and sale of other people's ideas!
Password managers be like, yo all eggs, meet one basket, dig?
True story: somebody told me once that he made all of his passwords his social security number, because he was tired of remembering so many. If the site required letters in addition to numbers, he would suffix it with his initials.
Even more horrifying than that, his email address was his full name and birth year @ hotmail.com...
So LastPass can be tricked to think he is on the real Twitter page. Newsflash, so can a human. So the human will also enter his password on that page, no matter the password manager he uses.
This problem isn't specific to LastPass. If a bogus site is masquerading as the real site, any system that doesn't have extensive site validation checks will fail, including and especially, remembering passwords.
KeePass is not necessarily safer: http://www.harmj0y.net/blog/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/
And yet GPG is the de facto standard encryption library.
You're a dumbass. But I expect nothing else from a millennial. Closed source is one layer of security along with memorizing passwords and encryption. Removing any layer of security is stupid. Opening up the source so anyone can find vulnerabilities and exploit them is as stupid as removing encryption and storing passwords plaintext. You millennial snowflakes really are pretty stupid.
That's funny, I didn't know Bruce Schneier was a millennial. Oh well. Use closed source security solutions if you like. After all, why use something FOSS that you can patch in minutes when you can wait for your vendor to take their time and do it for you?
If there's a vulnerability in open source software, anyone can look at the source code, find the security holes, and then exploit them.
If it's open source, there's also the possibility of looking at the source code, finding the security holes, and submitting a patch to close the hole. More eyes make problems shallower.
No it's not. Only obscure, niche open source projects use GPG. It might be a de facto standard for how to be vulnerable, but that's about it.
KeePass is not necessarily safer: http://www.harmj0y.net/blog/re...
Why don't you read the article you quoted?
"To reiterate from the last KeePass post, KeePass is not “bad” or “vulnerable” – it’s a much better solution than what we see in many environments, and the developers did pretty much everything right when coding it (including strong in-memory protections and DPAPI). Still, some admins/companies sometimes tend to see solutions like this as a silver bullet, so one point of this post is to (again) show that practical attack vectors against KeePass and similar vaults are not unrealistic. Our intention is not to convince anyone NOT to use a password manager (we believe you definitely SHOULD use a password manager), but rather to combat the false sense of security it may give some users."
Besides, the attack they're using requires being able to access your computer's memory. If you're already compromised to that degree, you're pretty screwed.
This article is nothing but a sensationalist headline. The concept and reading through the guys process were great, but he did alert LastPass prior to posting and collected $1000 as a bounty.
So what proprietary, closed library do you use?
...After all, why use something FOSS that you can patch in minutes when you can wait for your vendor to take their time and do it for you?
Not everyone is Microsoft, the company fixed it overnight.
No. It uses a standard, well known encryption algorithm - specifically https://en.wikipedia.org/wiki/... and https://en.wikipedia.org/wiki/... as stated here https://lastpass.com/how-it-wo... so the encryption technique isn't security by obscurity. That took a total of 10 minutes to find out, and that isn't what was broken.
YHBT (twice). YHL. HAND.
No. It uses a standard, well known encryption algorithm - specifically https://en.wikipedia.org/wiki/... and https://en.wikipedia.org/wiki/... as stated here https://lastpass.com/how-it-wo... so the encryption technique isn't security by obscurity. That took a total of 10 minutes to find out, and that isn't what was broken.
I wasn't talking about LastPass, I was responding to the person arguing that closed source is inherently more secure.
Or so the salesperson claims.
...After all, why use something FOSS that you can patch in minutes when you can wait for your vendor to take their time and do it for you?
Not everyone is Microsoft, the company fixed it overnight.
But that's the problem. I have to *trust* that they'll proactively and competently fix security holes. That's the inherent flaw in proprietary security patches.
YHBT (twice). YHL. HAND.
I'm aware he's trolling, but if it gives me an opportunity to open up the discussion to people reading the thread, why not take advantage of it?
"Trust" is subjective. I have to "Trust" someone.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
"Note: This issue has already been resolved and pushed to the Lastpass users."
Yes, it's important, but the title's present tense is a lie: "LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites "
It leads to password reuse, very weak passwords, written down passwords, forgetting to change your passwords at least yearly, etc.
Only if your memory is complete shit. Maybe you should lay off of the drugs.
Keepass, period, on a local machine and/or an encrypted USB stick. Don't save anything in a browser even one of the "majors" because it is the doorway to the Internet and *will* be hacked from time to time. What's really annoying is AV makers hacking the browsers to make them worse but that's another story.
Remember, if it's "in the Cloud" it's in somebody else's computer and they or whoever hacks them has access to your stuff. Take suitable precautions.
There was a recent story about the EU doing a security audit on Keepass. That should be interesting...
Using open source doesn't guarantee that you or anyone else will be able to or can be bothered to fix it. We are not all experts at every aspect of every open source software we use.
I would still opt for the open source password manager, but not for the reasons you are using.
So you're telling me a site like The Register just wrote a 100-word piece on someone's tweet, without any kind of actual details... and called it a ZERO-DAY? Let me remind you that a zero-day is a security flaw used in real-world attacks, not a vulnerability discovered and properly reported to the software owner. Otherwise, Bugcrowd and HackerOne will be filled with zero-days. This is just a GOD DAMN bug report.
Seems to me this very problem is what operating systems like Qubes were designed to address.
Since you can run the browser in two different environments for different purposes, it is possible that you only have Lastpass accessible when you're visiting trusted websites and you use the browser in the "untrusted" environment which does not have access to Lastpass when you surf random sites.
Then for someone to use this method to get your passwords, they have to hack a website you consider trusted.
Problem solved in a way that allows for the inevitable bugs and flaws in each app.
https://www.qubes-os.org/
Human memory is complete shit, only a jackass member of Mensa who regularly engages in mental masturbation to worthless puzzles would think otherwise.
Using any online service that requires a password to function is terrible security practice. It leads to password reuse, very weak passwords, written down passwords, forgetting to change your passwords at least yearly, etc. Just do everything involving money offline.
FTFY.
I remember 30-ish unique 20-40 character long passwords. (Or rarely sub-10 for some crappy sites)
I can guarantee they'll not be brute-forced easily even with a dictionary file with only the digits / words / symbols I used. (I tried. Yes, properly)
It is trivial to create a simple password generator you can go over in your head or paper if you have crap memory for keeping a running counter going. (I'm not even that good at doing mental arithmetic)
The strongest pass(es) I have is up in the 100s, quadruple encrypted. (Important docs container)
Fact is, 20 random digits is inferior to 20 common English words.
Throw an uncommon (made-up preferred) word / digit in there and you shit on every single dictionary brute force.
Replace spaces with a number and it'll require several universes of computation.
Password leaked from a crappy host that never encrypted? Change the uncommon word. Done.
Password managers are stupid. Physics agrees.
"Trust" is subjective. I have to "Trust" someone.
But apparently the OP doesn't have to trust anyone... In which case I'm pretty sure that before using his computer he reads and comprehends every single one of the millions of lines of code that comprise his open source software stack before compiling and using it on his open source hardware which he has painstakingly verified with a TEM after going through the RTL source to make sure the fab wasn't trying to subvert his privacy.... All while being wrapped in a giant tinfoil snowball orbiting Pluto to keep away from those pesky TEMPEST spies.
I mean... yeah, you gotta trust someone when you use tech, whether or not it's open source you still have to trust people.
A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass
Here lies the problem. Don't store confidential data (and especially your passwords) on the frickin cloud.
It leads to password reuse, very weak passwords, written down passwords, forgetting to change your passwords at least yearly, etc.
Only if your memory is complete shit. Maybe you should lay off of the drugs.
I take it you have 30+ instances of stuff like P8i*SDz=!E4i^\4#b}~A45kcHf^^S remembered?
Why is that horrifying? It isn't me.
> store your passwords locally and through an encrypted hash
I'm a cryptographer and I don't know what that means.
If I presented the encrypted hash of my password to a web site, it would tell me my password is wrong.
The storing of a hash of a password, encrypted or not is the business of the authenticator at other end.
Maybe you meant to say: A password manager should encrypt, integrity protect and store you passwords locally.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
There are no guarantees. Does that really need to be said? Seriously? Open source certainly increases the probability of it being fixed though.
Since nobody is ever born this brand new to use it.
Idea of two factor is to have a knowledge based key and a physical key. A perfect physical key makes remote attacks impossible, which is nice. Authenticators are leveraging the fact that pRNGs aren't random. With a known seed, you can predict the output of a given algorithm. Since the seed only needs to be shared once (the rest is just time-syncing) and it can be arbitrarily long, it's pretty secure. Dynamic is preferable to static (debit card, keyfile, etc) because of things like replay attacks.
You can get an authenticator dongle that could never track your location, if you're concerned. Easier to monitor an app's web traffic though. E-mailing is weird. Changes it to two knowledge based keys, and two passwords isn't more secure than doubling a single.
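The shared-seed, time-synced authenticator the post above describes, as an added illustration (not the poster's code): the standard HOTP (RFC 4226) and TOTP (RFC 6238) construction, an HMAC over a counter, plus a server-side check that tolerates clock drift but refuses a replayed code; the secret and codes in the test are the RFC 6238 test vectors.

```python
import base64
import hmac
import struct
import time
from typing import Optional

# Added example of how authenticator apps actually derive codes: HMAC of a
# counter (HOTP), with the counter taken from the clock (TOTP). Not the poster's code.


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """One-time code = dynamic-truncated HMAC(secret, counter), mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """TOTP is HOTP whose counter is floor(unix_time / step)."""
    t = time.time() if for_time is None else for_time
    return hotp(secret, int(t) // step, digits, algo)


def verify_totp(secret: bytes, code: str, for_time: float, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6,
                algo: str = "sha1") -> Optional[int]:
    """Server-side check. Returns the matched counter, or None.

    Accepts +/- window steps of clock drift, compares in constant time, and
    refuses any counter at or below the last one accepted, so a code sniffed
    from the wire cannot be replayed inside the drift window.
    """
    now = int(for_time) // step
    for c in range(now - window, now + window + 1):
        if c <= last_counter:          # also skips negative counters (default -1)
            continue
        if hmac.compare_digest(hotp(secret, c, digits, algo), code):
            return c
    return None


def secret_from_base32(encoded: str) -> bytes:
    """The seed is shared once as base32 (otpauth:// URIs / QR codes)."""
    s = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))
```

A caller storing the value returned by `verify_totp` as `last_counter` for the next check is what turns the time sync into replay resistance.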
I try to have secure passwords for everything, but some of the things I have issues with are all of the changing requirements for each website, password length limits, etc. It is hard enough to come up with secure passwords that are different for every site that you can still remember (usually involving some sort of algorithm that changes the password on a site-by-site basis but is still rememberable).
It is far more difficult to remember hundreds of passwords when 20 of them have a password character limit that is below 20, and 20 of them have ridiculously long lists of requirements ranging from 'must be 8 characters or higher' to 'can not have any consecutive digits or consecutive characters' to even shit like 'can not use any special characters'.
Using open source doesn't guarantee that you or anyone else will be able to or can be bothered to fix it. We are not all experts at every aspect of every open source software we use.
But that's the beautiful thing about open source. A bug is reported, and for whatever reason the maintainer won't fix it (incompetence, laziness, untimely death, etc.). You can recompile the project yourself with the fix. I did this very thing with a Thunderbird extension that the maintainer forgot about but broke with a new TB release; somebody left the fix in the reviews.
If Microsoft or some other company declares a project EOL, no luck in hell you're getting that fixed.
You're right, I spoke with imprecision. Mea culpa.
And get off my lawn!