LastPass in the news. Again.

prime
edited April 2017 in Lounge

So 2SA isn't 100% after all. I actually knew it's not 100%, but you get the point.

Again, I'm not bashing LastPass. This makes me mad because it makes ALL password managers look bad. The issue is "fixes" (so they say), but I feel that the owners of LastPass aren't as serious about their customers.

Now I read this:

"According to Vigo's write-up, he discovered that Lastpass was using a hash of a user's password to generate the QR code that is used to set up 2FA on a user's device."

So are they using people's master password in this? And part of their master password is used in the 2SA?

"To put it in perspective, imagine that you have a safe in your house where you keep your most valuable belongings. Do you think it is a good idea to have the same lock for the door and the safe? Should the door key open the safe as well?"

I think this answered my question, but I'm just checking :)

I know you guys can "un-nerd" this a little for me :)

This made me feel better about the secret key, because I can visually see it's not the same as my master password. And I can change it if needed.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • brenty

    Team Member
    edited April 2017

    @prime: Honestly, I think that about covers it. I can't find it now, but just the other day I was reading about another site which sent the one-time password right in the URL in plain text. This is why when I see "1Password needs 2FA", I bore people by talking about threat models and implementation. Multifactor authentication can be a beneficial addition to a security strategy, but it's important to use it appropriately and effectively, otherwise it's just giving us a false sense of security.

    I don't know why this comes to mind now, but it seems to me similar to how an increase in head injuries in (American) football correlates with improvements to protective equipment. It's tempting to expose ourselves to greater risk when we think we're safer than we really are, and I do worry that some folks may think they'll be okay logging into sensitive accounts on computers at school or a public library because they have 2FA.

  • jpgoldberg Agile Customer Care

    Team Member
    edited December 2017

    Let me join @brenty in emphasizing the point that 2FA may be a good thing for certain sorts of systems, but there are going to be other systems for which it is less applicable. Setting it up so that it would provide meaningful security – instead of just being security theater – for a password manager is a challenge. 2FA does not naturally lend itself to an encryption-based password manager in the same way that it might for logging into, say, a mail service.

    We really don't want to be in the security theater business. If we extend our 2FA offerings, we will try to do so in a way that is meaningful instead of just cosmetic.

  • XIII
    edited April 2017

    The researcher that reported this issue has updated his blog on April 21; he now states that while their 2FA implementation is bad, it is not exploitable:

    http://www.martinvigo.com/design-flaws-lastpass-2fa-implementation/

  • brenty

    Team Member

    @XIII: Ah, thanks for that! I hadn't re-read the whole thing to notice the update added at the end. :lol:

  • Just heard about this issue with LastPass.

  • brenty

    Team Member

    We often get requests for similar features, but they always need to be carefully developed and tested, and sometimes they don't end up getting a release as a result if they don't live up to the expectations we all have for 1Password.

  • Catalin1P
    edited April 2017

    After reading this I am sure that 1Password's Secret Key is way more secure than a random 6-digit code that is quite finite; it will end up being reused since it consists only of numbers. The Secret Key is unique because it's alphanumerical, and no matter how many times you are going to change it, it will always be unique. Reusing codes or passwords will always be risky. If the bad guys are lucky enough, let's say that it is the traditional spinny-thingy lock like you see in the movies with the dude with the stethoscope.
    If the face of the lock is numbered 1-30, and you include the rule that you can't have the same number twice in a row, there would be 30*29*29*29*29*29 or 615,334,470 possibilities, so 615,224,470 to 1 against. The odds of this happening are small but you never know.

    My final thoughts are simple. I am glad I use 1Password because you take security very seriously, it is in your core and if MFA will be secure enough to be implemented without having drawbacks, you will do it.

  • Ben AWS Team

    Team Member

    Thanks for taking the time to research this and provide your feedback, @Catalin1P. :)

    Ben

  • I came across an article today and it seems like they finally understood that autofill isn't good for a secure environment. They decided to come up with a new feature that looks similar to 1Password fill on-request. I am glad that you, 1Password have been doing that ahead of the competition. A good password manager is a few steps ahead of everyone else and is leading the way to a more secure environment on the internet. In my opinion, 1Password has become an example to other companies when it comes to password management. Keep doing what you are doing because you are doing it perfectly.

  • Ben AWS Team

    Team Member

    I am glad that you, 1Password have been doing that ahead of the competition.

    Indeed. That is the way we've always done it. :)

    A good password manager is a few steps ahead of everyone else and is leading the way to a more secure environment on the internet. In my opinion, 1Password has become an example to other companies when it comes to password management. Keep doing what you are doing because you are doing it perfectly.

    Thanks so much for the kind words! We take everyone's privacy and security very seriously, and so even what may seem like "little things" (like this) have been given a lot of thought.

    Ben

  • Hello again dear friends!

    I remember when people were criticising 1Password (Agilebits) for their steep price. Seems like LastPass is catching up. They've doubled their price.
    What I learned from this is that you don't have to jump to conclusions too fast. After I read the last blog post "1Password 6.7 for Windows: a feature buffet" I was happy to hear that both models will stay around. I have a feeling that with 1Password I am in good hands and the team behind the product listens to the feedback they receive. I want to congratulate everyone for this.

  • brenty

    Team Member

    @Catalin1P: Thanks for the kind words! Glad to hear that @bundtkate's blog post resonated with you. Indeed, it was a big deal for us as well. We always listen to feedback, but we do need to keep some things secret until we're sure we can deliver. We'd hate to make promises we couldn't keep. That's no fun for anyone. But man, it feels good to get that out there! Can't wait 'til we're able to release the next big thing! :chuffed:

  • Can't wait as well to get my hands on 1Password 7. Indeed it is pointless to make promises you can't keep. I also know that is not easy to keep a promise. I am happy to pay for my subscription because I want to support your efforts. I have a feeling that 1Password 7 will blow me away. I am looking forward to the future.

  • Ben AWS Team

    Team Member

    Can't wait as well to get my hands on 1Password 7.

    Same here! :)

    I am happy to pay for my subscription because I want to support your efforts. I have a feeling that 1Password 7 will blow me away. I am looking forward to the future.

    Thank you for the kind words.

    Ben

This discussion has been closed.