In this article I want to show you a very simple method by which any LastPass user (no special know-how required) can reveal LastPass’ “hidden” passwords if they are shared with them. I will also explain why I believe that the whole “hide shared passwords” feature in LastPass isn’t a good feature to have in the first place, as it implies security where there is actually none (other than security by obscurity).
This is not really news, as it was discussed more than three years ago, and LastPass even acknowledged the issue in their “Security FAQs”. That’s why I am even more surprised that it hasn’t been fixed yet! Until they read an article like this one, most end users will probably still consider the “hide password” feature to be secure.
That said, I still am a confident LastPass user and LastPass Enterprise advocate in my organization. I am certain that using strong and unique passwords and managing them in a secure fashion with a password manager is way better than reusing weak passwords. I totally agree with Jessy Irwin’s standpoint in this InfoWorld article, and it also summarizes my own standpoint on the recent discussions about password managers relatively well.
Important note: LastPass’ core functionality and security concept is not affected by this spotlighted issue!
LastPass offers users a feature to share site passwords with other LastPass users. One of the many use cases would be sharing a Netflix account with other family members. So far, so good – makes sense.
Optionally, the sharer can decide to “Allow recipients to view passwords”. By default (meaning that the checkbox isn’t marked), LastPass implies that a shared password is “hidden” from the recipient, in the sense that they are supposed to be able to log in with it but are not able to see what the password actually is.
To be very precise, this is how LastPass officially describes the feature in their FAQs:
What does “Allow recipients to view passwords” do when sharing a single site?
Checkmarking “Allow recipients to view passwords” will let the recipient of the shared site view the username and password of that site entry, as well as any other data included (such as notes). If this option is not checkmarked, the password will be hidden and the recipient will not be able to view or edit the entry.
How can you reveal hidden passwords?
There are several different ways to extract the password, since that data has to leave your browser – which is totally under the user’s control, by the way – in order to authenticate against the server.
One method would be to intercept the HTTP packets directly on the network, or by placing a local proxy server in front of the connection. Another would be to simply send the request to a web server that you control and capture the transmitted data; that is especially useful for avoiding the encrypted TLS connection. To do that, you can simply create a new “Equivalent Domains” entry in your LastPass settings for your own server’s domain name and the target’s domain name.
But even these simple methods are unnecessarily complicated.
The easiest way to see hidden passwords in plain text is to simply tell your browser to show it to you.
You can do that either by manipulating the HTML directly in your browser (e. g. with Chrome’s ready-to-use “Developer Tools”; hit F12) or, even easier, by installing the Chrome extension “ShowPassword”.
This is how you can try it out yourself
(assuming that you already use LastPass and somebody has shared a password with you without checking “Allow recipients to view passwords”)
- Install Google’s web browser Chrome on your PC or Mac.
- Install the Chrome extension “LastPass: Free Password Manager” by lastpass.com.
- Install the Chrome extension “ShowPassword” by a161803398.
- Log in to your LastPass account through the LastPass Chrome extension.
- Navigate to the site with the shared password.
- Let the LastPass extension fill out the username + password in the login window.
- Hover over the password input box with your cursor.
- Done. You are now able to see the “hidden” password in plain text. Feel free to copy and paste it or do whatever you like with it!
Here is a screenshot that demonstrates how the “ShowPassword” extension works.
That was too easy!
Yes, it is really that trivial. The concept just doesn’t make sense. You cannot give the recipient the control to use a password in a web browser and then rely on the browser and hope that it will simply not reveal the password to the user. Period.
One could argue that you should only share credentials with people you trust anyway and that this issue isn’t really problematic. I agree that you should only share credentials with people you absolutely trust (and also only if it is absolutely necessary). But this still remains a problem, as it implies an extra layer of security that just doesn’t exist.
How can this be fixed?
My two suggestions:
- Remove the feature completely.
- Change the default behavior of the check mark – by default (unchecked) it should NOT try to hide the shared password; when the box is checked, a very obvious disclaimer text should appear and explain to the user that this feature is only useful in very, very specific use cases and that the recipient WILL BE ABLE TO SEE THE PASSWORD, IF THEY WANT TO.
I asked LastPass twice (on two different occasions) if they could explain where the need for this feature is coming from and what a realistic use case would be, but they did not answer this question in any way. Instead, they answered that they are aware of this and that they do have a disclaimer about this feature (here and here). They also mentioned that they have created a Feature Request about this matter.
Please, LastPass, I really like your software and your patching and information policy hasn’t disappointed me yet. I’d gladly keep it that way.
I will stay in touch with LastPass and post any updates about this matter on this blog. Feel free to write a comment, I’d like to hear your opinion! Thanks for reading.
Update #1: I checked for any news about the “Feature request” that their support team internally posted – but nope, no update yet. Now I’ll see if they respond to messages on their Facebook page.
Update #2: They replied very quickly on Facebook. But no real answer yet to my questions. See for yourself: https://www.facebook.com/LastPass/posts/1451021911580261
Update #3: LastPass’ response via ticket:
To reiterate what has been said previously, this is documented already as a known limitation, as Andrew has already provided in his previous response.
I can certainly keep this ticket open for you, and let you know if a change or update has been made.
Unfortunately there is not an ETA I can provide for you, as this feature request and improvement will be prioritized accordingly at the dev team’s discretion.
Thanks for your understanding.