In a December 22 blog post about the “security incident,” LastPass representatives noted that the person behind the breach obtained “unencrypted data, such as website URLs.” Leaving the URLs without encryption wasn’t an accident; it was a policy decision. But there was no need to capture and analyze data streams, as LastPass freely admits that it transmits this information without encryption. One report points out that these URLs could include password reset tokens or username/password pairs.

Why Doesn’t LastPass Encrypt the Sites I Visit?

A policy causing alarm in the online security community is the discovery that LastPass stores unencrypted website links in credential vaults along with your encrypted credentials. After all, using a password manager is all about trust.

But due to a recent breach, poor handling of communication about it, and questionable policies, LastPass is on the verge of losing that trust. But do they follow those protocols? We trust they do, because any failure would eventually be exposed, causing major damage to the company’s reputation. There are known and proven protocols for password manager companies to handle your data and verify your master password without ever getting access to your data.