The link below takes you to the best explanation I've seen on two recently disclosed LastPass security flaws. A few thoughts:
- The Bookmarklet vulnerability is the more serious of the two problems, but its exploitation would be difficult – you'd have to be on a rogue or compromised site, and then use the bookmarklet to try to log into that site. Less than 1% of LastPass users use the bookmarklet. Still, I'd venture a guess that most exploits come via compromised sites, so maybe this is a bigger problem than it seems.
- The One Time Password vulnerability would be unlikely to cause a problem, as someone would need to target you with your username, and even then the person would only have access to your encrypted data.
Most concerning is how long it took LastPass to disclose these vulnerabilities after they were patched: about 10 months. The LastPass blog post made it sound like the company was giving the researcher a chance to publish his findings first. Sounds like PR spin to me, with the company having no choice but to discuss the fixed problem after the researcher disclosed it publicly.
I've been using 1Password since the start of the year, but I was a devoted LastPass user prior to that. I fell into the “less than 1%” of users who used the bookmarklet. In fact, the bookmarklet is what I miss the most in 1Password, as it made browsing in Safari on iOS much easier.
Despite the way LastPass seems to be downplaying this, this one is a serious stumble that should give users pause. Still, I think a password manager like LastPass is a much better alternative to the way that most people handle passwords.
∞ LastPass security holes found by researcher, says password management firm – but no need to panic | ESET Welivesecurity Blog
1Password’s 4.5 update for iOS introduced several improvements, including a new coat of paint to bring it more in line with the look of iOS 7. The AgileBits blog recently contained a post setting forth all of the improvements of the update, yet the update that was most important to me wasn’t listed.
No, LastPass fans, the title of this post doesn’t mean that you need to tell me I’m an idiot for switching. LastPass is still my favorite password manager, although I do enjoy 1Password’s user interface. I recently decided, though, that it would be prudent to have a backup of my passwords in a secure place, outside of LastPass. I already had a license for 1Password, so that seemed like the perfect spot. Here’s how I backed up my LastPass passwords to 1Password. You could use the same method to migrate from LastPass to 1Password, too.
It seems like every day we read of a website that has been hacked, and had its users’ login details leaked. One of my favorite services, LastPass, now offers a service to help you discover if your information was leaked by a website. The service, LastPass Sentry, uses PwnedList to monitor whether your credentials have been stolen.
If you follow tech news at all, you know of the epic hacking of Mat Honan’s digital life. His story didn’t involve weak passwords, but generally underscores how important it is for all of us to take an inventory of how secure we keep our online information. One component of this involves your passwords, and one step in password security is making sure that your passwords are strong.
Just when you think you’ve seen everything, along comes the Yellow Jacket iPhone case. If you’ve ever been bothered by the bulk of the stun gun that you carry around in your front pocket, then the Yellow Jacket might be the iPhone case for you.
The past year has seen the shattering of the myth that Macs are impervious to malware. Despite this, I don’t run resident anti-malware software on either of my Macs, opting instead for a program that scans for viruses on demand. Am I tempting fate?
Prior to the Flashback malware fiasco, Apple’s platforms had a reputation for being secure. That reputation might not have been deserved, if a report from the first quarter of 2012 is to be believed. That report, which predated the discovery of the Flashback trojan, took a look at the number of vulnerabilities that major tech vendors reported. The numbers might surprise you.
Editor’s note: Today, 40Tech is pleased to present you with a guest post from Lazy Man of Lazy Man and Money. This article is intended to demonstrate one man’s thoughts on what was happening during a denial of service attack, and how he dealt with it.
The second week in February was a very bad week for me. On February 6th, I had received a legal threat from LifeVantage regarding my ProtandimScams.com site. I was still crushed by my beloved Patriots losing the Super Bowl. (Hey, I put up with their 1-15 seasons and Lisa Olsen scandals, so I’m milking the Tom Brady era for all it is worth.) On the 8th, my websites stopped working. I went to my PuTTY window running a Unix top command to see what was the matter. The load average had spiked from its normal level of around 0.50 to 120. If you aren’t familiar with Unix, top, or PuTTY, this means that either something on your site isn’t working right or Yahoo decided to feature you on its home page. Here’s what happened next.