Tavis Ormandy, a security researcher, may have got a little too excited when he posted on Twitter about vulnerabilities in the LastPass password manager without giving any specific details. There were immediate responses and admonishments. Since then there has been debate as to whether he did right to use Twitter rather than disclosing the problems to LastPass directly.
Gunter Ollmann, CSO of Vectra Networks, commented that though a public warning might be useful at times, it might also cause unwarranted fear among users and draw attackers to these products before the vendor can respond or act. But if the product is really bad, then it might be a warranted move, so that users are forewarned and can stop using it altogether.
Ryan O’Leary, VP of the Threat Research Center at WhiteHat Security, also ultimately agreed with Ormandy, since users were warned and could change their passwords before getting into trouble. Quite frankly, responsible disclosure is a tricky thing!
LastPass Quickly Fixed The Flaws
But having said all this, it should also be appreciated that LastPass quickly fixed the flaws. They verified the flaws with the security researchers and fixed the issue. They do, however, recommend that all users update LastPass in their browsers. They also added that the problem might have affected only Firefox users.
After this episode, it has again become a debatable question whether password managers are really safe. Frankly, it is agreed that password managers will always be targets for threats, but what matters is that fixes are made quickly. Yes, a password manager is a good choice for users who tend to reuse the same weak passwords over and over again. But it is also considered a grave threat when all your passwords can be stolen in one go by fairly standard malware with keylogging capabilities.
Any technological advancement comes with risks. It is entirely up to users to judge the cost-benefit and risk trade-offs for themselves.