Geekzone: technology news, blogs, forums (2020-09-06)
Forums > Desktop computing > LastPass lax browser security settings


#275727 6-Sep-2020 18:27
I’m under pressure to change to a more user-friendly password manager from my favourite of many years, KeePass, so I’m trialling LastPass as it seems to be in the top five of most reviews.
It concerns me that the default browser settings are pretty lax and leave local security open to abuse, and it makes me wonder if there are other things I should know about. Using the Windows 10 environment; not an issue in Android as it works through the app. Don't know about iOS.
My issue:
By default, the LastPass browser extension allows the LastPass user to always be logged in and active when the browser is closed and then restarted.
Even if you shut down and restart the computer, LastPass is active and ready to go. Yes, I can change this to be more secure, but with limitations. And yes, this is only an issue if I leave my logged-in computer unattended and a shifty character comes along, and yes, I can log out of LastPass, but I cannot control others. But as a password manager, shouldn’t it be more secure than this? I don’t really think this is a case of Tin Hats; this is supposed to be a secure password manager after all.
Details.
  1. There is no global control of this setting in the account settings; it needs to be changed in each browser extension. We only have 3 household computers, with an average of three browsers each; others will have more. Hmm.
  2. LastPass browser extension options are not password protected (I don’t even know if this is possible), so even if you set the extension to log out of LastPass when you close the browser, Mr Shifty can always change this option if they happen to use your PC. You don’t even need to be logged into LastPass to change the extension settings.
  3. In the global account advanced settings, you can fine-control when you are prompted for the master password, but invoking any of these means you basically need to re-enter your master password all the time, making things pretty unworkable. Fortunately, as far as I can see, the master password is required to implement any of these changes – I see even versions from last year had this as an option, not mandatory.
  4. This has been around a while, e.g. a post starting in 2016: https://forums.lastpass.com/viewtopic.php?f=12&t=230475&hilit=browser+extension&start=10
As it stands, it could work in my environment, but given the above it has little to offer over KeePass on the desktop. Can't say I'd recommend it to many of my friends.

Webhead
  #2558025 6-Sep-2020 18:33
You might want to check out 1Password, it does not behave the same way you describe LastPass does.

  #2558029 6-Sep-2020 19:30
Swapped out LastPass for Dashlane at the beginning of the year and am happy. LastPass was getting more annoying to use and they didn't seem very quick to update and improve their software.

  #2558039 6-Sep-2020 19:50
Why are you no longer using KeePass?

BDFL - Memuneh
  #2558043 6-Sep-2020 20:06
MartinGZ:
By default, the LastPass browser extension allows the LastPass user to always be logged in and active when the browser is closed and then restarted.
This is not the default. If you check the box to keep it logged in, LastPass will actually show you a notice saying this is bad and asking for confirmation.