Opened 4 years ago

Closed 4 years ago

#33441 closed defect (bug) (duplicate)

LastPass autofills generated password for a WP user with my account's password + other LastPass problems

Reported by: TheLastCicada
Owned by: adamsilverstein
Milestone:
Priority: normal
Severity: normal
Version: 4.3
Component: Users
Keywords:
Focuses: ui, administration
Cc:
PR Number:

Description

LastPass (at least using the Chrome extension) seems to really wrestle with the user-edit.php screen in 4.3. I recorded a gif of my experience that you can watch here.

When editing an existing user, whenever "Generate Password" is clicked, LastPass fills in MY user's password and never shows me the password generated by WordPress. With LastPass on, I cannot get it to show me the generated password instead of my own password.

In addition, LastPass fills in my account's email address and username in the "E-Mail" and "Nickname" fields respectively. You can see all of this in the gif linked above.

I respect that this might be more of a problem with LastPass than with WordPress, but given the goal of the Generate Password button (to improve user account security by making it easier to create good passwords), having an incompatibility with a popular password manager seems to subvert that goal. Especially since a password manager like LastPass is going to be almost mandatory for users to be able to use truly random passwords across all sites as we are (rightly) encouraging here.

Attachments (1)

lastpass-bugs.gif (2.8 MB) - added by obenland 4 years ago.
Attach gif for posterity.

Change History (20)

@obenland
4 years ago

Attach gif for posterity.

#1 @obenland
4 years ago

  • Milestone changed from Awaiting Review to 4.3.1

#2 @SergeyBiryukov
4 years ago

I'm using LastPass Chrome extension too, but I could not reproduce any of the issues from the GIF. It does not automatically fill in Nickname, E-mail, or New Password field on my install.

#3 @HeadOnFire
4 years ago

Can't reproduce it either.

Win 10 x64
Chrome 44.0.2403.157 m (64-bit)
LastPass 3.2.26

#4 @samuelsidler
4 years ago

  • Milestone changed from 4.3.1 to Awaiting Review

Moving back to Awaiting Review as we have two "can't reproduce" comments.

@TheLastCicada: Can you give us any more details about your setup that might be different or unique? Can you also try to reproduce with no other extensions installed, just Chrome+LastPass?

#5 @TheLastCicada
4 years ago

  • Keywords close added
  • Resolution set to worksforme
  • Status changed from new to closed

I'm on Chrome 45.0.2454.85 on OSX Mavericks with LastPass 3.2.29 (as of today) and now I cannot reproduce it either. Maybe LastPass changed something in their Chrome extension that solved this. I've tried it on the original site where I recorded the gif and another site and both work fine today. Whatever it was looks to have resolved itself - suggest we close this as fixed.

#6 @knutsp
4 years ago

  • Keywords close removed

#7 @SergeyBiryukov
4 years ago

  • Milestone Awaiting Review deleted

#8 @jjeaton
4 years ago

  • Resolution worksforme deleted
  • Status changed from closed to reopened

I'm able to reproduce this:

Mac OS X 10.10.5
Chrome 45.0.2454.85
LastPass 3.2.29

The only difference between my setup and @TheLastCicada's is the OS X version.

I have this happen on the user-edit.php screen and on the reset password screen wp-login.php?action=rp. If I view the generated password, it's always my LastPass password. If I reset my password, the generated password is always my LastPass password, but worst of all, if I edit another user (not myself), without changing their password, it changes their password to my password.

A terrible screencast here: http://recordit.co/2V8gJzTOL7 showing this happening. I change one profile field, save, and then receive an email saying that the user reset their password (it gets reset to my password, which I verified by logging in with their username and my password).

#9 @SergeyBiryukov
4 years ago

  • Milestone set to Awaiting Review

#10 in reply to: ↑ description ; follow-up: @janaa
4 years ago

Replying to TheLastCicada:

> LastPass (at least using the Chrome extension) seems to really wrestle with the user-edit.php screen in 4.3. I recorded a gif of my experience that you can watch here.
>
> When editing an existing user, whenever "Generate Password" is clicked, LastPass fills in MY user's password and never shows me the password generated by WordPress. With LastPass on, I cannot get it to show me the generated password instead of my own password.
>
> In addition, LastPass fills in my account's email address and username in the "E-Mail" and "Nickname" fields respectively. You can see all of this in the gif linked above.
>
> I respect that this might be more of a problem with LastPass than with WordPress, but given the goal of the Generate Password button (to improve user account security by making it easier to create good passwords), having an incompatibility with a popular password manager seems to subvert that goal. Especially since a password manager like LastPass is going to be almost mandatory for users to be able to use truly random passwords across all sites as we are (rightly) encouraging here.

Thanks, TheLastCicada, for describing the issues so well, and for including your gif. I have had exactly the same problem when editing existing users - both in Chrome and Firefox, for which I installed a LastPass extension. When I edited the users via IE (which did not have a LastPass extension installed), all behaved correctly. So it is clearly a problem related to interference by LastPass in the user editing form including secure password generation.

The support advice from LastPass on this issue was to add the [mydomain.com]/wp-admin/user-edit.php URL to the "Never URLs" list in my LastPass account settings. This worked - when I added the user-edit.php URL to the "Never fill forms" URL list, it prevents LastPass from interfering in the user-edit.php form.

While creating this exception in my LastPass settings is a work-around (which will need to be repeated for every WordPress site that I administer), I totally agree with TheLastCicada's wise comments that:-

> I respect that this might be more of a problem with LastPass than with WordPress, but given the goal of the Generate Password button (to improve user account security by making it easier to create good passwords), having an incompatibility with a popular password manager seems to subvert that goal. Especially since a password manager like LastPass is going to be almost mandatory for users to be able to use truly random passwords across all sites as we are (rightly) encouraging here.

... and I would hope that some resolution for compatibility between WordPress and LastPass might be arrived at.

#11 in reply to: ↑ 10 @adamsilverstein
4 years ago

@janaa - thanks for the feedback and steps you used to resolve.

I will dig into this issue further. I am hopeful the fix we develop for #33699 - disabling the hidden password field - will prevent LastPass from autofilling it.

#12 @adamsilverstein
4 years ago

The issue in this ticket should be resolved by the patch on #33699.

Help appreciated testing this: @janaa, @jjeaton & @TheLastCicada can you install the patch and see if this resolves the issue for you?

Thanks!
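
An added illustration (not part of the ticket and not WordPress's or LastPass's code) of why disabling the hidden password field, the approach mentioned above for #33699, keeps an autofilled value from being saved: disabled controls are left out of form submission. The field names, the deliberately greedy `autofill` stand-in and the simplified server logic are constructed assumptions.

```javascript
// Constructed model of the user-edit form; field names are hypothetical.
function buildForm(hiddenFieldDisabled) {
  return [
    { name: 'nickname', type: 'text', value: 'alice', disabled: false },
    // Password input that stays hidden until "Generate Password" is clicked.
    { name: 'new_password', type: 'password', value: '', disabled: hiddenFieldDisabled },
  ];
}

// Greedy stand-in for a password manager (an assumption, not LastPass's real
// logic): writes the saved password into every password input, visible or not.
function autofill(form, savedPassword) {
  for (const c of form) if (c.type === 'password') c.value = savedPassword;
}

// HTML form submission rule: disabled controls are never sent.
function submit(form) {
  const post = {};
  for (const c of form) if (!c.disabled) post[c.name] = c.value;
  return post;
}

// Simplified server side: a non-empty password field means "change the password".
function applyProfileUpdate(user, post) {
  const updated = { ...user, nickname: post.nickname };
  if (post.new_password) updated.password = post.new_password;
  return updated;
}

// An admin edits another user's nickname only; returns the stored user afterwards.
function editNicknameOnly(hiddenFieldDisabled) {
  const target = { nickname: 'alice', password: 'alice-original' };
  const form = buildForm(hiddenFieldDisabled);
  autofill(form, 'admin-vault-password');
  form[0].value = 'alice-renamed';
  return applyProfileUpdate(target, submit(form));
}

// Clicking "Generate Password" enables the field and puts the generated value in it.
function generateThenSave(generated) {
  const target = { nickname: 'alice', password: 'alice-original' };
  const form = buildForm(true);
  autofill(form, 'admin-vault-password');
  Object.assign(form[1], { disabled: false, value: generated });
  return applyProfileUpdate(target, submit(form));
}

console.log('hidden field enabled :', editNicknameOnly(false).password);
console.log('hidden field disabled:', editNicknameOnly(true).password);
```

With the hidden field enabled, the model reproduces the behaviour reported in comment 8; with it disabled, the stored password is untouched unless a password is explicitly generated.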

#14 @adamsilverstein
4 years ago

  • Owner set to adamsilverstein
  • Status changed from reopened to assigned

#15 @jjeaton
4 years ago

@adamsilverstein. I've tested this locally after applying the patch and it appears to have solved the issue. LastPass was also autofilling the email field with my saved username, and it's not doing that after applying the patch ¯\_(ツ)_/¯. Thank you!

#16 @adamsilverstein
4 years ago

  • Keywords commit added
  • Milestone changed from Awaiting Review to 4.3.2

Great, thanks for testing @jjeaton!

This ticket was mentioned in Slack in #core by adamsilverstein.

4 years ago

#18 @adamsilverstein
4 years ago

  • Milestone changed from 4.3.2 to 4.4

#19 @ocean90
4 years ago

  • Keywords commit removed
  • Milestone 4.4 deleted
  • Resolution set to duplicate
  • Status changed from assigned to closed

Duplicate of #33699.
