DBSA:2014-0012
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Contents
Digibase Security Advisory - Online Password Managers Deemed Insecure
Keywords: LastPass, RoboForm, My1Login, PasswordBox, NeedMyPassword, Passwords, Vulnerability, Information Disclosure
DBSA ID: 2014-0012
Regarding: Online Password Managers Deemed Insecure
Writeup: Kradorex Xeron (talk) 00:24, 15 July 2014 (EDT)
Date: 2014 07 15
Last Modified: 20140714233750 by Kradorex Xeron
Who should take note: Everyone
Classification
Priority: HIGH
Rationale: Immediate action is necessary to keep information secured against third party threats.
Severity: HIGH
Rationale: Vulnerabilities can disclose passwords for other services, to which there often is no solid mitigations a user can perform.
Spread of Issue: MULTI-PLATFORM MODERATE
Rationale: Services provide browser extensions on multiple platforms, there are substantial number of users of these services.
Description
Multiple password management solutions have been evaluated and revealed to contain web-based exploits that may result in passwords for third party services being revealed. Among these services evaluated are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword. These services however are not the only online unified credential management services that could contain these issues.
The issue at hand specifically is that an attacker may utilize weaknesses in the services' software or the like to leverage access into passwords for services, including email passwords, online shopping and banking passwords, workplace credentials for remote access, identities, among other services that users value.
Mitigation/Solution
Users of these online password manager services are advised to remove all information from the services and discontinue use of these services if at all possible and to treat similar services as potential risks. Passwords should be memorized to maximize security but in the absence of such memorization it is advised to use local password managers that do not use an online account or storage of any kind. The preferred secure method to manage a password database is to maintain a text file that is encrypted and when the database is in use and is unencrypted to ensure there is not a third party observing the database.
Password entry should not be automatic and should require manual use to enter passwords to avoid attempts by attackers to trick automatic entry for phishing purposes.