Security Flaws Found in Five Password Managers

Multiple security flaws have been discovered in five often-used Web-based password managers: LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword. Most of the discovered flaws have already been patched but nevertheless, the researchers who discovered them described the attacks as "severe."

The flaws stem from a variety of causes, including one-time passwords, bookmarklets (scripts used in browsers) and password-sharing, leading the researchers who discovered them to drop a "Pride and Prejudice" reference into their research paper disclosing the issues: "It is a truth universally acknowledged, that password-based authentication on the Web is insecure."


The most significant of the researchers' findings was that, in four of the five examined password managers, attackers could discover users' passwords for various websites.

The flaws found in LastPass, RoboForm, My1Login and PasswordBox have all been patched, and the researchers say these companies responded within a week of being contacted about the issues. NeedMyPassword, however, never responded to the researchers' original messages, and the flaws found on its service have not been patched.

The paper describing the flaws was coauthored by four researchers from the University of California, Berkeley: Zhiwei Li, Warren He, Devdatta Akhawe and Dawn Song. The paper, entitled "The Emperor's New Password Manager: Security Analysis of Web-based Password Managers," will be presented at the USENIX Security conference in San Diego this August.

For its part, LastPass says it waited until now to disclose its own flaws in order to let Li finish and publish the paper.

The four researchers said they will create a tool for automating the detection of security flaws in password managers. They also plan to create a new password manager of their own that will be "secure-by-construction."

LastPass responds

LastPass responded to the research over the weekend, saying that the flaws in its Web-based software had already been patched. The company claimed the flaws were minor to begin with.

LastPass said it addressed the two flaws that pertained to it "immediately" after learning about them last August, and has no evidence that attackers exploited these flaws in the wild before they were patched.

"If you are concerned that you've used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don't think it's necessary," LastPass noted in its blog post on the issue.

The first LastPass flaw, a bookmarklet flaw, could only be exploited if a LastPass user visited a malicious website that contained code specifically crafted to target the flaw, LastPass said.

Bookmarklets are scripts that are only used in contexts where the regular LastPass plugin isn't compatible, such as on mobile browsers. LastPass says that less than 1 percent of its users regularly used bookmarklets.

The other flaw, in LastPass's One Time Password feature, can only be exploited if the attacker knows the individual targeted LastPass user's last name.

"The attacker would still not have the key to decrypt user data," LastPass noted in its blog posting.

LastPass users can check the status of their One Time Passwords on the service's website.


Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.