Topic: {Warning}: Vulnerabilities found on password manager LastPass

legendary
Activity: 3080
Merit: 1131
It depends. Is it open source software that uses a tried and true method of encryption, or does it use a proprietary algorithm?

Keep in mind that a USB is also inconvenient. If you're using a non personal computer and needed to access your accounts, you likely wouldn't be able to connect the USB to your phone to find your passwords. Most password managers have apps that you can use.

Sorry for the late response.
Actually, I use Kingston's DT Locker+ G3 Secure USB Flash Drive with Cloud Backup which gives me top-notch security with their DataVault Security password protection software where, once set, you cannot derive the data without entering the password because it encrypts all the data inside the USB and only allows you to see it if you know the password. The only catch is that you need to remember the password because if you lose it, you lose the entire data as if you try to set up a new password (and even if someone who stole your USB tries to do it), it will immediately wipe off all the data inside and open the USB with a completely new session for the sake of maintaining security of the data in USB.
This might be an old response, but I would like to thank you for sharing this. I didn't expect that Kingston has this kind of USB drive with that kind of feature.
Unluckily, I haven't been able to find this USB on my local marketplace. This is what I'm looking for in regards to extra security, as I love that auto-wipe feature for when someone tries to brute-force it.
sr. member
Activity: 2254
Merit: 258
After finding this, I asked my friend if he is OK with his LastPass account and he told me that everything works fine. He is using two antivirus programs to make sure that nothing gets into his computer. LastPass has a huge subscriber base; I don't think they will neglect or become irresponsible in securing their clients' security. I hope everything is OK now, but this update is good. I'm sure those LastPass holders will read about this issue with LastPass.
legendary
Activity: 3052
Merit: 1273
It depends. Is it open source software that uses a tried and true method of encryption, or does it use a proprietary algorithm?

Keep in mind that a USB is also inconvenient. If you're using a non personal computer and needed to access your accounts, you likely wouldn't be able to connect the USB to your phone to find your passwords. Most password managers have apps that you can use.

Sorry for the late response.
Actually, I use Kingston's DT Locker+ G3 Secure USB Flash Drive with Cloud Backup which gives me top-notch security with their DataVault Security password protection software where, once set, you cannot derive the data without entering the password because it encrypts all the data inside the USB and only allows you to see it if you know the password. The only catch is that you need to remember the password because if you lose it, you lose the entire data as if you try to set up a new password (and even if someone who stole your USB tries to do it), it will immediately wipe off all the data inside and open the USB with a completely new session for the sake of maintaining security of the data in USB.
hero member
Activity: 1666
Merit: 753
Quote
Don't use online password generators/holders, it's like the same argument of centralization vs decentralization again, where Lastpass is an application that has all of your information, and could randomly go bust one day and start hacking into their customer's accounts (because we all know they can do that). Using another system that is offline, or even going super old school and generating your old password and writing it down on a piece of paper gives you control over everything and is the safest, and is the bet I'd recommend most people to go with.

To be honest, just make your own passwords by mashing the keyboard (eg 087asf*)&G), and then write it down on a piece of paper, that's 100 percent the safer bet.

I wouldn't say mashing the keyboard and then writing it down is necessarily the best way, given the fact that it's prone to physical theft and flood/fire damage. At that point, if that does happen, then you'd have no chance of recourse. Leaving yourself exposed to having no backups for the sake of "security" simply isn't worth it.

It depends on the situation. I wouldn't discount these password managers completely if you are just using them for relatively benign tasks without much at stake, like gaming or stuff like that.

If it's sensitive financial information, then you'd probably have to reconsider for sure.
legendary
Activity: 2212
Merit: 5622
Non-custodial BTC Wallet
If it is of a specific brand that enables encryption of data by requiring a password before any of the data on that USB can be used, and the password is an extremely complex one, will it still be possible for someone who gets my USB to crack that password and/or encryption and take away all the data on that USB?

It depends. Is it open source software that uses a tried and true method of encryption, or does it use a proprietary algorithm?

Keep in mind that a USB is also inconvenient. If you're using a non personal computer and needed to access your accounts, you likely wouldn't be able to connect the USB to your phone to find your passwords. Most password managers have apps that you can use.

For me, being able to sync my passwords between my phone and computer is very important. Additionally, if you manage your passwords in Notepad or on a USB or whatever, you are not going to be able to generate new passwords for every website.

The main problem of repeating passwords through websites is that if one website is hacked and passwords leaked, your other accounts may also be compromised.

This is why password managers are good, because they can generate good and unique passwords with a single click.

For years I have used Firefox password manager, but it lacks this feature. Therefore, I am now moving to Bitwarden (the best option for me, because I need my passwords on the cloud).

I read somewhere something very interesting: the only password that you should know is the password of your password manager. All others should be automatically generated, to prevent losing more than one account if a service is hacked.
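A worked example of the generate-a-unique-password-per-site approach described in the post above, added here as an illustration; it is not code from the original thread, nor from Bitwarden, Firefox or LastPass. It draws each character from the OS CSPRNG via crypto/rand (rejection sampling, so no modulo bias), computes the search space an attacker faces, and scans a constructed toy vault for passwords shared across sites, which is exactly the reuse case the post warns about. The alphabet, the 20-character length and the sample vault entries are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"sort"
)

// Character classes for generated passwords (assumed set for this example).
// Readability is irrelevant because the manager fills the field, not a human.
const (
	lower    = "abcdefghijklmnopqrstuvwxyz"
	upper    = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits   = "0123456789"
	symbols  = "!@#$%^&*()-_=+[]{};:,.<>?"
	alphabet = lower + upper + digits + symbols // 87 symbols
)

// GeneratePassword draws each character uniformly from alphabet using the OS
// CSPRNG. rand.Int rejects out-of-range draws, so every symbol is equally likely.
func GeneratePassword(length int) (string, error) {
	if length < 1 {
		return "", fmt.Errorf("length must be positive, got %d", length)
	}
	n := big.NewInt(int64(len(alphabet)))
	buf := make([]byte, length)
	for i := range buf {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		buf[i] = alphabet[idx.Int64()]
	}
	return string(buf), nil
}

// EntropyBits is log2 of the search space for a password of the given length
// drawn uniformly from alphabet: length * log2(|alphabet|). A keyboard-mashed
// string of the same length has at most this much entropy, usually far less.
func EntropyBits(length int) float64 {
	return float64(length) * math.Log2(float64(len(alphabet)))
}

// FindReused returns, sorted, every site whose password is shared with another
// site in the vault, i.e. the accounts one breach would take down together.
func FindReused(vault map[string]string) []string {
	bySecret := map[string][]string{}
	for site, pw := range vault {
		bySecret[pw] = append(bySecret[pw], site)
	}
	var reused []string
	for _, sites := range bySecret {
		if len(sites) > 1 {
			reused = append(reused, sites...)
		}
	}
	sort.Strings(reused)
	return reused
}

func main() {
	// Constructed toy vault: one password reused across two sites.
	vault := map[string]string{
		"bitcointalk.org": "hunter2",
		"example.com":     "hunter2",
		"mail.example":    "Qv7!pL2mX9sK4wN1",
	}
	fmt.Println("reused on:", FindReused(vault))
	for _, site := range FindReused(vault) {
		pw, err := GeneratePassword(20)
		if err != nil {
			panic(err)
		}
		vault[site] = pw // rotate each reused entry to a fresh random password
	}
	fmt.Println("after rotation reused on:", FindReused(vault))
	fmt.Printf("a 20-char password from %d symbols gives about %.0f bits\n",
		len(alphabet), EntropyBits(20))
}
```

The only secret the user still has to remember is the vault passphrase; everything FindReused flags gets replaced by output of GeneratePassword, and a breach at one site no longer reveals anything usable elsewhere.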
hero member
Activity: 952
Merit: 513
Why not simply use the in-built password manager in any browser like Chrome or Firefox? Do we really need a password managing software here? I generally save all my passwords in Chrome's password manager, not just to save time like gentlemand, but because most of my saved passwords are from websites where 2FA is required and I don't need the hassle of remembering the password every single time I log in there.
Because Chrome and Firefox password savers are the same as giving out your information to LastPass, they still have access to your information, and LastPass works better than Chrome and has a lot more features than them.

Well then, that remains the case with all types of password managers even if they provide better features, because if they don't know your password, how will they engage with the website and pass your password ahead from their database?

http://techgenix.com/are-password-managers-security/

An article I read said that in 2018 two of the most popular password managers, OneLogin and LastPass (which OP alerted about), were hacked and sensitive customer data got leaked. I know that browsers are more vulnerable to attacks in comparison to these managers, but now I'd rather save my username and passwords in either Notepad or a table/sheet in Microsoft Word/Excel and keep the document on a USB rather than on a PC which remains connected to the internet.
Yep. My point exactly. Most password managers I know, like OneLogin, LastPass, Google password manager and Firefox password manager, are all ticking time bombs, and for each of these services the company behind it has full access to your passwords and what sites you want to use the passwords on, and could probably also bypass 2FA (LastPass has a 2FA generator, but I'm assuming it goes through their services and they could avoid that if they wanted to as well).

Saving your passwords in a digital form is probably worse than using any of those password managers. The chance of your PC getting hacked via a RAT or something is way higher than a million-dollar company getting hacked, and it's a ticking time bomb and a roadmap to your identity if your PC ever gets hacked.

Use an offline password manager, or write down your passwords on a piece of paper and stick it behind your desk, out of sight. Keeping things offline is way better than using notepad or a password manager.
staff
Activity: 3402
Merit: 6065
How about using Trezor's password manager? Is it any good? Anyone using it here? I'm thinking of buying another device to use it as a password manager as well as to keep a small amount of Bitcoin for spending.

In terms of security, Trezor might be better than KeePass but I find TPM to be inconvenient because:

1. The software is only available for Chrome/chromium-based browsers.
2. You can't use it offline, and you need a Google Drive/Dropbox account.

It should be possible to create your offline password manager (to communicate with your Trezor) though, as the format for password storage is available, but that's clearly not something the average user would be able to do.
legendary
Activity: 2590
Merit: 3008
Welt Am Draht
How about using Trezor's password manager? Is it any good? Anyone using it here? I'm thinking of buying another device to use it as a password manager as well as to keep a small amount of Bitcoin for spending.

Weird how rarely it's mentioned.

In some ways it would be more convenient, others less. I don't fancy having to haul it around every time I wanted to access something but at least it would be more secure than downloading some program to every computer I wanted to access sites through.
legendary
Activity: 1288
Merit: 1011
How about using Trezor's password manager? Is it any good? Anyone using it here? I'm thinking of buying another device to use it as a password manager as well as to keep a small amount of Bitcoin for spending.
legendary
Activity: 2632
Merit: 1212
Livecasino, 20% cashback, no fuss payouts.
Well, I personally think most open source projects are fine to use. People find bugs and vulnerabilities in coding all the time. That's good. And when they're open source they get fixed very quickly and that's also good.

I do worry when things like these happen though and someone manages to get my data in the few hours the vulnerabilities aren't fixed.
legendary
Activity: 2758
Merit: 3282
I'd rather save my username and passwords in either Notepad or a table/sheet in Microsoft Word/Excel and keep the document on a USB rather than on a PC which remains connected to the internet.

That's even worse, as there's no encryption. If someone finds your USB, say goodbye to all of your logins. You're also most likely plugging the USB into an internet-connected computer when you need to log in. The LastPass vulnerability was most likely never used before it was patched, and it still required a very specific situation.

If it is of a specific brand that enables encryption of data by requiring a password before any of the data on that USB can be used, and the password is an extremely complex one, will it still be possible for someone who gets my USB to crack that password and/or encryption and take away all the data on that USB?

It depends. Is it open source software that uses a tried and true method of encryption, or does it use a proprietary algorithm?

Keep in mind that a USB is also inconvenient. If you're using a non personal computer and needed to access your accounts, you likely wouldn't be able to connect the USB to your phone to find your passwords. Most password managers have apps that you can use.
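The difference between a plaintext Notepad file on a USB stick and what a password manager actually writes to disk, as an added example that is not part of the original thread and not the code of any product named in it. It seals a constructed vault under a key derived from a passphrase (PBKDF2-HMAC-SHA256, written out with the standard library, then AES-256-GCM) and shows that opening it with the wrong passphrase, or after a one-byte change, fails the authentication check instead of yielding garbage. The file layout (salt, nonce, ciphertext plus tag), the iteration count and the sample entries are assumptions of the example; real code should use a vetted KDF such as scrypt or Argon2id rather than a hand-rolled PBKDF2.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen   = 16      // per-vault random salt, stored in the clear
	nonceLen  = 12      // standard AES-GCM nonce size
	keyLen    = 32      // AES-256
	kdfRounds = 600_000 // assumed iteration count; each guess of the passphrase costs this much work
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), spelled out so the example
// needs only the standard library. Production code should use a vetted KDF package.
func pbkdf2SHA256(pass, salt []byte, iter, keyLen int) []byte {
	mac := hmac.New(sha256.New, pass)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Reset() // U1 = PRF(pass, salt || INT(block))
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // U_i = PRF(pass, U_{i-1}); T = U1 xor ... xor U_iter
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newAEAD derives the vault key from passphrase and salt and wraps it in AES-256-GCM.
func newAEAD(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, kdfRounds, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault encrypts plaintext under passphrase. Assumed layout: salt || nonce ||
// ciphertext+tag. The header is passed as additional data so it is authenticated too.
func SealVault(passphrase string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil { // fresh salt and nonce per seal
		return nil, err
	}
	aead, err := newAEAD(passphrase, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(hdr)+len(plaintext)+aead.Overhead())
	out = append(out, hdr...)
	return aead.Seal(out, hdr[saltLen:], plaintext, hdr), nil
}

// OpenVault reverses SealVault. A wrong passphrase or any change to the blob makes
// the GCM tag check fail, so the caller never receives corrupted plaintext.
func OpenVault(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16 = GCM tag length
		return nil, errors.New("vault blob too short")
	}
	hdr := blob[:saltLen+nonceLen]
	aead, err := newAEAD(passphrase, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, hdr[saltLen:], blob[len(hdr):], hdr)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered vault")
	}
	return pt, nil
}

func main() {
	// Constructed sample entries, the sort of thing people keep in a text file.
	vault := []byte("bitcointalk.org,alice,Xk9vQ2pL#mR8wN4zT\nexample.com,alice,f3Gh!7sDq2Lp9Wm\n")
	blob, err := SealVault("correct horse battery staple", vault)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(vault), len(blob))
	if _, err := OpenVault("wrong passphrase", blob); err != nil {
		fmt.Println("wrong passphrase:", err)
	}
	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or edited stick
	if _, err := OpenVault("correct horse battery staple", blob); err != nil {
		fmt.Println("tampered blob:", err)
	}
}
```

Whoever picks up the stick gets the salt and nonce in the clear and nothing else; the only attack left is guessing the passphrase, and each guess costs a full KDF run. That is the property a Notepad or Excel file cannot give you, whatever USB it lives on.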
legendary
Activity: 3052
Merit: 1273
I'd rather save my username and passwords in either Notepad or a table/sheet in Microsoft Word/Excel and keep the document on a USB rather than on a PC which remains connected to the internet.

That's even worse, as there's no encryption. If someone finds your USB, say goodbye to all of your logins. You're also most likely plugging the USB into an internet-connected computer when you need to log in. The LastPass vulnerability was most likely never used before it was patched, and it still required a very specific situation.

If it is of a specific brand that enables encryption of data by requiring a password before any of the data on that USB can be used, and the password is an extremely complex one, will it still be possible for someone who gets my USB to crack that password and/or encryption and take away all the data on that USB?
legendary
Activity: 2758
Merit: 3282
I'd rather save my username and passwords in either Notepad or a table/sheet in Microsoft Word/Excel and keep the document on a USB rather than on a PC which remains connected to the internet.

That's even worse, as there's no encryption. If someone finds your USB, say goodbye to all of your logins. You're also most likely plugging the USB into an internet-connected computer when you need to log in. The LastPass vulnerability was most likely never used before it was patched, and it still required a very specific situation.

Is it unfashionable to say I don't trust any password manager?

There are only a handful of services where I need proper security and in that case they all have proper passwords that I've memorised. I couldn't care less about all the other ones.

Even one which is Free and Open Source?

Keepass is a good one that was already mentioned. I personally use Bitwarden, and I haven't had any complaints there.
legendary
Activity: 3052
Merit: 1273
Why not simply use the in-built password manager in any browser like Chrome or Firefox? Do we really need a password managing software here? I generally save all my passwords in Chrome's password manager, not just to save time like gentlemand, but because most of my saved passwords are from websites where 2FA is required and I don't need the hassle of remembering the password every single time I log in there.
Because Chrome and Firefox password savers are the same as giving out your information to LastPass, they still have access to your information, and LastPass works better than Chrome and has a lot more features than them.

Well then, that remains the case with all types of password managers even if they provide better features, because if they don't know your password, how will they engage with the website and pass your password ahead from their database?

http://techgenix.com/are-password-managers-security/

An article I read said that in 2018 two of the most popular password managers, OneLogin and LastPass (which OP alerted about), were hacked and sensitive customer data got leaked. I know that browsers are more vulnerable to attacks in comparison to these managers, but now I'd rather save my username and passwords in either Notepad or a table/sheet in Microsoft Word/Excel and keep the document on a USB rather than on a PC which remains connected to the internet.
legendary
Activity: 2520
Merit: 2015
Join the world-leading crypto sportsbook NOW!
LastPass was already hacked at least twice. I don't know why they still have so much support from big companies and why so many people still use it.
https://www.cnet.com/forums/discussions/last-pass-hacked-again/

It is even bad for password managers in general. The most used one is hacked all the time, so it is natural that users think "I will just not use any password manager; at least I will not be hacked and lose all my passwords at once."

It's a pretty good product for non-technical people that don't need to worry about protecting private keys but want to have strong unique passwords for each site, across multiple devices, without much hassle.


And they really don't get hacked all the time.  They have a decent bug bounty program and report whenever a vulnerability is brought to their attention (after it's patched).  To my knowledge, none of the vulnerabilities have ever been exploited. (edit: I guess someone got hold of a bunch of salted hashes back in 2015, so that's a hack)

Quote
To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed.

Of course, if you're using a device to move more than a little bit of any cryptocurrency it would be silly to trust a web based password manager.
hero member
Activity: 952
Merit: 513
Don't use online password generators/holders, it's like the same argument of centralization vs decentralization again, where Lastpass is an application that has all of your information, and could randomly go bust one day and start hacking into their customer's accounts (because we all know they can do that). Using another system that is offline, or even going super old school and generating your old password and writing it down on a piece of paper gives you control over everything and is the safest, and is the bet I'd recommend most people to go with.

To be honest, just make your own passwords by mashing the keyboard (eg 087asf*)&G), and then write it down on a piece of paper, that's 100 percent the safer bet.

LastPass was already hacked at least twice. I don't know why they still have so much support from big companies and why so many people still use it.
https://www.cnet.com/forums/discussions/last-pass-hacked-again/

It is even bad for password managers in general. The most used one is hacked all the time, so it is natural that users think "I will just not use any password manager; at least I will not be hacked and lose all my passwords at once."
Because people don't like change and are sometimes oblivious to the news, I doubt that over half of the people that use LastPass knew that they got hacked, and the people that did know probably couldn't be bothered to move all their passwords.

Why not simply use the in-built password manager in any browser like Chrome or Firefox? Do we really need a password managing software here? I generally save all my passwords in Chrome's password manager, not just to save time like gentlemand, but because most of my saved passwords are from websites where 2FA is required and I don't need the hassle of remembering the password every single time I log in there.
Because Chrome and Firefox password savers are the same as giving out your information to LastPass, they still have access to your information, and LastPass works better than Chrome and has a lot more features than them.
legendary
Activity: 3052
Merit: 1273
Why not simply use the in-built password manager in any browser like Chrome or Firefox? Do we really need a password managing software here? I generally save all my passwords in Chrome's password manager, not just to save time like gentlemand, but because most of my saved passwords are from websites where 2FA is required and I don't need the hassle of remembering the password every single time I log in there.

My strongest advice here to newbies:
You should never, hear me with fully open ears, never ever go for passwords provided by these password managers, because there you are prone to losing almost everything, since if they know what you have used (if they don't keep them saved encrypted on their side, they can easily know that). I would never prefer any such services where such suggestions are given, but would rather stick to my old techniques.
hero member
Activity: 1806
Merit: 671
Is it unfashionable to say I don't trust any password manager?

There are only a handful of services where I need proper security and in that case they all have proper passwords that I've memorised. I couldn't care less about all the other ones.

To be honest, you really don't need to store all your passwords in software. I would understand it if you have a spare offline desktop/laptop where you can store an offline password manager, but keeping an online one, especially those browser extension password managers, is like keeping a list of your accounts in Google Keep; it's really not that safe. I would rather write my passwords in a notebook and hide it somewhere good, like in our mini library where I store my past high school and college notes.
legendary
Activity: 2590
Merit: 3008
Welt Am Draht
So you just repeat your passwords in most websites? This doesn’t seem like the best solution.

Just don’t use any web cloud hosted password manager. Keepass - as suggested above - is pretty good (open source, offline, old enough, etc). If anything, memorize your handful of services and use the password manager for those you don’t care. You don’t care anyways, but at least maintain some security.

Yup. There's no information of note on any of the said sites so I couldn't care less what happens to them.

One of the increasingly prevalent things that's pissing me off is the inability to access services from whatever machinery I'm using. I want to be able to log in from anywhere using anything, not have to download a program or receive a confirmation email to an address I can't get into without another confirmation email from elsewhere.

That'll do for the important stuff, not the junk.
legendary
Activity: 2212
Merit: 5622
Non-custodial BTC Wallet
LastPass was already hacked at least twice. I don't know why they still have so much support from big companies and why so many people still use it.
https://www.cnet.com/forums/discussions/last-pass-hacked-again/

It is even bad for password managers in general. The most used one is hacked all the time, so it is natural that users think "I will just not use any password manager; at least I will not be hacked and lose all my passwords at once."