Security Bug

Critical Vulnerabilities In Web-Based Password Managers Found

An anonymous reader writes: A group of researchers from the University of California, Berkeley, have analyzed five popular web-based password managers and have discovered vulnerabilities that could allow attackers to learn a user's credentials for arbitrary websites. The five password managers they analyzed are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword. "Of the five vendors whose products were tested, only the last one (NeedMyPassword) didn't respond when they contacted them and responsibly shared their findings. The other four fixed the vulnerabilities within days after disclosure. 'Since our analysis was manual, it is possible that other vulnerabilities lie undiscovered,' they pointed out. They also announced that they will be working on a tool that automates the process of identifying vulnerabilities, as well as on developing a 'principled, secure-by-construction password manager.'"
  • KeePass? (Score:4, Interesting)

    by Electricity Likes Me ( 1098643 ) on Monday July 14, 2014 @12:13PM (#47449247)

    I'd be really curious to hear their opinions on KeePass, which isn't web-based but is certainly in the same category.

  • by mlts ( 1038732 ) on Monday July 14, 2014 @12:49PM (#47449513)

    The problem is that there is a conflict between a password suitable enough for protection (i.e. 20+ characters) and something quick enough to access in a short time.

    mSecure addresses this in an interesting way -- they cache the extra-long sync password used for the cloud. The password that is used to encrypt the synchronized database that sits in iCloud or Dropbox is different from the app's passphrase. Since most phones have decent innate protection, it is not impossible, but very difficult, to dump the data on a locked device [1], so one can have a fairly easy-to-type PIN on the device, while the synchronized backend file is protected with a much longer (and more secure) passphrase.

    [1]: iOS on the iPhone 4 and up always encrypts. Android since 3.x has the option of using dm-crypt and encrypting the /data partition, then using another tool to separate the password asked on boot to decrypt that partition from the screen locker password.
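    The two-key layout mlts describes, as an added example written for this thread (it is not mSecure's code, nor the commenter's): the synced file is sealed under a key derived from the long passphrase with an expensive KDF, and that key is cached on the phone wrapped under a short PIN, on the assumption that the device's own storage encryption keeps the cache out of reach. Everything below is constructed: the iteration counts, the five-attempt lockout on the cached key, the sample vault contents, and the HMAC-SHA256 counter-mode stream plus HMAC tag, which stands in for a real AEAD such as AES-GCM only because the Python standard library ships no AES.

```python
import hashlib
import hmac
import json
import os

# Illustrative cost parameters (assumptions, not any vendor's settings).
SYNC_KDF_ITERS = 100_000  # paid only when the long passphrase is typed
PIN_KDF_ITERS = 20_000    # paid on every unlock, so it must stay quick
MAX_PIN_ATTEMPTS = 5      # assumed lockout policy protecting the cached key


def derive_key(secret: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in PRF stream; a real vault uses AES-GCM."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one vault key."""
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first: a wrong key never yields plaintext, only an error."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed (wrong key or tampered data)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Device:
    """Phone-side state. Only cloud_blob and sync_salt ever leave the device."""

    def __init__(self, passphrase: str, pin: str, entries: dict):
        self.sync_salt = os.urandom(16)
        self.pin_salt = os.urandom(16)
        sync_key = derive_key(passphrase, self.sync_salt, SYNC_KDF_ITERS)
        # The synchronized file: sealed under the long-passphrase key only.
        self.cloud_blob = seal(sync_key, json.dumps(entries).encode())
        # Local cache: the sync key wrapped under the PIN, held in device-encrypted storage.
        pin_key = derive_key(pin, self.pin_salt, PIN_KDF_ITERS)
        self.wrapped_sync_key = seal(pin_key, sync_key)
        self.failed_attempts = 0

    def unlock(self, pin: str) -> dict:
        """Quick path: the short PIN unwraps the cached sync key, which opens the vault."""
        if self.wrapped_sync_key is None:
            raise PermissionError("cached key discarded after too many failed PINs")
        pin_key = derive_key(pin, self.pin_salt, PIN_KDF_ITERS)
        try:
            sync_key = open_sealed(pin_key, self.wrapped_sync_key)
        except ValueError:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_PIN_ATTEMPTS:
                self.wrapped_sync_key = None  # the PIN alone can no longer open anything
            raise
        self.failed_attempts = 0
        return json.loads(open_sealed(sync_key, self.cloud_blob))


def open_from_cloud(passphrase: str, sync_salt: bytes, cloud_blob: bytes) -> dict:
    """Slow path on a fresh device: only the long passphrase opens the synced file."""
    sync_key = derive_key(passphrase, sync_salt, SYNC_KDF_ITERS)
    return json.loads(open_sealed(sync_key, cloud_blob))


if __name__ == "__main__":
    # Constructed sample vault: one entry, a long sync passphrase and a short device PIN.
    phone = Device("correct horse battery staple 2014", "4821", {"example.org": "hunter2"})
    print(phone.unlock("4821"))
    print(open_from_cloud("correct horse battery staple 2014", phone.sync_salt, phone.cloud_blob))
```

    The point the split makes visible: whatever ends up in iCloud or Dropbox is only ever protected by the long passphrase, so a weak PIN never weakens the synced copy; the PIN only guards the cached key, and that cache is the thing the device's lockout and storage encryption have to defend.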

  • Re:Surprise (Score:2, Interesting)

    by Anonymous Coward on Monday July 14, 2014 @01:23PM (#47449729)

    The web is insecure, don't store passwords in the web. Use keepassx [keepassx.org] instead. You get it for Windows and OS X on the site, for Linux using package managers, for Android on the Play Store and maybe also for iOS (look for MiniKeePass).

    I don't subscribe to this absolutist position. Web based password managers like Lastpass certainly have their uses and are extremely convenient when tons of forums and websites require you to have accounts. They make it easy to login effortlessly and across multiple computers. They are also safer in that they let you have unique passwords for every account.

    That being said, the smart thing to do is to:

    1) Not save any bank account / money-related passwords on a web-based password manager. Heck, I wouldn't even trust my own computer. I store these strictly in my head.

    2) Enable 2-factor authentication on any website that, if compromised, could allow the attacker to steal your identity and cause more mischief. Gmail would be a prime example of such a website.

    This strikes a good balance of letting me have the convenience of online password managers for non-critical sites, and even some critical ones that support 2-factor authentication.

  • by xxxJonBoyxxx ( 565205 ) on Monday July 14, 2014 @01:25PM (#47449751)

    From page 7 of the paper (http://devd.me/papers/pwdmgr-usenix14.pdf):
    - LastPass, RoboForm and My1login all had "bookmarklet" vulnerabilities (used if you share passwords across the web - shudder)
    - LastPass, Roboform and NeedMyPassword all had "web" vulnerabilities
    - My1login and PasswordBox both had "authorization" vulnerabilities
    - LastPass and RoboForm both had "UI" vulnerabilities

    The other thing I wondered at was why the special mention of "creating tools to automatically identify such vulnerabilities" when there's a bunch of packages that already do that...until I looked on page 14 and saw the list of US government grants that sponsored this paper, plus mention of some Intel funding. (If you want the money to flow, first identify the problem...)
