LastPass XSS vulnerability found. Is it a big deal?

Via DownloadSquad I found out that a cross-site scripting (XSS) vulnerability was found in LastPass – an online password management service.  The problem was reported to LastPass and they seem to have fixed it before the information went public.  What remains now is the question of how bad this incident is.

First off: don’t worry. Cardwell reported the vulnerability to LastPass before writing it up, and it has since been fixed. We’re not sure if the fix has propagated out to the Chrome and Firefox add-ons — but we have to assume that Cardwell wouldn’t have written his blog post if the vulnerability still existed.

With that said, you should still be more than a little concerned about the fundamental architecture of LastPass as an in-the-cloud password manager. While this cross-site scripting attack was fixed quickly, Cardwell thinks a similar attack “could easily happen again in future.”

[…]

It’s very hard for us to recommend LastPass as a password manager when further vulnerabilities will almost certainly be found. For the time being, you should check out KeePass, an offline password manager that, for now, is a lot more secure than LastPass.

Being a user of LastPass myself and knowing quite a few other people who use the service (some of them even on my recommendation), I have to say that I am not pleased.  I trust absolutely all of my passwords to LastPass and I rely on it being secure.  Having said that, I have to point out that the world is still there.  And most likely, it will still be there even if all those passwords get stolen and distributed all over the Internet.  For sure, some people will lose some data.  Some will probably lose some money.  But I don’t think it can get any worse than that.  Nobody will die.

More so, convenience and productivity beat security.  Yes, there are a few security-conscious individuals out there who would never trust their passwords to their own mother, let alone a web-based service that they have no control over.  But most people aren’t like that.  Most people, yours truly included, just don’t care enough.  The modern world is filled with usernames and passwords, and for the most part people don’t care whether someone else knows them or not.  We only use credentials because we are forced to.  Remembering all those logins and passwords is a tough job.  Having it done by LastPass is awesome!  You don’t have to remember passwords anymore.  You don’t have to worry about losing them together with your laptop.  You don’t have to worry about carrying the laptop with you at all times.  Just save them to LastPass and you’ll be able to access them from anywhere – home, office, mobile, etc.  This is so convenient that it’s almost irrelevant how many vulnerabilities will be found and exploited – LastPass still solves the hard problem for a lot of people.  The only thing they have to worry about is competition that can and probably will exploit such incidents.
