@aiden56 @leo
I guess we'll do round two of the hot takes on this stuff.
So, generally many, many websites use your email address to log you in. Some use a username, but it's more the norm to use your email.
The same email that has been in countless leaks for years and years is on countless "consolidated" lists etc., and is likely run against all manner of websites as part of the standard billions-long email stuffing lists.
Given that so many websites have email enumeration issues (that is, it is sort of hard to both allow a user to look up if their email exists or not when registering and make it not able to tell the same thing to a massively distributed, slow attack coming from residential IPs), then they are going to know quickly if you are on a site.
They actually likely just don't care. The list of URLs your email is associated with is unlikely to really give any of these big operations any kind of advantage. They already factor in that knowledge.
So then, I assume you're going to jump ship to some other password provider, of which there are many. Of which just about all are, or will be, under attack at some point. If you think you are going to jump to a provider who can protect your stuff 100%, then that's funny.
I know, I know, we can/should all host our passwords on our own self-hosted service or only locally in our systems, and sure, that likely does provide a certain measure of security, I guess? But I already do that. It's an encrypted block here locally that I just ask LastPass to store and back up.
The thing is, for this kind of thing, you have to factor in Shannon's maxim / Kerckhoffs's principle in that the enemy knows the system. Assume they can get to the encrypted blob, and assume they can know your username on a site. The controls still hold secure in this case.