{Warning}: Vulnerabilities found on password manager LassPass

[Baofeng]

Google's project Zero recently revealed that anyone using LassPass is prone to vulnerabilites.



https://twitter.com/taviso/status/1173401754257375232

Good thing though, the people behind LassPass fixed the bug as confirmed here:

https://blog.lastpass.com/2019/09/lastpass-bug-reported-resolved.html/

Our team recently investigated and resolved a bug affecting certain LastPass extensions. Tavis Ormandy, a security researcher from Google’s Project Zero, responsibly disclosed the issue to us. His report revealed a limited set of circumstances on specific browser extensions that could potentially allow an attacker to create a clickjacking scenario.

We have now resolved this bug; no user action is required and your LastPass browser extension will update automatically.  

Additionally, while any potential exposure due to the bug was limited to specific browsers (Chrome and Opera), as a precaution, we’ve deployed the update to all browsers.

https://blog.lastpass.com/2019/09/lastpass-bug-reported-resolved.html/

Anyways for those LassPass users here who haven't heard about the potential exploit, it's better if you could change your password as a precaution. No need to update though, everything is automatic as per LassPass. But as I have said, better take a look at it and take safety measures.

Edit: Chrome and Opera are the only browsers being affected as per article.

[1715082405]

1715082405

[OmegaStarScream]

Anyways for those LassPass users here who haven't heard about the potential exploit, it's better if you could change your password as a precaution. No need to update though, everything is automatic as per LassPass. But as I have said, better take a look at it and take safety measures.

Edit: Chrome and Opera are the only browsers being affected as per article.

Or, as a better solution, we can all stop using online services to store our passwords and use something like KeePass instead.

[GreatArkansas]

Or, as a better solution, we can all stop using online services to store our passwords and use something like KeePass instead.

And Password Safe also which open-sourced password manager same as KeePass.
I created a short tutorial/information before on KeePass password manager here and for Password Safe here.

If we really don't need a password manager or not really required then much better to avoid it, it is really risky especially when you are using those have subscription fees.

[gentlemand]

Is it unfashionable to say I don't trust any password manager?

There are only a handful of services where I need proper security and in that case they all have proper passwords that I've memorised. I couldn't care less about all the other ones.

[TryNinja]

Is it unfashionable to say I don't trust any password manager?

There are only a handful of services where I need proper security and in that case they all have proper passwords that I've memorised. I couldn't care less about all the other ones.

So you just repeat your passwords in most websites? This doesn’t seem like the best solution.

Just don’t use any web cloud hosted password manager. Keepass - as suggested above - is pretty good (open source, offline, old enough, etc). If anything, memorize your handful of services and use the password manager for those you don’t care. You don’t care anyways, but at least maintain some security.

[bitmover]

Lastapss was hacked already at least twice. I don't know why they still have so much support from big companies and so many people still use it.
https://www.cnet.com/forums/discussions/last-pass-hacked-again/


It is even bad for password managers in general. The most used one is hacked all the time, so it is natural that users think"I will just use none password manager, at least I will not be hacked and lose all my passwords at once."

[gentlemand]

So you just repeat your passwords in most websites? This doesn’t seem like the best solution.

Just don’t use any web cloud hosted password manager. Keepass - as suggested above - is pretty good (open source, offline, old enough, etc). If anything, memorize your handful of services and use the password manager for those you don’t care. You don’t care anyways, but at least maintain some security.

Yup. There's no information of note on any of the said sites so I couldn't care less what happens to them.

One of the increasingly prevalent things that's pissing me off is the inability to access services from whatever machinery I'm using. I want to be able to log in from anywhere using anything, not have to download a program or receive a confirmation email to an address I can't get into without another confirmation email from elsewhere.

That'll do for the important stuff, not the junk.

[Harlot]

Is it unfashionable to say I don't trust any password manager?

There are only a handful of services where I need proper security and in that case they all have proper passwords that I've memorised. I couldn't care less about all the other ones.

To be honest you really don't need to store all your passwords in a software. I would understand it if you have a spare offline desktop/laptop where you can store an offline password manager but keeping an online one especially those browser extension password managers is like keeping a list of your accounts in Google Keeps, its really not that safe. I would rather write my passwords in a notebook and hide it somewhere good like in our mini library where I store my past highschool and college notes.

[Stedsm]

Why not simply use the in-built password manager in any browser like Chrome or Firefox? Do we really need a password managing software here? I save all my passwords generally in Chrome's password manager not just to save my time like gentlemand but most of my saved passwords are from websites where 2fa is required and I don't need the hassle of remembering the password every single time I login there.

My strongest advice here to newbies:
You should never, hear me with fully open ears, never ever go for passwords provided by these password managers because there you are prone to losing almost everything as if they know what you have used (if they don't keep them saved as encrypted with themselves, they can easily know that). I would never prefer any such services where such suggestions are given, but would rather stick to my old techniques.

[Kyraishi]

Don't use online password generators/holders, it's like the same argument of centralization vs decentralization again, where Lastpass is an application that has all of your information, and could randomly go bust one day and start hacking into their customer's accounts (because we all know they can do that). Using another system that is offline, or even going super old school and generating your old password and writing it down on a piece of paper gives you control over everything and is the safest, and is the bet I'd recommend most people to go with.

To be honest, just make your own passwords by mashing the keyboard (eg 087asf*)&G), and then write it down a piece of paper, that's 100 percent the safer bet.

Lastapss was hacked already at least twice. I don't know why they still have so much support from big companies and so many people still use it.
https://www.cnet.com/forums/discussions/last-pass-hacked-again/


It is even bad for password managers in general. The most used one is hacked all the time, so it is natural that users think"I will just use none password manager, at least I will not be hacked and lose all my passwords at once."

Because people don't like change and are sometimes oblivious to the news, I doubt that over half of the people that use lastpass knew that they got hacked, and the people that did know, probably couldn't bother moving all their passwords.

Why not simply use the in-built password manager in any browser like Chrome or Firefox? Do we really need a password managing software here? I save all my passwords generally in Chrome's password manager not just to save my time like gentlemand but most of my saved passwords are from websites where 2fa is required and I don't need the hassle of remembering the password every single time I login there.

Because Chrome and Firefox password savers are the same as giving out your information to LastPass, they still have access to your information, and lastpass works better then chrome, and has a lot more features then them.

[TwitchySeal]

Lastapss was hacked already at least twice. I don't know why they still have so much support from big companies and so many people still use it.
https://www.cnet.com/forums/discussions/last-pass-hacked-again/


It is even bad for password managers in general. The most used one is hacked all the time, so it is natural that users think"I will just use none password manager, at least I will not be hacked and lose all my passwords at once."

It's a pretty good product for non-technical people that don't need to worry about protecting private keys but want to have strong unique passwords for each site, across multiple devices, without much hassle.


And they really don't get hacked all the time.  They have a decent bug bounty program and report whenever a vulnerability is brought to their attention (after it's patched).  To my knowledge, none of the vulnerabilities have ever been exploited. (edit: I guess someone got hold of a bunch of salted hashes back in 2015, so that's a hack)

To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed.

Of course, if you're using a device to move more than a little bit of any cryptocurrency it would be silly to trust a web based password manager.

[Stedsm]

Why not simply use the in-built password manager in any browser like Chrome or Firefox? Do we really need a password managing software here? I save all my passwords generally in Chrome's password manager not just to save my time like gentlemand but most of my saved passwords are from websites where 2fa is required and I don't need the hassle of remembering the password every single time I login there.

Because Chrome and Firefox password savers are the same as giving out your information to LastPass, they still have access to your information, and lastpass works better then chrome, and has a lot more features then them.

Well then, that remains the case with all types of password managers even if they provide better features because if they don't know your password, how will they engage with the website and pass your password ahead from their database.

http://techgenix.com/are-password-managers-security/

An article I read, said that in 2018, two of the most popular password managers OneLogin and LastPass (which OP alerted about) were hacked and sensitive data of customers got leaked due to the same. I know that browsers are more vulnerable to attacks in comparison to these managers, but now I'd rather choose to save my username and passwords in either Notepad or create a table/sheet in Microsoft Word/Excel and save it there and keep the document saved in a USB rather than keeping in a PC which remains connected to internet.

[DarkStar_]

I'd rather choose to save my username and passwords in either Notepad or create a table/sheet in Microsoft Word/Excel and save it there and keep the document saved in a USB rather than keeping in a PC which remains connected to internet.

That's even worse as there's no encryption. If someone finds your USB, say goodbye to all of your logins. You're also plugging the USB into a internet connected computer most likely when you need to login. The LastPass vulnerability was most likely never used until it was patched and it still required a very specific situation.

Is it unfashionable to say I don't trust any password manager?

There are only a handful of services where I need proper security and in that case they all have proper passwords that I've memorised. I couldn't care less about all the other ones.

Even one which is Free and Open Source?

Keepass is a good one that was already mentioned. I personally use Bitwarden, and I haven't had any complaints there.

[Stedsm]

I'd rather choose to save my username and passwords in either Notepad or create a table/sheet in Microsoft Word/Excel and save it there and keep the document saved in a USB rather than keeping in a PC which remains connected to internet.

That's even worse as there's no encryption. If someone finds your USB, say goodbye to all of your logins. You're also plugging the USB into a internet connected computer most likely when you need to login. The LastPass vulnerability was most likely never used until it was patched and it still required a very specific situation.

If it is of a specific brand that enables encryption of data by allowing us to put up a password before any of the data of that USB be used, and the password is an extremely complex one, will it still be possible for someone getting my USB to crack that password and/or encryption and take away all the data in that USB?

[DarkStar_]

I'd rather choose to save my username and passwords in either Notepad or create a table/sheet in Microsoft Word/Excel and save it there and keep the document saved in a USB rather than keeping in a PC which remains connected to internet.

That's even worse as there's no encryption. If someone finds your USB, say goodbye to all of your logins. You're also plugging the USB into a internet connected computer most likely when you need to login. The LastPass vulnerability was most likely never used until it was patched and it still required a very specific situation.

If it is of a specific brand that enables encryption of data by allowing us to put up a password before any of the data of that USB be used, and the password is an extremely complex one, will it still be possible for someone getting my USB to crack that password and/or encryption and take away all the data in that USB?

It depends. Is it open source software that uses a tried and true method of encryption, or does it use a proprietary algorithm?

Keep in mind that a USB is also inconvenient. If you're using a non personal computer and needed to access your accounts, you likely wouldn't be able to connect the USB to your phone to find your passwords. Most password managers have apps that you can use.

[slaman29]

Well, I personally think most open source projects are fine to use. People find bugs and vulnerabilities in coding all the time. That's good. And when they're open source they get fixed very quickly and that's also good.

I do worry when things like these happen though and someone manages to get my data in the few hours the vulnerabilities aren't fixed.

[LuckyBtc]

How about using Trezor's password manager? Is it any good? Anyone using it here? I'm thinking of buying another device to use it as password manager as well keep small amount of Bitcoin for spending.

[gentlemand]

How about using Trezor's password manager? Is it any good? Anyone using it here? I'm thinking of buying another device to use it as password manager as well keep small amount of Bitcoin for spending.

Weird how rarely it's mentioned.

In some ways it would be more convenient, others less. I don't fancy having to haul it around every time I wanted to access something but at least it would be more secure than downloading some program to every computer I wanted to access sites through.

[OmegaStarScream]

How about using Trezor's password manager? Is it any good? Anyone using it here? I'm thinking of buying another device to use it as password manager as well keep small amount of Bitcoin for spending.

In terms of security, Trezor might be better than KeePass but I find TPM to be inconvenient because:

1. The software is only available for Chrome/chromium-based browsers.
2. You can't use it offline, and you need a Google Drive/Dropbox account.

It should be possible to create your offline password manager (to communicate with your Trezor) though, as the format for password storage is available, but that's clearly not something the average user would be able to do.

[Kyraishi]

Why not simply use the in-built password manager in any browser like Chrome or Firefox? Do we really need a password managing software here? I save all my passwords generally in Chrome's password manager not just to save my time like gentlemand but most of my saved passwords are from websites where 2fa is required and I don't need the hassle of remembering the password every single time I login there.

Because Chrome and Firefox password savers are the same as giving out your information to LastPass, they still have access to your information, and lastpass works better then chrome, and has a lot more features then them.

Well then, that remains the case with all types of password managers even if they provide better features because if they don't know your password, how will they engage with the website and pass your password ahead from their database.

http://techgenix.com/are-password-managers-security/

An article I read, said that in 2018, two of the most popular password managers OneLogin and LastPass (which OP alerted about) were hacked and sensitive data of customers got leaked due to the same. I know that browsers are more vulnerable to attacks in comparison to these managers, but now I'd rather choose to save my username and passwords in either Notepad or create a table/sheet in Microsoft Word/Excel and save it there and keep the document saved in a USB rather than keeping in a PC which remains connected to internet.

Yep. My point exactly. Most password managers I know like Onelogin, Lastpass, Google password manager, Firefox password manager are all ticking time bombs and for each of these services the company behind it has full access to your passwords, what sites you want to use the passwords on, and could probably also bypass 2-fa (Lastpass has a 2-fa generator, but I'm assuming it goes through their services and they could avoid that if they wanted to as well).

Saving your passwords in a digital form is probably worse than using any of those password managers. The chance of your PC getting hacked via a RAT or something is way higher then a million-dollar company getting hacked and it's a ticking time bomb, and a roadmap to your identify if your PC ever get hacked.

Use an offline password manager, or write down your passwords on a piece of paper and stick it behind your desk, out of sight. Keeping things offline is way better than using notepad or a password manager.