Firefox suddenly was claiming my master password was false and telling me I needed to log in again by typing my master password. I hadn't changed my password and this was before LastPass' recent security breach. It seemed to me this is how someone could attack LastPass, cause the client app to demand the password be typed again after having installed a keylogger. I contacted LastPass about my concerns and received a very nonchalant reply from LastPass.
Here's my communication with them. Read from the bottom up.
You This really pisses me off that your customer service tech had such a blasé attitude about concern about security some time back and now here you guys are with egg on your face.
Maybe you could teach your own customer service people a little bit about having the right attitude towards your users' security concerns.
You KNOW this is going to affect your public reputation and your business.
This is from your own email to your customers:
Dear LastPass User,
On May 3rd, we discovered suspicious network activity on the LastPass internal network. After investigating, we determined that it was possible that a limited amount of data was accessed. All LastPass accounts were quickly locked down, preventing access from unknown locations. We then announced our findings and course of action on our blog and spoke with the media.
As you know, LastPass does not have access to your master password or your confidential data. To further secure your account, LastPass now requires you to verify your identity when logging in. You will be prompted to validate your email if you try to log in from a new location. This prompt will continue to appear until you change your master password or indicate that you are comfortable with the strength of your master password.
Please visit https://lastpass.com/status for more information.
The LastPass Team
Israel Ticket CLOSED
You http://www.theregister.co.uk/2011/05/05 ... ord_reset/
Still want to keep your head in the sand about security and act like I don't understand security? The cavalier attitude of your customer service specialist is why I cancelled my premium account on the 7th of April.
Start treating your customers' questions about security with a more reasonable attitude or you'll have more people defecting.
LastPass' strong suit is security, not ease of use. There's plenty of other apps that take care of ease of use. My browser can remember my passwords. If you screw up in the area of security people will defect in droves.
You Oh, OK. If my box is owned then it's owned so you guys don't have to think about security. OK.
Israel If your box is owned, it's owned. There's no security in the software in the world that will protect you once that's happened, it's too late.
Are you blocking cookies in Firefox?
You Amber, I think you don't understand. It's not that the session logs out and I have to log back in. I see that often. It's that suddenly Firefox was saying the saved master password is invalid. So I'm having to retype the master password. I didn't change the master password, so why is LastPass for Firefox saying the master password is not valid? So I have to retype the master password. If I had a key logger installed, that would be a security risk. If a black hat was to find a way to install something that a) corrupted the LastPass stored master password and b) installed a key logger, then all he'd have to do is wait till LastPass rejected the corrupted stored master password and the key logger grabs it when it's reentered. That sounds like probably the easiest attack vector against LastPass. Think about it.
Amber By default LastPass will keep you logged in, but if something ends your LastPass session (you logged off, or have one of your autologoff settings enabled, or you clear cookies or browser history when you close your browser) then you'll be prompted to enter your Master Password the next time you open Firefox. It's very unlikely to be a security risk.
You Uninstalling and reinstalling kept the problem. So I just put the password in and it's OK. But I'm uncomfortable that it asked me for the password with no apparent reason.
You It is only Firefox which is experiencing this issue. Safari's LastPass and Chrome's LastPass are logging in just fine.
I'll reinstall in Firefox and let you know if it's fixed up.
Just putting the password in Firefox might fix it up. I'm just wondering why it's suddenly asking for it. It seems like that would be how an attack against LastPass would appear. Someone would cause you to reenter your master password so they can get your password with a keylogger. Then they'd have all your passwords.
If LastPass ever gets hacked it's going to be really ugly since people are going to lose all their passwords in one fell swoop.
Amber Hi Greg,
Have you tried logging in both via the plugin and the website at https://lastpass.com/? Does your password work in any of your browsers? If it seems to be isolated to Firefox, try reinstalling: https://lastpass.com/dl and log in again.
You I haven't changed my LastPass password in a long time. I have LastPass remember my master password. Now suddenly today Firefox says my password is not valid. Safari and Chrome are still good. So why would Firefox suddenly get all funny and not remember my password?