Transcript
Let’s Talk About LastPass
Let’s talk about LastPass’s most recent problem, shall we? Hi everyone! I’m Leo Notenboom for askleo.com. In recent weeks, I think it was actually the 31st of March, it was announced that vulnerabilities had been discovered in LastPass, specifically in the Chrome extension, if I’m not mistaken, but that’s actually pretty much irrelevant at this point.
The vulnerabilities allowed, potentially allowed, someone to get hacked information in your LastPass vault. It required that you actually visit a malicious site, have malware installed on your machine or visit a site that in turn itself had been infected with some kind of malicious adware so it’s not something that just happened out of the blue, it’s something that actually required that an attacker lure you to a malicious website and at which point they could try to take advantage of this vulnerability in LastPass.
It was a security researcher at Google who actually discovered this; he actually discovered a, I’ll call it a series of issues, a series of vulnerabilities with respect to LastPass. The story, as I understand it is he actually discovered these or thought about these things in the shower. I don’t know what it is about showers but a lot of good ideas seem to happen there.
At any rate, he did the right thing. He did what we call “responsible disclosure”. He let LastPass know of the details of the vulnerabilities that he had discovered and actually included his proof of concept code in that disclosure to LastPass. Conversely, LastPass did the right thing. They accepted that report, that responsible disclosure, and they then went to work on confirming the vulnerability and then moving on to fix it.
LastPass has been fixed. It’s been updated. Chances are you’re already running the updated version of it if you’ve allowed it to do its normal automatic updating as most of us recommend you do. The version number, I believe, you want to look for is 4.1.45 or better. I believe there’s some documentation that says for 4 or better but I just happened to look at my own version number and I’m at 4.1.45.
Now, as always, some people freak out. They get very concerned that, “Oh my gosh, there’s a vulnerability in LastPass. The world is coming to an end. All our passwords are going to get stolen, yada, yada.” Well, a couple of interesting points about that: A) That hasn’t happened. It hasn’t happened this time and in fact, it hasn’t happened ever to our knowledge. LastPass hasn’t been hacked. LastPass, to my knowledge, has never been hacked. Every report that I’ve read that claims that they have been turns out to be something completely unrelated to an actual breach, and this particular vulnerability turns out never to have been exploited in the wild.
So what that means is that, yeah, there was a problem. Yeah, it’s been fixed. Everything that is supposed to have happened in these circumstances has happened. LastPass continues to be safe to use and as you might expect, I continue to use it myself. I have a lot of information in LastPass and I continue to trust it with that information for a variety of reasons, which I’ll explore in just a second.
The bottom line, of course, is that all software has bugs. Every single piece of software that you’re using today has a bug in it somewhere. Anybody that claims otherwise, either is lying because they have an agenda to promote or they just don’t understand software.
Software is, as I’m sure you can understand, incredibly complex and it’s been proven a number of different ways that there’s no way to prove that your software doesn’t have a bug. The reality of the situation is that software, all software is created by humans and humans are fallible and sometimes that fallibility makes its way into the code. That’s just the reality of the situation.
Similarly, knowing this, all software vendors perform some level of testing and checking and making sure that what they have created is as correct, as secure in this case, as is possible for them to know. As a result though, sometimes bugs still come through. What matters then is what happens when those bugs are found, when those bugs are reported. That’s in a way, the essence of responsible disclosure.
It makes the assumption that, I as a security tester, maybe have found something. I’m going to tell you, the software provider, about the problem I found in your software and give you a certain amount of time to fix it before I go public. LastPass jumped on it right away. I mean they fixed it within days and my understanding was it was no small fix.
Where I feel badly about this scenario is when there are other vendors that get this responsible disclosure and ignore it or don’t do anything about it in the timeframe that they are told about beforehand. We have definitely seen Microsoft, for example, get told of critical vulnerabilities in Internet Explorer and then ignore it for the three months that they were given to fix the problem only to fix it at the last moment after the bug, the vulnerability had been made public and in detail.
So, that’s the other end of the spectrum. LastPass, like I said, the folks that make it acted quickly and responsibly to take care of this problem before it became public knowledge. To be clear, they acknowledged receipt of the report from the security researcher. They duplicated the bug, reproduced it themselves. They were able to understand that in fact it was a vulnerability. They acknowledged that to the researcher again (I believe). They then went to work fixing it. While they did that, they were public about there having been a vulnerability discovered.
They did not detail what the vulnerability was but they did not attempt to hide the fact. They fixed the problem quickly and they updated the problem. They updated their software, again, as quickly as they could. It was, like I said, a lot of work. They then pushed the updated software to everyone that is using LastPass. Again, assuming you have connectivity and automatic updates of some sort enabled for LastPass, you should already be running the fixed software.
But more importantly, and to me, I think more responsibly, is that after everything was said and done, LastPass then said, ok, here’s the problem. Here’s what we discovered. Here’s our post mortem on the entire scenario. Here’s what was discovered. Here’s how it was exploited. Here’s what was wrong and here’s how we fixed it.
That to me, that level of transparency about how they do their software and what’s going on, to me is awesome. It really is. I mean, that’s the kind of stuff that I wish other vendors, like say Microsoft or Apple or any of the others would actually aspire to. It’s the kind of responsible reporting that I actually really appreciate out of major software vendors, especially for something as important as LastPass and LastPass’s password vault.
So there are two issues that I want to address here and the reason I’m actually coming to you on video today. One is, like I said, I really appreciate the reaction of LastPass to this particular problem. These kinds of problems are going to happen. They’re going to happen in any software. Every piece has a bug in it and chances are for something as important as security software, yeah, there’s going to be something that may turn out to be a security vulnerability.
They acted in exactly the right manner when that bug was reported. This actually gives me greater confidence in LastPass – not less. The fact that they had a bug, to me, is inevitable. The fact that they handled it as well as they did is where it makes all the difference in the world. So, like I said, I feel more confident using LastPass after this scenario than I did before.
Now, not everybody feels that way. I get it. Software is kind of magical. Security software is really important. If you feel that you need to switch to a different password vault then fine. There are plenty of good ones out there. KeePass, RoboForm, 1Password … there’s a bunch of others. They’re all fundamentally very good, but like I said, I have lost no confidence in LastPass. In fact, my confidence has only gotten better.
The other reaction we get is, “Oh my god, password vaults are evil” because people can get at your stuff. Again, to me that is a severe over-reaction. In my opinion, using a password vault, any of the currently secure, reputable, good password vaults like LastPass, is ultimately more secure than every other alternative. I really don’t care what alternatives you might come up with. If you’ve got an algorithm, if you’ve got a piece of paper, if you’ve got something stored in a safe somewhere, LastPass and password vaults like it allow you to do two incredibly important things.
One is, they let you use truly random, complex, hard-to-guess, long passwords and they let you use a different one on every site you visit. Every site on which you have an account. Those two characteristics of passwords are only more and more important as the world gets smarter, as more accounts happen, as hackers get more prolific.
Password vaults make it easy to do the right thing when it comes to password length, password complexity and password diversity. To me, that is significantly more important and taking it easy on those three issues actually puts you at significantly greater risk, in my opinion, than does using a good password vault.
So, that’s where I’m at. I’m still using LastPass. I’m going to keep on using LastPass until something more significant, I mean if they really do drop the ball someday, I’ll be here to tell you that I’m ready to go but I’m not. LastPass did the right thing. Password vaults are still more secure than the alternatives and that’s where I’m at. Where are you at? Let me know in the comments down below.
As always with my videos, this video will be on askleo.com. Here’s a link to it. You’ll find it out there, that’s where all the comments are read, all the comments are moderated to keep the YouTube trolls out and I’d love to hear what you have to say. Until next time, I’m Leo Notenboom for askleo.com. Remember, have fun, stay safe and yeah, don’t forget to back up. Take care.
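The transcript names three password properties a vault makes easy: length, complexity and diversity (a different password per site). The following is an added example, not code from the video or from LastPass, showing what each property means in practice: a generator that draws from the operating system’s cryptographic random source, an entropy estimate that lets you compare a short complex password with a longer simple one, and a check for the same password being reused across entries of a small constructed vault. The site names and the reused password are constructed sample data.

```python
import math
import secrets
import string

# Alphabet for generated passwords: 52 letters + 10 digits + 32 symbols = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=24, alphabet=ALPHABET):
    """Return `length` characters drawn uniformly at random from `alphabet`.

    `secrets` uses the OS CSPRNG; `random.choice` is not suitable for secrets.
    """
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need length >= 1 and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Guessing entropy of a uniformly random password: log2(alphabet_size ** length).

    Length multiplies the bits, alphabet size only adds log2 per character,
    which is why a longer simple password can beat a shorter complex one.
    """
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault):
    """Given {site: password}, return {password: [sites]} for every password
    that appears on more than one site (the 'diversity' property)."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def build_vault(sites, length=24):
    """Give every site its own freshly generated password."""
    return {site: generate_password(length) for site in sites}


# Constructed sample vault: two sites share a weak password, one does not.
SAMPLE_VAULT = {
    "shop.example": "hunter2",
    "mail.example": "hunter2",
    "bank.example": "k9$Q2v!mR7#pLx0z",
}

if __name__ == "__main__":
    print("8 lowercase letters:", round(entropy_bits(8, 26), 1), "bits")
    print("12 from 94 symbols: ", round(entropy_bits(12, 94), 1), "bits")
    print("20 lowercase letters:", round(entropy_bits(20, 26), 1), "bits")
    print("reused in sample vault:", find_reused_passwords(SAMPLE_VAULT))
    print("reused in generated vault:", find_reused_passwords(build_vault(SAMPLE_VAULT)))
```

The entropy figures are for passwords chosen uniformly at random; a human-chosen password of the same length and character classes is far weaker because it is not uniform, which is the reason the transcript stresses letting the vault generate them.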
I downloaded the newest version. First thing I noticed was the new interface. It sucks compared to the old one. It is not as intuitive as before. I also had problems with LP not signing in correctly and it is noticeably slower. While I appreciate them fixing under the hood, it doesn’t work or look as good as before.
Hi Leo. We have been using LastPass for several years now, well, ever since life got to be complicated because one needed to memorize so many passwords!
Thank you for your video. We were not aware of this vulnerability until I watched your video. We agree with you completely and remain confident with LastPass. In fact, it’s the only vault we’ve used.
About a month ago I changed my LP password and, horrors, forgot some of it! How could I retrieve my password? They did provide a way, through my cellphone!
Way to go, LP!
I like LastPass a lot, so thanks for the shout out for them. I also like what you shared about the importance of disclosure. I work in the medical device field and there is talk about the importance of disclosure of cybersecurity vulnerabilities (see new FDA Guidance on Post-Market Cybersecurity, specifically ISAOs) and I think what you have here shows the benefit, and I may share with others.
I agree, I think LastPass totally handled this bug very well. With over 350 passwords and secure notes in LastPass, all with unique passwords, I feel even safer now. I still have great faith in LastPass and will continue to recommend it to family and friends.
Leo,
Thank you very much for this video. I have been using LastPass for three years now and I love it. When I heard about this breach, I got worried but had faith that they would fix it fast and they did. Thanks for reassuring me that this is a wonderful, safe program in which to save passwords. I have about 100 different passwords and I am so happy to learn that LastPass is safe once more.
I have to say that I have been very frustrated with Lastpass’ ability to store multiple logins for the same site. In my experience, it is a hit or miss if it will work. I have more than one Amazon login stored but the only browser I can get that to work in is in Safari and for WordPress I have multiple logins and it fails miserably at allowing me to login with the stored information.
I have 25 WordPress logins. I’ve had problems when I had the link pointing to the comments page instead of the dashboard page.
I have many sites with multiple logins and they all work well. I’d have to know EXACTLY how things are failing for you.
After 20 years online I’ve found that few sites are worth registering for if you can view them otherwise, I don’t have to communicate through almost all of them and I have a small group of websites I call home.
Really, I have cats, and bicycles and stereo gear to keep running…and HOUSEWORK. I’m simply not about to die typing and I have no need of a cellphone. I DO have a small radio to listen to on my bike but I tend to ride without it.
The internet is not my job or my life, it’s a reference point.
Password Vaults:
I use an Excel spreadsheet. 3 columns: Account Name, User ID and Password.
I assign a password to the spreadsheet. I then copy it to a USB drive which is on my key chain with my house keys and car key. Always with me except when I’m sleeping.
Simple and FREE. What’s the danger I’m exposed to, if any?
Someone stealing the thumbdrive and cracking Excel’s encryption. Depending on the version of Excel, that could be easy or hard.
Also, potential remnants in Windows temporary files and the paging file as you open the spreadsheet.
No mp3 version of the video?
Huh. Not sure what happened to it. I’ll get right on that :-).
Leo, Thanks for Heads Up on Excel approach and possible danger
When I need to provide a password for a site, I have it generated by a program that makes a password of 40 characters long, chosen from a set of 200 different ones. I have Lastpass to remember it. Problem is that most sites don’t tell you the conditions they have for new passwords.
On my iPad, the current version is 4.1.8. I can’t see 4.1.45.
I believe this is a chrome-only issue and doesn’t apply to iPad.
I use Lastpass and Dashlane simultaneously in case something should happen to one, I’ve still got the other.
I’ve been using LastPass for almost 10 years. I didn’t know about this incident until I got your email and I thank you for that. This incident will not change my mind to stop using it, for now. Like you said, no software is 100% secure. Windows, Apple and Linux OS, they all are not 100% secure either and we still use them. I don’t use it every day and when I do, I only use it for the sites that are saved in the vault.
Thank you Leo for explaining about Last Pass and the recent ‘bug’, which I had not heard about. It is reassuring, however, to have it confirmed by a respected expert as yourself, that there is nothing to worry about, because of their impressive response. I am sure my Computer magazine ( which I shall not name) will love splashing an eye-catching headline about this LP bug on the cover of its next edition to capitalise! I shall continue to feel confident with Last Pass. Thanks.
I read about the incident last week on a forum, but I didn’t panic. As far as I remember, in one of your past newsletter articles, you asked the question about what keeps one sleeping at night — I don’t remember exactly how the question was formulated — and I had to bring up LastPass as an example. I did say that I use LastPass (which I am still using, by the way) but I will never let it remember any password regarding my financial institutions, videlicet: two bank accounts and PayPal; and that was exactly in reference to the subject at hand.
Like you, Leo, I trust LastPass and I will keep using it for the foreseeable future until they drop the ball as you put it. Thanks for the reassurance you gave in your video. It’s really comforting.
Hi Leo,
After reading the transcript of your video, “Let’s talk about LastPass”, I listened to the video – because of an obvious error in the transcript:
The key word “don’t” is missing in the transcript, which garbles the last sentence in the below excerpt.
“The bottom line, of course, is that all software has bugs. Every single piece of software that you’re using today has a bug in it somewhere. Anybody that claims otherwise, either is lying because they have an agenda to promote or they just understand software.”
Whatever program was used for this translation from Video to Text should be upgraded* to maintain the excellent quality of everything you generate.
Regards,
and many thanks for Ask Leo!
Peter
Thanks for pointing out the typing mistake. We fixed it. …And the program used for the translation is a person. She’s pretty smart and has all her latest upgrades installed, so no updates needed! (Meant to be funny.)
Hi Leo,
The past two or three LastPass vulnerabilities that happened over the last 3 yrs or so I only found out about through “Ask Leo”. I think LastPass should somehow have an alert to all users about previous vulnerabilities and their fixes. Would this be feasible? What do you think?
Only if there’s something I need to DO, do I want them to broadcast anything. (And they’ve done this once – and while it wasn’t something everyone NEEDED to do, it was out of a sense of extra precaution relating to the specific problem at the time.)
In this case there actually was nothing to do, as Lastpass updates itself as needed.
Aside from that as long as they keep documenting things on their blog, I’m happy.
The problem with LastPass… Apparently… It used to be 12 bucks… Reasonable… but log in and now it’s 2 bucks a month. I used to use the free version of RoboForm. Then… After learning it well… And pretty happy with it…. They started to take away features that made it great. So I started paying… then they upped the price… I fear this is what is going to happen with LastPass and they already upped the price by 100%!
Look, I know companies need to make money but… I feel two bucks really isn’t worth it. and… like I said, it’s just a matter of time before they start cranking that up… so… Best bet? Use KeePass — open source. Can’t go wrong … a bit of a learning curve but…. at least you know you won’t get ripped off in the end and gotta start all over again.
Would be nice, if google had an extension (free) you just donate what you want, kinda like adblock.. If you really love it, donate more or hate it… don’t donate anything.
FWIW the free version is enough for most people, and even so $2/mo is totally worth it, in my opinion.
I used to pay the $12 because it included a LastPass browser for Android. Now the free version includes the browser and none of the additional features are anything I’d use.
Two questions:
1. In the last week, every time I open LastPass.com I get a message in the tab bar that says “(1) Ruben sent a message” and the word “vault” shows up also.
Screenshot of message in tab:
https://docs.google.com/document/d/1AQF8moJ6B1sbqb_bVxx-vBnKks2oJdiJl02yrGxuKhM/edit?usp=sharing
Any suggestions? Thanks.
2. Leo, you mentioned in your LastPass security breach video that, among browsers, Chrome has the most problems handling LastPass. How about browsers _based_ on chrome?
1) “Vault” makes sense because when you login to LastPass it opens your password vault. Mine says “My LastPass Vault” when I open the web version. I have NO idea why the other stuff would appear unless there’s a misbehaving extension somewhere. It kinda feels like a chat session left-over if you’ve ever used chat-based support.
2) There’s really no way to say for certain. For the most part I’d expect them to be the same or similar, but it really depends on what changes they’ve made to differentiate it from Chrome itself.
Any information on the “(1) Ruben sent a message” that alternates with “#1 Password Manager, Vault & Digital Wallet app | LastPass”?
I am getting the same “Ruben” message. I also can’t log in. I get NET::ERR_CERT_COMMON_NAME_INVALID
I have cleaned browsing data, etc. run malware cleaner, av.
I deleted the Chrome extension but I can’t get to LastPass to download it again. I’m getting the same thing on multiple computers on multiple networks.
I just noticed a small “chat” popup in lower right corner of the screen. It says “Hi! I’m Ruben. Questions?”
Perhaps that is our “Mystery Tab Stalker.”
Thank you! That’s what allowed me to duplicate this:
This is, indeed, a side-effect of the chat-based support that LastPass offers on their web page before you login:
I say “before you login” because, for me at least, it goes away after I login to my LastPass account. It’s possible that depending on the browser you’re using and perhaps even the timing of things it might persist after login, but that, at least, is the source.
I’ve been using LastPass for 3 years after your recommendation and loved it. Until 2 weeks ago. Now, every time I get on a site that’s in my LastPass vault, LP keeps asking if I want to add the address and/or if I want to add the site to LP. Even when I go to the page of a website, it asks to add the address or add to LastPass. The sites are already saved in LP. Over and over and over. I’ve changed settings to Don’t overwrite fields that are already filled, emptied my cache, rebooted, but all to no avail. Help.
This can happen if the site you’re visiting starts using a different final URL when you’re signing in. For example outlook.com will take you to live.microsoft.com (or something like that). So what gets saved is the latter. If that ever changes (as it has) then LastPass doesn’t realize it’s the same site. I just let it save again.
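The reply above explains the re-prompting as a site-matching problem: the vault stores the URL where the sign-in actually finished, and if that final host later changes the saved entry no longer matches. The following is an added example, not LastPass code and not the commenter’s, of the kind of host comparison a password manager performs. It matches on the registrable domain (so `www.example.com` and `login.example.com` count as the same site) and treats a move to a different domain as a mismatch, which is the case the reply describes. The sample vault entries and the `live.microsoft.com` host are taken from the reply’s own illustration, which it gives only as “or something like that”; the two-label suffix set is a stand-in for the Public Suffix List a real implementation would use.

```python
from urllib.parse import urlsplit

# Toy stand-in for the Public Suffix List: suffixes under which the registrable
# domain has three labels rather than two. A real manager must use the full list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url):
    """Return the registrable domain of `url` (e.g. 'example.co.uk' for
    'https://login.example.co.uk/path'). Raises ValueError if there is no host."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def same_site(saved_url, current_url):
    """True when both URLs belong to the same registrable domain.
    Scheme, path and query are deliberately ignored; the host decides."""
    return registrable_domain(saved_url) == registrable_domain(current_url)


def matching_entries(vault, current_url):
    """Return the vault entries (dicts with a 'url' key) that match the page
    being visited. An empty result is exactly the situation in which a
    manager offers to save a 'new' site."""
    return [entry for entry in vault if same_site(entry["url"], current_url)]


# Constructed sample vault. The first entry was saved when sign-in finished on
# outlook.com; the reply's scenario is that sign-in now ends on a different host.
SAMPLE_VAULT = [
    {"name": "Outlook", "url": "https://outlook.com/owa/", "username": "user@example"},
    {"name": "Blog admin", "url": "https://blog.example.co.uk/wp-login.php", "username": "editor"},
]

if __name__ == "__main__":
    for page in ("https://www.outlook.com/mail/", "https://live.microsoft.com/login",
                 "https://blog.example.co.uk/wp-admin/"):
        names = [e["name"] for e in matching_entries(SAMPLE_VAULT, page)]
        print(page, "->", names or "no match, manager would offer to save")
```

Matching on the registrable domain rather than the full host is a deliberate trade-off: loose enough that a path or subdomain change does not trigger a re-save, strict enough that a different domain never receives the stored credentials.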