LastPass password manager gets security patch against password leakage bug

Filed Under: Data loss, Featured, Privacy, Vulnerability

When there's a database breach involving passwords, which seems to be disappointingly often these days, we usually end up advising you to change your passwords, just in case.

Stolen passwords of this sort are supposed to be salted-and-hashed, so that the actual password you chose isn't directly available to the cybercrooks.

Nevertheless, with the hashes in their possession, they're one step closer to guessing correctly.

→ Password databases shouldn't uses hashes as an excuse for poor security. That's because someone with the database can try out passwords, typically by the bazillion, and use the hashes to find out when they've guessed correctly. Password hashes are an important layer of defence, but they're only one of many layers that should be in place. Password databases shouldn't get stolen in the first place. Just to be clear.

While we're about it, we usually take the opportunity to suggest that you make your passwords reasonably complex, for example: a 14-character mix of UPPERS, lowers, d1g1t5 and \/\/@ckies (punctuation marks).

And we urge you not to choose the same password for more than one site, so that attackers don't end up with a skeleton key to all your online accounts if they manage to breach any one of them.

This advice, of course, means you might end up with a list of passwords that becomes decreasingly easy to remember, like this:

Facebook:     S01?wouldE=myP
Twitter:      Ft1,IdtutGC'sA
Webmail:      aPWDmw1oft(CA)
Cartoon site: incorrectdonkeyaccumulatorclip

As a result, we often also suggest using a password manager that can generate hard-to-guess passwords for you, and then keep them locked up with one very-well-chosen master password.

Of course, this always begs the question, "What if the password manager gets breached?"

That is a very good question, and we don't have an easy answer, because there isn't one.

(Useful ways to mitigate that risk include: don't save your really important passwords, such as those for banking and taxation, along with the rest; and insist on two-factor authentication wherever you can.)

Well worth a listen while you're here

Sophos Techknow Podcast: Two-factor Authentication Explained

(15 April 2013, duration 16'25", size 9.9MBytes)

We've invariably avoided taking sides by not explicitly recommending any particular product, but LastPass is one that regularly appears in our articles.

And, wouldn't you know it, LastPass just pushed out a update that fixes, amongst other things, a security hole that could leak your precious password secrets.

We urge you to grab that update, which came out two days ago, on the grounds that a security hole patched is, simply put, no longer a security hole.

But don't panic, as there are some palliative factors:

  • The bug affects Internet Explorer users on Windows only.
  • The bug requires an attacker to perform a memory dump of Internet Explorer.

A memory dump is where you connect from one process to another, and suck out the contents of the system memory it's using.

Apparently, until the 16 August 2013 update, a LastPass memory dump might well be found to contain unencrypted pasword strings.

This is the same sort of attack that we have written about frequently in the context of banking malware.

Stymied by data protection regulations that force financial institutions to encrypt credit card data when it is saved to disk, the crooks have taken to riffling through memory instead.

They hope to find the raw data from your card's magnetic stripe as it passes through memory on its way from the card reader onto the disk or network.

Generally, though admittedly not always, that means you need access to the victim's computer, and perhaps even administrator-level powers, which usually means getting malware onto the computer first.

And if you can do that, then most, though not necessarily all, security bets are off anyway.

So if you are confident you haven't been infected with malware since you last changed your passwords, then you're probably OK just grabbing the LastPass update and installing it as soon as you can.

On the other hand, since in cases like this we usually advise you to change your passwords anyway, just in case... may want to change your passwords anyway, just in case.

, , , ,

You might like

14 Responses to LastPass password manager gets security patch against password leakage bug

  1. I still remember wining the Porsche at a MS/RSA event in Reading they asked us to all enter our passwords into a "secure system" and they would try to break the encryption, I used my old password at the time that I no longer used and it was the most secure password entered! Password generators are pants, one of the best things you can do is use a pound sign as most programs are developed to crack American passwords and don't use obscure symbols like the pound sign by default. I still remember that with all the processing power at the MS campus in Reading in 6 hours they only managed to get 2 characters out of a 14 character password! Best thing to do is make a numberplate up and add a few special characters, numbers etc to 16 or 18 characters!

    • Anon · 776 days ago

      Just because your password is long, or contains special characters does not make is secure. The password database that I am currently using is a conglomerate of 16 different languages, and full char sets.
      I'm part of a password cracking contest (kind of), and the longest password that I have cracked thus far has been 24 characters. Without going back to my notes I believe it was full alpha numeric. I believe there was another password that was full character set, and it was 13 or 14 chars long that was cracked as well. Both of these passwords were cracked in about 6 minutes. Granted they were using a weak hash (unsalted MD5), but that shouldn't take away from my point.
      There are numerous factors that you have to take into account when generating passwords. Lack of password masking is probably one of the biggest things that is helping to speed up the process of cracking unknown passwords.

      I am unfamiliar with the MS/RSA competition. But how did they know they got 2 characters out of a 14 character password? Hashing that I know of is either a 1 or a 0. You either have guessed the password and it matches the hash, or you have not. Although it depends on the hashing algorithm used.

  2. Rich · 777 days ago

    I'm not sure LastPass has ever claimed to be resilient against local malware, and I'm not sure I'd trust a password manager that claimed otherwise.

    All that malware needs to do is keylog your password, and then decrypt the cached copy of your lastpass vault. If you don't have a local copy of your vault stored (you can disable this through account settings when you have 2 factor enabled, and you probably should), then malware would presumably need to get slightly more creative. I don't think they would need to do much more than keylog your password and then just take a memory dump as described in this exploit.

  3. jet86 · 776 days ago

    "incorrectdonkeyaccumulatorclip" has to be the greatest password ever...

    • njorl · 776 days ago

      Reasonably vulnerable to a simple, systematic, attack. The string is a list of four, common, English words. If you've anticipated people sticking together a few words to create a password, and your dictionary's coverage of sophisticated words does not greatly surpass the vocabulary exercised by the password setter, the number of tries is not exceptional.

      The following article, and the Cameron Morris utility it links, provide quite a lot of insight:

      Cameron Morris appears to consider "accumulator" an uncommon word. (Perhaps he doesn't have parents who reminisce about taking the accumulator from the wireless to be recharged.) If he considered it to be as common as he does "nightingale", the estimated time to crack (best case) would drop from around 3 years to around 3 months. (Best case: weakest hashing algorithm and most powerful hardware.)

      • Its a reference to an xkcd comic that suggested 'correct horse battery staple' as a password:

      • Deramin · 776 days ago

        This is pretty much the problem with passwords in general. At a certain point, you're not cracking the password so much as the person who made the password. And humans are terrible at randomness. There's no real middle ground between a password that's hard to break and one we have any hope at all of remembering. At best we can achieve memorable and "slightly more annoying than most to crack".

        We've got this password hammer, so we see everything as nails, but screws may be more appropriate for holding the security house together. What exactly the screw represents in that analogy is beyond me though. Maybe 2 factor authentication, but that has it's own problems.

  4. Paul · 776 days ago

    The CIA/NSA has so far failed to install a webcam in my bedroom that can read any post-its stuck under my keyboard. Just sayin'.

  5. cubsandpuppies · 776 days ago

    Sheesh! This password business is a job in itself. I just had this conversation recently about keeping one password as gatekeeper for all passwords. Nothing is safe in cyber world. I spend so much time in my little password notebook I have created with my ever-changing passwords,

  6. Steven Paligo · 776 days ago

    I have a way to safeguard your passwords even if LastPass is breached. Imagine a password that is broken up into two parts. The first part is generated by LastPass and stored by it. The second is a suffix you can easily generate when you visit the site. For example, reversing the first 5 letters of the domain name. Using this system, you can have LastPass auto-fill your password on a site and then type in the suffix to complete it. All you have to do is remember the scheme for generating a suffix and you're in!

    Granted this won't protect against local malware, but it will help if your LastPass master password is leaked.

  7. smithargus72 · 776 days ago

    aha, xkcd reference :D

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog