Kitz ADSL Broadband Information
Author Topic: Vulnerabilities in LastPass Chrome and Firefox add-ons  (Read 5230 times)

ejs

  • Kitizen
  • ****
  • Posts: 2078
Vulnerabilities in LastPass Chrome and Firefox add-ons
« on: March 22, 2017, 10:12:58 AM »

http://www.theregister.co.uk/2017/03/21/lastpass_vulnerabilities/

Quote
Password vault LastPass is scrambling to patch critical security flaws that malicious websites can exploit to steal millions of victims' passphrases.

Sounds unbelievably bad.

I've never used LastPass.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #1 on: March 22, 2017, 11:14:42 AM »

I don't use password browser addons. Both browsers also have built in password databases.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #2 on: March 22, 2017, 07:04:22 PM »

Personally, I do not willingly use password managers in any form.

Like all software, they will almost certainly one day be compromised; it is just a matter of time. And the consequences are such a headache that I just would never use one.
Logged

jelv

  • Helpful
  • Kitizen
  • *
  • Posts: 2054
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #3 on: March 22, 2017, 07:25:28 PM »

I have around 100 passwords stored in KeePass.

People who don't use password managers must have incredibly good memories, or use the same password for a lot of different sites (which is a worse idea than using a password manager), or have very simple lives where they don't use that many different sites on the internet.
Logged
Broadband and Line rental: Zen Unlimited Fibre 2, Mobile: Vodaphone
Router: Fritz!Box 7530

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #4 on: March 22, 2017, 07:47:37 PM »

Or they have their own solution that works for them, which could be using their browser's built-in password storage, and/or saving the passwords to a file. Quite a lot of the passwords I wouldn't consider to be particularly important anyway.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #5 on: March 22, 2017, 08:03:07 PM »

One tactic of my own is to refuse, as far as possible, to use websites that require setting up of an account, with another password to remember.

For example, I pay my utility bills via 'pay by phone', it is cumbersome, but avoids yet another password. Couple of weeks ago I bought a railcard, and did so face to face at a station ticket booth, even though it would have been less bother (and cheaper) to just set up an online account - as that would have meant another password.

Where passwords cannot be avoided then actually I believe simpler and more easily remembered passwords, even with carefully considered duplication, are often (not always) more secure than long and complex ones, since the long and complex ones tend to need writing down - either on paper or in a password manager.
Logged

jelv

  • Helpful
  • Kitizen
  • *
  • Posts: 2054
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #6 on: March 22, 2017, 08:36:33 PM »

Quote
Or they have their own solution that works for them, which could be using their browser's built-in password storage, and/or saving the passwords to a file. Quite a lot of the passwords I wouldn't consider to be particularly important anyway.

Both of which would be way, way, way less secure than using a password manager where the whole file is encrypted!
Logged
Broadband and Line rental: Zen Unlimited Fibre 2, Mobile: Vodaphone
Router: Fritz!Box 7530

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #7 on: March 22, 2017, 08:39:07 PM »

KeePass is in a different league to browser based password managers. The level of possible risk is completely on another level.

I trust browser built in password managers more than addons as the likes of Google are going to be able to embed it in the browser much more efficiently than 3rd party developers and also likely have better developers. Same with Mozilla. With that said, for certain sites I don't even use the browser inclusive manager, I tell it to not remember on sites like banks and PayPal, for those I just use KeePass.
« Last Edit: March 22, 2017, 08:42:00 PM by Chrysalis »
Logged

jelv

  • Helpful
  • Kitizen
  • *
  • Posts: 2054
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #8 on: March 22, 2017, 08:42:09 PM »

@sevenlayermuddle

I can sympathise with the avoidance tactic!
Logged
Broadband and Line rental: Zen Unlimited Fibre 2, Mobile: Vodaphone
Router: Fritz!Box 7530

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #9 on: March 22, 2017, 09:04:56 PM »

Quote
Both of which would be way, way, way less secure than using a password manager where the whole file is encrypted!

That's true, but it depends on what you want it to be secure against.

Firefox does have the facility to set a master password for its stored passwords.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #10 on: March 22, 2017, 09:28:23 PM »

An interesting experiment is to boot from a Linux CD or USB drive, and then run 'strings' on the PC's raw hard drive, grepping the output for a recently used password. On a big disk it can take hours if not days but as often in my experience it'll show up, in plain text. Maybe from a browser or mail client's database, or maybe from a fragment of RAM that's been written to a swap partition.

Whole disk encryption helps of course but even then I believe, you are putting your confidence in an encryption system which, like pretty much all encryption systems that have gone before it, will most probably one day be compromised.
Logged
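
The self-check described in the post above, as an added example that is not part of the original thread: a Python sketch that scans a raw image or device for a string in both UTF-8 and UTF-16LE, reading in chunks and carrying an overlap so a copy split across two reads is still reported. The function names, the sample secret and the 4 KiB test image are constructed for illustration.

```python
import getpass
import os
import sys
import tempfile

def find_secret(path, secret, chunk_size=1 << 20):
    """Return sorted (byte_offset, encoding) hits for `secret` in a raw image or device."""
    if not secret:
        raise ValueError("empty search string")
    needles = {
        "utf-8": secret.encode("utf-8"),
        "utf-16le": secret.encode("utf-16-le"),  # missed by `strings` unless run with -e l
    }
    overlap = max(len(n) for n in needles.values()) - 1
    hits, tail, base = set(), b"", 0  # base = file offset of window[0]
    with open(path, "rb") as dev:
        while block := dev.read(chunk_size):
            window = tail + block
            for name, needle in needles.items():
                pos = window.find(needle)
                while pos != -1:
                    hits.add((base + pos, name))  # set() drops hits seen again in the overlap
                    pos = window.find(needle, pos + 1)
            # Carry the last bytes forward so a copy split across two reads is still found.
            tail = window[-overlap:]
            base += len(window) - len(tail)
    return sorted(hits)

def demo():
    """Scan a constructed 4 KiB image holding a made-up secret in two encodings."""
    secret = "constructed-Passw0rd!"  # sample value, not a real credential
    image = bytearray(4096)
    image[1015:1015 + len(secret)] = secret.encode("utf-8")  # straddles the 1024-byte read boundary
    utf16 = secret.encode("utf-16-le")
    image[3000:3000 + len(utf16)] = utf16
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(image)
    try:
        return find_secret(f.name, secret, chunk_size=1024)
    finally:
        os.unlink(f.name)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Prompt for the string so it never lands in argv or shell history.
        for offset, enc in find_secret(sys.argv[1], getpass.getpass("String to look for: ")):
            print(f"{offset:#x}  {enc}")
    else:
        print(demo())
```

Run with a device or image path as the only argument (reading a raw device normally needs root); with no argument it scans the constructed image.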

NEXUS2345

  • Reg Member
  • ***
  • Posts: 235
Re: Vulnerabilities in LastPass Chrome and Firefox add-ons
« Reply #11 on: March 22, 2017, 09:44:01 PM »

It is worth noting that if you are logged into your Google account in Chrome, any stored passwords are encrypted using your Google account password.
Logged
Security improvement and remediation consultant with infrastructure specialisation

IDNet Openreach FTTP 1000/115 + Asus RT-AX92U | Virgin Media 200 + SuperHub 3 + Synology MR2200ac mesh | Sky 80/20 with WiFi Guarantee on Huawei 288 cabinet

jelv

  • Helpful
  • Kitizen
  • *
  • Posts: 2054
« Last Edit: March 23, 2017, 04:18:09 PM by burakkucat »
Logged
Broadband and Line rental: Zen Unlimited Fibre 2, Mobile: Vodaphone
Router: Fritz!Box 7530