I had a scary moment this morning with my current password manager Lastpass.
Before I explain the problem, I’ll give some background. I currently have 299 passwords stored in my Lastpass account. Out of these, 4 are PayPal logins – all with different usernames and passwords: 1 personal account, 1 business master account and 2 business sub-accounts for employees. I keep the personal and business logins private, and share the sub-accounts with the relevant employees.
I got a call this morning from one of my employees telling me that his sub-account had my personal username instead of his username. I logged into my Lastpass account and sure enough, his account had my username. I checked my personal account, it also had my username. I checked the passwords – both were 15+ digit alphanumeric codes and both were different.
I changed the sub-account username back to what it should be by manually typing it in (i.e. I didn’t revert any changes). I asked my employee to log out then log back into his Lastpass account. I then logged onto my employee’s computer and went to PayPal.com. My personal account was logged in. This means that my employee was able to log into my personal PayPal account without me ever sharing it with him and despite it not having the correct password. I clicked ‘log out’, then Lastpass auto-filled the username and password fields and I clicked ‘log in’. PayPal then logged into the sub-account.
So, just to recap. Lastpass copied a username from one record to another without action from me. Lastpass then allowed a shared user to log into both accounts, without changing the password for either. If the password for the sub-account remained the same, how could he log into my personal account!?
I think this may be related to the ‘auto-login’ feature which I’ve seen mix up usernames and passwords before.
This is the final straw for Lastpass unfortunately. There is no way I will continue to use a password manager that is so insecure and unreliable. Anyone got any recommendations? I want it to be online so I can access from anywhere, and have sharing options so that I can share passwords with my team.
PS I feel I should share that I signed up for a ‘Premium’ Lastpass account which comes with ‘priority support’. Their first response did not show on my end – I had to get a Lastpass agent to screenshot it from their side so that I could see it. Their second response took 11 days (due to ‘heavy support period’ apparently). Since then, it has been faster and more comprehensive.