
LastPass password manager vulnerable to phishing attack

mnorian

"The popular password manager LastPass is vulnerable to a phishing attack that takes advantage of the way messages are displayed to users of the service," said ghacks.net this weekend.

It seems Sean Cassidy, CTO at Praesidio, a cybersecurity company, made up his own duplicate of the LastPass login screen, and says it could be used by nefarious individuals to get your passwords to all kinds of personal information. It seems to me disingenuous of him to publish this, with the code available too.

With all the passwords needed to navigate the web, a password manager is essential; I know I would hate to try to rely on memory or a notebook and pen. Anybody got a solution to this problem or any thoughts?

Here are Cassidy's reasons for doing this.
https://www.seancassidy.me/lostpass.html



paul1149

It's an interesting hack, but protection against it is quite simple as well, as detailed in the original ghacks article.

As for Cassidy, he did alert LP to the problem "last year", according to ghacks, so perhaps he thought they weren't being responsive enough. LP is now owned by LogMeIn.

mnorian

It's an interesting hack, but protection against it is quite simple as well, as detailed in the original ghacks article.

As for Cassidy, he did alert LP to the problem "last year", according to ghacks, so perhaps he thought they weren't being responsive enough. LP is now owned by LogMeIn.

As LastPass's own answer to this hack is a little more complicated than ghacks', I didn't show the ghacks article, but here is part of LP's post, with a call for Google to fix notifications so they go outside Chrome's DOM:

"A point that was only briefly raised in Cassidy’s research was the role that the browser itself plays in this attack. LastPass has encouraged Google for years to provide a way to avoid using the browser viewport for notifications. As a true solution to this threat, Google should release infobars in Chrome that give extensions the capability to do proper notifications outside the DOM. You can see our plea for this back in January 2012 with still no resolution; please star this issue to help us raise awareness.

We hope that future improvements to the browser will help us go even further to protect users from these types of attacks. In lieu of that possibility right now, though, we have taken other steps to strengthen LastPass."

And LP's whole article:

https://lastpass.com/support.php?cmd=showfaq&id=10072



elytron

I prefer to keep my passwords off-line, using password managers like KeePassX for Linux and KeePass for Windows. Both are free and open source. If you have multiple computers, you could keep your password database on a thumb drive or something. Though I haven't tried LastPass, it is probably more convenient.

dysert

I prefer to keep my passwords off-line, using password managers like KeePassX for Linux and KeePass for Windows. Both are free and open source. If you have multiple computers, you could keep your password database on a thumb drive or something. Though I haven't tried LastPass, it is probably more convenient.

I echo this strategy and have used a variant of it for years. I use KeePass (Windows) and have the KeePass database on my local machine. When I change it, I temporarily send it to Dropbox so that when I get home I can retrieve it from Dropbox and update my home machine. So my exposure is only limited to the time it takes from when I send it to Dropbox until the time I get home to get it off. That, plus Dropbox's security, plus KeePass's built-in security makes me feel safer than the LastPass alternative, whose database is always exposed to hackers. If I wanted to be super secure I'd just replace Dropbox with a thumb drive and sneakernet the database home.

mnorian

I'm not clear on that. I use Gmail Checker + on Slimjet (Chromium), and it is able to form a desktop notification.

As I started using SJ due in part to your recommendation, and had no problems with it till I tried to configure SJ's QuickFill password manager, and you gave me this advice in my "Chrome...Your opinion" thread (http://www.christianforums.com/threads/chrome-your-opinion-please.7890908/page-4):

I use and recommend LastPass, which is cross-browser, so I have no experience with this.

Have you changed your password manager? I was able to get QuickFill working, but have wondered how much like LastPass it is and how vulnerable to similar phishing expeditions.

paul1149

I've never used the built-in PW manager. Chrome's historically didn't even have a master password, so it was out of the question. I assume that's changed now. I've been using LP for several years, and like it very much, though it's not perfect.

Soyeong

Long passwords that are a string of words can be easier to remember and as secure as a shorter password that consists of random letters, numbers, or symbols, such as Iwenttothestoretodaytopickupsomepotatoes, unless you go and tell a whole forum that's your password.
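To put numbers behind the passphrase-versus-random-password comparison above, here is an added example (it is not code from any post in this thread, nor from LastPass or KeePass). It assumes, as constructed figures, a 7,776-word Diceware-style word list, 95 printable ASCII characters and 26 lowercase letters; the sentence from the post is split into its words by hand. The entropy figures hold only when each word or character is chosen uniformly at random, so for an English sentence they are ceilings rather than estimates, which is the caveat the function comments spell out.

```python
import math

# Constructed assumptions for this example: a 7,776-word Diceware-style word
# list, the 95 printable ASCII characters and the 26 lowercase letters.
# None of these figures come from the thread.
WORDLIST_SIZE = 7776
PRINTABLE_ASCII = 95
LOWERCASE = 26

SECONDS_PER_YEAR = 31_557_600  # Julian year


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy (bits) of a secret of `length` symbols, each drawn uniformly at
    random from `pool_size` possibilities. Only valid for random choice: a
    grammatical sentence has far fewer likely continuations per word."""
    return length * math.log2(pool_size)


def symbols_needed(target_bits: float, pool_size: int) -> int:
    """Smallest number of random symbols from `pool_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def expected_seconds_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time for an attacker testing `guesses_per_second` candidates,
    assuming on average half of the 2**bits search space must be tried."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(num_words: int, num_chars: int, guesses_per_second: float = 1e10) -> dict:
    """Random word passphrase vs random printable-ASCII password of the given lengths.
    The guess rate is a constructed placeholder, not a measured figure."""
    pass_bits = entropy_bits(WORDLIST_SIZE, num_words)
    pwd_bits = entropy_bits(PRINTABLE_ASCII, num_chars)
    return {
        "passphrase_bits": pass_bits,
        "password_bits": pwd_bits,
        "passphrase_years": expected_seconds_to_guess(pass_bits, guesses_per_second) / SECONDS_PER_YEAR,
        "password_years": expected_seconds_to_guess(pwd_bits, guesses_per_second) / SECONDS_PER_YEAR,
    }


def sentence_bounds(sentence_words: list) -> dict:
    """Two naive upper bounds for a run-together sentence like the one in the post:
    each word treated as a random pick from the word list, and each letter treated
    as a random lowercase character (case is ignored). The real strength is below
    both, because the words form an English sentence an attacker can model."""
    joined = "".join(sentence_words)
    return {
        "length": len(joined),
        "as_random_words_bits": entropy_bits(WORDLIST_SIZE, len(sentence_words)),
        "as_random_letters_bits": entropy_bits(LOWERCASE, len(joined)),
    }


if __name__ == "__main__":
    print(compare(7, 12))
    print(symbols_needed(80, WORDLIST_SIZE), "random words vs",
          symbols_needed(80, PRINTABLE_ASCII), "random characters for 80 bits")
    # The sentence from the post, split by hand into its eleven words.
    print(sentence_bounds(["I", "went", "to", "the", "store", "today",
                           "to", "pick", "up", "some", "potatoes"]))
```

Seven random words from the list come out near 90 bits, ahead of twelve random printable characters at about 79 bits, which is the sense in which a longer word passphrase can match or beat a shorter random one; the sentence in the post is only as strong as those bounds if the words were picked at random, which a sentence about buying potatoes is not.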

mnorian

I've never used the built-in PW manager. Chrome's historically didn't even have a master password, so it was out of the question. I assume that's changed now. I've been using LP for several years, and like it very much, though it's not perfect.

I'm not clear on that. I use Gmail Checker + on Slimjet (Chromium), and it is able to form a desktop notification.

Am I missing something here (probably) but is gmail checker + a password manager?

mnorian

I prefer to keep my passwords off-line, using password managers like KeePassX for Linux and KeePass for Windows. Both are free and open source. If you have multiple computers, you could keep your password database on a thumb drive or something. Though I haven't tried LastPass, it is probably more convenient.

I used to use a note pad (the paper kind; remember them? lol) till I lost it one day. That, to me, could happen to any offline USB device, or somebody could find or get into your HD or wherever you keep it.

I like SlimJet's QuickFill; it works and has off DOM notification.

paul1149

No, I was just making the point that extensions can create desktop windows. I have friends that still use notepads and loose papers stuck under the desk blotter. I just spent three hours tidying up the lost passwords and site accesses of one of them who lost them.

mnorian

No, I was just making the point that extensions can create desktop windows. I have friends that still use notepads and loose papers stuck under the desk blotter. I just spent three hours tidying up the lost passwords and site accesses of one of them who lost them.

That made me laugh! :) Did you get them to go to some PW manager if not LP maybe QuickFill if they're on SJ?

paul1149

Yes, she's on SJ. Actually she uses LP, at my insistence, along with the longhand stuff, and it was the LP pw she lost. Couldn't get into her backup mail address, and the second LP backup mail address belonged to another friend who had been helping her. So over three days I went back and forth between her in the hospital, the other friend, and yahoo to get the account recovery done. Finally I got in, and I set the LP pw to a memorable passphrase, as Soyeong suggested above. One thing people should always do with LP is keep a hardcopy of the account somewhere, just in case. It was like an episode of I Love Lucy.

mnorian

Yes, she's on SJ. Actually she uses LP, at my insistence, along with the longhand stuff, and it was the LP pw she lost. Couldn't get into her backup mail address, and the second LP backup mail address belonged to another friend who had been helping her. So over three days I went back and forth between her in the hospital, the other friend, and yahoo to get the account recovery done. Finally I got in, and I set the LP pw to a memorable passphrase, as Soyeong suggested above. One thing people should always do with LP is keep a hardcopy of the account somewhere, just in case. It was like an episode of I Love Lucy.

Oh boy! :) That sounds like a lot of fun, not! :eek: I went through something like this about 3-4 years ago, only the back-up email was Microsoft's live.com when it was changing to outlook.com, and I wasn't using it except to get into my Photobucket account.

Well, I lost my password because it was in MS's password manager and I had forgotten the master password. When I tried more than 3 times they (MS) wouldn't let me try any more, and the back-up email wouldn't work, nor the back-up phone number.

Thinking I had lost my pictures on PB, I just forgot it for most of a year, then decided to set up another MS outlook.com account with a slightly different name and was able to get my password back and my PB account usable. Since then I too, like Soyeong, made sure the master password is an easily remembered one. :D

elytron

I do worry about losing my KeePass file, and keep some backups of it. I feel safe from hackers, but not from disaster or theft. It would be a nightmare to lose all copies of it. I did set a strong master pass though, so I doubt someone is going to be able to gain access. I am going to take another look at LastPass as an option.