While I was on vacation a few weeks ago, I observed my brother-in-law helping his mom with her new smartphone. He recommended that she password-protect it, and he began to explain why before she interrupted him. “Another password?” she grumbled. “How am I supposed to remember another password?”
From my seat across the room, I held back a chuckle. It is a complaint I hear all the time regarding passwords – how are we supposed to remember all the unique passwords we set up? One of the pieces of advice on how to do that is to sign up for a site like LastPass, which stores all of your passwords so you only need to remember one – your LastPass password – to access that site.
I admit, I never jumped on that bandwagon because saving passwords on a website seemed like a security risk to me. Anything that deals with website and software is always at risk, right? It turned out that LastPass v2.0.20 has a vulnerability when used in the IE browser. According to HelpNet:
The bug . . . makes the passwords that LastPass automatically fills into the fields in IE also be stored in plaintext into the computer memory, which ultimately allows them to be extracted via a memory dump.
PC Magazine explained how it became aware of the problem from one of its readers:
Our reader informed us that when he performed a memory dump on Windows IE, he was able to retrieve stored LastPass passwords in plaintext. It seems that when the password manager autofills fields in IE, the unencrypted passwords remain accessible in memory. Passwords from previous sessions do not appear to be affected, as quitting IE cleans up the memory. Additionally, passwords which have not been used to autofill fields remain encrypted and cannot be retrieved using this vulnerability.
LastPass has released a patch for the vulnerability and it is recommended that IE users apply the patch as soon as possible.
I applaud LastPass for quickly taking care of the problem in order to provide better security for its users. Some security experts say that this vulnerability should not deter users from utilizing password managers like LastPass. I’m still not sold on whether saving passwords through a program like this is the most secure way to keep track of them. But then, it does beat keeping them written down on a sticky note attached to your computer.