
LastPass says it fixed two-factor authentication bug related to use of Google Authenticator


Batu69


Until everybody and their dog eventually replaces passwords, the long-running log-in security feature is here to stay. That said, there are ways in which you can decrease the likelihood of your account being compromised by an attacker.

 

One way is two-factor authentication, which sends a code to a different device, a code which you need to input along with your password to log into the account. A bug related to this security feature was just revealed to have been fixed by password management service provider, LastPass.

 

Back in February, a security researcher at Salesforce, Martin Vigo, privately disclosed a bug to LastPass via the company's bug bounty program. The issue itself has to do with people using Google Authenticator as an extra security measure on their LastPass vaults. The server-side bug meant that if the user was logged into LastPass and was then lured to a "nefarious website", Google Authenticator could be bypassed entirely. Vigo recently detailed the process on his blog.

 

Of course, LastPass continues to recommend users stay vigilant at all times and outlines a few safe practices:

  • Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
  • Never reuse your LastPass master password and never disclose it to anyone, including us.
  • Use different, unique passwords for every online account.
  • Two-factor authentication remains the most effective way to protect your account. Always enable 2FA for LastPass and other services like your bank, email, Twitter, Facebook, etc.
  • Keep a clean machine by running antivirus and keeping your software up-to-date.

If you find any issues, LastPass encourages you to contact them using their bug bounty program.

 

Article source


 

2 hours ago, Batu69 said:


Having mucho respect for your insight and software acumen Batu69, I'd like to ask if you have an opinion on LastPass? I've used it for a couple of years and am generally happy (enough to pay the $12/yr) with its performance and features, but would be interested in hearing what you (and others) think.



5 minutes ago, davmil said:

Sorry, I'm not using LastPass or any password managers, so I can't give my opinion on this password manager. Good for you if you're happy using this password manager.

Maybe other members can give their opinions about LastPass.



@davmil

I never used LastPass... so I cannot say anything good or bad about it... But I've been using Roboform since version 6, and I'm really happy.

 

Regardless of my opinions or those of third parties, I always recommend "test and draw your own conclusions"... After all, it is you who needs to be satisfied with the results, isn't it?!
Make a backup of the LastPass files in a safe place. Install Roboform and use it long enough to compare it with what you already know...
Have a great experience!!!



How can anyone trust LastPass?

http://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571



Hackers like to hammer popular OSes, apps and web services... More users... Most damage for the buck...

 

That is why choosing the underdogs sometimes makes sense...



2 hours ago, virge said:


Agree. That one was a big security flaw. Still using Keepass. However, I'm open to alternatives that are cross-platform but where the data isn't stored in the cloud.




I have been using it for a long time now. The encryption happens on the computer first, then it goes to the servers. For a long time I wondered whether I needed an internet-connected password manager, as I have only two internet-connected devices, one computer and one Android, and as the Android version was not free for a long time, I did not use it.

 

Then, the recent hacks have made me doubt it even further. I now use it as a convenience rather than for security, and am looking for other open source alternatives that are not internet connected and still work on multiple devices.



I have always used Keepass. I keep a backup of my encrypted database inside an encrypted folder, which is inside a password-protected folder in my password-protected Dropbox account. The actual database is kept on my 4th Gen. iPod Touch. It is small, easy to carry and does not connect to anything, making it a secure depository for the database. If I lose it I can wipe it remotely the first time someone attempts to turn it on and connect to wifi. After a lot of testing back in 2012 I settled on this solution. I never went with a newer model iPod Touch because the 4th Gen is more secure.

 

Having said all of that, I have never trusted LastPass since they have had many problems in their coding over time. It is much like Windows: they fix something and that breaks something else.



For many years I've been a satisfied and happy user of Keepass. I don't think I need to look for other similar apps, especially as most of what I hear about them is just bad news.

I use Keepass and store my (Keepass password) database files on external drives.

Work-related and personal info like banking passwords are stored separately and further encrypted by another app, which is stored in a password-protected folder.

I never trust storing those info especially personal info in the cloud.

If it needs to be stored in the cloud for whatever reason, then please encrypt your password further, either by the use of an app or in a manual way.

 

Like, for example, let's take one password and encrypt it manually:

Password (as is written in Keepass along with some other info): e#rdyygh

Real Password: r$tfuuhj23

 

(The e#rdyygh is translated by the keys' actual keyboard position, where the key to the right of the masked letter is the real one, and adding the number 23 (Jordan's number) at the end of the password makes it more complicated. Of course this is not my actual manual encryption method. This is just an example. You can do better. Copy-paste is useless.)

 

Just a note to some users. You are storing passwords in a database file; you are not required to remember them, and it is discouraged to have meaningful passwords containing something you can relate to, so please stop making short, catchy passwords that can easily be traced from your personal info like biodata, girlfriend's birthday in your f#ckbook, etc.

 

Update: As of typing this post @straycat19 beat me to it but he has a much better way. I will surely add it to my security measures. :D



56 minutes ago, DKT27 said:

It's gotta be cloud-based or accessible, as I use 6-7 computers in different facilities and use it to create and use strong, unique passwords for every website that warrants it. Their bug wasn't cool, but they got on it, got it patched and got the word out to update one's master password. In 30+ years I never heard of any software/product that didn't have a bug list; the question is whether engineering has a handle on it and a method for prioritizing and repairing functions.

 

I do value others' experiences and opinions, so 'thanks' to everyone that gave useful feedback.



TrasMontano

Even though LastPass suffers attacks and "bugs" (which are publicly known), up until today no one has breached clients' passwords, as they are encrypted, and LastPass is known to quickly solve these issues.

Nevertheless, other password managers are likely to suffer these same and other attacks/bugs, but two questions remain to be answered: are they publicly known, and are they solved?!

In any case, I do believe our passwords are safe when encrypted.
