back to article Password management site plugs info-leak bug

Password management site LastPass has plugged a security hole in its website that created a means to extract the email addresses - though not the passwords - of enrolled users. The cross-site scripting bug meant that logged-in users induced to visit a malicious site would disclose their email addresses and sites associated …

COMMENTS

This topic is closed for new posts.
  1. Yann BZH

    Firefox saved passwords?

    Just wondering, how is that better than Firefox's saved passwords and Master password, especially if you're using the Firefox sync extension to sync your passwords on several machines?

    1. NG

      How it is better...

      It is cross platform and multi browser - a bit like Xmarks which LastPass now control.

  2. dotdavid
    Thumb Up

    How it should be done

    The way they've handled the fix is admirable in my opinion.

    1. Anonymous Coward
      Alert

      If only

      If they had been competent the incident would not have happened at all.

      So,

      FAIL

      1. Jason Hall

        @AC

        Yeah - that's right. A piece of their code had an error in it.

        Are you so fucking idiotic to think that no code has errors in it?

      2. Chris007
        FAIL

        you sir are an idiot.

        title says it all.

  3. Steven Knox

    Not an Architectual Problem

    It's a problem in the principle, not the architecture.

    cf. Eggs v Basket

  4. Framitz
    Flame

    Anyone ?

    Anyone stupid enough to trust such important information to the cloud?

    1. trarch

      Re: Anyone ?

      Presumably you're one of the people who would also call people out for the use and reuse of simple passwords.

      I'm going to go out on a limb and assume that I am not the only one who uses a variety of machines, operating systems and browsers.

      This requires some form of central management for passwords, given that they are long and randomly generated and I lack the ability to remember them. The alternative is for me to not have access to sites/services.

      Off the top of my head, I think there are only two ways for this to be achieved. One is the 'local' option - carry a USB stick with you everywhere you go, with a password manager on or a portable browser with the passwords stored in it.

      As everyone well knows, it's easy to forget to bring your USB stick with you, or even lose it.

      The former is an inconvenience. The latter is a disaster.

      The other is the 'cloud' option. This has the same pitfall as the first option - all eggs in one basket. However, I'd hazard a guess at saying the chance of losing a USB stick is greater than the loss of cloud data.

      With this option, it doesn't matter if your machine dies or is stolen as your passwords are all online, readily accessible for you on another machine.

    2. Bibbleq
      Thumb Up

      information in the cloud?

      If you look at how Lastpass actually works it only stores the encrypted data in the cloud. All encryption and decryption of your passwords happens on the local client.

      Lastpass also take this kind of stuff seriously, you can use multifactor authentication to access your account (Yuibikey or they have even developed a "one time" password grid system). I use a hybrid system of lastpass and keepass. The advantage of having everything sync nicely arround my pc's is great (I use mesh to sync my keepass database).

      1. Yann BZH
        Thumb Up

        An interesting alternative to passwords

        is passfaces (http://www.passfaces.com). No need to remember multitude of complex passwords, just use your brain to recognise faces. Simple and secure.

  5. ttuk

    risk vs convenience

    It's all a matter of assessing risk isn't it..

    I cycle to work rather than getting public transport because I feel that the time saved and benefit to my health outweighs the greater risk of my being involved in an accident while commuting.

    As has been said, only a USB stick style system (or an incredible memory) is really more secure when you need to have unique non dictionary based passwords made up of upper/lower case, numbers and symbols and that has weaknesses of being, lost / stolen / put through washing machine.

    On top of that since the (de/en)cryption happens locally its only ever encrypted data that goes into the cloud. And the exploit discovered was not even able to get hold of that, just email addresses.

    finally, I know that all really critical sites I use ie, banking, have more secure login systems that require me to enter additional information from dropdown boxes or use a card reader, this isn't in my lastpass info so even if someone did get hold of my password they'd still need physical access to my card / my brain..

    low risk

This topic is closed for new posts.

Other stories you might like