Turns Out LastPass Is Slightly Less Secure Than We’d Hoped


Here at Select All, we’ve sung the praises of password manager LastPass for some time now. It’s free. It’s fairly easy to use. But, as is the risk with storing all your passwords in any one location, it’s not a perfect system. This week, LastPass announced on its blog that a Google security researcher, Tavis Ormandy, discovered a security exploit in the platform. The issue is a client-side vulnerability that affects the LastPass browser extension. The company is calling it “unique and highly sophisticated,” and says it’ll explain in further detail once it has finished fixing the problem.

Until that happens, LastPass has a few tips for keeping your passwords as secure as possible: If you haven’t already done so, make sure all your accounts use two-factor authentication. (Provided a given platform offers two-factor. If it doesn’t, drop it an email or an angry tweet asking why it doesn’t want its users to be safe.) And, as usual, be careful not to click any third-party links from unknown senders to avoid phishing scams.

Finally, LastPass is recommending all users launch password-protected websites directly from the LastPass vault (that is, not from the LastPass Chrome extension, which houses the vulnerability). “This is the safest way to access your credentials and sites until this vulnerability is resolved,” the company explained. Which sounds like a bit of a pain, but also a small price to pay for not having things go the way of Mark Zuckerberg’s Pinterest boards.
