LastPass Quickly Fixes New Vulnerabilities

Posted on March 23, 2017 by Paul Thurrott in Cloud, Mobile, Windows, Windows 10 with 22 Comments

A Google security researcher has discovered new vulnerabilities in the LastPass password manager. The good news? LastPass already fixed them.

The bad news? These kinds of episodes always trigger a knee-jerk reaction in certain circles.

So I want to be very clear about this: As I wrote in First Steps: Secure Your Online Identity, using a good password manager is in fact one of the key steps you can and should take to protect yourself. And, yes, LastPass is a good password manager.

Our reactions to things are in many ways a sign of the times. Anything can be turned into a negative these days, and while one might choose to focus a story about this event as “oh, look, LastPass has f@#$ed up again,” I think the opposite is perhaps more relevant: These events don’t actually happen very often, and LastPass fixed the problems immediately.

That’s the kind of response we should be looking for, not denouncing. And as for this incident specifically, LastPass says it has impacted no customers.

Even the security researcher who found the vulnerabilities is impressed: “Very impressed with how fast @LastPass responds to vulnerability reports,” he tweeted. “If only all vendors were this responsive [thumbs up].”


Not surprisingly, LastPass recommends exactly the same advice I published in First Steps: Secure Your Online Identity, but it also adds two other bits: Be wary of phishing attacks, and keep your PC up-to-date with AV/anti-malware, both of which amount to “just don’t be stupid.” It’s good advice. Including for those who are writing articles about this incident.

If you’re using LastPass, your browser plug-in/app should update automatically. But it doesn’t hurt to check, you know, using that “don’t be stupid” mantra.


22 responses to “LastPass Quickly Fixes New Vulnerabilities”

  1. DavidCKWalker

    This seems unduly positive. Although incredibly convenient, password managers have the potential to increase attack surface. I cancelled my LastPass account and went fully in with Google's own manager because I don't trust a small player to get a product of this complexity right. Try KeePass if you insist on an alternative to Google's solution; it's open source and is recommended by the researcher in question.

    • George Rae

      So in one sentence you call LastPass a small player, which is funny on its own. Then you recommend a one-person-shop open source project with many forks.

      • skane2600

        In reply to George Rae:

        The number of forks that third-parties have made to an open source product is irrelevant to the original. Since KeePass doesn't store your passwords in the cloud it is inherently more secure than any password manager that does. For some people the inconvenience of not being able to sync automatically across devices is a non-starter, but better security always involves trade-offs.

        • Programmatic 410

          In reply to skane2600:

          Enpass is a good compromise in that it can work like KeePass locally or using personal cloud storage, rather than 3rd party centralized storage as with LastPass, plus it works better than KeePass for browser fills on phones and Windows.

          Personally, I still prefer LastPass, though I keep my few important accounts only in KeePass and back up LastPass into KeePass (LastPass imports easily into KeePass). I also like the recent interface and other improvements of LastPass.

      • Thomas Crowe

        In reply to George Rae:

        A large player written by security experts, open source, as well as independent review is what the world needs. Right now we don't have it, and LastPass seems to be the best net positive I've found so far.

      • DavidCKWalker

        In reply to George Rae:

        FYI - another two bugs from the same researcher in the past week. I have no faith LastPass have a grip on this, no matter how well-intentioned.

        And there are many eyes on KeePass, unlike the alternatives.

    • Spineless

      In reply to DavidCKWalker:

      The problem with going all-in with Google's password manager is that you are locked into the Google ecosystem. Then why not use the Microsoft password manager? LastPass works everywhere...

    • Neyah

      In reply to DavidCKWalker:

      Hasn't Chrome's password manager happily exposed all of your passwords in the past at the click of a button?

      • DavidCKWalker

        In reply to Neyah:

        No that was browser based form fill. This is accessed via Works on mobile and desktop. I exported from LastPass to CSV, enabled the Chrome flag and then uploaded. I'm all in on Chrome though.

  2. jboman32768

    I don't know why people think giving all their passwords to a 3rd party is a good idea, or tying it up in a browser plug-in.

    KeePass has been my choice for years - and I think most people who are serious about this stuff would make the same choice.

  3. DaveHelps

    I would much sooner trust a vendor with a history of discovering and fixing vulnerabilities in their products than one who tells you their product doesn't have any - the latter usually means they aren't looking.

    For LastPass, the fact they were able to respond so quickly suggests a well-established process hardened by repeated practice. That doesn't happen by accident.

  4. Bats

    LastPass is actually the one recommendation, by Paul, that was actually very good. Out of a 5 star rating, the average production recommendation by Paul has to be a "1." Everything from Windows Phone, Zune, Band, Xbox, Stream, etc... has all been very bad. If you listened or read Paul's recommendation to buy a certain product and you followed it, I know you ended up being very disappointed and dissatisfied. All his recommendations are just nothing short of peculiar, to say the least.

    However, despite that very long and bad streak, LastPass is the only shiny 5 star recommendation that has been excellent. I learned about this from Paul as a Windows tip, listening to Windows Weekly about 8-9 years ago (or perhaps more). I came to use LastPass after using Portable Roboform for years, and I tried to replace the tool with similar others in order to avoid paying the LastPass annual premium of $12. All in all, LastPass is just the best. I am confident that the moment...the very moment, a breach occurs in their system, that they'll act on it immediately with the utmost intensity. The LastPass team is also very transparent. This is how much I trust the LastPass guys.

    • KingPCGeek

      In reply to Bats:

      I have tried to use LastPass several times and come to the conclusion every time that Roboform is so much better. The days of Portable Roboform are long gone; now it's Roboform Everywhere. You really get what you pay for.

      • Thomas Crowe

        In reply to KingPCGeek:

        I found RoboForm to work better with legacy websites and browsers than other password managers, but last time I used it years back (around when they first came out), the database was stored in plain text. I would imagine they are much more security focused nowadays.

  5. Thomas Crowe

    LastPass said "We have no indication that any of the reported vulnerabilities were exploited in the wild, but we’re doing a thorough review at this time to confirm." I'm guessing they will be looking into their logs with a forensic eye to see if any unusual activity occurred. Hope they have hardware-enforced one-way-channel write-only log provider hardware that can be read offline in read-only mode. That is not the same as "it has impacted no customers," and I'm not sure exactly how they can even verify that claim. As much as I like the narrative of praising their fast response, which in fact deserves much praise, this is something that deserves extra scrutiny, due to the all-eggs-in-one-basket problem. They are in fact the very definition of why TNO (trust no one) exists. We are entrusting that they write code to make our lives safer while being more manageable at the same time, and yet we are not really sure what code is executing in their extension. And yes, using them in theory is much better than falling back to using the same-password-everywhere methodology. It is raising the bar much better than older methods. That trust falls apart though, when issues like this arise, leaving me to wonder if it's not better to keep passwords all separate that were generated and stored from a separate non-internet-connected device that is vetted via open source hardware and software design with independent review, and one where we can reproduce the product ourselves from raw materials if needed. To copy and paste a password to the internet-connected device, a separate hardware-enforced one-way channel presents the password when needed. That sounds crazy, but it appears that password managers are now the low-hanging fruit, and this should be an eye opener that the bar needs to be raised more towards this alternative nut-brained scheme if we are ever to truly live up to the holy grail TNO mindset.

  6. Steve Martin

    The real problem is that we're still stuck with using passwords for authentication in the first place. Something they are provably bad at.

    The worst password management tool is better than remembering a couple of passwords that are used over and over.

    The worst non-password authentication process is better than the best password management tool.

    LastPass works until apps and websites get freed from the username/password paradigm for security.