The bug the article is detailing is in the Authenticator application, not the Password Manager application, which wasn't very clear to me on my first read.
This flaw is that the fingerprint/PIN auth for their TOTP authenticator app can be bypassed by manually launching one of the app's activities. This is a separate auth layer over the phone's screen lock. The first exploit path here is thus that if a malicious user gets access to your unlocked phone, they could install one of these activity opener utilities and access this app's TOTP code screen. That gets them the current TOTP codes, but not the secret for generating them. Note that this is currently the security level that Google's Authenticator app already has.
The other, which I'm a little less clear on, is that a malicious app gets installed somehow, it launches the activity, and manipulates the UI to hit the buttons and read the screen to get your current TOTP codes. I think Android apps' abilities along these lines have changed around several times between Android versions, and I'm not sure which version does what, but I think the current version requires the user to set a special checkbox in settings for an app to be able to do these things. If you can get a user to do that for your malicious app, it can do all sorts of bad things.
In both cases, the attacker would be getting current codes, not the secret, which would still be locked away safely in the app's storage. So while this flaw is kind of bad and should be fixed, it doesn't have me running for the hills, esp. since I don't even use this app.
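The bypass described above works because the screen that renders TOTP codes can be started directly by another app on the device, skipping the activity that holds the fingerprint/PIN gate. Below is an added illustration of the manifest-level mitigation, not code from the article or from the LastPass app; the package name and activity names are hypothetical, and the weak and hardened declarations are shown side by side.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Hypothetical manifest for a TOTP authenticator app (constructed example). -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.totpapp">
    <application android:label="Example Authenticator">

        <!-- Entry point. It has to be exported so the home screen launcher can
             start it; this is the activity that shows the fingerprint/PIN gate. -->
        <activity android:name=".UnlockActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>

        <!-- WEAK: the code-list screen is exported, so any app (including an
             "activity opener" utility) can start it and the gate is never shown.
        <activity android:name=".TotpCodesActivity" android:exported="true" />
        -->

        <!-- HARDENED: only components inside this same app may start the
             code-list screen; an external start fails with a SecurityException. -->
        <activity android:name=".TotpCodesActivity" android:exported="false" />

    </application>
</manifest>
```

Marking the activity non-exported closes the direct-launch path, but it is not sufficient on its own: the app should also re-check its unlocked state when the code screen resumes, since an exported entry activity that forwards to the code screen would otherwise reintroduce the same skip.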
I happen to be familiar so I can read "LastPass Authenticator app" and know it is referring to their 2F/Google Authenticator competitor. But in the general sense Lastpass "Authenticator" could be the name of their password manager for all people know.
It could be titled e.g. "Lastpass's two factor authenticator app is insecure." Still accurate but also less vague for people unfamiliar with Lastpass's different apps.
https://news.ycombinator.com/item?id=15756044
This was just over a month ago, and published only here.
So many better designed, more secure options out there. KeePass, Bitwarden, or 1Password to name a few.
They also have some nice crypto features: For instance, I forgot my master password, and they have a one time password reset protocol that lets them send you an unlock code that only works on previously logged in devices.
Also, it has rock-solid offsite backup built in.
Moving away has been on my TODO list for a long time.
I like a number of features in LastPass. The auto fill, the auto password change feature, password sharing, etc.
1) Folders don't get migrated over to tags in 1P. You need to use this Perl script to do so. (google it)
2) Autofill is, well, umm, different. It took some getting used to, but you now have to hit Cmd+\ to autofill instead of using the mouse. It's more secure and it ends up being more "clean" I've noticed.
1Password has ignored every other platform other than the fruit company ecosystem for a really long time now.
Bitwarden comes close. OSS, polished, and seemingly with a business model. After checking on Firefox (on Linux), iOS, and Android apps, when I wanted to install it on my Mac I found out its Safari extension doesn't exist and the Github issue is clear that they will not be working on that anytime soon [0]. Also, I read a reddit comment that there is only one full time developer and this was just a few weeks ago [1]. Now I know it's an open source project but I want to use a service that is really ready to be used for my password management while I want to pay for it.
LastPass is everywhere - Windows, Linux, Mac, Chrome, Ff, Safari, IE, iOS, Android. You name it. And it has been on these various platforms for a long time. Sync, client side encryption, easy import from other apps, good extensions, decent support ticket TATs (even for free accounts), continuous development (however I must add that they have started to add bloat and useless gloss after the sale) - have really been consistent. This is what makes it a favourite option.
So when you say "better designed" I assume you mean better security architecture/design and yes the reason for its popularity is indeed ease of use with acceptable security for the most. I have really tried all other apps out there and for some reason or the other I keep coming back to LastPass.
[0] https://github.com/bitwarden/browser/issues/17
[1] https://www.reddit.com/r/Bitwarden/comments/7htswv/how_many_...
1Password royally ignored every other platform other than the fruit company ecosystem for a really long time.
See, I am not speaking as a fanboy, I am not one. Just a satisfied user - I have really tried all other apps out there and for some reason or the other I kept coming back to LastPass.
Bitwarden came close to making me switch. OSS, polished, and seemingly with a business model. After checking on Elementary Firefox, iOS, Android apps, when I went to find its Safari extension (that's where I do my personal browsing) - it didn't exist, it still doesn't, and the Github issue is clear that they will not be working on that [0] anytime soon. Also, I read a reddit comment that there was only one full time developer and this was a few weeks ago [1]. Now I know it's an open source project but I want to use a service that is really ready to be used for my password management.
LastPass - it's not really entirely browser based, it's actually available everywhere - Windows, Linux, Mac, Chrome, Ff, Safari, IE, iOS, Android. You name it. And it has been on these various platforms for a long time. Sync, client side encryption, easy import from other apps, good extensions, decent support ticket TATs (even for free accounts), continuous development (however I must add that they have started to add bloat and useless gloss after the sale) - have really been consistent. This is what makes it a favourite option.
So when you say "better designed" I assume you mean better security architecture design, and yes, it is ease of use with acceptable security for the most.
[0] https://github.com/bitwarden/browser/issues/17
[1] https://www.reddit.com/r/Bitwarden/comments/7htswv/how_many_...
Lastpass seems to lack a fair amount of usability polish, but it’s all relative maybe no one is better.
For example, why, when adding new sites, does it like to retain even super long useless query param strings that clutter the interface? Without going into detail, this is in no way technically necessary for most cases.
Also, they already have the ability to pre-associate common login sites, yet won’t do it for many popular domains. For example, there are a few stack exchange sites with different domains but that use the same credentials. Why should I have to manually set this up for a site that’s not far from the top 100 in traffic on the planet? It’s been requested, they won’t do it. Pay a damn intern to pre-associate the top 500 domains at least when needed.
There are many other practical examples.
But again, maybe the bar just isn’t that high in this category of software.
Edit: What didn't you like about Bitwarden? Haven't had a chance to try it yet.
I'm hoping the Autofill API in Android Oreo can bring more competition.
The mobile experience lacks polish on iOS with KeePass but the control and security might end up winning out for me.
I ditched 1Password because their Windows app is a catastrophe and their forcing users off to their sync service was really badly handled.
Well, for one, the very first sentence of the article here.
I also find their apps to be ugly as sin, but that’s a personal preference.
Surely you're joking.
SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser
SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser
SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database
SIK-2016-041: Read Private Data From App Folder in 1Password Manager
SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager
The tradition with this company is not a serious (as in mission-critical serious) approach to security and the amount of FUD that they spread anytime they take real criticism from the community speaks volumes. They had more vulnerabilities disclosed last year than any of their competitors.
Just because you like it doesn't mean that it's secure software.
In this case, the name is important too. It's easy to remember and it explains the product as well. The only alternative with a better name is 1Password.
Are you ready?
You log in to their support forums and online community with the same password you decrypt your vault with.
[0]: https://neosmart.net/blog/2017/a-free-lastpass-to-1password-...
EDIT:
To answer some of the comments, since understandably not everyone is a security expert:
What happens if LastPass’s web forum is compromised and all their additional security counts for nothing?
Even if not: you have no problem with people being conditioned to enter the password securing all their passwords repeatedly into random pages for random content not related in any way, shape, or form to their vault in a web browser?
Containment is the name of the game. It's hard enough making one app secure enough to enter your password into. Then extending that with an SSO, relying on the security of none other than notoriously crappy phpBB, vulnerable to upstream code injections, XSS, phishing attacks, and god knows what else, and you still think you can trust them to keep your master password secure?
LastPass is such a juicy target and this is such an easy attack vector that I can virtually guarantee at some point phpBB - or, more accurately, their abuse of it - will be a massive liability and the source of a huge catastrophe for them, if it hasn’t secretly already.
Of course they know to treat changes to their authentication apps very carefully and code review each and every syllable added or removed (well, I hope so). But do they review upstream patches to the forum software they use? What about the third party template they have installed? Do they hold off on patches after a security bug is discovered in phpBB so they can review the code changes? Do they even upgrade their forums? What about a vulnerability in PHP itself? Do they secure the server hosting their authentication apps in the same manner as the server hosting their forums? Do their web developers undergo the same background checks and scrutiny their core developers undergo? How many sysadmins have access to the website? Do they provide the same access monitoring to people managing an ancillary feature like their forum software?
The list just goes on forever. You're as secure as the weakest link. All anyone that wants to break into LastPass has to do is get some code into phpBB or the random phpBB themes and plugins they use and it's game over for millions of LP users and billions of credentials worldwide.
See the problem?
Every time we bring someone on and try to share folders or credentials with them, we end up needing a multi-hour support ticket to get everything resolved correctly.
This shouldn't happen. It raises big alarms for me.
Obviously there's no 100% secure approach, but at least this makes me sleep better knowing that if LastPass were compromised, my stored gmail, bank, paypal, work, etc. passwords wouldn't work.
I think the biggest security failure is session cookies that expire too quickly or too eagerly. Having people need to enter their password so often is more dangerous than keeping them logged in (from the same IP) for a longer period of time.
If my bank would keep me authorized for basic access (review transactions, pay bills, transfer money between own accounts) without logging in each time, but required a password to add a payee or make changes to the account, I’d keep the password in a journal in a safe.
I'm not saying it's the wrong way to go but if electronic password managers "never made sense" then I feel like you don't have the entire picture.
In that moment I realised that I still had an active subscription with them and cancelled promptly.
what's the issue with that? maybe they have some SSO system
I trust you to be right, but that's so incredibly stupid it's hard to believe someone selling a password manager would do that!
Still, it's definitely a bug. They should either fix it or remove the feature so people aren't misled into thinking their two-factor codes are secure when they're not.
All I get from the article is that the user might be able to see the OTP codes in a roundabout way. If that's the entire problem, why is it a problem?
Maybe I am misunderstanding, but it really does not seem like much of a big deal, as someone would need to have your phone in hand as well as your lock screen passcode.
The title seems pretty dishonest, if my interpretation of this issue is correct.
But no follow-up via email? Maybe it's time to start looking at other options.
I will never trust my passwords all being in one place other than my brain.
Is my solution secure? No. Using a bad password for hundreds of sites is definitely not secure - but the quality of a password only needs to be proportional to the sensitivity of what it protects.
I use abbreviations of several different long sentences with random characters added in random positions.
To me this is far more secure than trusting a single authoritative source with 10 different random character strings that I have no real ownership of, and can all easily be stolen (or lost) at once.
Are we really concerned about an exploit that requires somebody to have unlocked access to your phone?
It's not for me, personally.
And yes, because the scariest aspect of password managers is the fact that you have basically shifted the responsibility of "I use the same password everywhere" to a different party.