Let’s Talk About Lastpass
Let’s talk about Lastpass’ most recent problem, shall we? Hi everyone! I’m Leo Notenboom for askleo.com. In recent weeks, I think it was actually the 31st of March, it was announced that vulnerabilities had been discovered in Lastpass, specifically in the Chrome extension, if I’m not mistaken, but that’s actually pretty much irrelevant at this point.
The vulnerabilities potentially allowed someone to get at information in your Lastpass vault. It required that you actually visit a malicious site, have malware installed on your machine, or visit a site that had itself been infected with some kind of malicious adware. So it’s not something that just happened out of the blue; it’s something that actually required an attacker to lure you to a malicious website, at which point they could try to take advantage of this vulnerability in Lastpass.
It was a security researcher at Google who actually discovered this; he actually discovered a, I’ll call it a series of issues, a series of vulnerabilities with respect to Lastpass. The story, as I understand it, is he actually discovered these, or thought about these things, in the shower. I don’t know what it is about showers, but a lot of good ideas seem to happen there.
At any rate, he did the right thing. He did what we call “responsible disclosure”. He let Lastpass know the details of the vulnerabilities that he had discovered and actually included his proof-of-concept code in that disclosure to Lastpass. Conversely, Lastpass did the right thing. They accepted that report, that responsible disclosure, and they then went to work on confirming the vulnerability and then moving on to fix it.
Lastpass has been fixed. It’s been updated. Chances are you’re already running the updated version of it if you’ve allowed it to do its normal automatic updating, as most of us recommend you do. The version number, I believe, you want to look for is 4.1.45 or better. I believe there’s some documentation that says 4 or better, but I just happened to look at my own version number and I’m at 4.1.45.
Now, as always, some people freak out. They get very concerned that, “Oh my gosh, there’s a vulnerability in Lastpass. The world is coming to an end. All our passwords are going to get stolen, yada, yada.” Well, a couple of interesting points about that: A) That hasn’t happened. It hasn’t happened this time and in fact, it hasn’t happened ever to our knowledge. Lastpass hasn’t been hacked. Lastpass, to my knowledge, has never been hacked. Every report that I’ve read that claims that they have been turns out to be something completely unrelated to an actual breach, and this particular vulnerability turns out never to have been exploited in the wild.
So what that means is that, yeah, there was a problem. Yeah, it’s been fixed. Everything that is supposed to happen in these circumstances has happened. Lastpass continues to be safe to use and, as you might expect, I continue to use it myself. I have a lot of information in Lastpass and I continue to trust it with that information for a variety of reasons, which I’ll explore in just a second.
The bottom line, of course, is that all software has bugs. Every single piece of software that you’re using today has a bug in it somewhere. Anybody that claims otherwise either is lying because they have an agenda to promote or they just don’t understand software.
Software is, as I’m sure you can understand, incredibly complex, and it’s been proven a number of different ways that there’s no way to prove that your software doesn’t have a bug. The reality of the situation is that all software is created by humans, and humans are fallible, and sometimes that fallibility makes its way into the code. That’s just the reality of the situation.
Similarly, knowing this, all software vendors perform some level of testing and checking, making sure that what they have created is as correct, as secure in this case, as is possible for them to know. As a result, though, sometimes bugs still come through. What matters then is what happens when those bugs are found, when those bugs are reported. That’s, in a way, the essence of responsible disclosure.
It makes the assumption that I, as a security tester, may have found something. I’m going to tell you, the software provider, about the problem I found in your software and give you a certain amount of time to fix it before I go public. Lastpass jumped on it right away. I mean, they fixed it within days, and my understanding was it was no small fix.
Where I feel bad about this scenario is when there are other vendors that get this responsible disclosure and ignore it, or don’t do anything about it in the timeframe that they are told about beforehand. We have definitely seen Microsoft, for example, get told of critical vulnerabilities in Internet Explorer and then ignore it for the three months that they were given to fix the problem, only to fix it at the last moment after the bug, the vulnerability, had been made public and in detail.
So, that’s the other end of the spectrum. Lastpass, like I said, the folks that make it, acted quickly and responsibly to take care of this problem before it became public knowledge. To be clear, they acknowledged receipt of the report from the security researcher. They duplicated the bug, reproduced it themselves. They were able to understand that in fact it was a vulnerability. They acknowledged that to the researcher again (I believe). They then went to work fixing it. While they did that, they were public about there having been a vulnerability discovered.
They did not detail what the vulnerability was, but they did not attempt to hide the fact. They fixed the problem quickly and updated their software, again, as quickly as they could. It was, like I said, a lot of work. They then pushed the updated software to everyone that is using Lastpass. Again, assuming you have connectivity and automatic updates of some sort enabled for Lastpass, you should already be running the fixed software.
But more importantly, and to me, I think more responsibly, is that after everything was said and done, Lastpass then said, ok, here’s the problem. Here’s what we discovered. Here’s our post-mortem on the entire scenario. Here’s what was discovered. Here’s how it was exploited. Here’s what was wrong and here’s how we fixed it.
That, to me, that level of transparency about how they do their software and what’s going on, to me is awesome. It really is. I mean, that’s the kind of stuff that I wish other vendors, like, say, Microsoft or Apple or any of the others, would actually aspire to. It’s the kind of responsible reporting that I actually really appreciate out of major software vendors, especially for something as important as Lastpass and Lastpass’ password vault.
So there are two issues that I want to address here, and the reason I’m actually coming to you on video today. One is, like I said, I really appreciate the reaction of Lastpass to this particular problem. These kinds of problems are going to happen. They’re going to happen in any software. Every piece has a bug in it, and chances are, for something as important as security software, yeah, there’s going to be something that may turn out to be a security vulnerability.
They acted in exactly the right manner when that bug was reported. This actually gives me greater confidence in Lastpass – not less. The fact that they had a bug, to me, is inevitable. The fact that they handled it as well as they did is what makes all the difference in the world. So, like I said, I feel more confident using Lastpass after this scenario than I did before.
Now, not everybody feels that way. I get it. Software is kind of magical. Security software is really important. If you feel that you need to switch to a different password vault, then fine. There are plenty of good ones out there. KeePass, RoboForm, 1Password … there’s a bunch of others. They’re all fundamentally very good, but like I said, I have lost no confidence in Lastpass. In fact, my confidence has only gotten better.
The other reaction we get is, “Oh my god, password vaults are evil” because people can get at your stuff. Again, to me that is a severe over-reaction. In my opinion, using a password vault, any of the currently secure, reputable, good password vaults like Lastpass, is ultimately more secure than every other alternative. I really don’t care what alternatives you might come up with. If you’ve got an algorithm, if you’ve got a piece of paper, if you’ve got something stored in a safe somewhere, Lastpass and password vaults like it allow you to do two incredibly important things.
One is that they let you use truly random, complex, hard-to-guess, long passwords, and they let you use a different one on every site you visit, every site on which you have an account. Those two characteristics of passwords are only more and more important as the world gets smarter, as more accounts happen, as hackers get more prolific.
Password vaults make it easy to do the right thing when it comes to password length, password complexity and password diversity. To me, that is significantly more important, and taking it easy on those three issues actually puts you at significantly greater risk, in my opinion, than does using a good password vault.
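As an added illustration of the three properties just named (length, complexity, diversity), here is a small Python script that is not part of Leo’s video or of any password manager’s code. It draws passwords from the operating system’s cryptographic random source the way a vault does, computes how many bits of guessing work each one represents, and audits a constructed sample vault for passwords reused across sites. The vault contents, site names and thresholds are all made up for the example.

```python
import math
import secrets
import string

# Character set a vault typically offers: letters, digits and punctuation.
# 52 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample vault (hypothetical sites and passwords, not real data).
CONSTRUCTED_VAULT = {
    "bank.example":   "Summer2017!",
    "mail.example":   "Summer2017!",          # reused from bank.example
    "shop.example":   "tr0ub4dor",
    "forum.example":  "x9$Lq!2vB#pW7eR@kT4m",  # what a generator produces
}


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a password chosen uniformly at random from `alphabet`.

    `secrets.choice` uses the OS CSPRNG. `random.choice` must not be used
    here: it is a Mersenne Twister whose state is recoverable from output.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random password: length * log2(|alphabet|).

    This is the 'length' and 'complexity' argument in numbers: 20 symbols
    from 94 is about 131 bits; 8 digits is about 27 bits.
    """
    return length * math.log2(alphabet_size)


def find_reuse(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password that appears on more than one site to those sites.

    Reuse is the 'diversity' failure: one site's breach unlocks the others.
    """
    by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def find_short(vault: dict[str, str], min_length: int = 16) -> list[str]:
    """Return sites whose stored password is shorter than `min_length`.

    Length is a proxy for entropy only for random passwords; a long
    human-chosen phrase may still be weak, so this is a floor, not a verdict.
    """
    return sorted(site for site, pw in vault.items() if len(pw) < min_length)


if __name__ == "__main__":
    print("fresh password:", generate_password())
    print("entropy of 20 chars from %d symbols: %.1f bits"
          % (len(ALPHABET), entropy_bits(20, len(ALPHABET))))
    print("reused:", find_reuse(CONSTRUCTED_VAULT))
    print("short:", find_short(CONSTRUCTED_VAULT))
```

Running it prints a new random password, the entropy figure for the generator’s default settings, and the two findings in the constructed vault: the password shared by bank.example and mail.example, and the three entries shorter than 16 characters. The generator and the audit are independent, which is the point: a vault is valuable because it removes the human from both choosing and remembering the password.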
So, that’s where I’m at. I’m still using Lastpass. I’m going to keep on using Lastpass until something more significant happens; I mean, if they really do drop the ball someday, I’ll be here to tell you that I’m ready to go, but I’m not. Lastpass did the right thing. Password vaults are still more secure than the alternatives, and that’s where I’m at. Where are you at? Let me know in the comments down below.
As always with my videos, this video will be on askleo.com. Here’s a link to it. You’ll find it out there; that’s where all the comments are read, all the comments are moderated to keep the YouTube trolls out, and I’d love to hear what you have to say. Until next time, I’m Leo Notenboom for askleo.com. Remember, have fun, stay safe and yeah, don’t forget to back up. Take care.