[wp-trac] [WordPress Trac] #33441: LastPass autofills generated password for a WP user with my account's password + other LastPass problems

[WordPress Trac]

#33441: LastPass autofills generated password for a WP user with my account's
password + other LastPass problems
---------------------------+---------------------------------
 Reporter:  TheLastCicada  |       Owner:
     Type:  defect (bug)   |      Status:  reopened
 Priority:  normal         |   Milestone:  Awaiting Review
Component:  Users          |     Version:  4.3
 Severity:  normal         |  Resolution:
 Keywords:                 |     Focuses:  ui, administration
---------------------------+---------------------------------

Comment (by janaa):

 Replying to [ticket:33441 TheLastCicada]:
 > LastPass (at least using the Chrome extension) seems to really wrestle
 with the user-edit.php screen in 4.3.  I recorded a gif of my experience
 that you can watch
 [https://s3.amazonaws.com/uploads.hipchat.com/52421/362666/GZ1h3AiO2A6GGKo
 /lastpass-bugs.gif here].
 >
 > When editing an existing user, whenever "Generate Password" is clicked,
 LastPass fills in MY user's password and never shows me the password
 generated by WordPress.  With LastPass on, I cannot get it to show me the
 generated password instead of my own password.
 >
 > In addition, LastPass fills in my account's email address and username
 in the "E-Mail" and "Nickname" fields respectively.  You can see all of
 this in the gif linked above.
 >
 > I respect that this might be more of a problem with LastPass than with
 WordPress, but given the goal of the Generate Password button (to improve
 user account security by making it easier to create good passwords),
 having an incompatibility with a popular password manager seems to subvert
 that goal.  Especially since a password manager like LastPass is going to
 be almost mandatory for users to be able to use truly random passwords
 across all sites as we are (rightly) encouraging here.

 Thanks, TheLastCicada, for describing the issues so well, and for
 including your gif.  I have had exactly the same problem when editing
 existing users - both in Chrome and Firefox, for which I installed a
 LastPass extension.  When I edited the users via IE (which did not have a
 LastPass extension installed), all behaved correctly.  So it is clearly a
 problem related to interference by LastPass in the user editing form
 including secure password generation.

 The support advice from LastPass on this issue was to add the
 [mydomain.com]/wp-admin/user-edit.php URL to the "Never URLs" list in my
 LastPass account settings.  This worked - when I added the user-edit.php
 URL to the "Never fill forms" URL list, it prevents LastPass from
 interfering in the user-edit.php form.

 While creating this exception in my LastPass settings is a work-around
 (which will need to be repeated for every WordPress site that I
 administer), I totally agree with TheLastCicada's wise comments that:-

 > I respect that this might be more of a problem with LastPass than with
 WordPress, but given the goal of the Generate Password button (to improve
 user account security by making it easier to create good passwords),
 having an incompatibility with a popular password manager seems to subvert
 that goal. Especially since a password manager like LastPass is going to
 be almost mandatory for users to be able to use truly random passwords
 across all sites as we are (rightly) encouraging here.

 ... and I would hope that some resolution for compatibility between
 WordPress and LastPass might be arrived at.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/33441#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform