LastPass failed to provide the security to safeguard a user’s passwords “as advertised”.

TheWarlock

Is there a more techy explanation of this flaw?

 

Rather than 'the master password occasionally sits in memory'

 

DISCLAIMER 

Everything I say is my own opinion. So if you disagree with what I post, you are wrong.

28 minutes ago, solonovamax said:

Yes, but the CPU does also need to access programs on my hard disk. These are read off the disk. I don't think it would be that hard to do something like that (on the other hand, I can't entirely say for sure, as I don't fully know how they work and/or are coded)

It goes CPU > Registers (Like cache) > RAM > Drive. The processor fetches data from this hierarchy if I remember correctly. 

45 minutes ago, imreloadin said:

Considering this has to do with having the application open in the background so your master password is stored actively in your RAM all you have to do is not use anything with a browser extension and just close out of the application when you're done. I use KeePass and it's not that hard to do, just launch it when I need to enter a password, copy/paste it into the website, and close out of KeePass. Seriously though this is just basic computer usage information, if I type something in it's obviously stored in the RAM of your computer while that application is open.

It's not even the LastPass browser extension that's affected, it's the separate "LastPass for Applications" that you download and install on your PC, and is only available to premium users.

 

This: [screenshot]

[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable

Server 02: Intel i7 7700K | Gigabye Z170N Gaming5 | 16GB Trident Z 3200MHz

1 hour ago, SansVarnic said:

All my passwords are on a secured word document kept in a thumbdrive.

 

 

Anytime you give up sensitive information to another party you increase your risk of losing control of your stuff.

I don't care what kind of promise of security they offer.

Call me "old school", but I have mine on tape along with other confidential documents. Then that is kept on my person or in a safe.

At least the cited paper doesn't blow this story up to a misleading point like the Forbes article or the OP.

 

Fact 1: everything your computer does goes through RAM. EVERYTHING! There's no way around it. No matter what you type into it, it will at some point be stored in RAM. 

 

Fact 2: if someone has access to your unlocked system or gains physical access to your computer's internals, you're doomed and your security is done for good.

 

Fact 3: using encryption doesn't mean you can take a dump at common sense. Accessing the memory addresses of another program requires a lot (!) of privileges; in fact this basically requires root/admin privileges and in some cases that's not even enough (talking about kernel-level access). If there's malware installed on your system that was able to run with root/admin privileges, then you screwed yourself over hard - shotgun level hard and afterwards pulling the trigger.

 

The original paper states that attempts were made to sanitize memory entries after use. Some residues somehow stayed behind even after being freed. The question now is: how did this happen? This could have many reasons, but to exploit these leaks an attacker needs to already have access to your system. At that point you're already done.

 

You can bet that the developers will look into this and fix the issues by maybe switching frameworks, using different libraries or whatever.

 

This isn't as big as Forbes is trying to make it look like.

Use the quote function when answering! Mark people directly if you want an answer from them!

This is mostly a hard Fake News/Clickbait. If you have READ access to the memory, you can easily just keylog someone's computer. This is interesting for the NSA/CIA/Pick your 3 letter agency, but there'll be some minor upgrades to a few programs to address a weakness. The fact KeePass showed up in their discussions means losing your passwords is the least of your problems.

4 minutes ago, bowrilla said:

You can bet that the developers will look into this and fix the issues by maybe switching frameworks, using different libraries or whatever.

It's not really possible to fix it: all the passwords in the database are encrypted, so the manager needs to have the key to decrypt them with. Either the manager would have to keep asking for the key every single fricking time you want to access any of the usernames/passwords in the database, or it just has to remain like it is. Can't have it both ways.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.

1 minute ago, WereCatf said:

It's not really possible to fix it: all the passwords in the database are encrypted, so the manager needs to have the key to decrypt them with. Either the manager would have to keep asking for the key every single fricking time you want to access any of the usernames/passwords in the database, or it just has to remain like it is. Can't have it both ways.

The issue is memory leaks that persist even after the program was terminated. There were attempts to prevent this but some leaks persist. This can be fixed. When your database is unlocked it is unlocked. Most password managers lock themselves after a certain period of time of inactivity.

The claim that it's no more secure than a plain text file is very much false. All that was found in the research was that your passwords can sometimes exist in your computer's RAM, which would require administrator privileges for an attacker to extract. That is a valid attack case against a password manager, but that is not remotely the same as having a plaintext file that exists on the file system.

 

The gold standard that the researchers are proposing is that a password is only loaded into memory when needed for autofilling, and it is immediately overwritten with bogus data once the fill is complete. According to the article, LastPass, and several of the other password managers, do attempt to do this, but miss some cases.

1 hour ago, SansVarnic said:

All my passwords are on a secured word document kept in a thumbdrive.

 

 

Anytime you give up sensitive information to another party you increase your risk of losing control of your stuff.

I don't care what kind of promise of security they offer.

While not insecure, that is less secure against this particular attack than the password managers surveyed in this study, because all of your passwords will be present in memory for the duration that Word is open. I don't know about how Word handles it, but I suspect that the memory isn't scrubbed at all either, and it almost certainly uses fewer than 100,000 iterations of PBKDF2 to convert the password to an encryption key (100,000 iterations is a lot, but that is what LastPass and 1Password use).

Moreover, to use your passwords, you will use the clipboard, and any process can read the clipboard and get your password.

 

The point of my post is that while this is an issue that should be addressed, password managers are still significantly better than the alternatives, and many of those alternatives, such as using an encrypted Word document, still offer a good level of security.

A password manager is still several orders of magnitude better than using the same password or set of passwords everywhere.

HTTP/2 203

I'm a Last Pass user, not worried at all about this. If someone is managing to pull data from my computer's RAM, I got bigger problems to deal with than that they might get my Last Pass master password!

 

I rate this a 0.5/10 security threat. 

4 hours ago, Sauron said:

I'm sorry, but having a physical, unencrypted piece of paper with your passwords on it is the single worst and least secure way of remembering them. Using a proper, local password storage solution with adequate cryptography is both secure and convenient. The issue detailed in the article is most definitely not the same as having your passwords in a plain text file and the issue is non existent if you close the password manager when you're done with it - it never crossed my mind to leave it running in the background, and even then at the very least an attacker would require my user password and physical or remote access to my pc to abuse this vulnerability.

Uhh hyperbole a little bit. Physical unencrypted piece of paper that is offline and within a location that is, at least in theory, secured, is dramatically less bad or less secure than a number of other methods you could use. Including these programs in their current implementation (at least from non-targeted attacks, which make up the hyper majority of data theft these days).

 

In fact, the requirements for physical access to your computer and physical access to the password locker in both cases are then nearly identical.

25 minutes ago, Chett_Manly said:

I'm a Last Pass user, not worried at all about this. If someone is managing to pull data from my computer's RAM, I got bigger problems to deal with than that they might get my Last Pass master password!

 

I rate this a 0.5/10 security threat. 

In and of itself it isn't a big issue, but recent vulnerabilities with manipulating speculation (and further seeming to indicate that almost all methods of speculative execution are vulnerable to attack in some way or another) to access other parts of system RAM, even without administrative privileges, make it one. With that said, just through this publicity forcing the companies to address the loophole is a good thing and benefits everyone. Just like most discovered vulnerabilities these days haven't been seen in the wild before they are identified as weaknesses (and hopefully patched as well before that point.)

LINK-> Kurald Galain:  The Night Eternal 

Top 5820k, 980ti SLI Build in the World*

CPU: i7-5820k // GPU: SLI MSI 980ti Gaming 6G // Cooling: Full Custom WC //  Mobo: ASUS X99 Sabertooth // Ram: 32GB Crucial Ballistic Sport // Boot SSD: Samsung 850 EVO 500GB

Mass SSD: Crucial M500 960GB  // PSU: EVGA Supernova 850G2 // Case: Fractal Design Define S Windowed // OS: Windows 10 // Mouse: Razer Naga Chroma // Keyboard: Corsair k70 Cherry MX Reds

Headset: Senn RS185 // Monitor: ASUS PG348Q // Devices: Note 10+ - Surface Book 2 15"

LINK-> Ainulindale: Music of the Ainur 

Prosumer DYI FreeNAS

CPU: Xeon E3-1231v3  // Cooling: Noctua L9x65 //  Mobo: AsRock E3C224D2I // Ram: 16GB Kingston ECC DDR3-1333

HDDs: 4x HGST Deskstar NAS 3TB  // PSU: EVGA 650GQ // Case: Fractal Design Node 304 // OS: FreeNAS

 

 

 

3 minutes ago, Curufinwe_wins said:

Uhh hyperbole a little bit. Physical unencrypted piece of paper that is offline and within a location that is, at least in theory, secured, is dramatically less bad or less secure than a number of other methods you could use. Including these programs in their current implementation (at least from non-targeted attacks, which make up the hyper majority of data theft these days).

Right, I suppose posting them on facebook is worse. The piece of paper won't be in a safe though, it will be in your pocket if you want to remember your passwords outside of your house.

 

No, these programs aren't nearly as bad as that. In fact, I'd argue that they're perfectly safe, and this vulnerability is completely negated if you close the password manager when you're done with it. An easy fix is to just remove the background service function. A targeted attack is necessary to exploit it though; you need physical or remote access to the computer with your user account.

7 minutes ago, Curufinwe_wins said:

recent vulnerabilities with manipulating speculation (and further seeming to indicate that almost all methods of speculative execution are vulnerable to attack in some way or another) to access other parts of system RAM, even without administrative privileges, make it one.

Speculative execution vulnerabilities make everything a vulnerability; if you get pwned by Spectre they could just as well keylog all your passwords (or dump your clipboard if you use that).

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*

Easy fix: don't be a dumb-ass and install/open anything without thinking, and use noscript and adblock* on your browser.... 9_9

 

(* "But that is like stealing and yada yada yada...." I don't care, if ad companies won't return to reality with their practices [no flashing, moving, loud, etc ads] and fix their sh!t security ASAP they deserve to be blocked.)

5 hours ago, kuddlesworth9419 said:

It's called paper and pencil. It's the most secure way of documenting your passwords as far as I care. If you are storing your passwords on your PC you are doing something wrong.

Lmao, do you put this paper in a safe? This is actually the worst possible way to record passwords.

Magical Pineapples

25 minutes ago, Sauron said:

Right, I suppose posting them on facebook is worse. The piece of paper won't be in a safe though, it will be in your pocket if you want to remember your passwords outside of your house.

 

No, these programs aren't nearly as bad as that. In fact, I'd argue that they're perfectly safe, and this vulnerability is completely negated if you close the password manager when you're done with it. An easy fix is to just remove the background service function. A targeted attack is necessary to exploit it though; you need physical or remote access to the computer with your user account.

Speculative execution vulnerabilities make everything a vulnerability; if you get pwned by Spectre they could just as well keylog all your passwords (or dump your clipboard if you use that).

I'm not suggesting you move the paper out of your house, ever. Because why would you? I'm thinking about the senior citizens that keep passwords in a notebook in their house that never moves from the house, which generally speaking is better for them than these programs are (for many security reasons).

 

This vulnerability may be negated by closing the program (and forcing the ram to actually be dumped not just cached), but the same type of people who generally find themselves infiltrated by those broad spectrum non-targeted exploits (as in trying to get YOUR information, instead of trying to get the information of EVERYONE who uses the program) in the first place, are the same type of people who don't have the common sense to close shit when they are done with it. I mean lol, if people actually closed their browsers when they were done with it, banks (and the like) wouldn't bother instituting time out periods on websites with critical information etc.

 

An example of a targeted attack, by that thought process is someone breaking into YOUR home after studying your comings and goings etc. Or digitally doing the equivalent. Those attacks, particularly within digital space are still quite rare, because most people simply aren't that important or interesting.

2 minutes ago, Curufinwe_wins said:

I'm not suggesting you move the paper out of your house, ever. Because why would you?

I log in to things when I'm out, don't you?

So, if your PC is already not secure by having crap on it that scans your memory, you're potentially exposing your passwords. Cool.

 

Keepass has a ton of security features that, quite frankly, should be enabled by default.

Like erasing the clipboard after x seconds, master password on secure desktop and closing itself automatically after x seconds/minutes of idling.

Anyone who cares about safety has those enabled (plus many other options...).

So honestly, as a Keepass user, I'm not worried.

Your passwords are only as secure as you make them to be. 

 

Also, this has been known for a long time for Keepass.
https://keepass.info/help/base/security.html#secmemprot

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro
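An added example, not code from this thread or from any password manager, of the pattern two posts above are circling: the "gold standard" described earlier (decrypt an entry only at fill time, then overwrite it) combined with the in-process memory protection the KeePass page linked above describes (entries stay encrypted under a session key while the vault is unlocked), including a wipe the compiler cannot optimize away, which is one concrete reason "attempts to sanitize" can still leave residue. The XOR stream, the fixed session key and the FNV-1a "sink" are constructed stand-ins for the real cipher, the OS RNG and the autofill target.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SECRET 64

/* A memset() the optimizer cannot drop. A plain memset() on a buffer that is
 * never read again is a dead store and compilers do delete it, one concrete way
 * "attempts to sanitize" still leave cleartext behind. Calling through a volatile
 * function pointer hides the callee, so the stores must happen (explicit_bzero()
 * and memset_s() do the same job where available). */
static void *(*const volatile secure_memset)(void *, int, size_t) = memset;

void secure_wipe(void *buf, size_t len) { secure_memset(buf, 0, len); }

/* 1 if any byte of the region is non-zero, i.e. residue survived a wipe. */
int has_residue(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc != 0;
}

/* 1 if cleartext `needle` occurs anywhere in `hay`: a self-check that a secret
 * is not sitting in a buffer it should have left. */
int contains_secret(const unsigned char *hay, size_t hay_len,
                    const unsigned char *needle, size_t needle_len) {
    if (needle_len == 0 || hay_len < needle_len) return 0;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return 1;
    return 0;
}

/* Constructed per-session key that keeps entries encrypted while the vault is
 * unlocked; a real manager draws it from the OS RNG at startup (KeePass on
 * Windows delegates this to DPAPI). The XOR below stands in for the real cipher. */
static const unsigned char session_key[16] = {
    0x5a, 0xc3, 0x19, 0x77, 0xe1, 0x08, 0x4d, 0xb2,
    0x3f, 0x96, 0x6c, 0xd5, 0x2a, 0x81, 0xf0, 0x47 };

struct vault_entry { unsigned char ct[MAX_SECRET]; size_t len; };

static void xor_session(unsigned char *dst, const unsigned char *src, size_t len) {
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i] ^ session_key[i % sizeof session_key];
}

/* Keep an entry in memory only in encrypted form. 0 on success, -1 if too long. */
int store_entry(struct vault_entry *e, const char *plain) {
    size_t len = strlen(plain);
    if (len > MAX_SECRET) return -1;
    xor_session(e->ct, (const unsigned char *)plain, len);
    e->len = len;
    return 0;
}

/* FNV-1a of the bytes a sink received, so a caller can confirm the fill
 * delivered the right cleartext without keeping a second copy of it around. */
uint32_t fnv1a(const unsigned char *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* The fill path: decrypt into the caller's working buffer only now, hand it to
 * `sink` (the autofill step), then wipe the whole buffer, not just `len` bytes.
 * Returns the sink's result, or 0 if the entry does not fit. */
uint32_t autofill_entry(const struct vault_entry *e, unsigned char *work, size_t work_len,
                        uint32_t (*sink)(const unsigned char *, size_t)) {
    if (e->len > work_len) return 0;
    xor_session(work, e->ct, e->len);
    uint32_t rc = sink(work, e->len);
    secure_wipe(work, work_len);
    return rc;
}
```

To drive it, call store_entry with a constructed secret, then autofill_entry with fnv1a as the sink, and check has_residue on the working buffer afterwards; the hash comparison confirms the fill delivered the right bytes without keeping a second cleartext copy.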

3 minutes ago, Sauron said:

I log in to things when I'm out, don't you?

If I can't remember a password for something when I'm out and about... I simply do without. Honestly.

 

But no, I don't personally store passwords this way, I just think cold local storage (a prime example of security through obscurity in the digital space) is a far better method than most people give credit. Particularly with targeted crime being so relatively low.

1 minute ago, Curufinwe_wins said:

If I can't remember a password for something when I'm out and about... I simply do without. Honestly.

Good for you, I for one need it sometimes.

2 minutes ago, Curufinwe_wins said:

But no, I don't personally store passwords this way, I just think cold local storage (a prime example of security through obscurity in the digital space) is a far better method than most people give credit. Particularly with targeted crime being so relatively low.

What about cold local storage, but the file is also encrypted? That's what KeePass is. At worst, using this vulnerability they would know your master password for KP, and at that point it's as good as a text file - but that's pretty unlikely.

8 minutes ago, Sauron said:

Good for you, I for one need it sometimes.

What about cold local storage, but the file is also encrypted? That's what KeePass is. At worst, using this vulnerability they would know your master password for KP, and at that point it's as good as a text file - but that's pretty unlikely.

Of course, encrypting your cold storage is better than not encrypting it, but most encryption methods fall in the 'keep your younger brother from snooping' not in the 'keep someone that actually cares/knows what they are doing from spying'. 

 

Since I would also argue targeted attacks (which are the only ones that fall in the second bin) are rare enough to not generally concern yourself about, I do actually think it's generally safe enough (for most people at least) to use physically recorded non-encrypted storage.

 

Also KeePass isn't really cold storage, unless you have a separate non-connected device that holds the repository. In which case, bravo.

I just remember passwords in my head...

Insanity is not the absence of sanity, but the willingness to ignore it for a purpose. Chaos is the result of this choice. I relish in both.

16 minutes ago, Curufinwe_wins said:

Of course, encrypting your cold storage is better than not encrypting it, but most encryption methods fall in the 'keep your younger brother from snooping' not in the 'keep someone that actually cares/knows what they are doing from spying'.

Not really, AES 512 is currently completely unbreakable. It doesn't matter who targets you, they can't decrypt that without the password.

19 minutes ago, Curufinwe_wins said:

Since I would also argue targeted attacks (which are the only ones that fall in the second bin) are rare enough to not generally concern yourself about, I do actually think it's generally safe enough (for most people at least) to use physically recorded non-encrypted storage.

I disagree, "most people" are likely to end up losing that storage or leave it unattended. People use their passwords at work and in general outside their home, losing it is a real concern. If it's just a text file, losing it means giving away your passwords to whomever finds it. If it's properly encrypted, that's not a problem.

6 hours ago, TheWarlock said:

Came across this article today on forbes.com and was recently thinking about signing up for LastPass to actually keep track of my passwords because I'm looking to get away from just having Google Chrome remember all of my passwords for obvious reasons. Is there any way to really keep track of your passwords securely?

 

What are these obvious reasons not to use the saved passwords on Chrome? It's stored by Google.

if you want to annoy me, then join my teamspeak server ts.benja.cc

18 minutes ago, Jtalk4456 said:

I just remember passwords in my head...

Mine are all in a journal in a drawer next to my desk just in case I forget. But otherwise, yes, it's all in my head.

🌲🌲🌲

 

 

 

◒ ◒ 
