
PSA: Don't use third-party apps and services, period.

How do you use Third-Party Apps/Services?

  • I used to use them, and I will continue to do so (Votes: 172, 41.0%)
  • I used to use them, but now I will probably stop (and change my password!) (Votes: 34, 8.1%)
  • Will use them at some point in the future, despite non-ideal circumstances (Votes: 11, 2.6%)
  • Never used 'em, won't use them until Tesla supports them better (Votes: 95, 22.6%)
  • Never used 'em, never will (Votes: 108, 25.7%)

  Total voters: 420
You log into LastPass with your master password on your computer (or other device) and your website passwords are downloaded to your computer or device. When you go to a website, LastPass will auto-fill the username and PW for that site. If you have 2FA setup for a particular website, you will then still get that push to complete the login from that website.

If you are on a forum, like this one, and choose to remain logged in, then LastPass won't need to log you in again. It's only when you log out of LastPass that you need to enter your master password again.

If I understand this correctly, then anybody who gets physical access to my computer can access all my critical web sites because LastPass fills everything in. That doesn't sound good at all.

But if I turn off auto-fill, then what? I have to use my long master password every time I want to log back in to my bank?
 
  • Disagree
Reactions: Silicon Desert
If I understand this correctly, then anybody who gets physical access to my computer can access all my critical web sites because LastPass fills everything in. That doesn't sound good at all.

But if I turn off auto-fill, then what? I have to use my long master password every time I want to log back in to my bank?
That’s correct. You can choose to leave yourself logged in to LastPass or not. If you have other people accessing your computer you have bigger issues.
 
Nothing wrong with having auto-fill enabled for LastPass, that’s the whole point of it. The UN/PW are presented from your computer or device. Or are you talking about a different kind of auto-fill?

Just to let you know, there was a major roundup of these tools last year, and there's an exploit that captures auto-filled credentials. Their own recommendation was not to auto fill. Not the auto fill when you click a button to fill a form, but the auto fill that auto-populates password forms without you intervening in any way.
 
Just to let you know, there was a major roundup of these tools last year, and there's an exploit that captures auto-filled credentials. Their own recommendation was not to auto fill. Not the auto fill when you click a button to fill a form, but the auto fill that auto-populates password forms without you intervening in any way.
Not sure I’m understanding. If you visit a website that has a LastPass UN/PW stored it will auto fill (if the site supports it). Are you saying that should never be used? If so, can you provide a link? Haven’t seen that guidance.
 
If I understand this correctly, then anybody who gets physical access to my computer can access all my critical web sites because LastPass fills everything in. That doesn't sound good at all.

But if I turn off auto-fill, then what? I have to use my long master password every time I want to log back in to my bank?

If you aren't locking your computer when you walk away, then they can gain access to any site you've logged into anyway. So that's not really a valid concern; just lock your computer. When you lock it or log out, by default most password managers will log themselves out as well, so when you return you need to supply at least the password again.

Not sure I’m understanding. If you visit a website that has a LastPass UN/PW stored it will auto fill (if the site supports it). Are you saying that should never be used? If so, can you provide a link? Haven’t seen that guidance.

If what you're asking is "Should the user/password be filled in without me needing to do anything as soon as I visit the site", then the answer is no. You should click on the LastPass icon and auto fill, or click on the LastPass icon within the field and tell it to fill the field then.
 
If you aren't locking your computer when you walk away, then they can gain access to any site you've logged into anyway. So that's not really a valid concern; just lock your computer. When you lock it or log out, by default most password managers will log themselves out as well, so when you return you need to supply at least the password again.
LastPass only logs you out if you log out of your computer, not if you just lock it. But as mentioned, no one should have access to your login on a computer anyway.
 
LastPass only logs you out if you log out of your computer, not if you just lock it. But as mentioned, no one should have access to your login on a computer anyway.

Given the setting is right here in front of me, I'm going to have to disagree. It locks on screensaver start as well as locking.
[Attached screenshot: Screen Shot 2019-12-22 at 21.07.51.png]
 
  • Like
Reactions: Silicon Desert
You can also set certain logins to always require the Master Password and to require the Master Password to actually copy a password to the clipboard rather than just filling it in. Since I have a fingerprint scanner I use both of these features. I use the clipboard one on all passwords and the second prompt one on important stuff like banks, government agencies, etc... That way if someone ever gained access to a device of mine that was already unlocked they still couldn't do anything too nefarious.

Although with 2FA enabled on most accounts now that's pretty much impossible anyway.
 
  • Like
Reactions: DrDabbles
I haven't read the full thread --- but I completely agree with the OP's argument.

I arrived at the same conclusion, but I still wanted to track the performance of my car over time. I ended up building my own cloud service using the unofficial Tesla APIs for that purpose (effectively equivalent to what TeslaFi or other services do), so that my password/access token stays secret.

Until Tesla officially supports developers and implements an app-permissions model, third-party apps are a security risk to vehicle owners. Unfortunately, I don't think many vehicle owners are aware of the risks. :(
 
  • Informative
Reactions: SmartElectric
I haven't read the full thread --- but I completely agree with the OP's argument.

I arrived at the same conclusion, but I still wanted to track the performance of my car over time. I ended up building my own cloud service using the unofficial Tesla APIs for that purpose (effectively equivalent to what TeslaFi or other services do), so that my password/access token stays secret.

Until Tesla officially supports developers and implements an app-permissions model, third-party apps are a security risk to vehicle owners. Unfortunately, I don't think many vehicle owners are aware of the risks. :(

How are you keeping them secure?
 
  • Like
Reactions: drtimhill
I recently saw what I think is an incredibly bad idea.
PayPal, yes them, when linking bank accounts, used to only ask you to provide your bank account number and routing number; then wait for two tiny deposits.
Now they suggest a better way.
Give them your username and password to the banking app and it is immediate.
WTH????????????????
 
I recently saw what I think is an incredibly bad idea.
PayPal, yes them, when linking bank accounts, used to only ask you to provide your bank account number and routing number; then wait for two tiny deposits.
Now they suggest a better way.
Give them your username and password to the banking app and it is immediate.
WTH????????????????

This is the way Venmo and a few other services work. (I think CoinBase had this option as well) They usually have a link somewhere that lets you use the old method instead.
 
  • Like
Reactions: Silicon Desert
I haven't read the full thread --- but I completely agree with the OP's argument.

I arrived at the same conclusion, but I still wanted to track the performance of my car over time. I ended up building my own cloud service using the unofficial Tesla APIs for that purpose (effectively equivalent to what TeslaFi or other services do), so that my password/access token stays secret.

Until Tesla officially supports developers and implements an app-permissions model, third-party apps are a security risk to vehicle owners. Unfortunately, I don't think many vehicle owners are aware of the risks. :(

Since you have not read the full thread, I have asked several times what are some actual or perceived worst-case scenarios about using Teslafi or other third-party apps? From a risk and reward perspective, I have not seen real world evidence of any downside with the Tesla.

In your wildest dreams, how bad could it get?
 
Since you have not read the full thread, I have asked several times what are some actual or perceived worst-case scenarios about using Teslafi or other third-party apps? From a risk and reward perspective, I have not seen real world evidence of any downside with the Tesla.

In your wildest dreams, how bad could it get?

Technically the API key can gain access to the current GPS position of your car, unlock the door and enable remote driving. So they could use it to find where your car is parked, unlock it and drive away in it.

But since these are typically legit companies just trying to make a living they're probably not going to steal your car.
 
  • Like
Reactions: SmartElectric
In your wildest dreams, how bad could it get?
This has also been answered several times in this thread. Also, if the app uses the API to authenticate purchases, someone could use the API to find your car, go to it, unlock it, enable keyless driving, and "help you" purchase FSD and the Performance boost if you don't already have them. Suddenly you are minus nine thousand dollars and one car!
 
But since these are typically legit companies just trying to make a living they're probably not going to steal your car.
The concern isn't so much about the app developers suddenly becoming bad actors, but that -- if they store the API key on their end for your convenience -- they might lose control of the ability to manage your car.

Them deciding to harvest your car's data and sell it is also a not completely unrealistic concern.
 
  • Like
Reactions: SmartElectric
The concern isn't so much about the app developers suddenly becoming bad actors, but that -- if they store the API key on their end for your convenience -- they might lose control of the ability to manage your car.

Them deciding to harvest your car's data and sell it is also a not completely unrealistic concern.

All keys can be revoked immediately by simply changing your Tesla password. So if there was some sort of breach, and the company knew about it, I'd hope they'd send out a notice to all their customers telling them to change their password.

They also expire automatically after 45 days. There also seems to be some sort of hard limit on the number of keys a single account can have. I'm working on my own app and have requested a lot of keys for my own car and a few times the keys have stopped working before the 45 days and without me changing my password. I haven’t played with it enough to figure out the exact limit though.
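The token lifecycle this post describes (45-day expiry, every key revoked by a password change, and an apparent cap on live keys per account), as an added constructed model of how an issuing backend can enforce those three properties. This is example code, not Tesla's implementation or API; the cap of 5 and the generation-counter revocation scheme are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field

DAY = 86400
TOKEN_LIFETIME = 45 * DAY   # the 45-day expiry mentioned in the thread
MAX_ACTIVE_TOKENS = 5       # assumed cap; the real limit is not known


@dataclass
class Account:
    password_generation: int = 0                 # bumped on every password change
    tokens: dict = field(default_factory=dict)   # token -> (issued_at, generation)


class TokenIssuer:
    """Constructed model of an API-token backend: tokens expire, an account
    holds at most MAX_ACTIVE_TOKENS live tokens, and a password change
    invalidates everything issued before it."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.accounts = {}

    def _account(self, user):
        return self.accounts.setdefault(user, Account())

    def _purge_expired(self, acct):
        cutoff = self.now() - TOKEN_LIFETIME
        for tok in [t for t, (issued, _) in acct.tokens.items() if issued < cutoff]:
            del acct.tokens[tok]

    def issue(self, user):
        acct = self._account(user)
        self._purge_expired(acct)
        # Enforce the cap by evicting the oldest live token first.
        while len(acct.tokens) >= MAX_ACTIVE_TOKENS:
            oldest = min(acct.tokens, key=lambda t: acct.tokens[t][0])
            del acct.tokens[oldest]
        tok = secrets.token_urlsafe(32)
        acct.tokens[tok] = (self.now(), acct.password_generation)
        return tok

    def change_password(self, user):
        acct = self._account(user)
        acct.password_generation += 1   # copies of old tokens held elsewhere fail the generation check
        acct.tokens.clear()

    def is_valid(self, user, tok):
        acct = self._account(user)
        self._purge_expired(acct)
        entry = acct.tokens.get(tok)
        return entry is not None and entry[1] == acct.password_generation
```

The cap explains the behaviour the poster observed: requesting many keys for one account silently kills the oldest ones well before their 45 days are up.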