LastPass is still secure.
Should you stop using it? No. In fact, let me be a little more clear: Hell No! Keep using LastPass.
I remain a strong believer in LastPass. The recently disclosed vulnerabilities – which indeed have been fixed – only affected a small percentage of users. Furthermore, there’s absolutely no evidence that the vulnerabilities were ever actually used to compromise anything.
Rather than say nothing at all, LastPass chose to be open about the discovery. I don’t want panicked over-reaction to punish them for doing the right thing.
There were two vulnerabilities reported by a researcher to LastPass last August. LastPass immediately fixed them.
The first was an issue with LastPass “bookmarklets” – a feature used by less than 1% of users, according to LastPass. I had to look up exactly what they were, as I’m one of the 99%. You can read more about them here, but the important take-away is that if you don’t even know what they are, then you probably haven’t been using them, and you haven’t been vulnerable.
The second vulnerability was related to One Time Passwords (OTPs). To be exploited, the attacker would have had to know your LastPass username, and you would have had to visit a web page specifically designed to exploit this vulnerability. According to LastPass, “Even if this was exploited, the attacker would still not have the key to decrypt user data”.
And again, there’s no evidence – none whatsoever – that either of these vulnerabilities was ever actually exploited in the wild.
In my opinion, LastPass did exactly the right thing by disclosing that these issues had existed, and had been fixed.
My concern is that too many people will focus on the vulnerabilities over the actions taken by LastPass in light of their discovery.
In my opinion, LastPass did everything right:
- They listened to the input from the researcher who discovered the issue.
- They resolved the issues immediately.
- They disclosed publicly that there had been issues.
They even waited to disclose the vulnerabilities until after the researcher had published his own work.
But … but … they had a vulnerability!
Yes they did.
I’ve said it before and I’ll say it again: all software has bugs. No exceptions.
There are two things that matter when it comes to software defects:
- the impact of the defect
- the response once the defect is discovered
In this case the impact of the vulnerabilities appears to be extremely limited: nonexistent in the real world, and very limited in application.
The response to their discovery, as I said, was appropriate: the issues were quickly acknowledged, fixed, and eventually even publicised.
The hypocrisy of wanting openness
On one hand many companies take heat, and often a lot of it, for being secretive about their software – what they fix and what was broken that required a fix.
On the other hand, when companies like LastPass are open about exactly those kinds of issues, they get punished for it as well. (A previous example: no, they were not hacked some years ago, and yet I still hear from people who are convinced they were – simply because they erred on the side of caution in disclosing something they observed.)
It frustrates me, because you can’t have it both ways. That’s a classic definition of hypocrisy.
I much prefer the LastPass approach.
I wish more companies were as open.
I continue to use LastPass. I see absolutely no reason to abandon it.