LastPass, the popular password manager service, is coming under some scrutiny in the wake of a hacker’s claims that he has found a way to overcome its major security processes.
The hacker in question is Sean Cassidy, Praesidio’s CTO, who spoke about his method, which he calls “LostPass”, at the ShmooCon hacker conference. Essentially, his method boils down to developing software that mimics the LastPass login overlay that pops up prompting a user to enter her master password, and even her second authentication factor, if that extra layer is enabled. The hacker would then gain access to the user’s main repository of password information.
It isn’t a perfect scheme, though. The LostPass method requires a user to visit a malicious or infected site, and it isn’t clear that it could actually capture the user’s second authentication factor if the user has opted for a fingerprint scan. Meanwhile, LastPass has been highlighting solutions to this issue, and working on more. For example, the platform sends out an email verification when a user tries to access LastPass from an unknown IP address, which should help prevent a hacker from gaining access from a remote location, provided the user has a strong password—and, better still, two-factor authentication—for email. The company also advises users to always log in via their LastPass browser extension, as the LostPass hack will suggest they have been logged out of LastPass when they haven’t.
Going forward, the implementation of even more sophisticated security measures like multimodal biometric authentication could act as a further bulwark against this kind of attack. For now, though, the digital security battle rages on.