Lastpass-password stealing

I'm not posting this as a haha to a competitor, but as I hope 1Password doesn't have this issue.

http://www.zdnet.com/article/lastpass-hit-by-password-stealing-and-code-execution-vulnerabilities/

Comments

  • brenty

    Team Member

    @prime: 1Password doesn't have that issue. While everyone makes mistakes, part of what makes something like that possible is the fundamental design of the extension. 1Password's browser extensions are notably pretty "dumb" in the sense that most of 1Password's saving/filling smarts is in the app. This is why, for example, you can't use the extension by itself. The drawback there is that it won't work on platforms where we don't have a native app for it to connect to. But the benefit is that we're not executing code on the machine from the browser. So while the 1Password extensions are limited in a few key ways, it's because they're sandboxed in the browser. This definitely reduces the attack surface, and while it might be nice to have a standalone browser extension (for example, one that would work on Linux or ChromeOS), it means there are more things that can go wrong as well. It's just a matter of complexity; and complexity is the enemy of security. That's not to say that 1Password is invincible, but it reduces the attack surface, and there's less that could be gained by compromising the extension (since it doesn't store any of our data). So if we make a standalone extension in the future, we'll have to take great care not to make similar mistakes -- so certainly this is a lesson we can all take to heart.

  • prime
    edited March 2017

    @brenty That's very interesting about 1Password's extension being sandboxed in the browser. I also never thought of it as limited; it does everything I need it to do :) Sometimes going simple is the best way of doing things too. Look at music; albums that are over-produced are not as good (to me). There are some albums that the bands said they did simply, even with mistakes, and they are some of the albums I like best.

    I'm not here to bash LastPass, and I'm glad someone caught the issues before they became a big issue. It also says a lot when AgileBits people don't say negative things about competitors.

  • brenty

    Team Member

    @prime: Thanks for the kind words. Honestly, we're in the same boat, and it hurts everyone when things like this happen. I think you know how difficult it is for some folks to put their trust in a password manager and/or cloud service, and stuff like this scares people away. When it comes to the 1Password extension, I too have modest needs. But a lot of novice users and power users alike prefer the idea of a standalone extension (whether or not they think of it in those terms, and certainly they have different reasons) because honestly it seems natural: "I installed 1Password in my [compatible] browser. It should work!" So from a user standpoint -- whether we're talking about "it just works" or "run everywhere" -- it would be nice to have a standalone extension. But as always there are tradeoffs.

  • @toasted I just saw that also. This isn't good for any password managers. I hope they get their stuff together soon.

  • brenty

    Team Member

    Yeah... I've been following this as it's continued to develop, and it's kind of depressing. They may be our competitor, but this affects real people. I'm glad if issues are found through research, not active exploitation, and are fixed promptly, but the "tech press" and cavalier tweeting really don't help anyone; they only create panic and confusion. Exhausting.

  • I agree, and I'm glad it was found through research also. Now you have the people on social media under the news articles about this: "who uses password managers", "all eggs in one basket?", "I have my brain, no one can hack that", "I put it on paper", and others. I have to bite my tongue and just let it go.

  • DanielP

    Team Member

    Zero-days will always exist; this is not surprising, unfortunately.
