LastPass password manager gets security patch against password leakage bug

When there’s a database breach involving passwords, which seems to be disappointingly often these days, we usually end up advising you to change your passwords, just in case.

Stolen passwords of this sort are supposed to be salted-and-hashed, so that the actual password you chose isn’t directly available to the cybercrooks.

Nevertheless, with the hashes in their possession, they’re one step closer to guessing correctly.

→ Password databases shouldn’t use hashes as an excuse for poor security. That’s because someone with the database can try out passwords, typically by the bazillion, and use the hashes to find out when they’ve guessed correctly. Password hashes are an important layer of defence, but they’re only one of many layers that should be in place. Password databases shouldn’t get stolen in the first place. Just to be clear.
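To make the point above concrete, here is an added example (written for this article, not code from LastPass or from the original post) of what “salted-and-hashed” means in practice: a per-user random salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library), and a constant-time comparison. The iteration count is an assumed value for the demo. The last function shows why the hash is only one layer: whoever holds the record can check guesses at exactly the rate the verifier can, so the work factor sets the price of each guess but never stops guessing.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed work factor for this demo (not a value from the article); raise it
# until one verification takes as long as your login path can tolerate.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salt-and-hash a password and return a self-describing record.

    Format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    Keeping the parameters in the record lets the work factor be raised
    later without invalidating entries hashed under the old setting.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh, random, per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Re-derive the digest from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived, bytes.fromhex(digest_hex))


def salts_differ(password: str) -> bool:
    """Two users with the same password get unrelated digests, so a stolen
    database does not even reveal which accounts share a password."""
    first = hash_password(password).split("$")[3]
    second = hash_password(password).split("$")[3]
    return first != second


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Estimate how many candidates per second one CPU core can check
    against a single record at the given work factor.  Whoever holds the
    record pays this same cost per guess: a slow KDF does not prevent
    guessing, it only makes each guess expensive."""
    record = hash_password("constructed-sample-password", iterations=iterations)
    start = time.perf_counter()
    for _ in range(samples):
        verify_password("not-the-password", record)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


if __name__ == "__main__":
    record = hash_password("S01?wouldE=myP")
    print("stored record:", record)
    print("correct password verifies:", verify_password("S01?wouldE=myP", record))
    print("wrong password verifies:  ", verify_password("S01?wouldE=myp", record))
    print("same password, different salt:", salts_differ("S01?wouldE=myP"))
    for n in (1, 1_000, 100_000):
        rate = guesses_per_second(n)
        print(f"{n:>8} iterations: ~{rate:,.0f} guesses/s on one core")
```

Run it and compare the guesses-per-second figures: a single fast hash lets one core test hundreds of thousands of candidates a second, while a six-figure iteration count drops that to tens per second. That is the whole benefit of the salt-and-hash layer, and also its limit, which is why the database still must not leak in the first place.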

While we’re about it, we usually take the opportunity to suggest that you make your passwords reasonably complex, for example: a 14-character mix of UPPERS, lowers, d1g1t5 and \/\/@ckies (punctuation marks).

And we urge you not to choose the same password for more than one site, so that attackers don’t end up with a skeleton key to all your online accounts if they manage to breach any one of them.

This advice, of course, means you might end up with a list of passwords that becomes decreasingly easy to remember, like this:

Facebook:     S01?wouldE=myP
Twitter:      Ft1,IdtutGC'sA
Webmail:      aPWDmw1oft(CA)
Cartoon site: incorrectdonkeyaccumulatorclip

As a result, we often also suggest using a password manager that can generate hard-to-guess passwords for you, and then keep them locked up with one very-well-chosen master password.

Of course, this always begs the question, “What if the password manager gets breached?”

That is a very good question, and we don’t have an easy answer, because there isn’t one.

(Useful ways to mitigate that risk include: don’t save your really important passwords, such as those for banking and taxation, along with the rest; and insist on two-factor authentication wherever you can.)

Well worth a listen while you’re here

Sophos Techknow Podcast: Two-factor Authentication Explained

(15 April 2013, duration 16’25”, size 9.9MBytes)

We’ve invariably avoided taking sides by not explicitly recommending any particular product, but LastPass is one that regularly appears in our articles.

And, wouldn’t you know it, LastPass just pushed out an update that fixes, amongst other things, a security hole that could leak your precious password secrets.

We urge you to grab that update, which came out two days ago, on the grounds that a security hole patched is, simply put, no longer a security hole.

But don’t panic, as there are some palliative factors:

  • The bug affects Internet Explorer users on Windows only.
  • The bug requires an attacker to perform a memory dump of Internet Explorer.

A memory dump is where you connect from one process to another, and suck out the contents of the system memory it’s using.

Apparently, until the 16 August 2013 update, a LastPass memory dump might well be found to contain unencrypted password strings.

This is the same sort of attack that we have written about frequently in the context of banking malware.

Stymied by data protection regulations that force financial institutions to encrypt credit card data when it is saved to disk, the crooks have taken to riffling through memory instead.

They hope to find the raw data from your card’s magnetic stripe as it passes through memory on its way from the card reader onto the disk or network.

Generally, though admittedly not always, that means you need access to the victim’s computer, and perhaps even administrator-level powers, which usually means getting malware onto the computer first.

And if you can do that, then most, though not necessarily all, security bets are off anyway.

So if you are confident you haven’t been infected with malware since you last changed your passwords, then you’re probably OK just grabbing the LastPass update and installing it as soon as you can.

On the other hand, since in cases like this we usually advise you to change your passwords anyway, just in case…

…you may want to change your passwords anyway, just in case.