People always ask me if I use a password manager. The answer is no. I am too paranoid to put all of my passwords in one place. Instead, I prefer to use variations on complex pass phrases that I can remember and I change them frequently. I have a good memory, so it works for me.
Even though I do not use a password manager (and by password manager I do not mean a file called “passwords!”), many people do. If you use LastPass as your password manager, and you read this blog, you will know that LastPass has had its share of issues.
In the past few weeks, those issues escalated when a member of Google’s Project Zero found vulnerabilities in LastPass that users should be aware of. According to reports, the issue could take some time to fix and is being described as a “major architectural problem.”
The vulnerability affects users of version 4.x and would allow a phishing attacker to steal passwords from the LastPass vault when the user is directed to a malicious website. It could also execute code on the user’s computer if the LastPass binary component is installed (the native helper that provides autologoff, fingerprint authentication, the copy-username and copy-password buttons, data import and export, an additional layer of encryption, and import from the Chrome, Safari and Opera browser password managers). Ouch.
Until there is a fix, LastPass is advising its customers to launch sites from inside the Vault rather than from the browser toolbar or by using auto-fill, and to turn on two-factor authentication on sites that offer it.
LastPass has promised to release its analysis when it has fixed the issue, and if you are a LastPass user, you may wish to read it closely.
It should be noted that security experts are praising LastPass for its responsiveness to the recent issues, and all indications are that it is working hard to resolve the most recent one.
Nonetheless, the Privacy Tip for this week is that I would reconsider putting all of your passwords in one place.