I always assumed that the option only determined whether or not they were given the ability to click and view the password in the LastPass UI. I'm going to seriously reconsider using lastpass ever again. I agree with the rest of the commenters that sharing a password with someone and expecting it to remain secret is a bit foolish, but the problem I described here is a HUGE vulnerability.

The problem is that you can replace steps #5 and #6 with (in chrome):

Ħ) $('input').setAttribute('type', 'text')

And now your password is sitting there in plaintext without ever requiring your master password, despite telling lastpass to require your master password for any password access.

Once again, exactly as you'd expect, and seems to require the master password before revealing anything. The problem here is that this would appear to be completely false as the article points out.

Another way to get the password in lastpass:

Ĥ) Click the eye icon to show your password

This clearly involves your master password before doing anything that would seem to reveal your individual website password.

Here is how the process goes for logging into a website with these settings:

Ĥ) Lastpass fills in your password on the website and logs you in

Having your password saved on lastpass just lets you view your list of passwords, as long as you have it set to require the master password before accessing an individual password. Lastpass has a bunch of fine grained access controls for when the password needs to be entered. I do the exact same thing STRML with my lastpass vault.