LastPass password manager gets security patch against password leakage bug

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Don't forget you can subscribe to the SophosLabs YouTube channel to find all our latest videos.

Hi there! If you're new here, you might want to subscribe to our RSS feed for updates.

Already using Google+? Find us on Google+ for the latest security news.

On LinkedIn? Join the Naked Security discussion group and connect with your peers in the security industry.

Sorry, something happened and we couldn't sign you up. Please come back later and try again.

Congratulations, you've successfully signed up for our daily news! Check your inbox soon, we've sent you an email.

Sorry, we won't accept that email address. Please try a different address.

We're adding your address to our list...

Join thousands of others, and sign up for Naked Security's newsletter

by Paul Ducklin on August 18, 2013 | 3 Comments

Filed Under: Data loss, Featured, Privacy, Vulnerability

When there's a database breach involving passwords, which seems to be disappointingly often these days, we usually end up advising you to change your passwords, just in case.
Stolen passwords of this sort are supposed to be salted-and-hashed, so that the actual password you chose isn't directly available to the cybercrooks.
Nevertheless, with the hashes in their possession, they're one step closer to guessing correctly.

→ Password databases shouldn't uses hashes as an excuse for poor security. That's because someone with the database can try out passwords, typically by the bazillion, and use the hashes to find out when they've guessed correctly. Password hashes are an important layer of defence, but they're only one of many layers that should be in place. Password databases shouldn't get stolen in the first place. Just to be clear.

While we're about it, we usually take the opportunity to suggest that you make your passwords reasonably complex, for example: a 14-character mix of UPPERS, lowers, d1g1t5 and \/\/@ckies (punctuation marks).

And we urge you not to choose the same password for more than one site, so that attackers don't end up with a skeleton key to all your online accounts if they manage to breach any one of them.
This advice, of course, means you might end up with a list of passwords that becomes decreasingly easy to remember, like this:

Facebook:     S01?wouldE=myP
Twitter:      Ft1,IdtutGC'sA
Webmail:      aPWDmw1oft(CA)
Cartoon site: incorrectdonkeyaccumulatorclip

As a result, we often also suggest using a password manager that can generate hard-to-guess passwords for you, and then keep them locked up with one very-well-chosen master password.
Of course, this always begs the question, "What if the password manager gets breached?"
That is a very good question, and we don't have an easy answer, because there isn't one.
(Useful ways to mitigate that risk include: don't save your really important passwords, such as those for banking and taxation, along with the rest; and insist on two-factor authentication wherever you can.)

Well worth a listen while you're here

Sophos Techknow Podcast: Two-factor Authentication Explained

(15 April 2013, duration 16'25", size 9.9MBytes)

We've invariably avoided taking sides by not explicitly recommending any particular product, but LastPass is one that regularly appears in our articles.

And, wouldn't you know it, LastPass just pushed out a update that fixes, amongst other things, a security hole that could leak your precious password secrets.
We urge you to grab that update, which came out two days ago, on the grounds that a security hole patched is, simply put, no longer a security hole.
But don't panic, as there are some palliative factors:

• The bug affects Internet Explorer users on Windows only.
• The bug requires an attacker to perform a memory dump of Internet Explorer.

A memory dump is where you connect from one process to another, and suck out the contents of the system memory it's using.
Apparently, until the 16 August 2013 update, a LastPass memory dump might well be found to contain unencrypted pasword strings.
This is the same sort of attack that we have written about frequently in the context of banking malware.
Stymied by data protection regulations that force financial institutions to encrypt credit card data when it is saved to disk, the crooks have taken to riffling through memory instead.
They hope to find the raw data from your card's magnetic stripe as it passes through memory on its way from the card reader onto the disk or network.
Generally, though admittedly not always, that means you need access to the victim's computer, and perhaps even administrator-level powers, which usually means getting malware onto the computer first.
And if you can do that, then most, though not necessarily all, security bets are off anyway.
So if you are confident you haven't been infected with malware since you last changed your passwords, then you're probably OK just grabbing the LastPass update and installing it as soon as you can.
On the other hand, since in cases like this we usually advise you to change your passwords anyway, just in case...
...you may want to change your passwords anyway, just in case.