Yesterday, at ShmooCon, security researcher Sean Cassidy announced a vulnerability in the popular LastPass password manager. He demonstrated a way that an attacker could send a user a phishing email, redirecting them to a specially crafted web page which logged them out of LastPass and presenting a “pixel perfect” copy of the LastPass login screen where the user could then enter their user name, master password and two factor authentication code. This information would be sent to the attacker, who would then have access to all of the user’s passwords.
Key to this evil plan was a “cross site request forgery” (CSRF) vulnerability in LastPass, which allowed the attacker to force the user to log out of the password manager. This vulnerability has been fixed in the latest version of the application, so this particular attack will not work today and LastPass users should not panic.
I have been a proponent of password managers in general and LastPass in particular and still think that LastPass, DashLane, Keepass and the like are great solutions for protecting your online accounts. In my opinion, the extra security you achieve by having unique long, strong passwords for each of your accounts outweighs the risks posed by using a password manager.
One of the debates around LassPass and its online brethren is whether their practice of storing encrypted versions of passwords in the cloud to allow them to be shared amongst devices and browsers presents too much of a security risk. Many people prefer to use offline password managers like Keepass which store the encrypted passwords locally. I can see the case for either choice, but I feel that for most people, the ease of use of a synchronized solution like LastPass or DashLane makes it more likely that they will use long, strong, unique passwords for all sites. In particular, the ability to use these programs with both mobile and desktop devices is important – non synchronized password managers can be a pain to use and keep up to date on mobile devices, where we are increasingly leading much of our online lives.
I did take this opportunity, however, to look at LastPass’ main competitors, Dashlane and was quite impressed with it from an ease of use point of view. It definitely gives a superior user experience on the mobile platform, but it does not seem to allow you to store attachments in Secure Notes, which is a LastPass feature I like and use. Dashlane is more expensive than LastPass ($39 per year versus LastPass’ $12 price tag). Dashlane seems to be easier to configure for the non technical user and uses the device itself as a second form of authentication, obviating the need for a separate authorization code. Of course, this means that a stolen phone or iPad could give an attacker access to your passwords, but you can specify a PIN or use the iPhone’s fingerprint reader to control access. I was able to import my LastPass data into Dashlane really easily and they provide a 30 day trial of their premium features, which I am currently taking advantage of. I’ll let you know how it goes.
To summarize, this vulnerability points out how seemingly innocuous vulnerabilities (being able to remotely log someone out of a website or tool) can be leveraged by malicious miscreants for their nefarious purposes. However, it is not a show stopper for LastPass and they seem to have responded in a timely fashion. Password managers are still a great security solution.
So, the risk management mavens for the City of Portland, Oregon have provided us all with an object lesson in how not to make risk based decisions. It seems that one of the local young rowdies had the audacity to