Oops... Popular Password Managers Are Not As Secure As You Think
2014-07-15, 01:30 PM,
#1

Quote: Just a few days ago, we reported two critical vulnerabilities in the mobile version of the most popular password manager application from the popular password management company RoboForm, which manages your passwords for different websites.

Now, researchers have published a detailed explanation of the security vulnerabilities discovered in five different popular password managers, including RoboForm, that could allow cybercriminals to grab your credentials.

The serious security holes were found and reported by University of California, Berkeley researchers Zhiwei Li, Warren He, Devdatta Akhawe and Dawn Song. The critical vulnerabilities were discovered in popular password managers including RoboForm, LastPass, My1Login, PasswordBox and NeedMyPassword.

"Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user's credentials for arbitrary websites," the researchers wrote in the paper (PDF) titled The Emperor's New Password Manager: Security Analysis of Web-based Password Managers.

"We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root causes of the vulnerabilities are also diverse: ranging from logic and authorisation mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF (cross-site request forgery) and XSS (cross-site scripting)."

There is no doubt that unless we are human supercomputers, remembering passwords is not an easy task, especially if you have a different password for every site. But luckily, to make the whole process very easy, there is a growing market out there for password managers and lockers, which provide an extra layer of protection. But where to go?

LastPass is a popular, award-winning password manager service available on phones, tablets and desktops for all the major operating systems and browsers. The LastPass bookmarklet option, which permits ad-hoc integration with the most popular iOS browser, Safari, was found vulnerable if a cybercriminal tricked users into running the Java code on their malicious site.

Moreover, other critical CSRF vulnerabilities were found in LastPass and RoboForm, whereas NeedMyPassword contains both CSRF and XSS vulnerabilities.

The XSS vulnerabilities in NeedMyPassword could allow attackers to completely take over users' accounts, while the CSRF vulnerabilities in LastPass and RoboForm could allow an attacker to update, delete, and add arbitrary credentials to a user's credential database, as well as to obtain the entire master-password-encrypted vault for later brute-forcing, and to erase any stored website password.

LastPass has responded to the recent disclosure and issued a statement assuring that the company pushed out a fix in September last year that addresses the vulnerabilities affecting its Java bookmarklets and one-time passwords.

"If you are concerned that you've used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don't think it is necessary," said chief information officer Joe Siegrist.

"The OTP attack is a 'targeted attack' requiring an attacker to know the user's username to potentially exploit it, and serve that custom attack [for each] user, [which is] activity which we have not seen. Even if this was exploited, the attacker would still not have the key to decrypt user data."

The combined work of the researchers is a wake-up call for developers of web-based password managers to build more secure and principled password managers for their users.

"Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem," wrote the researchers, adding that "we believe developing a secure web-based password manager entails a systematic, defense-in-depth approach."

Source
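As an added illustration (not code from the article, the Berkeley paper, or any of the products named above): a minimal Python model of a password manager's credential-update endpoint, showing why cookie-only authentication lets a page the user merely visits add or overwrite vault entries, the CSRF outcome the article describes, and the Origin-header and per-session-token checks that block it. The origin `https://vault.example`, the attacker origin and every request value are constructed.

```python
import secrets
from dataclasses import dataclass, field

SESSIONS = {}  # constructed in-memory store: session-cookie value -> Session
VAULTS = {}    # user -> {site: password}
SITE_ORIGIN = "https://vault.example"  # hypothetical origin of the password manager

@dataclass
class Request:
    headers: dict
    cookies: dict
    body: dict

@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

def new_session(user):
    """Log a user in: mint a session cookie and make sure they have a vault."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user)
    VAULTS.setdefault(user, {})
    return sid

def vulnerable_update(req):
    """Authenticates with the session cookie alone. The browser attaches that cookie
    to a cross-site POST too, so any page the victim visits can write to the vault."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    VAULTS[sess.user][req.body["site"]] = req.body["password"]
    return 200

def hardened_update(req):
    """Same endpoint with two independent CSRF defences: Origin must be the manager's
    own, and the body must carry the per-session token a cross-site page cannot read."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    if req.headers.get("Origin") != SITE_ORIGIN:
        return 403
    if not secrets.compare_digest(req.body.get("csrf", ""), sess.csrf_token):
        return 403
    VAULTS[sess.user][req.body["site"]] = req.body["password"]
    return 200

def forged_request(sid):
    # Server-side view of an auto-submitted cross-site form: victim's cookie rides along,
    # but Origin is the attacker's and the session token is unknown to them.
    return Request({"Origin": "https://attacker.example"}, {"sid": sid},
                   {"site": "bank.example", "password": "attacker-chosen"})
```

Either check on its own already defeats the forged request; both are kept because a browser or proxy that strips `Origin` would otherwise leave the endpoint relying on a single control.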
2014-07-16, 12:18 AM,
#2
I hope they'll improve LastPass security because I've been using it for quite a while now.
2014-07-16, 01:03 AM,
#3
They better get it together over there :P
2014-07-16, 03:05 AM,
#4
I don't even get why people are using these kinds of software to store their passwords in..
Nothing is fully secured; there's always a way for hackers to exploit the software.

2014-07-16, 03:13 AM,
#5
(2014-07-16, 03:05 AM)DutchPride Wrote: I don't even get why people are using these kinds of software to store their passwords in..
Nothing is fully secured; there's always a way for hackers to exploit the software.

When you have a lot of email accounts (I personally have 5) plus accounts on different websites and forums (and I am talking about a serious number), you want to have a different password for each one, and it's pretty much impossible to remember all the passwords, especially when you're trying to access a website that you haven't visited for ages. This is where a program such as LastPass comes in and does the easy thing for you. I have no billions in my PayPal accounts (got about 32 cents tho) so I am not worried about any hackers lol
2014-07-16, 03:33 AM,
#6
(2014-07-16, 03:13 AM)Fridge Wrote:
When you have a lot of email accounts (I personally have 5) plus accounts on different websites and forums (and I am talking about a serious number), you want to have a different password for each one, and it's pretty much impossible to remember all the passwords, especially when you're trying to access a website that you haven't visited for ages. This is where a program such as LastPass comes in and does the easy thing for you. I have no billions in my PayPal accounts (got about 32 cents tho) so I am not worried about any hackers lol

That's true, but then if I were you I would keep them somewhere written down..
Just make sure that if your house gets broken into, it's not easy to find.

2014-07-16, 03:41 AM,
#7
(2014-07-16, 03:33 AM)DutchPride Wrote:
That's true, but then if I were you I would keep them somewhere written down..
Just make sure that if your house gets broken into, it's not easy to find.

Before downloading LastPass (which was about 1 year ago) I actually used a notepad, but the thing is that somehow I could never find that notepad. And after all, LastPass is a much faster alternative, and what I love about it is that if I reinstall my Windows I just have to download the Chrome extension, log into my account and bang, when I visit a website where I am registered, LastPass starts doing its job.

Of course, if my name were Donald Trump I would not trust something like LastPass, but unfortunately that's not the case lol
2014-07-16, 03:51 AM,
#8
(2014-07-16, 03:33 AM)DutchPride Wrote:
That's true, but then if I were you I would keep them somewhere written down..
Just make sure that if your house gets broken into, it's not easy to find.

lmao if I broke into a house I wouldn't be searching your computer for passwords hahaha, I would be taking it xD
2014-07-16, 02:22 PM,
#9
I don't use any programs or websites to hold my passwords. I just write them down in my notebook and I'm sure that nobody will get my passwords :)
2014-07-16, 02:29 PM,
#10
I use the forgot-password feature hahahahah. :)