CLOUD: LASTPASS earns confidence

A Note from LastPass
41 LastPass : The last password you’ll have to remember by Amber Gott / 1d // keep unread // hide
FacebookShare on Google PlusTwitterHootsuiteLinkedInHootsuiteBufferCustom Sharing Tool
save for laterEvernoteSend to readabilityOneNoteAdd to InstapaperPocket +TAG
LastPass is in part able to achieve the highest level of security for our users by looking to our community to challenge our technology.

In August 2013, a security researcher at UC Berkeley, Zhiwei Li, contacted us to responsibly disclose novel vulnerabilities with the LastPass bookmarklets (actively used by less than 1% of the user base) and One Time Passwords (OTPs). Zhiwei discovered one issue that could be exploited if a LastPass user utilized the bookmarklet on an attacking site, and another issue if the LastPass user went to an attacking site while logged into LastPass, and used their username to potentially create a bogus OTP.

Zhiwei only tested these exploits on dummy accounts at LastPass and we don’t have any evidence they were exploited by anyone beyond himself and his research team. The reported issues were addressed immediately, as confirmed by their team, and we let them publish their research before discussing it.

If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary.

Regarding the OTP attack, it is a “targeted attack”, requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack per user, activity which we have not seen. Even if this was exploited, the attacker would still not have the key to decrypt user data. If you’d like to check your current OTPs you can do so here: https://lastpass.com/otp.php

We appreciate that, as the most popular password manager in the world, we have an active, dedicated community that challenges us to be better and is committed to helping us improve the security of our service. Again, we thank Zhiwei and his team for their important research.

Regards,
Joe & The LastPass Team

# – # – # – # – #   

I trust them.

BUT, (and there is always a BIG butt), …

… no one has my bank password.

# – # – # – # – #   

One Response to CLOUD: LASTPASS earns confidence

  1. I know nothing about Last Pass beyond what you’ve written here John, but I *can* think of at least one thing in its favor: I’m sure many folks who use Google Chrome have routinely checked off the little boxes asking “Would you like Chrome to remember your password for this site?” and assumed that the passwords were being stored securely on your computers.

    Welllll… they are … but only sorta. They’re nice ‘n tight on your computer, but if you go over into your Chrome menu area (that little icon with the three horizontal lines on the top right of your screen) and then proceed through about four or five easy little “click on the menu item ” steps, you’ll suddenly get to a quite easily accessible page where ALL of your passwords are sitting right out there in plain view with no encryption or special password needed to get at them AT ALL!

    (I just found out about this recently… heck, might’ve even been from HERE, in which case I’m hauling coal to Newcastle.)

    So something like Last Pass may actually be a lot *more* secure in some ways than what many folks may currently be unthinkingly using.

    – MJM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 1,060 other followers

%d bloggers like this: