Post by Mylastpassword7 » Thu Dec 20, 2018 5:40 pm

I'm a long-time user of another password manager. As the new IT Manager for a small company, I thought it would be beneficial to move our employees in that direction and landed on LastPass as now being the best solution from a features/security/price perspective. That was until I started testing the browser extension and noticed that there is no way to restrict access to the vault. This is a HUGE problem.

I've tried to look at every possible option in the actual extension and I've tried my best to search for a solution on the forums with no success. I'm posting here mainly because I'm assuming that such a gaping security hole can be controlled in some manner that I'm just not finding.

Note that I have already seen the somewhat older posts proposing the solution of "set LastPass to auto-logout when your browser is idle or closed". That is at best a very poor workaround and here's why. Users use LastPass for security and in some aspects convenience. The security seems obvious (i.e. no more spreadsheets full of logins, post-it notes under the keyboard, etc.) and the convenience seems obvious (i.e. instead of having to remember or look up credentials now you can just click the icon and auto-fill your information for a login). So far so good.

The problem comes in when you step away from your computer. In general the best practice is to lock your workstation whenever you leave (and most organizations have Group Policies that do that automatically after 10 or 15 minutes as well). But even if you're very good with that, no one I know of consistently does that for quick, couple-of-minute things (e.g. run a form down the hall for a coworker to sign, a short consultation with a coworker on the other side of the cube, a fast bathroom break, etc.).

If the vault is locked down with a password, really the worst thing that someone can do with physical access to the workstation is very quickly access a particular website while the person is gone and maybe see some information they shouldn't. Bad...but not catastrophic. If the vault is freely accessible though---as it appears to be in the LastPass browser extension---that bad actor can then actually CAPTURE CREDENTIALS, go back to their own workstation and, at their pleasure and for as long as they want, access that protected site since they now know the specific Username & Password for the site. That's catastrophic.

For the suggestion to "set LastPass to auto-logout when your browser is idle or closed" to be effective for the kind of quick, couple-of-minute things mentioned above, the timeout would have to be as short as a minute or two in order to provide any real protection in those cases. And then of course using the tool becomes a major pain since you'll end up having to log back in dozens and dozens and dozens of times throughout the day. And "just close your browser before you leave" isn't always a good solution since there are multiple valid reasons why someone would need to keep some things open while stepping away for a quick minute.

So, after all of that, my questions are:
* Is there really no way to lock down the Vault?
* Is the official "solution" still "set LastPass to auto-logout when your browser is idle or closed"?
* Is that really how LastPass is going to leave things---despite the numerous concerns expressed by so many?

I sure hope not. That's probably going to be a deal breaker for our organization if that's the case. I'd appreciate any solutions to the issue! Thanks.
