Millions of people count on password managers to safeguard their accounts and help them keep track of their passwords. By serving as a sort of master-key for their accounts, password managers can encourage good digital hygiene, such as using long, complex and unique passwords.
But a major vulnerability in one of the most popular password managers, LastPass, shows how even the tactics users hope will protect them online can still leave them vulnerable - and just how hard it is to keep up with which technology to trust.
Tavis Ormandy, a member of a Google team that hunts for unknown software bugs, discovered the LastPass problem Tuesday - calling it a "complete remote compromise." A distant attacker could potentially take over users' LastPass accounts and gain access to their troves of passwords - at least, if they visited a website designed to exploit the vulnerability while using the LastPass browser extension with Firefox, according to a blog post from LastPass.
LastPass pushed out an update Wednesday fixing the problem. At the same time, it also acknowledged an issue that similarly exposed user passwords and was disclosed to LastPass by security researcher Mathias Karlsson last year.
The company fixed the problem Karlsson discovered back when he told them about it, but it wasn't made public until Wednesday when Karlsson published a blog post explaining the bug. Industry best practice is for researchers to wait until after problems have been fixed to talk about them, but companies don't always publicly announce when they've made major fixes.
This isn't the first time password managers have had security problems. Back in 2014, researchers uncovered security problems in LastPass and four other password managers. Just last year, researchers were able to sneak a malicious program into the Apple App Store that could steal passwords from the built-in Keychain password management tool on iOS and OS X, as well as from the popular password manager 1Password.
Earlier this week, a government agency also waved developers away from another common account security strategy: using SMS text messages to deliver two-factor authentication codes. Two-factor authentication is one of the best basic steps people can take to secure their accounts - it works by having a user verify their identity by a second method beyond a password, most often by entering a unique code sent to them via text message.
But new draft guidance from the National Institute of Standards and Technology argues that using SMS texts for two-factor authentication shouldn't be considered secure, because the phone number associated with an account might change hands, or the code might be intercepted if it is sent to a number registered through an online service such as Skype or Google Voice. Instead, the guidance suggests alternatives such as dedicated authenticator apps, a method already offered by Google and some other services.
Both the LastPass issues and the government's concerns about SMS texts for two-factor authentication show why it's so hard for people to stay on top of their online security: Best practices are always changing, and what was once considered the gold standard can quickly become obsolete.
The Washington Post
Fri Jul 29 2016