Java? On iOS?
This article makes much more sense if you replace every "Java" with "Javascript".
Researchers have detailed a series of quickly patched vulnerabilities in five popular password managers that could allow attackers to steal user credentials. "Critical" vulnerabilities were discovered and reported in LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword in work described by the University of California …
Yes, Pauli got that completely wrong, and the Reg editors failed to catch it, which is doubly embarrassing. No IT site worth its salt should commit the Java / Javascript error twice in an article. (Once could conceivably be a typographical error.)
For the record, the paper mentions "Java" exactly zero times. (The authors use the unfortunately Pascal-cased "JavaScript", when they should be using "Javascript" or, better, "ECMAScript", but at least we know they're talking about the right language.)
I guess we're lucky Pauli didn't tell us the problem was with password safes for "the Google".
Sorry but I cannot think of any "nicer" term to describe them. This was always going to be an issue. I was wondering how long it'd take since LastPass became popular for things like this to be "discovered" or even exploited.
KeePassX is really the only password manager you should even place a little trust in, it at least being opensource and all and more importantly, not online and doesn't contain "fancy" convenience features that are basically more gateways for exploitations.
That and never use password managers on a mobile device. Good ole desktop that is properly maintained is the only computing terminal you should even consider could be safe, and I'm not being paranoid given what's been happening for the past 6 or so years.
[quote]
Store your db on Dropbox or Google Drive and use KyPass for iOS.
[/quote]
Please tell me you were joking.
First rule of passwords: never give them to anyone else. That includes putting them on someone else's server, even if the passwords are encrypted.
Re the article itself. I note this is for the web-based versions. I'm hoping the desktop local versions of the various managers are in a better state.
*I still haven't gotten round to testing out 1Password yet, but I will eventually.
"Please tell me you were joking."
Please tell me you were joking.
For personal password management, dropbox losing your keepass db and then having your db cracked is hardly a major concern. All of the instances of people I know getting hacked have involved layers of horrifying security practices - guessable passwords, failing to log off, physical access. For highly sensitive data the whole discussion is moot. No USB no mobiles, and also no dropbox, obviously. But most of our passwords are of the more boring sort anyway.
[quote]
First rule of passwords: never give them to anyone else. That includes putting them on someone else's server, even if the passwords are encrypted.
[/quote]
You mean like my FB password on FB servers?...or LinkedIn - or El Reg, all my banks and financial institutes, Amazon, Ebay...
With a Password Manager at least I now use different passwords for everything which I didn't do before.
Everything comes with risk, surely the question you need to ask yourself is how acceptable is that risk, and I daresay that will be different for everyone.
[quote]
You mean like my FB password on FB servers?...or LinkedIn - or El Reg, all my banks and financial institutes, Amazon, Ebay...
[/quote]
:p
I think most people understood my comment to be about stored lists of passwords on things like cloud servers, and not about the individual password that has to be sent to a specific server to access the service(s) on it...
>Store your db on Dropbox or Google Drive and use KyPass for iOS.
What you meant to say was "Store them in your own private ownCloud server, and only allow access to that server on the LAN, then have the ownCloud client and KyPass on your phone"
As it happens no. USB devices are not forbidden. That could change of course.
Also valid point about tablets/phones. I have considered password managers that are multiplatform in which case I could sync when required (or use UTG on the phone/tablet).
I didn't in any way mean USB stick would be perfect solution, just that for me it works and is preferable to storing somewhere outside my control. I do appreciate not everyone is in the same situation.
"And what good would that do me when I'm away from my desk?"
Using a random computer to access a secure asset or system is a bit like asking a random stranger to help you key in your PIN at an ATM; your systems may be squeaky clean but does your friend's/colleague's/internet café's computer have a key-logging trojan sitting there waiting for your credentials?
How do you know your desktop is secure? Did you compile everything from source that you'd read through? Are you sure your compiler is secure and not silently patching in exploits?
Maybe your mobile phone is listening in when you type your master password and guessing what it is?
I'm content to rein in my paranoid impulses and let someone else look after my passwords for me. The most I can lose is *all* my money, which isn't much.
Anyone - and that includes most of the people contributing to this thread - who makes blanket statements about what is and is not a "safe" or "secure" practice without specifying a threat model is a sophomore whose opinion on the matter is worthless.
this information is very old. If it was thesis research, then it took a long time to get it written up and published. If LastPass fixed their bookmarklets problem nearly a year ago, then it sounds like this really was a kick in the pants for the password vault industry last year, as opposed to something that vault users should panic over.
Thanks to the boffins for doing the research. I use a password manager myself. @AC I know that having a unique password for the 300+ sites I use is better than having 4 passwords for everything per my previous solution. Using a password manager puts me in a much better place than I was before, where I'd have a password get compromised and have to change my password on 50 websites. This has been the year of password compromises for me. 3 major companies I did business with allowed my password to be compromised and another two might have. I've few worries about using a password manager on a mobile device as on android, proper security can be installed. Lookout Mobile Security is a good one.
I never have been able to make sense of this obsession with sharing. It seems that every app in the world has to have an option to share something or other and makes a big deal about it. Evernote went on and on about how you could share your notes with Facebook. Is that something that's going to be used THAT often? OneNote on Windows Phone seems to think you're more likely to want to share your notes than format them. LastPass also bigs up sharing.
No. I don't want to share personal stuff.
Also, access to websites such as LastPass should always be two-factor (but not the PayPal way because that's just silly).
I have to disagree with the statement "don't share. Nothing is stopping you." I'm seeing more and more reports and discussions (per the following link) where details shared via social networks are an expectation, and I can only see this getting worse, not better.
http://www.forbes.com/sites/deborahljacobs/2011/10/11/what-to-say-on-linkedin-when-youve-been-laid-off/
This is a single example (and I agree a fairly poor one). I have also read on forums where someone states that they do not want to share those details online - and I, for one, can relate to that - to which the response was "Well, you shouldn't expect to get a job unless your shared details verify your CV".
As for personal experience, my last employer actually complained that they could not find me on Facebook or LinkedIn before I joined the business. I guess some of the privacy settings DO actually work.
Please do tell me again how people with no interest in sharing are not affected by that craze, while I'm waiting for dozens of seconds for the eleventy-billionth time for a non-responsive webpage to render, considering the non-responsive part invariably turns out to be one or more of those lovely "share" buttons from everybody and their uncle somewhere at the bottom of the page (but one absolutely can't even scroll the damn page until those - and the damned analytics - are fully loaded!). Or more exactly, that's what kept happening before I discovered that Adblock Plus can also get rid of that sort of filth for me. Pure bliss, I tell you!
But if you wish, we can also discuss how every bloody Android app just needs permission to full network access for its latest built-in sharing features, scuttling my efforts to stay no more vulnerable than I absolutely have to...
I think the sharing feature in LastPass is for teams of people to share passwords together. As opposed to the current system in most places I've ever worked of having individual logins, and then the exact same root password on pretty much everything. And not a complex password either.
You have important passwords, and very important passwords. Just because they are passwords doesn't mean you should treat them all in the same way!!!
I save passwords for many websites and other services (e.g. El Reg) in one of the above. What's the worst that can happen - someone can compromise my account and post as me online.
I keep my very important passwords in a completely different manner.
As has been said many times before, security is about layers - you're more secure the more layers of protection you have.
Very sensible advice. My collection of passwords for sites that force me to "create an account" so I can order some cat litter (really!) is low priority.
Everything else is written in Ancient Sumerian and kept under the doormat with the front door key.
Velv (posting as Zog_but_not_the_first)
With the ridiculous number of passwords you seem to acquire for the web these days, I'm extremely grateful for the convenience of the Lastpass + Yubikey combination for run of the mill sites of little consequence; the alternative of recycling passwords seems like a greater evil. But with it being browser based, I just can't quite bring myself to use it for anything where compromised passwords would cost money or have real consequences; that inner voice of long honed scepticism just screams "don't do it!" every time I curse the contortions of getting my payment details.
It's really starting to get overdue for a solution that gut instinct tells you is good enough for all your passwords. Password cracking gets better by the day and the necessity of strong unique passwords and increasing need for portability suggest we need something more ironclad / confidence inspiring than exists at the moment.
Nathan-
You're the reason cutpurses still exist! Chew on that.
Seriously, I'm interested. As a Septic, I wonder what counts as a 'purse' for a fellow across the pond these days? I just can't get the picture out of my mind of a leather pouch with a drawstring hanging from your belt next to your dagger and longsword.
...Cirdan...
p.s. thanks for the password card idea/reminder. awesome.
Stored in my face.
I generate them by repeatedly smashing my face on my keyboard.
Then when I need to login I just keep smashing my face on the keyboard until it lets me in.
I'm still trying to log into my gmail to click the confirmation link so I can get into facebook 4 years after I signed up. I can't wait to get in and show everyone a picture of my battered toothless face.
This is a reason I use a password generation tool (PasswordMaker, to be precise) rather than password storage - the tool, given the master password and the domain you're trying to access, generates the password you'll use to log in. You never need to store that password, as all you need to find out what it was is the master password and the domain (along with the settings you use - e.g. which hashing algo, password length and which characters are acceptable), and the master password never leaves the device.
It allows per-domain specific settings overriding elements of the defaults, too - so if a site you used it for is compromised, you can create a custom config for that site which causes the password generated to be different to what it was before.
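The stateless scheme described in the post above, as an added illustration that is not PasswordMaker's own code or algorithm: a per-site password is derived from the master password, the domain and a non-secret per-site profile, and a per-domain counter override rotates a site's password after a breach without changing the master. The profile keys, the salt layout and the PBKDF2 parameters are assumptions chosen for this example.

```python
import hashlib
from typing import Optional

# Added illustration, not PasswordMaker's actual algorithm: a stateless
# per-site password derived from a master password plus the domain and a
# per-site profile. Only the master password and the (non-secret) profile
# settings need remembering; the derived password itself is never stored.

DEFAULT_PROFILE = {
    "length": 16,
    "charset": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%",
    "counter": 0,  # bump for a domain after a breach to rotate its password
}

def derive_password(master: str, domain: str,
                    overrides: Optional[dict] = None,
                    iterations: int = 200_000) -> str:
    """Deterministically derive the password for `domain` from `master`."""
    profile = {**DEFAULT_PROFILE, **(overrides or {})}
    charset = profile["charset"]
    length = profile["length"]
    # Domain, counter and charset are bound into the salt, so changing any
    # of them yields an unrelated password without touching the master.
    salt = f"{domain}|{profile['counter']}|{charset}".encode()
    # PBKDF2 makes offline guessing of the master password expensive if a
    # single derived password ever leaks from a compromised site.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=64)
    # Treat the 512-bit key as one big integer and peel off base-len(charset)
    # digits; with 512 bits the modulo bias is negligible for these lengths.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(charset))
        chars.append(charset[idx])
    return "".join(chars)

def rotate_after_breach(master: str, domain: str, profiles: dict) -> str:
    """Per-domain override: increment the counter stored for `domain` in the
    user's (non-secret) settings and return the freshly derived password."""
    site = profiles.setdefault(domain, {})
    site["counter"] = site.get("counter", 0) + 1
    return derive_password(master, domain, site)

if __name__ == "__main__":
    # Constructed sample settings: one site restricted to lowercase + digits.
    settings = {"example.org": {"length": 12,
                                "charset": "abcdefghijklmnopqrstuvwxyz0123456789"}}
    print(derive_password("correct horse", "example.org", settings["example.org"]))
    print(rotate_after_breach("correct horse", "example.org", settings))
```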