
[engadget] Critical security flaws found in LastPass on Chrome, Firefox

4K views · 81 replies · 41 participants · last post by jologskyblues
#1 ·


Quote:
Last year Google Project Zero researcher Tavis Ormandy quickly found some "obvious" security problems in the popular password manager LastPass, and now he's done it again. Last week Ormandy mentioned finding an exploit in one version of its extension for Firefox, before following that up with a new bug that affected both Chrome and Firefox, and finally a third vulnerability that could allow "stealing passwords for any domain."
Source

This is getting ridiculous....

http://www.overclock.net/t/1588164/betanews-lastpass-has-serious-flaw-called-lostpass-your-passwords-and-more-are-at-risk

http://www.overclock.net/t/1560592/lastpass-lastpass-hacked-change-your-master-password
 
#4 ·
What is better to use? I researched some but thought, after weighing all pros and cons, that LastPass was the best. I literally just ordered the Yubico key and LastPass Premium. I haven't received the key yet or created my LastPass account. I also just read how Yubico went closed source. Thoughts? Should I return it?
 
#8 ·
Quote:
Originally Posted by Oubadah View Post

Yes, what is the best alternative?
Pen and paper, followed by the good, old typing it out.
 
#10 ·
Quote:
Originally Posted by sepiashimmer View Post

Using a password manager itself is a security risk, only the laziest of people use it, I think.
No offence but that statement is ridiculous. How in God's name do you expect people to remember unique passwords to over 100 sites?

It has nothing to do with being lazy, it's just not feasible for the average person to possess a photographic memory.

I use LastPass to manage the passwords for most of the websites I am a member of. However, I resort to memorization for the few passwords I use for key critical resources, such as my main email, bank account, PayPal, Steam account etc.; in total 7 unique strong passwords. If for whatever reason LastPass is compromised, no big deal, I can just change the passwords through email confirmation, which is not tied to my LastPass.
 
#12 ·
I stopped using LastPass after the last breach. I use pass with a Firefox plugin and QtPass (also available for Windows) as its GUI. It's better to save passwords locally than in the cloud.
 
#14 ·
Pick a word or phrase you can remember.
translate it into a foreign language.
phonetically spell in language of choice.
Add special character
Add number
Add capital letter.

Do this for 1-3 phrases.

Though of course the problem will always be initiative.
 
#15 ·
Quote:
Originally Posted by Oubadah View Post

Yes, what is the best alternative?
KeePass or KeyPass, one of them is completely local. There is no cloud storage of passwords.

Keep it on a usb stick which then acts as your "key" that you take around with you.
 
#16 ·
Quote:
Originally Posted by TheReciever View Post

Pick a word or phrase you can remember.
translate it into a foreign language.
phonetically spell in language of choice.
Add special character
Add number
Add capital letter.

Do this for 1-3 phrases.

Though of course the problem will always be initiative.
Sure, that's great for a few services, but try to remember one of these for each site you use, it's impossible. I use a password manager for the vast majority of sites, but since I switched I've come across quite a few websites that I simply didn't remember signing up for. If I don't even remember using them, how would I ever remember a unique password?
Quote:
Originally Posted by sepiashimmer View Post

Using a password manager itself is a security risk, only the laziest of people use it, I think.
Using a password manager with a password generator is the current best practice, not a security risk. Cloud storage might be a risk, but password managers in general are not.
Quote:
Originally Posted by spinFX View Post

KeePass or KeyPass, one of them is completely local. There is no cloud storage of passwords.
Keep it on a usb stick which then acts as your "key" that you take around with you.
Good way to infect your own PC if you're not careful. A USB stick like that should never go in a stranger's PC.
 
#18 ·
Quote:
Originally Posted by TheReciever View Post

The point went straight over your head I guess...

I'm signed up to maybe 2 dozen services and have yet to have any issues remembering their phrases. I have more problems with region locks than I do with passwords.
What point? I have a system too, but that doesn't make it easy to remember, just easier. Two dozen really isn't that many. I have well over 100 accounts.
 
#20 ·
Quote:
Originally Posted by Oubadah View Post

That doesn't seem like a very good solution in a time where 70% of most people's internet usage is happening on the go. Carrying around all your passwords on your person is an invitation for trouble.
How is that any different from putting all your passwords in LastPass?

Simply put, if LastPass is breached, every single one of your passwords will get stolen.
 
#22 ·
Quote:
Originally Posted by epic1337 View Post

Simply put, if LastPass is breached, every single one of your passwords will get stolen.
No, that's not how LastPass works. Maybe if everything was just stored in plaintext somewhere (perhaps even on paper?), then yeah. LastPass is backed with a ridiculous amount of encryption and scrambling so that even if the raw data somehow gets accessed, it's still useless without the master password.

As for the browser extension issues, it looks like they jumped in and fixed them ridiculously fast. That's some pretty remarkable support on their part.
 
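The disagreement above (does a breached vault hand over every password, or is the blob useless without the master password?) is easier to settle with a concrete model. The following is an added example written for this page, not LastPass's code: a toy vault that stretches the master password with PBKDF2 and encrypts the entries with encrypt-then-MAC. The cipher (HMAC-SHA256 run in counter mode as a keystream) stands in for AES so that only the Python standard library is needed; the iteration count, blob layout and sample credentials are assumptions, and the real product's parameters are not taken from this thread.

```python
"""Toy password vault: PBKDF2 key stretching + encrypt-then-MAC.

Added example, not LastPass's implementation. HMAC-SHA256 in counter mode
stands in for AES so the file runs with the standard library only; the
iteration count and blob layout are assumptions made for illustration.
"""
import hashlib
import hmac
import json
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumed for illustration; real products tune this
SALT_LEN = 16
NONCE_LEN = 16


def derive_keys(master_password: str, salt: bytes, iterations: int):
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher for the demo."""
    blocks = []
    for counter in range((length + 31) // 32):
        msg = nonce + counter.to_bytes(8, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(master_password: str, entries: dict) -> dict:
    """Return the blob a sync server would store: everything except the password."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt, PBKDF2_ITERATIONS)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # Authenticate the header as well, so a tampered salt or nonce is rejected.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
    }


def decrypt_vault(master_password: str, blob: dict) -> Optional[dict]:
    """Return the entries, or None if the password is wrong or the blob was altered."""
    salt = bytes.fromhex(blob["salt"])
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    enc_key, mac_key = derive_keys(master_password, salt, blob["iterations"])
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # Verify before decrypting; the constant-time compare avoids a timing oracle.
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        return None
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


def offline_guess(blob: dict, candidates: list) -> Optional[str]:
    """What an attacker holding only the blob can do: guess master passwords offline.
    Every guess costs a full PBKDF2 run, which is what the iteration count buys."""
    for guess in candidates:
        if decrypt_vault(guess, blob) is not None:
            return guess
    return None


def demo() -> dict:
    # Constructed sample vault; the site and credentials are made up.
    entries = {"example.com": {"user": "alice", "password": "Zq7!vR2#pL9wXe4@"}}
    master = "correct horse battery staple"
    blob = encrypt_vault(master, entries)
    leaked_bytes = bytes.fromhex(blob["ciphertext"]).decode("latin-1")
    return {
        "leaks_plaintext": "alice" in leaked_bytes,          # False
        "wrong_password": decrypt_vault("password123", blob), # None
        "right_password": decrypt_vault(master, blob) == entries,  # True
        # Found only because the master password is in the candidate list.
        "weak_master_found": offline_guess(blob, ["123456", "password", master]),
    }
```

Run `demo()` and both sides of the argument show up in the result: the blob a server breach yields contains no readable entries and a wrong master password decrypts to nothing, but `offline_guess` shows that the same blob is only as strong as the master password, since an attacker can try candidates offline at the cost of one PBKDF2 run each. Note also what this model does not cover: the extension bugs in the article run in the browser, where the vault is already unlocked, so encryption at rest says nothing about them.
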
#23 ·
Quote:
Originally Posted by riscorpian View Post

No, that's not how LastPass works. Maybe if everything was just stored in plaintext somewhere (perhaps even on paper?), then yeah. LastPass is backed with a ridiculous amount of encryption and scrambling so that even if the raw data somehow gets accessed, it's still useless without the master password.

As for the browser extension issues, it looks like they jumped in and fixed them ridiculously fast. That's some pretty remarkable support on their part.
But getting breached can also involve the master password getting stolen.
So whether or not your stored passwords are still safe, why risk it?

My point is, storing them all in the same place is no good.
As the saying goes, "don't put all your eggs in one basket".
 
#24 ·
Quote:
Originally Posted by epic1337 View Post

But getting breached can also involve the master password getting stolen.
So whether or not your stored passwords are still safe, why risk it?
See previous quote. That is not how LastPass works. That's not even how regular websites work.
Quote:
Originally Posted by epic1337 View Post

My point is, storing them all in the same place is no good.
As the saying goes, "don't put all your eggs in one basket".
That saying does hold true for many things, but it starts falling apart pretty fast when it comes to password management (see the part about "scrambling"). LastPass and services like it are certainly not ideal solutions, but they offer a great balance between security and convenience. In the case of LastPass, they're targeted quite often, but they're also very popular. If anything, that's only strengthened their bragging rights about security. Look at how fast they fixed this specific issue. That was a turnaround of barely half a day, wasn't it? And for a service that's predominantly free. Bugs and unseen vulnerabilities are always inevitable. But they've at least shown solid commitment to nailing them almost immediately. Heck, even the more recent issues for which they've come under fire were mostly caused by the old version of the Firefox addon, which is slated to be discontinued permanently in April. They still fixed the vulnerabilities anyway though, because something something commitment again.
 
#25 ·
Quote:
Originally Posted by riscorpian View Post

No, that's not how LastPass works. Maybe if everything was just stored in plaintext somewhere (perhaps even on paper?), then yeah. LastPass is backed with a ridiculous amount of encryption and scrambling so that even if the raw data somehow gets accessed, it's still useless without the master password.

As for the browser extension issues, it looks like they jumped in and fixed them ridiculously fast. That's some pretty remarkable support on their part.
Exactly this.

.....and you should be changing your master password on a fairly regular basis.

I use lastpass with randomly generated passwords, with 2 factor authentication, with confidence.
 
#26 ·
Quote:
Originally Posted by Nightingale View Post

No offence but that statement is ridiculous. How in God's name do you expect people to remember unique passwords to over 100 sites?

It has nothing to do with being lazy, it's just not feasible for the average person to possess a photographic memory.

I use LastPass to manage the passwords for most of the websites I am a member of. However, I resort to memorization for the few passwords I use for key critical resources, such as my main email, bank account, PayPal, Steam account etc.; in total 7 unique strong passwords. If for whatever reason LastPass is compromised, no big deal, I can just change the passwords through email confirmation, which is not tied to my LastPass.
Well you know... we store everything on pen and paper in a fireproof safe.
 