Password managers are obviously attractive targets for cybercriminals – but they’re considered by most to be better than any alternative.
The thought of having my entire password manager vault/archive compromised was giving me cold sweats in the wee small hours. What else could I do though!?
Then Tavis Ormandy of Google Project Zero repeatedly found serious vulnerabilities in LastPass's browser extensions, up to and including remote code execution…
Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.
— Tavis Ormandy (@taviso) July 26, 2016
Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way. pic.twitter.com/vQn20D9VCy
— Tavis Ormandy (@taviso) March 25, 2017
Oops, new LastPass bug that affects 4.1.42 (Chrome&FF). RCE if you use the "Binary Component", otherwise can steal pwds. Full report on way. pic.twitter.com/y92vm3Ibxd
— Tavis Ormandy (@taviso) March 20, 2017
— Tavis Ormandy (@taviso) March 16, 2017
… what other holes are there? I wasn’t going to wait to find out. Time for a new strategy!
It’s really good. No passwords are stored anywhere: each site password is derived on the spot from your master password and the site’s details, so there is no vault to steal. You can use it on all devices (there’s even a very lightweight free app). Is there a catch?
No. Not for the average home user. I think it’s about perfect.
OK, it doesn’t automatically fill in login fields, but apart from a little copy/paste hassle it’s great. And most importantly it’s very safe and secure, much more so than any password manager that stores reversibly encrypted passwords online, or anywhere for that matter, because this system does not store passwords at all; it regenerates each one from the master password whenever you need it. The caveat is that everything now rests on that one master password: anyone who gets hold of a single generated password together with the (public) site details can try master passwords offline against it, so the master has to be long and the derivation deliberately slow, and a compromised master cannot be revoked short of changing every password.
If you have more than one account on the same domain though, or need to change a password, or want to store someone else’s password that they’ve shared with you*, it’s not great. Because the same inputs always produce the same password, changing one means changing an input (a suffix, say) and then remembering that as well. As it stands you need to remember quite a lot for each site you use it with, including which username you picked and what password length you chose. This is fine for most personal use, but I literally have hundreds of usernames, quite often more than one on the same site.
Fortunately it’s open source, so I’ve taken it, added to it, and made my own version. My version saves my domains, usernames, comments, suffixes and password lengths, so I don’t need to remember anything except the master password. Only that metadata is stored; none of it is secret the way a password is, although it does reveal where I have accounts. I just start typing the domain name and suggestions pop up; clicking one populates all the other fields, and so long as the master password is present and correct, my long, unique and very strong password is conjured up and a click on COPY puts it on the clipboard.
I’ve added a bunch of other features too, for example automatically blanking everything (including the master password) after a timeout period, and putting the whole thing behind a Google 2FA login to protect my list of domains and usernames.
Screenshot above. Cold sweat frequency reduced.
Now to continue my campaign to get a refund from LastPass…
@LastPass Paid 4 premium. I reported bugs. No fix offered. I request refund. You: No, because 'outside 30 days'. Bad product. Bad service!
— Aetherweb (@Aetherweb) April 17, 2017
* I have yet to come up with a way to safely store a third party’s own password.