Conclusion - use online password databases with caution
The bottom line is that this type of product is now coming under greater scrutiny than it would have done in the recent past. Users need to configure it with great care and not simply assume that the basic security settings will suffice. LastPass, meanwhile, needs to take more seriously its committment to third-party security review in the way it promised to when Computerworld spoke to the company at the time of tis takeover by LogMeIn last October.
- Different browsers update plug-ins at slightly different speeds. Officially, FireFox runs a check every 24 hours, Chrome more often still. In theory, if a stable fix is available for a security hole, it should update quickly. But the only sure way to know is to check the plug-inversion number. Oddly, we encountered one Firefox install where the LastPass 4.x installation appeared to be two months out of date while reporting that no update was available. This is probably an issue with the browser itself but it underlines the need to check.
- It doesn't appear to make any difference to security whether users run version 3.x or the more recent 4.x but differences in the way they work can result in distinct vulnerabilities.
- The need to use multi-factor authentication has never been more pressing, preferably implemented using a hardware token. This is not a magic shield but increases security markedly. This means paying for the Premium version but at $12 it is surely the only responsible way to use such a critical piece of software. We would not recommend using LastPass or any online password store without this security. The risk is not only high but could be worse than using no store at all.
- As far as we can tell all of the above will apply to LastPass Enterprise users who will, presumably, mostly be using version 3.0.
Sign up for Computerworld eNewsletters.