Which password manager do you use?

I shattered my iPhone a couple weeks ago hiking in the snow, but insurance sent me a new one, and I took the opportunity to switch from Google Authenticator to LastPass Authenticator. So now if I’m browsing on my laptop/desktop and need to verify a login, I don’t have to look up and punch in the 6 digits. Instead, it just sends an authorization screen to my phone, and I tap it. Seamless.

Hmm. Didn’t realize that was an option. I may have to do that.

I’m using Authy since it backs up with a password.

Heads up. Looks like a LastPass vulnerability was found by a research group.

LastPass goes over it in their blog:

Well crap. Good thing I use 2FA like everywhere I can.

Still no problems with KeePass.
It doesn’t use a browser plugin.
Cut and paste the password, which it clears after a few seconds.

Hmmm, I wonder if it’ll be difficult to import LastPass stuff into KeePass.

Will having two-factor on LastPass help keep me safe?

I’m not switching off LastPass.

I’m not either. This is a vulnerability that isn’t known out in the wild. There are most likely more vulnerabilities which have yet to be discovered, which is normal - but LastPass is recommending a few things on their blog:

  1. Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.
  2. Two-Factor Authentication on any service that offers it – Whenever possible, turn on two-factor authentication with your accounts; many websites now offer this option for added security.

I’m not 100% on what this means. Does this mean don’t like, open/edit the credential information? Just launch directly from the thing?

It means use the launch button inside LastPass to sign into apps instead of relying on the plug-in.

Ohhh, alright, that makes a lot more sense. Thanks!

Yeah, it’s a fairly sophisticated attack. The Google researcher expects that LastPass will need to do extensive work to fix it, but that doesn’t mean it’s a gaping hole.

As someone on Ars said, not using a password manager because of something like this is like refusing to lock your house because locks can be picked.

Unfortunately no, in this case it won’t. Browse carefully until it’s fixed. I wouldn’t be too concerned as the vulnerability was responsibly disclosed and is not out in the wild.

Thanks!

Patch is out. As the exploit is now publicly exposed, it will begin to be seen in the wild -- update now.

This is why I don’t use smaller, unheard-of password solutions. What guarantee is there that they have as many developers working on fixes?

Well,

Not using a cloud-based password manager, and not having it autocomplete passwords based on what it thinks is the legit site, would keep your passwords safe-ish, until they take the key file from your computer and get access to all your passwords, that is.

I would guess that good malware would first infect your computer (probably through a web page that has ads), identify password manager applications locally or in the browser, wait for you to launch the app/site and capture keystrokes, extract any local key files it sees the application open (or based on file name extension), and send those off.

Be right back, just moving my key file off my computer and onto a USB stick or two :)

Not being in the cloud and turning off autocomplete wouldn’t help in this case; the problem was the DOM model used in the extension.

Everything will have vulnerabilities; what matters is how fast they respond.

LastPass handled this one incredibly well, I thought. My browser extension had already updated itself by the time I read that blog post, and that was what…a day after the news came out?