Serious Security Issues with Lastpass

I had a scary moment this morning with my current password manager Lastpass.

Before I explain the problem, I’ll give some background. I currently have 299 passwords stored in my Lastpass account. Out of these, 4 are PayPal logins – all with different usernames and passwords: 1 personal account, 1 business master account and 2 business sub-accounts for employees. I keep the personal and business logins private, and share the sub-accounts with the relevant employees.

I got a call this morning from one of my employees telling me that his sub-account had my personal username instead of his username. I logged into my Lastpass account and sure enough, his account had my username. I checked my personal account, it also had my username. I checked the passwords – both were 15+ digit alphanumeric codes and both were different.

I changed the sub-account username back to what it should be by manually typing it in (i.e. I didn’t revert any changes). I asked my employee to log out then log back into his Lastpass account. I then logged onto my employee’s computer and went to PayPal.com. My personal account was logged in. This means that my employee was able to log into my personal PayPal account without me ever sharing it with him and despite it not having the correct password. I clicked ‘log out’, then Lastpass auto-filled the username and password fields and I clicked ‘log in’. PayPal then logged into the sub-account.

So, just to recap. Lastpass copied a username from one record to another without action from me. Lastpass then allowed a shared user to log into both accounts, without changing the password for either. If the password for the sub-account remained the same, how could he log into my personal account!?

I think this may be related to the ‘auto-login’ feature which I’ve seen mix up usernames and passwords before.

This is the final straw for Lastpass unfortunately. There is no way I will continue to use a password manager that is so insecure and unreliable. Anyone got any recommendations? I want it to be online so I can access from anywhere, and have sharing options so that I can share passwords with my team.

PS I feel I should share that I signed up for a ‘Premium’ Lastpass account which comes with ‘priority support’. Their first response did not show on my end – I had to get a Lastpass agent to screenshot it from their side so that I could see it. Their second response took 11 days (due to ‘heavy support period’ apparently). Since then, it has been faster and more comprehensive.

5 thoughts on “Serious Security Issues with Lastpass”

  1. Hmmm, I just noticed your other posting PP and LP compared.

    I agree that PP is not so convenient to use in some ways, but it is the only online passcode management tool of this ilk that I have found for viable collaboration without going to enterprise scale solution. (Just fyi, I spent a lot of time during the last month researching this.)

    I certainly would also be interested if anyone has found anything better.

    Just to mention a couple things:
    – PP is very responsive to customers

    – they say they will be adding some improvements on the sharing tools that are going to make PP way more proficient for managing sharing (I have had some discussion with Francesco about this… happy to share more if you’re interested)

    – do not use the Basic Authentication feature in PP – it exposes your codes in the browser location history. (Due to the way http auth works there is no way around this until and unless they implement a fairly sophisticated strategy for handling this). I did not check this in LastPass, but I doubt there is any online-centric tool out there that is not at risk of exposing your codes with HTTP Basic Authentication due to the architecture of that methodology.

    Like I said, inconveniences exist, but considering the limited options out there I am very happy with PP, and I am very encouraged considering my interactions with the company so far.

    Other than that, for non-enterprise investment it looks like we would have to rely on online database tools like Zoho Creator, Dabble DB, (Coghead – but I think it died), or Caspio Bridge, …to name a few in that ilk, where you would setup your own online database, and could share out reports (like Zoho Views) that allow you to control what can be seen or edited.

    However, unfortunately those do not provide HPH (host-protected hosting of your data).

    Oh, I did see something called ‘securessheet’ that looks really interesting.

    The deal is, HPH and managed secure sharing of data and docs in a collaborative environment is still in its infancy. For less-than-enterprise-scale concerns it seems the market is wide-open and ripe for newcomers (would-be providers) into this field. I wish I had the skillsets for cutting a path into it – I think there’s huge opportunity here.

    So hey, thanks for your excursions into this subject on your blog… I really appreciate it. Keep it up.
    TwoHawks

    1. Yes indeed, not quite as convenient, but safer and far more robust. And yes, the support from Francesco/Tara can be very good (although I have had a few support requests which have gone unanswered in the past).
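The comment above warns that a Basic Authentication feature puts credentials into the browser’s location history, because a URL of the form `http://user:pass@host/` is stored like any other URL. The following script is an added example, not code from this post or from any of the products it mentions: it scans a constructed history export for URLs carrying embedded credentials and shows the redacted form an administrator would want logged instead.

```python
# Added example (not from the post or the products it discusses): detect and
# redact credentials embedded in URLs such as http://user:pass@host/, which is
# how browser-side Basic Authentication ends up in history files and logs.
from urllib.parse import urlsplit, urlunsplit

# Constructed sample history export: one clean URL, two with embedded credentials.
SAMPLE_HISTORY = """\
2024-01-01 09:00  https://example.com/login
2024-01-01 09:01  http://alice:s3cretPass@intranet.example.com/admin/
2024-01-01 09:02  https://bob%40corp:pw%21@files.example.com/share?id=7
"""

def find_embedded_credentials(url):
    """Return (username, password) if the URL carries a userinfo part, else None."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return None
    # Values are returned as they appear in the URL (still percent-encoded).
    return (parts.username or "", parts.password or "")

def redact_url(url):
    """Drop the userinfo part, keeping scheme, host, port, path, query and fragment."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))

def scan_history(text):
    """Return (line_no, url, redacted_url) for every history line leaking credentials."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for token in line.split():
            if "://" in token and find_embedded_credentials(token):
                findings.append((line_no, token, redact_url(token)))
    return findings

if __name__ == "__main__":
    for line_no, url, clean in scan_history(SAMPLE_HISTORY):
        print(f"line {line_no}: credentials embedded in URL, safe form: {clean}")
```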

  2. Fergus
    Are you still interested in “password managers”? If so, you might like to take a look at Netsso.com, which although much more than a password manager also includes that function. We are in beta. Also accessible via http://www.facebook.com/netsso or @netsso on twitter. You’ve studied these so deeply, I would love to know your opinion.
