LastPass Bugs Allow Malicious Websites To Steal Passwords (bleepingcomputer.com)
Earlier this month, a Slashdot reader asked fellow Slashdotters what they recommended regarding the use of password managers. In their post, they voiced their uncertainty about password managers, as they have been hacked in the past, citing an incident in early 2016 where LastPass was hacked due to a bug that allowed users to extract passwords stored in the autofill feature. Fast forward to the present, and we now have news that three separate bugs "would have allowed a third-party to extract passwords from users visiting a malicious website." An anonymous Slashdot reader writes via BleepingComputer: LastPass patched three bugs that affected the Chrome and Firefox browser extensions which, if exploited, would have allowed a third party to extract passwords from users visiting a malicious website. All bugs were reported by Google security researcher Tavis Ormandy, and all allowed the theft of user credentials: one bug affected the LastPass Chrome extension, while two impacted the LastPass Firefox extension [1, 2]. The exploitation vector was malicious JavaScript code that could be very well hidden in any online website, whether owned by the attacker or a compromised legitimate site.
please use a password manager.... (Score:2)
Re: (Score:1)
Tell us how you really feel. Most decent operating systems have a password manager built in. Why not just use the one that is included in your system, which is encrypted with your login password and doesn't post itself to the internet? I mean if your system is compromised your passwords are compromised either way right?
Re: (Score:2)
The problem is the generated passwords. Go read a few IPSec articles about passwords. Also, changing passwords on sites is a bad idea unless absolutely necessary. Also in said articles.
Re: (Score:2)
I never said anything about a VPN, but in this situation there's not much a VPN can do to help.
Re: (Score:2)
The problem is the generated passwords. Go read a few IPSec articles about passwords. Also, changing passwords on sites is a bad idea unless absolutely necessary. Also in said articles.
Citation required for any absurdity claiming that changing passwords is a bad thing.
3 articles referencing the same statement, misunde (Score:5, Insightful)
The three articles you posted were all about what Lorrie Cranor said, but you seem to misunderstand what she said. Cranor did NOT say that it's a bad idea to change YOUR password.
What Cranor said is that there are downsides to forcing everyone to change their password every month or so.
People will not remember a new password every month, so if forced to "change" it monthly they'll either write it on a Post-It note or just use [password]1, [password]2, [password]3, etc, not really changing the password, Cranor said. She's not wrong - there absolutely is a limit to how *often* you should *force* people to change their password.
Also, leaks happen, leaks with millions of accounts, so you will be safer if you change your password *occasionally*. I use a system in which I can change my password every 6-12 months without having to remember a new password. Another fact about passwords is that the safe length for a password keeps getting longer - I now normally call it a "pass phrase". When I started in security, an eight-character password was considered secure. So what I do is every so often I add a couple of characters to my base password.
Imagine in 1998 maybe I could have used "pallFurt" as my base password. In 2000 I'd start using "pallFurt!?". In 2002, "4pallFurt!?". In 2004, "4pallFurt!?Dh". So I don't have to remember something completely different each time, but password changes, meaning dumps from old sites don't have my current password (besides it's slightly different for each site).
Re: (Score:2)
Passwords are easy. Variations of a few passwords work. And when it comes to brute force, length and numbers, capitals and special characters add a lot of time to that process. Years on current hardware. Password managers are a bad idea because of being hacked and, like the articles say, people are lazy. It defaults to ease over security, so there is really no argument here. If you don't want to be hacked because of silliness like this, don't be an incompetent fool when it comes to security. I don't have this problem I
Re: (Score:2)
Ok, that's a bit safer, but still not fully. You have to always assume your PC has been hacked. Anything on that PC is up for grabs, as soon as KeePass decrypts in memory and has all your passwords there while it chooses which one it needs, or if it only pulls the one and decrypts it. I can still use a memory leak exploit that's in almost every piece of software for Windows, and now I still have the password you were trying to hide and keep secure. Passwords themselves are inherently insecure. That's why the
Re: (Score:2)
Bruce Schneier disagrees with you.
Note that online password managers use your password to encrypt the list of passwords, and then they back that up for you to the cloud. It's the self-same process you use, and has the same vulnerabilities.
Re: (Score:2)
> You have to always assume your pc has been hacked.
LOL. You can't polish a turd. If your PC is hacked they can grab your password as you type it in anyway, so using an online password storage makes no material difference to security as opposed to using your brain, but the online security is much more convenient, and the online stored passwords are much longer and more random, whereas you've admitted that your passwords are total shit.
Re: (Score:2)
Yes. 8-16 character passwords with upper, lower, numbers and special characters are shit. I'm glad you know my passwords. As I've said before, I don't worry about it because I use strong passwords and don't open myself up to attack vectors that are poorly protected. It seems like a lot of people do, so I'm trying to help people learn good practice. Online password managers, as this example shows, are not good practice. And it depends on what kind of infection your PC may have; if their payload doesn't include a keylogg
Re: (Score:2)
LOL, you still don't seem to hear or understand: LastPass's passwords are specifically being stored FOR Steam and Chrome and Edge etc. If your web browser is sufficiently subverted, the game is lost anyway.
Re: (Score:2)
Yeah, what AC said.
Those articles are all about passwords that you're:
a) forced to type (Windows Login for example),
b) forced to change regularly, and
c) required to ensure different to other passwords (She mentions 6 government passwords because you're not allowed to have the same password on all 6 systems)
For that limited case she's undeniably correct, but changing passwords itself isn't a bad idea. A better idea is using a different 20 characters of random entropy on every website, but you can change thos
Re: (Score:2)
It's security that causes insecurity. 20 characters of entropy, as you said, isn't memorable, causing the need to trust these passwords to something other than your own brain, which becomes insecure. But why do that when you can simply use secure variations of your password to protect against password lists and brute forcing? 10 characters with special characters, capital and lower letters and numbers takes a long time to crack if hashed properly, which all people that make you use passwords should be doing by d
Re: please use a password manager.... (Score:2)
Huh?
20 characters would probably be a strong password.
20 bits of entropy almost certainly would be a very poor password.
I'm not sure what twenty characters of entropy would be. I guess it would depend on your encoding.
Re: (Score:2)
entropy: lack of order or predictability
characters: unit of information that roughly corresponds to a grapheme, grapheme-like unit, or symbol, such as in an alphabet or syllabary in the written form of a natural language.
bit: 0 or 1
20 characters of entropy: W6iIfgerBGbAk6bNVpcL
20 bits of entropy: 01110010001000111001
What's your definition of entropy exactly?
Re: please use a password manager.... (Score:1)
YouDidntThinkThat1ThroughVeryWell!
Re: (Score:2)
Yeah, you remember one "good" password for your OS, the rest is in a key management system like KeePass or similar. That's why I went to great lengths to disassociate the password for your OS from the general case. But you know, people are idiots as you say...
Re: (Score:2)
Doesn't even require Safari - there's a password assistant built into the OS, even though it's not exposed as an application.
I still have (and use) a third-party utility called "Password Assistant", which was written by the guy behind the now-defunct website CodePoetry.net. It provides a wrapper application which gives you direct access to the built-in password generator. It's extremely handy, even outside the web browser.
Re: (Score:2)
Doesn't even require Safari - there's a password assistant built into the OS, even though it's not exposed as an application.
For those wanting more than a vague hint: it's in the Keychain Access app. The New Password Item menu item brings up a dialog box that lets you generate a password matching various criteria.
Re: (Score:1)
Keychain in OS X and iOS does. In OS X you can even choose between various premade rules or make your own for how the password is generated.
Re: (Score:2)
What? Maybe an OS lets you store a password but they don't generate passwords for you.
Umm - MacOS will generate passwords for you if you like.
Re: (Score:2)
What kind of crappy OS has a password manager that won't generate passwords on demand?
KeePass FTW! (Score:5, Informative)
Re: (Score:1)
At least you're honest...
Re: (Score:1)
++
A password manager running in a browser process is a terrible idea.
Re:KeePass FTW! (Score:5, Informative)
I'll second KeePass. Not just because it's what I use, but because it takes serious measures to protect your data [keepass.info]. Anyone can make a functioning password safe, but the way KeePass does it shows it was designed with an eye toward security. As a dev, I can appreciate it.
A browser extension? Really? Your OS has a massive, old, reliable security feature in that one process can not easily access the memory of another process, and you choose to not use that and instead build support directly into the largest attack vector on your PC, the browser?
Re: (Score:3)
Having to manually lookup the site in your manager, copy the password and paste it in the form is too cumbersome.
Right, so most users without an integrated password manager will just use an easy-to-guess password.
LastPass isn't perfect, but as a system it improves overall web security to a large extent by enabling people to use very-high-entropy passwords.
People who want to copy and paste from Keepass (I do for very high security sites) should keep on doing that. But, for Pete's sake, I hope you're not us
Keep passwords away from web browser integration (Score:5, Insightful)
This! (Score:5, Insightful)
I know of companies (perhaps even my current one) which recommend people use LastPass over KeePass/KeePassX. The fact that they recommend a person use a password generator is good, but anything in the Cloud means that you _DO_NOT_ have physical control of the system storing passwords. The first rule of security is that you must have physical control of everything. All other security rules come after that one.
The Company problem is a symptom of promoting "marketing geniuses" and "number crunchers" to be in charge of Security, instead of promoting Security geniuses to be in charge of Security. As a security expert I have some great horror stories about bad decisions, and can tell you that stock options are constantly ready to be sold.
Re: (Score:2)
In a twisted way it makes sense. File loss is more common a problem than actual compromise. This absolves them of needing to offer a solution.
Personally I ditched even keepass for password store because it solves this by supporting git for sync.
It's cross-platform, uses GnuPG in the back end, meaning no custom encryption code and a well known, trusted code base. Plus, because it is GPG based, all but a couple of special snowflake implementations natively get the benefit of the hardware keys that GPG supports.
Sin
Re: (Score:2)
1. Yes but, you can have many git servers. Each repo is a full copy so central repos are basically throwaway. Lose one, make a new one, push to it.
2. The amount of available resources is amazing but, still, nobody cracks GPG encrypted files; nobody is dumb enough to try. Keeping up with the tool chain and updating keys every few years as the recommendations and capabilities change should do you fine.
Generally the weak point anyone would assault in a GPG based setup is either key storage or end point usage.
Nothi
Re: (Score:2)
Not going to lie, I miss keepass and its autotype function. I tried to mock something up with xdotool but never really worked right.
That is mostly what I did, though instead of a thumb drive I just used git to keep some copies around...though, on windows I just used scp because I had trouble with git-annex. I never trusted thumb drives that much. I have lost data from them and if a backup procedure is too manual, I know I wont follow it.
Then I bought a yubikey, and the more I looked at it, the more attracti
Re:This! (Score:5, Interesting)
I hear you. It's a tough subject. I am pretty paranoid (in the general spectrum, not the slashdot spectrum), and I used KeePass and resisted LastPass for a long time. And I kept my KeePass vault in a TrueCrypt volume. It was a pain in the rear, and useless on my mobile device, and I slowly slid back to password strategies I could remember, which were unique to each site but if one site was compromised an attacker could figure out the pattern.
I did move to LastPass after reviewing managers and reading about how LastPass decrypts your vault locally, and deciding I believe them well enough. Of course that doesn't matter too much, because if they ever wanted my passphrase they could get it and store it when I log in. But again, my point is that there is a balance, and my own behavior when convenience was low was to slide into poor practices. With LastPass, I have a single point of failure, but I'm comfortable with it and outside of that my password practices are much much better.
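The mechanism these two posts describe (the client derives a key from the master passphrase, encrypts the vault with it, only ciphertext is backed up, and the vault is decrypted locally) looks roughly like the following. This is an added illustration written for this page, not LastPass's, KeePass's or any other product's own code. It uses only the Python standard library, so an HMAC-SHA256 counter-mode keystream with a separate HMAC tag stands in for the AES-GCM a real product would use. The iteration count, the use of the account e-mail as PBKDF2 salt and the separate "login hash" the client sends to the server are assumptions for illustration, not any vendor's actual parameters.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # assumed client-side PBKDF2 work factor, not a vendor's real setting


def derive_vault_key(master_passphrase: str, email: str) -> bytes:
    """Key derived on the client from the master passphrase. It encrypts the vault
    and never leaves the device. Using the e-mail address as salt is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", master_passphrase.encode(),
                               email.lower().encode(), ITERATIONS)


def derive_login_hash(vault_key: bytes, master_passphrase: str) -> bytes:
    """What the client sends to log in: one more one-way step over the vault key, so the
    server (or whoever steals its database) cannot recover vault_key from it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_passphrase.encode(), 1)


def _subkeys(vault_key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from the vault key."""
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real block cipher mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. The output nonce || ciphertext || tag is all the cloud ever stores."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key or tampered blob fails here."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault authentication failed: wrong passphrase or tampered data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def server_enroll(login_hash: bytes) -> tuple[bytes, bytes]:
    """Server side: hash the login hash again with its own random salt before storing it."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)


def server_verify(record: tuple[bytes, bytes], login_hash: bytes) -> bool:
    """Constant-time check of a presented login hash against the stored record."""
    salt, stored = record
    return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS))


if __name__ == "__main__":
    passphrase, email = "correct horse battery staple", "user@example.com"   # constructed sample
    key = derive_vault_key(passphrase, email)
    blob = encrypt_vault(key, b"example.com: hunter2\n")                     # constructed vault entry
    record = server_enroll(derive_login_hash(key, passphrase))
    print("server accepts login:", server_verify(record, derive_login_hash(key, passphrase)))
    print("local decrypt:", decrypt_vault(key, blob))
```

The point the posts make follows from the split: the server holds `record` and `blob`, neither of which yields `vault_key` without brute-forcing the passphrase through PBKDF2, while the client that runs this code does hold the passphrase in memory, which is the residual trust the second post accepts.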
LastPass gives some domain-squatting protection (Score:2)
Re: (Score:2)
Lots of commentators on Slashdot have recommended LastPass over Keepass too, despite repeating warnings that having your password manager running in the browser process is a really, really stupid idea. Seems like even people who should know better are for some reason keen to trust LastPass.
This is now the 4th major severe security incident to affect LastPass. Do they have an affiliate scheme or something?
Re: (Score:1)
Then use their binary version and don't install the extension.
At least understand the product before criticizing it.
Re: (Score:2)
I am surprised that anyone serious about security would ever install a web browser password plugin for their password management software. It seems logical that it is just a bug away from password compromise.
Oh I agree. I think people have been recommending password managers despite the, "all your eggs in one internet connected basket" thing.
Unfortunately there aren't many options. All I can think of is an air-gapped encrypted tablet whose sole purpose is to keep passwords. And then physically typing them.
Which makes the bunch of random words the much more attractive way; easy to read and type.
Simple solution (Score:1)
Don't use an online password manager. Copy and paste your password when needed, then clear the clipboard. It's not perfect, but I'll take mSecure over some of these other password managers any day. And I don't back up my passwords in the cloud. They're encrypted on an SD card.
Re:Simple solution (Score:5, Insightful)
Copy and paste works fine, but beware of the risk of other scripts within the login webpage and other open browser tabs accessing the clipboard.
To digress a bit, but related to this topic. Slashdot has jumped the shark with ads in recent months. Makes one wonder how secure Slashdot is serving up hundreds (really! 392 at the moment, but seen it upwards of 500 already) of cookies and numerous trackers. Slashdot is often associated, whether rightly or wrongly, with being populated by many tech related users, it's within the realm of possibility of rogue scripts being served with Slashdot to scarf up clipboard data, passwords, etc in hopes of hacking well known websites that Slashdot users do work for.
Bottom line, be wary of having Slashdot open in a separate tab while doing anything sensitive. Likewise for many other sites that serve up obnoxious ads. Use of a blocker can help, but isn't fully comprehensive security in and of itself...
Ironically, in light of the above issues, use of a password manager, whether cloud based or not, is likely safer than copy and pasting from a local text file.
Re: (Score:2)
Slashdot is often associated, whether rightly or wrongly, with being populated by many tech related users, it's within the realm of possibility of rogue scripts being served with Slashdot to scarf up clipboard data, passwords, etc in hopes of hacking well known websites that Slashdot users do work for.
No doubt [slashdot.org]. If the "good guys" target Slashdot users, you can bet the black hats do, as well.
Re: (Score:1)
How do you enter passwords on your cell phone?
It's sooo easy! (Score:1)
So, I've been online over 20 years. I still use variations of passwords from when I was a kid in the 90's. Use a few passwords and variations of those; add caps and exchange letters for numbers, aka "l33t". Never once has one of my accounts been compromised. Although, I'm security conscious and often think about how I would hack myself to keep myself safe. I don't understand how so many people fall victim. I feel it's pure laziness.
Re:It's sooo easy! (Score:4, Insightful)
Nobody has to hack YOU, they hack the website you log into and download all their passwords then just keep trying those password/username combinations on other websites until they crack another one over and over again. You individually aren't worth much other than a shim to try to break into the next web server. Your accounts could be shared all over Russian hacking circles and you'd never know until the website you use reports a break in that might include your login.
Smug people are just victims who don't know it yet.
Re: (Score:2)
As I said, variations. I know a few of the black hatters, and that's not how they work. Now, if there was a large dump they would run the credentials at a few sites (would affect me none) that they want to gain access to. And it is completely about personal info. In case you didn't know, and want to do some research sometime before you talk to somebody that used to be involved: the personal information is the part that's worth money. The trying of user/pass on other sites is to get MORE personal info, like credit
Re: (Score:1)
Using 1337speak does very little in making your password safer.
Re: (Score:2)
Depending on the words you use it will fool almost all password list files, and brute force becomes a lot harder with multiple numbers, letters, lengths, capitals and special characters.
Re: (Score:2)
I too have a password I've used over ten years.
I only use this for low security accounts that don't have any financial implications associated to them. But yes, that password got hacked.
I know this because I typed it into a 'has your password been hacked' site and it said yep, and told me what had happened. These sites exist because lists of passwords that have been hacked exist.
IIRC I think it got cracked on Yahoo or something; it wasn't like anything I'd done wrong.
Re: (Score:2)
I know this because I typed it into a 'has your password been hacked' site and it said yep
Thanks for the great laugh before bed. Thanks for adding your password to a password file that a few, probably not many, have. But those people are not fools. Please do not do that ever again. lol
Re: (Score:2)
You know what? You're not nearly as smart as you think you are. I first typed in random 'passwords' that weren't my LOW security password, and it said that those hadn't been hacked. And I didn't type in any of my high security passwords, and those are different on each site anyway, so there wouldn't be any point.
"Use a few passwords and variations of those. add caps and exchange letters for numbers aka "l33t"
Hahaha. Don't do that, moron.
Re: (Score:2)
Well, then your "low security" passwords were probably commonly used. I know mine aren't and I don't worry. I'm trying to give people advice from an ex black hat. I try to help now, but MOST of those "is your password hacked" lists are nothing but a honeypot for more passwords. The only trustworthy ones are the ones where you enter the username and, if it's in a dump, it will show you your password. And there's not many of those. Take it how you will, but putting a password into the wild to "see if it was stolen" is
Re: (Score:2)
Didn't matter a lot. Maybe it was a honeypot, maybe it checked a whole bunch of sites in a man in the middle attack- but I DIDN'T type in my username, so they would have had to check all the lists of millions of entries and do it very quickly, so I don't think so. And it listed out which breach it was, and it matched up. And I think it used a rainbow table for checking it, so they (allegedly) weren't sending my password in the clear.
It makes little difference, I didn't give a shit about any of the accounts,
Re: (Score:2)
As I said, if it was a honeypot, your password went into a password list. And there are some very sophisticated honeypots out there. I have a friend setting one up for whitehat purposes and you can't tell it from a real machine. It even lets you DDoS from it. The fact of the matter is that password managers aren't a good idea. Local encrypted ones are better, but the best is using strong memorable passwords. It's harder for some people than others. I don't have an issue with it. I'm just trying to help people
Re: (Score:2)
Memorable passwords are usually not secure, particularly if you reuse those passwords in any way, and swapping characters, and replacing letters with numbers are really stupid things to do, since they are trivially easy to brute force. Then if you lose any account, they're likely all blown.
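The entropy dispute running through this thread (the "20 characters vs. 20 bits" exchange earlier, the claim that 10 characters with mixed classes "takes a long time to crack", and the reply here that leetspeak and case variations of a memorable word are trivially brute-forced) can be put in numbers. The following is an added example, not code from the original thread: it computes the entropy of a uniformly random password, enumerates the leet/case manglings a rule-based cracker applies to a dictionary word, and converts both into an expected crack time at an assumed guess rate. The substitution table, the 100,000-word dictionary size and the 10^10 guesses/second rate are assumptions for illustration.

```python
import itertools
import math

# Alphabet sizes behind the thread's "upper, lower, numbers and special characters" claims
ALPHABETS = {
    "digits": 10,
    "lower": 26,
    "lower+upper": 52,
    "alnum": 62,            # e.g. W6iIfgerBGbAk6bNVpcL from the thread
    "alnum+symbols": 94,    # printable ASCII without space
}

# Assumed leetspeak substitution table; real cracking rule sets are larger
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7", "l": "1"}

ASSUMED_DICTIONARY_SIZE = 100_000    # assumption: the common-word list a cracker starts from
ASSUMED_GUESSES_PER_SECOND = 1e10    # assumption: GPU rig against a fast unsalted hash


def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def leet_variants(word: str) -> list[str]:
    """Every case/leet mangling of a word: the set a rule-based cracker enumerates."""
    per_char = []
    for ch in word.lower():
        choices = {ch, ch.upper()} | set(LEET.get(ch, ""))
        per_char.append(sorted(choices))
    return ["".join(p) for p in itertools.product(*per_char)]


def leet_entropy_bits(word: str, dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> float:
    """Effective entropy of 'dictionary word + leet/case rules': log2(words * variants)."""
    return math.log2(dictionary_size * len(leet_variants(word)))


def expected_crack_seconds(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the space is searched."""
    return (2.0 ** bits / 2.0) / rate


def compare(word: str = "password", length: int = 10) -> dict[str, float]:
    """Side by side: a mangled dictionary word vs. random passwords of the given length."""
    rows = {f"leet({word})": leet_entropy_bits(word)}
    for name, size in ALPHABETS.items():
        rows[f"random {length}x{name}"] = random_entropy_bits(length, size)
    return rows


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:28s} {bits:7.1f} bits  ~{expected_crack_seconds(bits):.3g} s")
    print(f"20 random alnum chars: {random_entropy_bits(20, 62):.1f} bits")
    print(f"20 random bits:        {random_entropy_bits(20, 2):.1f} bits")
```

With the assumed table, "password" has 3072 leet/case variants, so even multiplied by a 100,000-word dictionary the whole space is about 28 bits and falls in well under a second at the assumed rate, while 10 random printable-ASCII characters are about 65 bits and 20 random alphanumerics about 119 bits. Whether the hash is salted and slow changes the rate, not the ordering.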
My Post-It Password Manager (Score:2)
Has simply never been hacked.
Never use autofill (Score:5, Interesting)
This sort of thing is why I've never let any sort of browser thing do autofill. I have a password manager on my phone and when I need to, I look it up and *type* it in. A minor nuisance, but for frequently used passwords I then don't need it, as I actually remember them. The others are by definition infrequently used.
Though I have to admit, it's the most used feature of my phone. It also means I don't have to worry about synchronizing across many different browsers and computers, or the lack of security having all that in multiple places.
Allowed. Not allows (Score:5, Insightful)
Bugs have already been patched. Stop with the FUD please. Yeah, it's bad they existed, but they're gone.
Re: (Score:2)
We don't know how long they were exploited for, or by how many people. This is why having your password manager running in a separate process with only a manual copy/paste bridge between them is a really good idea.
Re: (Score:2)
Desk drawer? I'm writing on post-its and sticking them all around my monitor.
UPDATE [March 22, 2017 17:15 ET]: Article updated (Score:2)
Sorry Folks.. (Score:1)
MY PASSWORDS HAVE NOT BEEN HACKED (Score:2)
Re: (Score:2)
I have three deadbolts on my main door
Deadbolts are only as secure as the windows next to them....
Ormandy recommends (Score:2)
Use an encrypted text file (Score:2)
Okay, I'll admit it, I'm the maker of a lesser-known password manager that has been around for ages. The weakest part is the operating system's handling of the clipboard: there is no OS-level support for clipboard wiping and no guarantee that sensitive data isn't written to disk. Moreover, there is generally not enough protection against keystroke loggers, which are the #1 method for obtaining the master passphrase. Apart from these obvious vulnerabilities, against which I cannot do anything, my application wo
Re: (Score:2)
How do you back up your text file? How do you secure those backups?
Why? (Score:2)
Why would anyone with even pretensions of being a geek link their password manager to a browser, beyond the two applications sharing the same OS install? I've been using a password manager for years, and it would NEVER have occurred to me to make it easy for my browser to access it directly. I don't consider myself terribly security conscious; but dangling a LOT of low-hanging fruit in front of would-be attackers was just never even on my radar. Goes without saying that the first thing I did when browsers i
Couldn't get calc.exe to run on a mac (Score:1)