Unfortunately another flaw in software for which we expect to have _none_, at least in security software written in ZDNet¹ post:
This just in 7/28/16 story by Cnet – http://www.cnet.com/news/big-security-bug-fixed-by-lastpass-password-manager/ Looks like Lastpass fixed another bug quickly…
Tavis Ormandy (a Google Project Zero hacker) used a couple of tweets to point out security flaws in Lastpass
LastPass is reportedly patching the problem… Forbes² seems to review more detailed problems with Lastpass as well since it looks like another hacker Mathias Karlsson also hacked Lastpass as noted in Detectify³ although Mathias’ hack was fixed.
So now what? Should we discontinue using password managers? Or how should we use our computers?
Definitely use different passwords on different sites:
Email(gmail), banks, Twitter, Facebook, LinkedIn, and many other locations ask for passwords and require us to create a unique password.
In Security one has to be aware of the news of zero day vulnerabilities, and ZDnet is #9 on our Top30 blogs to watch at our page: Security-News-Analyzed(4). The idea is to be a hawk on everything in your environment as to any potential problems so that you can watch and react if needed.
The password management problem is going to be with us until a new technology can remove this particular authentication issue.
Until then I recommend to keep several password managers and one additional “method” Use pen and paper for a few passwords. Make sure you have different passwords for all sites, and keep a few passwords ‘offline’.
Contact me to discuss how to help you protect your network even if you have Lastpass (there are ways to defend ) Tony Zafiropoulos 314-504-3974
- http://www.zdnet.com/article/lastpass-zero-day-vulnerability-remotely-compromises-user-accounts/
- http://www.forbes.com/sites/thomasbrewster/2016/07/27/lastpass-vulnerability-hacks/#36b2d2df3a65
- https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/
- http://oversitesentry.com/security-news-reviewed/