Password Manager Discussion.

AutoCascade · Jan 18, 2016

Pretty good return time on an answer.

You're running this in Windows?

bjm_ · Jan 18, 2016

AutoCascade said: ↑

Pretty good return time on an answer. You're running this in Windows?
Click to expand...

Yes, good turn around. W8.1 + FF43.0.4x64

dogbite · Mar 8, 2016

Has anybody tried masterpasswordapp?

http://masterpasswordapp.com/

Rasheed187 · Mar 8, 2016

dogbite said: ↑

Has anybody tried masterpasswordapp?

http://masterpasswordapp.com/
Click to expand...

LOL, it's using Java for the desktop, no thanks.

dogbite · Jun 6, 2016

Bad news about Keepass.

http://www.engadget.com/2016/06/04/keepass-wont-fix-security-hole-due-to-ads/

Rules · Jun 6, 2016

dogbite said: ↑

Bad news about Keepass.

http://www.engadget.com/2016/06/04/keepass-wont-fix-security-hole-due-to-ads/
Click to expand...

Thanks dogbite, interesting, i am on Keepass 1.x but it may have the same issue i think.

Rules.

TairikuOkami · Jun 6, 2016

I never let apps autoupdate. This is not the first, nor the last case.

http://news.softpedia.com/news/asus...s-over-http-with-no-verification-504880.shtml
http://news.softpedia.com/news/leno...rator-app-amid-security-concerns-504810.shtml

Robin A. · Jun 6, 2016

TairikuOkami said: ↑

I never let apps autoupdate. This is not the first, nor the last case.

http://news.softpedia.com/news/asus...s-over-http-with-no-verification-504880.shtml
http://news.softpedia.com/news/leno...rator-app-amid-security-concerns-504810.shtml
Click to expand...

KeePass doesn´t autoupdate.
http://keepass.info/help/kb/sec_issues.html#updsig

bjm_ · Jun 6, 2016

Robin A. said: ↑

KeePass doesn´t autoupdate.
http://keepass.info/help/kb/sec_issues.html#updsig
Click to expand...

Thanks

AutoCascade · Jul 26, 2016

Looks like LastPass has some issues.

Tavis Ormandy‏@taviso
Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.

Tavis Ormandy ‏@taviso 3h3 hours ago
OK OK, I get it, lots of people use LastPass. If you work there, please contact me ASAP and let's get this fixed.
Click to expand...

TheWindBringeth · Jul 26, 2016

EC to audit Apache HTTP Server and Keepass
https://joinup.ec.europa.eu/node/153614

The European Commission is preparing a software source code security audit on two software solutions, Apache HTTP server and Keepass, a password manager. The source code will be analysed and tested for potential security problems, and the results will be shared with the software developers. The audits will start in the coming weeks.
Click to expand...

Victek · Jul 26, 2016

AutoCascade said: ↑

Looks like LastPass has some issues.
Click to expand...

Can you say more about what the issues are?

AutoCascade · Jul 27, 2016

Tavis Ormandy ‏@taviso 3h3 hours ago
Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password.
Click to expand...

AutoCascade · Jul 27, 2016

Victek said: ↑

Can you say more about what the issues are?
Click to expand...

http://www.theregister.co.uk/2016/0..._millions_of_lastpass_users_who_visit_a_site/

Zero day hole can pwn millions of LastPass users, all that's needed is a malicious site
Remote 'complete account compromise' possible, Google hacker finds

A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which The Register has been told can completely compromise user accounts.

Many millions of users can right now be compromised by merely visiting a malicious website, we understand.

This allows attackers complete access to user accounts in which hundreds and thousands of passwords are stored.

Little else is known of the flaw, found by proven and prolific white hat security researcher Tavis Ormandy, but the Google Project Zero hacker has form; he has torn apart every major antivirus platform finding horrific bugs including a zero-interation remote code execution and wormable hole in Symantec kit, vulnerabilities in Avast offerings, server-side pain in Malwarebytes, and failures in Comodo, Kasperksy, and Bromium.

Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.

— Tavis Ormandy (@taviso) July 26, 2016
The bug will still need to be replayed by LastPass before patches are brewed.

There is no news yet of in-the-wild attacks.

Ormandy will set sights on popular password vault Password1 after this audit. ®
Click to expand...

korben · Jul 27, 2016

What now?

My master pass on lastPass is really strong, but...

Just now I added multi authentification by means of Authenticator.

Exported and imported my accounts to :
https://keepersecurity.com/en_GB/user-guides/guide-browser-extensions.html

Am I missing an important element here?

fax · Jul 27, 2016

Victek said: ↑

Can you say more about what the issues are?
Click to expand...

LastPass details the problem and fix: https://blog.lastpass.com/2016/07/lastpass-security-updates.html/
This is limited to lastpass add-on for Firefox.

fax · Jul 27, 2016

AutoCascade said: ↑

https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

Click to expand...

Already addressed by lastpass one year ago... Read the link in my previous post

EDIT: Ooops, I see that AutoCascade post is gone now....

bjm_ · Jul 27, 2016

fax said: ↑

LastPass details the problem and fix: https://blog.lastpass.com/2016/07/lastpass-security-updates.html/
This is limited to lastpass add-on for Firefox.
Click to expand...

Thanks!

AutoCascade · Jul 27, 2016

fax said: ↑

Already addressed by lastpass one year ago... Read the link in my previous post

EDIT: Ooops, I see the AutoCascade removed the post....
Click to expand...

I didn't realize the 2nd report was a year ago. The author didn't share that part unfortunately.

The report by Taviso though was just a day or so ago and LastPass responded quickly but it also doesn't mean he's done finding holes in it.

TonyW · Jul 27, 2016

This is a good example of how responsible disclosure should work. By the time you hear about the vulnerability, the issue is already fixed by the vendor. So kudos to Ormandy and the LastPass team.

AutoCascade · Jul 27, 2016

TonyW said: ↑

This is a good example of how responsible disclosure should work. By the time you hear about the vulnerability, the issue is already fixed by the vendor. So kudos to Ormandy and the LastPass team.
Click to expand...

+1

WildByDesign · Jul 27, 2016

LastPass bug report details: https://bugs.chromium.org/p/project-zero/issues/detail?id=884

WildByDesign · Aug 1, 2016

Potentially some 1Password vulns to come next?
Link: https://twitter.com/taviso/status/760231214812844032

Rasheed187 · Aug 2, 2016

fax said: ↑

LastPass details the problem and fix: https://blog.lastpass.com/2016/07/lastpass-security-updates.html/
This is limited to lastpass add-on for Firefox.
Click to expand...

This is another eye opener, it's probably best not to use any extensions for password managing.

Victek · Aug 2, 2016

Rasheed187 said: ↑

This is another eye opener, it's probably best not to use any extensions for password managing.
Click to expand...

The LastPass extension has already been updated to address the issue.

Log in or Sign up

Password Manager Discussion.

AutoCascade Registered Member

bjm_ Registered Member

dogbite Registered Member

Rasheed187 Registered Member

dogbite Registered Member

Rules Registered Member

TairikuOkami Registered Member

Robin A. Registered Member

bjm_ Registered Member

AutoCascade Registered Member

TheWindBringeth Registered Member

Victek Registered Member

AutoCascade Registered Member

AutoCascade Registered Member

korben Registered Member

fax Registered Member

fax Registered Member

bjm_ Registered Member

AutoCascade Registered Member

TonyW Registered Member

AutoCascade Registered Member

WildByDesign Registered Member

WildByDesign Registered Member

Rasheed187 Registered Member

Victek Registered Member

Log in or Sign up

Password Manager Discussion.

AutoCascade Registered Member

bjm_ Registered Member

dogbite Registered Member

Rasheed187 Registered Member

dogbite Registered Member

Rules Registered Member

TairikuOkami Registered Member

Robin A. Registered Member

bjm_ Registered Member

AutoCascade Registered Member

TheWindBringeth Registered Member

Victek Registered Member

AutoCascade Registered Member

AutoCascade Registered Member

korben Registered Member

fax Registered Member

fax Registered Member

bjm_ Registered Member

AutoCascade Registered Member

TonyW Registered Member

AutoCascade Registered Member

WildByDesign Registered Member

WildByDesign Registered Member

Rasheed187 Registered Member

Victek Registered Member

Useful Searches