Slashdot Mirror

← Back to Stories (view on slashdot.org)

LastPass Bugs Allow Malicious Websites To Steal Passwords (bleepingcomputer.com)

Posted by BeauHD on from the irony-at-its-finest dept.

Earlier this month, a Slashdot reader asked fellow Slashdotters what they recommended regarding the use of password managers. In their post, they voiced their uncertainty with password managers as they have been hacked in the past, citing an incident in early 2016 where LastPass was hacked due to a bug that allowed users to extract passwords stored in the autofill feature. Flash forward to present time and we now have news that three separate bugs "would have allowed a third-party to extract passwords from users visiting a malicious website." An anonymous Slashdot reader writes via BleepingComputer: LastPass patched three bugs that affected the Chrome and Firefox browser extensions, which if exploited, would have allowed a third-party to extract passwords from users visiting a malicious website. All bugs were reported by Google security researcher Tavis Ormandy, and all allowed the theft of user credentials, one bug affecting the LastPass Chrome extension, while two impacted the LastPass Firefox extension [1, 2]. The exploitation vector was malicious JavaScript code that could be very well hidden in any online website, owned by the attacker or via a compromised legitimate site.

85 of 126 comments (clear)

  1. please use a password manager.... by turkeydance · · Score: 1

    ......your local 3-letter government agency.

    1. Re:please use a password manager.... by Anonymous Coward · · Score: 1

      Tell us how you really feel. Most decent operating systems have a password manager built in. Why not just use the one that is included in your system, which is encrypted with your login password and doesn't post itself to the internet? I mean if your system is compromised your passwords are compromised either way right?

    2. Re: please use a password manager.... by Highdude702 · · Score: 1

      The problem is the generated passwords. go read a few IPSec articles about passwords. Also changing passwords on sites is bad idea unless an absolute necessity. Also in said articles.

    3. Re: please use a password manager.... by s4f · · Score: 1

      Platform interoperability. That's why.

    4. Re: please use a password manager.... by Nunya666 · · Score: 1

      The problem is the generated passwords. go read a few IPSec articles about passwords. Also changing passwords on sites is bad idea unless an absolute necessity. Also in said articles.

      Citation required for any absurdity claiming that changing passwords is a bad thing.

    5. Re: please use a password manager.... by Desler · · Score: 1

      Keychain in OS X and iOS does. In OS X you can even choose between various premade rules or make your own for how the password is generated.

    6. Re: please use a password manager.... by Ol+Olsoc · · Score: 1

      What? Maybe an OS lets you store a password but they don't generate passwords for you.

      Umm - MacOS will generate passwords for you if you like.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    7. Re: please use a password manager.... by Zaelath · · Score: 1

      Yeah, what AC said.

      Those articles are all about passwords that you're:
      a) forced to type (Windows Login for example),
      b) forced to change regularly, and
      c) required to ensure different to other passwords (She mentions 6 government passwords because you're not allowed to have the same password on all 6 systems)

      For that limited case she's undeniably correct, but changing passwords itself isn't a bad idea. A better idea is using a different 20 characters of random entropy on every website, but you can change those occasionally too.. it's fine.

    8. Re: please use a password manager.... by Highdude702 · · Score: 1

      its security that causes insecurity, 20 characters of entropy as you said isnt memorable, causing the need to trust these passwords to something other than your own brain. which becomes insecure. but why do that when you can simply use secure variations of your password to protect against password lists and brute forcing, 10 characters with special characters capitol and lower letters and numbers takes a long time to crack if hashes properly which all people that make you use passwords should be doing by default. and most do. the few that dont you hear about in the news.

    9. Re: please use a password manager.... by 93+Escort+Wagon · · Score: 1

      Doesn't even require Safari - there's a password assistant built into the OS, even though it's not exposed as an application.

      I still have (and use) a third-party utility called "Password Assistant", which was written by the guy behind the now-defunct website CodePoetry.net. It provides a wrapper application which gives you direct access to the built-in password generator. It's extremely handy, even outside the web browser.

      --
      #DeleteChrome
    10. Re: please use a password manager.... by shumacher · · Score: 1

      Huh?

      20 characters would probably be a strong password.

      20 bits of entropy almost certainly would be a very poor password.

      I'm not sure what twenty characters of entropy would be. I guess it would depend on your encoding.

    11. Re: please use a password manager.... by Zero__Kelvin · · Score: 1

      Really? 20 characters are hard to remember?
      YouDidntThinkThat1ThroughVeryWell!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    12. Re: please use a password manager.... by Dog-Cow · · Score: 1

      What kind of crappy OS has a password manager that won't generate passwords on demand?

    13. Re: please use a password manager.... by TheRaven64 · · Score: 1

      Doesn't even require Safari - there's a password assistant built into the OS, even though it's not exposed as an application.

      For those wanting more than a vague hint: it's in the Keychain Access app. The New Password Item menu item brings up a dialog box that lets you generate a password matching various criteria.

      --
      I am TheRaven on Soylent News
    14. Re: please use a password manager.... by fluffernutter · · Score: 1

      Except you can't use English words on some oses (redhat 7) and you can't make obvious substitutions like 1 for I and 0 for O.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    15. Re: please use a password manager.... by Highdude702 · · Score: 1

      i never said anything about a VPN. but in this situation theres not much a VPN can do to help.

    16. Re: please use a password manager.... by Zaelath · · Score: 1

      Yeah, you remember one "good" password for your OS, the rest is in a key management system like KeePass or similar. That's why I went to great lengths to disassociate the password for your OS from the general case. But you know, people are idiots as you say...

    17. Re: please use a password manager.... by Zaelath · · Score: 1

      entropy:lack of order or predictability
      characters:unit of information that roughly corresponds to a grapheme, grapheme-like unit, or symbol, such as in an alphabet or syllabary in the written form of a natural language.
      bit:0 or 1

      20 characters of entropy: W6iIfgerBGbAk6bNVpcL
      20 bits of entropy:01110010001000111001

      What's your definition of entropy exactly?

  2. KeePass FTW! by OutOnARock · · Score: 4, Informative

    also, first post!

    1. Re:KeePass FTW! by Anonymous Coward · · Score: 1

      ++

      A password manager running in a browser process is a terrible idea.

    2. Re:KeePass FTW! by PhrostyMcByte · · Score: 5, Informative

      I'll second KeePass. Not just because it's what I use, but because it takes serious measures to protect your data. Anyone can make a functioning password safe, but the way KeePass does it shows it was designed with an eye toward security. As a dev, I can appreciate it.

      A browser extension? Really? Your OS has a massive, old, reliable security feature in that one process can not easily access the memory of another process, and you choose to not use that and instead build support directly into the largest attack vector on your PC, the browser?

    3. Re:KeePass FTW! by Desler · · Score: 1

      At least your honest...

    4. Re:KeePass FTW! by laejoh · · Score: 1

      African or European?

    5. Re:KeePass FTW! by bill_mcgonigle · · Score: 2

      Having to manually lookup the site in your manager, copy the password and paste it in the form is too cumbersome.

      Right, so most users without an intergrated password manager will just use an easy-to-guess password.

      LastPass isn't perfect, but as a system it improves overall web security to a large extent by enabling people to use very-high-entropy passwords.

      People who want to copy and paste from Keepass (I do for very high security sites) should keep on doing that. But, for Pete's sake, I hope you're not using the totally insecure X11 clipboard.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  3. Keep passwords away from web browser integration by 0x537461746943 · · Score: 5, Insightful

    I am surprised that anyone serious about security would ever install a web browser password plugin for their password management software. It seems logical that it is just a bug away from password compromise.

  4. Simple solution by Anonymous Coward · · Score: 1

    Don't use an online password manager. Copy and paste your password when needed, then clear the clipboard. It's not perfect, but I'll take mSecure over some of these other password managers any day. And I don't back up my passwords in the cloud. They're encrypted on an SD card.

    1. Re:Simple solution by Anonymous Coward · · Score: 5, Insightful

      Copy and paste works fine, but beware of the risk of other scripts within the login webpage and other open browser tabs accessing the clipboard.

      To digress a bit, but related to this topic. Slashdot has jumped the shark with ads in recent months. Makes one wonder how secure Slashdot is serving up hundreds (really! 392 at the moment, but seen it upwards of 500 already) of cookies and numerous trackers. Slashdot is often associated, whether rightly or wrongly, with being populated by many tech related users, it's within the realm of possibility of rogue scripts being served with Slashdot to scarf up clipboard data, passwords, etc in hopes of hacking well known websites that Slashdot users do work for.

      Bottom line, be wary of having Slashdot open in a separate tab while doing anything sensitive. Likewise for many other sites that serve up obnoxious ads. Use of an blocker can help, but isn't fully comprehensive security in and of itself...

      Ironically, in light of the above issues, use of a password manager, whether cloud based or not, is likely safer than copy and pasting from a local text file.

    2. Re:Simple solution by BradleyUffner · · Score: 1

      And I don't back up my passwords in the cloud. They're encrypted on an SD card.

      How do you enter passwords on your cell phone?

    3. Re:Simple solution by ShaunC · · Score: 1

      Slashdot is often associated, whether rightly or wrongly, with being populated by many tech related users, it's within the realm of possibility of rogue scripts being served with Slashdot to scarf up clipboard data, passwords, etc in hopes of hacking well known websites that Slashdot users do work for.

      No doubt. If the "good guys" target Slashdot users, you can bet the black hats do, as well.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  5. My Post-It Password Manager by BoRegardless · · Score: 1

    Has simply never been hacked.

  6. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  7. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  8. Re:It's sooo easy! by Daemonik · · Score: 3, Insightful

    Nobody has to hack YOU, they hack the website you log into and download all their passwords then just keep trying those password/username combinations on other websites until they crack another one over and over again. You individually aren't worth much other than a shim to try to break into the next web server. Your accounts could be shared all over Russian hacking circles and you'd never know until the website you use reports a break in that might include your login.

    Smug people are just victims who don't know it yet.

  9. Re:KeePass... by Ash-Fox · · Score: 1

    The exploits mentioned weren't closed based, but locally in the browser though?

    --
    Change is certain; progress is not obligatory.
  10. Never use autofill by vanyel · · Score: 4, Interesting

    This is the sort of thing why I've never let any sort of browser thing do autofill. I have a password manager on my phone and when I need to, I look it up and *type* it in. A minor nuisance, but for frequently used passwords, I then don't need it as I actually remember them. The others are by definition infrequently used.

    Though I have to admit, it's the most used feature of my phone. It also means I don't have to worry about synchronizing across many different browsers and computers, or the lack of security having all that in multiple places.

    1. Re:Never use autofill by 0x537461746943 · · Score: 4, Informative

      You should not use autofill for other reasons... Hidden fields can be passed to websites without you knowing it... http://www.digitaltrends.com/c...

    2. Re:Never use autofill by raind · · Score: 1

      I'm sure your fone is secure....just saying....

      --
      Get up!
  11. Allowed. Not allows by Gojira+Shipi-Taro · · Score: 4, Insightful

    Bugs have already been patched. Stop with the FUD please. Yea it's bad they existed, but they're gone.

    --
    "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
    1. Re:Allowed. Not allows by AmiMoJo · · Score: 1

      We don't know how long they were exploited for, or by how many people. This is why having your password manager running in a separate process with only a manual copy/paste bridge between them is a really good idea.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Allowed. Not allows by phantomfive · · Score: 1

      If one existed, then two exist. There's a high probability of that heuristic being true.

      --
      "First they came for the slanderers and i said nothing."
  12. Re:It's sooo easy! by Highdude702 · · Score: 1

    As i said, Variations. I know a few of the black hatters. and that's now how they work. now if there was a large dump they would run the credentials at a few sites(would effect me none) that they want to gain access to. and it is completely about personal info. in case you didn't know and want to do some research sometime before you talk to somebody that used to be involved. the personal information is the part that's worth money. the trying user/pass to other sites is to get MORE personal info. like credit card number zip expiration and CCV. So next time you want to talk blackhat i suggest you select your target better.

  13. UPDATE [March 22, 2017 17:15 ET]: Article updated by p51d007 · · Score: 1

    Looks like they already patched it.

  14. Re:It's sooo easy! by Desler · · Score: 1

    Using 1337speak does very little in making your password safer.

  15. Sorry Folks.. by Neuronwelder · · Score: 1

    It's a question of how fast you can build a wall before someone tears a hole though it. Security is only temporary.

  16. MY PASSWORDS HAVE NOT BEEN HACKED by fadethepolice · · Score: 1

    To you, the douchebag that said use password manager or your will be hacked. I have been using the same formula for generating passwords for almost 2 decades and I have not had any issues. Enjoy your increased threat level by using additional software to store your password. You almost convinced me.

    1. Re:MY PASSWORDS HAVE NOT BEEN HACKED by cyberfunkr · · Score: 1

      I have three deadbolt on my main door

      Deadbolts are only as secure as the windows next to them....

  17. This! by s.petry · · Score: 4, Insightful

    I know of companies (perhaps even my current) which recommends people use LastPass over KeePass/KeePassX. The fact that they recommend a person use a password generator is good, but anything in the Cloud means that you _DO_NOT_ have physical control of the system storing passwords. The First rule of security is that you must have physical control of everything. All other Security rules come after that one.

    The Company problem is a symptom of promoting "marketing geniuses" and "number crunchers" to be in charge of Security, instead of promoting Security geniuses to be in charge of Security. As a security expert I have some great horror stories about bad decisions, and can tell you that stock options are constantly ready to be sold.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:This! by TheCarp · · Score: 1

      In a twisted way it makes sense. File loss is more common a problem than actual compromise. This absolves them of needing to offer a solution.

      Personally I ditched even keepass for password store because it solves this by supporting git for sync.

      Its cross platform, uses gnupg in the back end, meaning no custom encryption code and a well known, trusted code base. Plus, because it is gpg based, all but a couple of special snowflake implementations natively get the benefit of hardware keys that gpg supports.

      Since the gpg keys can be used as ssh keys, the whole process becomes seamless.

      --
      "I opened my eyes, and everything went dark again"
    2. Re:This! by s.petry · · Score: 1

      if you don't control the Git server you suffer from the same problem. Once someone obtains your files, the cracking can begin. I'm not saying that cracking would be easybut the amount of resources available to hackers is insane. There are millions of compromised hosts being used constantly for these purposes, as well as sending spam, serving malware, etc... The old days of simply being concerned with State Actors is no longer valid.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    3. Re:This! by s.petry · · Score: 1

      I should also have provided my solution. I have Mac, Linux and Windows versions of Keepass and KeepassX on a thumb drive. I clone the drive and maintain a backup in a safe. My thumb drive contains the keepass DBs as well as the binaries. It's portable and self contained so I don't worry about someone snagging my data. The master password is a beyatch for my master DB containing other passwords. Other keepass DBs which actually contain connection data have a 32 character random "strong" password stored in the master.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    4. Re:This! by mattwarden · · Score: 4, Interesting

      I hear you. It's a tough subject. I am pretty paranoid (in the general spectrum, not the slashdot spectrum), and I used KeePass and resisted LastPass for a long time. And I kept my KeePass vault in a TrueCrypt volume. It was a pain in the rear, and useless on my mobile device, and I slowly slid back to password strategies I could remember, which were unique to each site but if one site was compromised an attacker could figure out the pattern.

      I did move to LastPass after reviewing managers and reading about how LastPass decrypts your vault locally, and deciding I believe them well enough. Of course that doesn't matter too much, because if they ever wanted my passphrase they could get it and store it when I log in. But again, my point is that there is a balance, and my own behavior when convenience was low was to slide into poor practices. With LastPass, I have a single point of failure, but I'm comfortable with it and outside of that my password practices are much much better.

    5. Re: This! by Zero__Kelvin · · Score: 1

      That is a ridiculous statement. A hacker can have infinite motivation. He might even break into my system. That doesn't mean he can ever get my password.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:This! by AmiMoJo · · Score: 1

      Lots of commentators on Slashdot have recommended LastPass over Keepass too, despite repeating warnings that having your password manager running in the browser process is a really, really stupid idea. Seems like even people who should know better are for some reason keen to trust LastPass.

      This is now the 4th major severe security incident to affect LastPass. Do they have an affiliate scheme or something?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:This! by Agent0013 · · Score: 1

      I use KeePass on my Android phone. There are mobile versions of that tool if you want to use them.

      --

      -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
    8. Re:This! by TheCarp · · Score: 1

      1. Yes but, you can have many git servers. Each repo is a full copy so central repos are basically throwaway. Lose one, make a new one, push to it.

      2. The amount of available resources is amazing but, still, nobody cracks gpg encrypted files, nobody is dumb enough to try. Keeping up with the tool chain and updating keys every few years as the recomendations and capabilities change should do you fine.

      generally the weak point anyone would assault a gpg based setup is either key storage or end point usage.

      Nothing will stop a malware you don't know about from scraping the decrypted passwords as you decrypt them. If you store keys locally in an exportable form and type the decryption passphrase, then it can all be stolen by maleware as well.

      However, if you store subkeys on hardware that can't export them, and requires a touch, so it can't be used as an oracle easily.... then the best they can do is that.

      In this scheme each password has its own decryption session key, and that key is the only sensitive data that the hardware key works with. At best they get one message at a time, as you use them; and that requires that they own your endpoint in some way.

      --
      "I opened my eyes, and everything went dark again"
    9. Re:This! by TheCarp · · Score: 1

      Not going to lie, I miss keepass and its autotype function. I tried to mock something up with xdotool but never really worked right.

      That is mostly what I did, though instead of a thumb drive I just used git to keep some copies around...though, on windows I just used scp because I had trouble with git-annex. I never trusted thumb drives that much. I have lost data from them and if a backup procedure is too manual, I know I wont follow it.

      Then I bought a yubikey, and the more I looked at it, the more attractive the password-store model was. Worst case scenario, the only tools I really need are ssh, git, and opengpg. The only backup data, aside from my multiply-replicated repo is my restoration keyring, which can be copied to several USB sticks and is valid for potentially a decade or more. I can toss one in a bank safe deposit box (and some day I will get around to doing that!)

      You CAN setup a yubikey in OTP mode with keepass via a plugin, but, OTP mode is suboptimal and could be very problematic if you have sync/backup issues.

      --
      "I opened my eyes, and everything went dark again"
    10. Re:This! by Anonymous Coward · · Score: 1

      then use their binary version and don't install the extension.

      at least understand the product before criticizing it

    11. Re:This! by s.petry · · Score: 1

      What a great idea! Distribute secure information to as many locations as possible! Pure Genius!

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  18. 3 articles referencing the same statement, misunde by raymorris · · Score: 4, Insightful

    The three articles you posted were all about what Lorrie Cranor said, but you seem to misunderstand what she said. Cranor did NOT say that it's a bad idea to change YOUR password.

    What Cranor said is that there are downsides to forcing everyone to change their password every month or so.

    People will not remember a new password every month, so if forced to "change" it monthly they'll either write it on a Post-It note or just use [password]1, [password]2, [password]3, etc, not really changing the password, Cranor said. She's not wrong - there absolutely is a limit to how *often* you should *force* people to change their password.

    Also, leaks happen, leaks with millions of accounts, so you will be safer if you change your password *ocassionally*. I use a system in which I can change my password 6-12 months, without having to remember a new password. Another fact about passwords is that the safe length for a password keeps getting longer - I now normally call it a "pass phrase". When I started in security, an eight-character password was considered secure. So what I do is every so often I add a couple characters to my base password.

    Imagine in 1998 maybe I could have used "pallFurt" as my base password. In 2000 I'd start using "pallFurt!?". In 2002, "4pallFurt!?". In 2004, "4pallFurt!?Dh". So I don't have to remember something completely different each time, but password changes, meaning dumps from old sites don't have my current password (besides it's slightly different for each site).

  19. Re:Write them on a f...ing piece of paper by DontBeAMoran · · Score: 1

    Desk drawer? I'm writing on post-its and sticking them all around my monitor.

    --
    #DeleteFacebook
  20. Re:It's sooo easy! by WolfWithoutAClause · · Score: 1

    I too have a password I've used over ten years.

    I only use this for low security accounts that don't have any financial implications associated to them. But yes, that password got hacked.

    I know this because I typed it into a 'has your password been hacked' site and it said yep, and told me what had happened. These sites exist because lists of passwords that have been hacked exist.

    IRC I think it got cracked on yahoo or something; it wasn't like anything I'd done wrong.

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
  21. Re:It's sooo easy! by Highdude702 · · Score: 1

    depending on the words you use it will fool almost all password list files, and bruteforce becomes a lot harder with multiple numbers letters lengths capitols and special characters.

  22. Re:3 articles referencing the same statement, misu by Highdude702 · · Score: 1

    Passwords are easy. variations of a few passwords works. and when it comes to brute force, length and numbers capitol and special characters add a lot of time to that process. years on current hardware. password managers are a bad idea because of being hacked and like articles say people are lazy. it defaults to ease over security so there is really no argument here. if you dont want to be hacked because of silliness like this dont be an incompetent fool when it comes to security. i dont have this problem i'm just trying to help people see the issue.

  23. Re:It's sooo easy! by Highdude702 · · Score: 1

    I know this because I typed it into a 'has your password been hacked' site and it said yep

    Thanks for the great laugh before bed. thanks for adding your password to a password file that a few, probably not many have. but those people are not fools. Please do not do that ever again. lol

  24. Re:3 articles referencing the same statement, misu by amxcoder · · Score: 1

    Correction, ONLINE password managers are a bad idea. I don't think there is anything wrong with OFFLINE password managers. For instance, I use KeyPass, and it keeps the password vault file encrypted on my HDD. That file can get backed up locally and to the cloud in an already encrypted state so that [CloudProvider] can't access the file.

  25. Re:3 articles referencing the same statement, misu by amxcoder · · Score: 1

    correction: KeyPass = KeePass

  26. Ormandy recommends by campuscodi · · Score: 1

    FYI, on Twitter, someone asked Ormandy what was the best password manager. His reply was "KeePass or KeePassX are both perfectly reasonable choices." Source: https://twitter.com/taviso/sta...

  27. Use an encrypted text file by admin7087 · · Score: 1

    Okay, I'll admit it, I'm the maker of a lesser known password manager that has been around for ages. The weakest part is the operating system's handling of the clipboard - there is no OS-level support for clipboard wiping and no guarantee that sensitive data isn't written to disk. Moreover, there is generally not enough protection against keystroke loggers, who are the #1 method for obtaining the master passphrase.Apart from these obvious vulnerabilities against which I cannot do anything, my application works fine, is cross-platform, has high data integrity and is fairly secure, primarily because it stores everything locally, validates every file written to disk, uses standard encryption libraries and does not use the browser at all.

    But here's the catch: There really is no need for a password manager at all. What's important is to use a random password generator. You can then store your passwords in a text file on an encrypted disk image, which is more convenient and easier to use than the vast majority of password managers out there.

    As for password managers that use the 'cloud' or browser extensions, in my opinion they're mostly crap and #1 hacking targets anyway.

    1. Re:Use an encrypted text file by garethjrowlands · · Score: 1

      How to you back up your text file? How do you secure those backups?

  28. Re:Keep passwords away from web browser integratio by Bongo · · Score: 1

    I am surprised that anyone serious about security would ever install a web browser password plugin for their password management software. It seems logical that it is just a bug away from password compromise.

    Oh I agree. I think people have been recommending password managers despite the, "all your eggs in one internet connected basket" thing.

    Unfortunately there aren't many options. All I can think of is an air-gapped encrypted tablet whose sole purpose is to keep passwords. And then physically typing them.

    Which makes the bunch of random words the much more attractive way; easy to read and type.

  29. Re: It's sooo easy! by Zero__Kelvin · · Score: 1

    I can see if your bank account has been hacked for you. Just send me the account number, routing number, and your name, address and SSN and I'll let you know in my own special way ASAP!

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  30. Why? by jenningsthecat · · Score: 1

    Why would anyone with even pretensions of being a geek link their password manager to a browser, beyond the two applications sharing the same OS install? I've been using a password manager for years, and it would NEVER have occurred to me to make it easy for my browser to access it directly. I don't consider myself terribly security conscious; but dangling a LOT of low-hanging fruit in front of would-be attackers was just never even on my radar. Goes without saying that the first thing I did when browsers introduced 'remember passwords' was to turn the damned thing off.

    Security and convenience will always be at odds. But most people who don't have alarm systems will at least lock up their houses and cars. When it comes to The Interwebs, they should also go at least that far.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  31. Re:3 articles referencing the same statement, misu by Highdude702 · · Score: 1

    Ok thats a bit safer, but still not fully. You have to always assume your pc has been hacked. Anything on that pc is up for grabs, as soon as keepass unencrypts in memory, and has all your passwords there while it chooses which one it needs, or if it only pulls the one and decrypts it. i can still use a memory leak exploit thats in almost every piece of software for windows, and now i still have the password you were trying to hide and keep secure. passwords themselfs are inherently insecure. thats why the security field is trying to get rid of them. as far as practice goes. i would say offline encrypted passwords is second to using your brain as the vault. but i hope everybody learns from this and stops using online password managers.

  32. Re:3 articles referencing the same statement, misu by Agent0013 · · Score: 1

    It is spelled KeePass.

    --

    -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
  33. Couldn't get calc.exe to run on a mac by mdmower · · Score: 1

    To me, the scariest part of the numerous vulnerabilities report is not the bugs themselves, but rather the response that LastPass had to project-zero #1209. See Comment #4 at https://bugs.chromium.org/p/pr... : "[LastPass] also said they couldn't get my exploit to work, but I checked my apache access logs and they were using a Mac. Naturally, calc.exe will not appear on a Mac." If this is the level of scrutiny that LastPass is putting into its security incidents, I'm losing confidence in their ability to safeguard user data.

  34. LastPass gives some domain-squatting protection by Mike+Van+Pelt · · Score: 1

    One thing LastPass will do for you that the copy/paste solutions won't is that LastPass will not autofill your wellsfargo.com credentials into a login page at wallsfergo.com. (Substitute less obvious domain-squatting combination.) For the even slightly security-aware, the "no domains match" is a speedbump between you and total pwnage.

  35. Re:It's sooo easy! by WolfWithoutAClause · · Score: 1

    You know what? You're not nearly as smart as you think you are. I first typed in random 'passwords' that weren't my LOW security password, and it said that those hadn't been hacked. And I didn't type in any of my high security passwords, and those are different on each site anyway, so there wouldn't be any point.

    "Use a few passwords and variations of those. add caps and exchange letters for numbers aka "l33t"

    Hahaha. Don't do that, moron.

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
  36. Re:3 articles referencing the same statement, misu by WolfWithoutAClause · · Score: 1

    Bruce Schneier disagrees with you.

    Note that online password managers use your password to encrypt the list of passwords, and then they back that up for you to the cloud. It's the self-same process you use, and has the same vulnerabilities.

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
  37. Re:3 articles referencing the same statement, misu by WolfWithoutAClause · · Score: 1

    > You have to always assume your pc has been hacked.

    LOL. You can't polish a turd. If your PC is hacked they can grab your password as you type it in anyway, so using an online password storage makes no material difference to security as opposed to using your brain, but the online security is much more convenient, and the online stored passwords are much longer and more random, whereas you've admitted that your passwords are total shit.

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
  38. Re:3 articles referencing the same statement, misu by Highdude702 · · Score: 1

    yes. 8-16 character passwords with upper lower numbers and special characters is shit. I'm glad you know my passwords. as ive said before. I dont worry about it because i use strong passwords and dont open myself up to attack vectors that are poorly protected. it seems like alot of people do so im trying to help people learn good practice. online password managers, as this example shows is not good practice. And it depends on what kind of infection your pc may have, if their payload doesnt include a keylogger, and alot dont. it can only pull your passwords from programs like steam and chrome and edge and wotnot. i used to be one of the people that did such activitys. but apparently nobody here wants to hear from somebody with experience on the other side of the fence. and people wonder why this world is turning to shit. you obviously know more about everything than i do. so please do tell.

  39. Re:It's sooo easy! by Highdude702 · · Score: 1

    Well than your "low security" passwords were probably commonly used. i know mine arent and i dont worry. im trying to give people advice from an ex black hat. I try to help now, but MOST of those "is your pasword hacked" lists are nothing but a honeypot for more passwords. the only trust worthy ones are the ones that you enter the username and if its in a dump it will show you your password. and theres not many of those. take it how you will. but putting a password into the wild to "see if it was stolen" is a very bad idea. did the site even use SSL or did they transfer your passwords in plain text??

  40. Re:It's sooo easy! by WolfWithoutAClause · · Score: 1

    Didn't matter a lot. Maybe it was a honeypot, maybe it checked a whole bunch of sites in a man in the middle attack- but I DIDN'T type in my username, so they would have had to check all the lists of millions of entries and do it very quickly, so I don't think so. And it listed out which breach it was, and it matched up. And I think it used a rainbow table for checking it, so they (allegedly) weren't sending my password in the clear.

    It makes little difference, I didn't give a shit about any of the accounts, and I changed them all using LastPass to random 16 mixed character passwords.

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
  41. Re:It's sooo easy! by Highdude702 · · Score: 1

    as i said if it was a honeypot, your password went into a password list. and there are some very sophisticated honeypots out there. i have a friend setting one up for whitehat purposes and you cant tell it from a real machine. it even lets you ddos from it. the fact of the matter is that password managers aren't a good idea. local encrypted ones are better, but the best is using strong memorable passwords. its harder for some people than others. i dont have an issue with it. im just trying to help people

  42. Re:3 articles referencing the same statement, misu by WolfWithoutAClause · · Score: 1

    LOL you still don't seem to hear or understand- LastPass's passwords are specifically being stored FOR steam and chrome and edge etc- if your web browser is sufficiently subverted, the game is lost anyway.

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
  43. Re:It's sooo easy! by WolfWithoutAClause · · Score: 1

    Memorable passwords are usually not secure, particularly if you reuse those passwords in any way, and swapping characters, and replacing letters with numbers are really stupid things to do, since they are trivially easy to brute force. Then if you lose any account, they're likely all blown.

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"