LastPass Bug Leaks Credentials From Previous Site (zdnet.com)
Password manager LastPass released an update last week to fix a security bug that exposes credentials entered on a previously visited site. From a report: The bug was discovered last month by Tavis Ormandy, a security researcher with Project Zero, Google's elite security and bug-hunting team. LastPass, believed to be the most popular password manager app today, fixed the reported issue in version 4.33.0, released last week, on September 12. If users have not enabled an auto-update mechanism for their LastPass browser extensions or mobile apps, they are advised to perform a manual update as soon as possible, because yesterday Ormandy published details of the flaw he found. The security researcher's bug report walks an attacker through the steps necessary to reproduce the bug.
My password manager: (Score:3, Insightful)
Re: (Score:2)
Cool. Now, we know where to find your passwords. :P
Why are people that insane? (Score:2, Insightful)
We REALLY need ubiquitous home servers. And the death of "the cloud" and everyone who ever helped that un-word spread.
Re:Why are people that insane? (Score:4, Informative)
Whether browser extensions for filling passwords are a good idea or not is an entirely different discussion, and comes down to convenience vs security, as well as user psychology (as in people won't use password managers at all if they are too much of a hassle, and as a result fall back on poor password practices so that they can actually remember them).
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
Not sure I follow -- there is a plugin [keepass.info] that allows KeePass to be used in e.g. Chrome, and there's no reason it couldn't exhibit similar or other security flaws. And if users choose not to use that or any other browser plugin, then it returns to the security vs convenience matter I brought up.
I choose that way. I copy and paste from the keepass application.
I have a significant distrust of browser plugins handling my secrets. They do not have a good track record.
Re: (Score:3)
Re: (Score:2)
Posting AC to preserve moderation.
CTRL+ALT+A in KeePass is your friend. Learn to use it.
Alternatively, right click an entry, autotype, choose a sequence.
Re: (Score:2)
Re: (Score:2)
The problem with LastPass is that there is no offline client. It's all online, you have to use their browser extension or their web site. It's all written in Javascript.
Re:Why are people that insane? (Score:5, Insightful)
"Uploading your entire password database to a third party ..."
Is neither the cause of this issue, nor a solution to prevent it. If you ran a password app that stored your passwords locally or on a home server it could have had the same flaw.
This is the risk you take not for using a cloud solution, but for using any solution that can auto-fill your saved passwords.
You can debate the merits of storing your password database on the cloud, but that's a completely separate issue. And for what it's worth, when I used "Password Safe" I kept the safe file synced to the cloud too.
We REALLY need ubiquitous home servers.
Says every hacker on the planet. Because THOSE will be behind on updates, poorly secured, poorly managed, unmonitored, and just waiting to be assembled into the botnet.
If/When joe sixpack has a home server it'll be because it's plug and play and will be about as secure as the rest of the "IoT trash"
Re: (Score:2)
Re: (Score:2)
I do not trust the cloud. I trust myself even less.
I may just steal that for my sig.
The common /. notion that "My server is more secure than cloud servers" is an example of the Dunning-Kruger effect. Granted that there are some additional reasons for distrusting the cloud, but they're dominated by the reasons for distrusting oneself.
Re: (Score:1)
Re: (Score:3)
Re: (Score:2)
Does LastPass support keyfiles and 2 factor auth? It would be unwise to have the encryption key purely derived from a password.
Re: (Score:2)
To anyone else, it would be nothing but a random binary stream.
Such as “ji32k7au4a83” [gizmodo.com]?
Re: (Score:3, Informative)
We REALLY need ubiquitous home servers.
And keep your home server locked in a bathroom closet. It worked so well for Hillary.
Re: (Score:2)
>Uploding your entire password database to a third party ...
Is what makes sense. Encrypt it. Upload it to an online file store. Sync that file store with multiple devices. Now you have many physical copies, both local and remote.
Re: (Score:2)
>Uploding your entire password database to a third party ...
Is what makes sense. Encrypt it. Upload it to an online file store. Sync that file store with multiple devices. Now you have many physical copies, both local and remote.
I do that but using Keepass https://keepass.info/features.... [keepass.info] , on this password manager you take care of the encrypted file database.
Re: (Score:2)
I'm using keepass.
Any competent password keeper should do, but there's evidence that Keepass is written by competent people.
Re: (Score:2)
We already have two places offering very good home server offerings -- Synology and QNAP. They can do a lot of cloud functionality, even allowing you to use KeePass.
Wish more people used them, as they work quite well.
Re: (Score:2)
Both Synology and QNAP are pretty easy to back up TO, but they seem to be painful to make solid backups *of*. You can always hack something together, but it's usually unsupported by anyone but you; and backup monitoring and backup status etc. are not well handled. The built-in backup software is pretty limited in my experience.
Also, both represent a series of single points of failure in the average home network.
The device might keel over.
The router might keel over.
The "modem" might keel over.
Your internet service
Password Manager = Single Point of Failure (Score:2, Interesting)
Re:Password Manager = Single Point of Failure (Score:5, Funny)
I pick really strong passwords and store them where I could never lose them: I just get them tattooed on my body. It's worked so far, but with my work forcing me to change my password every 3 months it's been a real pain in the neck.....and the arm....then the other arm.....
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Or just put it in a folder labeled "Garbage", right next to your copy of the da Vinci virus.
Re: (Score:2)
I just listened to a man describe how he beat the government of China when bringing his laptop into that country. He put his contraband (Evangelical Christian training materials) in his Windows folder, because nobody would ever look there! And then he wanted to look up a Bible verse online, and come to find out the site wasn't blocked-- no VPN needed! So he browsed from his computer sitting in one of those "underground" (i.e., clandestine) locations reading materials officially not approved by the government t
Re: (Score:2)
You may be sarcastic but you're not far off:
Create a file listing the sites and usernames where you have accounts, one per line
Memorize one password.
Memorize a systematic way to paste the contents of that line into the following command (windows users will have to use a more complicated cli):
cat - | sha256sum
Paste the content in, type in the one password after that (or before it, or somewhere in the middle, as long as it's systematic), hit enter, hit control-D. Out pops a number ....unique to each website...
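The scheme in the comment above, modelled in code as an added example (this is not the commenter's code and not anything from LastPass): `derive_site_password` reproduces what `cat - | sha256sum` prints when a site line is pasted, the one memorised password is typed after it (or before it), Enter is hit and then Ctrl-D, so every line ends in a newline and the digest is taken over those raw bytes. The sites file, the site lines and the memorised password are constructed for the illustration. Two properties worth seeing run: the ordering really has to be applied the same way every time (swapping line and password gives a different digest), and every site receives the same shape of secret, a 64-character hex string, so rotating one site's password means editing that site's line in the file.

```python
import hashlib

# Added example, not from the original comment: a model of the
# "cat - | sha256sum" scheme described above. The sites file, the per-site
# lines and the memorised password are made up for this illustration.

# Constructed stand-in for the commenter's "file listing the sites and
# usernames where you have accounts, one per line".
SITES_FILE = """\
example.com alice
mail.example.org alice@example.org
bank.example.net alice1234
"""


def sha256sum_hex(stream: bytes) -> str:
    """Hex digest exactly as `sha256sum` prints it for the given stdin bytes."""
    return hashlib.sha256(stream).hexdigest()


def derive_site_password(site_line: str, master: str, master_first: bool = False) -> str:
    """Reproduce what `cat - | sha256sum` emits for the procedure in the comment.

    The site line is pasted, the one memorised password is typed after it
    (or before it, when master_first=True), Enter is hit, then Ctrl-D.
    Every typed line therefore ends in a newline, and sha256sum hashes the
    raw bytes of that stream. The ordering must be the same every time,
    which is the "systematic" part: flipping it changes the output.
    """
    parts = [master, site_line] if master_first else [site_line, master]
    stream = "".join(part + "\n" for part in parts).encode("utf-8")
    return sha256sum_hex(stream)


def lookup_site_line(sites_file: str, site: str) -> str:
    """Find the line for `site` in the sites file (first field is the site)."""
    for line in sites_file.splitlines():
        if line.split(" ", 1)[0] == site:
            return line
    raise KeyError(f"no entry for {site}")


def site_password(sites_file: str, site: str, master: str) -> str:
    """The whole procedure: look the site up, then hash line + master password."""
    return derive_site_password(lookup_site_line(sites_file, site), master)


if __name__ == "__main__":
    for site in ("example.com", "mail.example.org", "bank.example.net"):
        print(site, site_password(SITES_FILE, site, "one-memorised-password"))
```

Because the output is the full hex digest, any site that caps password length or demands symbol classes forces a further, also-memorised, transformation step, which the comment's "systematic" rule would then have to cover as well.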
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Comment removed (Score:5, Insightful)
Re: (Score:2)
Don't forget 2FA. If someone gets my password out of the PW manager, they still have to figure out either the six digit code, or how to spoof the FIDO key.
MFA is a nice thing -- I don't have to guard my password with my life anymore.
Re: (Score:2)
Re: (Score:2)
What's really needed is for companies to quit collecting all our data and then "accidentally" divulging it to the world.
Re: (Score:2)
Personally, I use a password manager but I do NOT keep my main email and main bank credentials in the manager. Email is the most important, since all password resets go there. I'm fine with memorizing a good password just for email.
Re: (Score:2)
"On the one side you have absolute security. On the other side you have absolute ease of use. "
TBF, you can have bad security that is also hard to use.
Re: (Score:2)
As long as you don't reuse passwords
That's exactly the reason why experts recommend password managers. Remembering dozens of secure passwords is too much to ask of most people. If you can do that, by all means do it, but if you have to choose between using a password manager and reusing passwords, of course you should use a password manager.
If you don't trust your password manager completely, you don't have to use it for your most critical passwords.
Re: (Score:2)
This is all about security tradeoffs.
I use BitWarden which doesn't paste info into fields until told to, which completely mitigates this vulnerability. Yes, it is less convenient than having your username/PW auto populated, but it stops these attacks cold. I also use a PW manager because I rather use a 32 character password on each site that is completely different, than to reuse a PW and have an attacker be able to use it on multiple sites.
The chance of someone getting my BitWarden account is far, far le
Re: (Score:2)
The problem is not password managers, it's LastPass. Decent password managers work offline and are free. You can copy/paste passwords in to the browser if you need to.
If you want cloud sync, KeePass supports it, including using your own server.
If your offline password manager is compromised then you are screwed anyway because the attacker controls your PC and has every keystroke and your browser and all the rest anyway.
Memorizing hundreds of different site specific passwords is not an option for most peo
Re: (Score:2)
LastPass has been in the news ... (Score:2)
... before on Slashdot [slashdot.org].
LastPass, the popular password manager, has been hacked. The company says that the “vast majority” of users are safe, and has posted [slashdot.org] a notice which begins: "We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."
Re: (Score:2)
It was breached, but at least the attack was mitigated by the user's master passwords.
I do wonder if 1Password's method may be better, because for one to be able to decrypt from their servers, it requires the password, and a randomly generated encryption key which a user is supposed to put in a recovery kit and set aside. This in addition to 2FA which adds authentication protection (although it doesn't help with security of encrypted data if a bad guy filches that.) 1Password's method makes brute forcing
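The two comments above (the breach notice listing leaked per-user salts and authentication hashes, and the question of a key "purely derived from a password" versus one that also needs a randomly generated secret key) come down to one key-derivation question, shown here as an added example. This is a simplified model written for this page, not LastPass's or 1Password's actual construction: the iteration count, salts, candidate passwords and secret key are assumptions chosen so it runs in well under a second. `offline_guess` plays the attacker holding a leaked salt and authentication hash: with a password-only design a weak master password falls to a dictionary, while mixing in a random secret key that never reached the server makes the same leak and the same dictionary useless.

```python
import hashlib
import hmac
from typing import Optional

# Added example, not LastPass's or 1Password's real code. The iteration
# count, salts, candidate passwords and secret key are assumptions chosen
# so the demonstration runs quickly; real deployments use far more
# PBKDF2 iterations and their own constructions.
PBKDF2_ITERATIONS = 10_000
KEY_LEN = 32


def derive_vault_key(master_password: str, salt: bytes,
                     secret_key: Optional[bytes] = None) -> bytes:
    """Key that encrypts the vault.

    With secret_key=None the key depends on the password alone, the design
    the "purely derived from a password" comment calls unwise. With a
    random secret_key (kept only on the user's devices and in a recovery
    kit) mixed in, anyone holding the vault, the salt or the server's
    hashes but not that key cannot test password guesses at all.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)
    if secret_key is None:
        return pw_key
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def derive_auth_hash(vault_key: bytes, salt: bytes) -> bytes:
    """One-way value the client sends to log in, so the server never learns
    the vault key itself."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, salt, 1, dklen=KEY_LEN)


def server_record(auth_hash: bytes, server_salt: bytes) -> bytes:
    """What the server stores: a further hash of the authentication hash
    under a server-side salt. Salt plus record is the kind of material the
    quoted breach notice says was compromised."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, 1, dklen=KEY_LEN)


def offline_guess(salt: bytes, server_salt: bytes, leaked_record: bytes,
                  candidates, secret_key: Optional[bytes] = None) -> Optional[str]:
    """Attacker model: try each candidate master password against a leaked
    (salt, server_salt, record) triple. Returns the matching password or
    None. Without the secret key the attacker's work is bounded only by
    the PBKDF2 cost per guess; with a secret key in the derivation the
    attacker must also hold that key."""
    for candidate in candidates:
        vk = derive_vault_key(candidate, salt, secret_key)
        rec = server_record(derive_auth_hash(vk, salt), server_salt)
        if hmac.compare_digest(rec, leaked_record):
            return candidate
    return None


if __name__ == "__main__":
    salt, server_salt = b"per-user-salt", b"server-salt"   # constructed
    guesses = ["123456", "password1", "correct horse", "hunter2"]

    # Password-only design: the leaked record alone is enough to test guesses.
    record = server_record(
        derive_auth_hash(derive_vault_key("correct horse", salt), salt), server_salt)
    print("password only:   ", offline_guess(salt, server_salt, record, guesses))

    # Password + secret key: the same leak and the same guesses yield nothing.
    secret_key = bytes(range(32))  # stand-in for a randomly generated key
    record_sk = server_record(
        derive_auth_hash(derive_vault_key("correct horse", salt, secret_key), salt),
        server_salt)
    print("with secret key: ", offline_guess(salt, server_salt, record_sk, guesses))
```

The secret key protects only against offline guessing by someone who never obtained it; as the comment notes, it does nothing for a vault copied from a device where the key is present, and 2FA gates the login rather than the ciphertext.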
Project Zero (Score:2)
discovered last month by Tavis Ormandy, a security researcher with Project Zero, Google's elite security and bug-hunting team.
Imagine if someone managed to break into Project Zero's system(s). Who knows how many embargoed zero-days would suddenly become available. Mass pandemonium as companies scrabble over fixes.
Almost makes a security researcher into a liability.
Re: (Score:2)
This isn't something we really want to see. First thing that would happen is that the companies who usually have the most insecure stuff will run to the lawmakers and ask for DMCA-like laws against security breach divulging. The result of this is that yes, there wouldn't be any Project Zeros, except more companies finding their stuff breached and telling the press, "we did everything... the hackers were too good for us".
Of course, the C-levels would be making a ton of cash shorting their stocks before the
Seriously? (Score:1)
Conveniences instead of security? (Score:2)
Re: (Score:2)
You mean third parties other than the third party sites you're typing your passwords into, right?
Chrome (Score:2)
Who uses LastPass anyway? (Score:1)
Who loads a file with sensitive material (passwords, for goodness sake!) to the cloud, under the control of some third party, whose security processes and mechanisms you have no way to assess and vet? How irresponsible can you be?
CLOUD: Certainly Lose Our Unique Data.
Does the following mitigate lastpass attacks? (Score:1)
lastpassplugin -> extension options -> site access (Allow this extension to read and change all your data on websites you visit) -> onclick
Re: (Score:2)
4.11 android (Score:1)
Who would get the bug bounty? (Score:2)
Let's pretend LastPass has a bug bounty program (I don't know either way), and also let's pretend he was working for Project Zero at the time it was discovered. Would Tavis get the bounty? Or would it go to Google? Or would Google just say, "Nah, keep your money. Just fix it."?
Aptly named application! (Score:3)
At least they named their application appropriately: "Last Pass". You need access to the last password they used? You've got it!
Mitigation? (Score:2)
For several weeks, my "recently used" menu in Lastpass was empty.
It was annoying as hell (recently used sites are usually the ones used more frequently, so it is a convenient feature).
Many users (including me) posted complaints in the forum. We were surprised - and rather upset - to get no feedback at all from LastPass (at least the last time I checked the forums - after a while I gave up).
After the latest update of the software, the "recently used" menu works again.
Now I wonder if disabling the "recently u