> LastPass is quite open to scrutiny and what's important is how responsive they are to new findings -- very responsive, from everything I've ever seen. Including many findings from the author of the article.

That is nice, but it is not sufficient mitigation for the issue to be dismissed.

There are more concerns in this article than the title issue, and it seems that in the past, LastPass has made some questionable design decisions that did turn out to have problems that needed to be fixed. I hope and assume that, prior to adopting these design choices, LastPass analyzed the risk and concluded that it had avoided creating any vulnerabilities, but nevertheless, there were some that it had overlooked.

If you continue in this manner, you are increasing the risk of creating a zero-day vulnerability that gets exploited, and I would guess that a central repository of passwords would be a particularly attractive target for bad actors. I would much prefer a security company to stay away from questionable design choices, rather than have rather complex and more-or-less tendentious arguments that the way they are doing it is safe, especially when there have been cases in the past where their arguments were not sound.

> This is just not something I have enough cycles in the day to let bother me.

Another reason to prefer KISS. If the vendor had refrained from making questionable choices that require complex analysis (such as the decision to fall back to server-provided pages for parts of the browser extension functionality), trying to figure out whether it matters to you would be less of a problem -- to the point, maybe, where you don't fall back on an "I can't be bothered" attitude.
