Password Manager Bug Exposes Last Used Password
Password manager LastPass has suffered an embarrassing security glitch that reveals a user's last used password, though some security experts argue that pulling off the exploit would have been difficult at best.
The purpose of LastPass is to solve the problem of people having too many passwords to remember while not wanting to reuse passwords across multiple sites. Once somebody signs up for LastPass, they create a single master password that is kept completely secret. Even LastPass itself doesn't store this password, so if a user forgets it, they are out of luck.
The master password then unlocks a virtual "vault" in which the user's other passwords are stored. Users can either manually visit the LastPass website to retrieve a stored password, or have the password automatically filled into web forms through either a browser extension or the mobile app.
Bug Exposes Last Used Password
Google's Project Zero security team recently revealed a bug that could have exposed a stored password for users of the Chrome and Opera extensions. LastPass has confirmed the bug existed, though it pointed out that hackers would need to trick the user into visiting a compromised web page in order for the bug to be effective.
If exploited, the bug could extract the last password that LastPass had automatically filled into a web form in the browser. That could be the password for any website, though by definition it would more likely be one the user regularly visited. (Source: bleepingcomputer.com)
It's important to remember that the bug didn't expose the master password for the user's LastPass account, which would have been a major problem. As noted, that isn't stored by LastPass.
Extensions Updated With Fix
The bug has now been fixed and the extension updated; to be on the safe side, LastPass has updated the extension for all the browsers it supports. Users don't need to take any action, though it may be worth restarting the browser and checking that the extension update has worked and that the latest LastPass version, which is 44.33.0, is installed. (Source: gizmodo.com)
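The version check above can be automated for a fleet of machines. The following script is an added example, not code from the article or from LastPass: it walks a Chrome-style extensions directory (the `Extensions/<extension id>/<version>/manifest.json` layout used by Chrome, Chromium and Opera), finds every extension whose manifest name contains a given string, and reports whether each installed copy meets a minimum version. The directory it scans is a constructed fixture written to a temporary folder; the real profile path for your browser and operating system, and the `build_fixture`/`audit` names, are assumptions. The minimum version defaults to the one the article quotes.

```python
"""Audit a Chrome-style extensions directory for a minimum extension version.

Added example (not the article's or LastPass's code). Layout assumed:
    <ext_root>/<extension id>/<version dir>/manifest.json
"""
import json
import os
import tempfile
from typing import Dict, List, Tuple

# Version the article quotes as the patched release (assumption: article value).
ARTICLE_FIXED_VERSION = "44.33.0"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.33.0' into (4, 33, 0) so versions compare numerically, not as strings.

    Non-numeric fragments (e.g. a trailing '_0' in a directory name) count as 0.
    """
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_extensions(ext_root: str, name_contains: str) -> List[Dict[str, str]]:
    """Return one record per installed copy whose manifest 'name' contains name_contains.

    Caveat: some extensions localise 'name' as '__MSG_...__'; those will not match
    by name and would need matching on the extension id instead.
    """
    found: List[Dict[str, str]] = []
    if not os.path.isdir(ext_root):
        return found
    for ext_id in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for ver_dir in sorted(os.listdir(ext_dir)):
            manifest = os.path.join(ext_dir, ver_dir, "manifest.json")
            if not os.path.isfile(manifest):
                continue
            try:
                with open(manifest, encoding="utf-8") as fh:
                    data = json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip it, don't abort the audit
            name = str(data.get("name", ""))
            if name_contains.lower() in name.lower():
                found.append({"id": ext_id, "name": name,
                              "version": str(data.get("version", "0"))})
    return found


def audit(ext_root: str, name_contains: str,
          min_version: str = ARTICLE_FIXED_VERSION) -> List[Tuple[str, str, bool]]:
    """Return (extension id, installed version, meets_minimum) for each match."""
    minimum = parse_version(min_version)
    return [(e["id"], e["version"], parse_version(e["version"]) >= minimum)
            for e in find_extensions(ext_root, name_contains)]


def build_fixture() -> str:
    """Write a constructed extensions tree (fake ids, fake manifests) and return its path."""
    root = tempfile.mkdtemp(prefix="ext_audit_")
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "44.32.1",   # constructed: one release behind
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "44.33.0",   # constructed: the quoted fixed version
        "cccccccccccccccccccccccccccccccc": "1.0.0",     # constructed: unrelated extension
    }
    for ext_id, version in samples.items():
        name = "Other Extension" if ext_id.startswith("c") else "LastPass: Free Password Manager"
        ver_dir = os.path.join(root, ext_id, version + "_0")
        os.makedirs(ver_dir)
        with open(os.path.join(ver_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": version, "manifest_version": 2}, fh)
    return root


def demo() -> List[Tuple[str, str, bool]]:
    """Run the audit over the constructed fixture."""
    return audit(build_fixture(), "lastpass")


if __name__ == "__main__":
    for ext_id, version, ok in demo():
        print(f"{ext_id}  {version:>8}  {'OK' if ok else 'OUTDATED'}")
```

To audit a real profile, pass the browser's `Extensions` directory instead of the fixture path; Chrome, Chromium and Opera each keep it in a platform-specific profile folder, so look that path up for your platform rather than hard-coding it. The numeric comparison matters: comparing "4.9.0" and "4.10.0" as strings would report the newer build as older.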
Security experts are divided over exactly how serious this bug should be considered. Google's Tavis Ormandy, who discovered the bug, rated it as severe. Others say it wasn't critical and point out that LastPass fixed it quickly.
The bug doesn't appear to be a good reason to stop using password managers, if that's your chosen security measure. However, some users suggest avoiding password managers for the most sensitive login credentials, such as a main email account or an online bank.
Another suggestion for making password managers more secure is to have the manager remember and auto-fill only part of the password on a form, then manually type the last 4 or so letters or digits. Of course, that means the user still needs to remember part of the password, but the upside is that it adds an extra layer of security.
What's Your Opinion?
Do you use a password manager? Do bugs like this put you off? How would you prefer to balance convenience and security when it comes to website logins?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!