In September, Black Hat Europe announced an interesting talk entitled “Even the LastPass will be stolen, deal with it”. As reported in an earlier article, it was anticipated (based on the description in the conference announcement) that the “Remember Password” option was the likely attack vector.
The presentation was delivered last week, and as reported on the French news site 01net.com, the attack was actually based on various mechanisms within the account reset feature rather than the remember password option.
Of course, the compromise of a password manager raises a big question: Is LastPass safe?
I am confident that not only is LastPass still safe to use but more importantly, I submit to you that any password manager is safer than the current password practices used by most folks.
If you store your passwords in a file on your computer, they are at greater risk of being discovered through a cursory search without the special technical skills required to compromise a password manager.
Go ahead and try it. Fire up the search tool and search for any of the following terms within the files: pw (the abbreviation for password), u: (as in username), or the name of any popular social website. Chances are that a standard file search tool will reveal your entire password list, even though you put all of them in a spreadsheet that you cleverly named “Air Miles.xlsx” to throw off the hackers.
Please do not demonstrate this on the machines of your friends and family, as they will hate it if you show them how easily their secret file is found. Suggest that they try it on their own.
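For readers who want to run that self-check on their own files, here is a small audit script. It is an added example, not part of the original article; it goes slightly further than a plain file search by also reading the XML inside .xlsx and .docx containers, which is why a decoy file name offers no protection. The function names, the list of site names and the two-marker threshold are assumptions chosen for illustration.

```python
import os
import re
import tempfile
import zipfile

# Terms from the article; the site names are assumptions chosen for illustration.
MARKERS = {"pw": re.compile(r"\bpw\b", re.I), "u:": re.compile(r"\bu:", re.I),
           "site": re.compile(r"\b(facebook|twitter|linkedin)\b", re.I)}
OFFICE, PLAIN = {".xlsx", ".docx"}, {".txt", ".csv"}   # zip containers vs. text
LIMIT = 2_000_000                    # read cap per file or zip member


def extract_text(path):
    """Return searchable text from a plain file or an Office zip container."""
    ext = os.path.splitext(path)[1].lower()
    try:
        if ext in OFFICE:
            with zipfile.ZipFile(path) as zf:
                xml = " ".join(zf.open(n).read(LIMIT).decode("utf-8", "ignore")
                               for n in zf.namelist() if n.endswith(".xml"))
            return re.sub(r"<[^>]+>", " ", xml)   # drop tags, keep cell text
        if ext in PLAIN:
            with open(path, "rb") as fh:
                return fh.read(LIMIT).decode("utf-8", "ignore")
    except (OSError, zipfile.BadZipFile):
        pass                                      # unreadable file: skip it
    return ""


def audit(root, min_hits=2):
    """Map files under root (relative path) to the markers found in them."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in files):
            text = extract_text(path)
            hits = sorted(k for k, rx in MARKERS.items() if rx.search(text))
            if len(hits) >= min_hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo():
    """Constructed sample: a decoy-named spreadsheet and a harmless note."""
    with tempfile.TemporaryDirectory() as d:
        with zipfile.ZipFile(os.path.join(d, "Air Miles.xlsx"), "w") as zf:
            zf.writestr("xl/sharedStrings.xml",
                        "<sst><si><t>facebook</t></si><si><t>u: bob pw: example</t></si></sst>")
        with open(os.path.join(d, "notes.txt"), "w") as fh:
            fh.write("Call the dentist about Tuesday")
        return audit(d)
```

Calling `audit()` on your own documents folder lists the files worth moving into a password manager; only marker names are reported, never the matched text.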
The attack on the password manager also required full access to the target machine. As with most of the popular computer crimes, social engineering would come into play in this scenario. Once you fall prey to a social engineering scam, you have little protection against the theft of most of the information stored on your machine.
However, this story has a happy ending. When notified of the vulnerabilities and the proof of concept that those vulnerabilities could be exploited, the people at LastPass not only responded rapidly, but they had the vulnerabilities patched within 72 hours. That is quite an impressive response.
It would seem that even the worst password manager is better than the most common method in use by folks. The researchers who revealed the LastPass vulnerabilities also agreed that using a password manager is still better than keeping passwords stored in a spreadsheet.
Password managers are not without their own problems, but the current methods that most folks use cause nothing but problems.
About the Author: Bob Covello (@BobCovello) is a 20-year technology veteran and InfoSec analyst with a passion for security topics. He is also a volunteer for various organizations focused on advocating for and advising others about staying safe and secure online.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.