
Researchers to reveal critical LastPass issues in November 2015


Batu69


Password managers are great, as they store a virtually unlimited amount of important information: accounts, passwords, credit card numbers and other sensitive data. They keep you from having to memorize unique strong passwords, or from using other means to remember them, such as writing them down.

All the data is protected by a single master password, and, if supported, by additional means of protection such as two-factor authentication.

The security of the password manager and its database is of utmost importance, considering that attackers would gain access to all the data stored by a user if they somehow managed to get into the account.

That single point of access would give the attacker most of that user's accounts, and even data that is not linked to the Internet at all, if it has been added to the vault as well.


Security researchers Alberto Garcia and Martin Vigo will demonstrate attacks on the popular online password management service LastPass at the Blackhat Europe 2015 conference in November.

Here is what they will demonstrate:

  1. How to steal and decrypt the LastPass master password.
  2. How to abuse password recovery to obtain the encryption key for the vault.
  3. How to bypass 2-factor authentication used by LastPass to improve security of accounts.

The methods they will use are not revealed in the briefing, but the researchers mention that they have reversed LastPass plugins and discovered several attack vectors in doing so. They likely mean browser extensions by plugins, but that is not clear from the briefing.

While it is too early to tell how effective and applicable these attack forms are, it is certainly something that LastPass users should keep a close eye on.

The attacks could, for instance, require a modified browser extension or other components that would need to run on the computer to be effective. That would obviously be less of an issue than something that could be exploited right away on systems running the official plugins and extensions.

LastPass users will have to wait almost two months before the attacks are revealed at the conference. Cautious users may want to disable the extensions in the meantime to avoid harm, since it is unclear how these attacks are carried out. (via Caschy)

Source




Here is what they will demonstrate:

  1. How to steal and decrypt the LastPass master password.
  2. How to abuse password recovery to obtain the encryption key for the vault.
  3. How to bypass 2-factor authentication used by LastPass to improve security of accounts.

That demonstration will serve absolutely no purpose . . . loyal users of LastPass at nSane will make sympathetic clucking sounds but refuse to so much as acknowledge the vulnerability (leave aside the breach). What they will do, though, is hurl bricks at you if you try to pursue the matter more passionately. :lol:



IMO anyone using an online password management service deserves whatever happens to them. Same goes for users of the "cloud"; any cloud. :doh:



That particular issue is only present if the user has "remember password" checked, which is not recommended, and the person has to click through a warning before enabling it.

Then it seems the logical thing to do is take out "remember password", since most users are happy to click through warnings without really knowing what they are doing.

IMO anyone using an online password management service deserves whatever happens to them. Same goes for users of the "cloud"; any cloud.

I have used KeePass for years and the database is kept in my Dropbox folder. So not only would you have to know my Dropbox login, you would have to know the KeePass password. Hell, you can't even get my location correct with all these little web bots that people add to their posts to supposedly show your IP and ISP. The closest one has come is 2000 miles from my home. Hint: I live in California.



KeePass: local password management. Storage and security are your own responsibility.

Risk: the security settings in KeePass, and where you store your KeePass database. Backup is very, very... very important, because if your file is gone, then goodbye to all your passwords.

LastPass: cloud password management. Security settings are your own responsibility.

Risk: it's in the cloud. If LastPass gets breached, or hackers find exploits to decrypt or gain access, especially to your master password, it's game over. All your passwords and logins are in a neat table laid out just nicely for them. Before, passwords were likely to be one password used on all the sites you visit; now they know precisely which sites you visit o_o; on top of knowing your complicated password.

The fact of the matter is, using one single password everywhere you go is a bad idea, because it's bound to leak from one of the sites you use, and hackers will then check the most obvious other places you might be using it. Namely, Gmail first comes to mind.

This is why password managers are useful for storing complicated passwords that not everyone is likely to remember, especially when for each site where you have an account you have set up a complicated password (I use strongpassword generator, 18+ strings lelz).

So people should at least use these things responsibly/wisely, or get their asses handed to them when it does get breached :x

PS: @Batu69 did they forward the exploit method to LastPass to get them to fix it before they reveal it to the public in 2 months?


