Password Managers

[ddrueding]

Not happy, but not planning an exit yet either. If this deal had happened before I bought in I wouldn't have done so. I'm still optimistic that it takes at least a year for them to damage the product or brand enough that I jump ship.

 

[Clocker]

Some are not quite so negative about it: https://www.reddit.com/r/Lastpass/comments/3oaa9k/just_bought_10_years_of_lastpass_to_lock_in_the/

 

[Clocker]

It seems to me that the weak link in a system like LP is the integration with the browser. Are there any best practices or settings that can be useed to minimize browser related vulnerabilities when using LastPass?

 

[timwhit]

I'd turn on two factor auth.

 

[Clocker]

Got that turned on, already. Thanks!

 

[mubs]

KeePass hacked. Other password managers may be at risk.

 

[Clocker]

KeePass hacked. Other password managers may be at risk.

I always thought anything goes when a computer is already compromised, like this hack requires.

 

[Handruin]

I don't understand that article or the title is misleading. So if my PC is compromised AND my password database is unlocked I'm at risk?

When it runs on a computer where a logged in user has the KeePass database unlocked, KeeFarce decrypts the entire database and writes it to a file that the hacker can easily access.

 

[Will Rickards]

My understanding is that yes they still need the keepass database open, which requires the master password.
So in order for this 'hack' to have any effect you would need to leave it open and have your machine hacked in the first place.
It uses simple dll injection, which is a process in windows where you get a running program to load your dll. Then the dll code essentially runs in the process space.
This is similar to hooking up a debugger to the process and then inspecting the memory or causing one of methods to run.

So there is nothing to see here. They just made something you could do already on a compromised machine, easier.

I believe there are things you can do to make code resistant to dll injection. But I'm not sure you can fully protect against it. It is built-in to the windows framework.

 

[ddrueding]

Yup. No news. "Vault vulnerable while door is open and intruder in room".

 

[Clocker]

Lastpass vulnerabilities discovered and fixed.

https://grahamcluley.com/2015/11/flaws-lastpass-password-manager-security-researchers/

 

[Clocker]

DD - So glad you turned me on to Lastpass. I am so loving everything it offers. It has really made managing passwords so much easier!

 

[ddrueding]

Yup. Now exploring the corporate version. Could be very useful.