by ComputerGuru 3095 days ago
The code, tech, and mindset behind LastPass is a joke. They started just after the “dark ages” of security but don’t seem to have upgraded their mental model of security since. I’ll share with you the moment I discovered something that made me cancel my schedule for the day, research alternatives, write a LastPass to 1Password converter [0], and cancel my LastPass account and subscription.

Are you ready?

You log in to their support forums and online community with the same password you decrypt your vault with.

[0]: https://neosmart.net/blog/2017/a-free-lastpass-to-1password-...

EDIT:

To answer some of the comments, since understandably not everyone is a security expert:

What happens if LastPass’s web forum is compromised and all their additional security counts for nothing?

Even if not: you have no problem with people being conditioned to enter the password securing all their passwords repeatedly into random pages for random content not related in any way, shape, or form to their vault in a web browser?

Containment is the name of the game. It’s hard enough making one app secure enough to enter your password into. Then extending that with an SSO, relying on the security of none other than notoriously crappy phpBB, vulnerable to upstream code injections, XSS, phishing attacks, and god knows what else, and you still think you can trust them to keep your master password secure?

LastPass is such a juicy target and this is such an easy attack vector that I can virtually guarantee at some point phpBB - or, more accurately, their abuse of it - will be a massive liability and the source of a huge catastrophe for them, if it hasn’t secretly already.

Of course they know to treat changes to their authentication apps very carefully and code review each and every syllable added or removed (well, I hope so). But do they review upstream patches to the forum software they use? What about the third party template they have installed? Do they hold off on patches after a security bug is discovered in phpBB so they can review the code changes? Do they even upgrade their forums? What about a vulnerability in PHP itself? Do they secure the server hosting their authentication apps in the same manner as the server hosting their forums? Do their web developers undergo the same background checks and scrutiny their core developers undergo? How many sysadmins have access to the website? Do they provide the same access monitoring to people managing an ancillary feature like their forum software?

The list just goes on forever. You’re as secure as the weakest link. All anyone who wants to break into LastPass has to do is get some code into phpBB or the random phpBB themes and plugins they use, and it’s game over for millions of LP users and billions of credentials worldwide.

See the problem?

5 comments

My biggest gripe/concern with LastPass Enterprise (we use it) is that sharing/access control _never_ works properly.

Every time we bring someone on and try to share folders or credentials with them, we end up needing a multi-hour support ticket to get everything resolved correctly.

This shouldn't happen. It raises big alarms for me.

Do they ask you to confirm your master password over the phone so they can check on their end and see if they can reproduce the issue?
Electronic password managers never made sense to me. While you can do more to secure a single target, it is a more valuable target and one mistake costs you all your passwords. For me a physical password journal is best. While it does make you vulnerable to physical attackers, the investment required to target someone physically is so much higher that if I have to deal with that threat level I'm already a goner. Just have to hide it from the kids.
My approach for anything remotely sensitive, or that could be used to gain access to other accounts, is to generate a LastPass password and to memorize a handful of short "salts" that I add to each sensitive password manually + using 2FA wherever it's available.

Obviously there's no 100% secure approach, but at least this makes me sleep better knowing that if LastPass were compromised, my stored gmail, bank, paypal, work, etc. passwords wouldn't work.

Thanks for that tip. I was always worried a lost vault could leak all my accounts in one go but with this trick I think I'm confident enough to start using a password manager.
The only drawback to that is the difficulty of logging in while out of the house (I understand making priority accounts “on site access only” but what about others?) and the fact that you’re disincentivized from making more secure passwords because (even if only subconsciously) you’re going to have to type in all those characters and symbols each time you want to log in.

I think the biggest security failure is session cookies that expire too quickly or too eagerly. Having people need to enter their password so often is more dangerous than keeping them logged in (from the same IP) for a longer period of time.

If my bank would keep me authorized for basic access (review transactions, pay bills, transfer money between own accounts) without logging in each time, but required a password to add a payee or make changes to the account, I’d keep the password in a journal in a safe.

Does make it more vulnerable to things like keylogging - electronic managers skip typing completely. Also it makes people create simpler passwords than they would if it was electronic and becomes pretty unmanageable with a large amount of passwords.

I'm not saying it's the wrong way to go but if electronic password managers "never made sense" then I feel like you don't have the entire picture.

I think the threat from keyloggers is not as severe as the threat from clipboard scrapers. Apple and Google absolutely need to make a secure password transport mechanism to allow one app to fill a field in a web browser or field in another app that does not rely on the clipboard because even just expiring it after n seconds is not secure enough.
Couple of days ago they sent a newsletter email to all their subscribers saying something about "enterprise accounts". Anyway, they sent that to everyone, when obviously they meant to send it to their enterprise customers.

In that moment I realised that I still had an active subscription with them and cancelled promptly.

>You log in to their support forums and online community with the same password you decrypt your vault with.

what's the issue with that? maybe they have some SSO system

The issue is that your vault key must never be available to their system, otherwise when they get hacked with the most trivial XSS now your vault is pwned. Password vaults are a hugely valuable target, worth potentially thousands of dollars on the black market; you absolutely should not be using a service that has the ability or can acquire the ability to decrypt your vault. You're better off with a plaintext file in a nondescript location on your hard drive.
Just to clarify this, because it took me a second, the point (if I understand you) is that your password is available to them at the point when you log in to their support forums. Particularly bad, because it's a site that hosts a ton of user content.

It's also really dumb, because the whole point of the product is to make it easy to not reuse passwords. They could have even had the signup process automatically create those accounts for you and insert the passwords into your vault, and it would have been just as easy for the user.

Someone who hacks the support forum (notoriously soft targets) now has access to all your passwords for everything.
It means if someone hacks into their forums and gets credentials then all your passwords are open to them.
Why?

1.) LastPass login page hashes MasterPassword on the login page to produce a hash

2.) Hash is sent to the forums, and is checked against the same hash as the vault system

3.) Hash is confirmed, and you're logged in.

1.) Later hash is grabbed by an attacker.

2.) Attacker sends the hash to get the encrypted vault

3.) Attacker gets the encrypted vault

4.) Attacker is sad, because they don't have the MasterPassword, and thus have no access to all your passwords

Note that I'm not saying that they are awesome, and/or are doing the above. But it's not immediately obvious that a MasterPassword can't hash a forum login and a vault request at the same time. I mean, that's literally what the "MasterPassword never leaves the client" is supposed to mean.

[0] - https://lastpass.com/support.php?cmd=showfaq&id=6926
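The two designs argued over in this thread (a forum that receives the raw master password, versus one that only ever sees a client-side hash of it) can be made concrete. The following is an added example written for this page, not LastPass's code and not the commenter's; the PBKDF2 parameters, the e-mail-as-salt choice, the HMAC-based stand-in for a real cipher (AES-GCM in practice) and all names are assumptions. It walks both scenarios with a constructed user and shows what an attacker who compromises the forum actually ends up holding in each case.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed parameters for this example; the real service's KDF settings are not on the page.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password into the vault key.
    The e-mail address is the salt, so equal passwords give different keys.
    This key never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), PBKDF2_ITERATIONS, dklen=KEY_LEN)


def derive_auth_hash(vault_key: bytes) -> bytes:
    """Client side: one more one-way step turns the vault key into a login
    credential. Servers only ever see this; SHA-256 cannot be run backwards."""
    return hashlib.sha256(b"auth-hash:" + vault_key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stdlib-only stand-in for AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate sub-keys: nonce || ciphertext || tag."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching ciphertext; a wrong key raises ValueError."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault tag mismatch: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class VaultServer:
    """Server side: stores a salted, stretched verifier of the auth hash and the
    opaque blob. Nothing here can decrypt the vault."""

    def __init__(self) -> None:
        self.users: dict[str, dict[str, bytes]] = {}

    def register(self, email: str, auth_hash: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 10_000)
        self.users[email] = {"salt": salt, "verifier": verifier, "blob": blob}

    def login(self, email: str, auth_hash: bytes) -> bytes | None:
        """Constant-time verifier check; success returns the encrypted blob."""
        rec = self.users.get(email)
        if rec is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, rec["salt"], 10_000)
        return rec["blob"] if hmac.compare_digest(candidate, rec["verifier"]) else None


def run_scenario() -> dict[str, bool]:
    """Constructed user; returns what a forum compromise yields under each design."""
    email, master, secrets = "alice@example.com", "correct horse battery staple", b"gmail: s3cr3t"
    vault_key = derive_vault_key(master, email)
    auth_hash = derive_auth_hash(vault_key)
    server = VaultServer()
    server.register(email, auth_hash, encrypt_vault(vault_key, secrets))

    # Hash-only design (the commenter's steps): the stolen auth hash logs in
    # and fetches the blob, but the blob will not open with it.
    stolen_blob = server.login(email, auth_hash)
    try:
        decrypt_vault(auth_hash, stolen_blob)
        hash_thief_reads_vault = True
    except ValueError:
        hash_thief_reads_vault = False

    # Raw-password design (the OP's complaint): a forum that received the
    # master password simply re-runs the client KDF and reads everything.
    key_from_forum = derive_vault_key(master, email)
    blob = server.login(email, derive_auth_hash(key_from_forum))
    return {
        "hash_thief_gets_blob": stolen_blob is not None,
        "hash_thief_reads_vault": hash_thief_reads_vault,
        "password_thief_reads_vault": decrypt_vault(key_from_forum, blob) == secrets,
    }
```

The distinction the thread circles around is visible in `run_scenario()`: both attackers can reach the encrypted blob, and only the one who saw the password itself can turn it into plaintext. Whether a given product's SSO sends the password or a derived hash is exactly the fact a user would need to verify, and it is not determinable from the login form alone.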

1.) Find exploit in forum software/server.

2.) Modify login.php to send form username/password to attackers server.

Except there is no forum login page, just a SAML redirect to their SSO login.
Modify login page to have a login form
And that link can be changed.
0.) LastPass login page is hacked with a skimmer.

1.) Game over.

Oh my god, they really do that?

I trust you to be right, but that's so incredibly stupid it's hard to believe someone selling a password manager would do that!