
Why are you still using Lastpass? Yet another major exploit


Thread replies: 120
Thread images: 11

File: IMG_20170321_072619.jpg (316KB, 1080x1453px)
Why are you still using Lastpass?

Yet another major exploit found.
Isn't it time to accept this has been deliberately backdoored?
>>
>>59506869
Who knows social engineering is cheaper than exploit development, that's why the CIA will always be top dog.
>>
File: keepass_95299.png (23KB, 200x200px)
>>59506869
I use something much better
>>
>>59506869
Can someone who knows their shit explain this in detail, what is the exploit here? Can people steal your password over the internet with this?
>>
pass a best
>>
>>59506915
The exploit is two lines of javascript. Holy fuck he's not going to actually TELL YOU what it is, because then you could use it on someone.
>>
>>59506869
>deliberately giving all your passwords to a program
How do people fall for this?
>>
>>59506869
I don't think it's intentionally backdoored; it's just that it's somewhere between fucking difficult and impossible to 100% secure anything.

Which is why I've never used any of these "we'll store all your passwords" services; regardless of whether they're honest or not, I just can't trust that someone else won't get a hold of them.
>>
>>59506970
I hate morons like you with a passion
>>59506915
>Can someone who knows their shit
Next time just shut your mouth you worthless waste of sperm
>>
>>59506982
agreed when it comes to proprietary bullshit programs.
>>
>>59506982
This
>Remembering passwords is unsafe Anon just use a password manager
>this way we know your passwords but you don't
>Oops looks like it was "accidentally" backdoored
>>
>>59506997
Free software != secure
>>
>>59506869
Can I use it to shitpost on 4chan?
>>
>>59507018
i suppose so, it'd be more secure to never sign up for anything needing a password, but that's not gonna work for most.
>>
>not writing your pass on a sticky note.
>>
>>59506869
>Windows
Found your problem
>>
File: ice king why.gif (471KB, 500x288px)
>>59506995
quality post, anon
>>
>storing your passwords on other people's computers
>>
File: IMG_20170321_082521.jpg (253KB, 1080x1112px)
Reminder that they still haven't fixed the previous exploit, announced over a week ago

Also Tavis Ormandy is the chief vulnerability researcher at Google so he knows his stuff. He recommends KeePass. Open source is best source
>>
>>59507281
>google

botnet alert!!!444!

drop keepAss, use lastpass asap
>>
>>59507281
>Google shill shills keepass in three tweets
>Doesn't even say is secure, just "seems like a reasonable design"

Thanks for this info, will remember to never use keepass. Actually I'll never be stupid enough to save my passwords on another computer
>>
>>59507634
keepass doesn't store your passwords in "the cloud", it's all local
>>
>>59507659
Of course it is
>>
>>59506869
> Store passwords in text file
> Encrypt with GPG

There is literally no flaw with this system.

...except for the fact that you shouldn't store all your passwords behind one master password, you retards.
>>
>>59508058
At least having a unique master password would take a little more effort to get through than just physically stealing a password notebook.
>>
Speaking of password managers, is there a Firefox plug-in for keepassx?
>>
>>59508058
People who use LastPass don't only do so for security reasons, but also for the hassle-free ease of use of a system that allows you to have long randomly-generated passwords wherever you are, without worrying about textfiles, databases, notepads, etc.

Also the fact that I only need to log in at the start of a session to be able to log into everything in a couple of clicks is pretty nice.

For example, I often find myself fapping to some video I like enough to want to download it, but to get the best quality I have to log in, so I just do so in a couple of clicks and I can easily download it without interrupting my fap.

For people who use it, simply typing/writing them down isn't a comparable alternative.

I've been using it for at least 5 years and it's very hard to switch to other systems, but I'm honestly starting to look for alternatives, because I'm getting paranoid about their ability to patch holes in time and to not decide one day to start stealing passwords.
In the meantime I'm just not using it for important things like banking (and related emails) and such, and only use it for normal websites where an intruder can't really do much damage (especially since there's 2FA on the most important ones).
>>
>>59506915
>>59506869
>>59506949
I think what you should really be concerned about is the fact that LastPass is a proprietary password manager.
>>
>>59507841
you can check the source and compile it yourself. you can also just monitor the application (does it make any internet connections? what file does it read/write?)
>>
>>59508946
Has there ever been a serious audit on it?
Because the fact that it's open source alone doesn't necessarily mean that people actually went to seriously make sure it doesn't do anything sketchy.
>>
>>59508983
You could have just typed that into Google.

https://www.ghacks.net/2016/11/22/keepass-audit-no-critical-security-vulnerabilities-found/
>>
>>59506982
Some of them actually work. Keepass is actually really good. It stores all of the passwords in a database file that you can put wherever you want. The database file cannot be opened without the master password.
>>
https://twitter.com/LastPass/status/844176201392504834

>LastPassVerified account @LastPass 2 hours ago

>The issue reported by Tavis Ormandy has been resolved. We will provide additional details on our blog soon.


Meanwhile freetards are still stuck with bugs from 15 years ago.
>>
>>59506982
Because I will die, and I want my family to have easy access to certain accounts.
>>
Can keepass fill in my password and user accounts?

If I have to copy+paste manually then I can't be assed to use keepass.
>>
>>59510640
This.

Lastpass gives people money for finding exploits unlike other password managers so I bet lastpass is way more secure than other managers.
>>
>>59511204

So does Microsoft. And Oracle.

Does that mean Windows is secure? Not really. Same goes for VirtualBox.
>>
>>59511239
It means they are more likely to find exploits and patch them unlike software like keepass which has no incentive for people to look into them other than "just for fun".
>>
>>59511068

Yeah, just ctrl+v in the keepassx window while the right input fields are active in the browser. There are probably browser addons to improve this functionality, but I haven't investigated that.
>>
>>59511324

Uhh, except that security audits are done by just about any serious security project and Keepass had one?

See >>59510331

But hey, I guess OpenSSL is also insecure because there's "no incentive".
>>
>>59511068
Keepass has integrated features to ease copying your login details, but they're fairly limited. However, there are browser extensions that act as a bridge between your browser and keepass.
If you're using Firefox, Keefox allows you to fill in your passwords easily. Chrome has ChromeIPass, but it's definitely lacking in comparison to Keefox. Both use different but secure channels to enter your login data.

There are also tools out there to export the passwords saved on your browser to a keepass database, which makes moving to keepass a lot easier.
>>
I ditched them as soon as they sold the company.
>>
>>59507659
I store my keepass database in the cloud (drive) though :^)

Stays synced on my phone and computers
>>
>>59508150
>Giving a pajeet-made extension for an extremely vulnerable browser access to a database with every password you control, defeating the purpose of using keepass, a local password manager, in the first place
Whew
>>
>>59511512
>There are also tools out there to export the passwords saved on your browser to a keepass database, which makes moving to keepass a lot easier.
Wish I knew this... At least I ended up changing all my passwords during the transition anyway.
>>
>using a password manager
The NSA has you right in their trap
>>
>>59507077
Works on any OS dumbass.
>>
>>59511694
They wouldn't need it
>>
>>59507281
Actually they did fix the previous vuln. If you had the entire tweet and proceeding comments, you'd see that only the Firefox stable branch still isn't fixed because Mozilla hand checks the updates and the Firefox extension is months behind the other browsers because of it.

Unless you opt into installing it directly from Lastpass' website, the Firefox default version hosted on AMO is out of date. It was fixed in all other versions on all other browsers.
>>
>>59510498
It's actually really dumb, I can't use it on public pcs or my phone
>>
>>59511829
>public pcs
seems like a smart idea

>or my phone
why?
>>
>>59511829
>I can't use it on...my phone
how shit is your phone
>>
>>59508058
There is one flaw: you're reinventing the wheel.
sudo apt install pass
>>
>>59506869
LOL USING SINGLE PASSWORD TO PROTECT YOUR ALL PASSWORDS
>>
>>59511954
Problem?
>>
>>59511962
READ MY SENTENCE AGAIN AUTISMO
>>
kek'd
>>
>>59511984
Yes, problem?
>>
>>59511999
YOU ARE AUTISTIC IF YOU USE PASSWORD MANAGER
>>
>>59512012
Problem?
>>
File: b5914b84.jpg (59KB, 500x564px)
>>59511829
Considering there are multiple mobile apps for it, you are the really dumb one.
>>
>>59512019
YOU SHOULD GO TO MENTAL HOSPITAL IF YOU USE PASSWORD MANAGER
>>
my password manager uses gpg. has gpg been hacked?
>>
>>59512047
Still not seeing the problem.
>>
>>59512059
BROKEN MENTAL HEALTH IS THE PROBLEM M8
>>
>>59506869
i don't know why anyone would use a password manager that uploads your passwords to someone else's server. i use keepassx and keep the database away from internet
>>
>>59511874
how shit is keepass to not have some sort of app
>>
>>59511841
>why?
because i have to log in to shit on my phone too but thanks for informing me that this is just a meme
>>
>>59512101
there are multiple apps for android, dunno about ios since i'm not an ifag
>>
>>59510976
Then write it down and leave it in a secure place. You act like that's flawless justification, it's stupid.
>>
>>59506982
the alternative for normies would be using same password on all sites and many still do it
>>
>>59512123
I personally use KeePass2Android
>>
>>59511512
i would never install a browser extension for this. there will always be some way to exploit them because the browser wasn't designed to be used this way.
>>
>>59511068
>>59511512
>>59512304
Both regular KeePass and KeePassXC have a built-in autotype feature that can autofill fields in any window without additional extensions being installed. The one disadvantage with KeePassXC is that it can only do it based on window titles, and not URLs.
>>
What do you guys think about this:
http://masterpasswordapp.com/
>>
>>59512363
What's better? KeePass or KeePassXC?
>>
>>59512363
>The one disadvantage with KeePassXC is that it can only do it based on window titles, and not URLs.
There are extensions for both Firefox and Chrome to add the URL to the window title, which should help with your particular issue.
>>
>>59512600
If you're on Windows I'd go with KeePass, it may be a bit more proprietary but it has more features as a consequence of that.
>>
>>59512650
That's good to know, thank you. I hadn't even considered that.
>>
There is no 2FA for KeePass? Wtf?
>>
>>59512693
Plugins?

http://keepass.info/plugins.html#keeotp
>>
>>59512769
Does it also work with the mobile version?
>>
>>59512693
But there is dude.

Keyfile and password.
>>
>>59512802

Also SID if you're on NT
>>
>>59512790
I notice KP2A has some OTP/Challenge options for unlocking.
Haven't used them though, let alone cross-platform.

Also to the best of my knowledge all mobile versions are unofficial?
So even then compatibility might be limited (barring obvious 2FA/challenge specifications).
>>
>>59512818
That means Mobile versions of KeePass are even less trustworthy than LastPass?
>>
>>59512862
That's a leap in logic. Safer to say while they may hold themselves to the same standard as official, nobody else is.
>>
anything cloud based is inherently insecure.

KeePass is the only good option. Lots of extensions and support.
>>
>>59510640
>Meanwhile freetards are still stuck with bugs from 15 years ago.
You're using a proprietary password manager. How gullible can you possibly be? Sure, exploits may be fixed, but don't you see the problem? You're handing your passwords to a program.
>>
>>59513252
>KeePass
Just tried it. It's fucking cancerous compared to LastPass. LastPass is 10x more comfy to use. Auto Type is a joke that doesn't always work and if I install KeeFox I can just as well install LastPass because they both suffer from the same weak points. Actually KeeFox is even more insecure.
>>
>>59513383
Damn, what an argument.
>>
>>59508058
>...except for the fact that you shouldn't store all your passwords behind one master password, you retards.

Isn't that what you are doing when you memorize them? If someone hacked your master password (your brain), they'd have plaintext access to them.
>>
>>59507281
>Open source is best source
I agree but the more concerning part is that local password managers are infinitely better than shitty phone-home cloud browser plugins.

An unencrypted text file on a safe computer probably offers more security than fucking Lastpass
>>
I've used keepass like since 2008 or something. Not a single problem, ever. I see no reasons to change from keepass to anything. Works on all my devices (linux, windows laptops+desktops, android tablets, android phones).
>>
>KeePass so good they make a sequel
Is LastPass even trying?
>>
>>59511328
>tfw it pastes your info to the wrong window
>>
>>59506869
>binary component
It's fucking nothing.
>>
>>59506869
Go back to trashing AVs, Tavis.
>>
File: IMG_20170321_202941.jpg (147KB, 1488x380px)
>>59515030
You can use other RPCs to force-enable the binary component

Plus Tavis sent them a proof of concept showing his exploit causing execution of calc.exe and Lastpass said they couldn't replicate it. They didn't realise it wasn't working because they were all using Macs. Fucking iFags, how could you ever trust these morons
>>
>>59514958
>disable autotype
>remove submit from its default template
>don't be retarded
there's a few solutions
>>
>>59515099
sounds like bullshit my man

no one can be this retarded
>>
Full exploit and sample demo has now been published by Taviso, as LastPass say they have fixed it in their latest version

https://lock.cmpxchg8b.com/SaiGhij5/lastpass.html
>>
>>59511694
The issue isn't CIA or FBI or whatever government organization. The issue is using the same password multiple times. Just takes one service being compromised and all your accounts are potentially at risk.
>>
File: 1467305966978.png (27KB, 1431x314px)
>>59515135
>no one can be this retarded
>>
File: IMG_20170321_232005.jpg (205KB, 1080x1321px)
LITERAL CAR CRASH

YET ANOTHER LASTPASS EXPLOIT FOUND

STOP USING THIS BACKDOORED SHIT IMMEDIATELY
>>
File: 1486764582807.jpg (13KB, 216x225px)
>any year
>LostPass
>>
>>59517555
but my premium membership!
>>
>>59506995
what are you so mad about you fucking virgin
>>
>>59518321
project harder
>>
File: logo-gnupg-light-purple-bg.png (9KB, 356x120px)
>using a password manager
Is there really any reason to not just use an encrypted text file
>>
I already stopped using LastShit eons ago. Nowadays I use KeeWeb, KeePass 2, KeePass2Android and KeePassX.

Android ; KeePass2Android
Browser/Chrome OS/Web ; KeeWeb
Linux ; KeePassX
WinShit ; KeePass 2

This is the only correct way to do/use password managers and best in choice and taste.
>>
>>59517555
/ourguy/
>>
>>59518401
It's inconvenient and unorganized
if you don't like big gui applications look at zx2c4 pass
>>
How many more incompetent companies will taviso kill?
>>
>>59518408
>Browser/Chrome OS/Web ; KeeWeb
Eh

What scenarios do you use this in?
>>
>>59512048
2048 bit rsa is vulnerable.
>>
>>59512600
KeePassXC
>>
>>59506982
You can use Keepass to generate massive uncrackable passwords so in case the website db is stolen you will never be cracked
>>
>>59507478
>keepAss
kek
how come /g/ays can fuck up a program name so quick so efficiently?
>>
File: engineering.jpg (84KB, 1920x1080px)
KeePassX is the only acceptable password manager.
This is a 4chan archive - all of the content originated from that site.
This means that RandomArchive shows their content, archived.