LostPass Phishing Attack Against LastPass

Every few months, someone comes out with a clever attack on LastPass. In January, for example, Sean Cassidy released his LostPass phishing attack that “allows an attacker to steal a LastPass user’s email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass.”

LostPass is a clever phishing attack. Essentially an attacker creates a fake notice that a user’s LastPass session has expired and asks them to log in. The fake version is visually identical to the actual notice LastPass uses, and even technical users would be unable to distinguish between the real notice and a phishing attempt.

LastPass responded by removing the button in its session expiration notices (so users will, presumably, be able to better distinguish fake versions which would need to have some sort of “login” button). LastPass also now requires users to go through an email-based process to approve logins from any previously unknown device or IP address.

LastPass also points the finger at Google, saying it identified these sorts of problems with the way Chrome displays notifications, but that its complaints fell on deaf ears,

A point that was only briefly raised in Cassidy’s research was the role that the browser itself plays in this attack. LastPass has encouraged Google for years to provide a way to avoid using the browser viewport for notifications. As a true solution to this threat, Google should release infobars in Chrome that give extensions the capability to do proper notifications outside the DOM. You can see our plea for this back in January 2012 with still no resolution; please star this issue to help us raise awareness.

It is good that people like Cassidy are out there looking for ways to get around LastPass’ security, and also good that LastPass generally responds to these sort of attacks much more quickly and effectively than a lot of companies. Every time a vulnerability in LastPass is found, people I know ask me whether they should still use LastPass, and my answer so far has always been “yes.”

So far the vulnerabilities that have been found in LastPass are of the sort that I still feel far more secure using it to manage my passwords than using some other password manager or (even worse) some other method for creating and managing the passwords to the dozens of services I have credentials for.

Are Lame Password Limits A Problem?

ArsTechnical looked at why there are all of those stupid limits on password length and, sometimes, what characters cannot be used. There is some good information there, but both the author of the piece and some of the folks interviewed seem to misunderstand one of the bigger problems with these artificial limits.

For example, here’s Microsoft’s Eric Doerr on Microsoft’s 16 character limit,

Microsoft imposes a length limit on the passwords its customers create: passwords can include a mix of upper and lower case letters, numbers, and symbols, but they can be no longer than 16 and no shorter than eight characters. Microsoft says that most attacks on accounts cannot be defended by password length, and the company adds that password cracking is hardly its biggest problem.

“Criminals attempt to victimize our customers in various ways and we’ve found the vast majority of attacks are through phishing, malware infected machines, and the reuse of passwords on third-party sites—none of which are helped by very long passwords,” a Microsoft spokesperson told Ars.

Toward the end, ArsTechnica writer Casey Johnson adds, perhaps a bit whimsically,

If nothing else, the varying password restrictions keep us from being lazy and using the same password for everything, which is itself good practice.

I suspect it’s the opposite–to the extent these arbitrary limits have any effect on overall security, it is to drive people toward reusing the same short passwords on multiple sites.

If the lowest common denominator is 8 characters with no percentage sign allowed, then many people will just make a single password that most of the services they use daily will accept and reuse that.

I prefer to use 20+ character passphrases. For the sites I use on a daily basis, its fairly easy to remember the passphrase outright. For sites I don’t use regularly, I let LastPass keep track of them and then at least when I have to manually type them in they are things that human beings can easily type rather than 7a6waz(4.

But so many sites won’t allow me to use long passphrases and it is tempting to just recycle a number of 8 character passwords I’ve used over the years.

So Doerr is right that securing passwords is hardly on the top rung of security threats, but not allowing longer passwords encourages habits that make the other attacks he’s more worried about even more likely.

The Problems with Biometrics for Authentication

The other day I came across a blog post by someone lamenting a common problem we all have these days–password management. The blog linked to an article extolling the virtues of using biometrics either as a complete substitute for passwords altogether, or as part of a two-factor authentication system.

It sounds like an awesome, appropriately futuristic idea–instead of having to remember some long password, I’ll just look into my webcam and use a retinal scan instead of a password to prove I am really who I say I am. In fact, this would be a disaster.

Consider how passwords work today. A system asks you to create a password and you dutifully tell it to use “password”. The system on the other end then creates a hash of that password. A cryptographic hash is a one-way function that transforms “password” into “7!aceldfg”. Because it is a one-way function even if I have the hash, I cannot easily determine that “7!aceldfg” is the has for “password.”

In reality, hashing is vulnerable to some attacks and so a smart website will salt the password hash. All this means is that when you type in “password” when creating an account, the website adds additional pseudo-random data to your password. So a website might convert “password” to “password12345” and then hash that. The website then stores both the hash and the salt value.

The benefit of doing this is that it increases the amount of work that an attacker is going to need to do if they compromise the website and gain access to the password file.

So imagine you create a username and password for your bank account, and the attackers gain access to the files containing the usernames and passwords of all the bank’s customers. Maybe the bank had very good security and they encrypted the password files in addition to hashing and salting the passwords.

You know what, though…just to be on the safe side the bank is going to ask you to change your password anyway. And you are once again reminded why you should never use the same password on multiple sites. Maybe you were reusing the same passwords and now you go and finally fix that so you’ve got different, secure passwords on all your accounts.


Now imagine the bank instead uses a retina or fingerprint scan. You swipe your finger or stare into a webcam, and data gets sent back to the bank which compares it to the hashed, salted version of the data it has on file for your eye or finger and then you get access to your account.

Until today when hackers managed to penetrate the bank’s security and access the user and authentication data. Now, your fingerprint or retinal scan data has been compromised. How do you propose to alter those?

As one biometrics news site sums it up,

Paradoxically, the greatest strength of biometrics is at the same time its greatest liability. It is the fact that an individual’s biometric data does not change over time: the pattern in your iris, retina or palm vein remain the same throughout your life. Unfortunately, this means that should a set of biometric data be compromised, it is compromised forever. The user only has a limited number of biometric features (one face, two hands, ten fingers, two eyes). For authentication systems based on physical tokens such as keys and badges, a compromised token can be easily canceled and the user can be assigned a new token. Similarly, user IDs and passwords can be changed as often as required. But if the biometric data are compromised, the user may quickly run out of biometric features to be used for authentication.

Password Cracking

Bruce Schneier looks at password cracking on his blog and he and his commenters have some interesting insights into password cracking and how to minimize the odds of getting cracked and hacked.

The post is in reference to an Ars Technica’s experiment where they gave three “cracking experts” a list of 16,449 passwords hashed using MD5. The least successful cracker was able to figure out 62 percent of the passwords and one of the crackers was able to obtain 90 percent of the passwords.

Essentially all three were doing sophisticated dictionary attacks to get at obvious passwords, but also to crack passwords that people think are secure for some reason, such as “k1araj0hns0n”. From my experience, the practice of sites requiring people to use at least one number or at least one special character, etc., is counterproductive in that it leads people to think that “Pass$1w0rd” becomes magically secure with the addition of the special characters, capitalization and numbers.

Schneier still endorses his scheme of using the first letters from uncommon sentences to create passwords that are secure but easy to remember,

So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.

That would certainly work, but I have about 90 accounts I access regularly which would mean remembering 90 sentences or variants therein. And at this point you really do want to ensure every account you use has a different password. Given the rash of hacks of prominent web sites, you just need to assume that at some point a) one of the sites you use regularly is going to get hacked, b) they’re not going to have implemented effective security to protect your password, and c) hackers are quickly going to distribute your password and attempt to use it to access other accounts you control.

I prefer the following method which I think strikes a nice balance of protecting my logins while at the same time recognizing I have a life to live and want to spend as little time as possible managing passwords:

1. Use a password manager. I use LastPass, but I’ve also used other password managers. Whatever password manager you use, do make sure to read reviews to ascertain that its security is acceptable. Personally, I’m satisfied that while LastPass’s security isn’t impregnable, it is good enough and effectively balances my security and usability concerns.

2. Generate passwords with DiceWare. It sounds a bit goofy, but essentially you’re using dice as random number generators to create a list of words that you string together into a longer passphrase. A DiceWare-generated passphrase might look like “cleftcamsynodlacyyr”.

There are two advantages to using DiceWare rather than using something like LastPass to autogenerate random passwords. First, the passwords generated with DiceWare have a great deal of entropy and are not going to fall to a dictionary attack even if the attacker knows you used DiceWare to create them. Second, DiceWare passwords are much easier to type or memorize than typical randomly generated passwords in those situations where you need to manually enter the password.

3. Generate a separate password per account. I generally create a few dozen DiceWare passwords at a time and securely store the list, then grab one of the passwords as I create a new account.

Hash It! for Android

Hash It! is an Android app that replicates — and is compatible with — the Password Hasher extensions for Google Chrome and Firefox. Create a master password key, and Hash It! generates a password for each site you visit based on the master password and the URL of the site.

An interesting approach to password management, though I’m sticking with Diceware plus KeePass.