6 Matching Annotations
  1. Jun 2019
  2. Apr 2019
    1. LastPass has always been stressing that they cannot access your passwords, so keeping them on their servers is safe. This statement has been proven wrong several times already, and the improvements so far aren’t substantial enough to make it right. LastPass design offers too many loopholes which could be exploited by a malicious server. So far they didn’t make a serious effort to make the extension’s user interface self-contained, meaning that they keep asking you to trust their web server whenever you use LastPass.
    2. Some of these actions will prompt you to re-enter your master password. That’s merely security theater

      "Security theater". I dig that term.

    3. LastPass is run by LogMeIn, Inc. which is based in the United States. So let’s say the NSA knocks on their door: “Hey, we need your data on XYZ so we can check their terrorism connections!” As we know by now, the NSA does these things and it happens to random people as well, despite not having any ties to terrorism. LastPass data on the server is worthless on its own, but the NSA might be able to pressure the company into sending a breach notification to this user.
    4. In particular, the decision to fall back to server-provided pages for parts of the LastPass browser extension functionality is highly problematic.
    5. Should you be concerned about LastPass uploading your passwords to its server?

      TL;DR: Yes, very much.