LastPass Quickly Fixes New Vulnerabilities

A Google security researcher has discovered new vulnerabilities in the LastPass password manager. The good news? LastPass already fixed them.

The bad news? These kinds of episodes always trigger a knee-jerk reaction in certain circles.

So I want to be very clear about this: As I wrote in First Steps: Secure Your Online Identity, using a good password manager is in fact one of the key steps you can and should take to protect yourself. And, yes, LastPass is a good password manager.

Our reactions to things are in many ways a sign of the times. Anything can be turned into a negative these days, and while one might choose to focus a story about this event as “oh, look, LastPass has f@#$ed up again,” I think the opposite is perhaps more relevant: These events don’t actually happen very often, and LastPass fixed the problems immediately.

That’s the kind of response we should be looking for, not denouncing. And as for this incident specifically, LastPass says it has impacted no customers.

Even the security researcher who found the vulnerabilities is impressed: “Very impressed with how fast @LastPass responds to vulnerability reports,” he tweeted. “If only all vendors were this responsive [thumbs up].”

Not surprisingly, LastPass recommends exactly the same advice I published in First Steps: Secure Your Online Identity, but it also adds two other bits: Be wary of phishing attacks, and keep your PC up-to-date with AV/anti-malware, both of which amount to “just don’t be stupid.” It’s good advice. Including for those who are writing articles about this incident.

If you’re using LastPass, your browser plug-in/app should update automatically. But it doesn’t hurt to check, you know, using that “don’t be stupid” mantra.

Conversation (22 comments)

  • DavidCKWalker

    23 March, 2017 - 6:08 am

    This seems unduly positive. Although incredibly convenient, password managers have the potential to increase attack surface. I cancelled my LastPass account and went fully in with Google's own manager because I don't trust a small player to get a product of this complexity right. Try KeePass if you insist on an alternative to Google's solution – it's open source and is recommended by the researcher in question.

    • George Rae

      23 March, 2017 - 8:50 am

      So in one sentence you call LastPass a small player, which is funny on its own. Then you recommend a one-person-shop open source project with many forks.

      • DavidCKWalker

        23 March, 2017 - 8:59 am

        In reply to George Rae:

        FYI – another two bugs from the same researcher in the past week. I have no faith LastPass have a grip on this, no matter how well-intentioned.

        And there are many eyes on KeePass, unlike the alternatives.

        • Reinier Zevenhuijzen

          25 March, 2017 - 7:51 pm

          In reply to DavidCKWalker:

          Google security researchers have also found bugs in Windows, Mac, Android, Linux, Internet Explorer, Chrome, etc.

          What software do you use that never had vulnerabilities?

      • Thomas Crowe

        23 March, 2017 - 10:23 am

        In reply to George Rae:

        A large player, written by security experts, open source, and independently reviewed, is what the world needs. Right now we don't have it, and LastPass seems to be the best net positive I've found so far.

      • skane2600

        23 March, 2017 - 2:24 pm

        In reply to George Rae:

        The number of forks that third parties have made of an open source product is irrelevant to the original. Since KeePass doesn't store your passwords in the cloud, it is inherently more secure than any password manager that does. For some people the inconvenience of not being able to sync automatically across devices is a non-starter, but better security always involves trade-offs.

        • Programmatic 410

          25 March, 2017 - 12:07 pm

          In reply to skane2600:

          Enpass is a good compromise in that it can work like KeePass locally or using personal cloud storage, rather than third-party centralized storage as with LastPass, plus it works better than KeePass for browser fills on phones and Windows.

          Personally, I still prefer LastPass, though I keep my few important accounts only in KeePass and back up LastPass into KeePass (LastPass imports easily into KeePass). I also like the recent interface and other improvements of LastPass.

    • Neyah

      23 March, 2017 - 10:46 am

      In reply to DavidCKWalker:

      Hasn't Chrome's password manager happily exposed all of your passwords in the past at the click of a button?

      • DavidCKWalker

        23 March, 2017 - 10:53 am

        In reply to Neyah:

        No, that was browser-based form fill. This is accessed via Works on mobile and desktop. I exported from LastPass to CSV, enabled the Chrome flag and then uploaded. I'm all in on Chrome though.

    • Spineless

      29 March, 2017 - 12:46 am

      In reply to DavidCKWalker:

      The problem with going all-in with Google's password manager is that you are locked into the Google ecosystem. Then why not use the Microsoft password manager? LastPass works everywhere…

  • Thomas Crowe

    23 March, 2017 - 9:18 am

    LastPass said "We have no indication that any of the reported vulnerabilities were exploited in the wild, but we’re doing a thorough review at this time to confirm." I'm guessing they will be looking into their logs with a forensic eye to see if any unusual activity occurred. Hope they have a hardware-enforced one-way-channel write-only log provider that can be read offline in read-only mode. That is not the same as it has impacted no customers, and I'm not sure exactly how they can even verify that claim. As much as I like the narrative of praising their fast response, which in fact deserves much praise, this is something that deserves extra scrutiny, due to the all-eggs-in-one-basket problem. They are in fact the very definition of why TNO (trust no one) exists. We are entrusting that they write code to make our lives safer while being more manageable at the same time, and yet we are not really sure what code is executing in their extension. And yes, using them in theory is much better than falling back to the same-password-everywhere methodology. It is raising the bar much higher than older methods. That trust falls apart, though, when issues like this arise, leaving me to wonder if it's not better to keep all passwords separate, generated and stored on a separate non-internet-connected device that is vetted via open source hardware and software design with independent review, and one where we can reproduce the product ourselves from raw materials if needed. To copy and paste a password to the internet-connected device, a separate hardware-enforced one-way channel presents the password when needed. That sounds crazy, but it appears that password managers are now the low-hanging fruit, and this should be an eye-opener that the bar needs to be raised more towards this alternative nut-brained scheme if we are ever to truly live up to the holy grail TNO mindset.

    • Delmont

      23 March, 2017 - 9:43 am

      In reply to Thomas Crowe:

      You really don't expect anyone to read all that gibberish, do you?

      • Thomas Crowe

        23 March, 2017 - 10:13 am

        In reply to Delmont:

        Let me be perfectly clear. I use LastPass every day on all my devices and absolutely love and recommend the product, as it's the best one in the market. That said, I also believe in TNO, and due to the nature of the product, I believe it should come with heavy scrutiny and raises some serious concerns in general despite being the best. That is all.

      • skane2600

        23 March, 2017 - 2:34 pm

        In reply to Delmont:

        You're reply is ironic. Do you often label things you haven't read as "gibberish", or was his expectation that someone might read it justified in your case?

        • Vuppe

          24 March, 2017 - 5:08 pm

          In reply to skane2600:

          'You're' tehe

          • skane2600

            27 March, 2017 - 11:35 am

            In reply to Vuppe:

            That's the least of my typos.

  • Bats

    23 March, 2017 - 10:23 am

    LastPass is actually the one recommendation, by Paul, that was actually very good. Out of a 5-star rating, the average product recommendation by Paul has to be a "1." Everything from Windows Phone, Zune, Band, Xbox, Stream, etc… has all been very bad. If you listened to or read Paul's recommendation to buy a certain product and you followed it, I know you ended up being very disappointed and dissatisfied. All his recommendations are just nothing short of peculiar, to say the least.

    However, despite that very long and bad streak, LastPass is the only shiny 5-star recommendation that has been excellent. I learned about this from Paul as a Windows tip, listening to Windows Weekly about 8-9 years ago (or perhaps more). I came to use LastPass after using Portable Roboform for years, and I tried to replace the tool with similar others in order to avoid paying the LastPass annual premium of $12. All in all, LastPass is just the best. I am confident that the moment…the very moment, a breach occurs in their system, they'll act on it immediately with the utmost intensity. The LastPass team is also very transparent. This is how much I trust the LastPass guys.

    • KingPCGeek

      Premium Member
      23 March, 2017 - 3:49 pm

      In reply to Bats:

      I have tried to use LastPass several times and come to the conclusion every time that RoboForm is so much better. The days of Portable RoboForm are long gone; now it's RoboForm Everywhere. You really get what you pay for.

      • Thomas Crowe

        23 March, 2017 - 4:10 pm

        In reply to KingPCGeek:

        I found RoboForm to work better with legacy websites and browsers than other password managers, but the last time I used it, years back (around when they first came out), the database was stored in plain text. I would imagine they are much more security-focused nowadays.

  • DaveHelps

    Premium Member
    23 March, 2017 - 10:37 am

    I would much sooner trust a vendor with a history of discovering and fixing vulnerabilities in their products than one who tells you their product doesn't have any – the latter usually means they aren't looking.

    For LastPass, the fact they were able to respond so quickly suggests a well-established process hardened by repeated practice. That doesn't happen by accident.

  • jboman32768

    Premium Member
    24 March, 2017 - 12:55 am

    I don't know why people think giving all their passwords to a third party is a good idea, or tying it up in a browser plug-in.

    KeePass has been my choice for years – and I think most people who are serious about this stuff would make the same choice.

  • Steve Martin

    Premium Member
    24 March, 2017 - 4:52 pm

    The real problem is that we're still stuck with using passwords for authentication in the first place. Something they are provably bad at.

    The worst password management tool is better than remembering a couple of passwords that are used over and over.

    The worst non-password authentication process is better than the best password management tool.

    LastPass works until apps and websites get freed from the username/password paradigm for security.

Thurrott © 2023 Thurrott LLC