Thursday, 23 March 2017

LastPass Quickly Fixes Security Hole - Doesn't Fix Managers In General


Google uncovered a security vulnerability in the LastPass password manager, one that LastPass quickly fixed. That's good, but I'm not sure that it is anywhere near good enough.

Just a week ago I wrote about the attractiveness of password manager services to bad actors. This is exactly the reason why.

Discovery of a vulnerability like this potentially opens the doors to every service vaulted inside: bank, credit card, share-dealing accounts, retail, email and any other account of value. All unlocked by one vulnerability in an unrelated service.

A better demonstration of keeping all your eggs in one basket I haven't seen.

This isn't a criticism of LastPass itself, but we've seen in the past how difficult it is to keep a service secure. When the service holds such critical information, that risk becomes unpalatable.

There are many other ways of securing passwords. Using one of those instead would seem a very sensible decision indeed.
