Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Lots of Security Flaws in LastPass Password Manager

November 19, 2015

It’s been a bad couple of years for the popular password manager LastPass. Last year two security engineers were able to crack the master password and gain access to the password vault. This year, the same two found several other flaws in the product. A design flaw in the LastPass session cookie, which stores a password decryption key (pwdeckey), ultimately allowed them to get access to all the passwords. Enabling two-factor authentication (2FA) didn’t help either: it could be bypassed because of locally stored tokens. There were other problems with the 2FA implementation as well. Finally, other ways to bypass LastPass security were revealed. Suffice it to say that these two guys identified the apparent Swiss cheese security design of LastPass.

The bad news? The crap design of LastPass existed for at least a year, if not longer. The good news… LastPass is fixed. The security engineers identified the problems and LastPass corrected them in pretty short order. When’s the last time you heard of a vendor acting so quickly to update its product? Are you listening, Apple? Microsoft? Adobe?

E-mail: | Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
http://www.linkedin.com/in/johnsimek
http://www.senseient.com