Password Manager Bug Exposes Last Used Password

John Lister's picture

Password manager LastPass has suffered an embarrassing security glitch that reveals a user's last used password, though some security experts argue that pulling off the exploit would have been difficult at best.

The purpose of LastPass is to solve the problem of people having too many passwords to remember, but not wanting to reuse passwords across multiple sites. Once somebody signs up to LastPass, they create a single master password which is completely secret. Even LastPass itself doesn't store this password, so if a user forgets it, they are out of luck.

The master password then stores the user's passwords in a virtual "vault". Users can either manually visit the LastPass website to retrieve a stored password, or have the password automatically filled in to web forms through either a browser extension or mobile app.

Bug Exposes Last Used Password

Google's Project Zero security team recently revealed a bug that could have exposed a stored password for users of the extension Chrome and Opera. LastPass has confirmed the bug existed, though pointed out hackers would need to trick the user into visiting a compromised web page in order for the bug to be effective.

If exploited, the bug was able to extract the last used password from the web browser that LastPass automatically filled in for the user. That could be for any website, though by definition it would be more likely to be one the user regularly visited. (Source: bleepingcomputer.com)

It's important to remember that the bug didn't expose the master password for the user's LastPass account, which would have been a major problem. As noted, that isn't stored by LastPass.

Extensions Updated With Fix

The bug has now been fixed and the extension updated; to be on the safe side, LastPass has updated the extension for all the browsers it supports. Users don't need to take any action, though it may be worth restarting your browser and checking the extension update has worked and you have the latest LastPass version, which is 44.33.0. (Source: gizmodo.com)

Security experts are divided over exactly how serious this bug should be considered. Google's Tavis Ormandy, who discovered the bug, rated it as severe. Others say it wasn't critical and it's relevant that LastPass fixed it quickly.

It doesn't appear a good reason to stop using password managers if that's your chosen security measure. However, some users suggest avoiding password managers for the most sensitive login credentials, such as a main email account or an online bank.

Another suggestion to make password managers more secure is to have it only remember and auto-fill part of the password on a form, then manually enter in the last 4 or so letters or digits of the password. Of course that means the user will still need to remember part of the password, but the upside is that it adds an extra layer of security.

What's Your Opinion?

Do you use a password manager? Do bugs like this put you off? How would you prefer to balance convenience and security when it comes to website logins?

Rate this article: 
Average: 4.6 (11 votes)