It makes me cringe, but not for the reasons you might think.
And it doesn’t have to be LastPass. I’d cringe in the same unexpected way for most of the bugs discovered in any sufficiently mature password vault.
I cringe because of the predictable, unwarranted over-reaction.
Headlines are meant to grab your attention.
They’re not meant to inform you; they’re not meant to convey meaningful information; they’re not even required to be accurate. They’re meant to grab your attention so you’ll take the next step: click through to read more.
Many sensational headlines result. When software as popular, ubiquitous, and as important as LastPass is discovered to have a bug, the headline writers go nuts.
“Google warns users of popular password manager LastPass that bug exposed their credentials to being hacked”
“LastPass fixes flaw that leaked your previously used credentials”
“Google Reveals Security Bug in LastPass Password Manager That Exposed Users’ Last Entered Password”
Each of those headlines is both correct and fundamentally wrong in a very critical — yet sensational — way.
Each reads as if your information has already been exposed.
It has not.
How vulnerable are you?
If you read beyond the headline — often beyond even the first few paragraphs of the accompanying story — then the relevant information comes out.
- If you’re tricked into visiting a malicious web site,
- And if that site happens to attempt to exploit this vulnerability,
- Then credentials you might have used immediately prior
- Might be exposed to the malicious site.
LastPass describes it as:
To exploit this bug, a series of actions would need to be taken by a LastPass user, including filling a password with the LastPass icon, then visiting a compromised or malicious site, and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed.
To reiterate, you would have needed to visit a malicious site intentionally targeting this vulnerability. There were no such sites known before the vulnerability was fixed.
Pragmatically, you were never at risk.
What should you do?
Probably nothing. LastPass automatically updates itself, and had done so before the vulnerability was announced.
As long as you’re allowing everything to update automatically, as you should, then you’re fine. It’s as if nothing happened, because from your perspective, nothing actually happened. The process worked exactly as it is supposed to:
- Discovery of a vulnerability was responsibly disclosed to LastPass.
- LastPass fixed it.
- Software was automatically updated.
- The existence of the no-longer-active vulnerability was made public.
Why I cringe
It’s the over-reaction.
The over-reaction of people who read “there’s a vulnerability” and think “OH MY GOD ALL IS LOST!!!”
The people who hear a report of things working exactly as expected, and exactly as they should, and use that as some kind of justification for abandoning or avoiding password vaults altogether.
The people who will now use significantly less secure passwords that they can easily remember, or a significantly less secure means of storing their password, or revert to the significantly less secure technique of using the same password in multiple places.
The people who will put themselves at significantly higher risk, not because of the discovered-and-fixed vulnerability, but because of their unwarranted reaction to it.
It’s the over-reaction of these folks that makes me cringe the moment I see the headline.
It’s the response that matters
To be clear, I’m talking about mature software that has a solid track record. If LastPass had a history of security vulnerabilities, or of having responded to such reports poorly … well, then, I wouldn’t be using or recommending LastPass in the first place.
All software has bugs — no exception. That means, in the context of any well-regarded software, it’s their track record of having few if any serious vulnerabilities, and reacting appropriately to anything that is discovered, that matters most. LastPass has never been breached[1] (regardless of what once-again misleading headlines might have hinted), and they reacted appropriately to a previously discovered vulnerability.
If you expect perfect software — if your position is “one strike and you’re out” — then you probably shouldn’t use any software at all.
Look instead for how a company reacts to the issues that inevitably come up.
LastPass continues to measure up, in my opinion, and did everything right. Those over-reactions are just that: unwarranted over-reactions.
1: No, LastPass has never been breached. Again, headlines mislead. In fact, LastPass has always responded appropriately and proactively to any hint of an issue — even in the face of a risk of misleading headlines. Even so, the very design of LastPass’s technology would render an actual breach of their servers pointless, because information is securely encrypted.