back to article LastPass in 2FA lock down after 'fessing up to phishing attack

Cloud castle for passwords LastPass has introduced mandatory sign in requirements for all new devices after security researcher Sean Cassidy dropped code allowing criminals to plunder vaults with mirror-perfect phishing attacks. As of today, users who set two factor authentication will need to hop to their registered email …

  1. TXITMAN
    Coat

    Never saw this coming

    Sharing your passwords on the Internet will always be a bad idea.

    1. Novex

      Re: Never saw this coming

      Agreed. That's why I use KeePass/KeeFox. No online element unless I choose it, allowing me to manage my passwords locally, not someone else on some cloud somewhere.

      1. Abacus

        KeePass Cross Platform Synching

        My wife, my two teenagers, and myself are all LastPass Premium subscribers. This has worked very well until now as we move between our communal collection of Windows, OSX, IOS and Android devices.

        Both myself and one teenager are computer literate and wouldn't have issues with the KeePass-Dropbox shuffle.

        The other two household members aren't so hot. If they have to come to grips with KeePass AND Dropbox I can see them quickly giving up on the whole thing and going back to the bad old days of recording passwords in notebooks/address books/on the backs of envelopes.

        Are their any decent self-synching options out there?

        1. clanger9

          Re: KeePass Cross Platform Synching

          Yes: 1Password does subscription-free cross-platform self-sync, with the password vault stored in a place of your choosing.

          No vested interest (other than being a happy customer). Sure to be other options out there.

        2. alexdonald

          Re: KeePass Cross Platform Synching

          https://keepass2android.codeplex.com/ - android Keepass2 client that you can give access to an app folder in your dropbox account. There is a non-network access version in the Play store that you can use if you're paranoid, or a networked version if you wish to trade a little security for convenience of sropbox sync.

          Set up the desktop application to read/write directly to the Keepass2 file stored in the app folder in your dropbox folder on your PC/Laptop/MacBook/Mac/etc...

          Can't help with iOS, sorry.

          Slightly more advanced:

          http://keepass.info/download.html - use the portable version of Keepass2 to allow access to your passwords on a USB stick. I have yet to find an acceptable dropbox add-on for the main application, so this route requires the odd synchronisation between the USB stored file and the dropbox version (Ctrl-R works really well for me, no problems so far).

        3. Adam 1

          Re: KeePass Cross Platform Synching

          > going back to the bad old days of recording passwords in notebooks/address books/on the backs of envelopes

          To be honest, that wouldn't overly bother me, assuming the said notebooks/address books/etc are not in some share house or on airbnb or something. The more likely regression I can imagine is the bad days of using the same credentials for all their online services, meaning the moment that one of these does a talk talk, all your accounts are compromised.

    2. Mark 65

      Re: Never saw this coming

      To be fair they've had 2FA for quite some time. If you choose not to use it for your convenience then you should be aware how it weakens the security of your centrally stored data. I have KeePassX but find the idea of using that at home, work, and mobile to be next to impossible.

    3. Anonymous Coward
      Anonymous Coward

      Re: Never saw this coming

      But lastpass is easy, and safer than my father in laws method of using fido21 for every single password.

  2. This post has been deleted by its author

  3. Abacus

    F**k LogMeIn

    How long have LogMeIn owned LastPass?

    After LMI's terrible screw-up of the LastPass interface I was going to ask how long would it be before LMI totally forked-up LastPass beyond all recognition.

    That question is now redundant. It's Symantec /Norton (or Symantec/Xtree for those of my vintage) all over again.

    So, LastPass is now, effectively, history.

    What password manager to use now?

    No votes

    1. anothercynic Silver badge

      Re: F**k LogMeIn

      1Password. KeePass. DashLane.

    2. phuzz Silver badge
      Stop

      Re: F**k LogMeIn

      This wasn't a problem caused by logmein (as much fun as it is blaming them for everything). This is a problem brought about by keeping the password manager as a browser plugin.

    3. Malcolm 1

      Re: F**k LogMeIn

      The potential for this sort issue to occur has existed forever, certainly long before the LMI takeover. The LastPass UI has always been a bit of a shonky mishmash of browser prompts that would lend themselves to spoofing. But then again, what other facilities are there for a browser plugin to display UI? I've always felt that Chrome should do a much better job of distinguishing "trusted" extension UI from general internet content. The only visible difference is the URL which is hardly obvious as this attack demonstrates.

      I see no relevance to LMI takeover, apart from your obvious axe grinding. FWIW I prefer the refreshed UI.

      1. JCitizen Bronze badge
        Coffee/keyboard

        Re: F**k LogMeIn

        From what I understand it is Chrome's insistence in using viewport in the browser that make it particularly easy for the attackers. What I'm trying to find out is if the spoof is separate from the browser session; if it is not, then IBM's Rapport end point security could defeat it from happening in the first place. If it is separate malcode throwing up the box, the next question is will Keyscrambler work against it like a keylogger? This is what I'm trying to find out from Lastpass. They have an obligation to notify users of these threats, and they fell down this time. I'm going to hold them to determining of there are any other mitigations besides the improvements in version 4.0 and 2nd factor settings in the vault.

  4. Anonymous Coward
    Anonymous Coward

    password-store, if you are geeky enough to understand gpg.

    http://www.passwordstore.org/

    http://git.zx2c4.com/password-store/about/

    https://github.com/zeapo/Android-Password-Store

    Anyway, there was a roundup here:

    http://m.theregister.co.uk/2015/12/02/password_manager_get_out_options/

  5. John Doe 6

    Different font and font on [Log In] does not match font on the rest of the form... and the arrow in the emai field looks fishy.

    Both can be however due to browser settings or a missing font so it is very well made.

  6. jzl

    Simplicity

    Most people (commentards excepted, of course) don't know how to use a computer. As in, they can browse the internet and use Microsoft Word, and that's it.

    The problem with Keepass is that it requires you to not be one of those people. LastPass is simple and that makes it automatically better than Keepass because people will actually use it.

    The real alternative to LastPass isn't Keepass or anything else. The real alternative is post-it notes and "password123" in a hundred places.

  7. Bbbbit

    A real shame - a good product

    I ditched Lastpass (which I loved) after doing some research on LogMeIn's style of business and track record (and suspicions confirmed when the takeover news coincided with the 'export to csv' option being canned from Lastpass). Eventually settled on KeepassX - MiniKeepass across my iOS / OSX / *nix/ Windows devices. Although I felt I had to make some compromises (syncing kdb via GDrive) I must say I feel I have made the the best of a bad job and it works without too much inconvenience. I cannot see anyone I know bothering to jump through the hoops though; I just do not think any of my nearest and dearest give a tinker's cuss about information security. I am sure I'll get the tearful phone call when someone finds an astronomical Amazon bill bought out of Kazakhstan.

    1. Donn Bly

      Re: A real shame - a good product

      Just to verify, why do you say that "export to CSV" was canned in LastPass? I still use LastPass, and I just checked and verified that the option to export to CSV is still there.

      As a LogMeIn user, I wasn't too happy that they killed off the free edition, however, since I had a mix of free and pro they upgraded all of the free clients to pro for a year for no charge. Sometimes you have to take the bad with the good, but if you are going to preemptively trash a product because you THINK that they might change something then you are never going to use anything.

    2. Anonymous Coward
      Anonymous Coward

      Re: A real shame - a good product

      "the 'export to csv' option being canned from Lastpass"

      Still works for me. When did it go missing for you?

  8. Anonymous Coward
    Childcatcher

    Come on MSFT!

    I for one would welcome MSFT creating a password manager as part of Windows 'Hello' that will keep all my information secure in Azure

    1. Anonymous Coward
      Anonymous Coward

      Re: Come on MSFT!

      I for one would welcome MSFT creating a password manager as part of Windows 'Hello' that will keep all my information secure in Azure

      Guessing that's either with your black hat on, or I just missed your sarcasm? :)

    2. joed

      Re: Come on MSFT!

      Safe/convenient until someone got into your MSTF account. BTW, MSFT keeps keys to your stuff as opposed to LastPass, so "thanks but no biscuit" (I agree with Anonymous Coward's comment above).

  9. ZenCoder

    Last pass didn't remove the export option.

    I export weekly to .cvs, put that into an strongly encrypted archive then drop in into my dropbox and google drive accounts. I'd have noticed if they dropped the export option.

  10. Syntax Error

    Yet another fail by the IT industry.

  11. allthecoolshortnamesweretaken

    I currently use around 25 passwords and PINs, and I permanently store them in my brain. What's wrong with me?

    1. Anonymous Coward
      Anonymous Coward

      You clearly don't surf the web enough. 173 passwords and counting here... :-)

      1. Novex
        Coat

        Only 173...?

    2. jzl

      My LastPass vault has 156 passwords in it. They're all between 15 and 20 characters and different so that if one site gets compromised, the vulnerability doesn't spread. I need to be able to access them anywhere, including other people's computers from time to time.

      I don't suppose there are more than few dozen people in the world who have the memory to manage that without a password manager.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021