A number of LastPass users are taking to the company’s forums to complain about a pretty unfortunate bug that affects its extension’s automatic log-off features—something you’ll always want to enable as a backup security measure.
According to reports, the bug doesn’t appear to be platform-specific: Firefox, Chrome, and Brave users alike on Windows and macOS have jumped into the thread to describe how LastPass’ “log off after x minutes of inactivity” has stopped working. And they aren’t happy about this issue. As one user wrote:
“I noticed this last week and confirmed it on two different computers. This to me is a huge security issue. Both lastpass extensions on chrome and safari clearly states that it should log me out after 10 minutes, but it doesn’t. It used to until sometime last week. Please lastpass fix this or I’ll try another password manager.”
LastPass representatives joined the thread after about a week from the main surge of comments to indicate that the company is working to patch the issue with an update. No ETA for the fix was available as of when we published this article.
It’s also unclear what’s actually triggering the bug. I attempted to replicate this issue using the LastPass extension in Chrome 80 on my MacBook, but found that LastPass’ auto-logoff settings worked perfectly. I turned on the setting to log me off after a minute of doing nothing on my MacBook. I then waited a minute and LastPass’ icon switched from red to grey—and I was logged out.
The same happened when I checked the other setting, “Log out when all browsers are closed.” When I quit and reopened Chrome, I had to log back into LastPass.
Nevertheless, you’ll want to test LastPass’ auto-logoff settings—if you use them—on your own setup. If they aren’t working for you, you’ll need to remember to manually log out of LastPass once you’re done using it.
While you should also be using some stronger authentication mechanism (like a great password or a fingerprint) to keep intruders out of your desktop or laptop PC when you’re away, making sure your password manager isn’t giving up every single login you use to anyone who is sitting in front of your keyboard is probably a good thing. In fact, it’s the most important thing.