Back in the summer of 2016, Google Project Zero researcher Tavis Ormandy asked in earnest: "Do people really use this LastPass thing?" Shortly afterwards Ormandy discovered a 0-day vulnerability in the code of the LastPass add-on for Firefox that allowed all of a user's passwords to be compromised remotely.
Now, almost a year later, the researcher has put the security of LastPass to the test again, and unfortunately the application cannot be said to have passed. Ormandy writes that he found an issue in the official LastPass extension for the Chrome browser. According to the researcher, the extension's content script contains a vulnerability whose exploitation could compromise all credentials stored in the application. Moreover, to carry out the attack an attacker only needs to lure the user to a malicious site.
The researcher explains that the script is only used to access a specific domain on lastpass.com, and a closer look at how it works shows the following:
Here, as Ormandy notes, lies the mistake: the script proxies unauthenticated window messages to the extension, which is dangerous because anyone can do the following:
This gives the attacker full access and lets them make LastPass execute RPC commands, of which there are hundreds; the most dangerous, of course, are those that copy and fill in passwords. In some cases this can even lead to arbitrary code execution on the user's machine through the openattach operation. As an example, Ormandy demonstrates launching the standard calculator (calc.exe).
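The defect described above is a content script that relays every `window.postMessage` event to the extension without checking who sent it. The added example below (not LastPass's code, and not the script Ormandy analysed) contrasts that unchecked relay with a hardened one; it is written as pure functions over an event-like object so it runs under Node, and the allowlisted origin, the `win` parameter standing in for the content script's own `window`, and the command names are assumptions.

```javascript
// Origin the relay is willing to accept messages from (assumed value).
const ALLOWED_ORIGINS = new Set(['https://vault.example.test']);
// Commands a web page is allowed to trigger at all (assumed names); everything
// else stays reachable only from inside the extension.
const PAGE_ALLOWED_CMDS = new Set(['ping', 'get_version']);

// Flawed relay: forwards whatever arrives, from any origin, to the extension.
function relayUnchecked(event, sendToExtension) {
  sendToExtension(event.data);
  return true;
}

// Hardened relay: the message must come from an allowlisted origin, from the
// page's own window (not a nested frame), and name a command pages may use.
// `win` is the content script's own window object (passed in so the function
// has no dependency on a browser global).
function relayChecked(event, win, sendToExtension, allowed = ALLOWED_ORIGINS) {
  if (!allowed.has(event.origin)) return false;       // untrusted sender
  if (event.source !== win) return false;             // message not from this page
  const msg = event.data;
  if (typeof msg !== 'object' || msg === null) return false;
  if (typeof msg.cmd !== 'string' || !PAGE_ALLOWED_CMDS.has(msg.cmd)) return false;
  // Re-build the message rather than forwarding the attacker-controlled object.
  sendToExtension({ cmd: msg.cmd, args: msg.args ?? {} });
  return true;
}

// Constructed events standing in for what a listener would receive.
function demo() {
  const win = {};                 // the content script's own window
  const forwarded = [];
  const sink = (m) => forwarded.push(m);
  const fromVault = { origin: 'https://vault.example.test', source: win, data: { cmd: 'ping' } };
  const fromOther = { origin: 'https://other.example.test', source: win, data: { cmd: 'openattach' } };
  return {
    uncheckedAcceptsOther: relayUnchecked(fromOther, sink),
    checkedRejectsOther: relayChecked(fromOther, win, sink),
    checkedAcceptsVault: relayChecked(fromVault, win, sink),
    forwardedCount: forwarded.length,
  };
}
```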
The LastPass developers have apparently already fixed the problem in the Chrome extension by disabling 1min-ui-prod.service.lastpass.com. However, some users report that the server is still reachable for them, and the vulnerability is still exploitable. Users of LastPass for Chrome should probably disable the extension for now and wait for the full fix, since version 4.1.42, dated March 14, 2017, was still vulnerable.
It's worth noting that Tavis Ormandy found another very similar bug in the LastPass Firefox add-on last week. That vulnerability likewise allows all of a user's passwords to be extracted if the user visits a malicious site.
This problem has not been fixed yet. The LastPass developers have already prepared a patch, but the revised version 3.3.2 is still under review by Mozilla. The LastPass authors also emphasized that the 3.x branch is considered outdated, and users are encouraged to move to the safer 4.x branch.
But LastPass's problems don't end there. Today, March 22, 2017, Tavis Ormandy warned that the LastPass Firefox add-on contains yet another bug that allows passwords for any domain to be stolen. Moreover, this time the newer and more secure version 4.1.35 is vulnerable. The researcher promises to publish the details shortly.
I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly. pic.twitter.com/9VkV7R3vud
Meet LastPass, one of the best programs for storing passwords, developed by LastPass and distributed as a single plugin installer for Internet Explorer, Google Chrome, Mozilla Firefox, Opera and Apple Safari. Passwords in LastPass are protected by a master password, are stored locally, and can be synced to any other browser. LastPass also has a form filler that lets you automate password entry and form filling. The plugin supports generating passwords, sharing data, logging site logins, creating secure notes, and much more. Download LastPass below.
One master password (the motto on the site is "The last password you must remember!").
Synchronization between browsers.
Generating strong passwords.
Encrypting passwords.
Online form filler.
Import passwords from other password managers, as well as export.
Passwords are stored in the cloud service lastpass.com in encrypted form (AES-256).
The LastPass master password is stored only in your head; when you enter it, all passwords are decrypted from the database (AES-256).
Passwords are transmitted over a secure (https) connection.
LastPass derives a hash from your username and master password, and that hash serves as the key for the AES algorithm.
For authorization, the LastPass service uses a double hash; it is this double hash that is sent to the server and serves as the verification key for authorization.
Group names, account names and data are transmitted encrypted; HTTPS is used everywhere.
LastPass captures passwords that other password managers miss, including many AJAX forms, and makes it easy to create strong passwords.
You can import and export data from many well-known password storage systems (such as RoboForm, 1Password, KeePass, Password Safe, MyPasswordSafe, Sxipper, TurboPasswords, Passpack, Firefox, Internet Explorer and many others). Passwords in LastPass are protected by a master password, are stored locally, and can be synced to any other browser.
LastPass uses strong client-side cryptography: passwords leave the computer already encrypted, and only the user can decrypt them. Even if someone obtains this data, the encrypted data is essentially useless to them.
What I like most is that all data is stored on the computer and on a secure service, periodically synchronized, and can be accessed from any computer where LastPass is installed. In addition, it has a very convenient function for creating secure notes and other equally useful functions. Almost everything. The program does everything by itself: it will offer to save the login and password, enter them into the fields when you next visit the page, or even log you in itself (if you want). At the same time, it generates passwords that you do not need to remember at all, and they will be different for each resource. This greatly increases security.
If you want, your secrets can always be with you, wherever you work and whatever computer you use. To do this, you can use the local version (LastPass Pocket) on a flash drive (for this, it is advisable to first export your data from your LastPass account to a file on disk, so that you can later open it with the portable version anywhere, without installing the main program). Everything works without any restrictions on the amount of stored data or time of use, free of charge and in Russian. Although there is a paid version with slightly more advanced features, we are not talking about it here.
The procedure for installing the program and registering a LastPass account is quite simple: you just need to agree to the default settings, and the installer will offer to disable the password managers in installed browsers because of their unreliability. It is also very easy to create a master password (here you will be presented with options and shown how resistant your master password is to cracking). In addition, the developers recommend changing your master password periodically to prevent unauthorized access to your LastPass account. The LastPass service itself has no access to your confidential data, which it warns you about honestly. That is, if you forget or lose your master password, you will only be sent a hint to recover the password (and not your passwords, logins, etc.), or you will have to use account recovery.
A big plus of LastPass, in my opinion, is that if you have an existing LastPass account (and, of course, have memorized the master password to log into it), you have nothing to fear from a system crash or reinstall: you just need to install LastPass again and log into your account, and the program will work for you. It goes without saying that all your passwords, websites, forums, protected notes, in general, everything you saved will be restored on the new computer. The developers are on the alert, constantly updating LastPass, strengthening it (and your security) and improving the program, and in browsers the LastPass extensions are updated in the background without interfering with your work.
That is my description of LastPass's features, far from complete; I hope you like the program. In closing, I note that after trying many password managers, paid and free, I long ago settled on LastPass because of its simplicity and reliability. The program is updated quite often, both on the official website and in the Google, Firefox, Opera and Safari extension stores, and there is detailed online help and video on setting up and using the program.
Developer: Joe Siegrist
License: FreeWare
Language: Multi + Russian
Size: 59 MB
OS: Windows
Upcoming significant changes to the Firefox add-on system. For the sake of compatibility between browsers, the developers of Firefox and other browsers have adopted a common API called WebExtensions. Supporting a common API will help reduce the cost of cross-platform development for companies like ours that have to release and maintain extensions for multiple browsers. While the transition to WebExtensions brings a number of benefits to developers, browsers, and users, we want to prepare LastPass users to migrate from the previous Firefox add-on to the new one.
We've been supporting two versions of LastPass for Firefox for over a year now. The stable 3.x version is published in the Firefox extension store, and the 4.x version under development is published on the LastPass.com website.
While this created some confusion for LastPass users, we maintained the “old” version to preserve the Firefox user interface that our users preferred. In the meantime, we have continued to develop version 4.x in line with the changes that Mozilla is implementing. But in light of recent news that Mozilla will fully switch to WebExtensions by the end of 2017, we must say goodbye to LastPass version 3.x for Firefox.
We will release the latest version of the add-on on March 31, 2017. Deployment of the latest version of the add-on to all users of version 3.3.2 is expected within a few days after it is reviewed by Mozilla. You can manually update the Firefox add-on now or wait for the automatic update in April. After that, only version 4.x will be available, both on addons.mozilla.org and LastPass.com. For users of the Firefox 3.x add-on, this update will bring all the latest improvements to the core logic and performance of LastPass that we've made, as well as the latest user interface. Based on user feedback, we also recommend that you familiarize yourself with the tile and list views in the 4.x interface to help you choose the best view for you.
LastPass 3.x Interface
LastPass 4.x Interface
In addition to implementing the changes made by Mozilla, we are confident that the new version of our Firefox add-on is much easier to use overall. We know that changes are not always pleasant. We listen to your feedback and make thoughtful and informed changes while maintaining a consistent LastPass experience across all browsers and platforms.
Of course, the transition to the new version of the add-on will not affect your LastPass account or any data in your vault in any way. You will still have full access to your account at any time from any browser and from any device.
As always, you can contact our support team if you have any questions or concerns regarding this transition.
The first and easiest option is the default password manager built into Chrome, Firefox, Opera, or Vivaldi. Almost all modern browsers can save logins and passwords and automatically insert them into the required fields. Admittedly, this option is not very feature-rich, since it lacks extras such as a strong password generator and protected notes. But you can use it completely free of charge, and there is synchronization between different devices, which works, of course, only if you use the same browser everywhere.
+ Simplicity, availability, free of charge. Synchronization between different devices.
- Low functionality and security.
1Password
1Password has been around for over eight years, but has always been overshadowed by LastPass because of its relatively high cost. It can store passwords, bank card data, software licenses and other confidential information in a secure virtual vault. This vault can be located on a remote server or on a local device. Synchronization via Wi-Fi, Apple iCloud or Dropbox is possible. The developers paid special attention to security and encryption algorithms, thanks to which this service has not been involved in any high-profile scandals.
+ Reliability, cross-platform, functionality, synchronization.
- High price.
KeePass
If you are looking for a free solution and are not afraid of difficulties, then you should definitely try KeePass. This is a completely open source project created by independent developers. It has a huge number of capabilities thanks to a whole arsenal of add-ons, plugins and auxiliary utilities. In return, however, you will have to come to terms with the typical disadvantages of free software: a steep learning curve and instability of some components.
The password database created in KeePass is stored as a single file, which can be placed on a hard drive or in any cloud service. In the latter case, you can implement data synchronization between different devices. There are plugins for popular browsers that, with varying degrees of success, fill in logins and passwords on the desired pages. Additionally, KeePass is available on mobile devices.
+ Free, functionality, security.
- A solution for geeks who can select and correctly configure all the necessary components.
Dashlane
This password storage service appeared relatively recently, but has already managed to prove itself. Dashlane has a pleasant appearance, good functionality and is easy to use. The password database is stored in the cloud in encrypted form, and there is synchronization between clients for different platforms (Mac, PC, iOS and Android). Among the additional features, it is worth highlighting automatic form filling, a password generator, the ability to change passwords in one click and convenient tools for online shopping. But all this splendor may fade for you if you want to synchronize data between different devices: to do so, you will have to buy an annual subscription for $39.99, which is quite a lot.
+ Appearance, reliability, cross-platform, digital wallet.
- High cost, inability to store passwords locally.
What password manager would you choose if LastPass did go for a paid subscription?