
Even the LastPass Will Be Stolen - never2far
https://www.blackhat.com/eu-15/briefings.html#even-the-lastpass-will-be-stolen-deal-with-it
======
devit
It seems dubious that there is a real vulnerability here.

The authors talk a lot about how you can get everything if you compromise the
client machine, but of course if you compromise the client you can compromise
everything.

Just install a keylogger to get all typed passwords, send the decrypted hard
drive image over the network and run it in a VM proxying network traffic via
the compromised machine, no need for any targeted attack.

The fact that they focus on that rather than on an actual interesting attack
makes me believe that there is no real vulnerability whatsoever.

"We also found how it is possible to abuse account recovery to ultimately
obtain the encryption key for the vault" is really scary, but if it were
accurate they would be talking solely about that, so maybe it's just a
phishing attack.

~~~
TrevorJ
The fact that it is still a central point of failure that contains the keys to
the kingdom is worth noting.

It occurs to me as I write this that for most people compromising an email
account would be just as disastrous, given how many services rely on a simple
email for password recovery/resets.

~~~
rkuykendall-com
> The fact that it is still a central point of failure that contains the keys
> to the kingdom is worth noting.

I think the difference between someone who uses a password manager, and
the vast majority of people who don't, is that those who don't have HUNDREDS
of points of failure that contain the keys to the kingdom, some completely
insecure.

~~~
morsch
Hardly. "Keys to the kingdom" seems to imply that access to the key opens up a
large number of other doors. That's the case for email (via password recovery)
and password manager (via its function), but not for much else. E.g. while
access to online banking is a catastrophe in its own right, it doesn't unlock
many other accounts.

~~~
normloman
No, the point is, people without a password manager tend to use the same
password for every account. So you steal the bank password, and it opens your
email, facebook, and everything else. Hundreds of failure points. With a
password manager, there is just one.

~~~
rphlx
Human nature being what it is, a large fraction of password-manager users
probably also reuse passwords, or nearly reuse them, which is nearly as bad.
With the password manager being there for cases where some BOFH admin required
two relatively-prime numbers, plus three non-adjacent capital letters, plus at
least one special character that's not a star, plus a final character that's
not a lower case letter, plus uniqueness with respect to your previous 100
passwords, plus a length of at least 12 characters, plus a change every 14
days.

------
ejcx
Full Disclosure. I am a former LastPass employee.

This guy's research, and most research regarding password managers is way
overblown. Every lp product has a big popup that says "WHAT YOU ARE DOING IS
INSECURE" when you click "Remember Password". Having secure defaults is
something they are very mindful of.

All password managers are toast if you have someone else on your box. It's
baked in to the threat model.

~~~
conover
Doesn't LastPass encourage you to install their browser plugin though?

[https://www.dropbox.com/s/pzmdqex81tsicyk/Screenshot%202015-...](https://www.dropbox.com/s/pzmdqex81tsicyk/Screenshot%202015-09-14%2016.45.31.png?dl=0)

~~~
sp332
And this is the popup that plugin gives you when you click the button to save
the master password:
[http://i.imgur.com/s0FgRhI.jpg](http://i.imgur.com/s0FgRhI.jpg)

~~~
geofft
Sadly (?), it may be reasonable for password managers to not even offer that
option because of technically-invalid PR fiascos like this one -- people are
just going to stop using password managers otherwise.

~~~
giovannibajo1
A user moving to LastPass (or any password manager) is exponentially safer
than before, even if they choose to save the master password on their local
computer. If there's a subset of users who would drop LastPass if the password
couldn't be saved, that would be a shame, as they're much better off this way.

------
wamatt
It's probably worth noting, this exploit requires the user to save their
master password locally.

While it's not obvious from the blackhat blurb, it's stated by the author in
their more detailed blog post [1]

Additionally, this behavior is something that LastPass advises against:

 _" Are you sure you want to have LastPass remember your password? This will
significantly decrease the security of your LastPass account!"_

[1] [http://www.martinvigo.com/a-look-into-lastpass/](http://www.martinvigo.com/a-look-into-lastpass/)

------
ufmace
Sounds rather dicey, considering that the attack apparently depends on both
the user using the "store master password" option, and the attacker having
admin/root access to the user's computer. At that point, you might as well
just install a keylogger, browser snooper, etc.

I don't think this makes any progress on any of the real nightmare scenarios,
like a bulk breach of LastPass servers plus some critical mistake allowing the
master passwords to be cracked en masse in less than a multi-decade timespan,
or even a vulnerability allowing somebody capable of intercepting the traffic
between a device and the LastPass server to get master password or cleartext
vault data.

~~~
carterehsmith
Hmmm, I agree, based on what they claim, the above is not an "exploit", it is
more like "I forgot my master password, and I am admin, how do I get my
password back"

Like this: [https://apple.stackexchange.com/questions/56130/how-to-retri...](https://apple.stackexchange.com/questions/56130/how-to-retrieve-the-wi-fi-password-of-a-connected-network-on-a-mac)

So yes, if you gain root access on someone's machine, you can do nasty stuff.
That is not really news.

------
jonmarkgo
Blog post about the sploit here from the authors:
[https://news.ycombinator.com/item?id=10217551](https://news.ycombinator.com/item?id=10217551)

~~~
fuzzywalrus
From above link: "Our attack only covers users that click the “Store my
password” option though so, don’t store your master password!"

That seems a rather important detail. Thanks for the link.

~~~
misterbwong
This has me breathing a sigh of relief. That said, why is this even an
option??

~~~
fr0styMatt2
Can this be a problem on mobile?

I have a long master passphrase - too long to type on a touchscreen keyboard
in any convenient amount of time and where there's a non-trivial risk that
somebody peering over my shoulder (think - using it on the bus) could spy it.
So in that case I resort to using the fingerprint-unlock feature (which I
assume is the security equivalent of 'save master passphrase' or at least
token).

I am aware that this might open me up to other attacks - an adversary dusting
my fingerprints off my tablet, etc. Curious though as to whether this is an
attack vector for the same or a similar type of process to what the authors
are describing (haven't read their blog post, just the Black Hat description).

~~~
mahyarm
Fingerprint unlock on iOS puts something equivalent to the master password in
the iOS keychain for 1password. Only when your fingerprint is verified does
the 1password app get it.

So at the very least you still have your passwords kept in a relatively secure
keychain manager and not inside the app stored in plain text of some sort.

~~~
pstoll
About iOS fingerprint- while a judge can not compel you to type in a password,
I have heard that they _can_ compel you to swipe your fingerprint. Something
to consider when deciding whether to enable fingerprint access to your smart
phone login or other sensitive credentials (e.g. Password manager keychain
credentials).

[http://jolt.law.harvard.edu/digest/telecommunications/court-...](http://jolt.law.harvard.edu/digest/telecommunications/court-rules-police-may-compel-suspects-to-unlock-fingerprint-protected-smartphones)

(Fwiw - I use LP, no master password saved, no iOS finger print access)

~~~
fuzzywalrus
I wish there was a way to combine a simple 4-6 digit pin with fingerprint,
it'd certainly make an attack on a physical device more cumbersome, especially
if the rejection happened after the TouchID so the error was obfuscated on
what failed.

------
sinatra
I use 1Password. To my non-security-expert eyes, the two weakest spots in how
I use 1Password are: (a) The plugin I use on the browser, (b) The fact that I
use Dropbox to sync the password keychain.

I can maybe move the keychain to an encfs encrypted folder in Dropbox. Then, I
won't be able to use 1Password mobile app. And for the plugin, perhaps I can
disable the plugin and copy-paste the password directly from the app.

Would love to get others' feedback. UPDATE: It appears I can combine sync
through encfs folder and manual sync through phone to achieve sync on all
devices.

~~~
stock_toaster
The 1password keychain is of course encrypted[1] (I think[3] that dropbox
syncing uses the older agile keychain format?). I personally sync my 1password
keychain with icloud. Apple claims[2] that iCloud data is encrypted during
transfer, as well as encrypted at rest. If I was more concerned about that
aspect of it, I would probably just sync with wifi.

I do not use the browser plugin (personal preference).

[1]: [https://support.1password.com/opvault-overview/](https://support.1password.com/opvault-overview/)

[2]: [https://support.apple.com/en-us/HT202303](https://support.apple.com/en-us/HT202303)

[3]: [https://support.1password.com/switch-to-opvault/](https://support.1password.com/switch-to-opvault/)

~~~
sinatra
Yeah, the keychain is obviously encrypted, but I still feel uneasy about it
being naked on Dropbox. The reason I'm leaning towards using encfs + Dropbox
vs iCloud is that although I definitely trust Apple more with my data
(compared to Dropbox), I feel that an encryption controlled by me at client
side will be safer.

~~~
mef
The 1password keychain is encrypted locally before being transferred to
Dropbox.

------
superuser2
This attack appears to require compromise of the client machine running
LastPass. If the target were not using a password manager, it would be
relatively simple to use the same vector to deliver a keystroke logger, so
it's unclear that there is an actual security disadvantage here.

~~~
mordocai
I'd say mainly that you don't have to wait around for the user to go to the
sites you are interested in and look for passwords in a long string of keys.

~~~
superuser2
True, but this is sort of academic when we're talking about protecting secrets
on an already compromised machine.

I don't think this is a reason to not use LastPass.

~~~
slg
There are some scenarios in which compromising a machine once is much easier.
A lost device is one example. Installing a keylogger won't provide any value
there, but if this exploit can recover the Lastpass master password and
disable 2FA authentication (if enabled), then they will have access to the
entire vault.

------
hackuser
Any popular password manager, especially an online one, is likely to be
compromised. Security has to make a successful attack more expensive than the
target is worth. How much is all data in all accounts of an online password
manager worth? That is a very attractive target, and generally in IT it is
much cheaper to attack than to defend.

I doubt any password manager vendor has the resources necessary to truly
protect their users. At least, if you are not paying top dollar for security,
don't expect much.

------
mathrawka
My biggest issue with LastPass is that they force you to have the _same_
password for your online account and as the master password for your vault.

To have a secure master password, you do not want to be using it to login to
their website, because now you are blindly hoping they aren't having it logged
somewhere or retained in memory that can be dumped.

------
spinchange
I used to just let Chrome remember everything, but then jumped on the LastPass
bandwagon after Heartbleed last year.

I've been happy with it. The mobile app works well and it is very convenient.
I just can't help but to have this nagging feeling since all their salts were
exposed, I am really no (or not very much) "safer" than if I let Chrome
remember them. If someone gets on my machine and knows what they're doing it
is probably all over anyway, right? (And no, I don't let LastPass remember
master PW, and I do use a system-level password so you can't easily see them in
chrome://settings/passwords unless you have that too...) So the question is who
do you trust more to protect the credentials that are synced to the cloud:
Google or Lastpass? I don't know the best answer, all things considered (local
and on the network). I would guess Google is a much harder target than
LastPass.

~~~
hallman76
I trust LastPass for 3 reasons:

1) LastPass has a history of taking ownership of vulnerabilities and taking
appropriate measures. They do this publicly and provide a level of detail that
demonstrates their expertise[1].

2) They're working under the same constraints as Google with the same caliber
of engineering strength.

3) Most importantly, their business depends on delivering a secure product.
It's in their best interest to continue providing a secure product.

[1] [https://blog.lastpass.com/2015/06/lastpass-security-notice.h...](https://blog.lastpass.com/2015/06/lastpass-security-notice.html/)

~~~
spinchange
It isn't that I don't trust LastPass the company. It is that I'm no longer
sure if the entire model of the product/service offers enough additional (or
comparable) security over what Chrome offers, wrt to the syncing of encrypted
credentials to the cloud.

If you're only considering vulnerabilities that pertain to that, I would
think native Chrome has an inherent security advantage over a Chrome plugin. I
am happy to be wrong about this, though.

Edit/Addition: While I give them props for the full disclosure about the salts
being exposed, we don't have any evidence that this has ever happened to
Google, so setting everything else aside, we already know for certain LastPass
has been exploited in a way we don't have any evidence that Google has. That's
not intended to be a slight on LastPass or praise for Google, just that, "it
is what it is."

------
jryan49
I use [http://www.passwordstore.org/](http://www.passwordstore.org/) without
any plugins. I imagine this has to be pretty rock solid.

~~~
yuvipanda
I wish it offered using symmetric crypto - so I won't have to find ways to
secure a GPG key...

------
crivabene
I posted this last week [0] but got no traction. Nothing to worry about, but
it is the same exact URL and I thought HN was deduplicating entries. Isn't
that the case?

[0]
[https://news.ycombinator.com/item?id=10202196](https://news.ycombinator.com/item?id=10202196)

Edit: added link

~~~
crivabene
Update: Solved
[https://news.ycombinator.com/item?id=10216280](https://news.ycombinator.com/item?id=10216280)

------
r3bl
One thing I found out (well, actually, just asked them) last year is this[0].

Basically, even though they are claiming not to send your password to the
server, if you open their security check:

> Once the master password is entered on the security check page, it decrypts
> your data (login and passwords) and send the length and character to our
> server for analysis then send you the result.

So, practically, they're not sending your passwords per se, but they are
sending the length and characters used?

[0]
[https://lastpass.com/my.php?token=T1KUZTUH78P7&lpnorefresh=1](https://lastpass.com/my.php?token=T1KUZTUH78P7&lpnorefresh=1)

~~~
Oletros
Only when you perform a security check about the passwords you store.

------
tempestn
Well, that sounds bad.

At least they apparently need access to a local machine. Would be a lot more
concerned if a random hacker on the internet could break into anyone's vault.
Still obviously not great though!

~~~
a3n
> At least they apparently need access to a local machine.

In addition to _everyone in the building_ , the individuals in your IT
department have access to your work machine, and can install key loggers
easily. It may even be SOP at some places.

~~~
tempestn
I am my IT department, and the only other individuals in my building are my
family. ;) But in general I agree: local-only exploits are still a significant
concern. (Just not as bad as remote ones.)

------
therealmarv
After reviewing this service for password sharing among coworkers (yes it is
still necessary for a few parts on a server) I have big doubt in security of
Lastpass. Turning on 2FA did not worked most of the times and user experience
without their browser plugin is very bad. So I analyzed their page sourcecode
and saw everywhere PHP which was also failing sometimes (see the 2FA). Sorry
but I will never give trust to a password manager written in PHP (no offense
against PHP, but please not for my 100% secure passwords!)

~~~
pwman
Full Disclosure: I work at LastPass.

> "Turning on 2FA did not worked most of the times"

If you have a security issue here we'd appreciate a report at
[https://lastpass.com/security/](https://lastpass.com/security/) that said
every report of this has always been a case of someone not reading the manual
or FAQs so please check out
[https://lastpass.com/support.php?cmd=showfaq&id=2775](https://lastpass.com/support.php?cmd=showfaq&id=2775)
first.

> "Sorry but I will never give trust to a password manager written in PHP"

The password manager is actually written in C++, Objective-C, Java, C# and
JavaScript -- depending on platform. You seem to be focused on our website
however (which only handles encrypted data with a key we never get) which is
written in Hack: [http://hacklang.org/](http://hacklang.org/) actually, not
PHP.

Regarding the user experience being less without extensions installed -- yes,
that's true, we highly encourage installing those -- the extension-less access
should really be used for emergencies only -- it's safer to login to the
extensions since it's not relying on JavaScript you just downloaded, it's
always preferred.

~~~
therealmarv
Big thanks for clarifying! But it seems I'm not the main target audience
because I do not want to use Lastpass for all my passwords (personal
preference) and I also do not want to force coworkers to use browser plugins
just for exchanging passwords once in a while.

~~~
pwman
Understood -- you may want to consider a combination open source command line
version + mobile + mac apps:

[https://github.com/LastPass/lastpass-cli](https://github.com/LastPass/lastpass-cli)

If your coworkers aren't using something they're likely reusing company
passwords, which is one of the key reasons to force using the extensions.

------
mmastrac
Sooooo... what's a good recommendation for an "offline" password manager (ie:
one that connects via USB and requires physical input to "paste" the password)

~~~
girzel
I use "pass": [http://www.passwordstore.org/](http://www.passwordstore.org/)

Everything in GPG-encrypted files, in a git repo that I sync with my server.
The GPG key is kept unlocked for an hour or so with gpg-agent, meaning I only
type my key password a few times a day.

All passwords copied and pasted from the shell, though I use Conkeror so
there's no reason I couldn't write a little bit of integration to have the
passwords pasted directly into the web forms.

~~~
warmwaffles
I do the same here, though I have not pushed my keys to anywhere external just
yet and I do not have my gpg kept unlocked for very long.

~~~
girzel
I keep the repo sync'd between two computers, and have even cloned it to my
Android phone, but I haven't yet summoned the guts to actually put my PGP key
on my phone so I can access my passwords there.

------
Spooky23
There is always a security cost for convenience.

Personally, I use a password manager that doesn't directly integrate with any
browsers or plugins. While the crypto protecting most vault files is
imperfect, there are mitigations that can lower that risk. I can't mitigate
risks from third party plugins.

~~~
jackowayed
Some of what 1password provides is a synergy of security _and_ convenience.

1password's browser integration can save you from phishing, because it can
tell g00gle.com from google.com every time and not offer to fill in your
google.com login, whereas if you're used to just copying from your password
manager, you have to make sure not to mess that up.

Lack of convenience means manual work, which means chance for error. This is
the same reason we recommend coding using trustworthy high-level crypto
constructs instead of implementing it yourself; it's more convenient _and_
harder to mess up.
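
The origin check described in the comment above, as an added example that is not part of the thread and not 1Password's code: a login is offered only when the page's scheme, host and port equal the saved origin exactly. The saved entries, sample URLs and function names are constructed for illustration, and exact-origin comparison is an assumed matching rule.

```javascript
// Constructed sample vault entries (not real accounts).
const SAVED_LOGINS = [
  { origin: "https://google.com", username: "alice@example.com" },
  { origin: "https://accounts.example.org", username: "alice" },
];

// Reduce a URL to scheme + host + port. The WHATWG URL parser lowercases the
// host, drops the default port, converts internationalized names to punycode
// and splits any userinfo ("user@") away from the real host.
function normalizeOrigin(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== "https:") return null; // never offer over plaintext
  return url.origin;
}

// Return the saved entries that may be offered on pageUrl.
// Anything short of an exact origin match yields an empty list.
function matchLogins(pageUrl, saved = SAVED_LOGINS) {
  const pageOrigin = normalizeOrigin(pageUrl);
  if (pageOrigin === null) return [];
  return saved.filter((entry) => normalizeOrigin(entry.origin) === pageOrigin);
}

// Constructed pages: one genuine, the rest look-alikes a person copying and
// pasting from a vault could miss.
const SAMPLE_PAGES = [
  "https://GOOGLE.com:443/ServiceLogin",      // genuine, different spelling of same origin
  "https://g00gle.com/ServiceLogin",          // digit substitution
  "https://g\u043e\u043egle.com/",            // Cyrillic letters in place of "o"
  "https://google.com.login.example/",        // real name used as a subdomain label
  "https://google.com@login.example/",        // real name placed in userinfo
  "http://google.com/",                       // right host, plaintext scheme
];

// Summarise which usernames would be offered on each sample page.
function report(pages = SAMPLE_PAGES) {
  return pages.map((page) => ({
    page,
    offered: matchLogins(page).map((entry) => entry.username),
  }));
}

console.log(report());
```

Only the first sample page is offered a login; the comparison is done on the parsed origin, never on the string the user sees in the address bar.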

------
pgrote
LastPass offers 2 options in the Chrome extension to help mitigate the issue
if you enable remember your master password:

1) Automatically Log out when all browsers are closed and Chrome has been
closed for (mins)

2) Automatically Log out after idle (mins)

------
underyx
I literally switched to using LastPass for everything over the past four hours
after meaning to do so for years. I can't believe this.

~~~
infinitone
Well on the bright side I think you can export your lastpass account to
something better, like 1pass.

~~~
jansc
I used 1password before, but several times I lost access to all my passwords
after upgrading the software. On the bright side, I was always able to restore
access to it by manually downloading 1password and reinstalling 1password.
Besides, 1password does not officially support Linux. That's why I wanted to
try Lastpass. I also find the yubikey support interesting.

Well, I guess, it's time to reinstall keepass2 again.

~~~
clarkdave
A really cool feature I love about 1Password is that you can open up the
`agilekeychain` file in a web browser and unlock it to view your passwords
right there without the application. [0]

One of the few unique passwords I remember myself is that of Dropbox, so I'm
always able to access my passwords this way from anywhere that has a web
browser.

I don't know if this would have helped your particular situation (not sure if
you can export from this stripped down interface), but it gives me peace of
mind that if the software itself ceased to function, my passwords would still
be accessible.

[0]
[https://support.1password.com/guides/mac/1passwordanywhere.h...](https://support.1password.com/guides/mac/1passwordanywhere.html)

------
amelius
A password manager would be the perfect application for a smartwatch.

------
spike021
What I try to do is use LastPass for unimportant passwords and just remember
unique but memorable passwords for important sites, like my bank's.

But nowadays this is pretty tough in general.

------
tomasien
We're going to be actively encouraging our enterprise clients to use Logrr
([http://logrr.com/](http://logrr.com/)) to eliminate their password
completely in favor of on device cryptography. It's the only way to avoid the
vulnerability of passwords entirely that I've seen.

~~~
pmontra
The How does it work section of their website doesn't explain how it works and
the FAQs are empty. How did you get enough information about their technology?

~~~
tomasien
Met them in person - I'm sure they'll update the website at some point,
they're working hand in hand with their customers right now so I think
marketing materials are probably falling a bit to the wayside. It's really
quite something.

------
snehesht
Why don't people use KeePass ?

~~~
cicero
I do. It's less convenient, but I feel more secure.

------
philfrasty
black page with white text...WHY?? *headache

~~~
jamie_ca
javascript:(%28function%28%29%7Bwindow.baseUrl%3D%27
https%3A//www.readability.com%27%3Bwindow.readabilityToken %3D%27%27%3Bvar
s%3Ddocument.createElement%28%27script
%27%29%3Bs.setAttribute%28%27type%27%2C%27text/javascript
%27%29%3Bs.setAttribute%28%27charset%27%2C%27UTF-8
%27%29%3Bs.setAttribute%28%27src%27%2CbaseUrl%2B
%27/bookmarklet/read.js%27%29%3B
document.documentElement.appendChild%28s%29%3B%7D%29%28%29)

Make a bookmark out of that (all on one line, newlines added to not kill page
formatting), toss it in your browser's bookmarks bar, and click to convert.
It's crazy awesome.

~~~
borkabrak
You need to drop the space after the 'script' element up there, but otherwise
this is a great little tool. Thanks!

------
jonmarkgo
Is this vulnerability in 1Password too?

------
guard-of-terra
That's why your passwords root should lie somewhere in the basement in the
form of printed QR-code. In hopes that it will never be needed.

------
teen
well then...

------
s73v3r
Well that sucks.

------
Nadya
That is really big news, it also allows me to go find my friend and claim my
$20 from our bet that his password manager of choice would succumb to an
attack within 5 years that renders it more dangerous than not having it...

 _> We also found how it is possible to abuse account recovery to ultimately
obtain the encryption key for the vault._

If a 3rd party can help recover your information, your information is not
secure because account recovery can typically be bypassed by social
engineering.

E:

Someone posted the blog outlining more details:

 _> With all this information, we where finally able to obtain master
passwords in cleartext. Woo hoo! Our attack only covers users that click the
“Store my password” option though so, don’t store your master password!_

So it's hackable, but only if you're an idiot who stores your master password
or sets your password reminder to contain your password.

Seems my bet with my friend wages on. I'll probably be out $20 by the year's
end.

~~~
dozy
> renders it more dangerous than not having it

If I were your friend, I would tell you that this is still dubious owing to
the fact that without it, many people might use very weak passwords that never
change. You gotta weigh that and the vulnerability it presents for large-scale
remote attacks/leaks, against the likelihood of these guys getting local
access to your machine (i think?) for this exploit.

~~~
Nadya
Please allow me to elaborate a bit.

Storing multiple passwords within a single master password means your security
is only ever as strong as your master password is safe. Literally "putting all
your eggs into one basket". Same with centralized email. One should separate
accounts by email such that if a single email is compromised - not every
account is compromised.

My argument (and practice) is to have individual emails for individual
accounts. Using a dice selection method [0] they'll be as secure as any
individual master password. The issue is burden of memory.

The argument in favor of password managers is that they relieve the user of
burden of memory by exchanging a small chunk of security for a large chunk of
convenience. Which is why I use a password manager.

The actual _bet_ however is that somewhere in the implementation of password
managers there will be found something that is so insecure it allows someone
to "seize the basket" and more or less make the trade-off go from a "small
chunk of security" to "all security". Specifically, any PM that doesn't
require the device being _compromised_ ; though physical access is fine.
(Physical access allows memory attacks but the device itself is not yet
compromised.)

I hope that helped give my position some more nuance.

[0]
[http://world.std.com/~reinhold/diceware.html](http://world.std.com/~reinhold/diceware.html)

