
LastPass failed to provide the security to safeguard a user’s passwords “as advertised”.

TheWarlock

How long until AI will be used to unlock this? Because people's way of thinking is so similar, an AI could take patterns and reduce that need for brute force :( I'm scared.


Don't put your passwords on any internet service, period. Memorize your passwords...


There is also "Bitwarden", which is a highly regarded password manager, and since it's not mentioned, it's probably not affected? It recently also passed an independent security review. Basically it's the same as LastPass, but the Premium plan is cheaper and allows self-hosting. You may want to check it out, as it also has an unrestricted Free plan with a bit fewer features (like no OTP).


This is why you need to completely stop the process of your password manager when done (or use the browser extension) and add 2FA to your account. Also doesn't hurt to do a malware scan once in a while to make sure nothing's infected, since it seems a Trojan is the most likely way someone could access your RAM remotely.


3 hours ago, RejZoR said:

There is also "Bitwarden", which is a highly regarded password manager, and since it's not mentioned, it's probably not affected? It recently also passed an independent security review. Basically it's the same as LastPass, but the Premium plan is cheaper and allows self-hosting. You may want to check it out, as it also has an unrestricted Free plan with a bit fewer features (like no OTP).

All the password managers that they checked were vulnerable, but Bitwarden wasn't included in the checks, just 1Password, KeePass, Dashlane and LastPass.


5 minutes ago, colonel_mortis said:

All the password managers that they checked were vulnerable, but Bitwarden wasn't included in the checks, just 1Password, KeePass, Dashlane and LastPass.

To be fair I can't imagine any password manager is immune from this while running in the background, unlocked... how can it possibly stay unlocked without having the password in working memory?


39 minutes ago, Sauron said:

To be fair I can't imagine any password manager is immune from this while running in the background, unlocked... how can it possibly stay unlocked without having the password in working memory?

The security definition that the article was aiming for is


In this “running, unlocked state” the password manager should guarantee: 

  • It should not be possible to extract the master password from memory, either directly or in any form that allows the original master password to be recovered. 
  • For those stored passwords that have not been displayed/copied/accessed by the user since the password manager was unlocked, it should not be possible to extract those unencrypted passwords from memory. 

Knowing usability constraints that affect password managers, we concede that: 

  • It may be possible to extract those passwords from memory that were displayed/copied/accessed in the current unlocked session. 
  • It may be possible to extract cryptographic information derived from the master password sufficient to decrypt other stored passwords, but not the master password itself. 

But yeah, if you can decrypt the password manager's passwords (and you must* be able to do so given the information in memory), knowing the master password isn't much worse.

 

*Using an HSM, such as the secure context built into modern processors (Intel SGX), would in theory allow for more security guarantees in terms of what is accessible in memory. However, although I don't know enough about their design to know for sure, the password manager would need to be able to query the HSM to retrieve the passwords, and any process with root privileges would presumably be able to make the same queries, so while it might be better (requiring an online rather than offline attack), I'm not sure how much practical additional security it would be able to provide.

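The first requirement in the quoted definition (no recoverable master password while the manager is running unlocked) comes down to what the client does with the typed password once the vault key has been derived. The C example below is added here and is not code from the thread, the paper, or any of the password managers discussed; its key derivation is a constructed stand-in (not a real KDF), and it contrasts a volatile-pointer scrub with a naive unlock that leaves the typed password resident.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define KEY_LEN 32

/* Constructed stand-in for a KDF (NOT cryptographic; a real client uses PBKDF2/Argon2).
   Per the quoted definition, only this derived key may stay resident while unlocked. */
static void derive_key(const char *pw, size_t pw_len, uint8_t key[KEY_LEN]) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < KEY_LEN; i++) {
        for (size_t j = 0; j < pw_len; j++) { h ^= (uint8_t)pw[j]; h *= 1099511628211ULL; }
        h ^= i; h *= 1099511628211ULL;
        key[i] = (uint8_t)(h >> 56);
    }
}

/* Scrub through a volatile pointer so the compiler cannot drop it as a dead store,
   which is what happens to a plain memset() on a buffer that is about to go out of scope. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Check: does the buffer still start with the plaintext master password? */
int password_still_resident(const char *buf, size_t buf_len, const char *pw) {
    size_t pw_len = strlen(pw);
    return pw_len > 0 && pw_len <= buf_len && memcmp(buf, pw, pw_len) == 0;
}

/* Unlock, then (optionally) scrub the typed password before entering the unlocked state.
   Returns 1 if the plaintext is gone, 0 if it is still resident, -1 on oversize input. */
int unlock_and_scrub(const char *typed_pw, uint8_t key[KEY_LEN], int scrub) {
    char pw_buf[64];
    size_t n = strlen(typed_pw);
    if (n >= sizeof pw_buf) return -1;
    memcpy(pw_buf, typed_pw, n + 1);
    derive_key(pw_buf, n, key);
    if (scrub) secure_zero(pw_buf, sizeof pw_buf);   /* the naive path skips this step */
    return !password_still_resident(pw_buf, sizeof pw_buf, typed_pw);
}

/* Both paths derive the same vault key; only the scrubbing path drops the password. */
int scrub_demo(void) {
    uint8_t k_scrub[KEY_LEN], k_naive[KEY_LEN];
    int gone_scrub = unlock_and_scrub("correct horse battery", k_scrub, 1);
    int gone_naive = unlock_and_scrub("correct horse battery", k_naive, 0);
    return gone_scrub == 1 && gone_naive == 0 && memcmp(k_scrub, k_naive, KEY_LEN) == 0;
}
```

This only covers the process's own buffer; copies made by the OS, the GUI toolkit or the language runtime are outside what the application itself can scrub.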

8 hours ago, EarthWormJM2 said:

Don't put your passwords on any internet service, period. Memorize your passwords...


Whaaaat? If you're not using any "Internet services" (e.g. Gmail), then what's the point of remembering (or noting down) passwords?


Well, one way of solving this is by securing your environment. If threats are not present on the system, it doesn't matter if certain parts might be vulnerable, because you need a local keylogger or Trojan to do those operations (stealing passwords from memory).


On 2/20/2019 at 9:57 AM, SansVarnic said:

Anytime you give up sensitive information to another party you increase your risk of losing control of your stuff.

I don't care what kind of promise of security they offer.

I know I'm 4 pages deep, but I want to emphasize the validity of this statement. The only person you can trust to handle your security is you.


On 2/20/2019 at 7:57 PM, brwainer said:

The article says this affects KeePass too.

 

Comment taken from Keepass forum discussion:

"This paper is nothing but a big headline.
The attack requires the ability to dump the memory as soon as KeePass is closed and relies on arbitrary copies that KeePass is unaware of.
This is out of scope and a Windows issue more than a KeePass one."

 

https://sourceforge.net/p/keepass/discussion/329220/thread/6efa568699/

 

That's a fucking loooong road from "KeePass is unsafe and useless" headlines to "Windows sucks and makes memory copies the program can't access".

I would obviously expect the master password to be kept in memory at least for a second as I type it out before opening any DB. Unless it can immediately encrypt any keyboard input without Windows getting that input and send the data directly into the DB opening algorithm, which is not how it works from what I know.

 

I hate these kinds of threads where the OP is lazy AF and only does low-effort clickbait. You have to dig deeper when such bad news comes out and see if the article is right or not.

I would recommend EnPass. Has desktop and mobile application, syncs with your cloud and file is stored as encrypted.


On 2/20/2019 at 5:53 PM, kuddlesworth9419 said:

It's called paper and pencil. It's the most secure way of documenting your passwords as far as I care. If you are storing your passwords on your PC you are doing something wrong.

Yeah. Really secure... Anyone can access your files if they are willing to, without sweat. As for storing passwords on your PC: it's safe, unless you're accessing stupid sites and downloading dodgy stuff.


7 hours ago, yian88 said:

 

Comment taken from Keepass forum discussion:

"This paper is nothing but a big headline.
The attack requires the ability to dump the memory as soon as KeePass is closed and relies on arbitrary copies that KeePass is unaware of.
This is out of scope and a Windows issue more than a KeePass one."

 

https://sourceforge.net/p/keepass/discussion/329220/thread/6efa568699/

 

That's a fucking loooong road from "KeePass is unsafe and useless" headlines to "Windows sucks and makes memory copies the program can't access".

I would obviously expect the master password to be kept in memory at least for a second as I type it out before opening any DB. Unless it can immediately encrypt any keyboard input without Windows getting that input and send the data directly into the DB opening algorithm, which is not how it works from what I know.

 

I hate these kinds of threads where the OP is lazy AF and only does low-effort clickbait. You have to dig deeper when such bad news comes out and see if the article is right or not.

Your point is 100% correct; however, everything you said also applies to all the other password managers they tested (and likely many more they didn't test). The reason I had posted "KeePass is also affected" is that it appeared someone had read the OP here and not read the article to see it was more than LastPass.


7 hours ago, DaRk0 said:

I would recommend EnPass. Has desktop and mobile application, syncs with your cloud and file is stored as encrypted.

The file may be stored as encrypted but that isn’t the issue here. In order to use the passwords you have to decrypt using the master password, and on current computer systems that means the master password has to be somewhere in RAM at some point. The point the researchers were trying to make, if you read the actual paper and its conclusion, is that while there will always be a small window of attack inherent in the fact that we had to decrypt, the 4 password managers they tested did not do everything possible to minimize that attack surface. Just because a password manager wasn’t tested here doesn’t mean it is safe - I would actually argue that if EnPass isn’t big enough for these researchers to test then it isn’t as likely to get attention from bug bounty hunters and other white or grey hat security researchers who would be looking for other ways the software isn’t secure.


On 2/20/2019 at 12:48 PM, TheWarlock said:

“no more secure than saving passwords in a text file"

Looks like maybe the best way is a password protected text file lol


Any mention of Kaspersky Password Manager? 


On 2/20/2019 at 10:04 AM, aezakmi said:

Avoid using password managers.

This. I still don't understand why people use them. From the first one I saw I thought it was a terrible idea. And then these password-keeping companies started getting hacked.. oops.

On 2/24/2019 at 5:00 AM, corsairian said:

This. I still don't understand why people use them. From the first one I saw I thought it was a terrible idea. And then these password-keeping companies started getting hacked.. oops.

Most people just let Chrome or Firefox save them so it's certainly more secure than that. There is no perfect way to store passwords. And also these companies weren't 'hacked'.


7 minutes ago, ZacoAttaco said:

Most people just let Chrome or Firefox save them so it's certainly more secure than that. There is no perfect way to store passwords. And also these companies weren't 'hacked'.

Even storing them in Chrome is pretty safe, so long as they don't have your user password.

On 2/23/2019 at 7:00 PM, corsairian said:

This. I still don't understand why people use them. From the first one I saw I thought it was a terrible idea. And then these password-keeping companies started getting hacked.. oops.

Did you even read the news? Nobody got hacked here, this is just a vulnerability that was found in the client, and most of these don't upload your passwords anywhere so there is literally nothing to "hack" the company for.
