I’m worried about LastPass’ incident, but I’m equally worried about password managers of renown at all that have not recently disclosed any (data or code base) cybersecurity incidents. Any password manager is a huge, juicy target…
I’m also worried about all y’all going “lololol pEoPle UsE LasTPaSs” when getting just one person on a reputable password manager they’ll actually understand how to use is a massive, uphill battle.
Anyway, like other sane people have said, you don’t have to stop using LastPass - for gods’ sakes just use a password manager. If you use it, spend some time over the holidays changing all your meaningful passwords in it and your master password. Make sure you’re signed up for haveibeenpwned. If a cloud-based password manager is right for your risk and threat model, for heaven’s sakes don’t stop using it in favor of a techier option you won’t use.
@hacks4pancakes how do you feel about KeePass over Syncthing?
@Polychrome @hacks4pancakes I'm not Lesley, but I personally think it's largely a matter of how much you're willing to fuss with stuff. I've used KeePass for years now and I have it set up to sync to a bunch of different places (two different computers under my control as well as some cloud storage). Syncthing would make the syncing easier to set up but my system works for me and that's what matters.
@Polychrome @Nastypouch I agree. Much higher barrier to entry and potential to screw it up, but if you have the patience and expertise to keep it up to date, go for it.

@Polychrome @hacks4pancakes

IMO it's important to not use a cloud-based password manager because of how frequently they're targeted for attacks, but I agree with Lesley that if your options are "use a cloud-based one" and "don't use one at all", then anything is better than nothing.

@Nastypouch @Polychrome that’s like the deciding factor for the vast majority of people I talk to.

@hacks4pancakes @Polychrome

Yeah it's been super difficult to get even relatively technically-inclined people I know to use a password manager. Usability is an enormous factor if you're not dealing with some turbonerd (I say this with love and put myself in this category) who's willing to spend a weekend moving all their passwords over and setting up a custom syncing solution.

I guess the best password manager is the one you use.

@Polychrome @hacks4pancakes I'd ask why not self hosted Bitwarden, which is probably easier to use if not to implement, but can't see why this wouldn't be just fine.
@hacks4pancakes Agree, use something that's within grasp of a particular user's understanding, convenience and risk acceptance.

@hacks4pancakes I've frequently argued for "the little password book." As long as your handwriting is nice, it's a fantastic resource for older generations to have a non technical and very well understood medium for remembering access. Most of my elder family doesn't trust password manager companies, or the cloud (wonder where they got that from).

My pro arguments are: store it in a safe place, and you'll be fine from most tragic events:
1. A decent fire rated safe will keep it out of prying hands and eyes (and water if on 2nd floor)
2. Most websites make password/access recovery easy now with the right amount of pretext access
3. Thieves really don't care about this much anymore; cash, silver, electronics are more easily fenced
...
As far as writing it down and 5th amendment concerns go, well, if law enforcement requests are a part of your threat model, then we have different lives. :P

@dntlookbehindu that’s fine, if you will use it across all your devices and it fits your threat model.

@hacks4pancakes I also have the life experiences of trying to restore access to systems from those who have passed on; what a friggin nightmare. Most password management solutions don't consider the "hey, you're fragile and you'll die. How's the access going to be passed to the next of kin?" considerations and solutions.

Bitwarden has something like that in it, which I like. I'm going to die one day, and the last thing I want my family to deal with is dancing through all the systems to regain access and keep the lights blinking while data migrates.

My older family members write theirs down, because fewer systems and similar reasons.

@hacks4pancakes morbid annual reminder, talk with your loved ones these next few weeks to ensure you know where their data is stored... Cus we ain't here forever.

@dntlookbehindu @hacks4pancakes I was thinking about that when I read your "password book" post. If I have a heart attack, I'd want my family to be able to get into my computer and get important documents and photos. That's one way to ensure that.

When my dad died, I had to use Hiren's to break into his Windows desktop to back everything up. It was frankly just extra stress on top of everything else.

@dntlookbehindu @hacks4pancakes So much this. I had a brain injury nearly 5 years ago. My working memory was nonexistent and I had to reset my passwords multiple times a week on the same sites. Now that I’ve recovered a bit more, I have a system that is coded and written down. Every day I want to become a Luddite even more.
@hacks4pancakes I got my super anti-tech mother to use LastPass a couple years ago, which was a huge win. I told her to change her master password and sent her the instruction link. She did it on her own and I'm just so, so proud.
@hacks4pancakes Good call out of the "DoNt UsE LaStPaSs" crowd. It was interesting to see that even someone as visible as @SwiftOnSecurity is also a LastPass user and also had realistic and level-headed response to it. It took me years to convince my wife and father-in-law to use ANY password vault. A Family LastPass subscription where I could manage the backend and also be able to share common passwords was KEY to their adoption. The best password solution is the one that gets used.
@hacks4pancakes this is why I write all my passwords on post its
@hacks4pancakes my mother, rest her soul, is saying “this is why I used Word!” sigh lol. We promote managers heavily at our user group
@hacks4pancakes I’ve always been a huge fan of having them written down. They can go right into a journal, just tell someone you trust where they are. Change monthly or ideally weekly and use your own alphanumeric system to pick them. I use scrabble tiles and dice throws. Weird? Maybe.

@hacks4pancakes It's a bit unfair to characterize "they were breached and didn't detail the extent of it for a full month" as a reason to stop using their service as "insane".

Set aside the security concerns; this is just a business I don't want to work with anymore and will not be recommending to anyone.

@hacks4pancakes personally I'm leaving it anyways, two breaches in a row kills any trust in their technology actually being solid, but I'm just moving to another option for a password manager
@ReFraggedBeans that’s cool, it should be everyone’s prerogative based on their personal threat model. Just don’t tell other people to get rid of it is all I’m saying.
@hacks4pancakes and times like this are a good time as any to cull your accounts and make sure as many as possible have MFA.
@hacks4pancakes And don't fall into the trap of thinking that hosting it yourself is going to make it more secure.
@accidentalciso @hacks4pancakes it's a fallacy that only comes to me after I've already started the docker container. 😅

@accidentalciso @hacks4pancakes eh, there are things like mooltipass where the key lives in hardware.

I mean, it's not very secure hardware and definitely not physically, but it's probably fairly resilient to having your actual host thoroughly compromised.

@hacks4pancakes I want to understand the rationale behind the "change all your passwords" stuff I see going around. If you had a long password, and you are using unique passwords, and 2FA for things that matter, I am struggling to work out what the rush to change passwords is?

Especially considering, this happened months ago.

Am I missing a piece here?

@zate it really depends on exactly how strong and unique your master password is. The problem is that in an offline attack folks have all the time in the universe to dictionary attack.
@hacks4pancakes might as well switch to a new one that is easier to use and more #secure (#FLOSS and never #hacked) such as #BitWarden or possibly #KeyPass
@hobs this is exactly the thing I’m warning against in this thread. For abnormally techy people who will spend the time to do it properly, sure! Also “never hacked” is like saying “it’s awfully quiet” and almost always leads to despair. But this is not good advice for the vast majority of people.
@hacks4pancakes I used to be a long time LastPass user but their increasing security breaches made me jump ship to Bitwarden; the transition was less cumbersome than expected and has worked out fine for me so far. Still, I can't convince my boomer mom to stop writing her passwords in a notebook only she understands - maybe it's her low-tech way of doing what I do with 2FA and a password manager.
@hacks4pancakes I'm a fan of 1Password, myself.
@hacks4pancakes don't stop using password managers because a single password manager has a security issue. If you did this every time a product had a security issue you wouldn't have any products left to use. It's not if they have a security issue, it's how they handle it. Everyone is essentially buying time between hacks.
@patrickcmiller @hacks4pancakes They all have this same issue. That if someone gets the encrypted blob, yes, they can attack it offline. All of them have that issue. It's literally the entire job of the thing to make the encrypted blob.
@zate @hacks4pancakes well said. And so true. It all comes down to the time/cycles needed to break the encrypted blob.
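The two points above (an offline attack on a stolen vault is bounded only by how much work each guess costs, and that work comes down to time and cycles) can be put into numbers. The following is an added example, not code from the thread or from any password-manager vendor: it derives a vault key with PBKDF2-HMAC-SHA256 (a common but not universal choice; real products also use other KDFs and their own, unknown-here, iteration counts), then estimates expected exhaustive-search time for a few master-password strengths. The salt, the iteration counts and the attacker's HMAC throughput are constructed, illustrative figures, not measurements of any product or rig.

```python
import hashlib
import math
import time

# Constructed, illustrative parameters. None of these are any vendor's real settings.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATION_COUNTS = (5_000, 100_000, 600_000)
# Assumed raw HMAC-SHA256 throughput of an offline attacker (hypothetical figure).
ATTACKER_HMAC_PER_SECOND = 1e10


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Turn a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    A stolen vault is only as safe as this step: whoever holds the blob must run
    the same derivation for every guess, so the iteration count prices each guess.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def seconds_per_derivation(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock cost of one derivation on this machine (varies by host)."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("timing-probe", SALT, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, iterations: int,
                           attacker_hmac_per_second: float = ATTACKER_HMAC_PER_SECOND) -> float:
    """Average time for an exhaustive offline search to hit the master password.

    Each guess costs `iterations` HMAC calls and, on average, half the keyspace
    is searched. Entropy bits raise the cost exponentially; iterations raise it
    linearly, which is why both the master password and the KDF settings matter.
    """
    guesses_per_second = attacker_hmac_per_second / iterations
    return 2 ** (bits - 1) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits (for the printed table)."""
    units = (("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def cost_table(password_specs, iteration_counts=ITERATION_COUNTS):
    """Map (label, iterations) -> expected crack time in seconds for each spec."""
    table = {}
    for label, alphabet, length in password_specs:
        bits = entropy_bits(alphabet, length)
        for iters in iteration_counts:
            table[(label, iters)] = expected_crack_seconds(bits, iters)
    return table


if __name__ == "__main__":
    specs = [
        ("8 random lowercase letters", 26, 8),
        ("12 random printable ASCII chars", 95, 12),
        ("6 random Diceware words (7776-word list)", 7776, 6),
    ]
    for iters in ITERATION_COUNTS:
        print(f"{iters:>8} iterations: one derivation here takes "
              f"{seconds_per_derivation(iters) * 1000:.1f} ms")
    for (label, iters), secs in cost_table(specs).items():
        print(f"{label:<42} @ {iters:>7} iters: {human_duration(secs)}")
```

The table shows the asymmetry worth explaining to users: going from 5,000 to 600,000 iterations buys a factor of 120, while going from eight lowercase letters to six random dictionary words buys tens of orders of magnitude. Higher iteration counts are a setting the vendor (or the user, where exposed) controls; the master password is the part the user controls entirely, which is the case for rotating it after a blob has been taken.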

@patrickcmiller @hacks4pancakes right, and having done a quick glance over whitepapers for LP and 1Password, I think sure, 1Password is likely to be doing something that looks a bit stronger.

But it's white papers, and I ain't a crypto guy. I just think that the stuff I am reading for both should be pretty good at protecting something that gets breached, given other good practices on the side of the consumer.

@zate @hacks4pancakes few of us really qualify as crypto people... 😀

@hacks4pancakes that is a good point, using LastPass is a significant bit better than using nothing.

I'd still recommend something that _isn't_ LastPass, but yeah.

@hacks4pancakes I just had the experience of seeing this toot in mastodon a few hours ago. A minute ago I was on Reddit looking up details of LastPass, and this toot was referenced and linked. It was a nice and unexpected feeling to see a post on Mastodon used as a source.
@hacks4pancakes it's lame people get all security paranoid about stuff. i like keepsafe personally, using a password manager trumps mfa IMO. feel free to spend 1n25 seconds guessing xD