LastPass opens WITHOUT login!

Have questions about LastPass, or having problems using it? Ask for help here!

Moderators: admin, Israel, anatoly_LP, chantieLP, robyn, JoeSiegrist

LastPass opens WITHOUT login!

Postby Chubbles » Sun Nov 10, 2019 12:17 pm

On my Mac if I quit Lastpass when I put my computer to sleep ,when I come back the next day my lastPass vault is open. :o . If I don't Quit LastPass the master password is required to open the vault. Does the vault truly close?
Chubbles
 
Posts: 7
Joined: Mon Apr 20, 2015 5:04 pm

Re: LastPass opens WITHOUT login!

Postby browner87 » Mon Nov 11, 2019 12:10 am

I don't think LastPass ever encrypts your passwords before storing them, except server side. The same thing happens on Android. If you setup a password/pin/biometric vault unlock and tell it not to remember your master password, then reboot your phone, LastPass will open without any form of authentication and let you at all your passwords. I like to think that the server side portion of LastPass is kind of secure, but I've lost all faith in the security of their apps :c
browner87
 
Posts: 2
Joined: Wed Jul 27, 2016 5:02 pm

Re: LastPass opens WITHOUT login!

Postby jpenny84 » Mon Nov 11, 2019 11:42 am

Your session stays active unless you log out or set an idle timeout in your LastPass preferences. The idle timeout must be shorter than any hibernation or sleep settings on the computer.
jpenny84
 
Posts: 8793
Joined: Tue Mar 06, 2012 9:10 pm

Re: LastPass opens WITHOUT login!

Postby Chubbles » Mon Nov 11, 2019 2:33 pm

Hay folks,
Thanks for the replies. I have determined that if I log out under the browser extension, then quit, the vault does not open on it's own. If I log out under the status menu the vault automatically opens when I wake the computer! I have the idle timeout set at 30 minutes.
Still leaves us with the question does the vault truly close.
chubbles
Chubbles
 
Posts: 7
Joined: Mon Apr 20, 2015 5:04 pm

Re: LastPass opens WITHOUT login!

Postby FlyingHawk » Wed Nov 13, 2019 12:58 pm

browner87 Wrote:I don't think LastPass ever encrypts your passwords before storing them, except server side. The same thing happens on Android. If you setup a password/pin/biometric vault unlock and tell it not to remember your master password, then reboot your phone, LastPass will open without any form of authentication and let you at all your passwords. I like to think that the server side portion of LastPass is kind of secure, but I've lost all faith in the security of their apps :c

Your passwords are always encrypted when they're saved to disks.
On desktop, there's a complex mechanism that allows you seamless access but still encrypts everything.
See more info here:
https://www.reddit.com/r/Lastpass/comme ... _sessions/

On mobile, again, passwords are always encrypted on disk. But your vault key is stored in Keystore/Keychain, whose security is hardware-backed.
More info here: https://source.android.com/security/keystore
What it means is that your vault key's security is delegated to your phone's system security, i.e. you're secure as long as no one can break your screenlock.
FlyingHawk
 
Posts: 822
Joined: Wed Mar 18, 2015 12:04 pm


Return to General Support & Troubleshooting

Who is online

Users browsing this forum: Google [Bot], MSN [Bot] and 66 guests