Critical Vulnerabilities In Web-Based Password Managers Found 114
An anonymous reader writes A group of researchers from University of California, Berkeley, have analyzed five popular web-based password managers and have discovered vulnerabilities that could allow attackers to learn a user's credentials for arbitrary websites. The five password managers they analyzed are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword. "Of the five vendors whose products were tested, only the last one (NeedMyPassword) didn't respond when they contacted them and responsibly shared their findings. The other four have fixed the vulnerabilities within days after disclosure. 'Since our analysis was manual, it is possible that other vulnerabilities lie undiscovered,' they pointed out. They also announced that they will be working on a tool that automatizes the process of identifying vulnerabilities, as well as on developing a 'principled, secure-by-construction password manager.'"
Re:KeePass? (Score:5, Informative)
I'd probably say KeePass is as secure as things get, since it doesn't use the Web in any way, shape, or form.
What I'd like to see with password apps that use a cloud provider for backend storage, (be it 1Password, mSecure, or so on), would be a keyfile that is manually transferred between devices, and never is put on the cloud backend. This way, if/when the cloud provider is hacked, the password file is not just protected by the passphrase, but by a keyfile that an attacker would have to compromise a physical device to get.
Re:KeePass? (Score:4, Informative)
I have KeePass installed on my computers and KeyPassDroid on my phone and tablet. The file is shared between them all using Dropbox. This way, if I change it one place it's available at all the others automagically, and in case it gets corrupted I have a 30-day history of changes at Dropbox's site. I've had no problems, I like its built-in and configurable password generator, and it works a treat with the KeeFox plugin for Firefox.
(YMMV in that you may have issues with Dropbox, but for me, it works.)
Re:Storing cloud passwords in the cloud? (Score:5, Informative)
In the case of LastPass at least, the passwords are encrypted locally and then sent to the server for storing. Your only possibility there would be searching through and finding stores with weak passwords, or finding a crack in the encryption. Otherwise, the attacks have to take place on the end user side.
Re:KeePass? (Score:3, Informative)
The "magic to ensure that the next one-time password is unique" is a counter, an integer one higher than the previous time.
The checksum of (counter + internal private key) is what results in the final 32 chars of the sequence (the first 12 being your userid).
Re:KeePass? (Score:5, Informative)
Slightly misleading, fearmongery headline (Score:5, Informative)
This was on HN a few days ago; my comment there was the same: In the case of LastPass, the headline is misleading and a little fearmongery.
There were two issues with LastPass and NEITHER affected its storage of persistent passwords, that is, neither affected the feature the vast majority of us use passwords managers for!
One concerned a targeted attack against one-time passwords (OTP), the other concerned bookmarklets, which are used by less than 1% of the user base, according to LastPass. Personally I didn't know either feature existed until I read the LastPass blog entry about these two vulnerabilities.
A truer headline would have been Vulnerabilities found in less-frequently used features of LastPass; persistent site password storage unaffected".
They had one job (Score:4, Informative)
A "web based password manager" has one job - keeping the passwords secure. That's all it does. If anyone easily finds a vulnerability in that, the service is a failure.