The code, tech, and mindset behind LastPass is a joke. They started just after the “dark ages” of security but don’t seem to have upgraded their mental model of security since. I’ll share with you the moment I discovered something that made me cancel my schedule for the day, research alternatives, write a LastPass to 1Password converter [0], and cancel my LastPass account and subscription.

Are you ready?

You log in to their support forums and online community with the same password you decrypt your vault with.

[0]: https://neosmart.net/blog/2017/a-free-lastpass-to-1password-conversion-utility/

EDIT:

To answer some of the comments, since understandably not everyone is a security expert:

What happens if LastPass’s web forum is compromised and all their additional security counts for nothing?

Even if not: you have no problem with people being conditioned to enter the password securing all their passwords repeatedly into random pages for random content not related in any way, shape, or form to their vault in a web browser?

Containment is the name of the game. It’s hard enough making one app secure enough to enter your password into. Then extending that with an SSO, relying on the security of none other than notoriously crappy phpBB, vulnerable to upstream code injections, XSS, phishing attacks, and god knows what else, and you still think you can trust them to keep your master password secure?

LastPass is such a juicy target and this is such an easy attack vector that I can virtually guarantee at some point phpBB - or, more accurately, their abuse of it - will be a massive liability and the source of a huge catastrophe for them, if it hasn’t secretly already.

Of course they know to treat changes to their authentication apps very carefully and code review each and every syllable added or removed (well, I hope so). But do they review upstream patches to the forum software they use? What about the third-party template they have installed? Do they hold off on patches after a security bug is discovered in phpBB so they can review the code changes? Do they even upgrade their forums? What about a vulnerability in PHP itself? Do they secure the server hosting their authentication apps in the same manner as the server hosting their forums? Do their web developers undergo the same background checks and scrutiny their core developers undergo? How many sysadmins have access to the website? Do they provide the same access monitoring to people managing an ancillary feature like their forum software?

The list just goes on forever. You’re as secure as the weakest link. All anyone that wants to break into LastPass has to do is get some code into phpBB or the random phpBB themes and plugins they use, and it’s game over for millions of LP users and billions of credentials worldwide.

See the problem?