LastPass, the popular password management tool, has been patched to fix a security flaw that could have left the passwords of Internet Explorer users potentially exposed.
Regular readers will know that I am a big proponent of computer users protecting themselves with tools like Bitwarden, 1Password, and KeePass to help remember and generate unique passwords for every website they use.
It’s a lot better, for instance, than trusting your web browser to remember your password.
But it is essential, of course, that these password management programs are secure – and not leaking sensitive information.
As PC Magazine describes, a flaw was found in the Windows Internet Explorer version of LastPass that meant passwords could be read in plaintext if a memory dump was performed on Internet Explorer.
Fortunately, there are some mitigating circumstances, as the folks at LastPass described to PC Magazine:
“This particular issue would be extremely difficult to exploit – requiring that you be using IE, that you’ve logged in to LastPass to decrypt your data, perform a memory dump, hunt through the memory dump, and actually locate the passwords – we have made fixing this a priority because we value the privacy and security of our users’ data above all else.”
Nevertheless, LastPass responded quickly – and included a security patch for the problem (alongside other fixes) in an important update.
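To make the attack path in that quote concrete, here is an added example (mine, not LastPass code or anything from the PC Magazine report). It simulates a vault entry decrypted into a process's memory, takes a "memory dump" of that region while the vault is unlocked, and hunts through the dump for a recognisable field (a constructed login, user@example.com) to read the plaintext password stored next to it. It then shows the defensive half: scrubbing the decrypted entry with volatile writes once it is no longer needed, which a compiler cannot drop the way it may drop a plain memset on a buffer that is about to go out of scope. The record layout and the sample credentials are assumptions for illustration only.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not LastPass code. Simulates the scenario in the article:
   a vault entry decrypted into process memory, a memory dump taken while
   the vault is unlocked, and the dump searched for a known field to find
   the plaintext password beside it. */

#define REGION_SIZE 4096

/* Constructed stand-in for a heap region of the browser/extension process. */
static unsigned char region[REGION_SIZE];

/* Hypothetical decrypted record layout: "login\0password\0".
   Returns the number of bytes written, 0 if it does not fit. */
static size_t decrypt_entry_into(unsigned char *dst, size_t cap,
                                 const char *login, const char *password)
{
    size_t ll = strlen(login) + 1, pl = strlen(password) + 1;
    if (ll + pl > cap) return 0;
    memcpy(dst, login, ll);          /* stands in for the real decryption */
    memcpy(dst + ll, password, pl);
    return ll + pl;
}

/* The attacker's step ("hunt through the memory dump"): locate `marker`
   as a whole NUL-terminated field and return the C string that follows it.
   NULL if the marker is not present. */
const char *find_secret_after_marker(const unsigned char *dump, size_t len,
                                     const char *marker)
{
    size_t ml = strlen(marker) + 1;  /* include the NUL so we match a whole field */
    for (size_t i = 0; i + ml < len; i++) {
        if (memcmp(dump + i, marker, ml) == 0)
            return (const char *)(dump + i + ml);
    }
    return NULL;
}

/* The defender's step: overwrite through a volatile pointer so the store
   cannot be optimised away as a dead store before the buffer is released. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Runs the scenario. Returns 1 if the password was recoverable from the
   dump while the entry was live and no longer recoverable after the wipe. */
int demo(void)
{
    const char *login = "user@example.com";            /* constructed sample */
    const char *password = "correct horse battery staple";
    size_t n = decrypt_entry_into(region + 100, REGION_SIZE - 100, login, password);
    if (n == 0) return 0;

    /* "Memory dump": a snapshot of the region while the vault is unlocked. */
    unsigned char dump[REGION_SIZE];
    memcpy(dump, region, REGION_SIZE);
    const char *leaked = find_secret_after_marker(dump, REGION_SIZE, login);
    int found_live = leaked != NULL && strcmp(leaked, password) == 0;

    /* Entry no longer needed: scrub it, then snapshot again. */
    secure_wipe(region + 100, n);
    memcpy(dump, region, REGION_SIZE);
    int found_after = find_secret_after_marker(dump, REGION_SIZE, login) != NULL;

    return found_live && !found_after;
}

int main(void)
{
    puts(demo() ? "plaintext visible while unlocked, gone after wipe"
                : "unexpected result");
    return 0;
}
```

The caveat a practitioner should keep in mind: scrubbing only narrows the window. Anything that is decrypted at the instant the dump is taken, including the vault key while the vault is unlocked, is still exposed, which is why auto-lock timeouts matter as much as buffer hygiene.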
Although this incident is undoubtedly embarrassing for LastPass, I still recommend password management software for all internet users. Keep them updated, and you should find them a heck of a lot safer than trying to remember a secure, unique password yourself for every website you access.
So Graham
What password manager do you recommend/use? I'm currently using RoboForm, but I never see it mentioned in articles like yours which usually mention LastPass, 1Password, and KeePass.
This worries me a little as the lack of mentions of RoboForm implies that it's not that good…
I haven't ever used RoboForm myself, but I've also not heard anything bad about it. :) I would be surprised if it does a less than competent job as it has been around for a long time.
This doesn't seem much different from any other password vault solution. If you get a memory dump with the key in it you can decrypt anything that was in the vault.
Physical access makes plugging in a FireWire or Thunderbolt device to grab memory dumps easy.
About the only thing I could see doing different would be to make auto-lock a default option.