Forgot your password?
typodupeerror
Security Bug

Critical Vulnerabilities In Web-Based Password Managers Found 114

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes A group of researchers from University of California, Berkeley, have analyzed five popular web-based password managers and have discovered vulnerabilities that could allow attackers to learn a user's credentials for arbitrary websites. The five password managers they analyzed are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword. "Of the five vendors whose products were tested, only the last one (NeedMyPassword) didn't respond when they contacted them and responsibly shared their findings. The other four have fixed the vulnerabilities within days after disclosure. 'Since our analysis was manual, it is possible that other vulnerabilities lie undiscovered,' they pointed out. They also announced that they will be working on a tool that automatizes the process of identifying vulnerabilities, as well as on developing a 'principled, secure-by-construction password manager.'"
This discussion has been archived. No new comments can be posted.

Critical Vulnerabilities In Web-Based Password Managers Found

Comments Filter:
  • by QuietLagoon (813062) on Monday July 14, 2014 @12:29PM (#47449359)
    Even if the cloud-based password repositories are secure (and apparently, they are not), why not just target the cloud services themselves for security exploits?

    .
    Eliminate the middle-man, go wholesale.

  • Re:Surprise (Score:5, Insightful)

    by jsherma2 (549469) on Monday July 14, 2014 @12:31PM (#47449385)
    I think there's a difference between "being willing to accept the risk of my credit card(s) being compromised on the internet" and "being willing to accept the risk of every account password I have being compromised on the internet". I essentially have insurance to help me recover losses from my credit cards. Having every bank account and retirement account drained by an enterprising criminal with access to all of my account and personal details is on a completely different risk level.
  • Re:Surprise (Score:2, Insightful)

    by allquixotic (1659805) on Monday July 14, 2014 @12:50PM (#47449519)

    I think there's a difference between "being willing to accept the risk of my credit card(s) being compromised on the internet" and "being willing to accept the risk of every account password I have being compromised on the internet". I essentially have insurance to help me recover losses from my credit cards. Having every bank account and retirement account drained by an enterprising criminal with access to all of my account and personal details is on a completely different risk level.

    Let's assume for the moment that you're correct and that there is a difference in risk level between submitting your name, address, email, credit card number, CVV2 (these are the fields required for a standard online order form), and storing all your passwords on the Internet.

    Let's assume someone actually does intercept your order form, and gets all the above-mentioned personal data on you (perhaps because the company processing your order stored all your order info in an unprotected SQL database). Many people acknowledge that, with this amount of personal information, a lot of damage can be done, starting with identity theft. Yes, there are many protections on credit cards, but other personal details can be used as leverage to get access to even more details. This is starting to look like more than simple credit card theft.

    Also, if you're not storing your passwords on some website, where ARE you storing them? If you don't store any passwords anywhere, chances are you don't have a perfect, long-term eidetic memory, so you probably use the same password everywhere. That's just as risky, if not riskier, than using LastPass -- if an attacker compromises just one of the sites you use, they can try that password on random sites across the web and gain access to a slew of your accounts.

    Let's be a bit more charitable and assume you use completely different passwords on different sites. OK, now we're getting serious. You are going to need somewhere to store all these passwords -- that's the simple reality of it. Only the extremely rare individual can remember them all in their head. So what do you use? A paper card file? That's great, unless you invite a guest in your house who may not prove 100% trustworthy, like an A/C repairman... Or if you happen to live in a dangerous part of the world where house robberies are common, a password card file would definitely be something a thief would want to steal. Or you could just get really unlucky, even in a low-crime area, and get robbed anyway. The same logic as the card file effectively applies to such things as KeePassX, since an unhindered thief can take your laptop, phone, or whatever you use to store your KeePass database on. Once they have your device, you're basically owned. Remember, we have to be fair here; you're assuming the thief is smart enough to break the security model of a business that builds its entire reputation around security, like LastPass, so we have to also assume the thief is smart enough to break the security model on your physical box, whatever it may be. Most people are not going to employ physical or digital countermeasures that are sufficient to keep very sophisticated thieves from breaking into your box once they have physical access. Full disk encryption is still quite the rare thing, and brute forcing a typical-length KeePass password isn't all that hard anymore with GPGPU or an EC2 compute cluster once you've obtained the database file.

    Now, since LastPass supports two-factor authentication via various physical methods, such as the YubiKey, simply obtaining your LastPass password will not be sufficient for them to gain access. They'll also have to be a sophisticated thief, which brings us back to square one, where LastPass and KeePass are about equal on security: you'd have to get robbed, and the thief would have to steal the correct things, then break into them in order to gain access. I concede that users of LastPass or similar services who opt out of two-factor authentication are taking a greater risk,

  • Re:Surprise (Score:2, Insightful)

    by Anonymous Coward on Monday July 14, 2014 @01:38PM (#47449859)

    Your entire argument is based on a false premise.

    Food For Thought - It is easy to develop a simple algorithm to remember passwords and thus remember different passwords to any website. Essentially, unless you are being tortured, no one will be able to know your algorithm for setting passwords (you store the algorithm in your head). Your algorithm may appear "weak" if someone knew it but no one has to know it (i.e. you could use the first 5 letters in the web address to seed your algorithm).

  • brainpower (Score:3, Insightful)

    by clam666 (1178429) on Monday July 14, 2014 @02:40PM (#47450303)
    I just remember my passwords. As if someone else storing them is possibly safe.

To be a kind of moral Unix, he touched the hem of Nature's shift. -- Shelley

Working...