Password Manager Discussion.

Discussion in 'other software & services' started by Mayahana, Jan 28, 2015.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    That's what he did. And Lastpass fixed specific vulnerabilities but, obviously, didn't make the general design safe enough.
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Well, then he should have sent additional reports/PoCs if he was still seeing other issues. The broad statement "lastpass design is bad" does not really help. The follow-up blog post now with "I told you" also does not help. All of this with a nice disclaimer: "by the way I am the developer of another password manager" :D
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, he was rather specific in his Sept. post and, probably, in his report to Lastpass. And he has enough to do with his own products and is not a bug hunter like Ormandy - you cannot expect him to meticulously check all code changes in 3rd party products.
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    What he concretely reported was quickly fixed, as acknowledged by lastpass back in September last year. Global design criticisms are hard to fix; if he still believes lastpass has bugs he should report them. Otherwise it looks like a commercial for his own password manager developer skills.

    There is a constant race to break lastpass and he is not the first nor the last shooting at lastpass. No surprises; lastpass is the market leader in this type of software/service.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Correct, but I think these kinds of holes are unacceptable. It's probably best not to use extensions for password management.
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I tend to agree. When using KeePass, an extension is simply not necessary as Auto-Type works very well. This reduces the attack surface. (I'm using KeePass on Linux with Mono.)
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    How does Auto-Type work? I assume it must hook the browser? I currently just copy and paste usernames and passwords, which is kinda unhandy. That's why I was looking into other options, but no way I'm going to install some extension. It's a bummer that none of the browsers offer a secure integrated password manager.
     
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    I'd like to see the answer to that as well. For now, I'll live with the browser plugins. What I'd really like to see is something done about the criminals trying to steal our info, rather than blaming the software developers.
     
  9. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
  11. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    Ditto, with two-channel auto-type obfuscation enabled. I realize that obfuscation doesn't increase the difficulty terribly, but I feel better using it on sites that allow for it. Really annoying that sites like yahoo and google break up the username/email and password fields. If someone is going to capture the input, then they can at least work at it. I always push for maximum length and diversity for my logins. I've even taken to adding strings onto my usernames and disposable e-mails that I use to register accounts, and I try to break up the creation scheme so if an account is breached, there isn't a discernible pattern. Even if the account is compromised, I feel better knowing that I made a conscious effort on my part to secure my accounts. I've used KeePass a long time and would highly recommend it. But always nervous to see what Tavis finds next.
     
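To make concrete what two-channel auto-type obfuscation does, and where the limit the post above acknowledges comes from, here is an added Python model. It is not KeePass's code: it reproduces only the core idea (the string to be typed is split between simulated keystrokes and simulated clipboard pastes), and the chunk sizes, channel names and sample secret are constructed. The real feature also scrambles chunk order with cursor keys, which this toy omits.

```python
"""Toy model of two-channel auto-type obfuscation (TCATO).

Added example, not KeePass's own implementation. The characters to be
typed are split into chunks that alternate between two channels, so an
observer of only one channel records fragments. Channel labels, chunk
sizes and the sample secret are constructed for this illustration; the
real feature additionally reorders chunks with cursor keys.
"""
import random
from typing import Dict, List, Set, Tuple

# (channel, text) pairs in the order the auto-typer performs them.
Step = Tuple[str, str]
KEY, CLIP = "key", "clip"  # constructed labels for the two channels


def obfuscate(secret: str, rng: random.Random) -> List[Step]:
    """Split the secret into random 1-3 character chunks and alternate
    the channel per chunk. A secret of 4+ characters yields at least two
    chunks, so no single channel ever carries the whole secret."""
    steps: List[Step] = []
    channel = rng.choice([KEY, CLIP])
    i = 0
    while i < len(secret):
        n = rng.randint(1, 3)
        steps.append((channel, secret[i:i + n]))
        i += n
        channel = CLIP if channel == KEY else KEY
    return steps


def replay(steps: List[Step]) -> str:
    """What the focused input field receives: every chunk, in order,
    whichever channel delivered it. This must reproduce the secret."""
    return "".join(text for _, text in steps)


def observe(steps: List[Step], channels: Set[str]) -> str:
    """Characters visible to a passive observer of the given channels.
    A keystroke-only observer misses the pasted chunks and vice versa;
    an observer of both channels sees everything, which is why the
    technique raises the bar only modestly."""
    return "".join(text for ch, text in steps if ch in channels)


def demo(secret: str = "correct-horse-battery", seed: int = 7) -> Dict[str, object]:
    """Run one obfuscated auto-type and report what each observer sees.
    The default secret and seed are constructed sample values."""
    steps = obfuscate(secret, random.Random(seed))
    return {
        "steps": steps,
        "field_received": replay(steps),
        "keystrokes_only": observe(steps, {KEY}),
        "clipboard_only": observe(steps, {CLIP}),
        "both_channels": observe(steps, {KEY, CLIP}),
    }


if __name__ == "__main__":
    result = demo()
    for name in ("field_received", "keystrokes_only", "clipboard_only", "both_channels"):
        print(f"{name:16s} {result[name]!r}")
```

Running the script shows the field receiving the full secret while the keystroke-only and clipboard-only views each hold a strict subset of its characters; the two-channel view is complete, which is the residual risk the post describes. In KeePass the feature is switched on per entry rather than globally.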
  12. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    There was a user here named Mayahana who proposed what he called "cypher salting". Basically the passwords he kept in the password manager were incomplete and he would add an additional string to complete the password at the time of entering the credentials. These posts are still available if you search. Here is the one where he describes his system:

    https://www.wilderssecurity.com/threads/do-you-trust-last-pass.369448/page-3#post-2420487

    This adds a fair bit of overhead to logging into sites, but could be worth it for critical services such as online banking.
     
    Last edited: Mar 26, 2017
  14. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    All details are explained here. And this site for Two-Channel Auto-Type Obfuscation.
     
  15. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    http://news.softpedia.com/news/lastpass-working-on-fix-for-newly-discovered-bug-514313.shtml
     
  17. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/
     
  18. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    https://arstechnica.com/security/20...derscores-the-dark-side-of-password-managers/

     
  19. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
  20. guest

    guest Guest

    It even works after the user has logged out of the extension:
     
  21. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    We're lucky @taviso is on the good guys team. He has recommended KeePass

    I'm going back to my passwords on an encrypted usb which will not be plugged in except as needed & work on getting my passwords onto Keepass.

     
  22. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Agreed he seems really awesome. I can't believe I did not know of him until recently.

    Not sure what I am going to do but may look into Keepass.
     
  23. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Let's all dump lastpass and move to Keepass as it is recommended by Taviso... ehm, wait... it's probably enough not to use the lastpass extension for Firefox. Oh, yeah... much simpler :isay::D
     
  24. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Lol!
     
  25. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Too funny.
     