On 06/13/12 16:30, Carl Bussema III wrote:
> Actually LastPass is a well-known and respected security tool, so I
> would actually trust them not to compromise the password. I actually
> tried to decipher the HTTPS session with Fiddler, but Chrome +
> LastPass detected a man-in-the-middle and wouldn't proceed.
> And because apparently some people need to be put out of their
> paranoia, I went ahead and just used my regular developer tools and
> found exactly what I suspected:
> I posted the password "asdf" to their form. I then watched the AJAX
> request (which because it happens client side is unencrypted before
> transmission) ... and you know what they are sending to their servers?
> THE HASHED PASSWORD. It's not like it's hard to SHA1 a string
> So the send the hash to the server, check the list of "known bad
> hashes" (which is what the hackers have published) and tell you if
> your password hash matches a known compromised hash.
> It's really about as safe as you can possibly imagine and a great
> tool. Yes, we should be careful about inputting passwords onto strange
> sites, but you should also do your due diligence and check if the site
> might actually be legit.
Passwords are about as fragile a thing as there is today: users
pick and display idiot pw's, and system (often) have bad security
measures in place which don't really work.
LastPass is likely an up-front honest entity, but that isn't the reason
why they shouldn't be used. Trusting another entity with your pw
increases the attack surface of the product you are testing. As
good as LastPass is, your are now trusting them to be really secure.
That they throw away the string you enter is good, but that means
that vandals know just where to look if they were trying to break
This is a philosophical thing. Minimizing the places on the net that
have pw's is a good thing.