Tuesday, January 19, 2016
LostPass attack reveals LastPass 2FA phishing weakness
Over the weekend of 16-17 January 2016, LastPass was back in the news courtesy of yet another weakness, this time demonstrated by the LostPass attack. Nothing has been compromised, apart from maybe the good name of LastPass, as every potential weak spot that is shown to be exploitable whittles away at user trust in the product. A security researcher has shown how the LostPass attack could bypass LastPass logins even with 2FA enabled.

Passwords suck. Consumer and small business password vaults and management tools make them a lot less sucky. Until your password manager gets compromised, and then we move firmly into ‘elephants through a straw’ sucking territory. LastPass is probably the best known and largest of the password managers out there. Recently acquired by LogMeIn for $125 million, leading to no small amount of user hostility in the usual social media circles, LastPass knows all about the compromise risk.