Kitz Forum

Computer Software => Security => Topic started by: ejs on March 22, 2017, 10:12:58 AM

Title: Vulnerabilities in LastPass Chrome and Firefox add-ons
Post by: ejs on March 22, 2017, 10:12:58 AM
http://www.theregister.co.uk/2017/03/21/lastpass_vulnerabilities/

Quote
Password vault LastPass is scrambling to patch critical security flaws that malicious websites can exploit to steal millions of victims' passphrases.

Sounds unbelievably bad.

I've never used LastPass.
Title: Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
Post by: Chrysalis on March 22, 2017, 11:14:42 AM
I don't use password browser addons. Both browsers also have built-in password databases.
Title: Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
Post by: sevenlayermuddle on March 22, 2017, 07:04:22 PM
Personally, I do not willingly use password managers in any form.

Like all software, they will almost certainly one day be compromised; it is just a matter of time. And the consequences are such a headache that I just would never use one.
Title: Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
Post by: jelv on March 22, 2017, 07:25:28 PM
I have around 100 passwords stored in KeePass.

People who don't use password managers must have incredibly good memories, or use the same password for a lot of different sites (which is a worse idea than using a password manager), or have very simple lives where they don't use that many different sites on the internet.
Title: Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
Post by: ejs on March 22, 2017, 07:47:37 PM
Or they have their own solution that works for them, which could be using their browser's built-in password storage, and/or saving the passwords to a file. Quite a lot of the passwords I wouldn't consider to be particularly important anyway.
Title: Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
Post by: sevenlayermuddle on March 22, 2017, 08:03:07 PM
One tactic of my own is to refuse, as far as possible, to use websites that require setting up of an account, with another password to remember.

For example, I pay my utility bills via 'pay by phone'; it is cumbersome, but avoids yet another password. A couple of weeks ago I bought a railcard, and did so face to face at a station ticket booth, even though it would have been less bother (and cheaper) to just set up an online account - as that would have meant another password.

Where passwords cannot be avoided then actually I believe simpler and more easily remembered passwords, even with carefully considered duplication, are often (not always) more secure than long and complex ones, since the long and complex ones tend to need writing down - either on paper or in a password manager.
Title: Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
Post by: jelv on March 22, 2017, 08:36:33 PM
Quote
Or they have their own solution that works for them, which could be using their browser's built-in password storage, and/or saving the passwords to a file. Quite a lot of the passwords I wouldn't consider to be particularly important anyway.

Both of which would be way, way, way less secure than using a password manager where the whole file is encrypted!
Title: Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
Post by: Chrysalis on March 22, 2017, 08:39:07 PM
KeePass is in a different league to browser based password managers. The level of possible risk is completely on another level.

I trust browser built-in password managers more than addons as the likes of Google are going to be able to embed it in the browser much more efficiently than 3rd party developers and also likely have better developers. Same with Mozilla. With that said, for certain sites I don't even use the browser inclusive manager; I tell it to not remember on sites like banks and PayPal, and for those I just use KeePass.
Title: Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
Post by: jelv on March 22, 2017, 08:42:09 PM
@sevenlayermuddle

I can sympathise with the avoidance tactic!
Title: Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
Post by: ejs on March 22, 2017, 09:04:56 PM
Quote
Both of which would be way, way, way less secure than using a password manager where the whole file is encrypted!

That's true, but it depends on what you want it to be secure against.

Firefox does have the facility to set a master password for its stored passwords.
Title: Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
Post by: sevenlayermuddle on March 22, 2017, 09:28:23 PM
An interesting experiment is to boot from a Linux CD or USB drive, and then run 'strings' on the PC's raw hard drive, grepping the output for a recently used password. On a big disk it can take hours if not days but as often in my experience it'll show up, in plain text. Maybe from a browser or mail client's database, or maybe from a fragment of RAM that's been written to a swap partition.

Whole disk encryption helps of course but even then, I believe, you are putting your confidence in an encryption system which, like pretty much all encryption systems that have gone before it, will most probably one day be compromised.
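
Added example, not part of the original post: a self-audit version of the strings-and-grep experiment described above, which reads a disk image or raw device in chunks and reports every offset where a known password appears. It goes beyond the post by also matching the UTF-16LE form (common in Windows application data) and by catching matches that straddle a chunk boundary; the function names and the sample password are constructed for illustration.

```python
import os
import tempfile


def find_secret(path, secret, chunk_size=1 << 20):
    """Return sorted (offset, encoding) pairs where `secret` occurs in `path`."""
    if not secret:
        raise ValueError("secret must be non-empty")
    patterns = {"ascii/utf-8": secret.encode("utf-8"),
                "utf-16le": secret.encode("utf-16-le")}
    # Carry the last (longest pattern - 1) bytes into the next read so a
    # match split across two chunks is still seen.
    overlap = max(len(p) for p in patterns.values()) - 1
    hits = set()  # a set, because the carried tail can be matched twice
    with open(path, "rb") as fh:
        tail, base = b"", 0  # base = file offset of buf[0]
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            buf = tail + block
            for name, pat in patterns.items():
                pos = buf.find(pat)
                while pos != -1:
                    hits.add((base + pos, name))
                    pos = buf.find(pat, pos + 1)
            tail = buf[-overlap:]
            base += len(buf) - len(tail)
    return sorted(hits)


def build_sample_image(secret, chunk_size):
    """Constructed test image: zero filler with the secret in two encodings."""
    s8, s16 = secret.encode("utf-8"), secret.encode("utf-16-le")
    img = bytearray(3 * chunk_size)
    a, u = chunk_size - 3, 2 * chunk_size + 100  # a straddles a chunk boundary
    img[a:a + len(s8)] = s8
    img[u:u + len(s16)] = s16
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(img)
    return path, a, u


if __name__ == "__main__":
    path, a, u = build_sample_image("Tr0ub4dor&3-constructed", 4096)
    print(find_secret(path, "Tr0ub4dor&3-constructed", 4096))
    os.remove(path)
```

When auditing a real disk, read the password with `getpass.getpass()` rather than passing it as a command-line argument, so the check itself does not write the password into shell history or the process list.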
Title: Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
Post by: NEXUS2345 on March 22, 2017, 09:44:01 PM
It is worth noting that if you are logged into your Google account in Chrome, any stored passwords are encrypted using your Google account password.
Title: Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
Post by: jelv on March 23, 2017, 02:24:30 PM
https://www.thurrott.com/cloud/107565/lastpass-quickly-fixes-new-vulnerabilities

[Moderator edited to adjust the URL.]