LastPass now supports 2FA auth, completely undermines 2FA auth

Password manager LastPass has added a new feature to its software: the ability to store two-factor authentication codes. This is great news. For hackers. Increasingly, people with sense use two-factor auth as a way of ensuring that it is much harder for miscreants to break into their accounts, and to detect if anyone is anyone …


  1. AegisPrime
    FAIL

    Better alternatives...

    With the increasing vulnerability of cloud-based services (not to mention governments wanting access to everything online) I've finally retired my LastPass account in favour of KeePass - I share the database via Sync.com (like DropBox but encrypted and zero-knowledge their end) and keep the key local.

    LastPass just has a huge target painted on it these days.

    1. a_yank_lurker

      Re: Better alternatives...

      I prefer a local password manager on my box. True it limits me if I am using a different device without the manager. Syncing is basically sneaker net if desired.

      1. Pompous Git Silver badge

        Re: Better alternatives...

        @ a_yank_lurker

        Bruce Schneier's Password Safe can run from a USB stick. One of several reasons I find it useful.

        1. Anonymous Coward

          Re: Better alternatives...

          @ Pompous Git

          Thanks for the Password Safe tip. Looks like they've got a Linux Beta.

          1. Pompous Git Silver badge

            Re: Better alternatives...

            "Thanks for the Password Safe tip."

            I use the Linux Beta (no issues during ~16 months of daily use), the Windows freebie, the paid-for exe that runs from a USB stick and there's an android app that also reads the same files.

        2. Adam JC

          Re: The Need For Speed

          A USB stick can be lost, I prefer a cloudy app to store it (Whether it's KeePass on Dropbox, OneDrive, etc) or LastPass in the cloud. You keep your KeePass file locally and your SSD bites the dust... boom, chaos.

          As I understand it, your 'vault' is encrypted in-situ on LastPass' server and even they can't access it, so even if their servers were ransacked, there's no way to get in unless they have your master password.

    2. big_D Silver badge

      Re: Better alternatives...

      I use KeePass at work and LastPass privately. To be honest, I hate KeePass, it feels so awkward, compared to LastPass. The UI is the one part that LastPass really has done well.

      1. Uplink

        Re: Better alternatives...

        KeeWeb.info is mentioned as an unendorsed alternative implementation on the KeePass website. If it's a nice UI you are after, that one looks quite nice.

      2. Sgt_Oddball

        Re: Better alternatives...

        I think I speak on behalf of a number of us here but we'd prefer a secure password manager to a good looking one. Both would be nice but first and foremost it should be secure.

        1. Pompous Git Silver badge

          Re: Better alternatives...

          @ Sgt_Oddball

          AFAICT Password Safe meets your criteria. Password Safe is FOSS so I would expect any vulns to be exposed quickly.

        2. DropBear

          Re: Better alternatives...

          @ Sgt_Oddball: as far as I'm concerned, security is a required feature, not a sufficient one. If I find something too unwieldy to use, I won't, no matter how super-safe it is. I'm not familiar with KeePass specifically, but I do know I'm sick and tired of 2017-edition apps that look dated even by Gingerbread / Win3.11 standards "because UI is just fluff, who cares about that, Real Men only need a CLI anyway"...

    3. PNGuinn
      Coat

      Re: Better alternatives...

      Store all your passwords and access codes in a manilla folder marked "Demolition notices" in a locked filing cabinet in a disused basement lavatory with a notice saying "Beware of the Leopard" chalked on the door ...

      I think I'll start keeping essential security info in a a camber pot under the bed. Is dampness / pong a security advantage?

      Security by obscurity and all that?

      Thank you - It's the one with the bottle of perfumed waterproof invisible ink in the pocket.

      1. VinceH

        Re: Better alternatives...

        @PNGuinn

        "I think I'll start keeping essential security info in a a camber pot under the bed. Is dampness / pong a security advantage?

        Security by obscurity and all that?"

        That's not security by obscurity - it's security by odorosity.

      2. mr_souter_Working
        Pint

        Re: Better alternatives...

        have a beer for the Hitchhikers Guide reference

        I am going to assume you mean to use a full (to the brim) chamber pot, and put your encrypted USB stick in a sealed bag inside it - no burglar or hacker is going near it (especially not after it festers for a few weeks) - of course, you may have to move out of your own home due to the smell... and obviously write the password down on the underside of the pot. :D

      3. caffeine addict

        Re: Better alternatives...

        I think I'll start keeping essential security info in a a camber pot under the bed.

        Presumably a camber pot is for when you're on the piss?

    4. AbortRetryFail

      Re: Better alternatives...

      @AegisPrime - yes that's what I do too although currently still on Dropbox but I'll look into sync.com now - thanks!

      I agree with comments that KeePass is rather clunky though. But it works well enough for me despite not being as slick and convenient as I hear LastPass is.

    5. Anonymous Coward

      Re: Better alternatives...

      Me too. In my opinion it's a serious risk to keep on using LastPass. Now using the really excellent Sticky Password (with a local network sync option rather than cloud if you prefer). For the really sensitive stuff like banking I'm using KeePass for the time being.

      1. Anonymous Coward

        Re: Better alternatives...

        Care to explain why it's a serious risk? This is no less secure than using Google Authenticator app separately, vault and contents are still nowhere near being exploited and - Much like KeePass, if they get your master password they're still in your vault. Alternatives like KeePass don't even have the capability to implement 2FA let alone have it exploited :-/

        1. Adam 52 Silver badge

          Re: Better alternatives...

          "This is no less secure than using Google Authenticator app separately,"

          With Authenticator your 2FA seed is held locally. With LastPass's version it's at LastPass and therefore vulnerable to an attack on LastPass.

          "Much like KeePass, if they get your master password they're still in your vault."

          No they can't, just having a KeePass password doesn't help you without the database whereas a LastPass vault can be accessed from anywhere worldwide if you know the password.

          " Alternatives like KeePass don't even have the capability to implement 2FA"

          Oh yes they do.

          "let alone have it exploited :-/"

          LastPass's authenticator leaves all your 2FA vulnerable, not just your LastPass vault.

          Oh, and whoever preferred the LastPass GUI to KeePass. Each to their own but you are weird! Why on earth would "add item" in a shared folder add a private item? Why do you have to add an item to a private folder, then find it, then click share to share it? Why is there no way to tell the difference between a genuine LastPass user and a random phishing address when sharing secrets? The list goes on.

    6. ProperDave

      Re: Better alternatives...

      I've always been highly suspicious of on-line storage services and password vaults, so I'm running my own private OwnCloud instance off a Pi at home. I've locked it down as best I can and keep it up to date, and I have a KeePass vault on it. Brilliantly the most popular KeePass app for Android supports opening a vault from OwnCloud as a data source. I'm really quite pleased, and now have most accounts online locked down with 32-char+ passwords.

      1. Adam JC

        Re: Better alternatives...

        Except of course the buffoons who insist on a ridiculously short max-char password (I'm looking at you, Microsoft...)

    7. leexgx

      Re: Better alternatives...

      I was trying to explain that using a service that stores all your 2FA auth codes is a very bad idea, as if someone gets into your account (in this case Authy) and has your username and password you can lose access to all your accounts.

  2. adnim
    Meh

    256 bit AES encrypted plain text file

    Several copies: local disk, RAID backup server and a couple of USB sticks.

    Use a pass phrase like a sentence of 30+ characters. "Why th@ fsck do ! n3Ed t0 b3 s0 P@r^noiD?"

    Why trust a third party? Trust no one.

    1. Anonymous Coward

      Re: 256 bit AES encrypted plain text file

      This is the answer I think. I use a GPG-encrypted TiddlyWiki but it's the same difference really. You can then sync it to everywhere with some impunity, and anywhere there's GPG and something that will read a TW (or, better, plain text) you can read it if you have to.

      1. Charles 9

        Re: 256 bit AES encrypted plain text file

        That's one reason people like us like KeePass. It already uses strong encryption by default, lets you use a file as a key, and it's FOSS.

    2. Orv Silver badge
      Coat

      Re: 256 bit AES encrypted plain text file

      Better type it by hand, then -- otherwise something might snoop it out of your copy/paste buffer. Wait, no, keyloggers...

  3. This post has been deleted by its author

    1. NonSSL-Login

      With all the database breaches the last few years, it's easy to spot and work out passwords for people who use these systems. I used such a system myself but now only use KeePass, considering myself wiser and more informed.

      As for LastPass... the major fails on their behalf make me wonder time and time again whether they work with a certain government agency or not to introduce these fails. I mean the way someone could pull your password for any site with an iframe and a /www.site.com/ directory was just too bad to be true. To give them the seed for 2FA... just no!

      The majority will still use passwords like march46131, doggie12 or moimeme though...

      1. This post has been deleted by its author

    2. VinceH

      As NonSSL-Login says, algorithms like those can be reverse engineered fairly easily. Also, the example you give using first/last or second/fourth letters brings with it a serious limitation in the total number of computed passwords, and there will likely be a number of password clashes.

      Stick with KeePass.

    3. Anonymous Coward

      Straightforward algorithms

      are, unfortunately, straightforward to break. There really is no substitute for an 'algorithm' which is 'pick n random (really random, not pseudorandom) symbols from a sufficiently large alphabet'. This isn't actually an algorithm technically, hence the quotes.

      If you pick your alphabet to be 'printable ASCII' and n sufficiently large this yields strong passwords which you can't remember. If you pick your alphabet to be /usr/dict/words and n to be rather smaller (because the alphabet now contains tens or hundreds of thousands of symbols, rather than a few tens) this yields passphrases which are both strong and easy to remember. This trick was publicised by Randall Munroe. Note: it matters that you pick the words randomly: do not use a natural language or anything like it.
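      The "pick n random symbols from an alphabet" scheme above, as an added Python example (not from this thread or any commenter): the same 80-bit target needs 13 printable-ASCII characters but only 5 words from a 100,000-word dictionary. The word list is a constructed stand-in for /usr/dict/words, and `secrets` draws from the OS CSPRNG rather than a user-space pseudorandom generator.

```python
import math
import secrets

# 95 printable ASCII characters (space through '~'): the alphabet of a
# conventional random password.
PRINTABLE_ASCII = [chr(c) for c in range(32, 127)]

# Constructed stand-in for /usr/dict/words; a real run would load that file.
# With only 16 entries each word contributes just log2(16) = 4 bits.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "donkey", "engine",
                "paperclip", "wrong", "anchor", "bridge", "cactus", "dinner",
                "eagle", "forest", "glacier", "harbor"]


def entropy_bits(alphabet_size: int, n: int) -> float:
    """Entropy of n symbols drawn uniformly and independently: n * log2(A)."""
    return n * math.log2(alphabet_size)


def symbols_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest n such that n symbols from this alphabet reach target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(n: int, alphabet=PRINTABLE_ASCII) -> str:
    """n uniformly chosen printable characters: strong, but not memorable."""
    # secrets.choice uses the OS CSPRNG; random.choice (Mersenne Twister) would not do.
    return "".join(secrets.choice(alphabet) for _ in range(n))


def random_passphrase(n: int, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """n uniformly chosen dictionary words: the Munroe-style passphrase."""
    # Each word must be picked independently at random, never from natural language.
    return sep.join(secrets.choice(words) for _ in range(n))


def compare(target_bits: float = 80.0) -> dict:
    """How many symbols each alphabet needs for the same strength target."""
    return {
        "printable_ascii_chars": symbols_needed(len(PRINTABLE_ASCII), target_bits),
        "diceware_7776_words": symbols_needed(7776, target_bits),
        "dict_100k_words": symbols_needed(100_000, target_bits),
        "sample_16_words": symbols_needed(len(SAMPLE_WORDS), target_bits),
    }


if __name__ == "__main__":
    print(compare())
    print(random_password(13))
    print(random_passphrase(5))
```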

      1. Charles 9

        Re: Straightforward algorithms

        Even phrases become hard to remember past say ten or twenty sites. I always put it like this: "Was it CorrectHorseBatteryStaple or DonkeyEnginePaperclipWrong?" Especially if you refuse to leave grammar clues.

    4. Just Enough

      Not secure

      Everything about a "straightforward algorithm" is not secure by definition.

      "needs multiple passwords to at least stand a chance of figuring out how you build it, and every password is different..."

      .. but once someone has figured it out they have easy access to everything. The sad fact is that there are plenty of websites with shockingly bad security where your "straightforward algorithm" could be exposed, and you're saying maybe only two or three leaks would be enough to totally compromise every account you have?

      And using numbers in place of letters also ceased being a secure way of writing anything at least 15 years ago.

  4. Malcolm Weir Silver badge

    One challenge for those of us (like @Frank Long) who have devised a cunning scheme for generating passwords is that some total toss-winglers arbitrarily set moronic rules in the naive assumption that it improves security by increasing the sample space.

    Some of my favorites (read: "some of the first to go against the wall when the revolution comes") include those who only allow an arbitrary subset of special characters: so maybe "-" is allowed, but not "/", "%" but not "$", and so on.

    1. Number6

      If you look through the list of sites where I've had to reset the password, it's invariably the ones that try to impose a 'one of everything' rule. I guess I could learn to try 'expected password' and 'expected password plus this particular special character' before giving up, but normally it's try the password, try it again more slowly and carefully, then give up before the third failure locks the account.

    2. scrubber

      "an arbitrary subset"

      It may not be arbitrary, their backend system may be so poor that the ! character will break into a shell command, or a % will allow you to execute SQL.

      Never underestimate how crap some systems are or how stupid people are.

      1. Steven 1

        Re: "an arbitrary subset"

        Back in the day to change your password on Santander's site you'd have to enter your existing password all in upper case for it to accept it. Even though my actual password was upper and lowercase.

        Very worrying. I ceased having anything to do with them shortly after pointing that out and them not realising the significance of the problem. No idea if that's still a 'feature'.

    3. Anonymous Coward

      include those who only allow an arbitrary subset of special characters: so maybe "-" is allowed, but not "/", "%" but not "$", and so on.

      My favorite gripe here is inconsistent handling of ASCII control characters, especially ^C ^V and ^U. I've seen several cases where the password-change prompt will accept ^U as a valid character, but the login prompt will interpret it as an ASCII NAK control input, promptly erasing the input so far. Much hilarity ensues.

    4. gnasher729 Silver badge

      "One challenge for those of us (like @Frank Long) who have devised a cunning scheme for generating passwords is that some total toss-winglers arbitrarily set moronic rules in the naive assumption that it improves security by increasing the sample space."

      As an example, the Safari browser can suggest reasonably safe passwords that look like ABC-DEF-GHI-JKL-123 or something like that. Random obviously and not in alphabetical order. HMRC doesn't like it. First, it needs at least two digits (quite often these random passwords have only one) and it definitely doesn't like the hyphens. What's worse, I think (but I'm not 100% sure) they changed their rules, and my old password wasn't accepted anymore.

      I think the first step would be to check what passwords from popular and safe password generators look like, and always accept those.

    5. Ben Tasker

      include those who only allow an arbitrary subset of special characters: so maybe "-" is allowed, but not "/", "%" but not "$", and so on.

      Yep, it's one of my bugbears too, but actually, so are the majority of complexity rules - especially when the buggers don't tell you what they are ahead of time.

      Mind you, there's quite a lot wrong with a lot of things people think are "standard practice", or that they will improve security.

      Making it harder to come up with an acceptable password doesn't automatically make those passwords harder to crack, the rules often make it easier because they exclude a huge number of (otherwise) acceptable passwords.

      1. Whitter
        Paris Hilton

        Reuse security?

        I have occasionally wondered if the more obscure rule sets imposed by some sites were more to do with avoiding password reuse (and therefore potential breach from any half-assed site the user has a password with).

        Mind you, the 8-character maximum limit from Virgin Media is just madness.

  5. Anonymous Coward

    "Nothing can go wrong with this"

    There seem to be two clear factions: Those who believe pen and paper is decrepit, inflexible and open to abuse from someone close to you unless a cipher gets used. Then there's the camp who believe if it can be hacked - it will.

    Pity there's no stats to see who will be proven right. But whatever your dogma, probably best if we don't all march off a cliff to the Cloud. Face time at banks / financial institutions is still worth something! Think 2016 Tesco bank hack!

    http://www.itproportal.com/features/lessons-from-the-tesco-bank-hack/

    1. Ben Tasker

      Re: "Nothing can go wrong with this"

      Those who believe pen and paper is decrepit, inflexible and open to abuse from someone close to you unless a cipher gets used. Then there's the camp who believe if it can be hacked - it will.

      The two aren't mutually exclusive. It's about assessing the risk you're trying to counter.

      Whilst it'd be easy for someone nearby to nab your password book and take photos, it requires physical proximity, so as long as you're actually securing the book you've probably got a low risk of that happening (outside of being deliberately targeted). Post-it notes on the back of your keyboard are another matter though, as you've not taken steps to secure them.

      Stored online, on the other hand, there's no physical proximity required and anyone with an internet connection can have a go (though not all will have the ability to be successful). It takes away the advantage of physical proximity (leaving aside people shoulder-surfing your master password) but opens the number of possible culprits from a select few to potentially billions of people.

      There's also another risk inherent with trusting a third party with your credentials - they might, without malice, make a mistake that leads to credential leakage. That's another risk that isn't present with a little book of passwords.

      To be honest, I see it more as a convenience trade-off than a security decision. If passwords are in a little book, and you haven't got that book with you, you're out of luck. If they're online, then you can get at them any time (the problem being, that others could too).

      If you were after ultimate password storage security (with convenience not being a consideration), you'd generate long random passwords, write them in a book and lock that book in a safe that no-one else can open. Of course, you're screwed if you need a password while at work, or if the house burns down.

      Cloud based password managers are still better than memorising (and re-using) a small number of less complex passwords, but anyone who tells you they're more secure than pen, paper and a little bit of effort is an idiot.

      1. Anonymous Coward

        Re: "Nothing can go wrong with this"

        Agreed, but non-cloud based managers trump all - see KeePass with mobile app, where you store an encrypted file on your own flavour of cloud storage.

        If your cloud storage credentials are exposed, your password file is still (hopefully) encrypted with other more complex credentials. Also targeted attacks would have to break two authentication walls, one being 2FA cloud to get to your passwords.

        Why trust one login to a single cloud provider with all your logins seems nuts to me.

        1. Ben Tasker

          Re: "Nothing can go wrong with this"

          > Agreed, but non-cloud based managers trump all

          Nope, you're still trading security for convenience there.

          As others have said, a single keylogger (or malware targeting password lockers) and you're toast.

          They're better than a purely cloud-based storage solution, sure, but don't compare to the security of a properly secured offline record.

          Whether it's worth that trade, of course, is something else - I'd argue it should actually vary by the importance of (and ramifications of losing) the password. Social media logins and stuff? Get a bit of convenience. Credentials to access your life savings? Maybe give up a bit of that convenience.

          > Why trust one login to a single cloud provider with all your logins seems nuts to me.

          Me too. Not to say that LastPass haven't put an impressive amount of effort into trying to ensure that a compromise of them doesn't mean a compromise for you, but it's still an exorbitant amount of trust to place in a 3rd party.

          1. Orv Silver badge

            Re: "Nothing can go wrong with this"

            Whether it's worth that trade, of course, is something else - I'd argue it should actually vary by the importance of (and ramifications of losing) the password. Social media logins and stuff? Get a bit of convenience. Credentials to access your life savings? Maybe give up a bit of that convenience.

            That's where I am. I use LastPass for all the random stupid passwords shopping, commenting, and social media sites want. But my bank password is only in my head.

    2. Anonymous Coward

      "non-cloud based managers trump all"

      ...."see KeePass with mobile app, where you store an encrypted file on your own flavour of cloud storage"....

      Sure, every account got hacked @ Yahoo etc. If that ever happens to a Cloud based Password-Manager it'll be a serious clusterfuck! Especially if users only find out years after because LastPass etc is taken over, and corporate due diligence means they must fess up!

      However, if any of your devices with KeePass gets hit by keyloggers / slurp-happy Malware, won't you be screwed too? Example: WAGS borrows your device in the car to look up directions to 'Hotpoint'. Hotpoint site gets compromised again... Game-Over, no???

      1. Charles 9

        Re: "non-cloud based managers trump all"

        "However, if any of your devices with KeePass gets hit by keyloggers / slurp-happy Malware, won't you be screwed too? Example: WAGS borrows your device in the car to look up directions to 'Hotpoint'. Hotpoint site gets compromised again... Game-Over, no???"

        If a point of entry gets pwned, you're screwed no matter what. Things like KeePass at least make it hard to pwn you OUTSIDE the point of entry. If LastPass gets hacked, you can get pwned outside the point of entry.

  6. big_D Silver badge

    Banking

    A comment in the article mentions the bank sending a code - mine doesn't, I need to generate a unique token using my debit card and card reader, plus the payee account number and the amount. This generates a unique code, which is used to verify the transaction. This is, for me, real 2 factor authentication.

    1. Anonymous Coward

      Re: Banking

      Every time I use my bank's 2FA code generator device - I make sure that all the numeric keys are pressed an equal number of times. Even if someone gets hold of the keypad and card - they can't do any wear analysis to work out which set of numbers are used. The pin is only in my head and that card is never used outside the house.
