Until everybody and their dog eventually replaces passwords, this long-running log-in mechanism is here to stay. That said, there are ways to decrease the likelihood of an attacker compromising your account.
One way is two-factor authentication, which requires a second code, generated on or sent to a separate device, that you enter along with your password to log in. A bug related to this security feature was just revealed to have been fixed by password management service provider LastPass.
Back in February, Martin Vigo, a security researcher at Salesforce, privately disclosed a bug to LastPass via the company's bug bounty program. The issue affects people using Google Authenticator as an extra security measure on their LastPass vaults. The server-side bug meant that if a user who was logged into LastPass was lured to a "nefarious website", Google Authenticator could be bypassed entirely. Vigo recently detailed the process on his blog.
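The article does not describe the bug itself, but it helps to see what the second factor is supposed to protect. The block below is an added example (not LastPass's or Vigo's code) of the TOTP scheme Google Authenticator implements (RFC 6238 over RFC 4226 HOTP), plus the server-side check a site should run: a small clock-drift window, constant-time comparison, and a replay guard so a code is never accepted twice. The base32 seed, the `TotpVerifier` class and its `skew` parameter are assumptions for the example. Any server-side flaw that leaks the seed or lets this check be skipped defeats the factor, however correct the client app is.

```python
import base64
import hashlib
import hmac
import struct

# Constructed base32 seed for the example, in the form Google Authenticator
# receives from a provisioning QR code. Not a real secret.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to `digits` decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP as Google Authenticator computes it: HOTP over floor(t / step)."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Server-side check (hypothetical helper, not a LastPass API): accept the
    current time step and `skew` steps either side for clock drift, compare in
    constant time, and never accept a step at or before the last accepted one."""

    def __init__(self, secret_b32: str, step: int = 30, skew: int = 1):
        self.secret_b32 = secret_b32
        self.step = step
        self.skew = skew
        self.last_accepted_step = -1  # replay guard

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for candidate in range(now_step - self.skew, now_step + self.skew + 1):
            if candidate <= self.last_accepted_step:
                continue  # a code for an already-used step is a replay
            expected = hotp(self.secret_b32, candidate)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    v = TotpVerifier(DEMO_SECRET_B32)
    print("code", code, "first use", v.verify(code, now), "replay", v.verify(code, now))
```

The replay guard is what stops a code phished a moment ago from being reused inside the drift window; the constant-time compare avoids leaking which digits matched. Neither helps if the seed itself, or the flag that says 2FA is enabled, can be read or changed through a request the browser sends on the attacker's behalf.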
Of course, LastPass continues to recommend users stay vigilant at all times and outlines a few safe practices:
- Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
- Never reuse your LastPass master password and never disclose it to anyone, including us.
- Use different, unique passwords for every online account.
- Two-factor authentication remains the most effective way to protect your account. Always enable 2FA for LastPass and other services like your bank, email, Twitter, Facebook, etc.
- Keep a clean machine by running antivirus and keeping your software up-to-date.
If you find any issues yourself, LastPass encourages you to report them through its bug bounty program.