Last week, a famous security researcher took to Twitter to vaguely yet ominously warn everyone who was using LastPass, a popular password manager.
This may or may not have been the same bug that a different researcher noticed last week, in which he figured out that he could exploit LastPass’s autofill functionality[1] to get other people’s passwords.
You’ll be forgiven for perhaps having missed the brouhaha over either of these issues because LastPass rolled out fixes within 24 hours. But the entire episode raised two big questions.
First, is it appropriate to take to Twitter or another public channel to warn people of a security flaw, or is it irresponsible fear-mongering that may lead to further compromise of the software? It depends on what information the tweet contained.
Ryan O’Leary, vice president of the Threat Research Center for WhiteHat Security, based in Santa Clara, Calif., said, “Responsible disclosure is a tricky thing,” but ultimately agreed with Ormandy’s actions.
“Tavis did not disclose how he was able to remotely compromise accounts, which would have had immediate, devastating implications,” O’Leary told SearchSecurity. “Instead, he made it known to users that there is a critical flaw and he would report the findings immediately to LastPass to fix. This was so users would know of the issue, and to potentially stop using the service and change their passwords immediately.”
The second question that arises is, of course, whether LastPass—or any password manager—can be considered truly safe to use.
The answer is that they are not truly safe because nothing really is, but they are safer than the alternative, which is reusing your passwords or using weak passwords, or both. The key is to keep abreast of how often the service you use is compromised and to be vigilant about applying updates and changing your master password when there is a hack. If you start to see news that multiple vulnerabilities exist, and the company isn’t fixing them promptly, then it may be time to consider switching password managers, but that doesn’t seem to have been the case in this instance.
So, you can probably continue to use LastPass, you should definitely change your LastPass password, and you should absolutely turn on two-factor authentication. In a world where everything is ultimately hackable at some level, that is likely as safe as you can be.
[1] In which LastPass—and any other password manager—automatically fills in your password on websites you visit. It’s often viewed as one of the main advantages of using a password manager.