Password Manager May Pass All of Your Passwords to an Attacker

September 16, 2016

Most of us have many online accounts: financial, social media, exercise and diet accounts, and so on. If you are following the guidance of security experts, you have a unique password for each one. If you're like most people, remembering that many passwords gets daunting, so we look for solutions. One of them is a password manager such as LastPass. Unfortunately, that creates a risk of its own, as security researcher Sean Cassidy demonstrated recently.

He found that by combining flaws in the way LastPass displays its notifications with a bit of social engineering, he could get past its security measures, including two-factor authentication. It came down to phishing and popup fatigue. He lured users to a malicious site with ordinary phishing methods. The site then used JavaScript to draw a notification in the browser telling users they had been logged out of LastPass. Because LastPass showed its own notifications inside the web page rather than in the browser's own frame, the fake one looked identical to the real one. It prompted the user to log in again and then asked for their two-factor authentication code. Everything the user typed was sent to a separate server controlled by Cassidy, which in a real attack would belong to the attacker. A two-factor code is only valid for a short window, but that is no obstacle: the attacker uses it the moment it arrives. With the master password and that code, anyone employing this tactic can log in to LastPass and download every password in the user's vault.

Using such products to keep track of passwords is still generally safer than reusing a single password for every account, but there are clearly risks. If you get logged out of any program when you are not expecting to, do not log back in through whatever dialog just appeared. Start over: re-type a URL you know into the address bar, or use a bookmark you saved earlier that you know is safe. Read every popup dialog box before acting on it. Attackers rely on these because they know how often people just click a button to make the box go away.

LastPass has worked with Cassidy to address these issues, but the reality is that keeping all of your passwords in one place, stored online, is added risk: once someone has your password manager's master password, they have all of your passwords. So use caution with these products, and consider writing passwords on paper and storing them out of sight. And if you like to log in to other sites using your Facebook, Google, or other account, consider the risks of that as well. One password would give someone access to a lot of accounts and information. Instead, take the extra time to create a separate set of credentials for each site. It costs a little time now, but it could save a lot of trouble later.

© Copyright 2016 Stickley on Security