LastPass Working on Yet Another Security Fix

[Zarathustra[H]]

It seems like the last couple of weeks have been pretty rough for LastPass. Tavis Ormandy at Googles Project Zero team apparently had a shower epiphany, and found yet another vulnerability in LastPass resulting in arbitrary code execution. That's quite a lot accomplished before putting your pants on on a Saturday morning.

This is why I have some discomfort when it comes to password managers. If you get phished or otherwise exploited on a site by site basis, you lose one password. If your password manager gets compromised you lose them all. Because of this, I personally keep all my passwords in my noggin. It's not easy though, and I often forget and have to reset them.

To expand on the issue, LastPass also put up a post today, in which they made it clear that a fix is being worked on. The client side vulnerability discovered over the weekend allows for an attack that is "unique and highly sophisticated". As such, the firm declined to disclose anything specific about either the vulnerability or the patch, until everything is said and done. The reasoning given is that doing so could "reveal anything to less sophisticated but nefarious parties", which is of course not the intention.

 

[Bandalo]

I'm not really worried about "unique and highly sophisticated" attacks on LastPass, and I'm a regular user. I think the benefits far outweigh the risks.

 

[lollerwaffle]

On the password manager side I would like to bring up one solution that is working well for me.

'KeePass' can store login information in an encrypted file. You can set up the software in a way that a token or a passphrase needs to be given before that file ever gets decrypted to memory or any login information made available.
The token can be a file, probably other things. The password can also be a key file.

This integrates with KeeFox for FireFox osers, I don't know about other browsers. KeeFox can activate the software and fill login information in on web sites. This may be phishable but you don't have to do this at all. Skip KeeFox and copy/paste passwords out of KeePass if you forgot them.

Lastly, KeePass has a lot of plugins, one of them to sync the key file to a google drive. You can use this to seamlessly use the key file on multiple devices and keep them all up-to-date.

It takes a little work setting up but it seems that you can make this solution as secure as you wish, or add conveniences that also may lower security. And it's free.

 

[magnetik]

2FA Lastpass with Yubikey works

 

[Oniigumo]

On the password manager side I would like to bring up one solution that is working well for me.

'KeePass' can store login information in an encrypted file. You can set up the software in a way that a token or a passphrase needs to be given before that file ever gets decrypted to memory or any login information made available.
The token can be a file, probably other things. The password can also be a key file.

This integrates with KeeFox for FireFox osers, I don't know about other browsers. KeeFox can activate the software and fill login information in on web sites. This may be phishable but you don't have to do this at all. Skip KeeFox and copy/paste passwords out of KeePass if you forgot them.

Lastly, KeePass has a lot of plugins, one of them to sync the key file to a google drive. You can use this to seamlessly use the key file on multiple devices and keep them all up-to-date.

It takes a little work setting up but it seems that you can make this solution as secure as you wish, or add conveniences that also may lower security.

I'm actually a huge fan of Keepass as well. You actually don't need any extensions to have it fill in login information. You can enable global auto-type, set the bind, then set the target window on a per password basis. A bit of a hassle at first, but it's well worth the effort, and it gives me peace of mind.

 

[Jovian]

I use keepass with a google drive extension and then sync it between my various machines. Works well for me, but isn't as convent as Lastpass, but I think is safer.

I also have toyed with a Teampass install at home that I access with VPN. This method allows nothing stored in cloud or facing the internet.

The thing I worry most about with LastPass is they are a service specifically designed to hold passwords thats accessible on the internet. If I was a hacker, thats the best bank vault of them all.

 

[Bandalo]

I use keepass with a google drive extension and then sync it between my various machines. Works well for me, but isn't as convent as Lastpass, but I think is safer.

I also have toyed with a Teampass install at home that I access with VPN. This method allows nothing stored in cloud or facing the internet.

The thing I worry most about with LastPass is they are a service specifically designed to hold passwords thats accessible on the internet. If I was a hacker, thats the best bank vault of them all.

Yeah, but their security is pretty damn good. Plus since each user's data is individually encrypted and decrypted only on the local end, it's not like they get everything even if they get access to the servers.

 

[Deleted member 184142]

I use keepass with a google drive extension and then sync it between my various machines. Works well for me, but isn't as convent as Lastpass, but I think is safer.

I also have toyed with a Teampass install at home that I access with VPN. This method allows nothing stored in cloud or facing the internet.

The thing I worry most about with LastPass is they are a service specifically designed to hold passwords thats accessible on the internet. If I was a hacker, thats the best bank vault of them all.

Not really, considering lastpass does not store passwords, but hashes only, which are all encrypted and salted. "Hackers" on that scale are about low hanging fruit, brute forcing that kind of hash to access a single password is not one of them.

 

[BigJayDogg3]

Not really, considering lastpass does not store passwords, but hashes only, which are all encrypted and salted. "Hackers" on that scale are about low hanging fruit, brute forcing that kind of hash to access a single password is not one of them.

Pretty much. The database is encrypted with your username, which is in turn encrypted with your password. I'm not really worried.

On the other hand, because Lastpass will auto-fill sites with my credentials, if Lastpass fails to fill the fields, I get a bit of a tip-off that something's not quite right.

I'd rather have 200+ long psuedo-random passwords managed with a single easy to use manager vs 5 or 6 that get recycled across several sites.

 

[Jagger100]

I thought they had 90 days before Google would go public. Over the weekend is not 90 days even if it was similar. Nothing to do with google having a competing initiative, I'm sure.

 

[nilepez]

I'm actually a huge fan of Keepass as well. You actually don't need any extensions to have it fill in login information. You can enable global auto-type, set the bind, then set the target window on a per password basis. A bit of a hassle at first, but it's well worth the effort, and it gives me peace of mind.

Thumbs up on keepass. What is this assigning it to a target window? Is that something I can do in the app? For me, it always goes to the window that had focus before keepass.

 

[Oniigumo]

Have to pick one of your entries and choose edit, then up top choose the tab auto-type, choose enable auto-type if it isn't, then click add on the right hand side. In the new window that pops up will be a box that says target window, which will list the windows you currently have open to choose from. From there on out it'll pick the correct user/password combo based on the window that was active when you press your global combo. After you have EVERYTHING set up on all your sites, you can just do what I do. Click login, click the Username box so I can type there, hit my bind (CTR+ALT+A), and it fills in the blanks. I can do some quick screenshots for you if that was a bit hard to follow.

 

[ZLoth]

I use both LastPass and KeePass. KeePass is my master password file, while LastPass contains a small subset of those passwords.

The thing I like about Lastpass is that they are extremely quick to acknowledge issues and post fixes.

 

[nilepez]

Have to pick one of your entries and choose edit, then up top choose the tab auto-type, choose enable auto-type if it isn't, then click add on the right hand side. In the new window that pops up will be a box that says target window, which will list the windows you currently have open to choose from. From there on out it'll pick the correct user/password combo based on the window that was active when you press your global combo. After you have EVERYTHING set up on all your sites, you can just do what I do. Click login, click the Username box so I can type there, hit my bind (CTR+ALT+A), and it fills in the blanks. I can do some quick screenshots for you if that was a bit hard to follow.

Thanks! I'll have to check this out. Not sure it matters that much for most of my passwords (since they mostly go to a web browser that I was just in), but I'm sure I'll find some other apps to use this feature.

 

[entropism]

'KeePass' can store login information in an encrypted file. You can set up the software in a way that a token or a passphrase needs to be given before that file ever gets decrypted to memory or any login information made available.
The token can be a file, probably other things. The password can also be a key file.

My issue with Keepass (and it IS, objectively, the most secure solution) is that the Android and iPhone versions of it are downright awful, while the Lastpass apps are one of the best. I'd say Dashlane has the best mobile apps. Another issue is the whole issue of having to install the program, vs just installing an extension. Keeping it extension based allows me to use LastPass on a work computer, where I don't have rights to install any actual programs.

 

[Galvin]

I tried lastpass, but some websites wouldn't work with it. The 3 dot icons would not appear in the name and password fields. So its a no go. Need one where it doesn't need to intergrate into the website so it be more compatible

 

[Bandalo]

I tried lastpass, but some websites wouldn't work with it. The 3 dot icons would not appear in the name and password fields. So its a no go. Need one where it doesn't need to intergrate into the website so it be more compatible

For the sites like that, you can use the extention's options to manually make it "autofill".

What websites were giving you trouble?

 

[steakman1971]

I used KeePass for several years - but am now using 1Password. It simply has a much nicer mobile app, Windows support, and good Mac support. Yeah, yeah, I know Mac's are not popular on this board. I spend most of my day job using one so it's a must for me.

 

[Galvin]

For the sites like that, you can use the extention's options to manually make it "autofill".

What websites were giving you trouble?

https://www.poloniex.com/login

 

[Uncle]

https://www.poloniex.com/login

Nope, I had no trouble logging into your account.

 

[Galvin]

Nope, I had no trouble logging into your account.

Sweet!, least someone can use it

 

[SvenBent]

and people called me crazy when i decide to got with opensource keepass with nothing cloud based...

 

[Prisoner849]

Been using Keepass myself for a few years, the key file synced with Dropbox. It's not the most convenient n some ways and yes, the Android version is far from ideal, but I believe it is the most secure.

 

[daglesj]

List of written passwords in a book. At least I have full respect for the hacker than actually physically breaks into my home to get them rather than harvesting mine and thousands of others due to shitty lazy code.

 

[Bandalo]

Nope, I had no trouble logging into your account.

I don't have an account, but I just checked and Lastpass seems to autofill on that site just fine.

 

[ppilot]

Passwordsafe with database file stored on two-factor protected Dropbox has worked pretty well for me over multiple platforms and devices

 

[grtitan]

I am torn between keepass and lastpass.

The main issue is the convenience in multi platform usage.

Since I use all 3 platforms (Linux, OSX and winblows), it became very tedious to manage all with keypass and the required keepassx, instead of only one (lastpass).

 

[Stanley Pain]

I'm not really worried about "unique and highly sophisticated" attacks on LastPass, and I'm a regular user. I think the benefits far outweigh the risks.

You should be worried. A lot of attacks against LastPass are not that sophisticated and some of them allow the attacker to gain full API control (meaning they can silently download ALL your passwords completely bypassing 2FA). I've been a long time LastPass user but the last couple of weeks have led me to export all my passwords and delete my LastPass account. Searching for a good alternative now

 

[Deleted member 184142]

You should be worried. A lot of attacks against LastPass are not that sophisticated and some of them allow the attacker to gain full API control (meaning they can silently download ALL your passwords completely bypassing 2FA). I've been a long time LastPass user but the last couple of weeks have led me to export all my passwords and delete my LastPass account. Searching for a good alternative now

One of them only dealt with really old versions of FF and old LastPass extension for that version (new version doesn't work with it). So talking about security and at the same time running an old and unpatched FF AND LastPass is quite stupid, all of this also required you to use a malicious website. It also only exposed the single login for the site it was trying to mask as a trusted party.

 

[Stanley Pain]

One of them only dealt with really old versions of FF and old LastPass extension for that version (new version doesn't work with it). So talking about security and at the same time running an old and unpatched FF AND LastPass is quite stupid, all of this also required you to use a malicious website. It also only exposed the single login for the site it was trying to mask as a trusted party.

Worked in Chrome as well.


This one was scarier:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1209


It's not just the fact that LastPass is being exploited recently that has made me drop them. It's the way they've handled some of the exploits when pressed about them. It's pretty obvious they've lost some core talent there. It's unfortunate because no one else beats them on the usability side of things.

 

[Bandalo]

You should be worried. A lot of attacks against LastPass are not that sophisticated and some of them allow the attacker to gain full API control (meaning they can silently download ALL your passwords completely bypassing 2FA). I've been a long time LastPass user but the last couple of weeks have led me to export all my passwords and delete my LastPass account. Searching for a good alternative now

I'm not worried about attacks, I'm worried about successful attacks.

There is no completely secure answer. If a determined hacker wants your data, they're probably going to get it. LastPass makes is MUCH harder than almost any other solution. It's not perfect, but it's pretty damn good IMO.

That being said, I don't keep bank account login info anywhere but my head. If someone DID get my LastPass, they'd be able to post as me on forums and Reddit, and that's about it. Anything else that effects my finances (Amazon, Paypal, Steam) has two-factor authentication)

 

[entropism]

Look into Dashlane and Enpass.io. Enpass gets some flack because they have some shady marketing schemes (like posing as customers on Reddit/forums) but the tech is spot on. That keeps a local file and syncs with services like Drive and Dropbox.

Dashlane is arguably the best, but it's expensive as fuck. $50/year is RIDICULOUS, but they offer 6 months free for every referral you make. A bunch of throwaway emails later, and I have 7 years of free service. *cough* Just saying...

I've been a paid user of Lastpass for the past year, and I've explored almost every option out there. Not sure if I'm going to move on or not, but the thought has defintiely crossed my mind.

I am torn between keepass and lastpass.

The main issue is the convenience in multi platform usage.

Since I use all 3 platforms (Linux, OSX and winblows), it became very tedious to manage all with keypass and the required keepassx, instead of only one (lastpass).

 

[grtitan]

Look into Dashlane and Enpass.io. Enpass gets some flack because they have some shady marketing schemes (like posing as customers on Reddit/forums) but the tech is spot on. That keeps a local file and syncs with services like Drive and Dropbox.

Dashlane is arguably the best, but it's expensive as fuck. $50/year is RIDICULOUS, but they offer 6 months free for every referral you make. A bunch of throwaway emails later, and I have 7 years of free service. *cough* Just saying...

I've been a paid user of Lastpass for the past year, and I've explored almost every option out there. Not sure if I'm going to move on or not, but the thought has defintiely crossed my mind.

Awesome tips, thanks.

I played a bit with Dashlane and really liked their interface, but found it hard keeping it synced among several systems without using their cloud service.

They should offer their program as stand alone purchase, because there is no way in hell that i am going to pay 50 a year just to sync passwords.

Edit, NEver heard of Enpass and I dont know, something in there is fishy, everything is free...Maybe a CIA front

 

[entropism]

Enpass isn't free for mobile, and it's an indian based outfit. I think it's like $5-10 per app, one time purchase.

As for Dashlane, the cloud portion is awesome.

Edit: $10 for mobile platforms, I got mine for $5 a while back. Free for desktops though.

 

[grtitan]

Enpass isn't free for mobile, and it's an indian based outfit. I think it's like $5-10 per app, one time purchase.

As for Dashlane, the cloud portion is awesome.

Edit: $10 for mobile platforms, I got mine for $5 a while back. Free for desktops though.

Hmm, I will check the desktop version out. I dont much need of a password manager in my mobile device.

 

[hmz]

Passwordsafe with database file stored on two-factor protected Dropbox has worked pretty well for me over multiple platforms and devices

+1.

Have been using the Passwordsafe for years. Glad I am not the only one ;-)

 

[kandor]

2FA Lastpass with Yubikey works

I've used lastpass for years with 2fa and yubikey, also can only login from canada, also auto logs out any devices when I login anywhere, also timesout. So thumbs up!

 

[Shmee]

On the password manager side I would like to bring up one solution that is working well for me.

'KeePass' can store login information in an encrypted file. You can set up the software in a way that a token or a passphrase needs to be given before that file ever gets decrypted to memory or any login information made available.
The token can be a file, probably other things. The password can also be a key file.

This integrates with KeeFox for FireFox osers, I don't know about other browsers. KeeFox can activate the software and fill login information in on web sites. This may be phishable but you don't have to do this at all. Skip KeeFox and copy/paste passwords out of KeePass if you forgot them.

Lastly, KeePass has a lot of plugins, one of them to sync the key file to a google drive. You can use this to seamlessly use the key file on multiple devices and keep them all up-to-date.

It takes a little work setting up but it seems that you can make this solution as secure as you wish, or add conveniences that also may lower security. And it's free.

I love KeyPass. As a Sys Admin I use it at home and at work, and I get to choose where the file lives.