At LastPass, the safety and security of your data is our top priority. Our product is built with that in mind, knowing that you have entrusted us with the protection of sensitive personal and business information. Beyond password management, we also frequently share best practices with our community so that you’re able to keep your data safe, no matter which browser, device, or application you’re using.
Today, we would like to recommend a best practice for your web browser settings. Within your browser (such as Google Chrome, or Microsoft Edge), there are many settings that you can customize, whether it is for productivity or security, or simply preference. However, it’s not always clear what the implications of those settings might be.
In browsers like Google Chrome and Microsoft Edge, there is a spell check feature that shares plain text data, including passwords, with your browser. LastPass already has controls in place to prevent these features from looking at sensitive vault data such as passwords.
This week, our friends at Otto-JS highlighted that when users with the spell check feature enabled also opt to ‘show password’ in the login field, it would then share the plain text password to Google or Microsoft, depending on the browser that you’re using. At LastPass, we immediately updated our product to prevent this from happening, and now, plain text passwords are never shared with the browser.
As a best practice, if you plan to use the “show password” feature in LastPass, we recommend that you disable spell check altogether. You can find additional best practices on browser settings on our Support site.
