ATTENTION: You are viewing a page formatted for mobile devices; to view the full web page, click HERE.

Main Area and Open Discussion > General Software Discussion

Multiple LastPass Vulnerabilities Discovered Recently

(1/5) > >>

I (mostly) stopped using LastPass a couple years ago for reasons unrelated to this, but it seems multiple password-leaking vulnerabilities (and other dangerous exploits) have been discovered recently:

LastPass works by storing your passwords in the cloud. It provides browser extensions that connect to your LastPass account and automatically fill out your saved login details when you surf to your favorite sites.

However, due to the discovered vulnerabilities, simply browsing a malicious website would be enough to hand over all your LastPass passphrases to strangers. The weak LastPass script uncovered by Ormandy could be exploited by tricking it into granting access to the manager's internal data. It can also be potentially abused to execute commands on the victim's computer – Ormandy demonstrated this by running calc.exe simply by opening a webpage.-
--- End quote ---

Even though I no longer use LastPass for new passwords, my account still has many old passwords I haven't updated in a while, and I have kept the extension installed because of that, since it seems to work more reliably than the extension for the password manager I switched to. So maybe it's time for me to fully ditch LastPass.

KeePass or bust

Nothing about LessPass?  Surprisingly little activity on that thread, and that's what I'm looking at switching to.

Just installed LastPass yesterday and deleted logins from my browser.  What now?  Sigh!!

Nothing about LessPass?  Surprisingly little activity on that thread, and that's what I'm looking at switching to.
-wraith808 (March 21, 2017, 08:11 PM)
--- End quote ---

LessPass uses very interesting ideas, but I don't plan to move to it because I have an old-fashioned password manager program that runs locally (though it does sync the encrypted database via dropbox - or maybe it's google drive). I manually copy/paste my passwords instead of using any browser integration.  I'm happy with that solution.  I believe it's safe enough for me because even though the database is in the cloud, it's not in a centralized database with a lot of users - anyone compromising it would be someone targeting me specifically rather than collecting passwords for thousands or millions of people.

Though I would be quite interested in hearing about anyone else's experience - maybe it'll convince me to switch.


[0] Message Index

[#] Next page

Go to full version