Zero-day hole can pwn millions of LastPass users, all that's needed is a malicious site

A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which The Register has been told can completely compromise user accounts. Many millions of people can right now be compromised by merely visiting a malicious website using Firefox with LastPass's software installed, we understand. This …

  1. Pascal Monett Silver badge

    Beware the true geek with a keyboard

    This guy is the quintessential geek. He doesn't look like much, in his pic he seems the shy, quiet kind of guy, but give him a PC and Internet access and hang on to your hat 'cause there will be a storm.

    And he even gets to work with cute geekettes !

    Hats off to such mastery.

    1. Anonymous Coward
      Anonymous Coward

      Re: Beware the true geek with a keyboard

      If he's in Switzerland, surely he'd use SecureSafe?

  2. Tony Paulazzo

    cloud password vault

    The weak link is one of the words above. First right answer wins the internet for a day. Hint: For fucks sake!

    Hint 2: Keepass can be kept off the internet, can be used on iOS, Android & Windows (not sure about Linus*), and is free.

    * Security blanket :)

    1. Anonymous Coward
      Anonymous Coward

      Hint 2: Keepass can be kept off the internet, can be used on iOS, Android & Windows (not sure about Linus*), and is free.

      https://www.blackmoreops.com/2015/11/04/anti-hacking-tool-got-hacked-keefarce-can-break-your-keepass-password-safe/

      That is all.

      1. Charles 9 Silver badge

        That doesn't attack the safe itself (meaning it can still be put in like a Dropbox). It attacks the running process which puts you in the same situation as simply getting pwned, in which case all bets are off anyway.

    2. zanshin

      KeePass works on Linux. To my great surprise, you can actually directly pass the KeePass Windows binary's path to the "mono" command and it will work, as long as you have the right runtime libraries installed.

      Unfortunately, most of the KP file synch plugins don't seem to share that cross-platform mojo, in my experience.

      With regards to KeeFarce, if something has the permissions needed to manage DLL injection, you are almost certainly well and truly hosed no matter how securely the KeePass application was written. Someone is running processes on your local machine as you or as an admin. Someone gaining this level of access for the express purpose of obtaining your passwords will likely be able to pop *any* password management scheme where you actually access the password repository on that machine.

      1. JakeMS

        If you're on Linux you don't need to do the whole mono thing.

        You can just use KeePassX:

        https://www.keepassx.org/

        1. Anonymous Coward
          Anonymous Coward

          Personally I keep my KeePass files on a Corsair Padlock 2 usb stick.

          1. Captain Scarlet Silver badge
            Paris Hilton

            @AC Hopefully with a backup somewhere?

            Because I've accidentally and violently destroyed several of my USB sticks before

            1. Anonymous Coward
              Anonymous Coward

              "Because I've accidentally and violently destroyed several of my USB sticks before"

              Ymmv of course :)

            2. Chris King

              "Because I've accidentally and violently destroyed several of my USB sticks before"

              Hello, little USB sticks. I'm Death Incarnate.

              Best one had to be the poor little stick that got squished under the wheels of a 20-ton bendy bus.

              "Pancaked" didn't even begin to describe the remains.

            3. Swarthy
              Joke

              Because I've accidentally and violently destroyed several of my USB sticks before

              You need to be more careful with those cooling hammers.

        2. zanshin

          @JakeMS, I looked at KeePassX, but since it seems to have no plug-in support, there wasn't an obvious advantage to using it. (Perhaps not installing mono would count as an advantage for some, but it was already installed on my machine.)

    3. GoatFace

      The big draw for Lastpass is twofold: 1. Having your passwords available wherever you are. 2. Having Lastpass fill them in for you on webpages.

      Lastpass is also good in that I don't have to keep entering my master password every time I fire up my PC, only when I move to another device.

      Keepass may be more secure but it's a heck of a lot less convenient and more damaging to workflow.

      Lastpass ain't perfect, and this is a worrying report. But if there's something better than Lastpass out there I've yet to find it.

      1. Aedile

        KeePass can sorta fill them in web pages for you. If you've saved a site's URL you can right click an entry and pick open URL in: and pick a browser option. Then you can right click the entry again and select auto type. This will automatically fill in your user name and password. Obviously it lacks the convenience LastPass provides since you have to fire up KeePass prior to going to the web site.

      2. Woodnag

        So use both!

        Lastpass for the non-finance, non-reputation damaging sites.

        Keepass for the others.

      3. Version 1.0 Silver badge

        RE: Having {appname} fill them in for you on webpages.

        You don't see a potential problem with that?

      4. tom dial Silver badge

        My Keepass password database is available on a usb key on the keychain that carries my house key. There is a risk associated with that, but there are risks associated with any security system or protocol. If the keepass database is encrypted securely with secure methods, the risk is extremely low.

        It costs in convenience, in that the database and the passwords within are unusable on systems that do not have the keepass program installed. I consider that reasonable because I probably do not trust those machines anyhow, as I do not trust The Cloud, crusty old codger that I am.

    4. TheOtherPhil

      But the cloud isn't the issue.

      Indeed, as LP don't hold the encryption keys, it's no different from those who use keepass et al & sync it with dropbox.

      Sure, keeping your database (however encrypted it may be) offline will be safer - but less convenient. It's the balance that matters.

  3. cmannett85

    I recently decided to use a password manager and chose KeePass, primarily because it's open-source but also because it doesn't do any cloud stuff on your behalf. Unfortunately I've found that I end up using a cloud service to sync the keys database across all my devices - so I don't know how much better off I am now...

    Hopefully Tavis will set his sights on KeePass after he's done with the proprietary ones, as a good security audit is never a bad thing.

    1. Graham Cluley

      You could always ensure that the password manager's database that you are syncing via the cloud is itself encrypted.

      I would be surprised if the password manager isn't doing its own encryption, but I would recommend using a tool which automatically encrypts any data before it's shoved in your cloud-syncing folder anyway.

      1. Anonymous Coward
        Anonymous Coward

        Indeed

        Go nuts.

        Keepass, with a long, complex passphrase, and ideally a key file.

        That way, you can store your Keepass archive in 'a cloud', and it's encrypted. If someone manages to get your password AND archive, they still need the key file.

    2. Tony Paulazzo

      I've only got 4 devices (and don't change passwords that often), so cables work fine for me.

      Personally can't wait for biometrics to finally take off properly - got a fingerprint reader on the ipad, Surface Pro and phone yet none are properly integrated into the browser, or any password apps (that I'm aware of).

      1. yoganmahew

        Fingerprint me ars...

        It's just a string of numbers, it'll be stolen and spoofed. And what do you do when your fingerprint is stolen? Change it?

        1. Charles 9 Silver badge

          Re: Fingerprint me ars...

          YES! I've got ten of them to work with off the tips, then I can get more creative and use other parts of my fingers. And unlike a password, I don't have to remember them (which is an issue for people with poor recall or simply too many things to remember) or keep a second factor handy (which lots of people end up LOSING).

          PS. And even IF they lift my print, it probably wouldn't even work for them given my genuine finger only works about 3 times out of 10.

        2. fidodogbreath Silver badge

          Re: Fingerprint me ars...

          In the US, you can be forced by law enforcement and/or court order to unlock a device that is secured by a biometric factor. However, you cannot (yet) be compelled to divulge a password.

          1. Adam 52 Silver badge

            Re: Fingerprint me ars...

            I used to think that too but there was a story here - in the last few months - of someone in the US being ordered to hand over their keys.

      2. James Delaney

        1Password supports TouchID for what it's worth, though this is in addition to the master password.

      3. Anonymous Coward
        Anonymous Coward

        You are prepared to openly admit you have a Surface Pro? - Kudos.

        And why does Tavis have a picture of Carmarthen Bus Station on his website?

    3. Anonymous Coward
      Anonymous Coward

      The differences are:

      1) Your password database is just a file like many others, it's not a single highly visible target with a single "entry point".

      2) It's encrypted with a key hopefully not stored together

    4. zanshin

      "I recently decided to use a password manager and chose KeePass, primarily because it's open-source but also because it doesn't do any cloud stuff on your behalf. Unfortunately I've found that I end up using a cloud service to sync the keys database across all my devices - so I don't know how much better off I am now..."

      You should be better off in the sense that you don't need to sign into a remote system over the wire in order to unlock the password database. In theory, someone needs to compromise you and/or your local system in order to obtain your master password and/or key file(s).

      KeePass was recently in the news here for being one of the pieces of software the EU set aside money with which to fund a code audit.

  4. Graham Cluley

    Tavis's next target

    Last sentence reads:

    "Ormandy will set sights on popular password vault Password1 after this audit."

    I suspect you mean 1Password from AgileBits rather than Password1.

    The confusion is probably caused by password1 being many people's password. :(

    1. fidodogbreath Silver badge

      Re: Tavis's next target

      It's astounding how many sites' "password strength meters" still give a green light to strings like PassWord1234, LetMeIn1, ASDqwe123, etc.

      Obviously we all know that they're terrible; but non-IT civilians are misled into thinking that a couple of capital letters and numbers have stymied all those pesky hackers.

      1. jpgoldberg

        Re: Tavis's next target

        fidodogbreath correctly pointed out that, "non-IT civilians are misled into thinking that a couple of capital letters and numbers have stymied all those pesky hackers."

        I'd go further and say that more than a few IT people have also bought into what has become a cargo cult of password requirements.

        There is some fascinating research on public beliefs about these in a paper titled "I Added '!' at the End to Make It Secure": Observing Password Creation in the Lab (by Blase Ur and others from the CMU Usable Security group, presented at SOUPS in 2015). So, yes: the things that websites say about password requirements do in fact mislead people about what makes a good password.

  5. Anonymous Coward
    Anonymous Coward

    And there I was...

    Thinking "I'll not bother with a password vault, as it has a single point of failure".

    I'll probably stick to a second device (no internet, thus air gapped) with an encrypted list of passwords, possibly stored on usb stick. Yes the encryption will be poor, but it will need physical access to get at anyhow. Yes I'll need to type them in every time, so risk there. But the low hanging fruit is now hacking databases, not individual computers.

    1. Adam 1

      Re: And there I was...

      I seriously doubt that is a better idea. Unless lastpass are idiots, they aren't going to be able to decrypt your database because they won't know your master password. I'll be interested to see what the flaw is, but my guess is that it relates to a mechanism to trick it into auto populating the form on an imposter form delivered over an ad network, XSS or MitM attack.

      1. Stacy
        Meh

        Re: And there I was...

        I'm assuming that he managed to get around the master password issue - otherwise the pain is limited and not the 'it's the end of the world' that this is reported as. It's still not good, obviously, but there are levels of 'We're screwed!' :)

        I am hoping that those users who use two factor authentication (one of the first things I set up when joining the site - and one of the first things they recommend doing just in case something like this ever happens) are protected... And I am very happy that whilst I use this, I also use two factor authentication for all of my important accounts and don't just rely on the passwords...

        I am wondering how long they will take to reply to the risk - one of the reasons I picked them is that I found good examples of them being open with issues in the past rather than trying to cover it up when I was researching a vault.

        1. Adam 52 Silver badge

          Re: And there I was...

          "open with issues"

          Was that before they were bought? Logmein's terms specifically prohibit the disclosure of vulnerabilities.

    2. fidodogbreath Silver badge

      Re: And there I was...

      I'll probably stick to a second device (no internet, thus air gapped) with an encrypted list of passwords, possibly stored on usb stick.

      Right. Because air gaps and USB sticks are secure.

      http://www.theregister.co.uk/2014/07/31/black_hat_hackers_drive_truck_through_hole_in_usb_security/

      http://www.theregister.co.uk/2016/03/23/usb_only_trojan/

      And so are hard drives.

      http://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group/

  6. thondwe

    It's Risk Management

    Store your passwords on a USB stick and lose it (gets stolen) then you have to change ALL your passwords. Keep it on any system that has some sort of remote management, and if you lose that, you stand a chance of remote disabling it/changing password, etc.

    I tend to use Lastpass for random passwords for junk websites and use complex passwords and my memory for critical ones (like Bank, Lastpass, Mail, Social etc), enabling two factor if at all possible - though there's some benefit for having a physical secure "vault" for those which my wife can access in an emergency (been there done that once!), but of course that needs to be backed up into two locations... Hell, that's why something cloud based is worth the risk?

    1. Charles 9 Silver badge

      Re: It's Risk Management

      "I tend to use Lastpass for random passwords for junk websites and use complex passwords and my memory for critical ones..."

      And for people with BAD memories?

      1. Brewster's Angle Grinder Silver badge

        Re: It's Risk Management

        "And for people with BAD memories?"

        The sight's password reset function. Remember the frequent ones. Use reset for the rest.

        1. Stuart 22

          Re: It's Risk Management

          "The sight's password reset function. Remember the frequent ones. Use reset for the rest."

          Your sight is better than mine. I can't see the reset button for root ;-)

        2. Anonymous Coward
          Anonymous Coward

          Re: It's Risk Management

          So your email password is the master password?

      2. phuzz Silver badge

        Re: It's Risk Management

        You could use Lastpass (or whatever) to store a long password, but then add a suffix from memory. Practically two factor that is (not really).

        1. Sir Runcible Spoon
          Joke

          Re: It's Risk Management

          "The sight's password reset function"

          You need a password to see? What about audio?

          Also, can I assume that the reset 'button' is pressed with a sharp stick?

      3. Anonymous Coward
        Anonymous Coward

        Re: It's Risk Management

        And for people with BAD memories?

        For that I'd suggest a good counsellor. If you meant poor memory faculty... Oh wait, what were we discussing again?

      4. fidodogbreath Silver badge
        Pint

        Re: It's Risk Management

        And for people with BAD memories?

        Alcohol is good for dealing with bad memories.

  7. JakeMS

    Damn..

    That sucks for LastPass users, if attacked that could be very serious if all passwords are borrowed.

    This is also why I normally suggest a non-cloud based Password Manager, such as KeePassX. This way assuming your computer is configured securely, no one else will have access to your password database, and if they do get it, they still need the database password and keyfile before unlocking it.

  8. TeeCee Gold badge
    Facepalm

    What goes around...

    Well, I laughed.

    @ all those touting Lastpass every fucking time a password issue comes up: There's a saying about eggs and baskets which you should probably look up.

    1. Charles 9 Silver badge

      Re: What goes around...

      The thing with eggs, though, is that they MUST be in one place (right next to you) if you intend to actually USE them. So at some point, they MUST be in the same basket.

      Plus some of us have bad memories, meaning out of sight really means out of mind (and thus gets lost).

      1. Sir Runcible Spoon

        Re: What goes around...

        Answer: Keep all your eggs in one basket, but clone them and keep the clones locked away somewhere safe in case of emergency.

        Oh, as long as the basket is in your possession of course, not sitting on a cloud somewhere playing a harp or whatever it does when you're not looking.

        1. Admiral Grace Hopper Silver badge
          Joke

          Re: What goes around...

          We're cloning eggs? This is all getting a worryingly Jurassic Park

  9. psychonaut

    given its owned by log me in now

    expect this never to be fixed. or perhaps they will ramp up the price by 1500% before fixing it.

    1. SMFSubtlety

      Re: given its owned by log me in now

      Does this change the above statement?....

      http://www.theregister.co.uk/2016/07/26/citrix_logmein_goto/

      1. psychonaut

        Re: given its owned by log me in now

        yeah, i read that earlier. ive no idea if it means that LMI will start behaving unlike a bunch of see you next tuesdays. my moneys on not though.

        you?

      2. GrapeBunch

        Re: given its owned by log me in now

        options, share prices, dates. Brings in a whole new panoply of possibilities.

  10. Anonymous Coward
    Anonymous Coward

    LastPass/KeePass

    When LP was taken over I looked at KeePass. There was no direct way to import the hundreds of logins I had, and all the various "guides" over the internet (all of which referred to differing versions) were pretty clunky.

    "Don't fret" I thought "There's so much buzz about dumping LastPass that someone will produce a direct 1-click import tool"

    Nope. Still waiting. Seems it's true about things being worth what you pay for them. (I actually pay for LastPass. $12/year).

    I'm sure this post will be attacked by loads of people saying "all you need to do ....". I tried KeePass for a month - it's nowhere near as featured as LP.

    1. Anonymous Coward
      Anonymous Coward

      Re: LastPass/KeePass

      You can export from LP to KP, click on LP icon -> options -> advanced -> export

      I usually export as CSV then import to KP (only the KP v2 can import LP CSV)

      1. Anonymous Coward
        Anonymous Coward

        Re: LastPass/KeePass export

        No.

        The LP export is just a CSV.

        As you correctly, but I suspect disingenuously say "KeePass can import CSV". But the problem is KeePass doesn't have the same schema as LastPass. So the "import" is of varying use.

        I ended up having to manually correct nearly all the entries.

        So I restate my original point. You can't export from LastPass into KeePass.

        Given how wonderful KeePass is, with plugins for seemingly *everything* I find this omission curious, but not surprising. It's one of the downsides of free software.

        As I say, I pay for LastPass.

    2. fidodogbreath Silver badge

      Re: LastPass/KeePass

      KeePass is great for storing client logins in separate files. Often, they are system or console logins that are not amenable to auto fill anyway. I can easily open the password file on my phone, or (with portable KeePass) on a client box without installing any software.

      For my personal logins, I migrated >200 passwords from LastPass to Sticky Password pretty easily. The LP folder organization didn't come over, but redoing it was a good opportunity to get rid of old and unneeded logins.

      Sticky Password lets you choose whether or not to use their cloud sync, or manage your own database files offline. I really hope Ormandy doesn't blow it open...

  11. 2+2=5 Silver badge
    Joke

    Fortunately I use...

    > A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass

    Fortunately I use 1Password. Not the product - '1Password' is the password I use for all my sites.

  12. MojoJojo

    Second Today

    Another "all passwords lost" bug reported here https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

    Although that one has been fixed and details given to the nature of the flaw. As suspected, the issue is with auto-fill, rather than the cloud.
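    The auto-fill angle raised above (Adam 1's guess about an imposter form, and the Detectify write-up's conclusion that the problem is auto-fill rather than the cloud) comes down to one decision in the browser integration: does the page in front of the user actually belong to the site the stored credential was saved for? The following is an added example, not LastPass's code and not the specific bug either researcher found. It sets a substring-style check (the general shape of matching that lets an attacker-controlled page receive a fill) beside a check that parses both URLs and compares scheme, host and port exactly. The stored entry and the page URLs are constructed for the demo:

```javascript
// Added example (not any vendor's extension code): deciding whether a stored
// credential may be auto-filled into the page at pageUrl.

// Weak check: a substring test on the raw URL string. Any page that can get the
// stored host to appear anywhere in its URL passes.
function weakMatch(entryUrl, pageUrl) {
  const entryHost = new URL(entryUrl).hostname;
  return pageUrl.includes(entryHost);
}

// Strict check: parse both URLs, require HTTPS, then compare scheme, host and port.
// Unparseable input is treated as "do not fill".
function strictMatch(entryUrl, pageUrl) {
  let entry, page;
  try {
    entry = new URL(entryUrl);
    page = new URL(pageUrl);
  } catch (err) {
    return false;
  }
  if (page.protocol !== 'https:') return false; // never fill over plain HTTP
  return entry.protocol === page.protocol
    && entry.hostname === page.hostname
    && entry.port === page.port;
}

// Constructed stored entry.
const STORED = 'https://bank.example/login';

// Constructed page URLs an attacker-controlled site (or a downgraded connection)
// might present while asking the extension for the bank.example credential.
const CASES = {
  genuine: 'https://bank.example/login',
  subdomainOfAttacker: 'https://bank.example.evil.example/login',
  userinfoTrick: 'https://bank.example@evil.example/login', // hostname is evil.example
  inQueryString: 'https://evil.example/?next=https://bank.example/',
  inPath: 'https://evil.example/bank.example/',
  differentPort: 'https://bank.example:8443/login',
  downgradedToHttp: 'http://bank.example/login',
};

// Run one matcher over every case; returns { caseName: boolean }.
function evaluate(matcher) {
  const out = {};
  for (const [name, url] of Object.entries(CASES)) out[name] = matcher(STORED, url);
  return out;
}
```

    `evaluate(weakMatch)` returns true for every case, including the userinfo form where the parsed hostname is evil.example; `evaluate(strictMatch)` returns true only for `genuine`. Exact host matching is deliberately conservative: a manager that wants to share a credential across subdomains has to decide that on the parsed hostname, never on the URL string, and filling only after an explicit user gesture on the form limits the damage when the match logic is wrong.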

  13. batfastad

    Why?

    Why would anyone, ever, give their passwords to anyone else?

    Me? For most general sites, non-e-commerce, I have a reasonably long and complex base password as a salt, then add salt permutations and patterns of characters from the URL to pad the length. For anything a bit more sensitive, with payment or address details, then I have a more complex base and more rounds of my salting.

    Unique and complex password for each site and memorable/repeatable, for me at least.

    Secure enough now? Probably. Secure enough in 10 years' time, maybe not.

    But at least they're not stored on someone else's servers using unknown reversible encryption.

    1. Charles 9 Silver badge

      Re: Why?

      But many people can't work like that. They have such bad memories that "correcthorsebatterystaple" is a stretch ("Or was it 'donkeyenginepaperclipwrong'?").

      1. paulf
        Boffin

        Re: Why?

        As the XKCD comic explains "correcthorsebatterystaple" would be much easier to remember if it didn't have to contain an upper case letter, a lower case letter, a punctuation mark, the number you first thought of, blue, the smell of freshly cut grass, and your porn star name.

    2. John M. Drescher

      Re: Why?

      I have several hundred online accounts. There is no way I could possibly remember the passwords or even the usernames for all of them. I used to just use the same password for most but then sites started adding conflicting password complexity rules and change policies. Now I use LastPass for the non financial accounts and have to remember the complex password for the rest. Although technically the passwords are not as complex for the ones I need to secure but LP has been hacked multiple times so I don't trust its usage for financial accounts.

      1. batfastad

        Re: Why?

        I have several hundred online accounts too. And re-use a base password for most of them that don't really matter, forums etc.

        But on top of that I have a memorable and repeatable method of mixing extra characters, numbers and symbols into my base password. So I end up with a site-specific password of at least 25 characters, mixed in with all sorts of pseudo-random. The hash (assuming the site is hashing - grr!) will be different on every site and I only have to remember the base password and my "salting" method.

  14. Anonymous Coward
    Anonymous Coward

    Sophos currently has an article on the main page of their security blog helping people get started using LastPass.

    Amusing.

  15. Ilsa Loving

    1password

    I use 1password for this reason. I get to stick the data files where *I* want them to go, so there's no central point of failure.

    And to my knowledge, the encryption has yet to be compromised.

  16. Anonymous Coward
    Anonymous Coward

    The article doesn't mention specifics of how LastPass has actually been affected.

    As a user of 1Password, as others have mentioned there is no active 'cloud' element of my password handling, just the sync of the secured (i.e. encrypted, very secure master password'ed) 1Password file between my devices, and I'm not *too* worried about that bit (even if via Dropbox or iCloud or whatever).

    I am, however, far more worried if there could be leaks/issues in the various browser plugins that 1Password uses — that's a more likely attack vector, once the plugin is able to 'read' your password for a site, surely? I wonder if that is LastPass's failing - anyone know any more info yet?

    (Anonymous so that I don't give away info about my password storage usage!)

    1. Anonymous Coward
      Anonymous Coward

      I would agree with your assessment. It's most likely in the browser integration. Those sorts of vulnerabilities would impact any of the managers that have a tie in.

  17. FlamingDeath Silver badge

    Truecrypt + Notepad

    All my online account passwords are unique pseudo random 16 character alpha-numeric iterations. They are stored in a txt file, which is encrypted with a very strong key, and stored in the cloud on my Google drive account. In my view, other than being bruteforced with a super computer, I think I am safe.

    Who the hell needs a password manager ffs?

    Am I missing something?

    1. FlamingDeath Silver badge
      Meh

      Re: Truecrypt + Notepad

      Ok got a couple of downvotes, is anyone able to kindly explain why using Truecrypt + Notepad as a means of storing passwords, is somehow bad? or are these downvotes owned by idiots?

      Curious as to their mindset

      1. Charles 9 Silver badge

        Re: Truecrypt + Notepad

        The thing with databases is that they are much more efficient when it comes to searching, especially as the dataset grows. You think it's easy enough to sort through your text file, but how about when you have to sift through hundreds of them? Plus programs like KeePass are actually better at handling the clipboard, since it only keeps your password in the clipboard for a configurable number of seconds (default is 12), so you minimize the risk of clipboard sniffers.

        Not to mention it saves on a drive letter and packs everything into one neat program you can call up at will.

        1. Frank Marsh

          Re: Truecrypt + Notepad

          What Charles 9 said. You're basically creating your own poor man's version of KeePass. And if you think that a Truecrypt volume is security by obscurity in comparison to KeePass, look up how Hacking Team got their code stolen. An attacker got admin rights and grabbed the text password file when the lead engineer decrypted his Truecrypt volume to use a password.

          You have the exact same single point of vulnerability as KeePass (or 1Password minus browser plugins). And none of the features (additional fields for security questions, password generator, and many UI features beyond what Charles 9 said, such as auto-locking after various measures of inactivity).

    2. durandal

      Re: Truecrypt + Notepad

      Only pseudo-random? Tsk, you've left an obvious backdoor right there.

  18. spellucci

    Already fixed

    This bug only affected Firefox users and was fixed in version 4.1.21a. See https://blog.lastpass.com/2016/07/lastpass-security-updates.html/ for details.

  19. frankster

    Their entire raison d'etre is to keep your passwords more securely than you could keep them yourself. I seem to remember lastpass getting hacked a year or two ago. They sound like right cowboys.

  20. GeoGreg

    Fix on the way

    LastPass has published a blog post (less than 1 hour before I am writing this comment) in which they describe the problem as only affecting users of the Firefox plugin. They are pushing out a fix now, or users can download the latest plugin. Full post here:

    https://blog.lastpass.com/2016/07/lastpass-security-updates.html/

  21. jpgoldberg

    We (at 1Password) are looking forward to expert scrutiny

    Disclosure: I am the Chief Defender Against the Dark Arts at AgileBits, the makers of 1Password.

    I'd like to comment on a few things. First is that we welcome the kind of expert scrutiny that Tavis is capable of. And I look forward to working with him in providing details about how 1Password operates that may not yet have been properly documented. We do try to be open about our security design specifically so that experts can more easily evaluate it.

    I do, however, have to say that I don't think that it is helpful for someone in Tavis' position to even disclose the existence of a major security problem in a product used by millions before the vendor has had a chance to look at it. Although LastPass is a competitor of ours, I would like to tell LastPass customers not to panic.

    Please also keep in mind that while it might seem that using a password manager is putting all of your eggs in one basket, the alternative is worse. When you reuse passwords (which is the alternative to using a proper password manager) you are also putting multiple eggs in some very very weak baskets. If you use the same password on sites A, B, C, D, and E, then you are putting five eggs (the ability to log in as you to those five sites) into a highly exposed basket. A breach of any one of those sites is a breach of all. So the more you reuse passwords, the more vulnerable you are.

    Now I don't know any more than you all about what Tavis may have found with LastPass. We don't know how easily exploitable it is, we don't know if it is the kind of thing that others are likely to find, and we don't know how quickly LastPass will be able to fix it. So I repeat my statement to LastPass customers: Don't panic. And to everyone else, you really are safer using a well designed password manager.

    1. Johnny2016

      Re: We (at 1Password) are looking forward to expert scrutiny

      Are you being facetious?

      The reason Tavis publicly tweeted that he found a critical bug is because LastPass were not communicating with him!

      He emailed their designated security address and their customer service team. Neither had the courtesy to reply to him. Would you prefer he had publicly disclosed the method of the attack rather than simply the fact that there was a serious vulnerability?

      Another security researcher found a separate (now fixed, apparently) bug in their software. He too had difficulty communicating with LastPass.

      I really don't see your point. What was Tavis supposed to do with an uncommunicative company?

      Also, is your company (1Password) not already paying for penetration testers? That'd be best practice considering you're charging customers a hefty amount now for Families/Teams accounts.

      If you want somebody like Tavis on board I hope you're going to pay him.

  22. WatAWorld

    As a google customer I was going to be very upset with Google, BUT it is okay for now

    "Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password."

    Okay good, I was going to say that I didn't appreciate Google paying people to make life difficult for myself and other Google customers.

    But he's sending the report to LastPass first.

    Hopefully he realizes that even a small company like LastPass can take a couple of months to create and test a fix up to the level where it is ready for production release.

    People who make their living writing code know, rushing out fixes to commercial software in a blind panic can open more holes than it closes.

    Google needs to remember that we customers don't only use Google products, we use other products too. And making Google customer lives miserable would affect Google's business model and profits.

    However, doing a service like this, where the report is sent to the product vendor and the product vendor is given sufficient time to design, write, test, re-write, re-test, beta test and release a well thought out fix, that is actually Google doing something good for us customers.

  23. SL1979

    Stallman said it best...

    "The term “cloud” means “please don't ask where.”" - Richard Stallman

    Combining the words, "cloud", and "password manager" makes me recoil in horror. If you aren't in control of the security of the service that hosts your private data, you might as well consider it all public data.

  24. Anonymous Coward
    Big Brother

    Darn it!

    If only those pesky kids didn't keep finding the backdoors we mandate US and UK developers install!

  25. Anonymous Coward
    Anonymous Coward

    This is TavisO's write up of the vulnerability. The other person that said he 'also hacked LastPass' was a year ago but he hadn't previously detailed it except to LastPass.

    https://bugs.chromium.org/p/project-zero/issues/detail?id=884

    He ends it with -

    "Note that it is not correct to say "both exploits do require tricking a user via a phishing attack into going to a malicious website". In fact, neither of the attacks described require phishing. I assume the blog post was written by someone who is not familiar with the term phishing."

  26. Anonymous Coward
    Anonymous Coward

    I started using Enpass, which is free for the desktop but there is a charge for mobile use, after LastPass was bought out. It stores passwords locally with the option of syncing to a cloud service. It fills in sites that LastPass has trouble with but there is no autofill option but I guess that is a good thing. It can import a LP csv file but there are errors so I used both for some time till I felt comfortable.

    The only issue I see is if I'm storing my passwords on a USB that isn't always in the box there won't be an updated version automatically but they would be encrypted on a usb so maybe that is best.
