LastPass Working on Yet Another Security Fix

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
30,843
It seems like the last couple of weeks have been pretty rough for LastPass. Tavis Ormandy at Google's Project Zero team apparently had a shower epiphany, and found yet another vulnerability in LastPass resulting in arbitrary code execution. That's quite a lot accomplished before putting your pants on on a Saturday morning.

This is why I have some discomfort when it comes to password managers. If you get phished or otherwise exploited on a site by site basis, you lose one password. If your password manager gets compromised you lose them all. Because of this, I personally keep all my passwords in my noggin. It's not easy though, and I often forget and have to reset them.

To expand on the issue, LastPass also put up a post today, in which they made it clear that a fix is being worked on. The client side vulnerability discovered over the weekend allows for an attack that is "unique and highly sophisticated". As such, the firm declined to disclose anything specific about either the vulnerability or the patch, until everything is said and done. The reasoning given is that doing so could "reveal anything to less sophisticated but nefarious parties", which is of course not the intention.
 
Joined
Feb 3, 2008
Messages
665
On the password manager side I would like to bring up one solution that is working well for me.

'KeePass' can store login information in an encrypted file. You can set up the software in a way that a token or a passphrase needs to be given before that file ever gets decrypted to memory or any login information made available.
The token can be a file, probably other things. The password can also be a key file.

This integrates with KeeFox for Firefox users, I don't know about other browsers. KeeFox can activate the software and fill login information in on web sites. This may be phishable but you don't have to do this at all. Skip KeeFox and copy/paste passwords out of KeePass if you forgot them.

Lastly, KeePass has a lot of plugins, one of them to sync the key file to a google drive. You can use this to seamlessly use the key file on multiple devices and keep them all up-to-date.

It takes a little work setting up but it seems that you can make this solution as secure as you wish, or add conveniences that also may lower security. And it's free.
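The two-factor master key the post describes (a passphrase plus a key file, either of which can be left out) as an added example; this is not KeePass's own code. The composite step follows KeePass's documented rule for plain key files (SHA-256 over the SHA-256 of the password concatenated with the key-file key; a 32-byte file is used raw, a 64-character hex file is decoded, anything else is hashed). The XML key-file format is not handled, and PBKDF2 stands in for KeePass's AES-KDF/Argon2 stretching, both assumptions made so the block runs on the standard library alone:

```python
import hashlib
from typing import Optional


def key_file_key(data: bytes) -> bytes:
    """Reduce the raw contents of a key file to a 32-byte key factor.

    Mirrors KeePass's handling of non-XML key files: 32 bytes are used as-is,
    64 hex characters are decoded, anything else is hashed with SHA-256.
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # not hex text, fall through to hashing
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated factors; either factor may be absent, not both."""
    if password is None and key_file is None:
        raise ValueError("at least one factor (password or key file) is required")
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += key_file_key(key_file)
    return hashlib.sha256(parts).digest()


def master_key(password: Optional[str], key_file: Optional[bytes],
               salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch the composite key with the per-database salt.

    PBKDF2-HMAC-SHA256 is an assumption standing in for KeePass's AES-KDF/Argon2;
    the point is the same: the unlock cost is paid once per guess, not once per entry.
    """
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, key_file),
                               salt, iterations, dklen=32)


# Constructed sample inputs (not real secrets): a 32-byte key file and a fixed salt
# of the kind a database header would carry.
SAMPLE_KEY_FILE = bytes(range(32))
SAMPLE_SALT = b"\x00" * 16


def unlock_matrix(iterations: int = 1000) -> dict:
    """Show which factor combinations open the same database.

    Returns the derived keys so a caller can compare them: only the exact
    password + key file pair reproduces the key that encrypted the database.
    """
    return {
        "both": master_key("correct horse", SAMPLE_KEY_FILE, SAMPLE_SALT, iterations),
        "password_only": master_key("correct horse", None, SAMPLE_SALT, iterations),
        "key_file_only": master_key(None, SAMPLE_KEY_FILE, SAMPLE_SALT, iterations),
        "wrong_password": master_key("incorrect horse", SAMPLE_KEY_FILE, SAMPLE_SALT, iterations),
    }


if __name__ == "__main__":
    for name, key in unlock_matrix().items():
        print(f"{name:15s} {key.hex()[:16]}...")
```

Because the derivation is deterministic, the same password and key file yield the same key on every device, which is what makes syncing the database file workable. The key file only counts as a second factor while it lives somewhere other than the synced database; if both sit in the same cloud folder, whoever gets that folder is back to guessing the passphrase alone.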
 

Oniigumo

Limp Gawd
Joined
Sep 25, 2007
Messages
289
On the password manager side I would like to bring up one solution that is working well for me.

'KeePass' can store login information in an encrypted file. You can set up the software in a way that a token or a passphrase needs to be given before that file ever gets decrypted to memory or any login information made available.
The token can be a file, probably other things. The password can also be a key file.

This integrates with KeeFox for Firefox users, I don't know about other browsers. KeeFox can activate the software and fill login information in on web sites. This may be phishable but you don't have to do this at all. Skip KeeFox and copy/paste passwords out of KeePass if you forgot them.

Lastly, KeePass has a lot of plugins, one of them to sync the key file to a google drive. You can use this to seamlessly use the key file on multiple devices and keep them all up-to-date.

It takes a little work setting up but it seems that you can make this solution as secure as you wish, or add conveniences that also may lower security.

I'm actually a huge fan of Keepass as well. You actually don't need any extensions to have it fill in login information. You can enable global auto-type, set the bind, then set the target window on a per password basis. A bit of a hassle at first, but it's well worth the effort, and it gives me peace of mind.
 

Jovian

Limp Gawd
Joined
Jun 8, 2004
Messages
362
I use keepass with a google drive extension and then sync it between my various machines. Works well for me, but isn't as convenient as Lastpass, but I think is safer.

I also have toyed with a Teampass install at home that I access with VPN. This method allows nothing stored in cloud or facing the internet.

The thing I worry most about with LastPass is they are a service specifically designed to hold passwords that's accessible on the internet. If I was a hacker, that's the best bank vault of them all.
 

Bandalo

2[H]4U
Joined
Dec 15, 2010
Messages
2,660
I use keepass with a google drive extension and then sync it between my various machines. Works well for me, but isn't as convenient as Lastpass, but I think is safer.

I also have toyed with a Teampass install at home that I access with VPN. This method allows nothing stored in cloud or facing the internet.

The thing I worry most about with LastPass is they are a service specifically designed to hold passwords that's accessible on the internet. If I was a hacker, that's the best bank vault of them all.

Yeah, but their security is pretty damn good. Plus since each user's data is individually encrypted and decrypted only on the local end, it's not like they get everything even if they get access to the servers.
 

Deleted member 184142

Guest
I use keepass with a google drive extension and then sync it between my various machines. Works well for me, but isn't as convenient as Lastpass, but I think is safer.

I also have toyed with a Teampass install at home that I access with VPN. This method allows nothing stored in cloud or facing the internet.

The thing I worry most about with LastPass is they are a service specifically designed to hold passwords that's accessible on the internet. If I was a hacker, that's the best bank vault of them all.

Not really, considering lastpass does not store passwords, but hashes only, which are all encrypted and salted. "Hackers" on that scale are about low hanging fruit, brute forcing that kind of hash to access a single password is not one of them.
 

BigJayDogg3

[H]ard|Gawd
Joined
Jul 21, 2009
Messages
1,674
Not really, considering lastpass does not store passwords, but hashes only, which are all encrypted and salted. "Hackers" on that scale are about low hanging fruit, brute forcing that kind of hash to access a single password is not one of them.
Pretty much. The database is encrypted with your username, which is in turn encrypted with your password. I'm not really worried.

On the other hand, because Lastpass will auto-fill sites with my credentials, if Lastpass fails to fill the fields, I get a bit of a tip-off that something's not quite right.

I'd rather have 200+ long pseudo-random passwords managed with a single easy to use manager vs 5 or 6 that get recycled across several sites.
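The client-side model the last three replies are circling (the vault is encrypted on the user's machine, the service holds only ciphertext plus a separate login verifier, so a breach of its servers does not hand over plaintext) written out as an added example. It is not LastPass's code or its exact scheme: the iteration counts, the username-as-salt choice, the verifier construction and the cipher are all assumptions, and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for AES-GCM so the block needs only the standard library:

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

CLIENT_ITERATIONS = 100_000  # illustrative; production KDFs use more, or a memory-hard KDF
SERVER_ITERATIONS = 10_000   # server re-hashes the verifier so a DB dump is not a login token


def derive_keys(username: str, master_password: str,
                iterations: int = CLIENT_ITERATIONS) -> Tuple[bytes, bytes]:
    """Client side. The encryption key never leaves the device; the verifier is what
    gets sent to log in. Deriving the verifier from the key (one more PBKDF2 round,
    an assumption) makes it one-way: knowing the verifier does not yield the key."""
    pw = master_password.encode("utf-8")
    enc_key = hashlib.pbkdf2_hmac("sha256", pw, username.lower().encode("utf-8"), iterations, 32)
    verifier = hashlib.pbkdf2_hmac("sha256", enc_key, pw, 1, 32)
    return enc_key, verifier


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: a stand-in stream cipher (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(enc_key: bytes) -> Tuple[bytes, bytes]:
    """Separate confidentiality and integrity keys from the one derived key."""
    return (hmac.new(enc_key, b"enc", hashlib.sha256).digest(),
            hmac.new(enc_key, b"mac", hashlib.sha256).digest())


def encrypt_vault(enc_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    ck, mk = _subkeys(enc_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ck, nonce, len(plaintext))))
    tag = hmac.new(mk, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(enc_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key fails here."""
    ck, mk = _subkeys(enc_key)
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mk, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(ck, nonce, len(ct))))


class Server:
    """Everything the service stores per user: a salted hash of the verifier and the blob."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, bytes]] = {}

    def _hash(self, verifier: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", verifier, salt, SERVER_ITERATIONS, 32)

    def register(self, username: str, verifier: bytes, blob: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(verifier, salt), blob)

    def login(self, username: str, verifier: bytes) -> Optional[bytes]:
        """Return the user's blob on a correct verifier, None otherwise."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, stored, blob = rec
        if not hmac.compare_digest(self._hash(verifier, salt), stored):
            return None
        return blob

    def breach_dump(self) -> Dict[str, Tuple[bytes, bytes, bytes]]:
        """What an attacker with full database access gets: salts, hashes, ciphertext."""
        return dict(self._users)


if __name__ == "__main__":
    # Constructed sample account and vault contents (not real credentials).
    key, ver = derive_keys("alice@example.com", "correct horse battery staple")
    srv = Server()
    srv.register("alice@example.com", ver, encrypt_vault(key, b"forum=hunter2\nshop=tr0ub4dor"))
    print(decrypt_vault(key, srv.login("alice@example.com", ver)).decode())
    for user, (salt, h, blob) in srv.breach_dump().items():
        print(user, "verifier hash", h.hex()[:16], "ciphertext bytes", len(blob))
```

Run stand-alone, the script registers one account, logs in, decrypts locally, then prints what a server compromise would expose: a salted verifier hash and opaque ciphertext, neither of which decrypts the vault. What a breach does leave open is offline guessing of the master password against the dump, which is why the client-side iteration count (or a memory-hard KDF) and a strong master password still matter in this model.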
 

Jagger100

Supreme [H]ardness
Joined
Oct 31, 2004
Messages
7,620
I thought they had 90 days before Google would go public. Over the weekend is not 90 days even if it was similar. Nothing to do with google having a competing initiative, I'm sure.
 

nilepez

[H]F Junkie
Joined
Jan 21, 2005
Messages
11,700
I'm actually a huge fan of Keepass as well. You actually don't need any extensions to have it fill in login information. You can enable global auto-type, set the bind, then set the target window on a per password basis. A bit of a hassle at first, but it's well worth the effort, and it gives me peace of mind.
Thumbs up on keepass. What is this assigning it to a target window? Is that something I can do in the app? For me, it always goes to the window that had focus before keepass.
 

Oniigumo

Limp Gawd
Joined
Sep 25, 2007
Messages
289
Have to pick one of your entries and choose edit, then up top choose the tab auto-type, choose enable auto-type if it isn't, then click add on the right hand side. In the new window that pops up will be a box that says target window, which will list the windows you currently have open to choose from. From there on out it'll pick the correct user/password combo based on the window that was active when you press your global combo. After you have EVERYTHING set up on all your sites, you can just do what I do. Click login, click the Username box so I can type there, hit my bind (CTR+ALT+A), and it fills in the blanks. I can do some quick screenshots for you if that was a bit hard to follow.
 

ZLoth

Gawd
Joined
Apr 13, 2010
Messages
854
I use both LastPass and KeePass. KeePass is my master password file, while LastPass contains a small subset of those passwords.

The thing I like about Lastpass is that they are extremely quick to acknowledge issues and post fixes.
[Screenshots: LastPass (@LastPass) on Twitter, and the LastPass site, both captured 2017-03-27]
 

nilepez

[H]F Junkie
Joined
Jan 21, 2005
Messages
11,700
Have to pick one of your entries and choose edit, then up top choose the tab auto-type, choose enable auto-type if it isn't, then click add on the right hand side. In the new window that pops up will be a box that says target window, which will list the windows you currently have open to choose from. From there on out it'll pick the correct user/password combo based on the window that was active when you press your global combo. After you have EVERYTHING set up on all your sites, you can just do what I do. Click login, click the Username box so I can type there, hit my bind (CTR+ALT+A), and it fills in the blanks. I can do some quick screenshots for you if that was a bit hard to follow.
Thanks! I'll have to check this out. Not sure it matters that much for most of my passwords (since they mostly go to a web browser that I was just in), but I'm sure I'll find some other apps to use this feature.
 

entropism

2[H]4U
Joined
Dec 23, 2004
Messages
3,640
'KeePass' can store login information in an encrypted file. You can set up the software in a way that a token or a passphrase needs to be given before that file ever gets decrypted to memory or any login information made available.
The token can be a file, probably other things. The password can also be a key file.

My issue with Keepass (and it IS, objectively, the most secure solution) is that the Android and iPhone versions of it are downright awful, while the Lastpass apps are one of the best. I'd say Dashlane has the best mobile apps. Another issue is the whole issue of having to install the program, vs just installing an extension. Keeping it extension based allows me to use LastPass on a work computer, where I don't have rights to install any actual programs.
 

Galvin

2[H]4U
Joined
Jan 22, 2002
Messages
2,697
I tried lastpass, but some websites wouldn't work with it. The 3 dot icons would not appear in the name and password fields. So it's a no go. Need one where it doesn't need to integrate into the website so it'd be more compatible.
 

Bandalo

2[H]4U
Joined
Dec 15, 2010
Messages
2,660
I tried lastpass, but some websites wouldn't work with it. The 3 dot icons would not appear in the name and password fields. So it's a no go. Need one where it doesn't need to integrate into the website so it'd be more compatible.

For the sites like that, you can use the extension's options to manually make it "autofill".

What websites were giving you trouble?
 

steakman1971

2[H]4U
Joined
Nov 22, 2005
Messages
2,433
I used KeePass for several years - but am now using 1Password. It simply has a much nicer mobile app, Windows support, and good Mac support. Yeah, yeah, I know Macs are not popular on this board. I spend most of my day job using one so it's a must for me.
 

SvenBent

2[H]4U
Joined
Sep 13, 2008
Messages
3,181
and people called me crazy when I decided to go with opensource keepass with nothing cloud based...
 
Joined
May 5, 2016
Messages
682
Been using Keepass myself for a few years, the key file synced with Dropbox. It's not the most convenient in some ways and yes, the Android version is far from ideal, but I believe it is the most secure.
 

daglesj

Supreme [H]ardness
Joined
May 7, 2005
Messages
5,287
List of written passwords in a book. At least I have full respect for the hacker that actually physically breaks into my home to get them rather than harvesting mine and thousands of others due to shitty lazy code.
 

ppilot

Weaksauce
Joined
Feb 1, 2003
Messages
99
Passwordsafe with database file stored on two-factor protected Dropbox has worked pretty well for me over multiple platforms and devices
 

grtitan

Telemetry is Spying on ME!
Joined
Mar 18, 2011
Messages
1,266
I am torn between keepass and lastpass.

The main issue is the convenience in multi platform usage.

Since I use all 3 platforms (Linux, OSX and winblows), it became very tedious to manage all with keepass and the required keepassx, instead of only one (lastpass).
 

Stanley Pain

2[H]4U
Joined
Apr 5, 2001
Messages
2,486
I'm not really worried about "unique and highly sophisticated" attacks on LastPass, and I'm a regular user. I think the benefits far outweigh the risks.

You should be worried. A lot of attacks against LastPass are not that sophisticated and some of them allow the attacker to gain full API control (meaning they can silently download ALL your passwords completely bypassing 2FA). I've been a long time LastPass user but the last couple of weeks have led me to export all my passwords and delete my LastPass account. Searching for a good alternative now :(
 

Deleted member 184142

Guest
You should be worried. A lot of attacks against LastPass are not that sophisticated and some of them allow the attacker to gain full API control (meaning they can silently download ALL your passwords completely bypassing 2FA). I've been a long time LastPass user but the last couple of weeks have led me to export all my passwords and delete my LastPass account. Searching for a good alternative now :(

One of them only dealt with really old versions of FF and old LastPass extension for that version (new version doesn't work with it). So talking about security and at the same time running an old and unpatched FF AND LastPass is quite stupid, all of this also required you to use a malicious website. It also only exposed the single login for the site it was trying to mask as a trusted party.
 

Stanley Pain

2[H]4U
Joined
Apr 5, 2001
Messages
2,486
One of them only dealt with really old versions of FF and old LastPass extension for that version (new version doesn't work with it). So talking about security and at the same time running an old and unpatched FF AND LastPass is quite stupid, all of this also required you to use a malicious website. It also only exposed the single login for the site it was trying to mask as a trusted party.

Worked in Chrome as well.


This one was scarier:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1209


It's not just the fact that LastPass is being exploited recently that has made me drop them. It's the way they've handled some of the exploits when pressed about them. It's pretty obvious they've lost some core talent there. It's unfortunate because no one else beats them on the usability side of things.
 

Bandalo

2[H]4U
Joined
Dec 15, 2010
Messages
2,660
You should be worried. A lot of attacks against LastPass are not that sophisticated and some of them allow the attacker to gain full API control (meaning they can silently download ALL your passwords completely bypassing 2FA). I've been a long time LastPass user but the last couple of weeks have led me to export all my passwords and delete my LastPass account. Searching for a good alternative now :(

I'm not worried about attacks, I'm worried about successful attacks.

There is no completely secure answer. If a determined hacker wants your data, they're probably going to get it. LastPass makes it MUCH harder than almost any other solution. It's not perfect, but it's pretty damn good IMO.

That being said, I don't keep bank account login info anywhere but my head. If someone DID get my LastPass, they'd be able to post as me on forums and Reddit, and that's about it. Anything else that affects my finances (Amazon, Paypal, Steam) has two-factor authentication.
 

entropism

2[H]4U
Joined
Dec 23, 2004
Messages
3,640
Look into Dashlane and Enpass.io. Enpass gets some flack because they have some shady marketing schemes (like posing as customers on Reddit/forums) but the tech is spot on. That keeps a local file and syncs with services like Drive and Dropbox.

Dashlane is arguably the best, but it's expensive as fuck. $50/year is RIDICULOUS, but they offer 6 months free for every referral you make. A bunch of throwaway emails later, and I have 7 years of free service. *cough* Just saying...

I've been a paid user of Lastpass for the past year, and I've explored almost every option out there. Not sure if I'm going to move on or not, but the thought has definitely crossed my mind.

I am torn between keepass and lastpass.

The main issue is the convenience in multi platform usage.

Since I use all 3 platforms (Linux, OSX and winblows), it became very tedious to manage all with keepass and the required keepassx, instead of only one (lastpass).
 

grtitan

Telemetry is Spying on ME!
Joined
Mar 18, 2011
Messages
1,266
Look into Dashlane and Enpass.io. Enpass gets some flack because they have some shady marketing schemes (like posing as customers on Reddit/forums) but the tech is spot on. That keeps a local file and syncs with services like Drive and Dropbox.

Dashlane is arguably the best, but it's expensive as fuck. $50/year is RIDICULOUS, but they offer 6 months free for every referral you make. A bunch of throwaway emails later, and I have 7 years of free service. *cough* Just saying...

I've been a paid user of Lastpass for the past year, and I've explored almost every option out there. Not sure if I'm going to move on or not, but the thought has definitely crossed my mind.
Awesome tips, thanks.

I played a bit with Dashlane and really liked their interface, but found it hard keeping it synced among several systems without using their cloud service.

They should offer their program as stand alone purchase, because there is no way in hell that I am going to pay 50 a year just to sync passwords.

Edit: Never heard of Enpass and I don't know, something in there is fishy, everything is free... Maybe a CIA front :)
 

entropism

2[H]4U
Joined
Dec 23, 2004
Messages
3,640
Enpass isn't free for mobile, and it's an Indian based outfit. I think it's like $5-10 per app, one time purchase.

As for Dashlane, the cloud portion is awesome.

Edit: $10 for mobile platforms, I got mine for $5 a while back. Free for desktops though.
 

grtitan

Telemetry is Spying on ME!
Joined
Mar 18, 2011
Messages
1,266
Enpass isn't free for mobile, and it's an Indian based outfit. I think it's like $5-10 per app, one time purchase.

As for Dashlane, the cloud portion is awesome.

Edit: $10 for mobile platforms, I got mine for $5 a while back. Free for desktops though.
Hmm, I will check the desktop version out. I don't have much need for a password manager on my mobile device.
 

hmz

2[H]4U
Joined
Jul 26, 2005
Messages
3,115
Passwordsafe with database file stored on two-factor protected Dropbox has worked pretty well for me over multiple platforms and devices

+1.

Have been using the Passwordsafe for years. Glad I am not the only one ;-)
 

Shmee

[H]ard|Gawd
Joined
Sep 12, 2014
Messages
1,148
On the password manager side I would like to bring up one solution that is working well for me.

'KeePass' can store login information in an encrypted file. You can set up the software in a way that a token or a passphrase needs to be given before that file ever gets decrypted to memory or any login information made available.
The token can be a file, probably other things. The password can also be a key file.

This integrates with KeeFox for Firefox users, I don't know about other browsers. KeeFox can activate the software and fill login information in on web sites. This may be phishable but you don't have to do this at all. Skip KeeFox and copy/paste passwords out of KeePass if you forgot them.

Lastly, KeePass has a lot of plugins, one of them to sync the key file to a google drive. You can use this to seamlessly use the key file on multiple devices and keep them all up-to-date.

It takes a little work setting up but it seems that you can make this solution as secure as you wish, or add conveniences that also may lower security. And it's free.

I love KeePass. As a Sys Admin I use it at home and at work, and I get to choose where the file lives.
 