
A Note from LastPass - anu_gupta
http://blog.lastpass.com/2014/07/a-note-from-lastpass.html
======
JamesBaxter
I can't imagine how I'd survive without Lastpass. One of its added benefits
is seeing just how many different services you don't use any more still have
your details.

I did a purge a few months back and I'm down from 150 sites to about 70. It
was depressing how many sites I had to email to ask them to delete my account.

~~~
scrollaway
Been there too and fully agreed.

That said, if you ever need something less centralized than lastpass, try
KeepassX: [https://www.keepassx.org/](https://www.keepassx.org/)

~~~
JohnTHaller
I'd recommend KeePass over KeePassX if you're in Windows-land or don't mind
running KeePass 2.0 which runs under .NET and Mono. KeePassX's last stable
release was in 2010 and hasn't had any patches since then. Its 2.x branch has
been in alpha for years.

~~~
scrollaway
I don't know what you're talking about.

[https://github.com/keepassx/keepassx/commits/master](https://github.com/keepassx/keepassx/commits/master)
- Last commit 3 weeks ago.

[https://www.keepassx.org/news/2014/04/433](https://www.keepassx.org/news/2014/04/433)
- Last alpha released in April.

~~~
JohnTHaller
Exactly what I said. There hasn't been a stable release since 2010. And the
next version has been in alpha for years. You linking to the current alpha
build and alpha source on master doesn't refute that.

------
tptacek
I think this is the research they're referring to:

[http://devd.me/papers/pwdmgr-usenix14.pdf](http://devd.me/papers/pwdmgr-usenix14.pdf)

(Note that this is a USENIX paper, which makes the "we let them publish it"
comment sort of weird).

The bookmarklet attack isn't subtle; page 8 explains how they were able to set
up a malicious site that could obtain Lastpass (say) Dropbox credentials.

~~~
pwman
It's not a 'we let them publish'; it's a 'we respected their wishes' in that we
would hold off on talking about it until they published.

------
GeorgeOrr
I love LastPass, and this response is one of the reasons why. There will
always be issues in security, there is nothing out there that will ever be
perfect. The question is how you respond when things are discovered.

The one caveat I have is that I do wish they open sourced. Overall I prefer
that when it comes to security.

But LastPass has always responded well when issues come up.

~~~
ChrisLTD
Open source is no panacea when it comes to security. OpenSSL's Heartbleed
vulnerability comes to mind.

You also have to have qualified and dedicated people regularly reading and
testing the code. I'd rather LastPass hired more security experts who we could
be sure were testing the code.

------
schrodingersCat
While I do appreciate this disclosure, I'm not sure doing so a year later
warrants much applause. While I agree this is a vulnerability that only affects
a small subset of users (<1%), the actual number of users could be large
depending on the size of their customer base (likely tens of thousands).

~~~
pwman
If we stole the thunder from security researchers by announcing things
they've found before they can, we'd risk that they'd consider holding back. I
feel it's the right move to encourage the researchers and respect their
wishes.

------
n0body
LastPass is awesome, and I like their disclosure policy. Nothing worse than
trying to cover things up.

