Posted

Another severe bug has been found in LastPass, giving yet another reason to stop using browser-based password manager extensions


It's been over a year since I presented on LostPass at ShmooCon, and in that time, many more bugs have been found in password managers.

The most severe of these are in browser-based password manager extensions such as LastPass.

Tavis Ormandy yesterday demonstrated a remote code execution on the latest LastPass version.

This isn't the first extremely severe bug he's found in LastPass, either; there've been so many extremely severe bugs in LastPass it would be tedious to list them out.

But LastPass isn't alone: Keeper, Dashlane and even 1Password have had severe vulnerabilities that allowed attackers to steal all of the passwords in a user's account without their knowledge.


This should be obvious to everyone who has been paying attention: browser-based password manager extensions should no longer be used because they are fundamentally risky and have the potential to have all of your credentials stolen without your knowledge by a random malicious website you visit or by malvertising.


When you use a browser extension password manager, you give attackers an API to interact with your password manager via JavaScript or the DOM.

That's how LostPass worked, and it's how many of the new attacks work, too.

Desktop-based password managers have no such access, as they require compromising the local machine first, which is much harder than visiting a webpage.


Your password manager extension du jour might not be as bug-ridden as LastPass, but it suffers from the same risk vector if it's a browser extension.

If you're using it in a corporate environment to share passwords, now only one user of many needs to be attacked to steal all of your passwords via a previously undisclosed bug.

If you think criminals aren't mining LastPass and others for bugs right now, you're naive.


What password managers should you use instead?


Does this mean you should give up and not use a password manager at all?

No, but the choice is trickier than these companies' marketing would lead you to believe.

Desktop-based password managers


Any program that is not resident in your browser is safer than one that is.

There are many choices to choose from in this category, and none of them suffers from the direct-access-via-JavaScript risk category.


If you do use one, do not install the browser extensions.

Copy and paste the passwords from the app into your browser.

I use pass because it's simple to understand for technical folks, but I have many friends who use KeePass.

If you are buying a password manager from a company, you should ask to see the details of their latest source code security review.

If they're reluctant, maybe you should be reluctant to put the crown jewels of your company in their hands.


Copying and pasting passwords into the wrong place is not a large enough risk to use a risky browser password manager extension.

If you accidentally paste one password in the wrong place, it is easy to change.

If you get all your passwords stolen by a new bug, you'll never even know, and you'll have little to no recourse.


Built-in browser password managers


Every major browser now has a well-designed, built-in password manager that is easy to use.

These are a nice choice if you dislike copying and pasting passwords into websites.

All of them also offer mobile sync so you can have your passwords on the go.

Since two-factor authentication is not available for these, use a very strong and unique passphrase.


I recommend non-technical users use the built-in password managers because they're easy to use and plenty secure.


Literally anything else


An encrypted text file on your computer is safer than a browser extension password manager.

Think of how it would be compromised: Someone would need to get at least user-level access to your computer and then either read it when it's temporarily unencrypted, or wait for you to unencrypt it.

That cannot be done by efficient attackers at scale.

And if they've compromised your machine, you have bigger things to worry about.


Source:

http://www.networkworld.com/article/3183675/security/stop-using-password-manager-browser-extensions.html#tk.rss_security
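The article's closing argument is that an encrypted file on disk only falls to someone who already has user-level access to the machine and catches it while it is decrypted. The Go program below is an added example, not code from the article, from `pass`, KeePass or any other product it names, showing what that design looks like when written down: a key derived from a passphrase (PBKDF2-HMAC-SHA256, implemented on the standard library so nothing external is needed), AES-GCM so that a wrong passphrase or an edited file is rejected instead of decrypting to garbage, and a lookup that decrypts only long enough to find one entry. The file layout (salt, nonce, ciphertext), the iteration count, the `site: password` line format and the sample vault contents are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Demonstration parameters (constructed for this example, not taken from any real product).
const (
	saltLen  = 16
	nonceLen = 12
	keyLen   = 32
	kdfIter  = 200_000 // PBKDF2 iterations; a demo value, raise it for real use
)

// pbkdf2SHA256 implements PBKDF2-HMAC-SHA256 (RFC 8018) on the standard
// library so the example has no external dependencies.
func pbkdf2SHA256(pass, salt []byte, iter, dkLen int) []byte {
	mac := hmac.New(sha256.New, pass)
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		var ctr [4]byte
		binary.BigEndian.PutUint32(ctr[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(ctr[:])
		u := mac.Sum(nil)            // U1
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// DeriveKeyHex exposes the KDF so it can be checked against published test vectors.
func DeriveKeyHex(pass, salt string, iter, dkLen int) string {
	return hex.EncodeToString(pbkdf2SHA256([]byte(pass), []byte(salt), iter, dkLen))
}

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, kdfIter, keyLen)
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Seal encrypts the vault text. Layout: salt || nonce || AES-GCM(ciphertext || tag).
// The salt is bound as associated data so it cannot be swapped undetected.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte(nil), hdr...), nonce, plaintext, salt), nil
}

// Open authenticates and decrypts a vault. A wrong passphrase or any
// modification of the file fails the GCM tag check rather than yielding garbage.
func Open(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, errors.New("vault file too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered vault")
	}
	return pt, nil
}

// Lookup decrypts the vault only long enough to find one "site: password" line,
// then overwrites the plaintext buffer (best effort; the runtime may have copied it).
func Lookup(passphrase string, blob []byte, site string) (string, error) {
	pt, err := Open(passphrase, blob)
	if err != nil {
		return "", err
	}
	defer func() {
		for i := range pt {
			pt[i] = 0
		}
	}()
	for _, line := range strings.Split(string(pt), "\n") {
		if name, secret, ok := strings.Cut(line, ": "); ok && name == site {
			return secret, nil
		}
	}
	return "", errors.New("no entry for " + site)
}

func main() {
	// Constructed sample vault contents.
	vault := []byte("example.com: correct horse battery staple\nmail.example: hunter2xyz\n")
	blob, err := Seal("a long unique passphrase", vault)
	if err != nil {
		panic(err)
	}
	fmt.Println(Lookup("a long unique passphrase", blob, "mail.example"))
	fmt.Println(Lookup("wrong passphrase", blob, "mail.example"))
}
```

Nothing in this program is reachable from a web page: the only way to get a password out is a local process that knows the passphrase, which is the property the article contrasts with an extension's DOM-facing API. `pass` gets the same property from gpg; this is a from-scratch illustration of the threat model, not a replacement for a reviewed tool.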

Posted
I think LastPass has been patched

@plodr

Thanks for the update.


Note: I don't use any password managers.
Neither do I ... I just use old-fashioned memory. (Works most of the time.)
Posted

Hah, when I turned 65 half my brain decided it had worked long enough. My husband and I say that on a good day between us, we have one functioning brain!


I write everything down but since my husband and I are the only people with access to the computers (we have no children and hence no grandchildren), written down notes are safe.


When we travel, cryptic notes are placed on a note card that I keep on me. I wipe all the usernames and saved passwords on the netbook I travel with, so if it gets lost or stolen, someone can see where I go and perhaps know that on 98% of the forums I am plodr, but they haven't a clue as to what the nonsense, all-different passwords might be.

Posted
I have 2 flash drives with all the passwords. They are also on a sheet of paper I printed to refer to and keep concealed. When traveling the sticks go with me around my neck. If one stick fails I use the other to replace it.