
Password managers are great, at least on paper. Unfortunately, things can go wrong from time to time, as LastPass is currently finding out. Having survived one security scare a couple of weeks ago, LastPass is now in the middle of another one, and this one looks a whole lot trickier to fix.

Google security researcher Tavis Ormandy recently discovered a LastPass vulnerability. He promptly informed LastPass of the problem, and the company is already working on a fix. However, users are intentionally being kept in the dark about the details, for obvious reasons. So, should you be worried?

Google Zero Finds LastPass Wanting

On Saturday (March 25), Ormandy, who works for Google’s Project Zero, tweeted that he’d discovered a client-side vulnerability in the LastPass browser extension. He obviously didn’t divulge the details, instead notifying the company of the issue and giving LastPass the standard 90 days to fix it.

On Monday (March 27), LastPass published a blog post acknowledging the problem, revealing that “this attack is unique and highly sophisticated”. LastPass obviously isn’t revealing the nature of the problem, but promises that it’s now “actively addressing the vulnerability”.

In the meantime, LastPass suggests users launch websites directly from the LastPass vault, enable two-factor authentication anywhere and everywhere, and be extra vigilant against phishing attacks. This is all good advice, but there is always the option to stop using LastPass altogether.

If you’re using LastPass you should, at the very least, change the way you’re using it in the ways LastPass itself recommends. And, given the nature of this vulnerability, you may want to stop using LastPass altogether until the fix is in. There are, after all, plenty of LastPass alternatives.

LastPass Scares Easily

As previously mentioned, this is the second security scare in as many weeks, which should worry the average LastPass user. The previous vulnerabilities were quickly patched, but, according to Ormandy, this one is “a major architectural problem”, which means it will take rather longer to fix.

Do you use LastPass? Are you worried about this vulnerability? Are you going to follow the advice of LastPass? Or stop using the browser extension altogether? How do you feel about password managers in general? Please let us know in the comments below!


  1. dextroz
    April 4, 2017 at 10:18 am

    What an irresponsible article written by someone who has no clue about security by suggesting that LastPass users do something that will completely jeopardize their online accounts.

  2. dextroz
    April 4, 2017 at 10:17 am

    What an irresponsible article with the message from someone who has no clue about security and mitigating risks.

  3. Robert
    April 2, 2017 at 9:03 pm

    About a month ago, when I tried to log in to LastPass, I got the message that I had entered the wrong vault password - but I can assure you that neither I nor my cat has changed it. Of course I have a good antivirus program and a good firewall (Norton Internet Security) which is always updated, and I didn't leave "the door open", i.e. I logged out from LastPass when I didn't use it.

    As a result I got a lot of fake bills - we're talking about thousands and thousands of dollars... Obviously, it was too late to contact my banks, credit card companies, PayPal etc. as soon as I found out what had happened.

    Moreover, I, of course, lost most of my passwords, including those I knew by heart, and all files on OneDrive and Google Drive are gone (Microsoft and Google were very unwilling to help me, but they informed me that I had zero files on their "secure", costly cloud storage solutions). Before, I had my precious family photos, family videos and a lot of very important documents there, including a book, which I fortunately at least partly have on paper.

    I thought it was secure enough to use LastPass and have two sets of backups (one on OneDrive and one on Google Drive), but obviously I was wrong... By the way, I DID have 2FA when logging in to Google mail, but that didn't help. I won't bore you by explaining why.

    When I contacted LastPass, they in a rude manner "taught" me that I hadn't experienced what I had in fact experienced, since it is "impossible", and their "help" consisted in giving me the clue to the main password to LastPass - i.e. the password which I explained to them isn't valid anymore...

    Does anyone have some advice? What should I do? I haven't slept properly since this began, and I have no idea how to proceed. I mean, I can't PROVE that I didn't forget the main password, delete all my stuff on OneDrive and Google Drive, and so on.

    I would be extremely grateful if you would give me just a little piece of advice. By the way, I live in Europe, in Sweden, which maybe makes it even harder to deal with LastPass (and, together with the stress, anxiety and lack of sleep, explains my bad English. Please excuse me.) Thank you SO much in advance!

  4. Geoff
    March 30, 2017 at 7:23 am

    All programs have security vulnerabilities. The important thing is how the vendor responds when they are discovered. LastPass has a track record of responding positively and quickly, fixing the holes and being honest about the problems.

    If you use any software (other password managers or anything else) and you don't hear about security issues from time to time, there are two possibilities: either the vulnerabilities are there but the vendor doesn't know about them, or the vulnerabilities are there but the vendor is not being honest about them.

    I'm pretty comfortable sticking with LastPass. Changing to another password manager would be a massive hassle *and probably wouldn't be any more secure*, and switching to no password manager would be even worse.

  5. Tuanta
    March 30, 2017 at 4:34 am

    It's pretty simple. Don't leave yourself logged into LastPass. Log in when you need to access a site, then log out. You wouldn't leave the front door to your home open while you're home... But sure, sensationalize the issue for ratings, everyone else does. Drama>Facts

  6. Warren
    March 30, 2017 at 1:21 am

    Dumped LastPass and went to KeePass.

  7. Federico Guzmán
    March 29, 2017 at 9:44 pm

    I got 3 e-mails today from LastPass letting me know that someone logged into my account from 3 different locations in Russia. The thing is that I don't actually see that activity in LastPass' log. Either way I enabled 2-Factor through Google Authenticator, but something is happening over there, I think...

  8. David Lemler
    March 29, 2017 at 9:32 pm

    I think I'll still keep using LastPass. I usually am very careful about what files I run, and I usually sign out (I'm pretty sure this vulnerability wouldn't affect when you're signed out) when I'm going to be away.

  9. carnufex
    March 29, 2017 at 5:01 pm

    I ditched LastPass after the last issue. I am none the worse, as I use my phone's password manager and 2FA. I think I will keep it out of my browser, especially since privacy, in the US, is nonexistent.

  10. Zeke
    March 29, 2017 at 4:45 pm

    Easier said than done to just stop using Lastpass altogether.

    Do they really expect users to launch every major website they have a password for on LastPass, every day, indefinitely?

    Seems like they've had a few of these over just the past few years though.

  11. Colin
    March 29, 2017 at 3:26 pm

    Can anybody tell if this is a problem with Lastpass on Windows, or are other OSs involved?

  12. RoyDG
    March 29, 2017 at 2:50 pm

    It's been a year since I found LastPass.
    I only used it with my Android device.
    I will be keeping in touch for further news and info.

  13. DontIUnderstand
    March 29, 2017 at 2:19 pm

    You should never reduce ALL of your passwords to ONE...
    So there would never be sense in using a password manager.

    • m-p{3}
      March 29, 2017 at 3:04 pm

      Security is about balancing security and convenience and mitigating the risks of that decision.

      A password manager isn't bulletproof, but it's already miles ahead of what the average user does: reusing the same passwords on multiple websites.

      Until 2FA is ubiquitous, this is the best we currently have to secure our digital lives.

    • Toni Peji?
      March 29, 2017 at 3:39 pm

      Sure, but nobody will create and remember over 100 different and complex passwords. Without a password manager, people usually reuse passwords, which is a lot more unsafe.

    • carnufex
      March 29, 2017 at 5:03 pm

      What's your email address? chuckle