Flaws In Password Manager LastPass Expose Users' Passwords

Don't panic, but security researchers found several ways to expose users' passwords by attacking LastPass.

Nov 20 2015, 5:54pm

Image: Christiaan Colen/Flickr

On the internet, nothing is unhackable.

That's the main takeaway from new research showing that the popular password manager LastPass, which is generally considered secure, actually has a series of flaws that could expose users' passwords.

Two security researchers detailed a series of questionable security practices and design flaws in LastPass in a presentation last week at the security conference Black Hat in Europe.

Martin Vigo and Alberto Garcia Illera, two researchers working for Salesforce, found a way for an attacker with access to the victim's computer to obtain a key needed to decrypt the password vault, bypass two-factor authentication, and abuse the "account recovery" feature, which allows an attacker to access the victim's vault without knowing the master password or going through the two-factor authentication process.

Vigo and Illera also showed that it's theoretically possible for LastPass to steal the passwords stored inside a user's vault if the company wanted to, or was forced to do so by a police or spy agency.

Despite all this, the two researchers noted that LastPass is "still a solid tool," and a better option than reusing passwords (a big no-no) or storing them in a text file or document on your computer. The two also noted that even though they only looked at LastPass, it's possible that similar issues exist in other password managers.

"There is no bug-free software and any future research on other password managers would likely have similar results," Vigo wrote in a blog post explaining the research.

The two researchers also reported their findings to LastPass, and the company responded by fixing "a lot of the issues," according to Vigo.

On Wednesday LastPass announced that it has implemented new security measures in response to the research. It gave users a series of recommendations on how to harden their LastPass account, following some of the tips the researchers themselves offered.

"Though we continue to do everything in our power to fortify LastPass," a spokesperson wrote in a blog post, "we also believe in helping LastPass users better understand not only the security options we offer, but also how they can best protect their devices from malware and other threats."

If you use LastPass, the company's blog post recommends, among other best practices, that you avoid the "remember master password" feature, use the binary version of LastPass, turn on two-factor authentication, and use SMS account recovery.

And before panicking and thinking of abandoning LastPass, remember that no software is perfect. Another security researcher recently showed that it was possible to steal user passwords from another manager, KeePass, which doesn't upload anything to the cloud.

As security expert Bob Covello pointed out in a blog post in response to the researchers' findings, "LastPass is still safe," and "any password manager is safer than the current password practices used by most folks."