Alert – A Popular Password Manager Has Serious Security Flaw Right Now


A password manager company announced that there is a vulnerability that could allow attackers to gather stored passwords.

Password managers are very helpful since they make it so convenient to be secure, and can greatly simplify and speed up the login process at websites. Many people feel password managers are worth the risks, especially when the risks can be minimized as summarized below:

First, as you can see, there is no guarantee that password managers are perfect. Never store super-sensitive passwords into your password manager. Store them in your head.

Second, enable two-step verification on all websites. Then, if an unauthorized person obtains your password, they will have a difficult time logging in, if they cannot perform the second step.

Third, one of the ways to launch the exploit involves tricking the user into clicking a link, such as a link in an email message, or getting a script to run on a web page as the user visits the page. Using click-to-play can greatly minimize those risks.

To learn more about the first two, see last week’s newsletter posted at www.fosterinstitute dot com/blog/your-iphone-and-ipad-are-in-danger. Never mind the title; the content addresses the first two steps listed above even if you use Windows or Android.

As for the third point, we’ll cover click-to-play next week, or you can simply google those terms and get started right away.

The announcement came from LastPass, and don’t panic if you use it. LastPass says the exploit is very difficult for an attacker to use, but not impossible. Resetting your passwords is not going to help, yet. Only after LastPass develops a patch, and then only when LastPass on your computers are patched. LastPass said this only affects users using the LastPass extension in Chrome, but that researchers have used the exploit in other browsers too. Email us if you want more technical details.

Please forward this to anyone you know who may use a password manager or lets their browsers remember their passwords.


Leave a Reply