What should password managers not do? Leak your passwords? What a great idea, LastPass

Password vault LastPass is scrambling to patch critical security flaws that malicious websites can exploit to steal millions of victims' passphrases. The programming cockups were spotted by Tavis Ormandy, a white-hat hacker on Google's crack Project Zero security team. He found that the LastPass Chrome extension has an …

  1. hellwig

    Anyone remember Gator?

    Oh, how naive we all were. At least I uninstalled Gator when it moved to spamware (hey, I was a teenager).

    I thought LastPass was user encrypted, like even LastPass couldn't unencrypt the data without your password. But if that's the case, why/how does the plugin expose anything to a website? Shouldn't all data go from webpage to plugin? All the plugin has to do is fill out fields, right? What possible reason is there for even including functionality a web page can manipulate?

    Here's the process I see:

    Plugin grabs URL from browser.

    Plugin scans rendered HTML for fields.

    Plugin prompts user to fill fields (important, especially for hidden fields!!!).

    User fills fields.

    End of Transaction.

    The fact that "1min-ui-prod.service.lastpass.com" exposed this issue makes me think it was used by LastPass as some sort of backdoor (oh, I'm sure they'll claim it was a test server they never meant to be released to public). But still, in the end, if they're trying to be legitimate, what possible reason is there for LastPass to be controllable by a webpage?

    1. Anonymous Coward
      Anonymous Coward

      Re: Anyone remember Gator?

      Gator changed their name several times including Claria and Jelly cloud (more like slime cloud), to try and throw off the stench of malware.

      What's more interesting is tracing where the morally bankrupt senior management ended up. eHarmony, facebook, eHow / Livestrong, among others.

  2. Warm Braw

    There are hundreds of internal LastPass RPCs

    Why? Oh, why, oh why...

  3. Frozit

    Still way better than no password manager and reusing human rememberable passwords.

    1. Invidious Aardvark

      How is having all my unknown-to-me passwords exfiltrated from my password manager "way better" than having my known-to-me passwords guessed/hijacked? They both seem about equivalent to me (though they'd have a hard time getting someone to enter all the passwords that they re-use in a single attack, so perhaps it's marginally worse to use LastPass?).

      1. The Bam

        Security is a process, not a product. Obviously any specific technology may have bugs, but avoiding all technological aids to security is not the solution.

    2. Lee D Silver badge

      Both of which are worse than just securing your machine (not letting people see you type your passwords), choosing sensible passwords (* long, not complex) and not running third-party software with access to EVERYTHING on your computer, including an explicit list of every password you've ever used, anywhere, ever.

      Like antivirus - the only program to run as SYSTEM, begin at startup, run for every user, intercept every possible file access on the entire machine, able to hide anything it does, not let itself get shut down, connect to the Internet, update itself automatically, and even nowadays run your firewall, decide what can get out or see packets, and what can come back in, often with remote-support tools built in. Yeah, that's not a recipe for disaster.

      (*) Human-rememberable passwords are WAY outside brute-force limits - just make sure they are LONG, not faff around with fancy characters in your potential alphabets. Starting with just an ordinary alphabet, a character added to password length would make the password 26 times stronger, while including a new character (e.g. an asterisk) into the alphabet itself only makes it 1/26th stronger. STOP IT.

      1. I am the liquor

        Lee D, your entropy calculations leave something to be desired.

        A 10-character password taken randomly from a set of 26 characters has 47 bits of entropy.

        A 10-character password taken randomly from a set of 27 characters has 47.5 bits of entropy, i.e. it's about 40% stronger, not 1/26. Adding a character to the alphabet makes the password only 1/26 stronger if it's a 1-letter password.

        And that's if the attacker has somehow divined which punctuation mark you added to your character set. In reality, their search space probably includes at least 10 commonly-used punctuation characters. 10 characters from an alphabet of 36 has 51.7 bits of entropy, making it (coincidentally) 26 times stronger than the just-letters version.

    3. Blitterbug
      Facepalm

      Still way better than no password manager and reusing human rememberable passwords...

      Just... no.

    4. Anonymous Coward
      Happy

      My complex password is on a post-it note.

      Beats both methods.

      I'd do a joke icon, but it is actually better than both methods.

      1. Orv Silver badge

        "My complex password is on a post-it note."

        That does leave you open to "evil maid" attacks. That may not be a concern if we're talking about a home environment and you don't have service workers there unsupervised. Otherwise I'd suggest putting the password in your wallet or something else you always carry on your person, and changing it ASAP if you realize your wallet has been stolen.

      2. Wensleydale Cheese
        Alert

        "My complex password is on a post-it note."

        You use one password for multiple accounts?

        1. Alumoi Silver badge

          You use one password for multiple accounts?

          I do. One password for forums and other non important crap, one for each mail account and one for online banking. So all I have to do is remember at most 10 passwords. No biggie, right?

    5. macjules

      Oops

      I really do not believe that you meant to say that. Perhaps LastPass' next venture should be a decent notepad with a corporate pen.

  4. Anonymous Coward
    Anonymous Coward

    You had me at browser extensions...

  5. Anonymous Coward
    Anonymous Coward

    Could someone please inform me why I should keep my passwords in some black cloud ??

    WTF is so wrong about local storage ?

    1. Anonymous Coward
      Anonymous Coward

      Indeed. I keep each horrendously long and complex password in an encrypted LibreOffice document along with associated information such as username, site URL etc. All the documents are stored inside a TrueCrypt drive which is only temporarily mounted when access to a password is needed. It may be a bit of a faff to login to my bank etc but I prefer this method to trusting some third party on the web.

    2. Anonymous Coward
      Anonymous Coward

      For starters, local storage is great... if it's 1990 and you use exactly one computer for all the things you do.

      For second, local storage is great... if you don't mind losing a small piece of your life to managing yet another application including backing up said local storage.

      For third, local storage is great... if it's not 2017 and you don't already have half your life in the cloud anyways, trusting it with tons of other important shit like I don't know, your finances, School curriculum, taxes, email, calendar, photos, relationships, etc.

      It's called modern life. The horse and buggy was awesome too, until it wasn't.

      1. a_yank_lurker

        "For starters, local storage is great... if it's 1990 and you use exactly one computer for all the things you do." - One very hidden benefit of local storage with no cloudy backup is it forces one to have one device used for managing important financial and purchasing activities. I prefer to keep mine on a desktop and have no banking, credit card, etc. apps on my phone. If the phone is lost or stolen it's still a pain but I do not need to worry about my information leaking out.

      2. ecarlseen

        That's a nice false choice fallacy you have there.

        Shame if something were to happen to it.

        There are a lot of ways to distribute your information between devices that you own without using public cloud services. For an example relevant to the article, 1Password lets you use a shared folder or a WiFi connection to sync devices.

      3. krivine

        Local storage

        Syncthing and Veracrypt

      4. Pascal Monett Silver badge

        "local storage is great... if it's not 2017 and you don't already have half your life in the cloud anyways, trusting it with tons of other important shit like I don't know, your finances, School curriculum, taxes, email, calendar, photos, relationships, etc"

        Congratulations, you have been perfectly assimilated integrated and are now a valuable marketing commodity. I wish you luck on relying on someone else's server and backup procedures to provide you with what you apparently still think is your data.

        As for me, I prefer "losing a small piece of my life" actually backing up MY photos and data, rather than discover one day that the cloudy thingy I thought had my back actually didn't.

      5. David Nash Silver badge

        "local storage is great... if it's not 2017 and you don't already have half your life in the cloud anyways, trusting it with tons of other important shit like I don't know, your finances, School curriculum, taxes, email, calendar, photos, relationships, etc"

        Stuff like finances, taxes etc are not "the cloud". They are on hopefully well-protected servers of specific organisations dedicated to that task.

        That's no reason to keep the passwords to those services in another "cloud". Keep them locally. Back them up, yes. I am not sure I would trust a cloud-based service with my passwords and NO local backup.

      6. patrickstar

        The proper way to do this is to generate all passwords from a master password combined with a site identifier. Then the only thing you need to share between different boxes is the generator itself, which isn't security critical. Unfortunately this is somewhat complicated by differing password length and complexity rules.

        1. Orv Silver badge

          "The proper way to do this is to generate all passwords from a master password combined with a site identifier."

          That works until one of those sites gets hacked and is caught storing passwords in cleartext. Then people might just figure out that if "stupidsiteFooBarBiz" is your password for stupidsite, there's a good chance "mybankFooBarBiz" will work at mybank.com...

          1. patrickstar

            I meant "generate" as in "hash"... Obviously, but should have been clearer perhaps.
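The two schemes the exchange above contrasts, worked through as an added example (this is not code from any commenter or from LastPass): `naive_site_password` is the concatenation Orv warns about, where one cleartext leak hands an attacker the master secret; `derived_site_password` is the "generate as in hash" idea, a keyed HMAC-SHA256 derivation over the site identifier, with the master password stretched by PBKDF2 first. It also handles the caveat patrickstar raises about per-site length and character-class rules: the derivation is fed through a deterministic rejection-sampling loop until a candidate satisfies the requested policy. The salt, iteration count, alphabet and default policy are assumptions chosen for illustration.

```python
import base64
import functools
import hashlib
import hmac
import string
from typing import Iterator, Tuple

# Constructed defaults (assumptions): a fixed application salt, a PBKDF2 work
# factor, and a default policy of "at least one of each class".
APP_SALT = b"example-site-password-generator-v1"
PBKDF2_ITERATIONS = 100_000
DEFAULT_CLASSES: Tuple[str, ...] = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@#$%",
)


def naive_site_password(master: str, site: str) -> str:
    """The scheme Orv objects to: site id + master, so the master is visible in any cleartext leak."""
    return site + master


@functools.lru_cache(maxsize=None)
def stretch_master(master: str) -> bytes:
    """Turn the memorised master password into a 32-byte key (slow on purpose)."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), APP_SALT, PBKDF2_ITERATIONS)


def _byte_stream(key: bytes, site: str) -> Iterator[int]:
    """Unbounded deterministic byte stream: HMAC(key, site|counter) for counter = 0, 1, 2, ..."""
    counter = 0
    while True:
        block = hmac.new(key, f"{site}|{counter}".encode(), hashlib.sha256).digest()
        yield from block
        counter += 1


def derived_site_password(
    master: str,
    site: str,
    length: int = 20,
    classes: Tuple[str, ...] = DEFAULT_CLASSES,
    max_attempts: int = 64,
) -> str:
    """Derive a per-site password that contains at least one symbol from every class in `classes`.

    Rejection sampling (skip bytes >= limit) keeps the mapping byte -> alphabet uniform;
    a plain `b % len(alphabet)` would bias the first few symbols of the alphabet.
    """
    alphabet = "".join(classes)
    limit = 256 - (256 % len(alphabet))
    stream = _byte_stream(stretch_master(master), site)
    for _ in range(max_attempts):
        chars = []
        while len(chars) < length:
            b = next(stream)
            if b < limit:
                chars.append(alphabet[b % len(alphabet)])
        candidate = "".join(chars)
        # Policy check: every required class must appear at least once.
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate
    raise ValueError("could not satisfy the character-class policy; relax it or raise max_attempts")


def reveals_master(password: str, master: str) -> bool:
    """Would a cleartext leak of this site password expose the master password?"""
    return master in password


if __name__ == "__main__":
    master = "FooBarBiz"  # constructed sample master password
    for site in ("stupidsite", "mybank.com"):
        naive = naive_site_password(master, site)
        derived = derived_site_password(master, site)
        print(f"{site:12s} naive={naive!r:24s} leaks master: {reveals_master(naive, master)}")
        print(f"{site:12s} hmac ={derived!r:24s} leaks master: {reveals_master(derived, master)}")
    # A site that only allows 8 lowercase letters and digits:
    print("legacy site:", derived_site_password(master, "legacy.example",
                                                length=8,
                                                classes=(string.ascii_lowercase, string.digits)))
```

Changing the site identifier changes every byte of the output, and the master never appears in any derived password, so a cleartext leak at one site tells an attacker nothing usable elsewhere; the remaining weakness of any stateless scheme is that rotating a single site's password requires changing the site identifier (a per-site counter is the usual fix) and that an attacker who learns the master still gets everything.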

      7. John 104

        @AC

        For starters, local storage is great... et, all.

        You sir, are an average user. Clueless, or careless, take your pick. Your statements about all sorts of personal things living in the cloud are indicative of the general populace's lack of understanding of the risk they take when they do so.

        It's 2017. Cloud services and corporate systems are constantly under attack. Thinking you can put anything in these systems and keep your data yours is foolish. The only way to keep things secure is to use throw away creds for some services, stay off social media, bank in person, and keep things that are important to you on local storage, preferably air gapped from any network.

        Or you could just continue with your head in the sand technique. In fact, I think there's some cool articles on Wired that you can read about the next latest cool thing. Don't let the door...

        1. Anonymous Coward
          Anonymous Coward

          @John104

          Or here's an idea... why not just give up and withdraw from modern life entirely, which is pretty much the net effect of what you are suggesting.

          Most people don't have multiple PCs including one that's never online and air gapped; lots of people can't bank in person now as the branches are being shut down at an increasing rate. In our not tiny town, Lloyds has already shut, HSBC is shortly to close too, and if you can't drive what then? Rely on a once-an-hour bus to get to a branch in your lunch hour and be late back for work... "sorry boss, I'm a tin foil hat so every time I need to go to the bank I need 2 hours out of the office"... yeah, watch that fly... I am not really on social media myself but for many it's a crucial link to friends and family in a world of increasing isolation...

          Your dismissive, arrogant, miserable snarkiness is beyond counterproductive... it's like telling a burglary victim "well I've never bought anything so I don't get burgled... you shouldn't buy shit you moron..." I mean really... if you can't share any advice useful to a normal human being, don't bother.

          1. Anonymous Coward
            Anonymous Coward

            just a tick

            Is this false dichotomy? I almost the entire logic but I kept it in teh clood

          2. tiggity Silver badge

            I only bank at physical bank branches.

            It's possible to change banks - vote with your feet if your local branch closes down.

            Banks open (a bit) at weekends too!

            I'm not using a banking app on insecure (non rooted) android, and the apps won't run on a more locked down (rooted) android due to stupid idea of rooted = insecure.

            As for PCs, I generally run old (unsupported, ditto for browser updates) OS versions on old feeble hardware (run it till it dies) and so there are (obviously) potential security issues as the software vendors like forced obsolescence, so nothing sensitive is done on those, no banking etc..

      8. Anonymous Coward
        Anonymous Coward

        Companies come and go

        Yes, as we've all seen having a local hard backup is a bad idea. Just ask the people who've been hit with ransomware.

        You're mixing banks, school, fed taxing authorities who have a vested interest in storing your data with your useless-to-anybody-but-you personal email, calendar, photos and 'likes'. If you want to store your personal shit with a company that may/will change hands, fees, limits, terms of use, etc. have at it.

        From someone who's seen companies live and die before the time you've been peeing in your huggies, I'll keep my personal data where I can control it.

    3. Schultz

      Local storage for passwords

      Indeed, use keepass and combine it with your favorite method of keeping data synchronized (e.g., Dropbox, OneDrive, OneDrive, USB sticks, ...) across your computers and phones. It adds a copy/paste step when you use it with your browser, but you are in control and you offer a much smaller attack surface.

      Also, is there anything wrong about the browser (Chrome) autofill method for low priority passwords (e.g. for the comment section of ElReg)?

      1. a_yank_lurker

        Re: Local storage for passwords

        It is a philosophical issue, not a technical one. I personally like to keep key services localized to one machine - currently an immobile desktop. This lessens the risk that losing a device or a hack of Dropbox endangers my passwords. If one is more comfortable with the risks, what you describe is a reasonable solution.

        1. Stuart Moore

          Re: Local storage for passwords

          This is where keepass works well. I can have a keyfile that I manually install on the devices I want to have access as a one time action (never stored in the cloud). So the file in dropbox is useless without both that key file and my password. But if I add a password on my phone it syncs to my desktop.

        2. Brangdon

          Re: a hack of Dropbox

          If you use KeePass, the password file is encrypted locally before DropBox sees it. Your main vulnerability is if your local machine gets compromised to the point that someone can inject a DLL into the address space of the KeePass process, but if they can do that, they pretty much own you anyway.

          (A simple key logger isn't enough, because KeePass uses a secure desktop for its master password, and a simple clipboard sniffer isn't enough if you use its autotype mechanism instead of copy and paste.)

      2. Anonymous Coward
        Anonymous Coward

        Re: Local storage for passwords

        is there anything wrong about the browser (Chrome) autofill method for low priority passwords (e.g. for the comment section of ElReg)?

        That depends. It is less secure than not using autofill. Individually, does that matter, eg if your ElReg account was hacked, used to post spam or offensive comments, and got deleted? You might have to become SchultTheSecond, round these parts. As a one off, that's modestly inconvenient, but if you either reuse a common password, or a guessable config of a root-plus-site-related, then any other sites may be compromised - although an effective browser autofill hack could (like this) expose all of your saved logins anyway.

        Curiously enough, I suspect that us pseudonymous types can cope with most of that, yet I think that any "proper" social media account is much more of a problem. Sure, nobody pays cash for Facebook or LinkedIn, but the damage that could be inflicted to your reputation by a hijacking, or the inconvenience of losing access to aggregated time-series content could be more costly.

        As a general rule then, the logical approach would be that if the account is publicly associated with you and links to any form of network of your contacts, then don't use autofill. But I'm not taking my own advice.....

    4. Roland6 Silver badge

      Re: WTF is so wrong about local storage ?

      Did you read the article?

      This vulnerability has little to do with the actual storage location of the passwords and lots to do with the available RFC's used by the (LastPass) browser extension to access the stored information.

      Given the nature of the vulnerability and the level of information disclosed, we can expect developers of other password managers that have browser extensions that access the password store to also be reviewing their code. Also given the nature of the vulnerability developers of browser extensions that utilise cloud services should also be reviewing their code...

      The fundamental problem with LastPass is that it doesn't seem to have a standalone client, so disabling it in Chrome etc. means you are unable to access your password store. A possible workaround is to have the extension enabled in one web browser (eg. IE) that you don't use for web browsing and use a different browser (eg. Chrome/Firefox) for your normal web browsing.

      1. Orv Silver badge

        Re: WTF is so wrong about local storage ?

        "The fundamental problem with LastPass is that it doesn't seem to have a standalone client, so disabling it in Chrome etc. means you are unable to access your password store"

        Actually you can still access your vault via their website, and use the copypasta method. Although I'm unconvinced that having a password sitting on my clipboard, where any application can access it, is much of a security improvement. All the non-extension methods share that weakness, though, including the old standby encrypted text file method.

      2. thondwe

        Re: WTF is so wrong about local storage ?

        Lastpass has Apps - so use of an independent browser is unnecessary

    5. dl

      The cloud storage vs local is a moot point though in this case.

      It was the browser extension leaking the data, local storage wouldn't have made any difference.

  6. robertcirca

    The perfect Password

    The perfect password is not "''jjjJJz6&&//§ww".

    Using "Iamsostupidthatiforgetmypasswordsallthetime2000" is 1000 times safer. Brute force attacks do not care which characters humans use. It is the length of the password.

    Just combine several words and password dictionaries will not work anymore.

    "horsefrenchfriesgreengrass" is also pretty nice. And you can remember it.

    And if you like to click on attachments of weird emails no password will ever protect you.

    1. streaky

      Re: The perfect Password

      Brute force attacks do not care which characters humans use.

      Yes, yes they do.

      Iamsostupidthatiforgetmypasswords%^£thetime2000 is way - way - stronger than Iamsostupidthatiforgetmypasswordsallthetime2000.

      The larger the key space, the less feasible the attack. Adding an extra possible character increases the complexity by an order of magnitude. This stuff isn't even complicated.

      1. Anonymous Coward Silver badge
        Facepalm

        Re: The perfect Password

        "Larger the key space the less feasible the attack" - that only works when it's a predictable key space.

        If you don't know whether my password is purely lowercase letters, or letters+numbers, or extended alpha, or including emojis etc... you don't know what combinations to try, so must try all of them to guarantee success. You may choose to start simple and work up the complexity, but you may also choose to start short and wide and work up the length.

    2. ozobken

      Re: The perfect Password

      Assuming you can remember all those passphrases for all your different accounts - I assume you're not advocating using the same password everywhere?

    3. grandours

      Re: The perfect Password

      That's all well and good, but there are a number of services that still limit the length of passwords to a ridiculously short number of characters. In that type of situation, the string of words method or xkcd method is useless. Password managers allow you to generate random passwords containing a mix of upper/lower case letters, numbers and special symbols of whatever length you like, so you can have much stronger passwords than "Iamsostupidthatiforgetmypasswordsallthetime2000". Also, unless you are recommending reusing the same password across many sites, that method is not practicable for most people. I currently have 116 passwords stored in my password manager. They are all unique and impossible to guess, even by me. I don't have photographic memory, so I simply can't remember that many unique passwords. I use a password manager for everything except banking, email and Amazon. For my banking and Amazon I have 12 character impossible to guess root passwords that I've memorized and never change, and I have an additional 18 character suffix stored on a Yubikey that I can change at regular intervals. I also use 2FA wherever it's allowed. There is no perfect password solution. Whatever solution you choose to use, you have compromised to some degree on usability, convenience or security. To what degree one is willing to compromise in any one of those areas is up to each individual. Saying that one should never use a password manager is a bit like saying to an investor "no one should ever have more than 50% of one's investments in equities as they are too risky".

      1. Anonymous Coward
        Anonymous Coward

        Re: The perfect Password

        Please stop using the phrase "impossible to guess" as it's simply incorrect. It's likely more suitable to say "extremely unlikely to guess".

        1. grandours

          Re: The perfect Password

          From a pedantic point of view you are correct, but you are using the term "guess" in the sense of a random selection. I am using the term to denote using some knowledge about a person to make an educated guess about what a password might be. A very simple example might be someone using their child's birthday as a password. My password-manager generated passwords have no bearing to me, anyone related to me, or anything I might dream up using my imagination. Yes, one could still "guess" one of those passwords, but the odds of doing so would be far worse than winning the Powerball jackpot. From a practical point of view, they are impossible to guess.

          Incidentally, another benefit of using a password manager is when dealing with those annoying but mandatory "security questions", which do nothing but weaken security. For those, I use more password-manager generated passwords. That way, I don't have to worry about people who might know my mother's maiden name, etc., getting access to my accounts.

    4. MrKrotos

      Re: The perfect Password

      "Brute force attacks do not care which characters humans use." Wow you obv have no idea how brute force attacks work!

    5. I am the liquor

      Re: The perfect Password

      Robert, that's nonsense. Of course dictionary attacks can still work. Attackers can combine words just as they can combine letters in brute force searches.

      The first password you quoted has 16 characters, taken from a set of upper and lower case letters, digits and punctuation - say a set of 90 characters. Let's leave aside the amount of repetition in it, which is bad, and assume it was supposed to be a random selection of characters. That would give about 104 bits of entropy - a very strong password (if truly random).

      "horsefrenchfriesgreengrass" comprises 5 very common words, or maybe only 3 if the attacker has common phrases "french fries" and "green grass" in their dictionary. Likely 60-ish bits of entropy, much weaker than the 16 random character password.

      Your 13 word alternative is probably not much better, because it's not 13 randomly-chosen words. Most of it is a syntactically valid English sentence, which really reduces the entropy. "I am so stupid" and "I forget my passwords all the time" both get a ton of hits on google and could easily be in password dictionaries. So your 13 word password might really only be 4 words. A sophisticated dictionary attack will try variations of spacing and capitalisation. And attackers _are_ using such sophisticated attacks.

      Your word-based passwords certainly have the benefit of being easier to remember, but I don't think you're right to believe they're safer.
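The entropy arithmetic behind the two "I am the liquor" posts above (the 47 / 47.5 / 51.7-bit figures in the reply to Lee D, and the 104-bit and "60-ish bit" estimates in this reply to Robert), worked through as an added example that is not any commenter's own code. `char_entropy_bits` and `strength_ratio` reproduce the character-set figures; `segment` shows why a passphrase is scored in words rather than characters: it finds the fewest dictionary tokens that cover the passphrase, which is what a dictionary attack effectively pays for, so "horsefrenchfriesgreengrass" costs five guesses-per-slot with a word list and only three once "french fries" and "green grass" are in the list. The word lists and the 4,000-word dictionary size used in the usage section are constructed assumptions, not figures from the thread.

```python
import math
from typing import List, Optional, Set


def char_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly at random from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def word_entropy_bits(dictionary_size: int, words: int) -> float:
    """Entropy in bits of `words` tokens drawn uniformly at random from a dictionary of `dictionary_size`."""
    return words * math.log2(dictionary_size)


def strength_ratio(bits_a: float, bits_b: float) -> float:
    """How many times more guesses, on average, password A costs an attacker than password B."""
    return 2 ** (bits_a - bits_b)


def segment(passphrase: str, vocab: Set[str]) -> Optional[List[str]]:
    """Split `passphrase` into the fewest vocabulary tokens that cover it exactly.

    Dynamic programme over prefixes: best[i] is the shortest token list covering
    passphrase[:i], or None if no covering exists.  Returns None when the whole
    string cannot be built from the vocabulary (an attacker would then have to
    fall back to character-level search for the unexplained part).
    """
    n = len(passphrase)
    best: List[Optional[List[str]]] = [None] * (n + 1)
    best[0] = []
    for end in range(1, n + 1):
        for start in range(end):
            if best[start] is None or passphrase[start:end] not in vocab:
                continue
            candidate = best[start] + [passphrase[start:end]]
            if best[end] is None or len(candidate) < len(best[end]):
                best[end] = candidate
    return best[n]


# Constructed sample vocabularies (assumptions): a small word list, and the same
# list extended with the two common phrases the post mentions.
COMMON_WORDS: Set[str] = {"horse", "french", "fries", "green", "grass", "battery", "staple"}
WITH_PHRASES: Set[str] = COMMON_WORDS | {"frenchfries", "greengrass"}


def passphrase_entropy_bits(passphrase: str, vocab: Set[str], dictionary_size: int) -> Optional[float]:
    """Score a passphrase as (number of tokens) * log2(attacker's dictionary size)."""
    tokens = segment(passphrase, vocab)
    if tokens is None:
        return None
    return word_entropy_bits(dictionary_size, len(tokens))


if __name__ == "__main__":
    # Figures from the reply to Lee D: 10 characters from 26, 27 and 36 symbols.
    letters = char_entropy_bits(26, 10)
    letters_plus_one = char_entropy_bits(27, 10)
    letters_digits = char_entropy_bits(36, 10)
    print(f"10 from 26: {letters:.1f} bits")
    print(f"10 from 27: {letters_plus_one:.1f} bits, x{strength_ratio(letters_plus_one, letters):.2f}")
    print(f"10 from 36: {letters_digits:.1f} bits, x{strength_ratio(letters_digits, letters):.0f}")

    # Figures from the reply to Robert: 16 random characters from ~90 symbols.
    print(f"16 from 90: {char_entropy_bits(90, 16):.0f} bits")

    # Passphrase scored by tokens; 4,000 is an assumed attacker dictionary size.
    phrase = "horsefrenchfriesgreengrass"
    for name, vocab in (("words only", COMMON_WORDS), ("words + phrases", WITH_PHRASES)):
        tokens = segment(phrase, vocab)
        bits = passphrase_entropy_bits(phrase, vocab, 4000)
        print(f"{name:16s} {tokens} -> {bits:.1f} bits")
```

Running the usage section gives 47.0, 47.5 and 51.7 bits for the three character sets, a 26x ratio between the 36-symbol and 26-symbol cases, about 104 bits for the 16-character random password, and five versus three tokens for the passphrase (about 60 bits versus 36 against a 4,000-word dictionary), which is the gap the post describes between a random 16-character string and a memorable sentence.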
