I attended an information security meeting today and was surprised to find that many of the colleagues there didn’t rate LastPass as a password manager. There wasn’t time to find out the full details, but I did some reading and I think I have identified both a weakness and a way to mitigate it.
The weakness is that LastPass is happy to fill in login details for you automatically. That is highly convenient unless you happen to visit a site that can’t be trusted (say one of those pages asking you to check a few details before giving you free WiFi access) and that silently opens further pages in the background… LastPass obediently fills in the login details on those pages, and a bit of JavaScript harvests the results and feeds them to a malicious server.
The mitigation is to turn that feature off – check under the preferences. It means a little more work logging into each site you visit (though not as much as having to remember a secure password for each one and type the whole lot in without clumsy fingers making mistakes), and I think it avoids the problem of LastPass being so ‘clever’ in its attempts to be helpful that it ends up being very dumb.
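Turning autofill off is the user’s side of the fix. The site being logged into can also refuse to play along with the scenario above, where its login page is loaded hidden in the background so that an extension fills it in unseen. The snippet below is an added example written for this post, not LastPass code or anything from the original article: it keeps the password field disabled unless the document is a visible, top-level page served from the expected origin. `EXPECTED_ORIGIN` is an assumed placeholder value, and the decision is kept in a pure function (`assessLoginContext`) so it can be exercised outside a browser.

```javascript
// Added example (not from the original post): a login page that will not
// expose its password field while it is framed, hidden, or served from an
// unexpected origin. These are the conditions under which the background
// autofill described in the post would otherwise go unnoticed by the user.

const EXPECTED_ORIGIN = "https://login.example.test"; // assumed value for this example

/**
 * Decide whether the login form should be usable in the current document.
 * @param {object}  env                  facts about the current document
 * @param {boolean} env.isTopLevel       true when window.top === window.self
 * @param {string}  env.visibilityState  document.visibilityState ("visible" or "hidden")
 * @param {string}  env.origin           window.location.origin
 * @returns {{allowed: boolean, reason: string}}
 */
function assessLoginContext(env) {
  if (env.origin !== EXPECTED_ORIGIN) {
    // The page is not being served from where it should be (e.g. a look-alike host).
    return { allowed: false, reason: "unexpected-origin" };
  }
  if (!env.isTopLevel) {
    // Loaded inside an iframe: the surrounding page, not the user, controls what is shown.
    return { allowed: false, reason: "framed" };
  }
  if (env.visibilityState !== "visible") {
    // Background tab or hidden window: the user cannot see a form being filled in.
    return { allowed: false, reason: "hidden" };
  }
  return { allowed: true, reason: "ok" };
}

// Wire the decision to the DOM: disable the password field until the context
// checks out, and re-evaluate whenever the page's visibility changes.
function armLoginForm(doc, win) {
  const field = doc.querySelector('input[type="password"]');
  if (!field) return;
  const update = () => {
    const verdict = assessLoginContext({
      isTopLevel: win.top === win.self,
      visibilityState: doc.visibilityState,
      origin: win.location.origin,
    });
    field.disabled = !verdict.allowed;
    field.dataset.guard = verdict.reason; // handy when inspecting why the field is locked
  };
  doc.addEventListener("visibilitychange", update);
  update();
}

// Only touch the DOM when running in a browser; the pure function above is
// what a unit test exercises.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  armLoginForm(document, window);
}
```

Two caveats a practitioner would want: a server-sent `Content-Security-Policy: frame-ancestors 'none'` header stops the framing case before any script runs and is the stronger control, and a disabled field does not help against a visible pop-up window the user simply fails to notice. The check above is defence in depth for the site operator; the user-side setting described in the post is still the primary mitigation.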