LastPass Bugs Allow Malicious Websites To Steal Passwords (bleepingcomputer.com)
Earlier this month, a Slashdot reader asked fellow Slashdotters what they recommended regarding the use of password managers. In their post, they voiced their uncertainty with password managers as they have been hacked in the past, citing an incident in early 2016 where LastPass was hacked due to a bug that allowed users to extract passwords stored in the autofill feature. Fast forward to the present and we now have news that three separate bugs "would have allowed a third-party to extract passwords from users visiting a malicious website." An anonymous Slashdot reader writes via BleepingComputer: LastPass patched three bugs that affected the Chrome and Firefox browser extensions, which, if exploited, would have allowed a third-party to extract passwords from users visiting a malicious website. All bugs were reported by Google security researcher Tavis Ormandy, and all allowed the theft of user credentials, one bug affecting the LastPass Chrome extension, while two impacted the LastPass Firefox extension [1, 2]. The exploitation vector was malicious JavaScript code that could be very well hidden in any online website, owned by the attacker or via a compromised legitimate site.
......your local 3-letter government agency.
also, first post!
I am surprised that anyone serious about security would ever install a web browser password plugin for their password management software. It seems logical that it is just a bug away from password compromise.
Don't use an online password manager. Copy and paste your password when needed, then clear the clipboard. It's not perfect, but I'll take mSecure over some of these other password managers any day. And I don't back up my passwords in the cloud. They're encrypted on an SD card.
So, I've been online over 20 years. I still use variations of passwords from when I was a kid in the '90s. I use a few passwords and variations of those, add caps and exchange letters for numbers, aka "l33t". Not once has one of my accounts been compromised. Although I'm security conscious and often think how I would hack myself to keep myself safe, I don't understand how so many people fall victim. I feel it's pure laziness.
Has simply never been hacked.
Is the convenience of the "cloud" really worth it when it comes to your data's security? At least keepass is 100% local, doesn't need an internet connection and can run in a "portable mode", meaning no installation required so you can run it off a usb flash drive when not at home and need access to one of your accounts. (though that's also a security risk, as you never know if the computer you're borrowing is safe or not)
This is the sort of thing why I've never let any sort of browser thing do autofill. I have a password manager on my phone and when I need to, I look it up and *type* it in. A minor nuisance, but for frequently used passwords, I then don't need it as I actually remember them. The others are by definition infrequently used.
Though I have to admit, it's the most used feature of my phone. It also means I don't have to worry about synchronizing across many different browsers and computers, or the lack of security having all that in multiple places.
Bugs have already been patched. Stop with the FUD please. Yeah, it's bad they existed, but they're gone.
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
No hacker, no matter how skilled, will ever be able to hack a piece of paper in your desk drawer.
Looks like they already patched it.
It's a question of how fast you can build a wall before someone tears a hole though it. Security is only temporary.
To you, the douchebag who said use a password manager or you will be hacked: I have been using the same formula for generating passwords for almost 2 decades and I have not had any issues. Enjoy your increased threat level by using additional software to store your passwords. You almost convinced me.
I know of companies (perhaps even my current one) which recommend people use LastPass over KeePass/KeePassX. The fact that they recommend a person use a password generator is good, but anything in the Cloud means that you _DO_NOT_ have physical control of the system storing passwords. The first rule of security is that you must have physical control of everything. All other security rules come after that one.
The Company problem is a symptom of promoting "marketing geniuses" and "number crunchers" to be in charge of Security, instead of promoting Security geniuses to be in charge of Security. As a security expert I have some great horror stories about bad decisions, and can tell you that stock options are constantly ready to be sold.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
The three articles you posted were all about what Lorrie Cranor said, but you seem to misunderstand what she said. Cranor did NOT say that it's a bad idea to change YOUR password.
What Cranor said is that there are downsides to forcing everyone to change their password every month or so.
People will not remember a new password every month, so if forced to "change" it monthly they'll either write it on a Post-It note or just use [password]1, [password]2, [password]3, etc, not really changing the password, Cranor said. She's not wrong - there absolutely is a limit to how *often* you should *force* people to change their password.
Also, leaks happen, leaks with millions of accounts, so you will be safer if you change your password *occasionally*. I use a system in which I can change my password every 6-12 months without having to remember a new password. Another fact about passwords is that the safe length for a password keeps getting longer; I now normally call it a "pass phrase". When I started in security, an eight-character password was considered secure. So what I do is every so often I add a couple of characters to my base password.
Imagine in 1998 maybe I could have used "pallFurt" as my base password. In 2000 I'd start using "pallFurt!?". In 2002, "4pallFurt!?". In 2004, "4pallFurt!?Dh". So I don't have to remember something completely different each time, but password changes, meaning dumps from old sites don't have my current password (besides it's slightly different for each site).
And yet, I, as the owner can't get my Master Password back out.
Passwords are easy. Variations of a few passwords work. And when it comes to brute force, length and numbers, capitals and special characters add a lot of time to that process: years on current hardware. Password managers are a bad idea because of being hacked and, like articles say, people are lazy. It defaults to ease over security, so there is really no argument here. If you don't want to be hacked because of silliness like this, don't be an incompetent fool when it comes to security. I don't have this problem; I'm just trying to help people see the issue.
Correction, ONLINE password managers are a bad idea. I don't think there is anything wrong with OFFLINE password managers. For instance, I use KeyPass, and it keeps the password vault file encrypted on my HDD. That file can get backed up locally and to the cloud in an already encrypted state so that [CloudProvider] can't access the file.
There is no such password manager as KeyPass.
correction: KeyPass = KeePass
FYI, on Twitter, someone asked Ormandy what was the best password manager. His reply was "KeePass or KeePassX are both perfectly reasonable choices." Source: https://twitter.com/taviso/sta...
Okay, I'll admit it, I'm the maker of a lesser-known password manager that has been around for ages. The weakest part is the operating system's handling of the clipboard: there is no OS-level support for clipboard wiping and no guarantee that sensitive data isn't written to disk. Moreover, there is generally not enough protection against keystroke loggers, which are the #1 method for obtaining the master passphrase. Apart from these obvious vulnerabilities, against which I cannot do anything, my application works fine, is cross-platform, has high data integrity and is fairly secure, primarily because it stores everything locally, validates every file written to disk, uses standard encryption libraries and does not use the browser at all.
But here's the catch: There really is no need for a password manager at all. What's important is to use a random password generator. You can then store your passwords in a text file on an encrypted disk image, which is more convenient and easier to use than the vast majority of password managers out there.
As for password managers that use the 'cloud' or browser extensions, in my opinion they're mostly crap and #1 hacking targets anyway.
> I am surprised that anyone serious about security would ever install a web browser password plugin for their password management software. It seems logical that it is just a bug away from password compromise.
Oh I agree. I think people have been recommending password managers despite the, "all your eggs in one internet connected basket" thing.
Unfortunately there aren't many options. All I can think of is an air-gapped encrypted tablet whose sole purpose is to keep passwords. And then physically typing them.
Which makes the bunch of random words the much more attractive way; easy to read and type.
Why would anyone with even pretensions of being a geek link their password manager to a browser, beyond the two applications sharing the same OS install? I've been using a password manager for years, and it would NEVER have occurred to me to make it easy for my browser to access it directly. I don't consider myself terribly security conscious; but dangling a LOT of low-hanging fruit in front of would-be attackers was just never even on my radar. Goes without saying that the first thing I did when browsers introduced 'remember passwords' was to turn the damned thing off.
Security and convenience will always be at odds. But most people who don't have alarm systems will at least lock up their houses and cars. When it comes to The Interwebs, they should also go at least that far.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
Ok, that's a bit safer, but still not fully. You have to always assume your PC has been hacked. Anything on that PC is up for grabs as soon as KeePass decrypts in memory and has all your passwords there while it chooses which one it needs, or if it only pulls the one and decrypts it. I can still use a memory leak exploit that's in almost every piece of software for Windows, and now I still have the password you were trying to hide and keep secure. Passwords themselves are inherently insecure; that's why the security field is trying to get rid of them. As far as practice goes, I would say offline encrypted passwords are second to using your brain as the vault. But I hope everybody learns from this and stops using online password managers.
One of the big issues that I run into is different sites having different password rules. Some, for instance, force you to have at least 1 uppercase, 1 lowercase, 1 numeric and 1 special character. Some others, however, preclude the use of certain characters. AmEx, for instance, doesn't allow one to use '$' in the password. Then there is the requirement that the length be at least 8 characters. I use different passwords that are related to the site/application being used. But being forced to occasionally change them is annoying.
It is spelled KeePass.
-- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
To me, the scariest part of the numerous vulnerabilities report is not the bugs themselves, but rather the response that LastPass had to project-zero #1209. See Comment #4 at https://bugs.chromium.org/p/pr... : "[LastPass] also said they couldn't get my exploit to work, but I checked my apache access logs and they were using a Mac. Naturally, calc.exe will not appear on a Mac." If this is the level of scrutiny that LastPass is putting into its security incidents, I'm losing confidence in their ability to safeguard user data.
So time and time again I see people in high-paying positions reaching out here in hopes someone will do their job for nothing. /. encourages them to do so, at the expense of the reputation of this publication.
They reach out here with questions like "without paying a professional, how do I train my people and leverage them to the fullest??"
What's worse is that
While I will admit it's not as bad as it was when DICE was in charge, it seems to be creeping up again.
Pull your Millennial heads out.
One thing LastPass will do for you that the copy/paste solutions won't is that LastPass will not autofill your wellsfargo.com credentials into a login page at wallsfergo.com. (Substitute less obvious domain-squatting combination.) For the even slightly security-aware, the "no domains match" is a speedbump between you and total pwnage.
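The "no domains match" speedbump the comment describes is a check the extension runs before filling. The following is an added example of that check in JavaScript; it is not LastPass's code. It shows two policies: exact origin (scheme + host + port, the safer default) and registrable domain (eTLD+1), which lets online.wellsfargo.com share a login saved for www.wellsfargo.com but still refuses wallsfergo.com and a lookalike that buries the real name inside an attacker's domain. The public-suffix list is a deliberately tiny placeholder constructed for this example; a real extension loads the full list from publicsuffix.org. The URLs in the comments and checks are constructed.

```javascript
// Added example, not LastPass's code: the "no domains match" check before autofill.
// PUBLIC_SUFFIXES is a constructed placeholder for the real public suffix list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "github.io"]);

// eTLD+1 of a hostname, or null when the suffix is unknown (refuse rather than guess).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Longest known suffix wins, then one more label is the registrable part.
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) return labels.slice(i - 1).join(".");
  }
  return null;
}

// entryUrl: URL stored with the credential; pageUrl: where the login form lives.
// policy "origin" compares scheme+host+port exactly; "domain" compares eTLD+1.
function canAutofill(entryUrl, pageUrl, policy = "origin") {
  const saved = new URL(entryUrl);
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return false; // never fill a form served over plain HTTP
  if (policy === "origin") return saved.origin === page.origin;
  const a = registrableDomain(saved.hostname);
  const b = registrableDomain(page.hostname);
  return a !== null && a === b;
}
```

Origin matching is what you want when the site allows it; eTLD+1 is the usual compromise for sites whose login lives on a different subdomain than the one you saved. Note that on a shared hosting suffix such as github.io the suffix list is what keeps alice.github.io and bob.github.io apart; without it, eTLD+1 would wrongly treat them as one site.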
Bruce Schneier disagrees with you.
Note that online password managers use your password to encrypt the list of passwords, and then they back that up for you to the cloud. It's the self-same process you use, and has the same vulnerabilities.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
> You have to always assume your PC has been hacked.
LOL. You can't polish a turd. If your PC is hacked they can grab your password as you type it in anyway, so using an online password storage makes no material difference to security as opposed to using your brain, but the online security is much more convenient, and the online stored passwords are much longer and more random, whereas you've admitted that your passwords are total shit.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
Yes, 8-16 character passwords with upper, lower, numbers and special characters are shit. I'm glad you know my passwords. As I've said before, I don't worry about it because I use strong passwords and don't open myself up to attack vectors that are poorly protected. It seems like a lot of people do, so I'm trying to help people learn good practice. Online password managers, as this example shows, are not good practice. And it depends on what kind of infection your PC may have; if their payload doesn't include a keylogger, and a lot don't, it can only pull your passwords from programs like Steam and Chrome and Edge and whatnot. I used to be one of the people that did such activities, but apparently nobody here wants to hear from somebody with experience on the other side of the fence. And people wonder why this world is turning to shit. You obviously know more about everything than I do, so please do tell.
LOL, you still don't seem to hear or understand: LastPass's passwords are specifically being stored FOR Steam and Chrome and Edge etc. If your web browser is sufficiently subverted, the game is lost anyway.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"