The bug the article is detailing is in the Authenticator application, not the Password Manager application, which wasn't very clear to me on my first read.
This flaw is that the fingerprint/PIN auth for their TOTP authenticator app can be bypassed by manually launching one of the app's activities. This is a separate auth layer over the phone's screen lock. The first exploit path here is thus that if a malicious user gets access to your unlocked phone, they could install one of these activity opener utilities and access this app's TOTP code screen. That gets them the current TOTP codes, but not the secret for generating them. Note that this is currently the security level that Google's Authenticator app already has.
The other, which I'm a little less clear on, is that a malicious app gets installed somehow, it launches the activity, and manipulates the UI to hit the buttons and read the screen to get your current TOTP codes. I think Android apps' abilities along these lines have changed around several times between Android versions, and I'm not sure which version does what, but I think the current version requires the user to set a special checkbox in settings for an app to be able to do these things. If you can get a user to do that for your malicious app, it can do all sorts of bad things.
In both cases, the attacker would be getting current codes, not the secret, which would still be locked away safely in the app's storage. So while this flaw is kind of bad and should be fixed, it doesn't have me running for the hills, esp. since I don't even use this app.
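Added example (not code from the article, LastPass, or the commenter): a small checker for the bug class described above, i.e. activities that any other app (or `adb shell am start -n pkg/Activity`, which is all an "activity opener" utility does) can start directly, bypassing whatever gate the launcher activity puts in front of them. The manifest, package and activity names are constructed for this example.

```python
"""List activities reachable from outside the app: exported (explicitly, or
implicitly via an <intent-filter> on pre-31 targetSdk) and not protected by
an android:permission.  Added example; the manifest below is constructed
(decoded form, as apktool would emit) and the names are made up."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.totp">
  <application>
    <activity android:name=".LockScreenActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- meant to be reachable only after the PIN/fingerprint gate -->
    <activity android:name=".CodeListActivity" android:exported="true"/>
    <!-- implicitly exported: intent-filter but no android:exported -->
    <activity android:name=".ScanQrActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="otpauth"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".DebugActivity" android:exported="true"
              android:permission="com.example.totp.DEBUG"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(activity):
    """Return (exported, reason).  With no explicit android:exported, an
    activity that has an <intent-filter> defaults to exported (targetSdk < 31)."""
    explicit = _attr(activity, "exported")
    if explicit is not None:
        return explicit.lower() == "true", f'android:exported="{explicit}"'
    has_filter = activity.find("intent-filter") is not None
    return has_filter, ("implicit: has intent-filter" if has_filter
                        else "implicit: no intent-filter")


def reachable_activities(manifest_xml):
    """Return {fully.qualified.Name: reason} for activities any caller can start."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    found = {}
    for act in root.iter("activity"):
        exported, reason = is_exported(act)
        if not exported or _attr(act, "permission"):
            continue  # not exported, or caller must hold a permission
        name = _attr(act, "name")
        if name.startswith("."):
            name = pkg + name
        found[name] = reason
    return found


def launch_commands(manifest_xml):
    """The adb equivalent of what an on-device activity launcher does."""
    pkg = ET.fromstring(manifest_xml).get("package")
    return [f"adb shell am start -n {pkg}/{name}"
            for name in reachable_activities(manifest_xml)]


if __name__ == "__main__":
    for name, why in reachable_activities(SAMPLE_MANIFEST).items():
        print(f"{name:45s} {why}")
    print(*launch_commands(SAMPLE_MANIFEST), sep="\n")
```

In the constructed manifest, `CodeListActivity` is the bug: it is exported with no permission, so the lock activity in front of it is decoration. The fix is `android:exported="false"` (or a signature permission) on every activity except the entry point, plus re-checking the unlock state inside each activity's `onResume`, since an exported flag can be flipped by a later refactor.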
I can authorize someone to do something. I authenticate that a person is who he or she claims to be.
I happen to be familiar so I can read "LastPass Authenticator app" and know it is referring to their 2F/Google Authenticator competitor. But in the general sense Lastpass "Authenticator" could be the name of their password manager for all people know.
It could be titled e.g. "Lastpass's two factor authenticator app is insecure." Still accurate but also less vague for people unfamiliar with Lastpass's different apps.
https://news.ycombinator.com/item?id=15756044
This was just over a month ago, and published only here.
So many better designed, more secure options out there. KeePass, Bitwarden, or 1Password to name a few.
They also have some nice crypto features: For instance, I forgot my master password, and they have a one time password reset protocol that lets them send you an unlock code that only works on previously logged in devices.
Also, it has rock-solid offsite backup built in.
Moving away has been on my TODO list for a long time.
I like a number of features in LastPass. The auto fill, the auto password change feature, password sharing, etc.
They've started to dump crap into the Lastpass Vault. First it was adverts and then they modified the search bar to search the web rather than only your saved passwords/notes. Both attempts at gaining advertising/referral revenue and in my opinion at the cost of security.
I've disabled the idiotic search and was paying for Lastpass Premium before so don't see the ads but it is the principle that the company now places minor revenue over what I consider security which I cannot stand.
Plus I had issues with LogMeIn's business practices previously and moved to a competitor. Only to now have them follow me by buying Lastpass. I am in the early stages of looking at moving away from Lastpass (after four years).
1) Folders don't get migrated over to tags into 1P. You need to use this Perl script to do so. (google it)
2) Autofill is well umm different. It took some getting used to, but you now have to hit Cmd+\ to autofill instead of using the mouse. It's more secure and it ends up being more "clean" I've noticed.
1Password has ignored every other platform other than the fruit company ecosystem for a really long time now.
Bitwarden comes close. OSS, polished, and seemingly with a business model. After checking on Firefox (on Linux), iOS, and Android apps when I wanted to install it on my Mac I found out its Safari extension doesn't exist and the Github issue is clear that they will not be working on that anytime soon [0]. Also, I read a reddit comment that there is only one full time developer and this was just few weeks ago[1]. Now I know it's an open source project but I want to use a service that is really ready to be used for my password management while I want to pay for it.
LastPass is everywhere - Windows, Linux, Mac, Chrome, Ff, Safari, IE, iOS, Android. You name it. And it has been on these various platforms since long. Sync, client side encryption, easy import from other apps, good extensions, decent support ticket TATs (even for free accounts), continuous development (however I must add that they have started to add bloat and useless gloss after the sale) - have really been consistent. This is what makes it a favourite option.
So when you say "better designed" I assume you mean better security architecture/design and yes the reason for its popularity is indeed ease of use with acceptable security for the most. I have really tried all other apps out there and for some reason or the other I keep coming back to LastPass.
[0] https://github.com/bitwarden/browser/issues/17
[1] https://www.reddit.com/r/Bitwarden/comments/7htswv/how_many_...
Lastpass seems to lack a fair amount of usability polish, but it’s all relative; maybe no one is better.
For example, why, when adding new sites, does it like to retain even super long useless query param strings that clutter the interface? Without going into detail, this is in no way technically necessary for most cases.
Also, they already have the ability to pre-associate common login sites, yet won’t do it for many popular domains. For example, there are a few stack exchange sites with different domains but that use the same credentials. Why should I have to manually set this up for a site that’s not far from the top 100 in traffic on the planet? It’s been requested, they won’t do it. Pay a damn intern to pre-associate the top 500 domains at least when needed.
There are many other practical examples.
But again, maybe the bar just isn’t that high in this category of software.
Edit: What didn’t you like about Bitwarden? Haven’t had a chance to try it yet.
I'm hoping the Autofill API in Android Oreo can bring more competition.
The mobile experience lacks polish on iOS with KeePass but the control and security might end up winning out for me.
I ditched 1Password because their Windows app is a catastrophe and their forcing users off to their sync service was really badly handled.
I consider the other products listed as actual competitors of Lastpass, I don't even rank iCloud Keychain that high, it lacks even basic features.
Well, for one, the very first sentence of the article here.
Lastpass Authenticator is not their password manager. It is a Google Authenticator competitor...
Surely you're joking.
SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser
SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser
SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database
SIK-2016-041: Read Private Data From App Folder in 1Password Manager
SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager
The tradition with this company is not a serious (as in mission-critical serious) approach to security and the amount of FUD that they spread anytime they take real criticism from the community speaks volumes. They had more vulnerabilities disclosed last year than any of their competitors.
Just because you like it doesn't mean that it's secure software.
In this case, the name is important too. It's easy to remember and it explains the product as well. The only alternative with a better name is 1password
Are you ready?
You log in to their support forums and online community with the same password you decrypt your vault with.
[0]: https://neosmart.net/blog/2017/a-free-lastpass-to-1password-...
EDIT:
To answer some of the comments, since understandably not everyone is a security expert:
What happens if LastPass’s web forum is compromised and all their additional security counts for nothing?
Even if not: you have no problem with people being conditioned to enter the password securing all their passwords repeatedly into random pages for random content not related in any way, shape, or form to their vault in a web browser?
Containment is the name of the game. It’s hard enough making one app secure enough to enter your password into. Then extending that with an SSO, relying on the security of none other than notoriously crappy phpBB, vulnerable to upstream code injections, XSS, phishing attacks, and god knows what else, and you still think you can trust them to keep your master password secure?
LastPass is such a juicy target and this is such an easy attack vector that I can virtually guarantee at some point phpBB - or, more accurately, their abuse of it - will be a massive liability and the source of a huge catastrophe for them, if it hasn’t secretly already.
Of course they know to treat changes to their authentication apps very carefully and code review each and every syllable added or removed (well, I hope so). But do they review upstream patches to the forum software they use? What about the third party template they have installed? Do they hold off on patches after a security bug is discovered in phpBB so they can review the code changes? Do they even upgrade their forums? What about a vulnerability in PHP itself? Do they secure the server hosting their authentication apps in the same manner as the server hosting their forums? Do their web developers undergo the same background checks and scrutiny their core developers undergo? How many sysadmins have access to the website? Do they provide the same access monitoring to people managing an ancillary feature like their forum software?
The list just goes on forever. You’re as secure as the weakest link. All anyone who wants to break into LastPass has to do is get some code into phpBB or the random phpBB themes and plugins they use and it’s game over for millions of LP users and billions of credentials worldwide.
See the problem?
Every time we bring someone on and try to share folders or credentials with them, we end up needing a multi-hour support ticket to get everything resolved correctly.
This shouldn't happen. It raises big alarms for me.
Obviously there's no 100% secure approach, but at least this makes me sleep better knowing that if LastPass were compromised, my stored gmail, bank, paypal, work, etc. passwords wouldn't work.
I think the biggest security failure is session cookies that expire too quickly or too eagerly. Having people need to enter their password so often is more dangerous than keeping them logged in (from the same IP) for a longer period of time.
If my bank would keep me authorized for basic access (review transactions, pay bills, transfer money between own accounts) without logging in each time, but required a password to add a payee or make changes to the account, I’d keep the password in a journal in a safe.
I'm not saying it's the wrong way to go but if electronic password managers "never made sense" then I feel like you don't have the entire picture.
In that moment I realised that I still had an active subscription with them and cancelled promptly.
What's the issue with that? Maybe they have some SSO system.
It's also really dumb, because the whole point of the product is to make it easy to not reuse passwords. They could have even had the signup process automatically create those accounts for you and insert the passwords into your vault, and it would have been just as easy for the user.
1.) LastPass login page hashes MasterPassword on the login page to produce a hash
2.) Hash is sent to the forums, and is checked against the same hash as the vault system
3.) Hash is confirmed, and you're logged in.
1.) Later hash is grabbed by an attacker.
2.) Attacker sends the hash to get the encrypted vault
3.) Attacker gets the encrypted vault
4.) Attacker is sad, because they don't have the MasterPassword, and thus have no access to all your passwords
Note that I'm not saying that they are awesome, and/or are doing the above. But it's not immediately obvious that a MasterPassword can't hash a forum login and a vault request at the same time. I mean, that's literally what the "MasterPassword never leaves the client" is supposed to mean.
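Added example, serving both the "weakest link" comment above and the seven-step hash walkthrough just before this: a client-side derivation in which the vault key never leaves the device, a separate login hash does, and a replayed login hash fetches the encrypted blob but cannot open it. It also runs the other scenario, where the page the password is typed into is itself compromised. This is not LastPass's code; the PBKDF2 parameters, the server-side re-hashing and the toy encrypt-then-MAC cipher are this example's own assumptions.

```python
"""Vault key vs. login hash, as the comment above sketches.  Added example;
iteration counts and the HMAC-based toy cipher are assumptions, not the
vendor's implementation (use AES-GCM from a real library in production)."""
import hashlib
import hmac
import os

ITERATIONS = 100_100  # PBKDF2 work factor, assumed


def derive_keys(master_password: str, email: str):
    """Return (vault_key, login_hash).  login_hash is one more one-way step
    taken *from* the key, so holding it does not yield the key."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    email.lower().encode(), ITERATIONS, dklen=32)
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key,
                                     master_password.encode(), 1, dklen=32)
    return vault_key, login_hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()


def decrypt_vault(key: bytes, blob: bytes):
    """Return plaintext, or None if the key is wrong or the blob was tampered with."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class VaultServer:
    """Holds only a salted re-hash of the login hash plus the encrypted blob,
    so a database dump is not directly replayable either."""
    def __init__(self):
        self.users = {}

    def register(self, email, login_hash, blob):
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS, dklen=32)
        self.users[email] = (salt, stored, blob)

    def fetch_blob(self, email, login_hash):
        salt, stored, blob = self.users[email]
        check = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS, dklen=32)
        return blob if hmac.compare_digest(check, stored) else None


EMAIL, PASSWORD, SECRET = "alice@example.com", "correct horse battery staple", b"gmail:hunter2\n"


def _setup():
    vault_key, login_hash = derive_keys(PASSWORD, EMAIL)
    server = VaultServer()
    server.register(EMAIL, login_hash, encrypt_vault(vault_key, SECRET))
    return server, vault_key, login_hash


def scenario_replayed_hash():
    """Steps 1-7 above: attacker captured the login hash in transit."""
    server, vault_key, login_hash = _setup()
    blob = server.fetch_blob(EMAIL, login_hash)   # login succeeds, blob handed over
    return blob is not None, decrypt_vault(login_hash, blob), decrypt_vault(vault_key, blob)


def scenario_compromised_page():
    """The weakest-link case: script on the forum page reads the password
    field before any hashing happens, so client-side hashing buys nothing."""
    server, _, _ = _setup()
    stolen_key, stolen_hash = derive_keys(PASSWORD, EMAIL)   # attacker has the password itself
    return decrypt_vault(stolen_key, server.fetch_blob(EMAIL, stolen_hash))


if __name__ == "__main__":
    print(scenario_replayed_hash())     # (True, None, b'gmail:hunter2\n')
    print(scenario_compromised_page())  # b'gmail:hunter2\n'
```

The first scenario is the benign reading of the thread: a hash that works for login and for the vault fetch still only yields ciphertext. The second is the objection it does not answer: once the master password is typed into a page whose JavaScript the vault team does not control, what reaches the server is irrelevant, because the attacker already holds the input to `derive_keys`.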
I trust you to be right, but that's so incredibly stupid it's hard to believe someone selling a password manager would do that!
Still, it's definitely a bug. They should either fix it or remove the feature so people aren't misled into thinking their two-factor codes are secure when they're not.
All I get from the article is that the user might be able to see the OTA codes in a roundabout way. If that's the entire problem, why is it a problem?
Maybe I am misunderstanding, but it really does not seem like much of a big deal, as someone would need to have your phone in hand as well as your lock screen passcode.
The title seems pretty dishonest, if my interpretation of this issue is correct.
But no follow-up via email? Maybe it's time to start looking at other options.
I will never trust my passwords all being in one place other than my brain.
Is my solution secure? No. Using a bad password for hundreds of sites is definitely not secure - but the quality of a password only needs to be proportional to the sensitivity of what it protects.
It was very rare that the extra 30 seconds to add a new entry password manager wasn't justified after asking myself that question.
I think it all comes down to ease. Yes, some secure passwords is better than none, but it's just soooo easy I'd just say go with the PM
I use abbreviations of several different long sentences with random characters added in random positions.
To me this is far more secure than trusting a single authoritative source with 10 different random character strings that I have no real ownership of, and can all easily be stolen (or lost) at once.
And 1Password supports syncing via services other than their own and each device acts as its own backup too, so you’re really only relying on their service to shuttle around an encrypted keystore to your new devices.
Are we really concerned about an exploit that requires somebody to have unlocked access to your phone?
It's not for me, personally.
And yes, because the scariest aspect of password managers is the fact that you have basically shifted the responsibility of "I use the same password everywhere" to a different party.
The reality seems more like that even if anybody can look at the code, auditing security code well is damn hard, very few people can do it well, and those people basically never audit open-source projects in their spare time. How secure something is depends more on how battle-tested it is, how good the people who wrote it are, and how well and often it's been tested for security flaws by experts.