If you use any kind of password manager, you likely trust that app quite intimately. Using it, you likely feel a bit safer from phishing attacks than users who enter their passwords on a per-site basis. If you stumble across a fake Facebook login page, LastPass, for example, won’t do its thing. The popular password manager app, however, is not invincible. No password manager is. As demonstrated by security expert Sean Cassidy at the recent ShmooCon security meetup, users of password managers should be mindful as well. Perhaps the caveat would apply even more to password manager users; If somebody loses one password to a phishing attack, their trouble is with that particular service. If somebody is duped into entering their details for a fake LastPass pop up window, as shown in the main image, every password they have falls into the wrong hands. Essentially, their digital life is now somebody else’s to control until they can take serious steps to wrestle control back.
Using what he called LostPass, Cassidy presented a fake LastPass popup window that looked remarkably similar to the real thing. Because LastPass uses a master password that a user must enter each time they access a site that requires LastPass to enter their password for them, getting that one password could expose a user’s entire digital fingerprint, so to speak. Using a similar setup, a phishing attack could dupe a user into entering their details and feed them to an outside source. Next thing they know, their bank account could be dry and their Facebook account could be posting scams from all over the web.
LastPass representatives were quick to point out, of course, that this is not a vulnerability with LastPass in particular. Phishing attacks in similar and various forms have been around for a very long time. Cassidy was emphasizing, instead, how easy it would be for a user’s entire password book to fall into the wrong hands. It is always best practice to exercise caution on the web, but password manager users in particular should be careful. If you use a password manager, memorize the login screen very carefully and keep a picture for reference if needed. If any details are off, including the URL if applicable, you should report the page in question to the password manager app’s developers at once.