Misleading article. This isn't a flaw with LastPass... it's people being idiots and falling for phishing attacks. Every single service has this "flaw" if you want to call it that.
If I am reading right, this is just a script that a website would install and then fake a LastPass message while having you enter in your information. I dunno about you but I have my LastPass set up in a way that if a random website asked for my password, and especially my auth codes, I'd immediately know something is up and leave the site. There's zero reason I would need to enter in any of that information when browsing the web.
Originally Posted by Shaded War
I had someone tell me LastPass was so great and I should use it, but I didn't buy into it. The whole idea of it seems idiotic. May as well just use the same password for every single website while you're at it because once they can figure out or hack your LastPass, they have everything anyway.
Sorry, but no.... Using the same PW for every website is the worst thing you could possibly do. The only thing worse would basically be just giving your PWs out to random strangers.
If you use LastPass without ANY form of secondary authentication, then you have a point, but no one with common sense is going to do that. There are 4-5 authentication layers you can add to your account, and even the free ones are good enough to stop someone even if they have your password.
It's extremely rare for a civilian to get "hacked"; they'd most likely need to piss someone off pretty bad. People who claim they got hacked 99.9% of the time got a virus, and/or phished. There's no difference here, nothing can save you from user error.
Originally Posted by randomizer
FWIW, LastPass was hacked in 2015. The attackers gained access to email addresses and encrypted master passwords. Only the email addresses are of any real use.
Everything was heavily encrypted and last I heard the master passwords were not taken but they suggested a PW change anyway. All LastPass owners were immediately notified of the breach.
Even if there was a full breach and the hacker managed to do the near-impossible and break the encryption, any user with authentication is still 100% protected even without a password change. The others should have changed their PWs after the breach, which would be months (or years) before the encryption would be broken.
Edited by Murlocke - 1/20/16 at 12:52pm