
Topic: Good week for Software Security FUD (MSE and LastPass vulnerability found)

Paul Keith
MSE vulnerability

Lastpass Vulnerability

XSS flaw explanation (don't really understand this)

Yep... I'd have left LastPass immediately if they'd revealed passwords. I'm not that bothered about someone potentially knowing the sites I go to. Most of them are stuff like forums (where you can see my username anyway) and Facebook (which are obvious sites for just about everyone).
What you said about password variations is fine, but it doesn't take into account that this wouldn't work in practice. Most, if not all, sites I go to will lock you out for 10 to 30 minutes after 3 to 5 password fails. The only way any type of brute force (even a variation-guessing) attack would work is if they had access to the database itself, which would be extremely rare and, while possible (Gawker!), is very unlikely. Also, my example of adding "123" was just an example, and would probably be very early in any list of variations. You could use something better which would be harder to guess as a variation.
(A) is true, but there are also risks with not using such a service that you have to weigh up. For example, password re-use, tending to use predictable passwords versus random passwords, risk of phishing (LP would only enter the pw on the real site), keyloggers, being watched/recorded typing the pw in, etc.
(B) + (C) are exactly what I do. I can't (I don't think, anyway) use LP for my bank as it asks for random characters from two passphrases. I don't use it for Gmail or PayPal (I use 2-factor for both, though). I already use Facebook's login-from-new-computer notification. All good advice.


Open-source desktop password manager vs. proprietary cloud-based password manager, food-for-thought discussion:

Why would anyone trust a proprietary security tool? Have we learned nothing?

Essential parts of their code can be reviewed.
Incentives matter. LastPass has every incentive to keep their system secure -- one serious breach and their business is dead.
While open source has advantages, it doesn't help if there are not enough people maintaining it, and if security patches are not pushed to you automatically. Peer review is not the only factor in the game.


Deozaan
Grr! I just started using LastPass since the whole Gawker fiasco! Now I have to switch? >:( :mad:

Perry Mowbray
Grr! I just started using LastPass since the whole Gawker fiasco! Now I have to switch? >:( :mad:

No... I'd just keep your very sensitive passwords (banks etc) out of the cloud.

PayPal is my main issue I think as all my banks use other measures that are not stored in LP.
« Last Edit: February 27, 2011, 09:32 PM by Perry Mowbray »