Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • May 27, 2017, 06:49:50 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Multiple LastPass Vulnerabilities Discovered Recently  (Read 1609 times)

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,903
    • View Profile
    • Donate to Member
Multiple LastPass Vulnerabilities Discovered Recently
« on: March 21, 2017, 07:48:39 PM »
I (mostly) stopped using LastPass a couple years ago for reasons unrelated to this, but it seems multiple password-leaking vulnerabilities (and other dangerous exploits) have been discovered recently:

LastPass works by storing your passwords in the cloud. It provides browser extensions that connect to your LastPass account and automatically fill out your saved login details when you surf to your favorite sites.

However, due to the discovered vulnerabilities, simply browsing a malicious website would be enough to hand over all your LastPass passphrases to strangers. The weak LastPass script uncovered by Ormandy could be exploited by tricking it into granting access to the manager's internal data. It can also be potentially abused to execute commands on the victim's computer – Ormandy demonstrated this by running calc.exe simply by opening a webpage.

Even though I no longer use LastPass for new passwords, my account still has many old passwords I haven't updated in a while, and I have kept the extension installed because of that, since it seems to work more reliably than the extension for the password manager I switched to. So maybe it's time for me to fully ditch LastPass.

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 1,927
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #1 on: March 21, 2017, 07:55:22 PM »
KeePass or bust

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,672
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #2 on: March 21, 2017, 08:11:15 PM »
Nothing about LessPass?  Surprisingly little activity on that thread, and that's what I'm looking at switching to.

fredemeister

  • Participant
  • Joined in 2013
  • *
  • default avatar
  • Posts: 19
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #3 on: March 21, 2017, 08:19:53 PM »
Just installed LastPass yesterday and deleted logins from my browser.  What now?  Sigh!!

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,547
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #4 on: March 21, 2017, 08:49:29 PM »
Nothing about LessPass?  Surprisingly little activity on that thread, and that's what I'm looking at switching to.

LessPass uses very interesting ideas, but I don't plan to move to it because I have an old-fashioned password manager program that runs locally (though it does sync the encrypted database via dropbox - or maybe it's google drive). I manually copy/paste my passwords instead of using any browser integration.  I'm happy with that solution.  I believe it's safe enough for me because even though the database is in the cloud, it's not in a centralized database with a lot of users - anyone compromising it would be someone targeting me specifically rather than collecting passwords for thousands or millions of people.

Though I would be quite interested in hearing about anyone else's experience - maybe it'll convince me to switch.

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,547
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #5 on: March 21, 2017, 08:52:04 PM »
Just installed LastPass yesterday and deleted logins from my browser.  What now?

you could export your data from LastPass (https://lastpass.com...=showfaq&id=1206) and put it into something else?

fredemeister

  • Participant
  • Joined in 2013
  • *
  • default avatar
  • Posts: 19
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #6 on: March 21, 2017, 10:17:08 PM »
Just installed LastPass yesterday and deleted logins from my browser.  What now?

you could export your data from LastPass (https://lastpass.com...=showfaq&id=1206) and put it into something else?

See on their forums they've fixed the problem with Chrome, and working on the FF version.  May just wait a while since I spent the effort and time migrating away from the browser this week.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,672
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #7 on: March 21, 2017, 11:40:23 PM »
Nothing about LessPass?  Surprisingly little activity on that thread, and that's what I'm looking at switching to.

LessPass uses very interesting ideas, but I don't plan to move to it because I have an old-fashioned password manager program that runs locally (though it does sync the encrypted database via dropbox - or maybe it's google drive). I manually copy/paste my passwords instead of using any browser integration.  I'm happy with that solution.  I believe it's safe enough for me because even though the database is in the cloud, it's not in a centralized database with a lot of users - anyone compromising it would be someone targeting me specifically rather than collecting passwords for thousands or millions of people.

Though I would be quite interested in hearing about anyone else's experience - maybe it'll convince me to switch.


I have a different use case, wanting to share with my wife so that in case something happens to me, or I'm just incommunicado, she has access to all of them.  She's not technically inclined, nor does she switch things or like technology switches lightly.  I don't think that KeePass satisfies my needs from those requirements.  LessPass seems to do so, in a deceptively simple way.

Just installed LastPass yesterday and deleted logins from my browser.  What now?

you could export your data from LastPass (https://lastpass.com...=showfaq&id=1206) and put it into something else?

See on their forums they've fixed the problem with Chrome, and working on the FF version.  May just wait a while since I spent the effort and time migrating away from the browser this week.

Yeah, to say multiple vulnerabilities in this case seems a little less than forthright, considering that I don't think that anyone would be exposed to both.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,903
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #8 on: March 22, 2017, 01:22:27 AM »
Yeah, to say multiple vulnerabilities in this case seems a little less than forthright, considering that I don't think that anyone would be exposed to both.

Just because they fixed it quickly doesn't mean it wasn't discovered recently.

And supposedly, even though the Chrome extension automatically updates, the vulnerable Firefox extension, even though it's older, is still the most widely used version (on Firefox, possibly). So it seems quite possible to me for someone to be exposed to both the Chrome and Firefox vulnerabilities if they haven't been keeping their software up to date.

KeePass or bust

Would you care to expound on what, in your opinion, makes KeePass so great compared to the myriad other password managers out there?

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 1,927
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #9 on: March 22, 2017, 08:46:11 AM »

Would you care to expound on what, in your opinion, makes KeePass so great compared to the myriad other password managers out there?

Certified/audited, open source, offline.

More generally, it really doesn't require a technical analysis or knowing the technology insideout to have reached the point that storing things online is a risk, this is not even paranoia at all, I am hardly paranoid, it's a fact of life. Even a service with a perfect security record is waiting to be the next to fall. We live in a world where there is interest to not only 'large scale' hacking ala Yahoo email but small scale too (I am member of at least two sites, not big sites really, whose database was stolen, the DB  would be of zero value other than if some users used same passwords elsewhere) ... my point being hackers are random and go after all sorts of targets, in such a scenario all are at risk and the domino will eventually fall.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,672
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #10 on: March 22, 2017, 02:04:32 PM »
Offline isn't really an advantage to some of us.  My use case, it's a disadvantage.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,903
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #11 on: March 22, 2017, 05:12:13 PM »

Would you care to expound on what, in your opinion, makes KeePass so great compared to the myriad other password managers out there?

Certified/audited, open source, offline.

More generally, it really doesn't require a technical analysis or knowing the technology insideout to have reached the point that storing things online is a risk, this is not even paranoia at all, I am hardly paranoid, it's a fact of life. Even a service with a perfect security record is waiting to be the next to fall.

How do you handle logins from your various devices? Do you sync your password file somehow?

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 1,927
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #12 on: March 23, 2017, 12:31:33 AM »
How do you handle logins from your various devices? Do you sync your password file somehow?

There have been times where I have had KeePass in Dropbox folder, but mostly everything is already logged in on all devices and a password change only means re-logging on devices 'manually', obviously site admin panels and banking/money related ones I don't stay logged in but that is a special case and banking accounts especially are either memorized or accessed from one machine only.
I see sync as more an appointment, calendar thing than a password thing.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,672
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #13 on: March 23, 2017, 07:53:12 AM »
How do you handle logins from your various devices? Do you sync your password file somehow?

There have been times where I have had KeePass in Dropbox folder, but mostly everything is already logged in on all devices and a password change only means re-logging on devices 'manually', obviously site admin panels and banking/money related ones I don't stay logged in but that is a special case and banking accounts especially are either memorized or accessed from one machine only.
I see sync as more an appointment, calendar thing than a password thing.


Yeah, definitely different use case than me.  I have a two pronged problem that lastpass helps me with, and I haven't been able to find anything that really solves them (1Password came closest, but in the end wasn't what I needed for a final solution)

1. I use my passwords on many devices.
2. I share my passwords with my wife in the case that I'm indisposed.
3. I have many devices/items that are 2fa enabled (a lot of them time out after a given time, and a lot of them time out for no particular reason at all)
4. My workplace is paranoid for home workers (they have 2fa every time something happens, i.e. I login to office and am logged  in, then go to skype - which is connected- they text me again for 2fa, and they time out the connections on different intervals.)
5. Their password requirements are very long and complex.

Too much security with too many passwords, with the need to share and be able to 2fa.  I feel like a hacker sometimes with what I have to go through for a simple login, but they probably have it easier.

I had to change my master work password yesterday, and spent a good 2-3 hours getting everything synced and working before I could get back to work.  And heaven help me if I don't have cell/email reception.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,903
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #14 on: March 29, 2017, 03:19:28 AM »
Ouch. Things are looking worse and worse for LastPass. This is the third vulnerability found in LastPass this month.

The flaw, which affects the latest version of the LastPass browser extension, was briefly described on Saturday by Tavis Ormandy, a researcher with Google's Project Zero vulnerability reporting team. When people have the LastPass binary running, the vulnerability allows malicious websites to execute code of their choice. Even when the binary isn't present, the flaw can be exploited in a way that lets malicious sites steal passwords from the protected LastPass vault. Ormandy said he developed a proof-of-concept exploit and sent it to LastPass officials. Developers now have three months to patch the hole before Project Zero discloses technical details.

"It will take a long time to fix this properly," Ormandy said. "It's a major architectural problem. They have 90 days, no need to scramble!"

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 1,927
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #15 on: March 29, 2017, 08:13:53 AM »
We are at the point where either use cases require LastPass or people just want to use more 'convenient' ones and use LastPass (or alikes), as evidenced by the comments on that Arstechnica article, those that mention KeePass seem more prone to downvotes  :-\

Steven Avery

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 878
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #16 on: March 29, 2017, 10:03:31 AM »
Hi,

Let's say I have 100 active passwords.  90 of them are DonationCoder, BitsDuJour, various Bible and Business forums.  The only ones that are actively sensitive are financial (banks, credit cards, Amazon, Paypal). Maybe two or three social could be considered a bit sensitive (Facebook, Linkedin).

To what extent do you think that the following group of techniques would allow LastPass web browser continuing:

a) safe browsing techniques (no gambling, porn, etc)

b) Avast or another decent web shield

c) make all important sites have unique user-password combinations

d) 2FA on all sites with financial capabilities

LastPass is in fact very convenient.  And most of what it is used for is non-essential stuff (there used to be discussions about having two "last" passwords, one for critical, one for general, for awhile I tried two LP accounts).   

The goal I see is to make it so that if passwords are stolen,  damage is limited, essentially zero.

I think of 2FA as only affecting the first time signing in from a locale (not sure what is the definition of a locale with a moving laptop).   A cell phone buzz is a very minor extra step in those cases. And a google email is not much trouble. I prefer the buzz because it is more accessible and less hackable.

Switching to a personal Dropbox style alternative is in fact an attractive alternative, e.g. using Keepass, one has to weight the utility lost.

Switching to an alternative web browser alternative (Dashlane?, 1Password?) likely means similar vulnerabilities, although perhaps less likely to be exploited simply because the size of LastPass makes them an attractive target. 

The big help with browser integration is automatic adding and updating of passwords.  You could enter by hand from a vault, but the real-time web browser update help saves time, and helps make sure the passwords are accurate.

Why is not a review of 2FA and password practices on those big 10 (or 20) accounts sufficient?

Steven

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,672
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #17 on: March 29, 2017, 11:27:38 AM »
We are at the point where either use cases require LastPass or people just want to use more 'convenient' ones and use LastPass (or alikes), as evidenced by the comments on that Arstechnica article, those that mention KeePass seem more prone to downvotes  :-\


LastPass provides a service, not software.  I don't see why they don't OpenSource their software, so that it can be audited by external sources.  It would do away with these embarrassing episodes.  Vulnerabilities, I'm sure would be found - and I'm sure they happen in KeePass too, but it's not as newsworthy.

(What is alikes?  Couldn't find it with a google search.  And truthfully, I'm having trouble parsing that whole sentence.  :-[)

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,672
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #18 on: March 29, 2017, 11:30:14 AM »
I think of 2FA as only affecting the first time signing in from a locale (not sure what is the definition of a locale with a moving laptop). 

Notice my requirements above.  Every time I close my browser (or it times out), I have to use 2FA.  Which, because of how they implemented it, requires an active cell signal (MS sends me a text with a number.  I have to text that number back from that device).  Every time I join a meeting with Skype for Business Web Client, I have to log in too- which uses 2fa.  It's a pain in my ass.  I also have to change my password every so often (I think 30 days, but sometimes it's more than that, and sometimes less... so I'm not really sure what the interval is).

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 1,927
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #19 on: March 29, 2017, 01:00:36 PM »
We are at the point where either use cases require LastPass or people just want to use more 'convenient' ones and use LastPass (or alikes), as evidenced by the comments on that Arstechnica article, those that mention KeePass seem more prone to downvotes  :-\


LastPass provides a service, not software.  I don't see why they don't OpenSource their software, so that it can be audited by external sources.  It would do away with these embarrassing episodes.  Vulnerabilities, I'm sure would be found - and I'm sure they happen in KeePass too, but it's not as newsworthy.

(What is alikes?  Couldn't find it with a google search.  And truthfully, I'm having trouble parsing that whole sentence.  :-[)


Alikes = alternatives.

Not sure how service vs software distinction is relevant here. All I meant is online is bigger risk and therefore online options are the poorer option unless your use case demands it, I would disagree with the notion that 'I have 100 passwords therefore I need an online service', in my opinion use case needs to be way more than that, needs to be something like yours perhaps Simple case of 'many password therefore I need sync' I don't get.
KeePass can have vulnerabilities but installed in a folder locally the chances of it being hacked is lower, not sure how that is debatable.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,672
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #20 on: March 29, 2017, 01:36:42 PM »
Not sure how service vs software distinction is relevant here.

The vulnerabilities haven't really been in the service, but the software that surrounds it.  If that was open source, it would be able to be audited for vulnerabilities by third parties.  Even if the surrounding software was open source, it doesn't seem like they'd be giving things up- you'd still need to pay to sync and to use it in any online way, since you'd need the server on the other end to facilitate this.

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 6,500
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #21 on: March 29, 2017, 04:56:29 PM »
...Not sure how service vs software distinction is relevant here. All I meant is online is bigger risk and therefore online options are the poorer option unless your use case demands it...
...KeePass can have vulnerabilities but installed in a folder locally the chances of it being hacked is lower, not sure how that is debatable.
__________________________

Thankyou for that. Yes, that (emboldened) all seems to follow. Yet, despite the truth of the third emboldened clause and my having known that, I am still a LastPass user, and accepted the risks, thinking them to be miniscule.

That's probably about to change though. I have to face up to the fact that the apparent flaw/weakness identified in the software (binary component) of some versions of LastPass would not be of such concern nor present such a risk and be so susceptible/vulnerable to attack if said software was not necessarily keyed/tied into the LastPass Service component.
Bother! LastPass was so convenient too.

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,547
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #22 on: March 30, 2017, 03:15:05 AM »
I have chosen to use a smaller password manager, SafeInCloud, that synchronizes the database by storing it on a configurable cloud storage provider such as Dropbox or Google Drive.  I figured this was safer than or preferable to LastPass for a couple reasons:

  - the manager allows you to select from one of several storage providers - if one got compromised, it would be easy enough to move the database to another
  - if the manager's vendor went away, I'd be stuck without updates, but the software would likely continue to work as long as the cloud storage provider didn't change their API  (that problem happened to me with an earlier password safe vendor - the database was synchronized using their servers, and when they stopped operating, the sync no longer worked. Who knows what happened to the databases?)

Someone has even posted a python script that will decrypt a SafeInCloud database (you have to provide the master password, of course): https://github.com/e...ilsocket/SafeInCloud.  This should make it so there at least some possibility of verifying that the database is in fact fully encrypted using the standard AES algorithm.  I imagine that you could also use it as a starting point for providing access to the password database on Linux (which the vendor does not support as far as I know).  If you have too much spare time on your hands.

SafeInCloud relatively recently started supporting using your own WebDAV server for database storage/sync.  However the instructions for setting it up were more complicated than I wanted to deal with.  So mine is still on Dropbox.

I don't use any kind of browser integration. It's supposed to be support it, but I have no idea how well it works.

Another password manager that allows similar choices in cloud storage is Enpass (https://www.enpass.io/).  I haven't tried Enpass - I'm happy enough with SafeInCloud.

Finally, if you're adventurous, SpiderOak has an open-source password manager that syncs via the cloud somehow, but I have no idea what makes it better (or worse) than other options - other than open source can give you some freedoms and possibility of someone being able to vet the code.  I haven't tried it.

  - https://github.com/SpiderOak/Encryptr

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,903
    • View Profile
    • Donate to Member
Re: Multiple LastPass Vulnerabilities Discovered Recently
« Reply #23 on: March 30, 2017, 06:28:52 PM »
Another password manager that allows similar choices in cloud storage is Enpass (https://www.enpass.io/).  I haven't tried Enpass - I'm happy enough with SafeInCloud.

I've been using Enpass since it was recommended/suggested about 1.5 years ago by 40hz in this thread asking for LastPass Alternatives.

I started to write up a bit of a review of it here, but figured I didn't want to derail this topic, so I'll finish it up and post it into the thread linked above.