LastPass Security Flaws Disclosed

The link below takes you to the best explanation I've seen on two recently disclosed LastPass security flaws. A few thoughts:

  1. The Bookmarklet vulnerability is the more serious of the two problems, but its exploitation would be difficult – you'd have to be on a rogue or compromised site, and then use the bookmarklet to try to log into that site. Less than 1% of LastPass users use the bookmarklet. Still, I'd venture a guess that most exploits come via compromised sites, so maybe this is a bigger problem than it seems.

  2. The One Time Password vulnerability would be unlikely to cause a problem, as someone would need to target you with your username, and even then the person would only have access to your encrypted data.

  3. Most concerning is how long it took LastPass to disclose these vulnerabilities after they were patched: about 10 months. The LastPass blog post made it sound like the company was giving the researcher a chance to publish his findings first. Sounds like PR spin to me, with the company having no choice but to discuss the fixed problem after the researcher disclosed it publicly.

I've been using 1Password since the start of the year, but I was a devoted LastPass user prior to that. I fell into the “less than 1%” of users who used the bookmarklet. In fact, the bookmarklet is what I miss the most in 1Password, as it made browsing in Safari on iOS much easier.

Despite the way LastPass seems to be downplaying this, this one is a serious stumble that should give users pause. Still, I think a password manager like LastPass is a much better alternative to the way that most people handle passwords.

LastPass security holes found by researcher, says password management firm – but no need to panic | ESET Welivesecurity Blog

1Password’s Best New Feature


1Password’s 4.5 update for iOS introduced several improvements, including a new coat of paint to bring it more in line with the look of iOS 7. The AgileBits blog recently contained a post setting forth all of the improvements in the update, yet the improvement that was most important to me wasn’t listed.


How to Backup Your LastPass Passwords to 1Password


No, LastPass fans, the title of this post doesn’t mean that you need to tell me I’m an idiot for switching. LastPass is still my favorite password manager, although I do enjoy 1Password’s user interface. I recently decided, though, that it would be prudent to have a backup of my passwords in a secure place, outside of LastPass. I already had a license for 1Password, so that seemed like the perfect spot. Here’s how I backed up my LastPass passwords to 1Password. You could use the same method to migrate from LastPass to 1Password, too.


How to Survive Your Website Getting Hit With a Denial of Service Attack


Editor’s note: Today, 40Tech is pleased to present you with a guest post from Lazy Man of Lazy Man and Money. This article is intended to demonstrate one man’s thoughts on what was happening during a denial of service attack, and how he dealt with it.

The second week in February was a very bad week for me. On February 6th, I received a legal threat from LifeVantage regarding my site. I was still crushed by my beloved Patriots losing the Super Bowl. (Hey, I put up with their 1-15 seasons and Lisa Olsen scandals, so I’m milking the Tom Brady era for all it is worth). On the 8th, my websites stopped working. I went to my PuTTY window running a Unix top command to see what was the matter. The load average had spiked from its normal level of around 0.50 to 120. If you aren’t familiar with Unix, top, or PuTTY, this means that either something on your site isn’t working right or Yahoo decided to feature you on its home page. Here’s what happened next.
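A quick way to triage a load spike like the one described above, as an added example that is not part of the guest post: compare the 1-minute load average with the number of CPUs (a load of 120 on a two-core box is roughly 60 runnable tasks per core), then count established connections per remote address to see whether a handful of sources account for most of them. The functions below assume the Linux /proc/loadavg line format and the column layout of `ss -nt` (State, Recv-Q, Send-Q, Local, Peer); the connection lines fed to them here are constructed sample data, not output captured from the author's server.

```shell
#!/bin/sh
# Added example: first-pass triage for a suspected denial of service.
# Assumes Linux /proc/loadavg format and `ss -nt` column order.

# load_is_high LOADAVG_LINE CPUS [PER_CPU_THRESHOLD]
# Returns 0 (true) when the 1-minute load average exceeds CPUS * threshold.
# Default threshold of 4 runnable tasks per CPU is an assumption; tune it to
# your normal baseline (0.50 on the author's box would never trip it).
load_is_high() {
    printf '%s\n' "$1" |
        awk -v cpus="$2" -v thr="${3:-4}" '{ exit !($1 > cpus * thr) }'
}

# top_talkers < SS_OUTPUT
# Reads `ss -nt` style lines on stdin, skips the header, strips the port from
# the peer column (works for IPv4 and bracketed IPv6) and prints
# "<count> <ip>" sorted by count, busiest source first.
top_talkers() {
    awk 'NR > 1 {
             peer = $5
             sub(/:[0-9]+$/, "", peer)   # drop trailing :port
             counts[peer]++
         }
         END { for (ip in counts) print counts[ip], ip }' | sort -rn
}

# Constructed sample connections (not real capture): one source holds most of them.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51000
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51001
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51002
ESTAB 0 0 10.0.0.5:80 198.51.100.2:40000
ESTAB 0 0 [2001:db8::5]:80 [2001:db8::99]:50000'

# Convenience wrapper so the sample can be checked without piping by hand.
demo_top_talkers() {
    printf '%s\n' "$SAMPLE_SS" | top_talkers
}

# Stand-alone run: real usage would read /proc/loadavg and `ss -nt` instead.
if load_is_high "120.00 80.00 40.00 3/200 12345" 2; then
    echo "load is far above baseline; busiest remote addresses:"
    demo_top_talkers | head -n 5
fi
```

On a live box you would run `load_is_high "$(cat /proc/loadavg)" "$(nproc)"` and `ss -nt | top_talkers | head`; a single address or small block dominating the list is the signal that a firewall rule or rate limit is the next step, whereas an evenly spread flood points at needing help from the hosting provider or an upstream filter.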