Forum Discussion
1492
Jun 17, 2015 Moderator
Only tested the open source KeePass and LastPass. If I'm not mistaken, does RoboForm integrate in the browser, and is it thus able to bypass the clipboard? If so, it'll likely fare as well as using Firefox's integrated password manager? Except for how the master password is input, potentially vulnerable if not done so using a secure method, such as Windows Secure Desktop. In which case, it could be game over for any app should hackers capture the master password and get ahold of the database.
Personally, I don't use the Firefox master password option, which is used by the browser for providing basic encryption for stored passwords. Instead, I'm using open passwords which can be read by the user. But since the Firefox profile is separately encrypted using strong encryption, requiring master password input through Secure Desktop, no one without the key would be able to even load Firefox in the first place. So no access to the passwords.
Of course, concerns of captured passwords would only be an issue if a system was infected with keylogger malware, a breach of which the user may very well not even be aware. In which case, even the traditional pen and paper method would be insecure, as you need to input the data into the browser. And it's a good practice to routinely scan your system to ensure no such keylogger rootkits exist, which have apparently been the gateway for hackers to breach highly publicized customer accounts such as Target.