
Google's Project Zero researcher discovers “major” security issue in LastPass - aloukissas
http://www.independent.co.uk/life-style/gadgets-and-tech/news/lastpass-hack-security-problem-password-manager-a7658806.html
======
sp332
Previous discussion
[https://news.ycombinator.com/item?id=13960097](https://news.ycombinator.com/item?id=13960097)

------
kakarot
If you use online password management for anything security-critical then
you're a fool. It pains me to see LastPass so readily trusted even by the HN
community.

~~~
thraway2016
Agreed. A combination of cryptsetup luksOpen foobar && mount foobar && vim
foobar/passwords.txt has always worked fine.

I suspect it has to do with the modernist fetish of convenience. Not having
all your data synchronized to all devices at all times is apparently a fate
worse than death.

~~~
CobrastanJorji
I started using LastPass because I found that for all but my bank, Google, and
Amazon passwords, I was using the same password on every other page. I've
found that it's really great to just let LastPass pick a lengthy password for
every new site I join and know that I'll still be able to log into it later
from my phone or my laptop or my desktop without problem.

I get that it's got some serious security holes, but it's better than not
using it, because if I don't use it then I'm just gonna start repeating the
same username and password across sites again.

The enemy I'm fighting is my own laziness. I'm not choosing between "use
LastPass" and "lock my passwords in an encrypted filesystem." I'm choosing
between "use LastPass" and "use the same password everywhere," and LastPass is
better than that.

------
ry_ry
So if they want 2FA enabled and users to avoid browser plugins it
inadvertently suggests a vector to start looking at.

At a guess, an API vuln that issues a token of some description?

------
astrodust
LastPass tire fire continues to spread.

