One Problem After Another
A recent spate of security issues has sent LastPass engineers and developers scrambling to patch vulnerabilities – serious flaws in LastPass’ ability to keep your passwords from being stolen right out of the “vault.” A recent article in The Guardian reveals yet another in a growing list of security holes discovered by Google engineer Tavis Ormandy. Ormandy has been busy lately. He has found security issues in dozens, if not hundreds, of security products. However, he has been particularly busy ripping through LastPass’ browser plugins.
The main issue is how LastPass (and other password managers) store passwords and auto-fill usernames and passwords on websites. The plugins load and read the webpage your browser is on, compare the URL to those stored in the vault and locate the appropriate elements to fill those fields. The problems stem from the way that the plugin loads and reads that page. By injecting malicious code or carefully crafted malformed strings, an attacker can gain access to the entire unencrypted password vault. In one exploit, Ormandy found that if the binary plugin was installed, an attacker could even gain access to the user’s desktop and execute code with the logged-in user’s security privileges. Since most users run as administrator, there is little an attacker could not do.
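To make the URL-matching step concrete, here is an added example in JavaScript; it is not LastPass’ code, nor anything from Ormandy’s reports, and the names `vault`, `parseOrigin`, `candidatesFor`, `fillRequest` and `naiveHostMatch` and the sample entries are my own assumptions. It shows the defensive shape of the decision a plugin makes before filling a login form: only an exact origin match (scheme, host and port) qualifies, plain-HTTP pages never qualify, and nothing is filled unless the user triggers it. A loose substring test is included alongside purely to show why exact matching matters.

```javascript
// Added example, not from any password-manager product.
// Assumption: each vault entry records the exact origin it was saved on.
const vault = [ // constructed sample entries, not real credentials
  { origin: "https://bank.example",   username: "alice",  password: "p1" },
  { origin: "https://social.example", username: "alice2", password: "p2" },
];

// Normalise a page URL to its origin; refuse anything that is not HTTPS.
function parseOrigin(urlString) {
  let url;
  try { url = new URL(urlString); } catch (e) { return null; }
  if (url.protocol !== "https:") return null; // never fill over plain http
  return url.origin; // "https://host[:port]" with path and query dropped
}

// Credentials eligible for this page: exact origin equality only.
function candidatesFor(pageUrl, entries = vault) {
  const origin = parseOrigin(pageUrl);
  if (origin === null) return [];
  return entries.filter(e => e.origin === origin);
}

// The fill decision. `userInitiated` models "I have to initiate the form
// fill": without an explicit user action nothing is written into the page.
function fillRequest(pageUrl, userInitiated, entries = vault) {
  if (!userInitiated) {
    return { filled: false, reason: "autofill disabled; user must trigger fill" };
  }
  const matches = candidatesFor(pageUrl, entries);
  if (matches.length === 0) {
    return { filled: false, reason: "no credential saved for this exact origin" };
  }
  if (matches.length > 1) {
    return { filled: false, reason: "several credentials; user must choose" };
  }
  return { filled: true, username: matches[0].username };
}

// Illustrative weak pattern (hypothetical, not attributed to any product):
// a substring test that treats the saved hostname appearing anywhere in
// the URL as a match. It accepts look-alike hosts that candidatesFor rejects.
function naiveHostMatch(pageUrl, entry) {
  return pageUrl.includes(new URL(entry.origin).hostname);
}
```

Run it under Node and compare `candidatesFor` with `naiveHostMatch` on a host such as `https://bank.example.attacker.test/`: the substring test says yes, the origin test says no. The `userInitiated` gate is the code-level form of turning autofill off.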
These are serious security flaws. The whole point of a password manager is that you don’t reuse the same password on every site that you need a login for. It also allows the user to keep very strong passwords – long, random and complicated – that are difficult or impossible to remember – especially if there are dozens of different passwords. For example, I have no idea what my bank and credit card passwords are. I don’t know what my Twitter or Facebook passwords are. I change them often and I don’t even see them. If a website is hacked, I change the password(s) as soon as the breach is fixed. Since that username and password combination is unique to each website, there’s no danger of a hacker accessing any other website with the same credentials.
The problem, then, is that I have hundreds of logins. If my password manager is compromised, I have hours and days of work ahead of me changing every single password. With financially sensitive websites – banks, credit cards, and any site that stores my personal and financial information – I also have to consider changing the username (often an email address) as well. This is a laborious and time-consuming process – the very thing I use a password manager for. That begs the question: how do I trust LastPass to help in this process?
And there’s the rub. Trust is the cornerstone of security. The deadbolt on your front door comes with a certain level of trust. It prevents an intruder from simply walking in, but there are vulnerabilities. The door can be forced open through other weaknesses or brute force. If you find out that your lock can be circumvented with a “bump key,” or can easily be picked, your trust in that lock is diminished and you start looking for alternatives that don’t have that same vulnerability. Something you can trust.
For the moment, LastPass has been working closely with Ormandy and patching the holes as soon as they’re reported. That’s a good thing. Ormandy is a responsible, ethical hacker, and allows the company ample time to patch the flaw before revealing the extent of the exploit(s). LastPass’ quick response and action shores up my trust, but hardly mitigates the damage to that trust.
Should I Make the Change?
The next question is “do I make the switch?” Over the past couple of weeks I have had to give this serious and deliberate thought. At the time of this writing, Dashlane is looking like a solid alternative and I am in the process of reviewing and researching the product. So far, Dashlane is looking pretty good. Next to RoboForm, Dashlane has been around for a long time. I used Dashlane in the past for a while, until Passwordbox came out and beat Dashlane in both price and functionality. Then Intel (McAfee) bought Passwordbox and gutted it into near uselessness. That’s when I made the switch to LastPass. What is slowing me down from making a change is that I know those security holes existed all this time and none were exploited. On the other hand, with the news coming out with such frequency, hackers are salivating over the prospects – and likely trying to come up with viable ways to breach password manager security (not just LastPass) on a large scale. Gleaning a couple hundred unique users is hardly worth the effort – there are larger prey – like Yahoo and GMail. However, that doesn’t mean that hackers won’t rise to the occasion and try their hand at a challenge.
From there I move on to the same logic that I apply when deciding to buy an electronic product that has been refurbished. Most “refurbs” were either returned after buyer’s remorse set in, or there was a problem with the product. Either way, that product has (usually) undergone extensive testing before being released for sale. My logic is that a new product, then, is more likely to present a fault, and the refurbished one is less likely to. There are obvious flaws in that logic, but it has worked well for me over the years. In the same way I look at LastPass. Exploits are found, then promptly patched. Those flaws already existed in the product before being discovered, and now they don’t. Also, with such a rash of discoveries, accompanied by bad press, LastPass is scrambling to stem the tide and locate holes on their own. In the end, they will have an extensively secure product.
Switching to Dashlane is not a big deal – something I learned from migrating from Intel True Key to LastPass. It just takes a few minutes to do, and a couple of hours to change the most sensitive logins. While Dashlane is considerably more expensive ($39 compared to LastPass at $12), $40 isn’t that much for something I use all day long – every day of the year. There’s an old adage that I subscribe to: good security is never convenient. Wherever possible, I use 2-factor authentication; this mitigates a lot of the problems with my username and password being exposed.
For now, I am going to stay with LastPass, but keep a weather eye on the horizon. I like LastPass. It has worked quite well for me and does what I want it to do.
Keeping It Secure
Certain aspects of a couple of the exploits wouldn’t affect me even if I visited a malicious website. Most notably, I don’t allow any password manager to autofill username and password. I have to initiate the password form fill. I also use 2-factor authentication to start the browser plugin, and I do not use the “Remember for 30 Days” setting. It takes a few seconds to type in a 6-digit authentication code. I change the master password twice per year, and any time there might be an issue of compromise. I’ll keep looking at Dashlane, but I think I’ll stay put for a little while longer.