I should imagine they've probably thought of that 😉, indeed they have! The Android app requires unlocking after a short period of time, the browser app can be configured to do the same. It's standard security practice to not leave databases like these unlocked, or even the keys in memory when they are not in use. Of course, someone would have to defeat the security on the device itself first in any case. I get that it feels uncomfortable having all of your eggs in one basket though.
This is an old episode of the Security Now podcast, but it has an in-depth discussion of passwords and LastPass, starting here:
https://youtu.be/r9Q_anb7pwg?t=3329
Tim.
________________________________
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> on behalf of James H. H. Lampert <jamesl@xxxxxxxxxxxxxxxxx>
Sent: 18 March 2021 18:23
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: How to validate passwords without storing them anywhere.
And exactly what difference does encrypting the password manager file
make, if anybody signed on to your desktop box, smartphone, or tablet
can still use it, without having to manually enter a strong password
that has never been written down *anywhere*?
--
JHHL