The painful thing for LastPass users who did unfortunately reuse their master password on other sites is that this case is now an *offline* attack - which means 2FA or changing one's LastPass web password (or even master password) won't help much - the attackers have a point-in-time snapshot of all the credentials in those stolen vaults. And if you were using a weak (or worse, previously leaked) master password when they were stolen, you're screwed.
@kennwhite so which one is better - for a family subscription?
@kennwhite Personal IT Security is a mess - there are no easy solutions and things can go very badly if someone targets you.
@kennwhite Compromises like this are why I don't trust any password manager that backs data up to a server. Too much trust required of a big fat juicy target for attackers. Local storage only, thankyewverymuch, and I'll do my own backups and copying. It's not invulnerable, but I'm a smaller target and I control my own defenses.
@tknarr @kennwhite that’s defensible for techies, but non-experts may not be able to manage truly robustly recoverable local backup.
@georgewherbert @tknarr @kennwhite only to a limited degree. What do you do about portability that doesn't compromise the entire security of the storage? That is the issue.
@husbandpanda @tknarr @kennwhite All computer security is a tradeoff between usability and absolute security. In practice, usability includes degraded-mode recovery, and the amount and complexity of normal use and normal administrative functions.
Most users won’t effectively and successfully back up locally off the system itself, so anything like a power surge or computer intrusion may wipe the vault. Especially not remotely, so any fire or theft is service loss.
@husbandpanda @tknarr @kennwhite 1Pass uses something you know (passcode), something you have (any of n devices with your passcode-encrypted master key), and remote storage with a better security model for a storage-opaque blob of secure data. Remote storage avoids local loss of the vault, a not uncommon issue for fallible normal users.
Doesn’t prevent everything, but a lot more end-user failures are securely avoided, and the LastPass failure is avoided.
@georgewherbert @tknarr @kennwhite Yeah, I was considering it for this reason. All tech work I've ever done involved either Thycotic or 1Pass.
@kennwhite damn. Think I'm going to be resetting some passwords this week.

@kennwhite it pains me that everyone is having to scramble now, 2 days before Christmas, when the data was stolen 4 months ago

These updates have hit both extremes, from "we recommend you do nothing" to "it's all gone, I hope you chose a good password".

Hopefully it's China, so we don't have to worry about it getting bruteforced and dumped on the Internet 🤷

@kennwhite @totosec mhmm, reusing a master password is never a good idea. Like any other password reuse, but worse.