The painful thing for LastPass users who did unfortunately reuse their master password on other sites is that this case is now an *offline* attack - which means 2FA or changing one's LastPass web password (or even master password) won't help much - the attackers have a point-in-time snapshot of all the credentials in those stolen vaults. And if you were using a weak (or worse, previously leaked) master password when they were stolen, you're screwed.
@kennwhite Compromises like this are why I don't trust any password manager that backs data up to a server. Too much trust required of a big fat juicy target for attackers. Local storage only, thankyewverymuch, and I'll do my own backups and copying. It's not invulnerable, but I'm a smaller target and I control my own defenses.
@tknarr @kennwhite that’s defensible for techies, but non-experts may not be able to manage truly robustly recoverable local backup.
@georgewherbert @tknarr @kennwhite only to a limited degree. What do you do about portability that doesn't compromise the entire security of the storage? That's the issue.
@husbandpanda @tknarr @kennwhite All computer security is a tradeoff between usability and absolute security. In practice, usability includes degraded-mode recovery and the amount and complexity of normal use and normal administrative functions.
Most users won’t effectively and successfully back up locally, off the system itself, so anything like a power surge or computer intrusion may wipe the vault. Especially not remotely, so any fire or theft means service loss.
@husbandpanda @tknarr @kennwhite 1pass uses something you know (passcode), something you have (any of n devices with your passcode-encrypted master key), and remote storage with a better security model for a storage-opaque blob of secure data. Remote storage avoids local loss of the vault, a not uncommon issue for fallible normal users.
Doesn’t prevent everything, but a lot more end user failures are securely avoided, and the LastPass failure avoided.
@georgewherbert @tknarr @kennwhite Yeah, I was considering it for this reason. All tech work I've ever done involved either Thycotic or 1pass.