Researchers to reveal critical LastPass issues in November 2015

Martin Brinkmann
Sep 15, 2015
Updated • Sep 15, 2015
Security | 31 comments

Password managers are great as they store a virtually unlimited amount of sensitive information: account credentials, passwords, credit card numbers and other data. They spare you from having to memorize unique strong passwords, or from using other means to remember them such as writing them down.

All the data is protected by a single master password, and, if supported, by additional means of protection such as two-factor authentication.

The security of the password manager and its database is of utmost importance, since an attacker who somehow gets into the account gains access to everything the user has stored there.

That single compromise would hand the attacker most of that user's online accounts, and even data that is not linked to the Internet at all if it has been added to the vault as well.
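To make the model behind the previous paragraphs concrete, here is an added Python example (my own illustration, not LastPass's code and not anything from the researchers' briefing). It derives the vault key from the master password with PBKDF2, seals the vault with an encrypt-then-MAC construction so that a wrong master password or a modified blob is rejected outright, and then shows why a "remember master password" convenience, the very option LastPass warns against in the update below, collapses the whole model: once the master password is stored next to the secret that protects it, anyone who can read the profile files opens the vault. The cipher is an HMAC-SHA256 counter-mode stand-in so that the example runs on the standard library alone; the iteration count, the on-disk layout and the local-secret scheme are assumptions for illustration, not LastPass's real design.

```python
import hashlib
import hmac
import json
import secrets

# Constructed parameters for this example; they are not LastPass's real values.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into the vault key (PBKDF2-HMAC-SHA256).
    The key is never written anywhere: it exists only while the user has
    typed the master password, which is what keeps the vault safe at rest."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys so the two HMAC uses cannot collide.
    return hmac.new(key, label, "sha256").digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stand-in for AES so that the example
    needs only the standard library. Use AES-GCM in real code."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a wrong key or a modified blob raises
    instead of yielding garbage."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def create_vault(master_password: str, entries: dict) -> dict:
    """What gets stored on disk or at the service: a salt and the sealed blob.
    Neither the master password nor the derived key is part of it."""
    salt = secrets.token_bytes(16)
    sealed = seal(derive_vault_key(master_password, salt),
                  json.dumps(entries).encode("utf-8"))
    return {"salt": salt.hex(), "blob": sealed.hex()}


def open_vault(master_password: str, vault: dict) -> dict:
    key = derive_vault_key(master_password, bytes.fromhex(vault["salt"]))
    return json.loads(unseal(key, bytes.fromhex(vault["blob"])).decode("utf-8"))


def remember_master_password(master_password: str, local_secret: bytes) -> bytes:
    """Hypothetical 'remember password' feature (a generic model, not LastPass's
    implementation): the master password itself is written to the profile,
    protected only by a secret that also lives on the same machine."""
    return seal(local_secret, master_password.encode("utf-8"))


def local_attacker_recovers_vault(remembered: bytes, local_secret: bytes, vault: dict) -> dict:
    """Whoever can read the profile files (malware, a shared PC, a stolen laptop)
    holds both the remembered blob and the local secret, so the stretched
    master password no longer protects anything."""
    master_password = unseal(local_secret, remembered).decode("utf-8")
    return open_vault(master_password, vault)


def demo() -> dict:
    """Run the model end to end on constructed sample data."""
    master = "my long master passphrase"
    entries = {"bank.example": "Tr0ub4dor&3", "mail.example": "correct horse battery staple"}
    vault = create_vault(master, entries)

    try:
        open_vault("wrong master password", vault)
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True

    # Flip one ciphertext byte: the tag check must refuse to decrypt.
    raw = bytearray(bytes.fromhex(vault["blob"]))
    raw[NONCE_LEN] ^= 0x01
    try:
        unseal(derive_vault_key(master, bytes.fromhex(vault["salt"])), bytes(raw))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True

    local_secret = secrets.token_bytes(32)  # stands in for a per-machine key on disk
    remembered = remember_master_password(master, local_secret)
    return {
        "opened": open_vault(master, vault),
        "wrong_password_rejected": wrong_rejected,
        "tamper_rejected": tamper_rejected,
        "recovered_by_local_attacker": local_attacker_recovers_vault(remembered, local_secret, vault),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to take from the last two functions is that the key derivation cost and the authenticated encryption are irrelevant once the master password is persisted beside the material that unlocks it; the only thing standing between an attacker with file access and the full vault is then whatever protects that local secret.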

Update: LastPass contacted us with the following clarification:

  • These reports were responsibly disclosed to our team over a year ago
  • All reports were addressed immediately at that time and do not pose an ongoing risk to LastPass users
  • Users do not need to wait to understand what the reports were about - all of them are covered in Martin's post from last year with the exception of the account recovery report, which was addressed at that time but was not covered in his original blog post
  • It's also worth noting that we explicitly warn users not to use the Remember Password option

It appears that the demonstration is indeed about the vulnerability that was disclosed last year by the researchers.

Security researchers Alberto Garcia and Martin Vigo will demonstrate attacks on the popular online password management service LastPass at the Blackhat Europe 2015 conference in November.

Here is what they will demonstrate:

  1. How to steal and decrypt the LastPass master password.
  2. How to abuse password recovery to obtain the encryption key for the vault.
  3. How to bypass 2-factor authentication used by LastPass to improve security of accounts.

The briefing does not reveal the methods they will use, but the researchers mention that they have reverse-engineered LastPass plugins and discovered several attack vectors in the process. By plugins they most likely mean the browser extensions, but the briefing does not say so explicitly.

While it is too early to tell how effective and widely applicable these attacks are, it is certainly something LastPass users should keep a close eye on.

The attacks could for instance require a modified browser extension or other components running on the target system to be effective. That would obviously be less of an issue than something that can be exploited right away on systems running the official plugins and extensions.

LastPass users will have to wait almost two months before the attacks are revealed at the conference. Cautious users may want to disable the extensions in the meantime, since it is unclear how the attacks are carried out. (via Caschy)

Now You: Do you use LastPass or another online password manager?


Comments

  1. alfie69 said on September 20, 2015 at 5:15 pm
    Reply

an overly secure option maybe.. use keepass to store your lastpass master password, use passwordsafe to store your keepass master password, use portableapps version of pwgen portable to store master pass of passwordsafe, by the time you've unlocked your needed password you'll most likely have forgotten why you wanted it in the first place…!

  2. Derrick said on September 17, 2015 at 11:33 am
    Reply

I use a Qwertycard for all my passwords. It's a physical “off line” password manager. https://www.qwertycards.com

  3. Tuan said on September 16, 2015 at 4:47 pm
    Reply

    What about Roboform? Is it more secure than Lastpass or KeePass?
    I’m considering buying 1 year license of Roboform Everywhere!

  4. wybo said on September 16, 2015 at 1:02 pm
    Reply

    I differentiate between really important passwords like financial institutions and personal Swiss email account and the rest.

    The rest is obviously non critical and I just use Firefox to remember those passwords. The few critical passwords I treat old school in my little black address book (Ha ha no smart phone for me!). They are all disguised as valid addresses.

  5. George P. Burdell said on September 15, 2015 at 10:47 pm
    Reply

    In the 1970’s I was responsible for maintaining some IBM System 360 and 370 mainframe software that restricted passwords to four capital letters, like HOME or JXQZ. Those were happier times, before anybody imagined that crooks might want to steal data. IBM was a bit naive.

    These days it’s Keepass for me. I agree with earlier comments about strictly avoiding on-line or third-party storage for important items, encrypted or not.

    Each sign-in of mine gets its own unique password, and there are many of them, so a password manager is a great convenience.

    Keepass is a program that I consider excellently and intelligently constructed. I use it for all but my most critical passwords. For those I have a small stack of index cards at my desk. This scheme works for me because I do not travel much. So, my top level security system is pencil and paper!

    Some passwords I use are simply random gibberish strings like a3w!*rzp29#XE. Others are constructed from memorable pass phrases, but not in plain English. Different parts of a pass phrase might be in different languages, or might use nonsense neologisms from the world of poetry and fiction, or might use deliberately misspelled words. This discourages dictionary attacks. Slithey toves, anyone?

    Also, I would like to remind folks of this post:
    https://www.ghacks.net/2012/08/23/security-tip-do-not-answer-security-questions-correctly/

    I hope I haven’t given too much away in this effort to be a {good;bad} example to others.

    “Who steals my purse steals trash.” Shakespeare’s Othello, Act 3, Scene 3

  6. Rott Weiller said on September 15, 2015 at 10:00 pm
    Reply

    i use only not important passwords there :) but i know i use it a lot

    as long as i can reset my main email account with my phone and the Y mess – all is ok

    none of those is saved to lastpass at least not as passwords just some recipes :)) that appear to contain mix data which i only know to what account they go ( ex. easy pass for an email could be R01.01.1970Bucharest! ( R name capital – birth date – location ! sign ) and to easy save it there and be pretty hard for others to understand it “RdateTown!” :) now locate the password

    ps. i have the nasty “remember my password” on last pass

  7. Robert said on September 15, 2015 at 9:34 pm
    Reply

What sucks about Keepass is that it’s easy to lose newer passwords in the case that I have to restore a system backup. Sometimes Windows needs to be restored and sometimes Linux Mint as well. However, with Lastpass passwords being stored in the cloud, I always have all of my passwords ready not only for Windows and Linux, but also for my iPad and my Blackberry phone. Lastpass is very convenient that way.

    1. InterestedBystander said on September 16, 2015 at 2:56 am
      Reply

      If you trust KeePass encryption, then you can reasonably expect the *.kdb database to be safe to store on the cloud. Personally, I use CloudMe for that purpose, mostly because I don’t like using Microsoft, Google, or Dropbox all that much. (Non-rational prejudice.) As long as you remember TWO passwords — the one for the cloud account, and the one to decrypt the KeePass database — then you have your passwords wherever you can get online.

      Of course, you should encrypt personal info BEFORE you upload to the cloud, always.

  8. Ken said on September 15, 2015 at 7:52 pm
    Reply

I have used LastPass since its inception. These things need to be taken in context. Every time someone comes out with one of these reports everyone else starts buzzing about like an angry swarm of bees. The bottom line is that nothing, and I mean nothing, is totally secure and totally fool proof. There comes a point at which you need to say that you accept the risks and balance that against the convenience. I feel comfortable using LastPass. Whatever they disclose won’t change that. If I see a better service come along I’ll decide at that time if it is prudent to switch. Until then nothing changes as far as I’m concerned.

  9. Nebulus said on September 15, 2015 at 7:04 pm
    Reply

    I don’t trust any cloud based storage/service for keeping my passwords; that is why I use Keepass.

  10. clas said on September 15, 2015 at 6:31 pm
    Reply

    i use password safe and never hear of any problems. been years. i also figure that anything online can be hacked so why would i save anything to someone else’s computer.

  11. Errors said on September 15, 2015 at 6:12 pm
    Reply

    This article has some factual errors that should be pretty easy to confirm and correct by the author of this news article. These vulnerabilities were reported and fixed by LastPass in 2014.

    Also, we know exactly how the exploits work, because the researchers blogged about it a year ago (http://www.martinvigo.com/a-look-into-lastpass/) and even published the exploit code on GitHub: https://github.com/martinvigo/metasploit-framework/blob/master/modules/post/multi/gather/lastpass_creds.rb

  12. Idiot said on September 15, 2015 at 5:31 pm
    Reply

    I tried Keepass but then accidentally deleted the database that was saved in my documents folder and lost all my passwords :/

    1. Jeff said on September 16, 2015 at 7:48 pm
      Reply

      This is why we do backups.

    2. Pants said on September 15, 2015 at 10:02 pm
      Reply

      Well … that’s *one* way to secure it :)

  13. Gabriel said on September 15, 2015 at 5:27 pm
    Reply

    Martin, this may be off-topic (or maybe not): If I switch to Keepass, what happens if someone gains access to my computer? Physical or by a trojan or something? Can this person simply copy all my Keepass files and gain access to my logins? This is basically the only reason I haven’t switched to Keepass yet, since I’m not sure how this works. Thanks!

    1. Martin Brinkmann said on September 15, 2015 at 5:29 pm
      Reply

      The KeePass database is encrypted. So, while they may be able to copy it if they find it, they cannot open it unless they have the right key.

      If someone gains access to your computer while KeePass is open, they can in theory copy the information but the same is true if you are logged in to your LastPass account.

  14. Dwight Stegall said on September 15, 2015 at 4:58 pm
    Reply

    i use lastpass

  15. Troy said on September 15, 2015 at 4:51 pm
    Reply

    Yes, just don’t “save” your master password and you are safe.

    1. Gabriel said on September 15, 2015 at 5:23 pm
      Reply

      So type it in each time we open the browser? I’m asking because I made a 64 character password so this will be a pain in the butt.

      1. Jeff said on September 16, 2015 at 7:46 pm
        Reply

        You can use a free tool such as Autohotkey to type it for you via a macro.

      2. Jan said on September 15, 2015 at 5:55 pm
        Reply

        64 character is indeed a bit long…
        I myself type my master password each time I open the browser, but it’s only around 35 characters.
        I view it as “type your master password to unlock everything”

  16. Eli said on September 15, 2015 at 3:36 pm
    Reply

    This is most likely going to be the exact same “vulnerability” as the FAQ linked below. It’s the same people presenting, and the abstract sounds very similar to what they reported last year. That particular issue is only present if the user has remember password checked, which is not recommended and the person has to click through a warning before enabling.

    https://lastpass.com/support.php?cmd=showfaq&id=8376

  17. George said on September 15, 2015 at 3:11 pm
    Reply

Well, this is unsettling. Guess it’s not clear whether they’ve already been in contact with LastPass or not. I do use it, quite a lot dare I say, and just the browser extension.

    Yes, it’d be nice to check on that KeePass article by Martin.

  18. dan said on September 15, 2015 at 3:09 pm
    Reply

    I’m exhausted trying to keep up with the endless varieties of exploits against my privacy and security. Honestly, it’s a full time job unto itself. I’ve been meaning to transfer all of my passwords from LastPass to KeePass for some time now, but just never have a free day to do so… and I am sure it will cost me a full day at least. I recall Martin writing a post about how he did the same: I’ll have to find that again and carve out some time soon to tackle this. Of course as soon as I finish doing so, a glaring vulnerability in KeePass will be unveiled.

    It’s enough to make me want to unplug altogether.

    1. Jeff said on September 15, 2015 at 9:48 pm
      Reply

      “It’s enough to make me want to unplug altogether.”

      I concur. This endless parade of hacks and exploits and dire warnings is getting tiresome. It seems the only safe way to be online is to go offline.

  19. Craig said on September 15, 2015 at 3:08 pm
    Reply

    Yes i do and oh crap!!!!!!!!

  20. Anonymous said on September 15, 2015 at 3:01 pm
    Reply
  21. David said on September 15, 2015 at 2:45 pm
    Reply

    A web service that stores passwords is a target for hackers? I am shocked. SHOCKED.

  22. Petter said on September 15, 2015 at 2:41 pm
    Reply

    “LastPass users will have to wait almost two months before the attacks are revealed on the conference”

    These have been disclosed and fixed a year ago: http://www.martinvigo.com/a-look-into-lastpass/

    1. Martin Brinkmann said on September 15, 2015 at 3:14 pm
      Reply

      Hm that would be kinda strange. Wonder how they plan to demonstrate those vulnerabilities if they are already patched?
