  • Any incident is stressful, and at this time of year is even worse. I feel really really bad for everyone involved.
  • Relying on users to pick a strong master password is not realistic. The #1Password approach appears to make more sense - force a secure default in the face of determined attackers who may ultimately succeed.
  • I suspect for many users the "notes" fields are more sensitive than their passwords. Passwords can be changed.
  • #LastPass will hopefully reflect on what design decisions drove them not to encrypt URLs, and if they have made any similar risk trade-offs elsewhere.
  • Attribution (if possible) matters here for all of our threat models.
  • I've seen little discussion of how the breach occurred, although the movement from dev environment->cloud backup is telling. The entire IT industry has walked itself into a cloud security nightmare, with easy-to-make mistakes or compromises having potentially severe consequences for many companies.
  • #Bitwarden appears marginally better than LP, but I'm not seeing anything fundamentally better? (see 2). More like out of the frying pan into a small pot.
  • I spent some time mucking around with Bitwarden self-hosted. Some of the guides to self-hosting I read were downright dangerous, and certificates were a problem. I'm unconvinced it's a realistic answer for all but a small few.
  • #infosec
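    Added illustration, not part of the thread above: bullet 2 argues that a vault key derived from the master password alone leaves the user's password choice as the only defence once the vault data has been stolen, and that mixing in a high-entropy secret held only on the user's devices changes the picture. The example below is my own code, not 1Password's or LastPass's. The iteration count, salt, wordlist and 32-byte secret key are constructed values, and concatenating the secret key into the PBKDF2 input is a simplification of how a real product would combine the two.

```python
import hashlib
import hmac

# Assumed iteration count for this demonstration only; real products publish
# their own KDF parameters, which the thread does not state.
ITERATIONS = 100_000

# Constructed wordlist standing in for the guesses an offline attacker with a
# stolen vault would try. "Summer2022!" is the deliberately weak master
# password of our hypothetical user.
WORDLIST = ["password", "letmein", "Summer2022!", "correcthorse", "Winter2022!"]


def derive_vault_key(master_password: str, salt: bytes, secret_key: bytes = b"",
                     iterations: int = ITERATIONS) -> bytes:
    """Derive the vault key with PBKDF2-HMAC-SHA256.

    secret_key == b"" is the password-only model: everything needed to test a
    guess is in the stolen vault (the salt) plus the guess itself.
    A non-empty secret_key models the "secure default" the post attributes to
    1Password: a high-entropy value kept on the user's devices and never stored
    with the vault. Prepending it to the PBKDF2 password is a simplification of
    how a real product would combine the two (hypothetical construction).
    """
    material = secret_key + master_password.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def audit_wordlist(candidates, salt: bytes, verifier: bytes, secret_key: bytes = b""):
    """Defender's risk estimate: does any candidate reproduce the stolen
    verifier under the given model? Returns the matching candidate or None."""
    for cand in candidates:
        if hmac.compare_digest(derive_vault_key(cand, salt, secret_key), verifier):
            return cand
    return None


def compare_models(master_password: str = "Summer2022!"):
    """Run the same constructed wordlist against both models and report whether
    the weak master password alone was enough to reproduce the vault key."""
    salt = b"constructed-salt-0123"  # constructed; stored alongside the vault
    # Constructed 32-byte secret; in the modelled design it lives on the
    # user's devices and is NOT part of the stolen vault data.
    secret_key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

    pw_only_verifier = derive_vault_key(master_password, salt)
    with_secret_verifier = derive_vault_key(master_password, salt, secret_key)

    return {
        # Password only: a weak password present in the wordlist is recovered.
        "password_only": audit_wordlist(WORDLIST, salt, pw_only_verifier),
        # Same wordlist, but without the secret key: no candidate matches.
        "secret_key_missing": audit_wordlist(WORDLIST, salt, with_secret_verifier),
        # The legitimate user, who holds the secret key, still unlocks normally
        # (reusing the audit helper as an unlock check).
        "secret_key_present": audit_wordlist(WORDLIST, salt, with_secret_verifier, secret_key),
    }


if __name__ == "__main__":
    for model, result in compare_models().items():
        print(f"{model:20s} -> {result!r}")
```

    The point for the thread: in the password-only model the stolen ciphertext plus a user-chosen weak password is a complete offline guessing problem, so the user's choice is the whole defence. Adding a device-held secret turns the same stolen data into something the wordlist cannot test at all, which is what "force a secure default" buys, at the cost of the user having to keep that secret available on every device.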

    @securopean
    While I firmly believe a password manager is a good idea, the devil is in the details. The LastPass compromises have me thinking about some stuff around how that's set up and what my risks might actually be.

    Also what I should tell friends and fam that I know use LastPass.

    @ghost0x0 Absolutely, same here, and I'll be quizzed on this over Christmas. I'm currently (strongly) leaning towards the 1Password model when family ask me, but I don't know enough about the product yet to recommend it.

    @securopean
    I moved off of LastPass a while ago, but only just removed my LastPass about a month ago.

    I moved to Bitwarden; it's mostly what I recommend now. And I do tell people about KeePass also.
    And yeah, upcoming random pop quizzes will happen.

    @ghost0x0
    Same here, using and recommending Bitwarden as well. While the password manager should be a solid piece of software, I find it equally important to also educate the person you recommend one to about the importance of the master password and how to choose a good one.
    @securopean

    @bloc @securopean

    Yeah, solid on Bitwarden, but looking at it more deeply.

    @securopean

    So far, I am solid on Bitwarden, and that's what I recommend. BUT: I am looking more deeply at Bitwarden and its model.