I always recommend that everybody — from the technologically illiterate to experienced software engineers — use a password manager. Everybody is lazy; no one likes having to remember a bunch of different passwords, and most people will almost certainly reuse them across the hundreds of sites they have accounts for. By using random, unique passwords stored in a password manager, we save ourselves the trouble and are much more secure for it.
But no software is perfect. Every codebase has bugs, some more serious than others. Certainly, some software designs have a larger attack surface, and in this regard LastPass is probably more vulnerable than most, exposing itself through a browser plugin that may be at risk of browser-based attacks.
So it isn’t a huge surprise that LastPass has a bug that “makes it possible for malicious websites to steal user passcodes and in some cases execute malicious code on computers running the program,” according to reporting by ArsTechnica. The vulnerability was disclosed by a researcher for Google’s Project Zero, but its implementation details, to the best of anyone’s knowledge, are currently only known to that team and the LastPass developers; hopefully, no one else discovered it first, and there are no known in-the-wild attacks. A fix is expected shortly.
In any case, it is fortunate that Google’s Project Zero researchers are looking out for even password managers now. The world is a safer place when such vulnerabilities are responsibly discovered, disclosed, and fixed.