LastPass is great. We can share credentials and secrets through it. There's a feature where you can even share the login to a site on it, but they can't view the password - only LastPass can fill it in.
Can't really agree with that. For me, LastPass is a huge annoyance (it wants to fill in passwords on pages that these passwords definitely don't belong to, and it prompts you to save passwords over and over again with no "don't save passwords on this page" checkbox), and its UI is not really good either (e.g. the floating "+" icon in the vault - if you want to create a new folder you have to hover over it, for other items, you have to click it. Also, neither of these functions is available in the context menu - huh?!). And don't get me started about the "feature" of letting users use passwords, but not see them - security by obscurity anyone?
It's as much of a pain as you make it. For me, if I keep it well organized, I basically just forget that I have to log in to things at work: I just click them and I'm in, or I navigate and it's filled.
I can see how it might not be the solution you want for home, but at work I'm just trying to get things done, and that unfortunately involves a large number of passwords that can't easily be federated into an SSO like Okta because they span businesses, clients and companies. I don't understand the hate for LastPass; for me it just works (tm).
I think the hate mostly comes out of being forced to use a solution and then being annoyed because it tries to force itself onto you. Yes, I confess, when I'm waiting for an important email I sometimes check private emails on my work laptop, and I would love to be able to just tell LastPass to not prompt me to save the credentials for my email provider into my company account, but it's simply not possible, and then the repeated "helpful" save password prompts annoy the hell out of me...
LastPass is terrible if you want to use it for automation. There is no official support for the CLI interface (it's a community project), and it does not work on Windows by default (you'd need to install Cygwin on every single server you wish to use the CLI on, as opposed to a simple `winget install --name LastPass.CLI`). I cannot recommend that anyone use this product for enterprise use, especially for internal IT use.
People easily copying and pasting the password into a chat app to quickly share it with Greg from finance asking if he could just quickly log into the app even though he's not really supposed to?
Sure, it's not too hard to get around that feature; you could just inject your own JavaScript on the page to dump the contents of the password field. But it does block the low-hanging fruit of the millions of users who don't know how to do that, who might abuse having access to the password because they don't really know better.
In essence, it helps to prevent those users who don't know better from leaking the password to places it shouldn't be. Obviously it doesn't prevent people who know how to get around it from getting around that protection, but in those circumstances you shouldn't really be sharing your password with someone who will abuse your trust.
The people likely to do such things counter to security are going to click phishing links, install malware and misuse their company devices anyway. Their problem is not technological in nature to solve - it is personal and behavioral. I call it theater because it doesn't significantly improve the security posture and maturity, while making both the user and administrator feel tough and hardened.
> The people likely to do such things counter to security are going to click phishing links, install malware and misuse their company devices anyway.
Are you arguing that because they might make mistakes elsewhere we shouldn't bother putting any barriers up to them breaking policy, and that the only thing we should do is more training? I'd argue both things should be done. I do agree preventing LastPass from directly exposing the password isn't a very strong protection, but let's not act like it doesn't prevent any kind of password abuse. Sure, users should be more trained, but we should also create more barriers to prevent them from shooting off their toes.
It almost sounds like an argument to get rid of barriers on highways. Drivers should just know to not drive off the cliff; if people are driving off the highway clearly all we need to do is train them more. Barriers are just safety theater, people might still end up driving off the cliff if they try hard enough!
You asked for a use case for this feature and I gave you a use case that happens all the time and which such a feature prevents for a large percentage of those users. You'd need someone determined to break the policy to dump the password and share it someplace they shouldn't, as opposed to someone doing it without thinking "is this against policy? shrug".
I think parent is referring to the idea that it's not a problem for a technically inclined person to, when the extension is filling out the password, inspect the password HTML element and "see" it. Other options would include sniffing network traffic in your browser or replacing DNS with a self-hosted website with a form under the same domain to trick the extension into filling in a form on a website you control (since they match based on the typed-in domain).
> There's a feature where you can even share the login to a site on it, but they can't view the password - only LastPass can fill it in.
Is there anything that stops someone from letting LastPass fill the field, then using the browser tools to change the form field from `password` to `text`?