Password Managers Hacked: Passwordstate and Lastpass

Passwordstate's security failure was worse than LastPass's, but any organisation can be breached or suffer a cybersecurity failure.

The specifics of the Passwordstate issue are discussed on the PortSwigger website:


“Passwordstate was subject to scrutiny by Swiss security consultancy modzero AG following a customer request to check the password manager’s security.

Modzero researchers Constantin Muller, Jan Benninger, and Pascal Zenker duly conducted an audit of Passwordstate and found a range of security issues, as documented in the team’s disclosure report (PDF)”


modzero found several problems with how the API works and with how the software validates the data it accepts. The XSS (Cross-Site Scripting) bugs matter most because an injected script runs in the victim's authenticated browser session, where vault entries have already been decrypted for display. The attacker therefore reads passwords without ever having to break the way they are stored or transferred.

“An attacker can use the XSS to read passwords or elevate their privileges. Exploiting an administrator account allows for RCE (Remote Code Execution).”

RCE is the worst case: the attacker runs software of their choosing on the server that hosts the vault, usually without the defender noticing, and from there can reach everything that server can reach.


Finally, LastPass also had a security incident (shown in the main image of this post). Fortunately, the LastPass incident did not expose customer vault data: vaults are encrypted on the client with a key derived from the user's master password, so whoever obtains the stored data still needs that password to decrypt it. The McAfee blog entry here gives a good explanation of this encryption technique.

This is why the master password on your password manager account matters so much: if the encrypted vault is ever stolen, the attacker's only path to your data is guessing that password offline, and a long, unique master password makes that impractical.

Read my book to learn more about how good cybersecurity policy should be made.


The fact that these two companies had cybersecurity problems does not mean one should go without a password manager. In fact it is more important than ever, since there are far too many passwords to keep track of any other way, and a manager protected by a strong master password remains far safer than reusing passwords across sites.