A Google security researcher has discovered new vulnerabilities in the LastPass password manager. The good news? LastPass already fixed them.
The bad news? These kinds of episodes always trigger a knee-jerk reaction in certain circles.
Sign up for our new free newsletter to get three time-saving tips each Friday — and get free copies of Paul Thurrott's Windows 11 and Windows 10 Field Guides (normally $9.99) as a special welcome gift!
"*" indicates required fields
So I want to be very clear about this: As I wrote in First Steps: Secure Your Online Identity, using a good password manager is in fact one of the key steps you can and should take to protect yourself. And, yes, LastPass is a good password manager.
Our reactions to things are in many ways a sign of the times. Anything can be turned into a negative these days, and while one might choose to focus a story about this event as “oh, look, LastPass has f@#$ed up again,” I think the opposite is perhaps more relevant: These events don’t actually happen very often, and LastPass fixed the problems immediately.
That’s the kind of response we should be looking for, not denouncing. And as for this incident specifically, LastPass says it has impacted no customers.
Even the security researcher who found the vulnerabilities is impressed: “Very impressed with how fast @LastPass responds to vulnerability reports,” he tweeted. “If only all vendors were this responsive [thumbs up].”
Not surprisingly, Last Pass recommends exactly the same advice I published in First Steps: Secure Your Online Identity, but it also adds two other bits: Be wary of phishing attacks, and keep your PC up-to-date with AV/anti-malware, both of which amount to “just don’t be stupid.” It’s good advice. Including for those who are writing articles about this incident.
If you’re using LastPass, your browser plug-in/app should update automatically. But it doesn’t hurt to check, you know, using that “don’t be stupid” mantra.
<blockquote><em><a href="#92565">In reply to George Rae:</a></em></blockquote><p>The number of forks that third-parties have made to an open source product is irrelevant to the original. Since KeePass doesn't store your passwords in the cloud it is inherently more secure than any password manager that does. For some people the inconvenience of not being able to sync automatically across devices is a non-starter, but better security always involves trade-offs.</p>
<blockquote><a href="#92569"><em>In reply to Thomas Crowe:</em></a></blockquote><p>You really don't expect anyone to read all that gibberish do you?</p>
<blockquote><em><a href="#92574">In reply to Delmont:</a></em></blockquote><p>You're reply is ironic. Do you often label things you haven't read as "gibberish", or was his expectation that someone might read it justified in your case?</p>
<blockquote><em><a href="#92865">In reply to Vuppe:</a></em></blockquote><p>That's the least of my typos.</p>
<p>Lastpass is actually the one recommendation, by Paul, that was actually very good. Out of a 5 star rating, the average production recommendation by Paul has to be a "1." Everything from Windows Phone, Zune, Band, Xbox, Stream, etc… has all been very bad. If you listened or read Paul's recommendation to buy a certain product and you followed it, I know you ended up being very disappointed and dissatisfied. All his recommendations are just nothing short than peculiar to say the least.</p><p><br></p><p>However, despite that very long and bad streak, Lastpass is the only shiny 5 star recommendation that has been excellent. I learned about this from Paul as a Windows tip, listening to Windows Weekly about 8-9 years ago (or perhaps more). I came to use Lastpass after using Portable Roboform for years and I tried to replace the tool with similar others, in order to avoid paying the LastPass annual premium of $12. All in all, Lastpass is just the best. I am confident that the moment…the very moment, a breach occurs in their system, that they'll act on it immediately with the utmost intensity. The LastPass team is also very transparent. This is how much I trust the Lastpass guys.</p>