A Google security researcher has discovered new vulnerabilities in the LastPass password manager. The good news? LastPass already fixed them.
The bad news? These kinds of episodes always trigger a knee-jerk reaction in certain circles.
So I want to be very clear about this: As I wrote in First Steps: Secure Your Online Identity, using a good password manager is in fact one of the key steps you can and should take to protect yourself. And, yes, LastPass is a good password manager.
Our reactions to things are in many ways a sign of the times. Anything can be turned into a negative these days, and while one might choose to frame a story about this event as “oh, look, LastPass has f@#$ed up again,” I think the opposite is perhaps more relevant: These events don’t actually happen very often, and LastPass fixed the problems immediately.
That’s the kind of response we should be looking for, not denouncing. And as for this incident specifically, LastPass says it has impacted no customers.
Even the security researcher who found the vulnerabilities is impressed: “Very impressed with how fast @LastPass responds to vulnerability reports,” he tweeted. “If only all vendors were this responsive [thumbs up].”
Not surprisingly, LastPass gives exactly the same advice I published in First Steps: Secure Your Online Identity, but it also adds two other bits: Be wary of phishing attacks, and keep your PC up-to-date with AV/anti-malware, both of which amount to “just don’t be stupid.” It’s good advice. Including for those who are writing articles about this incident.
If you’re using LastPass, your browser plug-in/app should update automatically. But it doesn’t hurt to check, you know, using that “don’t be stupid” mantra.