May 10, 2016

The Flaw in LastPass

A person can find almost anything on the internet, which is filled to the brim with hundreds of sites. Each site has something different to offer: Facebook offers social time, YouTube gives you anything to watch, Google is the modern source of knowledge, and Dropbox keeps your files. There are also sites officially owned by your company and the organizations you belong to.

In practice, there are people who are eager to try all of them, and having so many accounts to manage comes with drawbacks. It may be the time you allot to each account (surely you will have a favorite) or the list of passwords you will likely forget unless you are wise enough to take notes of all your logins. Besides, using the same password on all your accounts is a big compromise of your security.

A password manager is an application that helps a user store multiple logins and put them to immediate use. It records the username and password used on a particular site, so that whenever you log in through the app, you don't have to type out everything. Life gets easier, doesn't it?

Of all the password managers, LastPass is the most popular. It is the easiest app for storing passwords, letting you edit and audit them after an account has been hacked. It also uses two-factor authentication for certain features, for your convenience and security. Free to download, LastPass supports various operating systems and has plugins for different browsers.

However, one aspect seemed to have been overlooked. Sean Cassidy, who works at a cybersecurity firm, found that it is prone to phishing attacks. With a pun, he named the phishing attack LostPass.

LostPass happens when an attacker deceives users into thinking they have been signed out of the platform and leads them to a fake LastPass login page. The master password is recorded, putting all the other passwords in danger. The attacker then sends the users a notification that the password is invalid and asks for their 2FA (two-factor authentication) codes. The moment the users enter their 2FA codes, they're doomed.

It is rather relieving that LostPass has not yet been seen in the wild, and Cassidy's research has given LastPass the awareness and the time to improve their UX and system to avoid a big fiasco. Although LastPass has now employed email confirmation for every password, it is still not enough. On the bright side, the issue is continuously being addressed.
