LastPass is still secure.
Should you stop using it? No. In fact, let me be a little more clear: Hell No! Keep using LastPass.
I remain a strong believer in LastPass. The recently disclosed vulnerabilities – which indeed have been fixed – only affected a small percentage of users. Furthermore, there’s absolutely no evidence that the vulnerabilities were ever actually used to compromise anything.
Rather than say nothing at all, LastPass chose to be open about the discovery. I don’t want panicked over-reaction to punish them for doing the right thing.
The vulnerabilities
There were two vulnerabilities reported by a researcher to LastPass last August. LastPass immediately fixed them.
The first was an issue with LastPass “bookmarklets” – a feature used by less than 1% of users, according to LastPass. I had to look up exactly what they were, as I’m one of the 99%. You can read more about them here, but the important take-away is that if you don’t even know what they are, then you probably haven’t been using them, and you haven’t been vulnerable.
The second vulnerability was related to One Time Passwords (OTPs). To be exploited, the attacker would have had to know your LastPass username, and you would have had to have visited a web page specifically designed to exploit this vulnerability. According to LastPass, “Even if this was exploited, the attacker would still not have the key to decrypt user data”.
And again, there’s no evidence – none whatsoever – that either of these vulnerabilities was ever actually exploited in the wild.
Disclosing vulnerabilities
In my opinion, LastPass did exactly the right thing by disclosing that these issues had existed, and had been fixed.
My concern is that too many people will focus on the vulnerabilities over the actions taken by LastPass in light of their discovery.
In my opinion LastPass did everything right:
- They listened to the input from the researcher who discovered the issue.
- They resolved the issues immediately.
- They disclosed publicly that there had been issues.
They even waited to disclose the vulnerabilities until after the researcher had published his own work.
But … but … they had a vulnerability!
Yes they did.
I’ve said it before and I’ll say it again: all software has bugs. No exceptions.
There are two things that matter when it comes to software defects:
- the impact of the defect
- the response once the defect is discovered
In this case the impact of the vulnerabilities appears to be extremely limited: nonexistent in the real world, and very limited in application.
The response to their discovery, as I said, was appropriate: the issues were quickly acknowledged, fixed, and eventually even publicised.
The hypocrisy of wanting openness
On one hand many companies take heat, and often a lot of it, for being secretive about their software – what they fix and what was broken that required a fix.
On the other hand, when companies like LastPass are open about exactly those kinds of issues, they get punished for it as well. (A previous example: no, they were not hacked some years ago, and yet I still hear from people who are convinced they were – simply because they erred on the side of caution in disclosing something they observed.)
It frustrates me, because you can’t have it both ways. That’s a classic definition of hypocrisy.
I much prefer the LastPass approach.
I wish more companies were as open.
I continue to use LastPass. I see absolutely no reason to abandon it.
I was a devoted LastPass user starting in 2009 (switched to 1Password this year), and I agree that there is no cause for alarm. I disagree, though, that it was somehow an act of openness for LastPass to wait 10 months for the researchers to disclose their findings before making this announcement. LastPass should have announced this once they fixed the vulnerabilities. I was a heavy user of the bookmarklets (it’s what I miss the most in 1Password), and I would have wanted to know immediately.
Actually, I feel LastPass needs to be more open. How is it possible to make informed decisions about the relative risk of using LastPass vs some other password management method unless they are more transparent about their security audit processes? We all know that all software has bugs, and it is almost inevitable that critical vulnerabilities will continue to be uncovered in tools like LastPass. But LastPass is trying to be the proverbial basket that holds all your eggs. They need to find a better way of mitigating this enormous risk than by taking the standard web application security measures. One obvious solution is to be not only highly proactive with their security auditing, but also highly transparent about it. Open code is only one piece of the puzzle. I made comments to this effect in their blog post about this vulnerability, maybe they will leave a substantive answer: http://blog.lastpass.com/2014/07/a-note-from-lastpass.html?showComment=1405621209544#c1603592554473250638
Since it appears that the data stolen was safely encrypted, this is more of a hypothetical question. If there really was a data breach, it seems to me that changing your LastPass password wouldn’t help. The hackers would have the database with all of your passwords encrypted with your old password. So, wouldn’t the only safe thing to do be to change all of your passwords?
As you say, and I have to emphasize: this did not happen. We’re totally hypothetical here.
IF they stole the actual database of passwords, then they would have to crack the encryption. Even having the hash of my master password (which is all they could get) would not be enough to gain entrance – it’s still a brute force attempt to crack the encryption used on the password database. It’s probably easier for them to steal that data from your machine than it is from LastPass’s master servers. This is why I like LastPass so much – there’s nothing on their servers that gives anyone a free pass into my information – it all still comes back to very strong encryption done properly.
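The reply above describes the design that makes a server-side breach survivable: the vault is encrypted with a key derived on the client from the master password, and the server only ever holds a one-way hash for login. The following is an added illustration, not LastPass’s code or a description of its actual implementation: it assumes a PBKDF2 key-derivation scheme with a two-stage derivation (vault key, then a separate authentication hash), an account e-mail used as salt, and constructed sample values; the iteration counts are chosen for a quick demo rather than production use.

```python
import hashlib
import hmac
import os
import time

# Constructed demo iteration count; a production client would use far more.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Client-side only: stretch the master password into the vault encryption key.

    The (lowercased) account e-mail is the salt, so two users sharing a password
    still get different keys. This key never leaves the client.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra one-way step yields the value the client sends for login.

    Holding this hash does not give back vault_key: PBKDF2 is not invertible,
    so the server (or someone who stole its database) cannot decrypt the vault.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def server_store(auth_hash: bytes) -> dict:
    """What the server keeps: a freshly salted hash of the auth hash, nothing else."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 10_000, dklen=32)
    return {"salt": salt, "verifier": verifier}


def server_login_ok(record: dict, presented_auth_hash: bytes) -> bool:
    """Server-side check: recompute the verifier and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", presented_auth_hash, record["salt"], 10_000, dklen=32)
    return hmac.compare_digest(candidate, record["verifier"])


def offline_guess_cost(email: str, iterations: int = ITERATIONS, guesses: int = 3) -> float:
    """Seconds per candidate master password for someone holding only server data.

    Every guess must repeat the full client-side derivation, which is why the
    iteration count (and master-password strength) decides how safe a stolen
    database is. Defenders use this number to pick an iteration count.
    """
    start = time.perf_counter()
    for i in range(guesses):
        derive_vault_key(f"constructed-guess-{i}", email, iterations)
    return (time.perf_counter() - start) / guesses


if __name__ == "__main__":
    # Constructed sample credentials.
    email, master = "user@example.com", "correct horse battery staple"
    vault_key = derive_vault_key(master, email)
    record = server_store(derive_auth_hash(vault_key, master))
    print("login with right password:", server_login_ok(record, derive_auth_hash(vault_key, master)))
    wrong_key = derive_vault_key("wrong password", email)
    print("login with wrong password:", server_login_ok(record, derive_auth_hash(wrong_key, "wrong password")))
    print(f"cost per offline guess: {offline_guess_cost(email):.4f} s")
```

The point the reply makes is visible in the split: `derive_vault_key` runs only on the client, while `server_store` keeps a hash of a hash. Changing the master password after a database theft does not help for the copy already taken, which is why the choice of iteration count and a strong master password matter before any breach happens.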
What about now that several more vulnerabilities have been uncovered? I have seen many articles saying that LastPass should be dumped in favor of 1Password. I just don’t know who to believe or what to do anymore.
All software has vulnerabilities. If discovered vulnerabilities were a good reason to stop using a piece of software, you’d have to stop using your computer and go back to using a basic cell phone. Microsoft is constantly patching Windows vulnerabilities. Most browser and Adobe Flash updates also address vulnerabilities. The fact that LastPass addresses them quickly and honestly notifies the public about it is a plus, not a minus.
I understand that all software has issues. My concern was to do with what some commentators such as Wladimir Palant (who I realize is not a security expert) said, which was that LastPass really should have found these issues on their own. That’s my concern: That LastPass doesn’t care until someone finds a vulnerability.
Thank you for the message.
And remember that you vote with your money. If everyone insists on free software all the time then the quality of offerings will be low. It takes money and time to produce and maintain good software. Paying a fair price keeps the good guys in business.
I have been paying for LastPass Premium since at least 2009.
I don’t know that commentator, but I’ve seen a lot of sensationalism about program threats. Sensationalism, unfortunately, boosts readership. This isn’t only true about computer threats, it’s the way journalism is going nowadays.
https://askleo.com/how-the-internet-is-breaking-journalism-and-what-it-means-to-you/
I’ll put it this way: I’m still using LastPass. They’ve responded well and responsibly to the various reports.