Lastpass insecurity settings

Edit: I’ve been told by a Lastpass engineer (via Twitter) that the geo-location issue mentioned below has to do with the local cache. I’ve tested it and yes, when accessing the account from another country, it will release a local cache item before locking out again, but not if you have no local cache. I still don’t think that’s ideal. So, adding to my caveats below on securing your machine for travel: realise that the local cache behaves differently when logging into Lastpass.

This is not to say that Lastpass isn’t a good solution, but that user settings can sometimes be compromising security in ways you may not intend.


A lot of people use Lastpass, but not very securely. If you are using the cloud-based system for accessing your passwords, then your settings for each password should look like this:


Over the summer, you may have seen the news that LastPass was hacked. It likely compromised people who don’t use very complex pass phrases, and it wouldn’t have done much harm to people using its multi-factor authentication to log in. But it is evidence that Lastpass is hackable, and some people use it for all their passwords.

But what really puts people in jeopardy are the Lastpass options themselves. For example, so long as you think hackers are only people who exist in other countries, you can add security to your account by limiting access to your own country. But even here, the system design is flawed (VPN usage aside, for the moment): LastPass sends a password and login (from your local cache) before it checks the country.


So if your computer is stolen or your password has been exposed, then someone can quite easily (and securely) get in, or guess their way into, at least one account even if they are abroad, before it locks them out. At this level, they’ve got your email address. If Lastpass is opening that for you, they can then use the lastpass.com/unlock URL to get into your entire vault, bypassing the geo-restrictions. At this stage, if you don’t have multi-factor security enabled, the game is up. Multi-factor authentication isn’t an extra layer of security here; it’s the minimum, but most people wouldn’t think to set it up.
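To make the ordering problem concrete, here is an added example (my own constructed model, not LastPass’s code) of a client that holds a local credential cache, a country restriction and an MFA flag. The first function releases the cached credential before evaluating the country rule, which is the behaviour described above; the second checks every gate before anything leaves the cache, and also shows why an empty cache changes the outcome.

```python
from dataclasses import dataclass, field

@dataclass
class VaultClient:
    """Constructed model of a password-manager client (hypothetical, not LastPass)."""
    allowed_countries: set            # the user's country-restriction setting
    mfa_enabled: bool                 # whether multi-factor auth is turned on
    local_cache: dict = field(default_factory=dict)  # site -> cached credential

def autofill_unsafe(client, site, request_country):
    """Flawed ordering: the cached credential is handed out first, and only
    afterwards is the country rule applied and the cache locked.  If the
    cache was populated, one credential escapes before the lockout."""
    released = client.local_cache.get(site)        # step 1: fill from cache
    if request_country not in client.allowed_countries:
        client.local_cache.clear()                 # step 2: lock out (too late)
        return released, "locked"
    return released, "ok"

def autofill_hardened(client, site, request_country, mfa_passed=False):
    """Evaluate the country rule and MFA before touching the cache, so a
    request from a disallowed country never sees a credential at all."""
    if request_country not in client.allowed_countries:
        client.local_cache.clear()
        return None, "blocked: country"
    if client.mfa_enabled and not mfa_passed:
        return None, "blocked: mfa"
    return client.local_cache.get(site), "ok"

def demo():
    """Run the same abroad login against a cached and an uncached client."""
    cached = VaultClient({"UK"}, mfa_enabled=False,
                         local_cache={"mail.example": "s3cret"})  # constructed
    empty = VaultClient({"UK"}, mfa_enabled=False)
    return {
        "unsafe_cached": autofill_unsafe(cached, "mail.example", "FR"),
        "unsafe_empty": autofill_unsafe(empty, "mail.example", "FR"),
        "hardened_cached": autofill_hardened(
            VaultClient({"UK"}, True, {"mail.example": "s3cret"}),
            "mail.example", "FR"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The unsafe path leaks the cached credential and then locks, which matches the one-time release seen when travelling with a warm cache; with no cache there is nothing to leak, which is the difference the engineer pointed out.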

My main beef with LastPass is that it offers too many choices that appeal to the human tendency towards convenience. You can have it auto-log you into everything as you visit. Security is about conscious thought, though. People should realise what they’re logged into instead of having it constantly happen invisibly in the background. Disabling auto-fill shouldn’t be an option hidden under “advanced” settings. You should have to enable it somewhere that’s difficult to find, or maybe just not have the feature at all.

Second gripe (see the note at the top about this, though; I think there needs to be better UX around tackling it): if you’re going to have a setting that checks what country the user is in, then don’t let auto-fill trigger BEFORE it checks where the credentials are being sent.