I was just invited to use LastPass so that some shared passwords could be used by me for testing web app implementations.

First thought: "What? Why would I ever allow some third-party plugin to get onto my browser and take control over my passwords?"

Second thought: "Some wise professionals suggested it is a good idea, I should look into it."

I installed the plugin in a kind of isolation mode (I don't use Firefox for anything other than testing, so I could use that).

Third thought: "What an ugly and unfriendly user interface?!"

The password got shared with me; I received it via the LastPass plugin in Firefox. It worked to access the web app I was about to test. I thought I would have a look at that password. The user who shared it had blocked me from viewing it: "This is a shared site. You are not permitted to view the password." Kind of a good idea. But...

Next thought: "Once something in my browser is put into a form field, it gets sent out to the web, hence I should be able to see it if I want, because it is just there!"

Guess what. A small piece of JavaScript in the Firebug console and the hidden password was no longer hidden. Actually, when I think about it now, no JavaScript is needed at all: just change the type of the input from password to text in the inspector, and there we are, the dots covering the password are swapped for whatever the password was.

So much for blocking the viewing of shared passwords.

Anyway, thought after thought, I proved to myself that using any third-party SaaS for sharing and keeping passwords is a NO.
