Author Topic: Vulnerabilities in LastPass Chrome and Firefox add-ons  (Read 765 times)

ejs

  • Kitizen
  • ****
  • Posts: 1315
Vulnerabilities in LastPass Chrome and Firefox add-ons
« on: March 22, 2017, 10:12:58 AM »

http://www.theregister.co.uk/2017/03/21/lastpass_vulnerabilities/

Quote
Password vault LastPass is scrambling to patch critical security flaws that malicious websites can exploit to steal millions of victims' passphrases.

Sounds unbelievably bad.

I've never used LastPass.

Chrysalis

  • Content Team
  • Kitizen
  • *
  • Posts: 4781
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #1 on: March 22, 2017, 11:14:42 AM »

I don't use password browser addons. Both browsers also have built-in password databases.
Sky Fiber Pro - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3209
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #2 on: March 22, 2017, 07:04:22 PM »

Personally, I do not willingly use password managers in any form.

Like all software, they will almost certainly one day be compromised, it is just a matter of time. And the consequences are such a headache that I just would never use one.

jelv

  • Helpful
  • Reg Member
  • *
  • Posts: 564
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #3 on: March 22, 2017, 07:25:28 PM »

I have around 100 passwords stored in KeePass.

People who don't use password managers must have incredibly good memories, or use the same password for a lot of different sites (which is a worse idea than using a password manager), or have very simple lives where they don't use that many different sites on the internet.
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. Rick Cook, The Wizardry Compiled

ejs

  • Kitizen
  • ****
  • Posts: 1315
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #4 on: March 22, 2017, 07:47:37 PM »

Or they have their own solution that works for them, which could be using their browser's built-in password storage, and/or saving the passwords to a file. Quite a lot of the passwords I wouldn't consider to be particularly important anyway.

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3209
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #5 on: March 22, 2017, 08:03:07 PM »

One tactic of my own is to refuse, as far as possible, to use websites that require setting up of an account, with another password to remember.

For example, I pay my utility bills via 'pay by phone', it is cumbersome, but avoids yet another password. Couple of weeks ago I bought a railcard, and did so face to face at a station ticket booth, even though it would have been less bother (and cheaper) to just set up an online account - as that would have meant another password.

Where passwords cannot be avoided then actually I believe simpler and more easily remembered passwords, even with carefully considered duplication, are often (not always) more secure than long and complex ones, since the long and complex ones tend to need writing down - either on paper or in a password manager.

jelv

  • Helpful
  • Reg Member
  • *
  • Posts: 564
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #6 on: March 22, 2017, 08:36:33 PM »

Quote
Or they have their own solution that works for them, which could be using their browser's built-in password storage, and/or saving the passwords to a file. Quite a lot of the passwords I wouldn't consider to be particularly important anyway.

Both of which would be way, way, way less secure than using a password manager where the whole file is encrypted!

Chrysalis

  • Content Team
  • Kitizen
  • *
  • Posts: 4781
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #7 on: March 22, 2017, 08:39:07 PM »

KeePass is in a different league to browser based password managers. The level of possible risk is completely on another level.

I trust browser built-in password managers more than addons as the likes of Google are going to be able to embed it in the browser much more efficiently than 3rd party developers and also likely have better developers. Same with Mozilla. With that said, for certain sites I don't even use the browser inclusive manager, I tell it to not remember on sites like banks and PayPal, for those I just use KeePass.
« Last Edit: March 22, 2017, 08:42:00 PM by Chrysalis »

jelv

  • Helpful
  • Reg Member
  • *
  • Posts: 564
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #8 on: March 22, 2017, 08:42:09 PM »

@sevenlayermuddle

I can sympathise with the avoidance tactic!

ejs

  • Kitizen
  • ****
  • Posts: 1315
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #9 on: March 22, 2017, 09:04:56 PM »

Quote
Both of which would be way, way, way less secure than using a password manager where the whole file is encrypted!

That's true, but it depends on what you want it to be secure against.

Firefox does have the facility to set a master password for its stored passwords.

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3209
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #10 on: March 22, 2017, 09:28:23 PM »

An interesting experiment is to boot from a Linux CD or USB drive, and then run 'strings' on the PC's raw hard drive, grepping the output for a recently used password. On a big disk it can take hours if not days but as often in my experience it'll show up, in plain text. Maybe from a browser or mail client's database, or maybe from a fragment of RAM that's been written to a swap partition.

Whole disk encryption helps of course, but even then, I believe, you are putting your confidence in an encryption system which, like pretty much all encryption systems that have gone before it, will most probably one day be compromised.
Logged
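
The self-audit described in Reply #10, as an added example that is not part of the original post: a streaming scan of a raw disk or image for your own password, checking UTF-16LE as well as UTF-8 (plain `strings` looks only for 7-bit text by default) and catching matches that straddle read boundaries. The function names, the sample image and the command-line usage are assumptions made for illustration.

```python
import getpass
import io
import sys


def find_secret(stream, secret, chunk_size=1 << 20):
    """Return sorted (byte_offset, encoding) pairs where `secret` occurs."""
    if not secret:
        raise ValueError("empty secret")
    needles = {"utf-8": secret.encode("utf-8"),
               "utf-16le": secret.encode("utf-16-le")}
    # Carry this many bytes between reads so a match split across two
    # chunks is still seen whole in the next buffer.
    keep = max(len(n) for n in needles.values()) - 1
    hits, tail, base = set(), b"", 0   # base = absolute offset of buf[0]
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        buf = tail + block
        for name, needle in needles.items():
            pos = buf.find(needle)
            while pos != -1:
                hits.add((base + pos, name))   # set() drops re-found matches
                pos = buf.find(needle, pos + 1)
        tail = buf[-keep:]
        base += len(buf) - len(tail)
    return sorted(hits)


def scan_bytes(data, secret, chunk_size=1 << 20):
    """Convenience wrapper for in-memory data (used with the sample below)."""
    return find_secret(io.BytesIO(data), secret, chunk_size)


def constructed_image(secret):
    """Constructed sample 'disk': secret at offset 10 (UTF-8) and 32 (UTF-16LE)."""
    return (b"\x00" * 10 + secret.encode("utf-8") + b"\xff" * 7
            + secret.encode("utf-16-le") + b"\x00" * 5)


if __name__ == "__main__":
    # Assumed usage: run as root from the live system, passing the raw device
    # or an image file as the only argument.
    secret = getpass.getpass("Password to search for (not echoed): ")
    with open(sys.argv[1], "rb", buffering=0) as dev:
        for offset, enc in find_secret(dev, secret):
            print(f"{offset:#x}\t{enc}")   # offsets only, never the password
```

The password is read with `getpass` rather than passed as an argument, so it does not end up in shell history or the process list while the scan runs.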

NEXUS2345

  • Reg Member
  • ***
  • Posts: 226
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #11 on: March 22, 2017, 09:44:01 PM »

It is worth noting that if you are logged into your Google account in Chrome, any stored passwords are encrypted using your Google account password.
Zen ADSL2+ | HG612 + TP-Link C2600 | Awaiting FTTC (build in progress)

jelv

  • Helpful
  • Reg Member
  • *
  • Posts: 564
« Last Edit: March 23, 2017, 04:18:09 PM by burakkucat »