LastPass Finds Security Holes In Its Online Password Manager - yurisagalov
http://blog.lastpass.com/2014/07/a-note-from-lastpass.html

======
jt2190
While this news is a little worrisome, I view LastPass as a "better than what
I'd do otherwise" solution, not a "perfect" solution. I no longer use my small
set of short, easy-to-remember passwords over and over again across multiple
sites. Now most of my passwords are long random strings that I don't even
know. The overall increase to my average security offsets the downsides of
having a centralized target for attackers, I think.

~~~
rcthompson
> I view LastPass as a "better than what I'd do otherwise" solution

Do you think it's better than, say, using a desktop-based password manager to
save passwords to an encrypted file, and then syncing that file to all your
machines via Dropbox?

~~~
tnyswutnw
Used to use LastPass but I've found KeePass & KeeFox (Firefox addon) to be
just as sufficient for daily use. Just as usable as LastPass and you have many
more options for syncing data you know you own and isn't part of a juicy
targeted password database.

------
zedpm
Any security hole is of course concerning, but as a LastPass user, I'm not at
all concerned about the two issues mentioned in this article. The two features
in question are, IMHO, not part of a typical use case for the product.

------
tptacek
Somehow, this poor writeup of LastPass's disclosure is ranking higher than the
original post, which predates it on the site:

[https://news.ycombinator.com/item?id=8022543](https://news.ycombinator.com/item?id=8022543)

~~~
dang
Yes. We'll change the url from [1], which points to this. Unfortunately, we
don't yet have a way to do any better than that. But see [2] for two things
we're working on that will help in these situations.

1\. [http://techcrunch.com/2014/07/11/lastpass-finds-security-holes-in-its-online-password-manager-doesnt-think-anyone-exploited-them/](http://techcrunch.com/2014/07/11/lastpass-finds-security-holes-in-its-online-password-manager-doesnt-think-anyone-exploited-them/)

2\. [https://news.ycombinator.com/item?id=8016584](https://news.ycombinator.com/item?id=8016584)

------
PeterWhittaker
The headline is fearmongery: While the security holes are real, they concern
not the security of persistent site-specific passwords but of a) bookmarklets,
used by less than 1% of their user base, and b) of one-time passwords (OTPs).

I've been using LastPass for over a year on multiple platforms and many, many
sites and didn't even know those features existed...

As written, the headline makes it seem that perhaps, just perhaps, persistent
password storage is at risk. Now THAT would freak me out.

But the current news is, for me and many users, nothing to see here, please
move along.

Responsible disclosure yes, excellence in headline writing not so much.

------
donniezazen
What do you guys use to store GPG and SSH key passphrases? Your GPG key can be
your most valuable stuff. Remembering the passphrases of several subkeys seems
impossible. The only two passwords I remember are Google Account and LastPass.
I could probably remember the GPG master key passphrase, but do you think it could
also be saved in LastPass?

------
quaunaut
I wonder if they had any way to reasonably detect these being used maliciously
after they'd fixed it, since they fixed this as long ago as September 2013.

It'd be a neat sort of non-honeypot.

------
gojomo
s/Finds/Discloses/