Which password manager do you use?

It took them 4 days to patch it after notification, and it was not a minor fix: they had to rewrite their DOM. They said they worked night and day, and I find that believable. Drive-by exploits are existential threats for password managers.

From a cursory reading of their explanation, the fact that it had autocompletion of passwords using a plugin was the vulnerability.

Being in the cloud was the issue when they were hacked a few years ago, or was that one of the other cloud-based password suites?

I’m impressed at how they handled this situation and went on and subscribed for one year. And I agree with rei, a password manager has to be handled by professionals, not just indie shops.

I mean their servers were hacked a few years ago but because they do client side de/encryption there’s not much they can do with that data.

Are LastPass and cloud-based password managers a perfect solution?

No. And there will never be a perfect solution.

Is it better than what the vast majority of Internet users use (“Password” or “12345”)? Orders of magnitude better. Especially coupled with 2FA and shit like keeping all your software updated with the latest security updates.

That’s way more than good enough in this game. The vast majority of cybercriminals will settle for the low-hanging fruit. Will LastPass protect you from a nation-state that’s out to get into your stuff? No. But not much will get in the way if a nation-state focuses its vast resources against you.

I often thought going open source, such as KeePass, would be a better solution, and I do use a combination of both. How secure is KeePass even?
You are absolutely right that using a password manager is way better than using a generic, repeatable password that could be easily hacked.

I’ve used LastPass for the last 6 to 8 months, and while it may not be perfect, it has definitely improved my personal security posture. Being able to use different, randomly generated passwords for each site I visit helps minimize any damage done when a site is compromised, that’s for sure.

KeePass had an issue recently when the main dev wouldn’t use HTTPS for auto-update until users protested.

Here is KeePass’ full list of “security” issues.
http://keepass.info/help/kb/sec_issues.html#updsig

On “Auto-Update”:
The version information file is downloaded from the KeePass website over HTTP. Thus a man in the middle (someone who can intercept your connection to the KeePass website) could have returned an incorrect version information file, possibly making KeePass display a notification that a new KeePass version is available. However, the next steps (downloading and installing the new version) must be carried out by the user manually, and here users who check the digital signature will notice the attack.

Resolution. In order to prevent a man in the middle from making KeePass display incorrect version information (even though this does not imply a successful attack, see above), the version information file is now digitally signed (using RSA-4096 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. Furthermore, the version information file is now downloaded over HTTPS.

D’oh!
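The resolution quoted above (a version information file that the client only accepts when its RSA/SHA-512 signature verifies) is the part worth seeing in code. The following is an added example, not code from KeePass or from anyone in this thread: it signs a constructed manifest with a publisher key, verifies it on the client side, and shows that a manifest whose body was swapped in transit is rejected even though the old signature is still attached. The two-field manifest layout, the `KeePass:2.34` body text and the 2048-bit demo key are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"errors"
	"fmt"
)

// VersionInfo is a constructed stand-in for the "version information file" an
// updater downloads. The two-field layout is an assumption made for this
// example; it is not KeePass's file format.
type VersionInfo struct {
	Body      []byte // the manifest text, e.g. "KeePass:2.34\n"
	Signature []byte // RSA PKCS#1 v1.5 signature over SHA-512(Body)
}

// SignVersionInfo is the publisher's step: sign the manifest once, offline,
// with the private key that never leaves the release machine.
func SignVersionInfo(priv *rsa.PrivateKey, body []byte) (VersionInfo, error) {
	digest := sha512.Sum512(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, digest[:])
	if err != nil {
		return VersionInfo{}, err
	}
	return VersionInfo{Body: body, Signature: sig}, nil
}

// VerifyVersionInfo is the client's step: the manifest body is returned only if
// its signature verifies under the publisher key shipped inside the client.
// Once this check holds, the transport (HTTP or HTTPS) no longer decides integrity.
func VerifyVersionInfo(pub *rsa.PublicKey, vi VersionInfo) ([]byte, error) {
	digest := sha512.Sum512(vi.Body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], vi.Signature); err != nil {
		return nil, errors.New("version information file rejected: signature does not verify")
	}
	return vi.Body, nil
}

// Demo runs both halves: a genuine manifest must be accepted and a manifest
// whose body was replaced in transit must be rejected.
// It returns (genuineAccepted, tamperedRejected).
func Demo() (bool, bool, error) {
	// 2048 bits keeps the demo fast; the real KeePass signing key is RSA-4096.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	genuine, err := SignVersionInfo(priv, []byte("KeePass:2.34\n")) // constructed manifest
	if err != nil {
		return false, false, err
	}
	_, err = VerifyVersionInfo(&priv.PublicKey, genuine)
	genuineAccepted := err == nil

	// A man in the middle can replace the body but cannot produce a fresh
	// signature without the private key, so the original one is left attached.
	tampered := VersionInfo{Body: []byte("KeePass:9.99\n"), Signature: genuine.Signature}
	_, err = VerifyVersionInfo(&priv.PublicKey, tampered)
	tamperedRejected := err != nil

	return genuineAccepted, tamperedRejected, nil
}

func main() {
	accepted, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine manifest accepted: %v, tampered manifest rejected: %v\n", accepted, rejected)
}
```

The detail that matters for a defender is where the public key lives: it has to be compiled into the client (or otherwise pinned), because a key fetched over the same channel as the manifest could be swapped by the same man in the middle. With that in place, the signature check covers the version-information step, while the download and install still rely on the user checking the installer's own signature, exactly as the quoted text says.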

I should not have any cause for alarm because LastPass encrypts passwords in my client PC/phone before sending the information to be stored in the cloud. Right? Right???

Yes, that’s right. It looks like OneLogin had some way to decrypt user data, which is a huuuuuuge problem.

The solution, as always, is KeePass.

Surely it isn’t too much of a hassle to manually insert your passwords. The benefit is that they are then kept safe in your possession and not in some “Cloud” service you know nothing about.

Just make sure you keep a USB key with a backup in case your computer gets xCrypted.

What happens if you lose the key?

I feel 1Password is secure using Dropbox, maybe I am fooling myself? Having to manually enter passwords is a huge drawback. If I am using random strings of 20 characters, I don’t want to have to enter that by hand.

I always thought that part of the protection of using a password manager is not having to type the password, which is half the battle (so it cannot be captured).

BTW, does anyone use KeyScrambler (anti-keylogging)?

He means a copy of the file on a USB drive, I think.

And if you do use a key file (plus password) with KeePass, just make a key file that you can reconstruct if you ever lose it.

It is too much of a hassle. If LastPass was actually insecure, I would make that tradeoff. But it isn’t. Passwords are decrypted client-side.

You type a password to open the vault when you start the app locally.

Then you double-click on the site you want to visit, and it is opened in the browser; then you double-click on the password and paste it into the password field.

Or you use one of the client-side plugins to have it done automatically.

I think it’s pretty secure. AgileBits has written white papers on how it works, but basically, even if a hacker has your Dropbox account and downloaded your 1Password data vault files, those files cannot be decrypted without your secret key (randomly generated and stored locally on your device or PC) and master password (created by you and stored in your brain).

You should have 2FA turned on with Dropbox anyway, as an extra precaution.