Security Issues with LastPass on Android

submitted by
Style Pass
2021-05-29 07:30:03

LastPass' Android app is one of the most downloaded password managers on the Play Store with over 10 million installations. I investigated security issues with the app for my capstone project. Here are some of the biggest problems I found with it.

The app's password generator can generate two types of passwords: pronounceable or non-pronounceable. The pronounceable password generator has several issues, the biggest one of them being its inability to produce passwords of lengths that you specify. Don't believe me? See the screenshot below.

Although this is an extreme case, I found out that approximately one percent of all pronounceable passwords generated by this app are smaller than specified. This is the distribution of lengths of produced passwords when set to generate passwords of length 16:

I suspect that nobody counts the number of characters in the generated passwords. On my device, I can't even see the entire password if it is more than 14 characters long. If you use or have used the option in the past to generate pronounceable passwords, check the lengths of your passwords. You may find that some of them are smaller than what you wanted.
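The length check described above can be automated for any generator. The following is an added example, not part of the original post and not LastPass's code: the syllable table and both generators (`pronounceable_naive`, `pronounceable_exact`) are hypothetical stand-ins, constructed to show how a length distribution exposes short output and how trimming to the requested length avoids it.

```python
import secrets
from collections import Counter

# Constructed syllable table (2- and 3-character syllables); an assumption for
# this example, not the word list or algorithm of any real password manager.
CONSONANTS, VOWELS = "bcdfghjklmnprstvwz", "aeiou"
SYLLABLES = [c + v for c in CONSONANTS for v in VOWELS]
SYLLABLES += [c + v + e for c in CONSONANTS for v in VOWELS for e in "nrst"]

def pronounceable_naive(length):
    """Hypothetical faulty generator: stops when the next syllable does not fit,
    so the result can be shorter than requested."""
    out = ""
    while True:
        syllable = secrets.choice(SYLLABLES)
        if len(out) + len(syllable) > length:
            return out
        out += syllable

def pronounceable_exact(length):
    """Hypothetical corrected generator: overshoots, then trims to the exact length."""
    out = ""
    while len(out) < length:
        out += secrets.choice(SYLLABLES)
    return out[:length]

def length_distribution(generator, length, samples=2000):
    """Count how many generated passwords have each length."""
    return Counter(len(generator(length)) for _ in range(samples))

def short_fraction(distribution, length):
    """Fraction of samples shorter than the requested length."""
    total = sum(distribution.values())
    short = sum(n for size, n in distribution.items() if size < length)
    return short / total

if __name__ == "__main__":
    for gen in (pronounceable_naive, pronounceable_exact):
        dist = length_distribution(gen, 16)
        print(gen.__name__, dict(sorted(dist.items())),
              f"short: {short_fraction(dist, 16):.1%}")
```

A check like `short_fraction(...) == 0` belongs in the generator's test suite, run for every length the interface lets the user select.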
