Major security flaws were found in some the the most popular, highly rated web-based password managers including LastPass and RoboForm. This according to researchers from the University of California in Berkeley. Most of the flaws have already been addressed, but unclear as to whether these flaws were exploited in the wild. I personally don't use cloud-based password managers.Read the article at Flaws in password managers could have exposed credentials.

Here's a link to a PDF of the actual study.I have used LastPass for years so this is interesting. The 2 areas the researchers identified with vulnerabilities in LastPass were in the bookmarklet feature (using a Javascript bookmarklet to enter username/password to the current site versus using the browser-specific extension) and in one-time passwords (OTP). I use neither of these features. The bookmarklet would be used for a browser that does not support extensions such as Safari or Chrome on a mobile device. Firefox and Chrome, the 2 I use, do not require the use of a bookmarklet on a desktop. The other area was when using OTP which I also don't use. I don't share access to my vault in this manner and doubt that it's a commonly used feature.We've talked a lot about security on this forum and the same issues exist with any password manager that exist for other security products - absent a full security audit whose results are made public we're reliant on the manufacturer's assurance of security.

bwanshoom wrote:Here's a link to the actual study.Just note that the link is for the PDF document of the study.

Google Search predicts the future?So I post this thread on RV.NET about three-hours ago according to the forum time-stamp. Yet, Google apparently already indexed the forum thread 15-hours earlier? :B

1492 wrote:Google Search predicts the future?So I post this thread on RV.NET about three-hours ago according to the forum time-stamp. Yet, Google apparently already indexed the forum thread 15-hours earlier? :BThey know so much about you they'd already indexed it before you wrote it. Next they'll just make your posts for you. Autonomous cars, autonomous forums - they do it all.

Another good reason why "The Cloud" isn't the be-all and end-all of software and storage. I use Roboform, but not the online storage option.

Flaws Found in Popular Web-Based Password Managers

1492
Moderator
Jul 17, 2014
TheBearAK wrote:

Not really a flaw, but if you don't set your master password in Firefox, anyone using your Firefox can easily look at your passwords that you've saved. By default, there is no master password.

I personally don't use a master password in Firefox, which acts as your key to encrypt the password database. Instead, I do what Mozilla recommends as the best protection for passwords. That is hardening the database itself by strongly encrypting(AES/256) the entire Firefox profile folder. In my case, in a Truecrypt virtual container.

But this is only effective if you dismount the encrypted container when leaving your computer unattended. In which case, I made a shortcut icon that logs off my user account, while also dismounting all Truecrypt containers(3) with one-click.
TheBearAK
Explorer
Jul 16, 2014
No related to the above, but worth saying.

Not really a flaw, but if you don't set your master password in Firefox, anyone using your Firefox can easily look at your passwords that you've saved. By default, there is no master password.

The drawback to setting it is that it will ask for it each time you launch firefox.
1492
Moderator
Jul 16, 2014
Though these flaws have been apparently fixed in both LastPass and RoboForm, what's unclear is whether they've been exploited, though no reports have surfaced that indicate such is the case.

As a precaution, I would change the master password at minimum. But a good idea to do so on a regular basis anyway.

As a side note, I did some quick testing some time ago of different methods for protecting passwords against a few software keyloggers, and found that I couldn't compromise any using the browser's built-in password manager, specifically in Firefox. Of course, this assuming no unknown flaws exist in the browser that would allow it to do so.

With LastPass, I was able to capture the login credentials, which could allow access into the user's online account containing the password database. This is not a flaw with LastPass, but should act as a warning to how dangerous keyloggers can be. Especially, since keyloggers are typically designed to operate in stealth mode, and can be very difficult to uncover. My real-time AV software couldn't detect it. Malwarebytes did.
fj12ryder
Explorer III
Jul 16, 2014
My point was that with cloud storage your password cache is at risk with these exploits. Local based storage is not.
wa8yxm
Explorer III
Jul 16, 2014
So is it safe to assume the password manager outfits have read said report and are closing the holes even as I type. if not already closed?

Sadly there is a war on,, On one side we have criminals who are trying to break in to places like the ones mentioned in this article, and your local bank, and so on,

On the other side we have security experts. SOME of which are also trying to break in but these do not even so much as a "Kiljoy was here" (I changed the name) they report to the company "We found a flaw" along with details so the company can fix it.. they also write articles like the one in the PDF linked to above.
bwanshoom
Explorer
Jul 16, 2014
These issues are not because these are cloud-based products. The bookmarklet issue is related to form-filling which Roboform supports as well, although I'm not sure if that feature is still available if you're using it in local-only mode.

The study illustrates that security and convenience are mutually exclusive, for the most part.
fj12ryder
Explorer III
Jul 16, 2014
Another good reason why "The Cloud" isn't the be-all and end-all of software and storage. I use Roboform, but not the online storage option.
bwanshoom
Explorer
Jul 16, 2014
1492 wrote:
Google Search predicts the future?

So I post this thread on RV.NET about three-hours ago according to the forum time-stamp. Yet, Google apparently already indexed the forum thread 15-hours earlier? :B
They know so much about you they'd already indexed it before you wrote it. Next they'll just make your posts for you. Autonomous cars, autonomous forums - they do it all.
1492
Moderator
Jul 16, 2014
Google Search predicts the future?

So I post this thread on RV.NET about three-hours ago according to the forum time-stamp. Yet, Google apparently already indexed the forum thread 15-hours earlier? :B
1492
Moderator
Jul 16, 2014
bwanshoom wrote:
Here's a link to the actual study.

Just note that the link is for the PDF document of the study.