Is LastPass' locally stored One-Time-Password recovery a security problem?

I have actually tried to use account recovery with LastPass just to test this on Mar 5 2014. LastPass sends you a link good for 48 hours via the email account associated with LastPass. You need to access this link from a browser with a LastPass plugin installed. If this plugin was used to access the LastPass account with the email address used for the account recovery, and if One Time Password was enabled, you will be taken to your vault and offered the chance to change your master password. HOWEVER, if you don't change your master password, you will still be left in your LastPass vault, with your various logins visible. You cannot export them without knowing the master password, but you can look at (edit) the various individual logins. Thus someone could take, for example, your bank login information without ever changing your master password. You might never know this has happened. This presumes that someone has access to your email account, for example, if you left it open on your computer when you stepped away.

I think turning off One Time Password is a very good idea. And the One Time Password in advanced options in the plugin is PER MACHINE. So the same applies to any other browsers you use, or portable versions, or any time you ever logged into LastPass from someone's computer using their browser and plugin.

I think LastPass should probably disable One Time Password by default, even though some users would probably forget their master password and lose access to their password vault. LastPass should at least make the One Time Password account-wide, not per machine, so you don't have to remember every machine you ever logged in from.


There are several ways to implement such functionality, but basically yes, all represent significant security risks, especially since they possess your password database too.

LastPass might offer some emergency contact information for disabling this feature if your machine got stolen. You could avoid using LastPass for any passwords that provide financial or deeper identifying information as well.

There are several open source password database programs like KeePass and KeePassX that store your entire password database locally.


I do view the local OTP as a security risk; however, there is an option to disable it in the browser extensions (at least for Firefox and Chrome). I always disable local OTP on each browser after installing the LastPass extension, which means, of course, that I will lose my vault if I forget my master password. I think it would be more secure if LastPass had the local OTP disabled by default. I guess they had to make some trade-off between security and user dissatisfaction when they forget their password.