LastPass, 1Password and other password managers can be hacked: What to do now

Mar 25, 2020
Saying that a password manager is at risk of phishing is really saying that some users are at risk of phishing. It's not something that can be fixed. Users have to be vigilant.

If a password manager fails to fill in a form due to phishing, it won't prevent someone from opening the password manager and copying and pasting credentials after not knowing why the manager failed to do it on its own.

Anybody trying to steal a password through phishing won't be targeting people who use password managers, but people in general. They will be relying on people reusing credentials across websites, which is something that won't happen to users of password managers.

It's not surprising that it's a low priority. It would be a lot harder to get people to install a rogue Gmail app than to simply try 12345 and see if it works.

aleghart

Why is this being published as "new"? Did anyone from Tom's Guide read the research? The LastPass version was 4.1.60, released July 6, 2017.

The posting date of research is less relevant than what's inside the research.

This is old information, and should be removed. Otherwise, Tom's Guide is causing public panic for the sake of click-bait metrics.
Mar 25, 2020
This is old information, and should be removed. Otherwise, Tom's Guide is causing public panic for the sake of click-bait metrics.
Absolutely.
Seems very clickbait, actually. It's really full of old and redundant information. Needs all that old stuff removed.
 
Mar 27, 2020
Saying that a password manager is at risk of phishing is really saying that some users are at risk of phishing. It's not something that can be fixed. Users have to be vigilant.

If a password manager fails to fill in a form due to phishing, it won't prevent someone from opening the password manager and copying and pasting credentials after not knowing why the manager failed to do it on its own.

Anybody trying to steal a password through phishing won't be targeting people who use password managers, but people in general. They will be relying on people reusing credentials across websites, which is something that won't happen to users of password managers.

It's not surprising that it's a low priority. It would be a lot harder to get people to install a rogue Gmail app than to simply try 12345 and see if it works.
The real issue is that LastPass and 1Password used only an app's APK name (e.g. com.google.com) to verify its authenticity. That meant that any app that used the same name could trick the password managers into autofilling the credentials for the real app into the fake app. If it was done properly, the user would not even notice.
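The defensive fix for a package-name-only check is to bind each saved credential to the signing certificate of the app it was saved for, the same identity Android uses to decide whether an APK update is legitimate. The following is an added example, not any vendor's code: the weak check beside the hardened one, using constructed package names and certificate bytes.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded signing certificates (not real certificates).
GENUINE_CERT_DER = b"constructed-der-bytes-for-the-real-mail-app"
LOOKALIKE_CERT_DER = b"constructed-der-bytes-for-an-impostor-app"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes, hex encoded; this is what gets pinned."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass(frozen=True)
class InstalledApp:
    package_name: str        # the APK package name the thread refers to
    signing_cert_der: bytes  # certificate the installer verified the APK against


@dataclass(frozen=True)
class VaultEntry:
    package_name: str
    expected_fingerprint: str  # hypothetical field: pinned when the credential was first saved
    username: str


def weak_autofill_allowed(app: InstalledApp, entry: VaultEntry) -> bool:
    """The flawed check described in the thread: package name alone decides trust."""
    return app.package_name == entry.package_name


def strict_autofill_allowed(app: InstalledApp, entry: VaultEntry) -> bool:
    """Hardened check: package name AND signing certificate must match the pinned values."""
    if app.package_name != entry.package_name:
        return False
    # Constant-time comparison so the check does not leak how many hex digits matched.
    return hmac.compare_digest(cert_fingerprint(app.signing_cert_der), entry.expected_fingerprint)


def demo() -> dict:
    """Run both checks against the genuine app and an impostor reusing its package name."""
    entry = VaultEntry("com.example.mail", cert_fingerprint(GENUINE_CERT_DER), "alice")
    genuine = InstalledApp("com.example.mail", GENUINE_CERT_DER)
    impostor = InstalledApp("com.example.mail", LOOKALIKE_CERT_DER)
    return {
        "weak_genuine": weak_autofill_allowed(genuine, entry),
        "weak_impostor": weak_autofill_allowed(impostor, entry),      # True: the flaw
        "strict_genuine": strict_autofill_allowed(genuine, entry),
        "strict_impostor": strict_autofill_allowed(impostor, entry),  # False: blocked
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'fill' if allowed else 'refuse'}")
```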
 
Mar 27, 2020
Why is this being published as "new"? Did anyone from Tom's Guide read the research? The LastPass version was 4.1.60, released July 6, 2017.

The posting date of research is less relevant than what's inside the research.

This is old information, and should be removed. Otherwise, Tom's Guide is causing public panic for the sake of click-bait metrics.
I disagree, obviously. I don't know why the study authors waited so long to publish, but all of the vulnerabilities mentioned have NOT been patched.

Some of this "old" information is unfortunately still very relevant. One vendor is currently patching the flaws mentioned in the study as a result of the study, and this story, being published.

Before we ran the article, I sent each vendor a link to the study, asked each vendor detailed questions about the vulnerabilities mentioned, and gave each one 24 hours to respond with answers about which vulns had been patched, and which hadn't, and if not, why not.

Some of the vendors were very forthcoming and gave detailed answers. Some weren't, but all of them did respond, and their answers all made it into the original version of the story. You can see a point-by-point rundown of each flaw, and what each vendor is doing or has done about it, right in the body of the story.
 
Mar 27, 2020
Why is this being published as "new"? Did anyone from Tom's Guide read the research? The LastPass version was 4.1.60, released July 6, 2017.

The posting date of research is less relevant than what's inside the research.

This is old information, and should be removed. Otherwise, Tom's Guide is causing public panic for the sake of click-bait metrics.
Please see my response to the comment above. In short, the publication of this academic study, and our report on it, is making at least one vendor patch the reported vulnerabilities now. Not in 2017, or in 2019, but right now.