• Any incident is stressful, and at this time of year it is even worse. I feel really really bad for everyone involved.
  • Relying on users to pick a strong master password is not realistic. The #1Password approach appears to make more sense - force a secure default in the face of determined attackers who may ultimately succeed.
  • I suspect for many users the "notes" fields are more sensitive than their passwords. Passwords can be changed.
  • #LastPass will hopefully reflect on what design decisions drove them not to encrypt URLs, and if they have made any similar risk trade-offs elsewhere.
  • Attribution (if possible) matters here for all of our threat models.
  • I've seen little discussion of how the breach occurred, although the movement from dev environment->cloud backup is telling. The entire IT industry has walked itself into a cloud security nightmare, with easy-to-make mistakes or compromises having potentially severe consequences for many companies.
  • #Bitwarden appears marginally better than LP, but I'm not seeing anything fundamentally better? (see 2). More like out of the frying pan into a small pot.
  • I spent some time mucking around with Bitwarden self-hosted. Some of the guides to self-hosting I read were downright dangerous, and certificates were a problem. I'm unconvinced it's a realistic answer for all but a small few.
  • #infosec

    @securopean Take a look at the Mathematical Mesh. It is an infrastructure whose primary purpose is to manage private keys across multiple devices. It uses novel threshold cryptography to allow for a seamless user experience.

    The credential vault is end-to-end encrypted and only the user's endpoints ever have decryption capability.

    The system is designed to be resistant to certain types of supply chain manipulation of devices. It takes multiple compromises for any breach to occur.

    It is all open source and open specification and no proprietary service either. Open as in open.

    http://mathmesh.com/

    The Mathematical Mesh