Tavis Ormandy is either the first, or the last person on the planet you ever want to get an email from, depending on your point of view. As Google’s best, most prolific bug-hunter, he’s constantly on the prowl for security flaws that could be exploited by hackers that could put your data at risk. Recently, he found a pair of big ones.
LastPass is one of a number of companies that offer a password vault service. The idea is that because people have so many passwords, it’s hard to remember which one goes where.
The password vault means that you don’t have to. You store each of your passwords in one secure location. Then, they’re recalled from the vault automatically, when and as needed. That’s great in theory, and most digital security professionals recommend their use, but they do come with one glaring weakness.
Your password vault is only as secure as the company protecting it. If there are any bugs or flaws in the vault’s design, then any password you put into it is at risk if the hackers breach the vault. Since people tend to store all their passwords in the same vault, they essentially have the “all your eggs in one basket” problem.
Unfortunately, in recent months, there have been a whole string of vulnerabilities found in LastPass’ system. This has led to disgruntled users venting their frustrations on Twitter, wondering just how seriously the company takes digital security.
Just this past week, Ormandy himself identified two potentially devastating security flaws, one impacting people who use the Google Chrome web browser, and another that impacted FireFox users. In both cases, within hours of sending his report, the company responded and closed the security gaps that were discovered. However, the recent spike in discovered flaws is certainly disturbing to those who rely on the service to safeguard their passwords.