When you use a browser extension password manager, you give attackers an API to interact with your password manager via JavaScript or the DOM. That's how LostPass worked, and it's how many of the newer attacks work, too. Desktop-based password managers expose no such surface: attacking them requires compromising the local machine first, which is much harder than getting someone to visit a webpage.

Your password manager extension du jour might not be as bug-ridden as LastPass, but it suffers from the same risk vector if it's a browser extension. If you're using it in a corporate environment to share passwords, only one user of many needs to be attacked to steal all of your passwords via a previously undisclosed bug. If you think criminals aren't mining LastPass and others for bugs right now, you're naive.

What password managers should you use instead?

Does this mean you should give up and not use a password manager at all? No, but the choice is trickier than these companies' marketing would lead you to believe. Any program that is not resident in your browser is safer than one that is. There are many choices in this category, and none of them is exposed to the direct-access-via-JavaScript risk. If you do use one, do not install the browser extensions. Copy and paste the passwords from the app into your browser. I use pass because it's simple to understand for technical folks, but I have many friends who use KeePass. If you are buying a password manager from a company, you should ask to see the details of their latest source code security review. If they're reluctant, maybe you should be reluctant to put the crown jewels of your company in their hands.

Copying and pasting passwords into the wrong place is not a large enough risk to justify using a browser password manager extension. If you accidentally paste one password in the wrong place, it is easy to change. If you get all your passwords stolen by a new bug, you'll never even know, and you'll have little to no recourse.

Built-in browser password managers

Every major browser now has a well-designed, built-in password manager that is easy to use. These are a nice choice if you dislike copying and pasting passwords into websites. All of them also offer mobile sync so you can have your passwords on the go. Since two-factor authentication is not available for these, use a very strong and unique passphrase.

- Chrome's Password Manager along with a good sync password.
- Firefox's Password Manager along with a good master password.

I recommend non-technical users use the built-in password managers because they're easy to use and plenty secure.

Literally anything else

An encrypted text file on your computer is safer than a browser extension password manager. Think of how it would be compromised: someone would need at least user-level access to your computer and then either read the file while it's temporarily decrypted, or wait for you to decrypt it. That cannot be done by efficient attackers at scale. And if they've compromised your machine, you have bigger things to worry about.

I don't know if these browser extension password managers will ever improve enough for me to recommend them. The risk of having an attacker able to directly interact with them is just too high. Many of them are for-profit companies that obviously have not invested a lot of resources in an in-depth audit of their source code, judging by the trivial bugs that researchers find in an hour. TeamSIK's excellent work finding Android password manager bugs shows that the lack of security isn't limited to browser extensions, but is a systemic issue in the password manager ecosystem. However, the direct exposure of browser extensions to web content makes these vulnerabilities far more severe there. We need less "military grade encryption" marketing from them and more transparency around how often their code is audited, the results, and how they've fixed the vulnerabilities. But until then, avoid browser extension password managers.

LastPass is a password manager distributed in subscription form as well as a freemium model with limited functionality. The standard version of LastPass comes with a web interface, but also includes plugins for various web browsers and apps for many smartphones. It also includes support for bookmarklets. GoTo (formerly LogMeIn Inc.) acquired LastPass in October 2015. On December 14, 2021, GoTo announced that LastPass would be made into a separate company and accelerate its release timeline. LastPass suffered significant security incidents between 20. Notably, in late 2022, user data, billing information, and vaults (with some fields encrypted and others not) were breached, leading many security professionals to call for users to change all their passwords and switch to other password managers.
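The following is an added example, not code from the original post or from any password manager vendor: a small Node.js model of the mechanism in the opening argument, that an extension which writes credentials into a page's DOM is handing them to whatever JavaScript runs on that page. The DOM stand-ins, the vault contents, the origin `https://bank.example`, and the two assumed extension behaviours (`naiveAutofill`, `gatedAutofill`) are all constructed for the demo and describe no specific product.

```javascript
// Added example: a Node.js model of why a browser-extension password manager
// hands credentials to page JavaScript. Nothing here is real browser code;
// the DOM, the extension, and the vault are stand-ins built for this demo.

// Stand-in for an <input> element. Setting .value notifies 'input' listeners,
// the way a real autofill fires events that page scripts can observe.
class InputElement {
  constructor(type, name, visible) {
    this.type = type;
    this.name = name;
    this.visible = visible;
    this._value = '';
    this.listeners = [];
  }
  addEventListener(eventName, fn) {
    if (eventName === 'input') this.listeners.push(fn);
  }
  get value() { return this._value; }
  set value(v) {
    this._value = v;
    for (const fn of this.listeners) fn({ target: this });
  }
}

// Stand-in for the page's document: an origin plus the inputs on the page.
class PageDocument {
  constructor(origin) {
    this.origin = origin;
    this.inputs = [];
  }
  createInput(type, name, visible = true) {
    const el = new InputElement(type, name, visible);
    this.inputs.push(el);
    return el;
  }
  passwordFields() {
    return this.inputs.filter((el) => el.type === 'password');
  }
}

// Constructed vault entry (origin -> credential), as the extension would hold it.
const vault = new Map([
  ['https://bank.example', { user: 'alice', pass: 'correct horse battery staple' }],
]);

// Assumed extension behaviour A: fill every password field on a recognised
// origin, with no user gesture and no visibility check. Returns fields filled.
function naiveAutofill(doc) {
  const cred = vault.get(doc.origin);
  if (!cred) return 0;
  let filled = 0;
  for (const el of doc.passwordFields()) {
    el.value = cred.pass;
    filled += 1;
  }
  return filled;
}

// Assumed extension behaviour B: fill only after an explicit user gesture, and
// only visible fields. This narrows the exposure but does not remove it: the
// visible field is still page-readable once filled.
function gatedAutofill(doc, userGesture) {
  if (!userGesture) return 0;
  const cred = vault.get(doc.origin);
  if (!cred) return 0;
  let filled = 0;
  for (const el of doc.passwordFields()) {
    if (!el.visible) continue;
    el.value = cred.pass;
    filled += 1;
  }
  return filled;
}

// Page-side attacker script (think XSS or a compromised third-party script on
// an origin the extension trusts): plant a hidden password field and record
// whatever the extension writes into it.
function plantHarvester(doc) {
  const harvested = [];
  const hidden = doc.createInput('password', 'pw_shadow', false);
  hidden.addEventListener('input', (e) => harvested.push(e.target.value));
  return harvested;
}

// Build a login page on a trusted origin, plant the harvester, run the
// extension, and report what page JavaScript could read afterwards.
function scenario(autofill, userGesture) {
  const doc = new PageDocument('https://bank.example');
  doc.createInput('text', 'username');
  const realField = doc.createInput('password', 'password'); // the genuine, visible field
  const harvested = plantHarvester(doc);
  autofill(doc, userGesture);
  return { harvested, visibleFieldValue: realField.value };
}

console.log('naive, no gesture:', scenario(naiveAutofill, false));
console.log('gated, no gesture:', scenario(gatedAutofill, false));
console.log('gated, with gesture:', scenario(gatedAutofill, true));
```

The naive extension fills the hidden field and the harvester reads the password with no user involvement at all. Requiring a gesture and skipping invisible fields stops that particular harvest, but the genuine field is still filled into the page's DOM, where the same script can read it; the trust boundary is the page, and the extension is on the wrong side of it. Compare the copy-and-paste workflow from a desktop manager: the page only ever receives the one value the user chose to paste into a field they can see.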