LostPass Phishing Attack Against LastPass

Every few months, someone comes out with a clever attack on LastPass. In January, for example, Sean Cassidy released his LostPass phishing attack that “allows an attacker to steal a LastPass user’s email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass.”

LostPass is a clever phishing attack. Essentially an attacker creates a fake notice that a user’s LastPass session has expired and asks them to log in. The fake version is visually identical to the actual notice LastPass uses, and even technical users would be unable to distinguish between the real notice and a phishing attempt.

LastPass responded by removing the button in its session expiration notices (so users will, presumably, be able to better distinguish fake versions which would need to have some sort of “login” button). LastPass also now requires users to go through an email-based process to approve logins from any previously unknown device or IP address.

LastPass also points the finger at Google, saying it identified these sorts of problems with the way Chrome displays notifications, but that its complaints fell on deaf ears,

A point that was only briefly raised in Cassidy’s research was the role that the browser itself plays in this attack. LastPass has encouraged Google for years to provide a way to avoid using the browser viewport for notifications. As a true solution to this threat, Google should release infobars in Chrome that give extensions the capability to do proper notifications outside the DOM. You can see our plea for this back in January 2012 with still no resolution; please star this issue to help us raise awareness.

It is good that people like Cassidy are out there looking for ways to get around LastPass’ security, and also good that LastPass generally responds to these sort of attacks much more quickly and effectively than a lot of companies. Every time a vulnerability in LastPass is found, people I know ask me whether they should still use LastPass, and my answer so far has always been “yes.”

So far the vulnerabilities that have been found in LastPass are of the sort that I still feel far more secure using it to manage my passwords than using some other password manager or (even worse) some other method for creating and managing the passwords to the dozens of services I have credentials for.

Web-Based Password Managers

I mentioned the open source KeePass password manager the other day, but apparently there are a number of web-based password managers, including PassPack,and Clipperz. Clipperz also has an open source version of its software that you can download and then install on your own server.

I still think it’s easier and probably more secure just to use KeePass and keep the master password database on an FTP server so you can access it anywhere. Put the URL in your browser and KeePad will load it.

KeePass

A couple years ago I downloaded and tried the open source password manager KeePass, but ultimately passed on it in favor of RoboForm. The other day I decided to give it a second look since I needed something that was cross-platform.

After tinkering around with it for a few minutes I was sold. I can’t remember why I didn’t like it a couple years ago, but whatever it was they’ve certainly fixed it several times over.

What I especially like about KeePass is the cross platform nature of it. I’ve got it running on my Windows and Ubuntu PCs as well as my Blackberry. For the moment, I update my database on my home server and then upload it to an obscure directory on my dedicated web server. Then its just a matter of installing KeePass on any computer I want to use at downloading the database.

KeePass does a nice job of autotyping. Just put the cursor in the username field, press CTRL-ALT-A and it will find the correct password for the site in the database and fill in the username and password fields.

Someone has written a nice plugin for KeePass 2.x, which is still in Alpha, that will synchronize the database over the Internet (though its unclear if this will work with vanilla FTP/SFTP).