LastPass has sold out, but there are alternatives. Critical bugs have been identified in the LastPass password manager extensions for Chrome and Firefox.
Back in the summer of 2016, Google Project Zero researcher Tavis Ormandy asked, in earnest: “Do people really use this LastPass thing?” Ormandy then discovered a 0-day vulnerability in the code of the LastPass add-on for Firefox that made it possible to remotely compromise all of a user's passwords.
Now, almost a year later, the researcher has tested LastPass's security again, and unfortunately it cannot be said that the application passed. Ormandy writes that he found a problem in the official LastPass extension for the Chrome browser: the extension's content script contains a vulnerability which, if exploited, could lead to the compromise of all credentials stored in the application. Moreover, to carry out an attack, the attacker only needs to lure the user to a malicious site.
The researcher explains that the script is only injected on one specific lastpass.com domain, and a closer look at how it works shows the following:
Here, as Ormandy notes, is the mistake: the script proxies unauthenticated window messages to the extension, which is dangerous because any page can do the following:
This gives the attacker full access and lets them make LastPass execute RPC commands, of which there can be hundreds; the most dangerous, of course, are those that copy and fill passwords. In some cases this can even lead to arbitrary code execution on the user's machine by abusing the openattach command. As a demonstration, Ormandy launches the ordinary Windows calculator (calc.exe).
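To make the pattern concrete, here is an added illustration (not LastPass's own code) of a content script that relays window messages to its extension, shown once without checks and once hardened with an origin check and a command allowlist; the origin, command names and the sendToExtension callback are assumed for the demo.

```javascript
// Added illustration, not LastPass code: a content script that relays
// window messages to an extension background page. The insecure relay
// forwards anything it receives; the hardened one checks the sender's
// origin and forwards only an allowlisted command set.
// TRUSTED_ORIGIN, ALLOWED_COMMANDS and sendToExtension are assumed names.

const TRUSTED_ORIGIN = "https://vault.example.test"; // constructed placeholder
const ALLOWED_COMMANDS = new Set(["getStatus", "openVault"]);

// Insecure pattern: every window message becomes an extension RPC call,
// regardless of which origin posted it or which command it names.
function insecureRelay(event, sendToExtension) {
  const msg = event.data;
  if (!msg || typeof msg.cmd !== "string") return false;
  sendToExtension({ cmd: msg.cmd, args: msg.args });
  return true;
}

// Hardened pattern: same relay, but the sender must be the trusted origin
// and the command must be one the content script is meant to expose.
function hardenedRelay(event, sendToExtension) {
  if (event.origin !== TRUSTED_ORIGIN) return false; // drop cross-origin senders
  const msg = event.data;
  if (!msg || typeof msg.cmd !== "string") return false;
  if (!ALLOWED_COMMANDS.has(msg.cmd)) return false;  // no arbitrary RPC names
  sendToExtension({ cmd: msg.cmd, args: msg.args });
  return true;
}

// Simulated message events, constructed for the demo. In a real content
// script these would arrive via window.addEventListener("message", ...).
function runScenario(relay) {
  const forwarded = [];
  const send = (m) => forwarded.push(m.cmd);
  relay({ origin: TRUSTED_ORIGIN, data: { cmd: "getStatus" } }, send);
  relay({ origin: "https://other-site.test", data: { cmd: "copyPassword", args: {} } }, send);
  relay({ origin: TRUSTED_ORIGIN, data: { cmd: "deleteAll" } }, send);
  return forwarded; // list of commands that reached the extension
}
```

Running both relays over the same three messages shows the insecure one forwarding all of them, including the cross-origin "copyPassword" call, while the hardened one forwards only "getStatus".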
The LastPass developers appear to have already fixed the problem in the Chrome extension by disabling 1min-ui-prod.service.lastpass.com. However, some users report that the server is still running for them and the vulnerability is still exploitable. Users of LastPass for Chrome should probably disable the extension for now and wait for a full patch, since version 4.1.42, dated March 14, 2017, was still vulnerable.
It is worth noting that last week Tavis Ormandy found another, very similar bug in the LastPass add-on for Firefox. That vulnerability also allows all of a user's passwords to be extracted if the user visits a malicious site.
This problem has not yet been fixed. The LastPass developers have already prepared a patch, but the corrected version 3.3.2 is still under review by Mozilla. The LastPass authors also stressed that the 3.x branch is considered obsolete, and users are advised to switch to the more secure 4.x branch.
But LastPass's problems don't end there. Today, March 22, 2017, Tavis Ormandy warned that the LastPass add-on for Firefox contains yet another bug that allows passwords for any domain to be stolen. This time the newer, more secure version 4.1.35 is affected. The researcher promises to publish details soon.
I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly.
About upcoming significant changes to the Firefox add-on system. To ensure cross-browser compatibility, the developers of Firefox and other browsers have adopted a common API called WebExtensions. Supporting a common API will help reduce the cost of cross-platform development for companies like ours that have to produce and support extensions for multiple browsers. While migrating to WebExtensions provides a number of benefits for developers, browsers, and users, we want to prepare LastPass users for the transition from the previous Firefox add-on to the new one.
We've been supporting two versions of LastPass for Firefox for over a year now. The stable 3.x version is published in the Firefox add-ons store, and the in-development 4.x version has been published on the LastPass.com website.
While this created some confusion for LastPass users, we maintained the "legacy" version to maintain the Firefox-like user experience that our users preferred. In the meantime, we continued to develop version 4.x in accordance with the changes that Mozilla implements. But with the recent news that Mozilla will be moving entirely to WebExtensions by the end of 2017, we have to say goodbye to LastPass version 3.x for Firefox.
We will release the newest version of the add-on on March 31, 2017. The latest version of the add-on is expected to be rolled out to all users of version 3.3.2 within a few days after review by Mozilla. You can manually update the Firefox add-on now or wait for the automatic update in April. After this, only version 4.x will be available on both addons.mozilla.org and LastPass.com. For users of the 3.x Firefox add-on, this update brings all the latest improvements we've made to the core logic and performance of LastPass, as well as the latest user interface. Based on user feedback, we also recommend checking out the tile and list views in the 4.x interface to see which view is best for you.
LastPass 3.x Interface
LastPass 4.x Interface
In addition to implementing the changes made by Mozilla, we believe that the new version of our Firefox add-on is overall much easier to use. We know that change is not always pleasant. We're listening to your feedback and making thoughtful, informed changes while unifying the LastPass experience across all browsers and platforms.
Of course, the transition to the new version of the add-on will not affect your LastPass account or any data in your vault. You will still have full access to your account at any time from any browser and from any device.
As always, you can contact our support team if you have any questions or concerns regarding this transition.
Meet LastPass, one of the... best programs for storing passwords, distributed as a single plugin installer for Internet Explorer, Google Chrome, Mozilla Firefox, Opera and Apple Safari, and developed by LastPass. Passwords in LastPass are protected by a master password, stored locally, and can be synced with any other browser. LastPass also has a form filler that lets you automate entering passwords and filling out forms. The plugin supports generating passwords, sharing data, logging site logins, creating secure notes, and much more. You can download LastPass below.
One master password (the motto on the site is “The last password you should remember!”).
Browser synchronization.
Generating strong passwords.
Password encryption.
Online form filler.
Import passwords from other password managers, as well as export.
Passwords are stored in the lastpass.com cloud service in encrypted form (AES-256).
The LastPass master password exists only in your head; when you enter it, all passwords are decrypted from the database (AES-256).
Passwords are transmitted over a secure (https) connection.
LastPass creates a hash of your username and password, which serves as the key for the AES algorithm.
For authorization, the LastPass service uses a double hash, which is sent to the server and serves as the verification key for authorization.
Names of groups, accounts and data are transmitted in encrypted form, https is used everywhere.
LastPass collects passwords that other password managers don't see, including many AJAX forms, and makes it easy to create strong passwords.
You can import and export data from many well-known password managers (such as RoboForm, 1Password, KeePass, Password Safe, MyPasswordSafe, Sxipper, TurboPasswords, Passpack, Firefox, Internet Explorer and many others). Passwords in LastPass are protected by a master password, stored locally, and can be synced with any other browser.
LastPass uses strong cryptography on the client side: passwords leave the computer already encrypted, and only the user can decrypt them. Even if someone obtains this data, the encrypted data is essentially useless to them.
What I like most is that all data is stored both on the computer and in a secure service, periodically synchronized, and accessible from any computer where LastPass is installed. In addition, it has a very convenient function for creating protected notes, along with other equally useful functions.
Almost everything. The program does everything itself. It will offer to save your login and password, enter them into the fields the next time you visit the page, or even log in for you (if you want). At the same time, it generates passwords that you do not need to remember at all, and they will be different for each resource. This greatly increases the security of protected access.
If you want, your secrets can always be with you, no matter where you work and no matter what computer you use. For this, you can use the local version (LastPass Pocket) on a flash drive (it is advisable to first export your data from your LastPass account to a file on disk, so that you can later open it in the portable version anywhere, without installing the main program). Everything works without any restrictions on the amount of data saved or the time of use, free of charge and in Russian. There is also a paid version with slightly more advanced features, but we are not talking about it here.
Installing the program and registering a LastPass account is quite simple: you just need to accept the default settings, and the installer will offer to disable the password managers in your installed browsers because of their unreliability. Creating a master password is also very simple (you will be given guidance and shown how resistant your master password is to cracking). We also recommend changing your master password periodically to prevent unauthorized access to your LastPass account. The LastPass service itself does not have access to your confidential data, which it honestly warns you about. That is, if you forget or lose your master password, you will only be sent a password hint (not your passwords, logins, etc.), or you will have to use account recovery.
The big advantage of LastPass, in my opinion, is that if you already have a LastPass account (and, of course, remember the master password to log into it), you have nothing to fear from a system crash or reinstall: you just reinstall LastPass and log into your account, and the program works for you again. It goes without saying that all your passwords, websites, forums, secure notes, in short everything you saved, will be restored on the new computer. The developers are not idle: they constantly update LastPass, strengthening it (and your security) and improving the program, and in browsers the LastPass extensions are updated in the background without interfering with your work.
This description of LastPass's capabilities is far from complete; I hope you like the program. In closing, I note that having tried many password managers, paid and free, I long ago settled on LastPass because of its simplicity and reliability. The program is updated quite often, both on the official website and in the Google, Firefox, Opera and Safari extension stores, and there is detailed online help and videos on setting up and using the program.
Developer: Joe Siegrist
License: FreeWare
Language: Multi + Russian
Size: 59 MB
OS: Windows
Download:
A separate menu section is responsible. However, it is not convenient for all users: without synchronization enabled, this data is saved only locally, and if the hard drive fails or the operating system suffers irreparable problems, it is easy to lose the saved login data with no possibility of recovery. In addition, even with synchronization enabled, the user is tied to a specific browser. Third-party tools avoid all these inconveniences while keeping your personal data safe. This particularly applies to LastPass, an add-on with a proven track record and useful features.
The main purpose of this add-on is to store in the cloud all the passwords you enter when logging into websites. Thanks to this, you are not tied to one browser at all: just install the extension on another device, log in with the same account, and easily access any sites whose passwords have already been saved. Creating your LastPass account is very simple:
- Install the extension from Firefox Browser Add-ons using the site search or the link below.
- Confirm the installation with the appropriate button.
- After that, you will need to register: click on the LastPass icon that appears to the right of the address bar, then click the "Accept" button.
- A new page will open in your web browser, where you need to go through the registration process. To begin, provide a valid email address. The email address must really work so that if you lose your LastPass password, you can recover it.
- The service requires a complex password: at least 12 characters, containing at least 1 lowercase and 1 uppercase letter, as well as at least 1 digit. Be sure to include a hint that will help you recover the key if you forget it.
Once your account is created, you will need to make your first save. It works like this: open the site whose password you want to save in LastPass and go through the usual login procedure. The extension will ask for permission to save the password; confirm this with the "Add" button.
As an experiment, log out of your account on that site, and you will see that even though Mozilla Firefox itself does not remember the password, the login information is filled in. If you have several accounts on one site, click the button in the login or password field and select the desired one. Login data for different accounts becomes available only after you have logged into each of them in turn.
Local encryption
The peculiarity of this extension is that all encryption in LastPass is carried out locally using a unique key, which is why passwords, even in encrypted form, are not transferred to the company’s server. AES-256 and PBKDF2 SHA-256 are used for this. As a result, the user does not have to worry about entering confidential information into the add-on’s memory: unauthorized persons will not be able to read it. Additionally, each important action requires you to re-enter your password, which helps protect personal data from other people using the computer in your absence.
Personal Vault
Each registered user gets a profile in which they can manage various functions. To open it, click the extension button and choose "Open my Vault".
The most important thing is that here you can view all the passwords you have ever saved in LastPass, sorting them and distributing them into folders.
For each password, clicking the wrench button on its tile opens several additional options: view the login and password, add a note or folder, require the master password before the password is filled into a login form, enable automatic login to the site with this data, or disable autofill (this particular login and password will then not be entered automatically into the fields on that site's login page). You can even add a password to your favorites or send it by email to a person you trust.
Despite the name, this extension lets you store more than just passwords, namely notes, addresses and phone numbers, payment cards and bank accounts. That way you can quickly access any of this confidential information from your computer, mobile device or Apple Watch, wherever the LastPass app is available. The same applies to them: notes, credit card numbers and so on can easily be viewed, sorted and organized, and just as easily edited or deleted when some information changes or becomes outdated.
Here you are also offered secondary features, which we will not dwell on here but will partly cover later (since they are also part of the extension menu), as well as some basic account settings. Unfortunately, there is no Russian interface language.
View recently used login passwords
This item and the others are opened through the menu that appears when you click the extension icon, as mentioned above, so we will not repeat this below and will simply name the menu items. Now let's talk about "Recently Used".
Here you will see a list of the latest logins and passwords used to sign in to sites. This, by the way, is useful not only for the account owner but also for privacy purposes: data here cannot be erased, unlike browser history, so if someone used your computer and visited sites without your knowledge, a look at "Recently Used" will tell you about it even if the browser history has been cleared.
By clicking on any item, you can go to the site itself, edit the login data, or completely remove the login/password combination from LastPass.
Viewing personal information
Earlier we noted that, in addition to passwords, notes, card numbers and other data can be entered into the extension. Through the "All Items" entry you can not only quickly view them but also add a new item, which is convenient because there is no need to open your personal account. Later, all this information can be used to quickly register on websites and pay for purchases and invoices without manually entering payment details.
Adding personal information
This personal data can easily be entered into the extension via the "Add item" section of the menu. Here you can choose from several thematic templates and fill in the necessary information. Some of them do not apply to our country, but in general the fields are relevant, so you can enter information about health insurance, a driver's license, a passport, and so on. All of this is subsequently available for viewing through your personal account.
Generating a complex password
The extension offers users complex passwords that attackers cannot crack. Under "Generate Secure Password", you set the length of the future key and choose its type (easy to pronounce, easy to read, with uppercase and lowercase letters, numbers and symbols). If you don't like the result, change the parameters or simply generate it again.
Additional account options
Apart from all these features, there are also a few technical, non-essential options that some may find useful. In the "Account Options" section of the menu you will find the following additional options:
To sum up, LastPass is a highly functional extension whose benefits have no equal for anyone who actively works with websites. LastPass is less suited to beginners who do not want to learn its functions and are not going to pay for advanced features. After registration you get 30 days of Premium as a gift, after which you will have to buy the PRO version at the service's prices (look at the list of options that Premium unlocks; you probably simply do not need them). Still, LastPass works just as well for ordinary password storage: with it, you can easily use different browsers on different devices, automatically receiving and managing login data wherever the add-on is installed.
The first and simplest option is the built-in password manager of Chrome, Firefox, Opera or Vivaldi. Almost all modern browsers can save logins and passwords and automatically insert them into the required fields. Admittedly, this option cannot be called very functional, since it lacks extras such as a strong password generator and protected notes. But it is completely free, and synchronization between devices is available, which of course works only if you use the same browser everywhere.
+ Simplicity, accessibility, free. Synchronization between different devices.
− Low functionality and security.
1Password
1Password has been around for over eight years but has always been overshadowed by LastPass because of its fairly high cost. It can store passwords, bank card data, software licenses and other confidential information in secure virtual storage, which can be located on a remote server or a local device. Synchronization via Wi-Fi, Apple iCloud or Dropbox is possible. The developers paid special attention to security and encryption algorithms, thanks to which the service has not been caught up in any high-profile scandals.
+ Reliability, cross-platform, functionality, synchronization.
− High price.
KeePass
If you are looking for a free solution and are not afraid of difficulties, be sure to try KeePass. It is a completely open-source project created by independent developers, with a huge range of possibilities thanks to a whole arsenal of add-ons, plugins and auxiliary utilities. In return, however, you will have to accept the typical disadvantages of free software: a steep learning curve and the instability of some components.
The password database created in KeePass is stored as a single file, which can be placed on your hard drive or in a cloud service. In the latter case, you can synchronize data between devices. There are plugins for popular browsers that, with varying degrees of success, fill in logins and passwords on the desired pages. KeePass is also available on mobile devices.
+ Free, functional, secure.
− A solution for geeks who can select and correctly configure all the necessary components.
Dashlane
This password storage service appeared relatively recently but has already proven itself well. Dashlane has a pleasant appearance, good functionality and is easy to use. The password database is stored encrypted in the cloud, with synchronization between clients for different platforms (Mac, PC, iOS and Android). Among the additional features are automatic form filling, a password generator, one-click password changing, and convenient tools for online shopping. But all this splendor may fade if you want to synchronize data between devices: for that you will have to buy an annual subscription costing $39.99, which, you will agree, is quite a lot.
+ Appearance, reliability, cross-platform, digital wallet.
− High cost, lack of local password storage.
Which password manager will you choose if LastPass does become paid?