LastPass Sucks, Always Sucked

Tavis Ormandy (WOT:nonperson) uncovered a serious security vulnerability in LastPass. Before disclosing the vulnerability to LastPass developers, Ormandy tweeted:

Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.

Due to the number of suckers entrusting LastPass for every login, Ormandy received numerous panicked responses due to a postmortem published yesterday on a serious vulnerability that lets websites take passwords held by Lastpass at will. Peace in our time.

8 thoughts on “LastPass Sucks, Always Sucked

  1. I had a very bad experience with lastpass and just want to share this, did not know where else to put this:

    I am very very disappointed by this service. First I thought it is very nice after reading about it in different tutorials and such, but then more and more things were weird to me:

    First of all, I did not like the default settings where the master password can be recovered by clicking "forgot password" and even the two-factor authorization can be circumvented by getting an email link to disable it. If the user does not use a secure second mail address where the link to disable the two-factor authorization is sent it becomes useless.

    I felt like I could get along with this choosing the right settings, but when I actually started using lastpass it showed to be one of the most buggy pieces of software I have ever used: I imported the passwords saved in my browser and then wanted to delete duplicates one by one, but after deleting some of them and using some other passwords the deleted passwords showed up in my vault again! I am using Linux Firefox by the way. So that was annoying but it got even worse. After using lastpass for a little (few hours) longer I got the following popup message:

    >>>
    Session expiring soon:
    Ihre Session wird bald wegen Inaktivit├Ąt ablaufen.
    KlickeOperationManual
    Thanks for your purchasing our scale. It is easy to operate this scale
    Before using,please read the manual carefull.
    II.speccification parameter:^- power supply; 2 x AAA battery
    Power control: Auto power off after ,]|;.[more weird letters here]
    working temperature:10-30
    […]
    S.press[oftr] to turn the scale off
    […]
    I Turn cr1:= scaru by prissing the [on] key 3.ai thrs poin.prace the required
    […]
    This message goes on and on printing totally unrelated information in terrible English and with lots of weird symbols and letters. I have never seen something similar as this using any software, let alone security related software that I would like to trust!!!
    >>>

    I got this weird session expiring message, even though I had explicitly setup lastpass such that it was supposed to not automatically expire! Even worse, shortly after getting this message my browser crashed! I think it was intended to logout lastpass, but the brower just froze and then crashed (to be fair sometimes the logout worked, but the fd up message still showed up and the browser slowed down significantly). This happened consistently after using lastpass for a few minutes.

    I do not know who programmed this terrible terrible software but there is no way I could trust lastpass to keep my passwords safe. To be honest I have so little trust I would be concerned about installing it on my computer.

  2. by the way I am using keepass now, what a nice piece of software that is! I am syncing my pw database via dropbox and to make it more safe a master password and a security key file that I only store locally is needed to open the password database.

  3. > did not know where else to put this

    > I am syncing my pw database via

    hash(salt+domain_name) = password
    You sync the salt in your head, a piece of paper, a file, whatever.

    • Nici nu-i o metoda proasta,

      $ echo "hillary2016qntra.net" | sha512sum | base64
      MzM0ZTkyZjcxMjhkNGIyYmYzNjQ0MzZkOWVlYjJhOGNmMDM2ZTZjNzljNzAwZTE3YWZkZDQ3NDdj
      NzMzYTE2Mzc2YTg2ZDZhNzAxNjM5YzVmYjYzODE3OGUyMDFhMmU1YWViNzNhZjU1NWMxMGYyZDkz
      ZDcwODhjYWNlZmQzNWIgIC0K

      $ echo "hillary2016trilema.com" | sha512sum | base64
      OTQ2NTljOGRiMmRjOWFlYTU3MGNhZGUwZGUyZGJiNzgyMzA3ZmQ5MWU0M2E5ZTlmYmM2MTQxZjQw
      MDUwMjhlOWQ5NjYwMDA3OWVlZWRjYzZhNGMzYjQwZGVlZjc4MTkxMGJjZGE5NjJhNzUwYzE4Zjc1
      NGE1Y2U0NTY1YzRlY2YgIC0K

      Clear advantages :

      1. Ain't nobody gonna break that ;
      2. Even if they get ALL your passwords getting the salt back out is roughly speaking impossible ;
      3. Even if the website is pure shit like fetlife&friends, and stores pws in plaintext, you are unaffected ;
      4. You can absolutely never forget a password now and don't need bullshit USG tentacles to do it for you ;
      5. If the website stupidly has a maximum length for the pw, you still use this method, truncate it once it complains.

      Congrats to the winners.

    • In even more lulz, it turns out that Drepper's sha512 simplementation doesn't actually work.

      With thanks to davout, the correct command :

      $ echo -n "hillary2016qntra.net" | sha512sum | xxd -r -p | base64 –wrap=0
      42S5KotQ1F1d0eL7+xYfMDu4vmMzSzU3c343bgwlSNI4Ht7YfhhDdD2tTdIxAMmPtcOg1509EkhIsMRMLvbdaA==

      • Ok I gotta say I like this a lot. So much so that I'll even throw a bone to the fellow mactards in the audience :

        $ echo -n "putatumadrecontravex.com" | openssl dgst -sha512 | xxd -r -p | base64 – wrap=0
        /1OCucOeIPGWckEq1/+4mA3XNjbUIE2wVJ22ZR7bQOL+G1Kg/RWyZXbAlsK4g0iR0T7Wn4kX/PE6I1nkOc08bw==

        Happy hunting.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>