Skip to main content
PW

Are Password Managers Worth It?

 

Regardless of who you ask, password strength is an overwhelmingly important element of cyber security and although there is some resistance, many have taken the route of simply downloading a password manager, rather than having to remember multiple passwords.

What is a password manager?

Password manager applications keep your login information for the different websites you use and encrypt the password database with a master password – which then becomes the only one you have to remember, which until now felt like a huge relief.

Even if there was a website breach and user passwords were exposed in their cryptographically protected status, the ability to crack these passwords are far lower than a plaintext password.

Unfortunately, Google Project Zero, the security analysts found over 30 vulnerabilities in Apples iPhone’s operating system between 2016 and 2018. One of them being a flaw in one of the most widely used password managers, LastPass.

What’s the vulnerability?

Developers of LastPass have had to patch a flaw that made it possible for hackers to steal credentials for the last account that users logged into on either Chrome or Opera. The vulnerability, discovered in September by a Google Project Zero researcher was passed on (mind the pun) to LastPass privately and published this past week.

 Why did it happen?

Applications dedicated entirely to security should theoretically have a better track record when it comes to patches. However, when you have an industry that relies on third party pop ups and advertising, something is bound to go wrong. The flaw originated from the way the extension generates pop-up windows and iframes. When Lastpass was making popups, they were unexpectedly opening with the most recently used password, the cached password.  

This meant that with a little bit of handy clickjacking, passwords for the previous site could be leaked. Ormandy, the Google Project Zero researcher also described three other weaknesses he found in the extensions:The handle hotkey wasn’t checking for trusted events, which allowed sites to manufacture random hotkey events.  There was a bug giving hackers the ability to disable several security checks by inserting "https://login.streetscape.com" in the code.

The Response

LastPass stated that they have fixed all the bugs and claimed that the set of circumstances required for these vulnerabilities to be used are actually very limited. The LastPass bug was fixed in version 4.33.0 but if you are using it be sure to enable automatic updates, even if you aren’t on Chrome or Opera.  

Key Takeaway

LassPass offers a genuine and important solution to password issues and make it harder for hackers to simply guess. Password managers also create much stronger passwords in general since no one needs to memorize them.  The LastPass weakness shows us that nothing is foolproof, even something specifically designed to improve security.