Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Why Password Vault Bugs Make Me Cringe

A couple of weeks ago, it was announced that LastPass had a bug that could, in certain circumstances, expose a password to a malicious website.

It makes me cringe, but not for the reasons you might think.

And it doesn’t have to be LastPass. I’d cringe in the same unexpected way for most of the bugs discovered in any sufficiently mature password vault.

I cringe because of the predicable, unwarranted, over-reaction.

Become a Patron of Ask Leo! and go ad-free!

The presentation

Headlines are meant to grab your attention.

They’re not meant to inform you; they’re not meant to convey meaningful information; they’re not even required to be accurate. They’re meant to grab your attention so you’ll take the next step: click through to read more.

Many sensational headlines result. When software as popular, ubiquitous, and as important as LastPass is discovered to have a bug, the headline writers go nuts.

“Google warns users of popular password manager LastPass that bug exposed their credentials to being hacked”

“LastPass fixes flaw that leaked your previously used credentials”

“Google Reveals Security Bug in LastPass Password Manager That Exposed Users’ Last Entered Password”

Each of those headlines is both correct and fundamentally wrong in a very critical — yet sensational — way.

Each reads as if your information has already been exposed.

It has not.

How vulnerable are you?

Keep Calm and LastPass OnNot particularly.

If you read beyond the headline — often beyond even the first few paragraphs of the accompanying story — then the relevant information comes out.

  1. If you’re tricked into visiting a malicious web site,
  2. And if that site happens to attempt to exploit this vulnerability,
  3. Then credentials you might have used immediately prior
  4. Might be exposed to the malicious site.

LastPass describes it as:

To exploit this bug, a series of actions would need to be taken by a LastPass user, including filling a password with the LastPass icon, then visiting a compromised or malicious site, and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed.

To reiterate, you would have needed to visit a malicious site intentionally targeting this vulnerability. There were no such sites known before the vulnerability was fixed.

Pragmatically, you were never at risk.

What should you do?

Probably nothing. LastPass automatically updates itself, and had done so before the vulnerability was announced.

As long as you’re allowing everything to update automatically, as you should, then you’re fine. It’s as if nothing happened, because from your perspective, nothing actually happened. The process worked exactly as it is supposed to:

  • Discovery of a vulnerability was responsibly disclosed to LastPass.
  • LastPass fixed it.
  • Software was automatically updated.
  • The existence of the no-longer-active vulnerability was made public.

Why I cringe

It’s the over-reaction.

The over-reaction of people who read “there’s a vulnerability” and think “OH MY GOD ALL IS LOST!!!”

The people who hear a report of things working exactly as expected, and exactly as they should, and use that as some kind of justification for abandoning or avoiding password vaults altogether.

The people who will now use significantly less secure passwords that they can easily remember, or a significantly less secure means of storing their password, or revert to the significantly less secure technique of using the same password in multiple places.

The people who will put themselves at significantly higher risk, not because of the discovered-and-fixed vulnerability, but because of their unwarranted reaction to it.

It’s the over-reaction of these folks that make me cringe the moment I see the headline.

It’s the response that matters

To be clear, I’m talking about mature software that has a solid track record. If LastPass had a history of security vulnerabilities, or of having responded to such reports poorly … well, then, I wouldn’t be using or recommending LastPass in the first place.

Context matters.

All software has bugs — no exception. That means, in the context of any well-regarded software, it’s their track record of having few if any serious vulnerabilities, and reacting appropriately to anything that is discovered, that matters most. LastPass has never been breached (regardless of what once-again misleading headlines might have hinted), and they reacted appropriately to a previously discovered vulnerability.

If you expect perfect software — if your position is “one strike and you’re out” — then you probably shouldn’t use any software at all.

Look instead for how a company reacts to the issues that inevitably come up.

LastPass continues to measure up, in my opinion, and did everything right. Those over-reactions are just that: unwarranted over-reactions.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

Footnotes & References

1: No, LastPass has never been breached. Again, headlines mislead. In fact, LastPass has always responded appropriately and proactively to any hint of an issue — even in the face of a risk of misleading headlines. Even so, the very design of LastPass’s technology would render an actual breach of their servers pointless, because information is securely encrypted.

10 comments on “Why Password Vault Bugs Make Me Cringe”

  1. The fact of the matter is this…the folks who should be reading this, will not, even if they did, it wouldn’t make any difference anyway. In their mind LastPass has been hacked and that is what they will preach. PC world had the most fair report in my opinion, while LifeLock/Norton is using it to lure more customers.

    As for myself, I did not blink. I use two factor authentication with a long pass-phrase, I also use LastPass to generate email account passwords and I have a scheduled image BACKUP nightly (three machines) with EaseUs! Life is good and I have piece of mind!

    Reply
  2. If one uses Lastpass or any other password manager prpoerly, a vulnerability of this type is not a big deal. It is only one password. Besides, Lastpass has the capability for a user to change passwords whenever the user wants and can be setup to remind users to change passwords on a schedule if so desired.
    I would think that if you are going to use a password manager that you would also take a few minutes to learn how it works during the process to set it up.
    When the news broke that a vulnerability was found in Lastpass, I went beyond the headlines and then realized that it was a “Nothing to see here” type of event. Besides, I’ve taken other measures to prevent someone from taking advantage of a data breach that may affect me. Getting one of my user names and passwords would not do much good for whoever got it, except on that one site. Even then, It wouldn’t be that useful.

    Reply
  3. I use Keepass. Same thing… there have been issues. Keepass found them and fixed them before it was publicly notified. Of course the public notification never mentioned in any way, shape or form that the issue had been found and fixed before anybody “out in the wild” had found it.

    Publishers who publish garbage like this… well they oughta be shutdown. Permanently. And yes… I’m definitely a hard liner.

    Reply
    • Unfortunately, in cases like these, the necessity of a free press outweighs the risk of some erroneous information getting through. It’s up to people to research the issues themselves. Fake news has been around since the beginning of news. I’m sure a lot of the hieroglyphics in the pyramids were fake news :-)

      Reply
  4. The “Nothing to see here” can apply to almost all vulnerabilities hyped in the press. Before a vulnerability can impact any particular computer many other conditions have to exist (just like Leo’s 4 points for a LastPass bug).

    Reply
  5. In my experience:

    – software packages suddenly have a critical bug,
    – suppliers suddenly disappear.

    So I don’t use a password vault. Instead, I manage my 100+ (strong) passwords manually.

    Reply
    • I prepare for that eventuality by backing up my LastPass vault. I save it and encrypted it usingzip encryption. My reason for using zip encryption is for the reasons you’ve mentioned here. It’s one technology that will never go away because I’ll always have a copy of the program that created it, in this case, 7Zip.
      How Do I Back UP LastPass?
      In fact, your comment prompted me to back up my LastPass passwords and encrypt the list. I have 439 passwords saved.

      Reply
    • @ Gordon Campbell

      I really think it’s a mistake to choose DIY over a password manager. There are no advantages to this, and you lose immensely in security, features and ease of use.

      No reputable software publisher, or online service, has ever disappeared the way you say. Even the anonymous developers of True Crypt, which folded hastily for reasons still unknown, left users with a forewarning and a way out. I still use True Crypt to this day, sometimes.

      There are several outstanding open source password managers available (often free). You can’t go wrong with one of the favorite variants of Kee Pass — it has many forks. Kee Pass proper has been certified for intelligence work in France. Bitwarden is free, open source, and you can self-host it if you wish.

      In the very unlikely case that one of those developers would suffer a catastrophic event some day (say, overwhelming health problems), others would certainly come forth to pick up the job.

      Reply
      • Even if they did suddenly disappear (agree this is highly unlikely), backing up regularly solves this problem as well. I have instructions for LastPass here: How Do I Back Up LastPass? — the resulting backup is plain text and does not require LastPass. It could be imported into your replacement of choice. (One of the reasons I left RoboForm, by the way, they had no export at the time. No idea if that’s still the case.)

        Reply
  6. Sheesh!

    Even if you’re in the “stupid, overreactionary” category, this should not affect your security because, if you’re sensible — although, I’ll freely grant, that that’s inconsistent with being “stupid” and “overreactionary” — but, as I say, IF you’re SENSIBLE, then the most you’ll do, is to immediately switch to another, more robust and secure, password vault!

    Fearful and distrusting of LastPass? So, use KeePass instead! Wham! — security restored!

    So, what’s the problem?!? :o :)

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.