Security weakness LastPass?

mike_question
Posts: 6 Forumite

I have been trying out LastPass which is supposed to be a super secure way of storing all your passwords - "extra strong encryption" - "everything stored in a digital vault" - etc - etc. The idea is you can protect everything in this one place.
Their system is so secure even they don't store the passwords - it's done by algorithms or something.
But how safe is it?
I just tried to log in to my LastPass "vault" but couldn't remember my password. So they have a recovery option which just asks for your email address without any password and they just send you a "One Time" password without fuss. In fact I didn't even receive the "One Time" password - the system just logged me in there and then!
Hey presto - anyone who can access our email account (which I believe isn't all that difficult) can then easily access our "super safe" LastPass account with all of our digital existence, credit cards and everything laid bare for them to use.
Doesn't this make LastPass a bit pointless? In fact isn't it positively dangerous for creating a false sense of super security whereas in fact any bright kid can just walk in?
Comments
-
What do LastPass say about your complaint?
-
Password managers are pointless rubbish that, like you have discovered, simply add in potential weaknesses.
Just use a system for creating memorable complex passwords.
-
I will ask LastPass for comments - just thought I would see what folk thought.
Password managers seem to be a good idea - every password is strong and different - it would take hours to do that manually without a password manager system.
But if there is a massive security hole in the system then clearly they are a BAD idea!
-
mike_question wrote: »...anyone who can access our email account (which I believe isn't all that difficult) can then easily access our "super safe" LastPass account
What makes you think that?
-
What makes me think emails aren't too difficult to break into?
I'm not sure exactly - just a vague awareness that cyber criminals and even newspapers, for instance, have been known to do it as a matter of routine. Also, I have never read or heard anyone say "oh yes go right ahead and use emails as a place to send or store information that needs to be kept secure."
So that's why I'm puzzled that LastPass were happy to let me into my LastPass account without additional security - just using email.
-
Enable two factor authentication
Multifactor Authentication refers to a device that can be enabled for use with your LastPass account, and requires a second step before you can gain access to your account.
https://support.logmeininc.com/lastpass/help/enable-multifactor-authentication-lp010002
-
Cheers for that, I thought only the paid-for subscriptions had that feature.
-
mike_question wrote: »Hey presto - anyone who can access our email account (which I believe isn't all that difficult) can then easily access our "super safe" LastPass account with all of our digital existence, credit cards and everything laid bare for them to use.
https://support.logmeininc.com/lastpass/help/recover-your-lost-master-password-lp020010#UseRecoveryPW
This discussion has been closed.