Bitcoin Forum
Author Topic: {Warning}: Vulnerabilities found on password manager LastPass (Read 284 times)
Baofeng
Hero Member
September 18, 2019, 07:00:14 AM
#1

Google's Project Zero recently revealed that anyone using LastPass is prone to vulnerabilities.

https://twitter.com/taviso/status/1173401754257375232

Good thing though, the people behind LastPass fixed the bug as confirmed here:

https://blog.lastpass.com/2019/09/lastpass-bug-reported-resolved.html/

Quote

Our team recently investigated and resolved a bug affecting certain LastPass extensions. Tavis Ormandy, a security researcher from Google’s Project Zero, responsibly disclosed the issue to us. His report revealed a limited set of circumstances on specific browser extensions that could potentially allow an attacker to create a clickjacking scenario.

We have now resolved this bug; no user action is required and your LastPass browser extension will update automatically.  

Additionally, while any potential exposure due to the bug was limited to specific browsers (Chrome and Opera), as a precaution, we’ve deployed the update to all browsers.


https://blog.lastpass.com/2019/09/lastpass-bug-reported-resolved.html/

Anyways, for those LastPass users here who haven't heard about the potential exploit, it's better if you could change your password as a precaution. No need to update though, everything is automatic as per LastPass. But as I have said, better take a look at it and take safety measures.

Edit: Chrome and Opera are the only browsers being affected as per article.

OmegaStarScream
Staff, Legendary
September 18, 2019, 07:06:31 AM
#2

Quote
Anyways, for those LastPass users here who haven't heard about the potential exploit, it's better if you could change your password as a precaution. No need to update though, everything is automatic as per LastPass. But as I have said, better take a look at it and take safety measures.

Edit: Chrome and Opera are the only browsers being affected as per article.

Or, as a better solution, we can all stop using online services to store our passwords and use something like KeePass instead.

GreatArkansas
Hero Member
September 18, 2019, 07:58:27 AM
#3

Quote
Or, as a better solution, we can all stop using online services to store our passwords and use something like KeePass instead.

And also Password Safe, which is an open-source password manager like KeePass.
I created a short tutorial/information before on KeePass password manager here and for Password Safe here.

If we really don't need a password manager, or it isn't really required, then it's much better to avoid it; it is really risky, especially when you are using those that have subscription fees.

gentlemand
Legendary
September 18, 2019, 09:11:31 AM
#4

Is it unfashionable to say I don't trust any password manager?

There are only a handful of services where I need proper security and in that case they all have proper passwords that I've memorised. I couldn't care less about all the other ones.

TryNinja
Legendary
September 18, 2019, 09:48:14 AM
#5

Quote
Is it unfashionable to say I don't trust any password manager?

There are only a handful of services where I need proper security and in that case they all have proper passwords that I've memorised. I couldn't care less about all the other ones.

So you just repeat your passwords on most websites? This doesn’t seem like the best solution.

Just don’t use any web cloud hosted password manager. Keepass - as suggested above - is pretty good (open source, offline, old enough, etc). If anything, memorize your handful of services and use the password manager for those you don’t care. You don’t care anyways, but at least maintain some security.

bitmover
Hero Member
September 18, 2019, 03:53:13 PM
#6

LastPass was hacked already at least twice. I don't know why they still have so much support from big companies and so many people still use it.
https://www.cnet.com/forums/discussions/last-pass-hacked-again/


It is even bad for password managers in general. The most used one is hacked all the time, so it is natural that users think "I will just not use any password manager; at least I will not be hacked and lose all my passwords at once."

gentlemand
Legendary
September 18, 2019, 03:56:03 PM
#7

Quote
So you just repeat your passwords on most websites? This doesn’t seem like the best solution.

Just don’t use any web cloud hosted password manager. Keepass - as suggested above - is pretty good (open source, offline, old enough, etc). If anything, memorize your handful of services and use the password manager for those you don’t care. You don’t care anyways, but at least maintain some security.

Yup. There's no information of note on any of the said sites so I couldn't care less what happens to them.

One of the increasingly prevalent things that's pissing me off is the inability to access services from whatever machinery I'm using. I want to be able to log in from anywhere using anything, not have to download a program or receive a confirmation email to an address I can't get into without another confirmation email from elsewhere.

That'll do for the important stuff, not the junk.

Harlot
Hero Member
September 18, 2019, 04:35:43 PM
#8

Quote
Is it unfashionable to say I don't trust any password manager?

There are only a handful of services where I need proper security and in that case they all have proper passwords that I've memorised. I couldn't care less about all the other ones.

To be honest, you really don't need to store all your passwords in software. I would understand it if you have a spare offline desktop/laptop where you can store an offline password manager, but keeping an online one, especially those browser extension password managers, is like keeping a list of your accounts in Google Keep; it's really not that safe. I would rather write my passwords in a notebook and hide it somewhere good, like in our mini library where I store my past high school and college notes.

Stedsm
Legendary
September 18, 2019, 05:20:38 PM
#9

Why not simply use the built-in password manager in any browser like Chrome or Firefox? Do we really need password managing software here? I generally save all my passwords in Chrome's password manager, not just to save my time like gentlemand, but because most of my saved passwords are from websites where 2FA is required and I don't need the hassle of remembering the password every single time I log in there.

My strongest advice here to newbies:
You should never, hear me with fully open ears, never ever go for passwords provided by these password managers, because there you are prone to losing almost everything, as if they know what you have used (if they don't keep them saved encrypted with themselves, they can easily know that). I would never prefer any such services where such suggestions are given, but would rather stick to my old techniques.

ETFbitcoin
Legendary
September 18, 2019, 05:42:03 PM
#10

Quote
Is it unfashionable to say I don't trust any password manager?

There are only a handful of services where I need proper security and in that case they all have proper passwords that I've memorised. I couldn't care less about all the other ones.

Even one which is Free and Open Source?

Quote
LastPass was hacked already at least twice. I don't know why they still have so much support from big companies and so many people still use it.

That's because convenience always beats privacy, security and freedom.

Kyraishi
Hero Member
September 19, 2019, 12:08:59 AM
Merited by magneto (2)
#11

Don't use online password generators/holders. It's like the same argument of centralization vs decentralization again, where LastPass is an application that has all of your information and could randomly go bust one day and start hacking into their customers' accounts (because we all know they can do that). Using another system that is offline, or even going super old school and generating your own password and writing it down on a piece of paper, gives you control over everything and is the safest, and is the bet I'd recommend most people to go with.

To be honest, just make your own passwords by mashing the keyboard (eg 087asf*)&G), and then write it down on a piece of paper; that's 100 percent the safer bet.

Quote
LastPass was hacked already at least twice. I don't know why they still have so much support from big companies and so many people still use it.
https://www.cnet.com/forums/discussions/last-pass-hacked-again/

It is even bad for password managers in general. The most used one is hacked all the time, so it is natural that users think "I will just not use any password manager; at least I will not be hacked and lose all my passwords at once."

Because people don't like change and are sometimes oblivious to the news, I doubt that over half of the people that use LastPass knew that they got hacked, and the people that did know probably couldn't be bothered moving all their passwords.

Quote
Why not simply use the built-in password manager in any browser like Chrome or Firefox? Do we really need password managing software here? I generally save all my passwords in Chrome's password manager, not just to save my time like gentlemand, but because most of my saved passwords are from websites where 2FA is required and I don't need the hassle of remembering the password every single time I log in there.

Because Chrome and Firefox password savers are the same as giving out your information to LastPass; they still have access to your information, and LastPass works better than Chrome and has a lot more features than them.

 
TwitchySeal
Hero Member
September 19, 2019, 03:14:49 AM
Last edit: September 19, 2019, 03:46:43 AM by TwitchySeal
#12

Quote
LastPass was hacked already at least twice. I don't know why they still have so much support from big companies and so many people still use it.
https://www.cnet.com/forums/discussions/last-pass-hacked-again/

It is even bad for password managers in general. The most used one is hacked all the time, so it is natural that users think "I will just not use any password manager; at least I will not be hacked and lose all my passwords at once."

It's a pretty good product for non-technical people that don't need to worry about protecting private keys but want to have strong unique passwords for each site, across multiple devices, without much hassle.


And they really don't get hacked all the time. They have a decent bug bounty program and report whenever a vulnerability is brought to their attention (after it's patched). To my knowledge, none of the vulnerabilities have ever been exploited. (edit: I guess someone got hold of a bunch of salted hashes back in 2015, so that's a hack)

Quote
To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed.

Of course, if you're using a device to move more than a little bit of any cryptocurrency it would be silly to trust a web based password manager.
Stedsm
Legendary
September 19, 2019, 03:21:18 AM
#13

Quote
Why not simply use the built-in password manager in any browser like Chrome or Firefox? Do we really need password managing software here? I generally save all my passwords in Chrome's password manager, not just to save my time like gentlemand, but because most of my saved passwords are from websites where 2FA is required and I don't need the hassle of remembering the password every single time I log in there.

Because Chrome and Firefox password savers are the same as giving out your information to LastPass; they still have access to your information, and LastPass works better than Chrome and has a lot more features than them.

Well then, that remains the case with all types of password managers, even if they provide better features, because if they don't know your password, how will they engage with the website and pass your password ahead from their database?

http://techgenix.com/are-password-managers-security/

An article I read said that in 2018, two of the most popular password managers, OneLogin and LastPass (which OP alerted about), were hacked and sensitive customer data got leaked due to the same. I know that browsers are more vulnerable to attacks in comparison to these managers, but now I'd rather choose to save my usernames and passwords in either Notepad or a table/sheet in Microsoft Word/Excel and keep the document saved on a USB rather than keeping it on a PC which remains connected to the internet.

DarkStar_
Legendary
September 19, 2019, 04:47:47 AM
#14

Quote
I'd rather choose to save my usernames and passwords in either Notepad or a table/sheet in Microsoft Word/Excel and keep the document saved on a USB rather than keeping it on a PC which remains connected to the internet.

That's even worse as there's no encryption. If someone finds your USB, say goodbye to all of your logins. You're also most likely plugging the USB into an internet-connected computer when you need to log in. The LastPass vulnerability was most likely never used until it was patched, and it still required a very specific situation.

Quote
Is it unfashionable to say I don't trust any password manager?

There are only a handful of services where I need proper security and in that case they all have proper passwords that I've memorised. I couldn't care less about all the other ones.

Even one which is Free and Open Source?

Keepass is a good one that was already mentioned. I personally use Bitwarden, and I haven't had any complaints there.

Stedsm
Legendary
September 19, 2019, 05:02:13 AM
#15

Quote
I'd rather choose to save my usernames and passwords in either Notepad or a table/sheet in Microsoft Word/Excel and keep the document saved on a USB rather than keeping it on a PC which remains connected to the internet.

That's even worse as there's no encryption. If someone finds your USB, say goodbye to all of your logins. You're also most likely plugging the USB into an internet-connected computer when you need to log in. The LastPass vulnerability was most likely never used until it was patched, and it still required a very specific situation.

If it is of a specific brand that enables encryption of data by requiring a password before any of the data on that USB can be used, and the password is an extremely complex one, will it still be possible for someone who gets my USB to crack that password and/or encryption and take away all the data on that USB?

DarkStar_
Legendary
September 19, 2019, 05:12:31 AM
#16

Quote
I'd rather choose to save my usernames and passwords in either Notepad or a table/sheet in Microsoft Word/Excel and keep the document saved on a USB rather than keeping it on a PC which remains connected to the internet.

That's even worse as there's no encryption. If someone finds your USB, say goodbye to all of your logins. You're also most likely plugging the USB into an internet-connected computer when you need to log in. The LastPass vulnerability was most likely never used until it was patched, and it still required a very specific situation.

If it is of a specific brand that enables encryption of data by requiring a password before any of the data on that USB can be used, and the password is an extremely complex one, will it still be possible for someone who gets my USB to crack that password and/or encryption and take away all the data on that USB?

It depends. Is it open source software that uses a tried and true method of encryption, or does it use a proprietary algorithm?

Keep in mind that a USB is also inconvenient. If you're using a non-personal computer and needed to access your accounts, you likely wouldn't be able to connect the USB to your phone to find your passwords. Most password managers have apps that you can use.
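Posts #14 and #16 above turn on one point: a plaintext Notepad or Excel file on a USB stick is unprotected, and what makes an offline vault safer is a standard, publicly specified construction rather than a vendor's proprietary one. As an added illustration (not code from this thread, nor from KeePass, Bitwarden, LastPass or any other product named here), the Go program below shows that construction end to end using only the standard library: the master password goes through PBKDF2-HMAC-SHA256 with a random salt, the derived key encrypts the vault with AES-256-GCM, and a wrong password or a tampered file fails the authentication tag instead of yielding garbage. The credential list, the master phrase and the iteration count are constructed for the example, and the PBKDF2 routine is written out by hand rather than imported from golang.org/x/crypto so the file builds offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SampleVault is a constructed, fictitious credential list (site, user, password) standing in for the Notepad/Excel file discussed in the thread.
const SampleVault = "example.org\talice\thunter2\nforum.example\talice\tcorrect-horse-battery\n"

const (
	saltLen  = 16
	nonceLen = 12
	keyLen   = 32     // AES-256
	kdfIters = 100000 // PBKDF2 iteration count (assumed for the example; raise as hardware allows)
)

// PBKDF2SHA256 is the standard PBKDF2-HMAC-SHA256 construction (RFC 8018), written out so only the standard library is needed.
func PBKDF2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	numBlocks := (dkLen + sha256.Size - 1) / sha256.Size
	out := make([]byte, 0, numBlocks*sha256.Size)
	for block := 1; block <= numBlocks; block++ {
		prf.Reset() // U1 = PRF(password, salt || INT_32_BE(block))
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// T = U1 xor U2 xor ... xor U_iter, where U_n = PRF(password, U_{n-1})
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// newAEAD derives an AES-256 key from the master password and salt and wraps it in AES-GCM, so every write is authenticated as well as encrypted.
func newAEAD(master string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(PBKDF2SHA256([]byte(master), salt, kdfIters, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault returns salt || nonce || ciphertext+tag. The salt is passed as associated data so it cannot be swapped without the tag check failing.
func SealVault(master string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen) // fresh random salt and nonce for every write
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	aead, err := newAEAD(master, salt)
	if err != nil {
		return nil, err
	}
	return aead.Seal(append([]byte(nil), hdr...), nonce, plaintext, salt), nil
}

// OpenVault reverses SealVault. A wrong master password derives a different key, so GCM's tag check fails and the caller gets an error, never garbage.
func OpenVault(master string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("vault blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := newAEAD(master, salt)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("wrong master password or tampered vault")
	}
	return pt, nil
}

func main() {
	blob, _ := SealVault("long memorable master phrase", []byte(SampleVault))
	_, err := OpenVault("wrong guess", blob)
	fmt.Println("wrong password ->", err)
	pt, _ := OpenVault("long memorable master phrase", blob)
	fmt.Printf("%d ciphertext bytes on the stick, %d plaintext bytes recovered\n", len(blob), len(pt))
}
```

Every primitive here (PBKDF2, AES, GCM) is publicly specified and implemented in the standard library, which is what "tried and true" buys you: the algorithm and the implementation can both be checked, whereas a proprietary scheme on a branded USB stick offers neither. The per-vault salt keeps two vaults with the same master phrase from sharing a key, the authentication tag turns a wrong guess or a corrupted file into a clean error, and the iteration count is the knob that makes guessing the master phrase slow.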

slaman29
Sr. Member
September 19, 2019, 05:16:36 AM
#17

Well, I personally think most open source projects are fine to use. People find bugs and vulnerabilities in coding all the time. That's good. And when they're open source they get fixed very quickly and that's also good.

I do worry when things like these happen though and someone manages to get my data in the few hours the vulnerabilities aren't fixed.

LuckyBtc
Legendary
September 19, 2019, 07:16:17 AM
#18

How about using Trezor's password manager? Is it any good? Anyone using it here? I'm thinking of buying another device to use it as a password manager as well as to keep a small amount of Bitcoin for spending.

gentlemand
Legendary
September 19, 2019, 09:19:29 AM
#19

Quote
How about using Trezor's password manager? Is it any good? Anyone using it here? I'm thinking of buying another device to use it as a password manager as well as to keep a small amount of Bitcoin for spending.

Weird how rarely it's mentioned.

In some ways it would be more convenient, others less. I don't fancy having to haul it around every time I wanted to access something but at least it would be more secure than downloading some program to every computer I wanted to access sites through.

OmegaStarScream
Staff, Legendary
September 19, 2019, 09:52:37 AM
#20

Quote
How about using Trezor's password manager? Is it any good? Anyone using it here? I'm thinking of buying another device to use it as a password manager as well as to keep a small amount of Bitcoin for spending.

In terms of security, Trezor might be better than KeePass but I find TPM to be inconvenient because:

1. The software is only available for Chrome/chromium-based browsers.
2. You can't use it offline, and you need a Google Drive/Dropbox account.

It should be possible to create your offline password manager (to communicate with your Trezor) though, as the format for password storage is available, but that's clearly not something the average user would be able to do.
