Flaws in password managers could have exposed credentials

Scorpus


If you thought that using a software-based password manager was a safe way to remember complex, secure passwords without them being stolen, you might want to think again.

Researchers from the University of California in Berkeley discovered major flaws in the five web-based managers they tested, including the popular LastPass. Luckily, four of the five developers of the password managers have since fixed the vulnerabilities, but it just goes to show that exploits can be found in 'secure' systems.

According to the researchers, the most serious flaw was found in LastPass, where an attacker could steal plain-text passwords from any site stored in a user's database. Through a compromised site and the victim's use of the "bookmarklet" feature - which enters passwords automatically into websites - malicious code makes stealing numerous passwords quite easy.

LastPass also contained another flaw the researchers discovered, which could have given attackers a user's encrypted password database, so long as the user's email address was known to the attacker. The hackers could then attempt to decrypt the database offline, with difficulty.

That said, the same flaw allowed attackers to discover all the sites a person was using LastPass with, which could lead to the attackers attempting to compromise the site to exploit the first flaw. LastPass has since addressed all the flaws, and does not believe they have ever been exploited in the wild.

The four other web-based managers tested - PasswordBox, RoboForm, My1login, and NeedMyPassword - also contained flaws of varying degrees of severity. All developers bar NeedMyPassword responded to the researchers contacting them, and have fixed the vulnerabilities.

While the researchers didn't test another of the major password managers, 1Password, there's no indication it was inherently more secure. 

Using a password manager is still safer than using one password for all websites, as security-focused password managers are less likely to be seriously compromised than other websites that may not have as strong a focus on protecting their users. However, using a password manager does potentially expose a user to a single point of failure, which if successfully attacked could be disastrous.


 
I think my password "n0passw0rd1234567890" is still safe since I don't use any password manager. :)

Seriously, I keep on changing my passwords so often that I tend to forget them. For my Microsoft accounts this year alone, I think I already changed passwords like 7x for each account.
 
This is why, if you need to use a manager, it should be local. Although the chances of being compromised by an attack are low, they are even smaller if the target is exceedingly small (your machine rather than corporate servers).
 
It isn't an online based dictionary so that's a start. Still... if a hacker gets a hold of the file, they can attempt to decrypt offline.

I usually save my KeePass file on a TrueCrypt volume. But from what I've read, TrueCrypt isn't safe anymore.
 
I keep my passwords in a local text file encrypted with AxCrypt. Makes it a bit of a pain when I'm away from the computer and forget a password. But feels safer than trusting an online site with my passwords.
 
When I had to choose a password manager for myself I chose KeePass precisely because it's offline.
how many times do we have to say it? NEVER TRUST THE CLOUD
 
It isn't an online based dictionary so that's a start. Still... if a hacker gets a hold of the file, they can attempt to decrypt offline.

I usually save my KeePass file on a TrueCrypt volume. But from what I've read, TrueCrypt isn't safe anymore.
That's another conversation entirely, and I disagree that TrueCrypt isn't secure, even though the developers now claim it is.

Anyway, if I had so many passwords that I needed to store them, a text file in an encrypted TrueCrypt volume (768-bit cascading encryption, SHA-512 hash) is what I'd use. I advise everyone against using an online service to store your password, as it adds hassle and sometimes costs money, but more importantly, employs so many attackable mechanisms that you're sometimes more secure simply using a less complex password that you can remember.
 
I use 1Password and it is phenomenal. The apps are really expensive but the software and the support is great. 1Password is a local password manager (based on your PC rather than on the web) so I don't think all the flaws apply for it. That said though, there is always a risk in storing passwords on a machine.
 
KeePass is a pain in the *** to use, but with last pass you can be 100% sure all your passwords go straight to the NSA database.
 
"Passwords and encryption are irrelevant. I am a machine," says a Microsoft botnet that reads an employee's email.
 
All of your comments are excellent. But who cares what you do if the servers you visit just give them out. hahahaha. So many stupid people. Let me guess, your password reset is your puppy's name hahaha. Or your favorite movie. Here is a kicker for you. For added security my favorite movie is my favorite puppy, but the guy on the phone told me that I cannot do that. Can you believe this? He tells me I cannot do it, but yet he lets me reset my mom's password. hahaahha. Such an I D I O T.
 