LastPass RCE vulnerability fixed (chromium.org)
249 points by sp332 on March 21, 2017 | 182 comments

This made me laugh:

"They also said they couldn't get my exploit to work, but I checked my apache access logs and they were using a Mac. Naturally, calc.exe will not appear on a Mac."

That is honestly embarrassing. I'm glad I don't use LastPass.

My girlfriend was wondering why programmers are so pedantic, and my primary response was "because they can never be wrong", and as a corollary it becomes important to always be right and develop a culture that points out every flaw in competence.

It's a pretty bad trait; we should do something about that and just continue striving for peer reviewable code and implementations.

I know what you mean, but it's also despicable when companies which are based around security don't take the extra care they should to protect their users. I don't respect that, and I think they deserve every ounce of criticism.

With that said, I definitely agree on things that aren't security related.

I do. What else does auto form fills based on urls, client side encryption, and runs in chrome, IE and Safari?

1Password, and it's been awesome. If you use the non-hosted version you control the whole thing. LAN only sync, or Dropbox, Rsync, however you want to sync it if it matters. Otherwise they've got a hosted version which can also give you web access in a pinch and handle all the syncing for you. I have been with them for long enough that my only option was a non-hosted version and I keep in sync with Dropbox and it works wonderfully.

The Mac client is very nice to use. The Windows client works well but isn't as nice looking. The browser extension is awesome- AND you can put MFA keys in there as well.

EDIT: And I forgot to mention the main reason I chose 1Password so long ago. Their iOS app is awesome and their mobile Safari integration works quite well.

But no linux support.

No direct Linux support but you can absolutely run the Windows version 4 in Wine. It's not without a few crashy glitches but for just using stored passwords it works fine.

It would be very nice if they did support Linux and people have been asking for it, but there is a passable workaround- and frankly one I'm willing to work with because it works so great everywhere else.

That only works if you store your vault yourself.

When I tried it out I wanted 1password family so I could share some accounts with my partner. 1password 4 doesn't support their cloud datastore; the version that does will not run on Wine.

However, I could use the webapp on linux. It was a bit annoying but I could have dealt with it. The other complaint I had was the UX for Android. Having to switch my keyboard every time I wanted to enter a password was very annoying. Hopefully that gets better with the recently announced Autofill API for Android O.

I would suggest not using the auto fill feature of password managers. I use 1Password and the mini UI that sits in the tray is super easy to copy a password from and paste in the browser.

Why not use auto fill? I consider that a decent defense against phishing attempts. Now I always think twice before entering my name and password.

Autofill requires a browser extension. There are at least three major risks associated with this:

1. Giving code running in your browser access to your password database carries some risks. Browsers have a massive attack surface.
2. Autofill extensions use heuristics to map secrets to forms, and sometimes put secrets into fields they shouldn't.
3. Autofill extensions cause your browser to prompt for your master passphrase. Other extensions may be able to emulate this behavior or otherwise intercept your passphrase.

Anyone who isn't using a password manager should do so. A password manager with autofill is a huge step forward from nothing. But disabling autofill offers some further benefit.

1Password does not have a list of "secrets" that it draws from for all forms, it only saves the information you provide per-site; anything it submits to a site is information you've already submitted to the site previously.

1Password's extension does not prompt for my master passphrase, I have to click on it to enter it (if I haven't already). It also doesn't try to fill forms on page load, I have to instruct it to do so. By default it will usually submit a form upon fill but I often turn off that setting.

As for browser vulnerabilities, I'm not familiar with any information about extensions being particularly vulnerable to browser exploits, it seems like when browsers get "pwned," anything in userland (if not the whole system) is up for grabs so avoiding the password manager's browser extension doesn't gain you anything. I'm not saying there's no risk, just that the trade-off is worth it. Agilebits argues that using the extension is safer because it avoids keystroke loggers and clipboard sniffers. [0]

[0] https://blog.agilebits.com/2014/08/21/watch-what-you-type-1p...

I use LastPass, and features you mentioned also apply.

LastPass also unfortunately has in-pane banner pop-ups which I do not trust at all. Blind and automatic autofill is dangerous. I'm not sure if you can enable that.

Another feature I like is the detection of compromised sites and password rotation reminders.

I don't think this is true. Keepass can do autofill without a browser extension. Or are we talking about a different feature?

Keepass can't? It can fill upon request with Ctrl+V which does <username>[TAB]<password>[Enter], but to automatically fill passwords you need the http plugin for keepass and a browser extension.

Select view source on a page where credentials are auto populated. See your password.

Now imagine you stepped away from your machine while still logged in.

Autofill is convenient, but there are negative consequences.

Has anyone used hardware-based password manager like Trezor Password Manager? [1] [2] Initially Trezor was created as a bitcoin wallet but is much more these days.

The issue with 1Password is that it's not accessible in Linux and no U2F (yubikey etc) support AFAIK...

[1] https://trezor.io/passwords/

[2] https://blog.trezor.io/satoshilabs-launches-trezor-password-...

If you install 1Password 4 in Wine it works pretty well, I've even got browser extensions working with my Linux browser.

It's not great and it crashes some, but it does work.

I've wanted to use such a thing, but the requirement to use a specific browser is always a massive bother

same with things like yubikey

It seems like it would be better to just fake a keyboard output instead? then you could have something that could work on all platforms in all situations

KeePass does this. Autofill activates the last window, finds the "input control" on the window, then tries to type in the username, tab key, password. It breaks in all the expected ways, and sometimes new and exciting ways.

That is software emulation though, which is restricted by various things (can't type across users (so breaks on Run As, and elevated windows), if a window implements a custom control, it won't work with that either since that window likely reads from the keyboard in a weird or wonderful way, some windows also just avoid any windows messaging and read the keyboard directly)

Hardware faking of the keyboard would work fine though

I use pass ( http://passwordstore.org/ ). Uses gpg, has addons for all major browsers, works on Android, is completely transparent, supports segmenting your password "tree" to use different PGP keys depending on path (e.g. all passwords in www/ encrypted to both my safe GPG key and my less safe key unique to my phone). Highly recommended.

any iOS app for it?

There are a couple: https://github.com/davidjb/pass-ios https://github.com/mssun/passforios

Passforios is being actively developed and is shaping up well.

I use password safe: https://pwsafe.org/ with a strong central password and store the safe in my Dropbox. Even if my cloud was compromised, the safe is highly encrypted.

PasswordSafe's safe is an open source file structure and thus there are many different ways to access it with different features for each. I have PasswordSafe on both my Windows PC and android phone and I'm using PasswordSafe professionally for my organization's passwords and found that there are reliable Mac options so those with Macs can access the safe.

Seconding 1Password. It also works on Firefox and can be used from Mobile Safari and apps that implement support specifically for it, if you have an iPhone.

Keepass, although to be fair I don't think all the plugins on this page have been properly reviewed: http://keepass.info/plugins.html

Have you tried Dashlane? I've been using it for over a year and it's been great. Their mobile app is really handy as well.


The killer android support is why I still use it. Auto fill in any app.

You can do that with keepass2android as well.

Made me laugh nervously and cancel my subscription...

ROFL. Seriously considering cancelling.

Update: another vulnerability found, not patched yet. https://mobile.twitter.com/taviso/status/844312124541186048

Well. This is not a good week for lastpass.

And for all the users of password managers which use a browser extension or a cloud synced database, KeePassXC[1] is a good alternative, because it won't come close to touching your browser or any remote server. It is cross platform so you have no excuse. It also has a mobile app which is not made by the same developers but a different company so I would be wary of the app.


Is this any better than KeePassX?

From https://keepassxc.org/docs:

>Why KeePassXC instead of KeePassX?

>KeePassX is an amazing password manager, but hasn't seen much active development for quite a while. Many good pull requests were never merged and the original project is missing some features which users can expect from a modern password manager. Hence, we decided to fork KeePassX to continue its development and provide you with everything you love about KeePassX plus many new features and bugfixes.

I'm really surprised, and disappointed, that Tavis announced this publicly like this. From my understanding the Google team has a policy of giving people time to patch the bug before announcing it. I know that the technical details weren't released but by confirming there is a zero day exploit he's making it more likely to be discovered and exploited. The responsible thing would have been to notify the vendor and apply the standard policy they have in place for disclosure.

He announced it exists, though not what it is. Who knows, it might even spur some people to move away from LP.

They fixed all 3 bugs already. https://mobile.twitter.com/taviso/status/844573211278794753 I'm not moving.

I can confirm that there are unpatched exploitable vulnerabilities with high impact in the following software products:

Google Chrome

Mozilla Firefox

bonzi buddy

The test page is still vulnerable for me.


  Chrome 57.0.2987.110 (64-bit)
  Version: 4.1.42
  Built: Thu Mar 09 2017 12:40:16 GMT-0500 (EST)
  Binary Component: true (Native Messaging version 4.1.34, built Jan 11 2017 01:45:24)

Any idea why? I thought no user action was required? No custom error message for NXDOMAIN (I think?), I see the Lastpass site, then calc.exe opens.


Still works for me too. I guess I'm disabling the extension for now.

Just tried again and they've pulled down the website, so the exploit is no longer working.

Long time unhappy user of Lastpass here. Would really like to hear what alternatives people are using that have at least the following features:

1. Mac/Windows/Linux support
2. Ability to control accounts from an admin account. PW/2FA reset, export/wipe of accounts etc.
3. Reasonably secure
4. Not too terrible to use for Engineers/non-techies alike.

I can't help you with #4, but I've been a pass user for a long time: https://www.passwordstore.org/

It encrypts your passwords with your GPG key and stores them in a git repository. You can of course easily extend this to do a lot of different things.

I also wrote this tool for automating password rotation:


It's easy when you're the only user. Pretty tricky when you want to share entries among different groups of users.

My password manager, hunter2 ( https://chiselapp.com/user/rkeene/repository/hunter2/ ), supports multiple users. Each user is identified by their public key and the DB is a plain text file that can be easily managed in your version control system.

I haven't used this (pass works fine for my use case), but Gopass was on HN a bit ago:


One of the claimed features is "multiple stores: Combine several work teams and your private store!"

Keyringer is software that does exactly what I think you need, in a similar way to the parent's suggestion (gpg over git):

Keyringer: encrypted and distributed secret sharing software https://keyringer.pw/

Isn't sharing passwords a bad thing to do in general? Each user should have a separate account/identity and manage his own secrets.

There are endless online services which only allow one user per logical account. In fact I would say the majority of them do it.

So why not create multiple accounts? ToS usually advises against sharing credentials.

Because sometimes you're trying to manage a single resource.

eg I know some phone/sms services that only let one account manage a phone number or something.

Also, sometimes account licences are absurdly expensive.

There's some services that even though we have (say) 50 licenced users, they also want us to have licences for each admin. We're not spending $50k/year just so we can each login once or twice a year to fix/configure something for someone.

But then there's netflix (and probably the same problem of multiple users/one credential for hulu, hbo go, whatever else).

It's probably an afternoon project to get that functionality. Since it's just a git repo, that much is easily shared. GPG supports encrypting messages for multiple recipients. Since pass is simple and open source it should be quite easy to add what you need. Send your patches upstream, I'm sure that others would find them useful too!

Although I haven't tried it myself, it looks like pass already supports this using the PASSWORD_STORE_KEY variable in the set_gpg_recipients() function. [0]

[0] https://git.zx2c4.com/password-store/plain/src/password-stor...

Or just put key IDs in a .gpg-id file:

Initialize new password storage and use gpg-id for encryption. Multiple gpg-ids may be specified, in order to encrypt each password with multiple ids. This command must be run first before a password store can be used. If the specified gpg-id is different from the key used in any existing files, these files will be reencrypted to use the new id. Note that use of gpg-agent(1) is recommended so that the batch decryption does not require as much user intervention. If --path or -p is specified, along with an argument, a specific gpg-id or set of gpg-ids is assigned for that specific sub folder of the password store. If only one gpg-id is given, and it is an empty string, then the current .gpg-id file for the specified sub-folder (or root if unspecified) is removed.

-- https://git.zx2c4.com/password-store/about/

EDIT: Better formatting

I use it to share passwords with one other person via a suitably restricted git repo, works perfectly fine.

Edit: See sister comment by runejuhl.

KeePass recently got an Argon2 KDF and ChaCha20 as a cipher. I highly recommend it, good mobile apps, pretty simple UI, control over your own DB, sync it with your favourite tool, I use SyncThing as its Android support is excellent.

I would suggest KeePassXC, which in my opinion, looks better since it uses Qt rather than mono so has a more native feel.


See also KeeWeb[0].

Also multiplatform as KeePassXC, built on Electron. Even though it is built on JavaScript, it has 0 dependencies[1].

And the author responds well on external feedback/contributions[2].

It does support KDBX4[3].

[0]: https://keeweb.info/

[1]: https://github.com/keeweb/keeweb/blob/c651343f80f4f3d41c7d64...

[2]: https://github.com/keeweb/keeweb/issues/104

[3]: https://github.com/keeweb/keeweb/issues/326

> 0 dependencies

If bundling your devDependencies at compile time counts as "0 dependencies", nothing has any dependencies. In this case, the whole thing's built on electron - all of chrome's rendering engine is quite the dependency. The uncompressed Windows version is 137 MB on disk. Fatter than most any app should be.

I would not suggest this as KeePassXC does not support the new KDBX4 format with the upgraded cryptography - only the old Keepass format which relies on a custom AES-based key derivation function, which I cannot in good faith recommend.

Once it's implemented I may reconsider, but for now at least, I'd shy away from it.


Thanks for the info!

Edit: Looks like it's close


For OSX I have been using this native app MacPass - http://mstarke.github.io/MacPass. Actively developed from what I see on Github.

Which mobile app do you use with KeePass? I use MiniKeePass and am pretty happy with it.

I'm not the user you replied to, but that app looks like the only good app, at least for iOS.

I use the open source Keepass2Android which is open source and supports the new crypto, has just about every utility I could want.


It's a good app but as far as I remember the integration with Dropbox wasn't working properly. I think that's the main issue with KeePass right now - getting your passwords synchronized with your phone.

SyncThing solves this quite nicely on Android at least. For iOS, I'm not sure, Apple's restrictions make proper sync near impossible in the name of battery life - even while charging or on WiFi.

> Argon2 KDF and ChaCha20 as a cipher

Are these a huge improvement from what was offered previously?

Before they were using a custom AES-based key derivation function which had not been strongly peer reviewed so Argon2 is a big improvement there in my book.

ChaCha20 over the existing AES-CBC... not as much, I feel more comfortable in that it's harder to screw up the implementation of it, but that's about it. CBC mode especially can have unexpected side effects unless used very carefully, ChaCha20 or any other strong stream cipher, even AES in CTR mode is somewhat easier to understand the side effects of.

So overall, not concretely in terms of known vulnerabilities, but in terms of predicted risks, I'd say certainly. Before this change I was erring on the side of known algorithms with solutions like LastPass at least using standardized PBKDF2. With this change, KeePass went from behind or middle of the pack, cryptographically compared to competition, to the frontrunner.

Not sure about point 2, but 1Password seems to fit all the others. Really like it, personally.

1password along with seemingly every other mobile password manager slips up from time to time. Turn around time once something is disclosed is my main concern.


1Password didn't support Linux last time I checked. There are 3rd party libraries, but most of them don't support the newer keychain format. I still use it and just look up the password on my phone when I'm on a Linux system.

1password has their opvault format spec on the website and https://github.com/OblivionCloudControl/opvault can decrypt. Admittedly the UX is lacking.

I've tried that library, actually. Last time I used it, it couldn't find some passwords in the vault, including (crucially) the one I use for SSO at work. It's totally possible I was just using it wrong – it would be nice if the repository had a demo command line tool or something.

I believe 1Password only supports Windows and OS X on the desktop.

I imagine 2. works if you buy the enterprise options?

Flat text file on an encrypted volume. I use cat or vi for editing, and grep for reading. If it's ultrasensitive, I keep it on a non-networked device and type it in. Otherwise, normally, I grep and copy/paste from terminal to password field.

I do security for a living. This technique is mocked by other so-called experts, but who's laughing today? I fully understand the security model I'm using. Lastpass users--and developers--clearly did not. Other password manager users should stifle the urge to laugh if they haven't fully reviewed their entire stack.

Also, I do not keep the encrypted volume in the cloud. It's only on my trusted device. If it's important enough to secure the password, it's important enough to bring the device.

Further, I've used variations of the same password for the past two decades for >90% of my accounts, e.g., the ones where my threat model is "do not give a fuck." When I sign up, I mentally consider whether I give a fuck the account is compromised. If I do, new random password for the list. If I don't, use the 20-year-old password.

I like this approach, but I would also like to have the passwords on my phone and sync between desktop and phone. Any advice on how to do that using your approach?

It's not really friendly to mobile sync, so if you're heavily into that, it's not a full solution. I'm sure you can find a way to securely push the file to the phone as an exercise to the reader, but it would probably involve some philosophical security compromises or creativity.

If it's really ultrasensitive, it's 12+ character random ASCII string committed to muscle memory only. No horse battery stapling bullshit.

Please don't give security advice unless you know what you are talking about. It just spreads misinformation.

Please elucidate.

Misinformation like, "Always use a reputable cloud password manager, like LastPass?" Along with a trusty antivirus, am I right?

To be further contrarian, if the common man is going to use a password manager, use Chrome's built-in auto-fill, without antivirus or other 3rd-party bolt-ons, be they LastPass, KeepPass, 1password etc. You know who Tavis works for, right? Chrome's application security is best of breed, and its password manager does what it's designed for, at least.

I was responding to your nonsense advice that 12+ character random ASCII is somehow better or more secure than a "correct horse battery staple" or diceware-style password. They have identical security properties, given appropriate choice of N.

If you are going to memorize passwords, feel free to memorize ASCII gibberish if that's what you are into. Or memorize random phrases, since many (most?) humans find those easier to remember.

A 6-word diceware passphrase has more entropy than 12 characters of ASCII and is easier to memorize. In what way is that bullshit?


94^12 ~= 4.76e23 > 7776^6 ~= 2.21e23.

And typing 12 characters from muscle memory is faster than learning and typing "limbdumaslaterjuramondohalf", which is what diceware^6 just gave me.

The supposed mnemonic value of diceware is illusory. If it convinces people to use stronger passwords and it works for you, great.

You're right, I misremembered the number of rolls for diceware. I guess your passwords have an extra bit over mine. How many 12+ character passwords are you able to memorize? How long does it take you to learn a new/changed one?

> How many 12+ character passwords are you able to memorize?

As I need to enter on a regular basis. In practice, no more than half a dozen. Usually I have 3 or 4 in use. Might be work, personal, and a couple for crypto.

> How long does it take you to learn a new/changed one?

Depending on the length, 5-10 minutes of continuous training to be confident if it's one I'm going to put into immediate use.

The point is to go straight to pure muscle memory without using a mnemonic crutch. Ultimately for a password that you're typing on a multiple-times daily basis, you're going to be relying on muscle memory anyway. If you're trying to remember what came after the correct horse battery, or if the correct came first or last, you've already lost. "limbdumaslaterjuramondo" gets me no closer to login if my password is "limbdumaslaterjuramondohalf" if I've forgotten nonsensical "half" than "+D%W}B_]7|~y" gets me to login if my password is "+D%W}B_]7|~yd" and I've forgotten "d".

You're going to be typing the password with your fingers, so learn the password by typing it with your fingers until it's automatic, not by conjuring a sequence of unconnected mental images. It actually saves time.

I doubt most people type their passwords multiple times on a daily basis, so dismissing mnemonics with "just use muscle memory" doesn't look practical to me. And they're not incompatible, actually: you can eventually commit to muscle memory a diceware-like password, but in the meantime (or if it slips out of muscle memory) you got mnemonics ie. clues.

As far as I'm concerned, I've tested some diceware passwords for some months, and I would say they served me all right. I "name" my passwords by their initials (first letter of each word), so there's no risk of missing a word or swapping some.

If it works for you, great. Maybe I was being deliberately controversial calling xkcd/diceware bullshit. Kudos for raising bad password awareness and improving practices, I suppose.

But, I still contend it basically knocks down a straw man with bullshit. Yes, they correctly point out that if you're using a mnemonic method, a long passphrase is better than a short password. I'm pretty sure the PGP folks pointed that out at least a decade or two ago.

At the end of the day, if you're not using, recalling, and exercising a strong secret, you will forget it. That's how memory works. With Diceware you have three things to learn; your silly mnemonic, what it translates to, and how to type it quickly. True, you might (just might) forget the muscle memory of exactly how to type it before you forget the entire mnemonic, and then be able to recover the password from your memory of the mnemonic cues. That seems intuitive, at least, but misleadingly so.

But my years of experience have taught me that muscle memory is the most durable memory. There's nothing inherent in "correct horse battery" that's going to give you "staple" once you've forgotten it; it's gone. It was random, after all. If you're not exercising and remembering your secret, then you have to have a backup to fall upon--written down or stored somewhere? If your goal is muscle memory with minimum pain, fewer, maximally-random higher-entropy keystrokes is better.

I don't think most people sit down at their desk all day uninterrupted without leaving. I lock my terminal when I leave my keyboard and type a password to unlock when I return. I enter a password whenever I unlock an encrypted volume (e.g., to get other passwords).

You can use biometrics or tokens, but purely memorized passwords can have unique utility. In America, for instance, you generally can't be rubber-hosed to give up a memorized passphrase, and it's not generally a crime to do so. You can be compelled in a variety of settings to provide a physical token, including biometrics, or disclose their existence. There can be civil coercive techniques to persuade you to give up a password, but at a bare minimum, in a criminal situation or where the 5th amendment applies under my current understanding you cannot be forced to give a password from memory.

Of course if you're the surveillance target of a nation-state then potentially they can do what they need to do to covertly intercept your passphrase through physical access, evil maid etc., but that's a different ballgame.

One of your points is that three things to memorize is more difficult than having just one, but sometimes it's just not the case: adding vivid images and funny/silly backstories actually makes remembering easier, as research suggested and borne out by personal experience.

Now, it could be argued that these images/backstories could be made up for random ASCII chars too, but to me it's just easier to do so with words.

Regarding screenlocks, I tend to use relatively mediocre passwords (nothing stupid, though), since screenlocking is only useful against very casual attackers -- someone skilled and motivated will just get in if they have physical access to the box. But I agree that it's where muscle memory would work best.

A "better" password that you share between accounts is far worse than less strong passwords that are unique to each account. "+D%W}B_]7|~y" might be unfeasible to brute force, but that doesn't do much good if it turns up as plaintext in a dump and you've used it for all of your work or personal sites.

What? Where did I say I share these passwords? I don't. Go up to my top post. Passwords of any importance are unique, also random, and stored in a text file in an encrypted volume (with a unique, strong, memorized key).

The only non-unique keys I use, are also nonrandom, and used for accounts with no security consequences. Like this one.

Apologies, I misunderstood your post.

Apparently this was fixed server-side and does not require any update to the client. However the default version on addons.mozilla.org is very old for some reason, so if you are running 3.x it wouldn't hurt to download the latest. You can get it either from LastPass's website directly or from https://addons.mozilla.org/en-US/firefox/addon/lastpass-pass...

The 3.x is still updated, but they're replacing it soon. 4.x is a WebExtension, with a different UI.

See https://blog.lastpass.com/2017/03/plans-to-retire-the-lastpa... for details.

Oh you're right. I was confused and there are two bugs, only one of which has been fixed so far. The first one, which is apparently still unfixed, mentioned here https://twitter.com/taviso/status/842205051082821632 only works on 3.x on Firefox.

I've got to say, this attack looks a little too obvious; that doesn't reflect well on lastpass.

The high number of vulnerabilities that keep being found in LastPass (including some that are not publicly disclosed) forced me to jump ship a while ago.

It's always worth remembering that using something like LastPass should be compared with the status quo that it often fixes (same password for everything, post-it notes, teams emailing passwords around).

Sure. Which is why Last Pass makes you safer if you use it for the long tail of rarely used non-critical passwords. The problem is once you are using Last Pass for those, it becomes more and more tempting to use it for passwords that actually matter, and for those you really really don't want to be using an online password manager.

In fact, for the average person, I am not sure a post-it note full of passwords in their home is a bigger risk than an online password manager. Sure, if someone breaks into their house they are screwed, and that is a relatively easy attack. But on the other hand, any bulk breach leaves them unaffected. A notebook full of plain text passwords in a drawer in your home and a shared memorized prefix that must be combined with the passwords on the list to get the full password seems strictly more secure than a password manager (although slightly less convenient).

> A notebook full of plain text passwords in a drawer in your home and a shared memorized prefix that must be combined with the passwords on the list to get the full password seems strictly more secure than a password manager (although slightly less convenient).

This actually sounds pretty good; I might start recommending this to non-technical friends and family.

EDIT: phone auto-completed "non-technical" to "non-profit technical"

Why is that a relevant comparison for anyone interested in their own security? It seems to me that the comparison that matters is with my own status quo and with other options that I might consider, not with some average status quo.

Can you please provide some references to the "high number of vulnerabilities"? I've only heard of one or two, but those were promptly fixed.

They cannot because it is a fictional claim.

I've just been researching it and most of the recent vulnerabilities (before this one) have been either minor in severity or "working as intended" (like saving your master password and using PIN unlock, which they warn you is insecure, and relies on device encryption to protect your master password).

Today's issue is by far the most serious in at least the last year.

Concern about code quality is legitimate, and vulns discovered is one metric for that, but I worry that hopping to the unreviewed (and therefore lacking vuln disclosures) app is even worse. But I don't use lastpass.

Other managers have been reviewed, and found better success than LastPass. I (finally) signed up for a password manager a little while ago, and after some evaluation chose 1Password.

A big part of that decision was that they have been reviewed/audited and there were a couple vulnerabilities found, but they were all minor, which indicates to me the system is pretty secure. The nature of the bugs was also comforting in that they seemed like small oversights, compared to a lot of the LastPass bugs which seem like "holy shit how did you let this happen".

What other ones have been reviewed? I'd be interested to read the audit reports.

Agreed - I was tolerant for quite a while as the vulnerabilities seemed obscure and the handling seemed good, but they kept cropping up in more and more obvious ways. When KeePass got a crypto upgrade recently I jumped ship. I loved LastPass for the sync, but SyncThing to my phone has made it all too easy to get away without it.

I have the same concern.

Same here. Trialling Dashlane, but not quite convinced yet.

If you're interested in an open source option that compares quite well to the LastPass feature-set, check out bitwarden: https://bitwarden.com/ (note: I am the lead developer).

Hi, I'm considering giving bitwarden a try. I'm curious, though - are there any 3rd party security scans for the product? And (only half-joking) can we get Tavis to review it?

There have not been any formal third-party audits done that we can document yet, however, the product is entirely open source (from the database, backend APIs, to all client-side applications): https://github.com/bitwarden. Anyone is free to audit (and contribute) as much as they'd like. If you can get Tavis (or any security researcher) interested in reviewing our products we would love to work with him.

Thanks. Are there any plans to have routine security audits done?

As we bring some of our revenue generating features online we hope to have the cash flow to fund regular third-party audits.

I'm not the lead developer (or involved with the project at all) and I also recommend it.

Only issues I have right now are:

- No app-fill on Android.

- No auto-fill (have to manually click the icon and select an account).

- When using Firefox the extension periodically logs out for no apparent reason.

- There's no address/wallet stuff so I actually have to pull out my credit cards.

Other than that it works pretty well.

- We released app-fill (autofill) on Android last month. Make sure you are using version 1.3.0 or greater. Read more here: https://blog.bitwarden.com/android-v1-3-0-now-with-auto-fill...

- We also fixed the issue you are referring to on Firefox last week. Make sure you are using 1.10.1.

- There are plans for additional "wallet" features in the future.

Woo! I just got app-fill working.

To be clear though, app-fill and auto-fill were referring to different things. What I meant by lack of "auto-fill" was that when I visit a website on desktop, my details aren't instantly filled when the page loads. I have to manually click the extension icon in my browser and select the account I want.

This is not always a bad thing. Sometimes you don't want software to automatically plunk your login credentials into appropriately named fields on a JavaScript-driven web page.

This is why we don't offer this feature. This feature is one of the major offenders for lastpass in the past. It's very easy to get wrong and expose vulnerabilities.

It _is_ a vulnerability!

How are you making money off of this?

bitwarden is currently sponsored by the Microsoft BizSpark program which covers many of our operation costs and allows us to offer services for free to our users. We are working to introduce enterprise features for businesses in the future (scheduled for release next month) which will allow us to monetize. In the meantime, everything is free for users.

Which of the current free-for-everyone features, if any, are you considering making available to paid accounts only? (i.e., what will your current free users lose unless they move to a paid account once you monetize?)

Everything you see today will remain free for personal users.

Perhaps you missed it at the time but I'm wondering if you can answer this https://news.ycombinator.com/item?id=13438225

Looks cool. My personal "I can't use it because it lacks X" list:

- Firefox extension

- Password generator

But I'll keep an eye on it. LastPass is far from perfect.

You need to update your user home screen then, both features have empty links saying "coming soon".

bitwarden has a Firefox extension [1], and it has a password generator.

[1] https://addons.mozilla.org/firefox/addon/bitwarden-password-...

Thanks for this comment. I switched to bitwarden from LastPass last night.

Cool, thanks - I'll have a look!

It uses so much memory and there are obvious UX mistakes everywhere, like you can add new sites in the client but not generate passwords. Dashlane really worried me, sadly.

What is your hesitation with Dashlane?

Cost, and clunky YubiKey support. I can enable a YubiKey with some hoop-jumping but this will impact ease of use on my mobile clients. I still need to look into the team functionality. I have used LastPass for many years privately and for my business, and it is pretty deeply stuck in everything we do, so evaluation takes time.

No Linux support might be a biggie.

No Linux support seems like a hard deal breaker for a Linux user. His comment indicated he was questioning the security practices or some other technical reason.

Looks like this was discovered by the same guy that discovered CloudFail. That dude is amazing.

One of the best vulnerability researchers in the world right now. Tavis Ormandy is a spectre of doom. He is one of the last people you want to see tweeting about your company.

Every member of Google's Project Zero team is individually more capable and productive than entire teams of consultants at the best security firms.

This is a bit disingenuous. It's almost impossible to measure the output of the other teams/consultants because their reports are never made public.

I wish that we had more opportunities available for researchers to do the work that Tavis is doing. He is very very good and highly productive, but he's not somehow orders of magnitude better at his research than others. The thing that makes him unique is that Google is paying him a full-time salary just to find bugs and post them publicly. He doesn't have to worry about only targeting stuff in bug bounty scope or working on executive-targeted write-ups and consultation reports to make ends meet.

Basically, he gets paid to spend all day, every day, finding bugs and documenting them for people to see. We need more people in those sorts of positions, but only Google is really able to bankroll it.

You make a fair point, but I don't think it's an argument against what I'm saying. If for no other reason than what you stated about being paid for such open goals, he certainly is more productive than most consulting teams. And given his practice and experience at that sort of productivity, he's likely more capable as well.

I agree that security consulting results should be more open, but incentives are not really aligned for that to be the case.

Well, this is Project Zero, the security researchers working there are highly competent, but I do agree this guy is amazing. I wonder what kind of methodology they use to even come up with these attacks.

Having briefly interacted with a few of them, and following their work in general:

1. They have a phenomenal intuition for where developers get lazy, tired or simply incompetent in security-sensitive code,

2. They have, in aggregate, a vast knowledge and understanding of past vulnerabilities and how those might be repeated elsewhere or imperfectly patched,

3. They practice a lot and they read a lot (i.e. relevant research, etc). It might be more accurate to say that they have a lot of practice because of their work, not that they actively practice outside of work.

4. They are good at the general process of security research - long hours of mostly dull, complex research interspersed with brief eureka moments and bouts of euphoria.

They're an extraordinary team, for sure.

Natalie Silvanovich of Project Zero gave a talk at REcon last year about how she finds Flash bugs, and she went into her methodology some: https://www.youtube.com/watch?v=JbvwCEOxyrA

Not that I had a high opinion of Trend Micro before, but that series of responses from them is shamefully bad.

OMG. Arbitrary code execution just from visiting a URL, and dump all the passwords?

I'll bookmark this for the next time someone recommends AV of any sort...

The guy must get tired saving the world so frequently. I hope Google literally pays him a dumptruck full of money.

He also found vulnerabilities in many more security products out there. At some point, years ago, Microsoft became very hostile toward him, but things seem to be better now.

> Microsoft became very hostile toward him

What happened?

Little of it was made public, but


"Microsoft treat vulnerability researchers with great hostility," he says.

Is it just me, or are these "cloud password managers" a terrible idea given the typical person's threat model? First, there are hackers looking to score a huge pile of accounts. Second, there could be a relatively unsophisticated person with a grudge, like an ex-partner. In a distant third, there are nation-state-level actors.

If I keep a local encrypted password file and copy it around by hand, I may have some vulnerabilities, but it's not worth a hacker's time to steal only my accounts, and I can probably protect my credentials from casual malice. On the other hand, if I put my passwords on the same service as hundreds of thousands of other people, that's a huge jackpot that attracts significant hacking interest, and the service only has to screw up once. The risk doesn't seem worth the convenience.

The biggest threat to most users is that their password on SomeRandomSite gets out (db dump, hacked, whatever) and since they use the same password everywhere, now their bank and/or their email password is out in the wild. If you are willing to carry an encrypted password file around with you, and consult it every time you need to enter a password, go for it. Yes, that is more secure than LastPass. What LastPass offers is balance between convenience and security.

Also, I believe that a hacker who gained access to LastPass's database would merely get a bunch of encrypted passwords. LastPass doesn't know your master vault password, which is needed to unlock your vault and use the passwords that are stored there. So, they are a big target, but primarily for attacks like this where an individual page might be able to hijack the plugin for users visiting the site, and not because some could hack LastPass and get everyone's passwords.

As soon as you put a Keepass encrypted database onto any cloud service (e.g. DropBox, Google Drive, etc) you've effectively just recreated LastPass.

Both use an AES-256 encrypted database encrypted using a master password which is first hashed using a modern/slow hashing algorithm.

Obviously it is imperfect that the LastPass plugin has bugs in it; and I won't defend that. But I will say that the convenience is worth the risk most of the time, but LastPass needs to be better than this if they want to maintain people's respect and trust.

If you intend to keep your encrypted password database completely offline (e.g. USB keys) then, sure, it is more secure but very few users are willing to take on such inconvenience.

Password managers in general have resulted in less password reuse, longer passwords, and more random passwords. LastPass in particular offers "one click" password rotation on dozens of popular services.

One click password rotation! I had no idea.

It is neat but only on a select list of popular sites, you can see the list at the bottom of this page:


Not necessarily a terrible idea, but you are right - they're good for some time and then the economies of scale do tip. That said, these things are very convenient.

This is why we need a mirror method for postMessage to securely receive cross origin messages https://medium.com/@homakov/why-we-need-getmessage-too-a7411...

Note that this issue references another (not yet public) issue which is apparently for LastPass on Firefox. I expect we'll see a LastPass + Firefox issue in the near future.

> (Please note, issue 1188 which affects LastPass on firefox is not fixed, and still works)

Brilliant find by taviso. So simple yet thousands of others passed over it. It takes a relentless mind to comb through all this code and actually find such an issue.

> So simple yet thousands of others passed over it.

Is that true? How do you know?

LastPass has been in the spotlight for quite some time now, and repeatedly criticized by the security community. I've also read various articles about alleged security flaws with LastPass (which were quickly resolved by the team).

How would this theoretically affect a user with password re-prompt on for all of their accounts?

Most of the reported issues I've seen have been caused by browser extensions. It seems like uninstalling the extensions and just using the web app directly in a separate browser might go a long way towards avoiding these kinds of issues.

This doesn't seem to me like it compromised the passwords though. Am I missing something?

> Therefore, this allows complete access to internal privileged LastPass RPC commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc). If you install the binary component (https://lastpass.com/support.php?cmd=showfaq&id=5576), you can also use "openattach" to run arbitrary code.

Any LastPass RPC was able to be called, which does mean that it compromised the passwords. Now, the worse part is that any code (any .bat file, which on Windows is similar to a bash script) could be run on the host computer, which means they can effectively take over the host computer.
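A default-deny dispatcher for the situation described above, where messages reachable from a web page could invoke privileged RPCs; this is an added example, not part of the thread and not LastPass code. The event objects are plain constructed objects standing in for browser message events, and every name other than copypass, fillform and openattach is hypothetical.

```javascript
// Added illustration, not LastPass code. Only the command names copypass,
// fillform and openattach come from the thread; everything else is hypothetical.

// Constructed placeholder for the extension's own origin.
const EXTENSION_ORIGIN = "chrome-extension://constructed-extension-id";

// Default-deny: a command must appear in one of these sets to run at all.
const PAGE_SAFE = new Set(["getversion"]); // hypothetical harmless command
const PRIVILEGED = new Set(["copypass", "fillform", "openattach"]);

// Trust comes from the browser-set origin, never from fields inside the
// message body, which the sender fully controls.
function senderIsExtension(event) {
  return event.origin === EXTENSION_ORIGIN;
}

function dispatch(event, handlers) {
  const msg = event.data;
  if (msg === null || typeof msg !== "object" || typeof msg.cmd !== "string") {
    return { ok: false, reason: "malformed" };
  }
  const cmd = msg.cmd;
  if (PRIVILEGED.has(cmd)) {
    if (!senderIsExtension(event)) {
      return { ok: false, reason: "denied" };
    }
  } else if (!PAGE_SAFE.has(cmd)) {
    // Covers unknown names and prototype keys such as "constructor".
    return { ok: false, reason: "unknown" };
  }
  // Own-property check so inherited members are never treated as handlers.
  if (!Object.prototype.hasOwnProperty.call(handlers, cmd)) {
    return { ok: false, reason: "unknown" };
  }
  return { ok: true, result: handlers[cmd](msg.args) };
}

// Constructed handlers and events for the demonstration.
const handlers = {
  getversion: () => "1.0-constructed",
  copypass: (args) => `copied entry ${args.id}`,
};

const fromPage = {
  origin: "https://untrusted.example",
  // The fromExtension flag is sender-supplied and therefore ignored.
  data: { cmd: "copypass", args: { id: 7 }, fromExtension: true },
};
const fromExtension = {
  origin: EXTENSION_ORIGIN,
  data: { cmd: "copypass", args: { id: 7 } },
};

function demo() {
  return [dispatch(fromPage, handlers), dispatch(fromExtension, handlers)];
}
```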


Personal attacks are not allowed on HN. We ban accounts that do this, so please don't do it again.

Unfortunately, your comment history has plenty of uncivil and unsubstantive comments. It also has some really good ones, so we aren't banning you, but if you keep doing this, we'll have to, so please fix it.

We detached this subthread from https://news.ycombinator.com/item?id=13927087 and marked it off-topic.

I want to be a positive contributor.

I should have used a gentler tone. Sorry for rankling.

It's not like Tavis is creating these bugs. He's merely pointing out that the emperor has no clothes. Quite a socially awkward situation for town folk who've been living as if the clothes are wonderful.

Additionally, in general and as is the case here, the bugs aren't in some nice kid's hobby project. It's not like he's pointing out that grandma's blog has XSS vulnerabilities. These are security products, which often seem like snake oil instead. If anything we need more stigma against people and products who claim strong security but turn out to be shams, providing only security theater.

Some things just need much more expertise to do than others. You wouldn't want a hobbyist designing your local nuclear reactor, nor performing your heart surgery. Similar standards should be in place for computer security. Accepting security systems that were hacked together like another CMS will lead to our digital lives being on a foundation of straw.

I don't think I'd call them a 'sham'. They're not advertising something they don't do. I think they do everything that they say they do[1]. If this was a case where someone was able to get plaintext passwords from lastpass's server, you'd be right.

The first thing I think people should realize is that there are vulnerabilities in every software, and addressing that fact goes a long way. I doubt that they weren't following standards, and they do have a good track record of security, although they get flak for being an extension-based password manager (which is a very bad idea, something I've come to realize not long ago. I think it was at the time of LastPass's last vulnerability[2]).

If you don't mind, I'm interested in knowing what you'd consider products with 'strong security'?



LastPass has a bit to go until I'd call them a sham. I was talking in general. There have been much worse examples before.

Yes there are vulnerabilities in every software. Even if your code is perfect the compiler will generate bugged code. Even if you fix that, the CPU still has bugs. These are certainly hard problems. However there's a difference between a subtle bug caused by a typo and complete lack of understanding of fundamentals. [1]

As for what products I consider having strong security, the crypto part of the Go standard library is good. Among large projects Chrome is good. Neither of them are perfect.


[1] I especially like the case of CryptoCat, a chat program that generated random crypto keys by concatenating strings of digits. https://tobtu.com/decryptocat.php

>> There is a concept called an "unreliable narrator." Tavis has a documented track record of poor interpersonal behavior. It's time that people stopped focusing exclusively on the quality of his discoveries and started to ask if his behavior is one we want to implement.

I have seen many security bugs reported by Tavis show up here on HN. I haven't seen Tavis behave poorly in either explaining these issues or reviewing the fixes. On the contrary, his comments in the issue discussions have almost always given a benefit of doubt to the product and its developers when it comes to the way they have handled the security issues.

Tavis has a documented track record of poor interpersonal behavior. It's time that people stopped focusing exclusively on the quality of his discoveries and started to ask if his behavior is one we want to implement.

Given what he does, the quality of his discoveries is really the only important thing. Do you really think that "form over function" is important in the context of what he does?

That's a pretty serious claim to make about someone, and you haven't backed it up.
