New LastPass Bugs Could Have Been Used To Steal Users' Passwords

[Lucian Armasu]

Tavis Ormandy, a security researcher from Google's Project Zero, found a new LastPass extension vulnerability that could have allowed attackers to steal users' passwords. A second vulnerability was later reported for the Firefox extension.

New LastPass Bugs Could Have Been Used To Steal Users' Passwords : Read more

 

[Dark Lord of Tech]

Tried it once , wasn't impressed.

 

[AC____]

That's why I switched to Enpass, much much safer.

 

[velocityg4]

You want a bigger bug I've mentioned to them. By default the password manager stays signed in. Rather than automatically signing out after inactivity or closing the web browser.

For the average user this negates much of the security as anyone who has access to the computer has access to the passwords. Sure you can say that they can change the settings. The average user won't think to do that. Just getting them to use it successfully is a feat.

There is a huge gulf between people that understand tech and those that don't. Most tech companies don't grasp this. What seems like a very simple concept to a technically minded person is fraught with complexity for those whom don't get it.

Leaving a huge hole in the security like this and giving them the option to fix it themselves means it will never be fixed. They may as well just leave a piece of paper taped to their wall with a list of passwords. Which I see a lot.

 

[therealduckofdeath]

By default, LastPass does not stay signed in. In fact, LastPass gives you a double pop-up "are you sure you want to do this?" question when you tick the "always signed in" box.
I've used LastPass Premium for a couple years now, and it is a really stable and truly platform agnostic service. It works as good on my Android as it does on my desktop and my Microsoft Surface. They have also been really quick with fixing issues reported, like the one in the article above.

 

[ddpruitt]

Been using LastPass for a few years. Tried KeePass but it won't do the job, I need to be able to sync across devices and LastPass does that without the extra hassle of needing to login to one app to sync keyfiles, open the updated keyfile and then finally loggin.

They're also probed regularly and have a fast security fix response time.

 

[alextheblue]

That's why I switched to Enpass, much much safer.

This black box is more secure than this other black box! Because they told me it was.

 

[dE_logics]

How 'bout you just encrypt your password file or sheet in openssl?