
Security Flaws Found in Five Password Managers

By Jill Scharr | Source: Tom's Guide US

Multiple security flaws have been discovered in five often-used Web-based password managers: LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword. Most of the discovered flaws have already been patched but nevertheless, the researchers who discovered them described the attacks as "severe."

The flaws stem from a variety of causes, including one-time passwords, bookmarklets (scripts used in browsers) and password-sharing, leading the researchers who discovered them to drop a "Pride and Prejudice" reference into the research paper disclosing the issues: "It is a truth universally acknowledged, that password-based authentication on the Web is insecure."


The most significant of the researchers' findings was that, in four of the five examined password managers, attackers could discover users' passwords for various websites.

The flaws found in LastPass, RoboForm, My1Login and PasswordBox have all been patched, and the researchers say these companies responded within a week of being contacted about the issues. NeedMyPassword, however, never responded to the researchers' original messages, and the flaws found on its service have not been patched.

The paper describing the flaws was coauthored by four researchers from the University of California, Berkeley: Zhiwei Li, Warren He, Devdatta Akhawe and Dawn Song. The paper, entitled "The Emperor's New Password Manager: Security Analysis of Web-based Password Managers," will be presented at the USENIX Security conference in San Diego this August.

For its part, LastPass says it waited until now to disclose its own flaws in order to let Li finish and publish the paper. 

The four researchers said they will create a tool for automating the detection of security flaws in password managers. They also plan to create a new password manager of their own that will be "secure-by-construction." 

LastPass responds

LastPass responded to the research over the weekend, saying that the flaws in its Web-based software had already been patched. The company claimed the flaws were minor to begin with.

LastPass said it addressed the two flaws that pertained to it "immediately" after learning about them last August, and has no evidence that attackers exploited these flaws in the wild before they were patched.

"If you are concerned that you've used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don't think it's necessary," LastPass noted in its blog post on the issue.

The first LastPass flaw, a bookmarklet flaw, could only be exploited if a LastPass user visited a malicious website that contained code specifically crafted to target the flaw, LastPass said.

Bookmarklets are scripts that are only used in contexts where the regular LastPass plugin isn't compatible, such as on mobile browsers. LastPass says that less than 1 percent of its users regularly used bookmarklets.

The other flaw, in LastPass's One Time Password feature, can only be exploited if the attacker knows the targeted LastPass user's last name.

"The attacker would still not have the key to decrypt user data," LastPass noted in its blog posting.

LastPass users can check the status of their One Time Passwords on the service's website.

Email jscharr@tomsguide.com or follow her @JillScharr and Google+. Follow us @TomsGuide, on Facebook and on Google+.

Comments
  • toastybatch565, July 14, 2014 2:32 PM (score: -2)
    What idiot uses password managers... Just write it all on a sticky note and stick it to your monitor, or put a virtual sticky note on your phone...
  • bluemax2006, July 15, 2014 6:46 AM (score: 0)
    Glad to hear these seem like somewhat minor issues that were fixed. I guess I am the idiot who uses Roboform, which has been very nice for my work. I switch between my work computer, home computer and a few other devices. For my particular work, having Roboform saves me time getting between the websites I use. I also travel considerably and like having a digital way of keeping track of things as opposed to sticky notes on a screen. Roboform is also a pretty secure, despite the issues above, way of keeping track of things. It's a convenience which I consider worthwhile.
  • bluemax2006, July 15, 2014 6:47 AM (score: 0)
    Sorry for the double post, it looked like my first comment did not get uploaded.
  • Roboform, August 1, 2014 12:23 PM (score: 0)
    Full disclosure, Team RoboForm here! We just wanted to say that we were aware of the paper and we have already fixed the potential issue within our Bookmarklet. If anyone would like more information, you can visit our blog post about it here: http://bit.ly/1pMHKnm Thanks!