LastPass failed to provide the security to safeguard a user’s passwords “as advertised”.

[TheWarlock]

Came across this article today on forbes.com and was recently thinking about signing up for LastPass to actually keep track of my passwords because I'm looking to get away from just having Google Chrome remember all of my passwords for obvious reasons, is there anyway to really keep track of your passwords securely?

 

https://www.forbes.com/sites/kateoflahertyuk/2019/02/20/password-managers-have-a-security-flaw-heres-how-to-avoid-it/#457fd4a54e16

 

'So major password manager firms will be feeling the heat today after a report from Independent Security Evaluators (ISE) found fundamental flaws that expose user credentials in computer memory while locked. According to the researchers, this renders them “no more secure than saving passwords in a text file”.'

 

'The ISE evaluated 1Password, Dashlane, KeePass and LastPass, which are used by a total of 60 Million users and 93,000 Businesses globally. It found that all the products failed to provide the security to safeguard a user’s passwords “as advertised”.'

 

'the researchers found that in some circumstances, the master password was residing in the computer’s memory in a plain text readable format.'

 

The original report by ISE here:

https://www.securityevaluators.com/casestudies/password-manager-hacking/

[elfensky]

3 minutes ago, TheWarlock said:

Came across this article today on forbes.com and was recently thinking about signing up for LastPass, is there anyway to really keep track of your passwords securely?

 

https://www.forbes.com/sites/kateoflahertyuk/2019/02/20/password-managers-have-a-security-flaw-heres-how-to-avoid-it/#457fd4a54e16

 

In any case, this is fairly worrying. Lots of people use lastpass, and I think they even sporsored LTT quite a few times.

Edited February 20, 2019 by SansVarnic

[Franck]

1 minute ago, ElfenSky said:

I think they even sporsored LTT quite a few times.

they did and quite recently too.

[Alan G]

Don't know about the Forbes article but this article was referenced in today's Washington Post.  They looked at five popular password programs for vulnerabilities.  Personally I use Password Safe which is not linked to my browser.

 

EDIT:  same article that Forbes references

Edited February 20, 2019 by Alan G
Updated

[Fasauceome]

Wow, so the password is stored in my own PC's memory? What's the point then? I thought it was supposed to be remote so it was secure.

[kuddlesworth9419]

It's called paper and pencil. It's the most secure way or documenting your passwords as far as I care. If you are storing your passwords on your PC you are doing something wrong.

[BuckGup]

Yeah offline hashes is the best way and keys you remember in your brain or physically on paper somewhere secure like a lock box in a bank. Anything offline is ideal

[SansVarnic]

@TheWarlock you topic does not meet the posting guidelines. Please review and update your post.

 

Quote

When creating a thread in the News subforum, please make sure your post meets the following criteria:

• Your thread must include some original input to tell the reader why it is relevant to them, and what your personal opinion on the topic is. This needs to be MORE than just a quick, single comment to meet the posting guidelines.
• Your thread must include a link to at least one reputable source. Most of the time, this should be a respected news site.
• Your thread should also include quotes from the cited source(s). While you shouldn't just copy the entire article, your quote should give the reader a summary of the article in a way that gives the key details, but also leaves room for them to read the full article on the linked website. Please use quote tags to show that you have copied this content from another site.
• The title of your thread must be relevant to the topic and should give a reader a good idea of the contents of the thread. Copying the title of the source is permitted but absolutely not required. It should be to the point and not be done in such a way as to mislead a reader, such as clickbait, etc.
• If your article is about a product or some form of media, images are always appreciated, although they are not required.

Failure to comply may result in your thread being locked or removed without warning.

 

[yian88]

I stopped using LastPass due to government sneaky forcing backdoors and data handover to them on most services you usually find out later after months or years passed that you got rekt and your data is already in the gov filthy hands.

I recommend KeepPass database and local+ online drive storage for crossdevice access.

[brwainer]

6 minutes ago, TheWarlock said:

Came across this article today on forbes.com and was recently thinking about signing up for LastPass, is there anyway to really keep track of your passwords securely?

 

https://www.forbes.com/sites/kateoflahertyuk/2019/02/20/password-managers-have-a-security-flaw-heres-how-to-avoid-it/#457fd4a54e16

The article is very good but your post on the forum is misleading. The flaw affects all major password managers not just LastPass. But also as long as you have 2FA enabled for your password manager you are still mostly secure, which the article and researchers mention.

[brwainer]

2 minutes ago, yian88 said:

I stopped using LastPass due to government sneaky forcing backdoors and data handover to them on most services you usually find out later after months or years passed that you got rekt and your data is already in the gov filthy hands.

I recommend KeepPass database and local+ online drive storage for crossdevice access.

The article says this affects KeePass too.

[SansVarnic]

All my passwords are on a secured word document kept in a thumbdrive.

 

 

Anytime you give up sensitive information to another party you increase your risk of losing control of your stuff.

I dont care what kind of promise of security they offer. 

[imreloadin]

Considering this has to do with having the application open in the background so your master password is stored actively in your RAM all you have to do is not use anything with a browser extension and just close out of the application when you're done. I use KeePass and it's not that hard to do, just launch it when I need to enter a password, copy/paste it into the website, and close out of KeePass. Seriously though this is just basic computer usage information, if I type something in it's obviously stored in the RAM of your computer while that application is open.

[imreloadin]

Just now, brwainer said:

The article says this affects KeePass too.

Did you bother to read why it affects it? Because this will literally affect any password manager you have on your computer...It's super easy to fix to, just close out of the application when you're done retrieving your password.

[brwainer]

2 minutes ago, imreloadin said:

Did you bother to read why it affects it? Because this will literally affect any password manager you have on your computer...It's super easy to fix to, just close out of the application when you're done retrieving your password.

Yes, I have read the whole article, but your post implied to me that you had not, especially since the OP’s title and post are incomplete/misleading. No offence was meant.

 

EDIT: Sorry, I thoughtyou were the same poster I had originally replied to.

[solonovamax]

2 minutes ago, imreloadin said:

Did you bother to read why it affects it? Because this will literally affect any password manager you have on your computer...It's super easy to fix to, just close out of the application when you're done retrieving your password.

Wouldn't it behoove the devs of the password managers to have it not be stored on the ram and instead encrypt in some fashion then store it on the system drive?

[imreloadin]

Just now, solonovamax said:

Wouldn't it behoove the devs of the password managers to have it not be stored on the ram and instead encrypt in some fashion then store it on the system drive?

It has to pass through the RAM at some point...

[aezakmi]

Avoid using password managers.

[solonovamax]

2 minutes ago, imreloadin said:

It has to pass through the RAM at some point...

But, wouldn't they want to remove it from the ram afterwards? Maybe by filling it up with random junk, so it's overwritten, or just deleting it afterwards? (I'm not that sure on how ram works, but I get the general idea)

[Guest]

I use Apple Keychain (Just because it prompts me so why not) but mostly just remember the password in my head. It's not hard. 

[solonovamax]

Just now, VegetableStu said:

anything that the CPU needs, has to be taken from RAM ._. this is how calculators work, let alone computers

yes, but the cpu does also need to access programs on my hard disk. These are read off the disk. I don't think it would be that hard to do something like that (on the other hand, I can't entirely say for sure, as I don't fully know how they work and/or are coded)

[WereCatf]

At least with Keepass there's a very simple solution: simply exit Keepass when you don't actively need it. POOF -- problem gone.

[Rohith_Kumar_Sp]

17 minutes ago, SansVarnic said:

All my passwords are on a secured word document kept in a thumbdrive.

make sure you have backups, i had my drive fail on me with my entire PWD's lost, i somehow managed to recovered it after trying the drive again after a week and let the drive detect for about an hour and copied that file the first chance i got, after that incident i created a LastPass account.

[Sauron]

29 minutes ago, kuddlesworth9419 said:

It's called paper and pencil. It's the most secure way or documenting your passwords as far as I care. If you are storing your passwords on your PC you are doing something wrong.

I'm sorry, but having a physical, unencrypted piece of paper with your passwords on it is the single worst and least secure way of remembering them. Using a proper, local password storage solution with adequate cryptography is both secure and convenient. The issue detailed in the article is most definitely not the same as having your passwords in a plain text file and the issue is non existent if you close the password manager when you're done with it - it never crossed my mind to leave it running in the background, and even then at the very least an attacker would require my user password and physical or remote access to my pc to abuse this vulnerability.

[SansVarnic]

15 minutes ago, Rohith_Kumar_Sp said:

make sure you have backups, i had my drive fail on me with my entire PWD's lost, i somehow managed to recovered it after trying the drive again after a week and let the drive detect for about an hour and copied that file the first chance i got, after that incident i created a LastPass account.

Oh yeah, i have back ups...