Last Pass is not very secure.

[Ankit Sharma]

Quote

I’ve found a really easy way to bypass the fingerprint/PIN authentication that protects all of your 2FA codes. The Android app, produced by LastPass, doesn’t use the same protection that their flagship app uses (like locking when idle, lock on screen off, etc).

Here

 

Personally I think Linus or his team should address this because if I am not wrong then they have been sponsored by LastPass in the past.

[ItsMitch]

13th June 2017: Reported to LastPass support with proof. Jed from LP confirms that he can reproduce the issue

20th June: Followed up asking for an ETA. Support confirm that there is no ETA

7h December: Followed up, ticket pushed to “level 3 support”. Johnny from LP confirms that there are no updates and it is “still being investigated”.

8th December: Informed support that I would be publishing the details, received no response.

lmao

thank fuck I'm using DashLane

[dizmo]

Yeah. I never did trust something that stores all your password in a single entity.

[Guest]

I wouldn't say this is an indicator that Last Pass as a whole is insecure (I don't use it, but I digress). The article only shows that a companion 2fa app for android is insecure.

[NoRomanBatmansAllowed]

RIP me.

[ProjectBox153]

And this is why I don't use any password manager from someone else. I have the best one, my brain.

[ItsMitch]

LPS issued a quick tweet:

They've been aware of this for well over 6 months, this is really unacceptable, why not just fix it.

[TheUzu]

People with android phones don’t have anything worth stealing anyway.

 

What passwords are they going to steal anyway the ones that give out food stamps?

 

On a more serious note they’ll have to steal your phone to get your passwords anyway, that and unlock the phone.

[Lurick]

8 minutes ago, Jamiec1130 said:

And this is why I don't use any password manager from someone else. I have the best one, my brain.

Let me know how that works out for you when you need to remember a 23 character combination of letters, numbers, symbols, upper case, lower case, with no more than 2 consecutive characters and all non-dictionary based words.

[Whiskers]

I don't think this title is very accurate. Their Authenticator app seems to be insecure, but so far as we know that doesn't extend to the main LastPass app itself.

[vorticalbox]

19 minutes ago, dizmo said:

Yeah. I never did trust something that stores all your password in a single entity.

The storing of the passwords is not the issue. AstPass storage is actually very secure 

[ProjectBox153]

2 minutes ago, Lurick said:

Let me know how that works out for you when you need to remember a 23 character combination of letters, numbers, symbols, upper case, lower case, with no more than 2 consecutive characters and all non-dictionary based words.

It works fine, for me. Then again, I'm one who can remember phone numbers for pizza restaurants I haven't been to in ages.

[Lurick]

Just now, Jamiec1130 said:

It works fine, for me. Then again, I'm one who can remember phone numbers for pizza restaurants I haven't been to in ages.

If it works for you, it works

Just not always easy when you have to change complex passwords every six months ;-;

Never used the android app though, just the desktop version.

[onlybuilt4cubanxlinx]

11 minutes ago, Lurick said:

If it works for you, it works

Just not always easy when you have to change complex passwords every six months ;-;

Never used the android app though, just the desktop version.

Same and I'd be lost with out it. Writing down passwords or remembering them off the top of my head is not plausible.

[dizmo]

23 minutes ago, vorticalbox said:

The storing of the passwords is not the issue. AstPass storage is actually very secure 

Still wouldn't trust it. 

[Jade]

Talk about a clickbait title. It's LastPass Authenticator, not Lastpass.

[GoodBytes]

This entry does not meet the posting guidelines:

• You need to explain the news in your own words

Also, the news is incomplete. This is SOMEONE who CLAIMS that has found a way to by-pass it. We don't know the version of LastPass needed, and it seems to only affect the Android version of LastPass.

 

Moved to Phones and Tablet,

[Wolther]

I'll continue to use last pass. I wouldn't consider this as last pass as a whole is insecure really just a flaw in the Android app (which I don't even own an android).

[2FA]

I just use the Google Authenticator for 2FA where available, no need to go 3rd party for it.

[paddy-stone]

1 hour ago, Wolther said:

I'll continue to use last pass. I wouldn't consider this as last pass as a whole is insecure really just a flaw in the Android app (which I don't even own an android).

I use the desktop and android version of lastpass. I DO NOT use the 2FA from lastpass, I instead use my fingerprint which is as secure as I can currently get. I only remember a few major passwords that are like 21-37 characters long, one of which is my lastpass password. Everything else is a generated or custom password which is in excess of 37 characters normally (site dependent), and none are reused. I use keepass as a backup, and for non online passwords and such storage. For sites/apps that I do need 2FA where I can't substitute my fingerprint, then I use google authenticator as mentioned above, there are other options too from MS and others.