LastPass Hackers Stole Source Code (infosecurity-magazine.com)
New submitter alfabravoteam writes: Password management company LastPass has published information about a security incident. "We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information," reads the official message published.
They also clarify that no user data was lost. "We never store or have knowledge of your Master Password," the firm said in an FAQ. "We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers' Master Password," they inform. Hence, no action is required of users.
Code stolen? (Score:5, Funny)
Waiting for VeryLastPass to launch.
Re: (Score:3)
Yes, because as we all know, once source code is seen, all security is lost. You can't possibly make something secure without hiding the source code. /s
LastPass stores a blob of data that's encrypted on the client. The only realistic danger resulting from this is if someone manages to more effectively spoof their services, or gains other side-channel attacks. I won't call that insignificant, but I'm not going to lose sleep over it.
Re: (Score:3)
I just don't understand why you would bother with this. There are plenty of offline solutions, with cloud storage support if you need it. Run everything locally, outside the browser.
Re: Code stolen? (Score:5, Insightful)
Are those "solutions" point-and-click enough that your parents or grandparents can handle them? If not, then they are not any sort of solution that 90% of internet users can deal with.
Re: (Score:2)
Yes they are that simple.
Re: (Score:3, Insightful)
Every other solution out there I've looked at is a relative pain in the ass compared to it. Right on the webpage, where you actually have to enter your credentials, they're entered for you automatically. If you change your password, LastPass detects it. Add some new credentials? LastPass detects and stores them for you. It integrates seamlessly with 2FA.
Is it absolutely the most secure solution out there? Probably not, since integration with the browser carries some risk. Is it the most convenient so
Re: (Score:2)
Bitwarden? Recently switched and I think I like it better. Is it more of the same thing? Yeah. When it comes down to it, anybody seriously caring about security probably shouldn't store anything that sensitive in the cloud, but it works well for the lazy and non-tech-savvy. :)
Re: (Score:3)
There have been a number of security issues with LastPass, for example https://www.cpomagazine.com/cy... [cpomagazine.com]
Re: (Score:1)
Re:Code stolen? (Score:4, Interesting)
I'd be looking for holes in the client-side page parsing code. It's always the parsers.
Hop through there, grab the unlocked data. Of course you have to entice a user to go to a hostile website but most people will click on anything if you scare them.
"no action is required to users to follow" (Score:2)
Until someone feeds the source code through a set of SAST scanners, DAST scanners, and human reviews, finds vulnerabilities and starts exploiting them in the wild, for example by injecting exploits into legitimate and frequently used sites to harvest all user data client-side, in its decrypted state.
Re: (Score:2)
Are you saying Lincoln should have left Ford's Theater before the end of the play?
Password managers (Score:5, Interesting)
I use Bitwarden. Anyone who wants the source code can have it, no hacking required.
Re: (Score:3)
Yep. Closed source is a big red flag in security software. Obviously so.
Re: (Score:2)
I thought the browser extension was javascript thus you could read the source?
Re: (Score:2)
Probably obfuscated. At least I deduce from them admitting that the "source was stolen" that you cannot simply download the extension and read it. May also be another language that gets compiled to JavaScript, which usually produces the most awful unreadable mess.
Re: (Score:2)
And even if one doesn't care about FOSS... Bitwarden's UI is arguably better than that of LastPass. And the cost is lower!
Re: (Score:3)
And even if one doesn't care about FOSS... Bitwarden's UI is arguably better than that of LastPass. And the cost is lower!
Bitwarden also has its code professionally audited periodically. LastPass waits for the hackers to do it.
Re: (Score:2)
That is not "zero knowledge" (Score:5, Insightful)
That is "Kerckhoffs's principle". Zero knowledge is something completely different. When they do not even get the basic cryptographic terminology right, you should probably stay far away from their stuff....
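The architecture the comments are arguing about (the client-encrypted blob mentioned in the earlier reply, and the Kerckhoffs vs. zero-knowledge distinction here), as an added Python example that is not LastPass's or Bitwarden's code: the master password only ever feeds a client-side KDF, and the server stores a salted hash of a separately derived login token plus the opaque ciphertext, so the design stays secure with this code public. The iteration count, the email-as-salt choice and the placeholder ciphertext are assumptions; encrypting the vault with the derived key (e.g. AES-GCM) is outside this block.

```python
import hashlib
import hmac
import os

# Illustrative KDF settings (an assumption for this example, not any product's real parameters).
KDF_ITERATIONS = 100_000
KEY_LEN = 32


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side only: the key that encrypts the vault blob. It is never sent anywhere."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(),
                               KDF_ITERATIONS, dklen=KEY_LEN)


def derive_auth_token(vault_key: bytes, master_password: str) -> bytes:
    """Client side: a separate login credential, one-way derived from the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=KEY_LEN)


class VaultServer:
    """Server side: stores only a salted hash of the auth token plus the opaque ciphertext."""

    def __init__(self) -> None:
        self.users: dict[str, dict[str, bytes]] = {}

    @staticmethod
    def _hash_token(token: bytes, salt: bytes) -> bytes:
        # Re-hash the received token so a stolen server database does not yield a usable login.
        return hashlib.pbkdf2_hmac("sha256", token, salt, KDF_ITERATIONS, dklen=KEY_LEN)

    def register(self, email: str, auth_token: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        self.users[email] = {"salt": salt, "auth": self._hash_token(auth_token, salt), "blob": blob}

    def login(self, email: str, auth_token: bytes):
        """Return the encrypted blob on success, None otherwise (constant-time compare)."""
        rec = self.users.get(email)
        if rec is None:
            return None
        if not hmac.compare_digest(self._hash_token(auth_token, rec["salt"]), rec["auth"]):
            return None
        return rec["blob"]


def server_learns_secret(server: VaultServer, email: str, master_password: str) -> bool:
    """True if the master password or the vault key appears anywhere in the server's record."""
    rec = server.users[email]
    key = derive_vault_key(master_password, email)
    return any(master_password.encode() in v or key in v for v in rec.values())
```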
Re: (Score:2)
Bingo. LastPass sold out to a questionable company several years ago. It was a good excuse to jump to Bitwarden.
Re: (Score:2)
Re: (Score:2)
Apparently you can, thinking about switching over also.
https://bitwarden.com/help/imp... [bitwarden.com]
Re: (Score:1)
I've done it. It worked well.
Re: That is not "zero knowledge" (Score:2)
Feature-wise, would you say Bitwarden is on par with LastPass, with things like browser and Android integration?
Re: (Score:2)
Nice! Thanks for the link.
Re: (Score:2)
From the Wikipedia article entitled "Zero-knowledge service": "The term "zero-knowledge" was popularized by backup service SpiderOak, which later switched to using the term "no knowledge" to avoid confusion with the computer science concept of zero-knowledge proof."
Re: (Score:2)
Well, SpiderOak misusing the term before does not make it any better. At least they fixed their mistake. Incidentally, the term "zero knowledge" is not only used in connection with "proof" in cryptography. Seems that Wikipedia article was not written by a cryptography expert.
Re: (Score:2)
I've been using KeePassXC for a while and have been very happy with it. In my experience it's been better than Bitwarden, and having everything Open Source is very nice as well.
Re: (Score:2)
Well, there is really no sane reason to use anything closed-source and/or commercial for this task. Some people have a mistaken belief that commercial closed-source is somehow more secure though. There are always plenty of people disconnected from reality and this is just one more group.
Re: (Score:2)
Stand By for Solar Winds Part 2 (Score:2)
Ah yes, SaaS security. Biggest worst single point of failure imaginable.
KeePassXC (Score:1)
Re: (Score:1)
So what? (Score:1)
It wasn't stolen (Score:2, Funny)
Re: (Score:2)
That's a very interesting point. No mod option for "Funny,,, no, wait... clever... no... clever enough to be more funny".
If it wasn't stolen, can it be considered hacked? And if this is stolen, how is it different that the source was behind a firewall and not behind an encryption scheme?
LastPass sells your data (Score:3)
Re: (Score:3)
use "pass" instead (Score:2)
Built on GPG, works with standard text files, supports Git to share between clients, and it has a client for every OS.
"Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management ut
Re: (Score:2)
Nice. Thanks.