Password Manager Discussion.

Discussion in 'other software & services' started by Mayahana, Jan 28, 2015.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    34,723
    Seems to be a back-end fix:
    3.x is the release version, and 4.x the development version. But soon (April 2017) they will only offer 4.x in the Mozilla Add-On Library and on the LastPass website (to cause less confusion for some LastPass users):
     
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,588
    Location:
    .
    Enpass free desktop version.
     
  3. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
  4. Cohen

    Cohen Registered Member

    Joined:
    Jul 29, 2016
    Posts:
    15
    Location:
    /
    https://blog.lastpass.com/2017/03/plans-to-retire-the-lastpass-3-3-2-firefox-add-on.html/
     
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    This seems already fixed. All free of charge for LastPass, go go Tavis...:thumb:

    https://twitter.com/taviso/status/844574176165822465

    https://blog.lastpass.com/2017/03/important-security-updates-for-our-users.html/
     
    Last edited: Mar 22, 2017
  6. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,479
    Is it any good?
     
  7. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,911
    Location:
    USA
    Agreed, LastPass is one of the most responsive vendors of any kind where security issues are concerned. All of the others have issues too, everyone does. This all reminds me, it's time to renew my subscription with them... :eek:
     
  8. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    56,320
    Location:
    U.S.A.
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,588
    Location:
    .
    Last edited: Mar 22, 2017
  10. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,479
  11. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    None of the exploits were 'in the wild' and LastPass's response times were impressive. He's basically helping to lock down LP.

    The only other time I've seen him say he was impressed with the response time was for Kaspersky.

    This below was at noon Eastern time today.

     
    Last edited: Mar 24, 2017
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,049
    Location:
    USA
    Agreed. There has only been one significant attack against LastPass in the years I've been using it; their response was fast and professional, and I feel that's the most important thing. The time to run the other way is when security vendors deny the breaches and the vulnerabilities in their products :thumbd:
     
    Last edited: Mar 23, 2017
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,152
    Location:
    Among the gum trees
    Firefox LastPass just updated on my machine to 3.3.4.
     
  14. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    707
    Location:
    The Netherlands
    That should contain the latest fixes:
    https://blog.lastpass.com/2017/03/important-security-updates-for-our-users.html/
     
  15. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,911
    Location:
    USA
    Unfortunately they seem to have broken the Firefox plugin. I can't get it to install, either from their installer or the website. The only place I can get it is from the Firefox addon site, and it is version 3.3.4 as stated above.
     
  16. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    707
    Location:
    The Netherlands
    You could install the development version 4.1.36a from the Firefox addon site.
    It is the same xpi that you get from their website.
     
  17. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,911
    Location:
    USA
    Actually what I ended up doing was going to the LastPass site with IE, downloading the Firefox .xpi file and saving it with IE, then I dropped it into a running Firefox window. Sadly that works where trying to download it directly with Firefox does not.
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,163
    Location:
    Under a bushel ...
    Downloading the dev version within Firefox worked for me.
     
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    https://palant.de/2017/03/23/lastpass-security-done-wrong

     
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,049
    Location:
    USA
    Don't you think there would be reports from users if there had been data loss? Sooner or later breaches become public.
     
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    Perhaps later? ;) But seriously, the point that Palant rightly made was that there is no way that Lastpass could know if data loss has really happened (as their servers are not affected) - although they give that impression.

    But the probably even more important point is: Palant is undoubtedly a very experienced add-on author who knows what he's doing. So if he criticized design flaws in the Lastpass add-on months ago - exactly the ones which were later found as vulnerabilities by Tavis Ormandy - this should have been taken seriously. But obviously nothing happened. So this raises the question: Didn't the Lastpass guys read what Palant wrote - or don't they know what they are doing?

    I've been a long-time (paying!) Lastpass user and still am. It's still installed in my browser but I'm using Keepass now. I'm seriously considering getting rid of Lastpass completely, although I've always defended them in the past.
     
    Last edited: Mar 24, 2017
  22. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,049
    Location:
    USA
    I don't know why LastPass didn't take a serious look at Palant's analysis. At least they responded to Tavis Ormandy. I agree that it doesn't inspire confidence when LastPass gives assurances regarding an exploit that doesn't impact their servers. It's a balancing act for security vendors because whenever they admit even the smallest vulnerability some people go nuts and abandon them. I've been using LastPass premium for a long time too, but if they ever start denying and refusing to fix vulnerabilities I will drop them in a heartbeat.
     
  23. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
  24. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    Again - he criticized the design after some other vulnerabilities were reported but before the latest vulnerabilities were detected. Read his blog post from Sept. 2016. His conclusion:
    Indeed. So his critical remarks are absolutely legitimate.
     
  25. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    To clarify: I mean he is transparent about being a developer of a competing password manager :). If he honestly wanted to improve LastPass then he should have done like Tavis (and the others): develop a working PoC demonstrating the bug and then report it to the manufacturer. Please correct me if I am wrong but I have not seen any concrete PoC in his blog post or reports about having been in contact with LastPass to help fix the issue.
     