By default the browser plugin is configured in such a way that 2FA is completely bypassed for a second when logging in. This is officially documented, so we can likely assume that it will never be fixed.
This isn't a bug; it's due to the offline access option. If your machine has the database locally cached, 2FA won't do anything because your database won't be encrypted with 2FA (not possible), just with your master password. An attacker could just copy the cached database and decrypt it with your master password. All 2FA does is restrict who can download your database (both initial and updates), not decrypt it. If you don't like this behavior, disable offline mode.
Boo hoo. Did I say it's a bug? I said it's a security issue. It's also an exceptionally stupid thing to have as standard behavior without warning. It demonstrates poor priorities and ideas about safety on the part of LastPass.
This "second" became very noticeable to me once I moved to Sydney. I was actually able to log in to my Gmail before my 2FA kicked in. Right then I decided that, despite being a loyal LastPass user for the last 10+ years, it was time to try something else.
I would prefer a tool that works for teams if anyone has suggestions.
I care about how my team manages and shares their passwords. Looking for something that works across devices, and where I can share access but not necessarily share the actual passwords if I can avoid it. I really like LastPass, it's a shame about some of their issues.
I'm not an expert and I haven't tried this, but I would think you could use the pass tool and encrypt the files to multiple GPG keys, and share those files using a git server which you control. That sounds like a rather easy homebrew password manager that supports shared logins, I would think.
Disclosure: happy user of pass, but haven't tried encrypting to multiple identities.
Writing good security software is difficult, but that doesn't stop places that really shouldn't be doing it from trying and succeeding in a business sense. https://thycotic.com/products/secret-server/ passes JSON in URLs, and we're not even talking base64 here. Also, it's called "thycotic", like you're holding your tongue and saying "psychotic". There are more problems that I won't go into.
Well. Not to defend LP, but for those who don't click through, offline mode can (and should be?) disabled.
Perhaps this is a case where a feature that makes some sense in some cases was added; the problem is that outside that scope it's a really bad idea. But then someone said "We'll make it optional..." and the rest was history?
I wouldn't agree that it necessarily should be disabled. Sometimes I'm on my computer with no internet access... If offline access is disabled, I have no access to passwords for locally installed applications.
https://lastpass.com/support.php?cmd=showfaq&id=2775