• Any incident is stressful, and at this time of year it is even worse. I feel really really bad for everyone involved.
• Relying on users to pick a strong master password is not realistic. The #1Password approach appears to make more sense - force a secure default in the face of determined attackers who may ultimately succeed.
• I suspect for many users the "notes" fields are more sensitive than their passwords. Passwords can be changed.
• #LastPass will hopefully reflect on what design decisions drove them not to encrypt URLs, and if they have made any similar risk trade-offs elsewhere.
• Attribution (if possible) matters here for all of our threat models.
• I've seen little discussion of how the breach occurred, although the movement from dev environment->cloud backup is telling. The entire IT industry has walked itself into a cloud security nightmare, with easy-to-make mistakes or compromises having potentially severe consequences for many companies.
• #Bitwarden appears marginally better than LP, but I'm not seeing anything fundamentally better? (see 2). More like out of the frying pan into a small pot.
• I spent some time mucking around with Bitwarden self-hosted. Some of the guides to self-hosting I read were downright dangerous, and certificates were a problem. I'm unconvinced it's a realistic answer for all but a small few.
• #infosec
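To make the second point concrete, here is an added illustration (not code from the thread or from any vendor) of why a device-held secret key changes the picture for a stolen encrypted backup: it is a simplified model of the 1Password-style "two secret" derivation, not their actual implementation, and the password, salt, wordlist and iteration count are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample values; not real user data.
MASTER_PASSWORD = "sunshine1"          # weak, human-chosen, present in any wordlist
SALT = b"constructed-per-account-salt"  # assumed stored alongside the vault (attacker has it)
ITERATIONS = 100_000

def derive_password_only(password: str) -> bytes:
    """Vault key depends only on what the user typed (LastPass-style model)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS, dklen=32)

def derive_with_secret_key(password: str, secret_key: bytes) -> bytes:
    """Simplified model (assumption, not 1Password's exact 2SKD): stretch the password as
    before, then mix in a 128-bit device-held secret key so the result needs both factors."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS, dklen=32)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()

def offline_guess(target_key: bytes, candidates, derive: Callable[[str], bytes]) -> Optional[str]:
    """Defender's view of a stolen vault: someone holding the encrypted blob runs candidate
    passwords through the known KDF; return the one reproducing the vault key, else None."""
    for cand in candidates:
        if hmac.compare_digest(derive(cand), target_key):
            return cand
    return None

# Constructed wordlist that happens to contain the user's password.
WORDLIST = ["password", "letmein", "sunshine1", "qwerty123"]

def demo() -> dict:
    # Generated once at enrollment, stored only on the user's devices, never on the server
    # or in the cloud backup, so it is absent from the stolen data.
    secret_key = secrets.token_bytes(16)
    key_a = derive_password_only(MASTER_PASSWORD)
    key_b = derive_with_secret_key(MASTER_PASSWORD, secret_key)
    # Password-only: the weak master password falls to a four-entry wordlist.
    found_a = offline_guess(key_a, WORDLIST, derive_password_only)
    # With the secret key: the KDF is public, but the secret key is not, so even the
    # correct password yields the wrong key; the search space becomes wordlist x 2**128.
    unknown = bytes(16)  # stand-in for "the attacker does not have the secret key"
    found_b = offline_guess(key_b, WORDLIST, lambda p: derive_with_secret_key(p, unknown))
    return {"password_only": found_a, "with_secret_key": found_b,
            "guess_space_without_secret": len(WORDLIST),
            "guess_space_with_secret": len(WORDLIST) * 2 ** 128}
```

The trade-off the post alludes to is visible too: losing the secret key means losing the vault, which is why the default must be forced and backed up for the user rather than left to them.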

    @securopean I hate to pick a nit in the context of all your good work here, but I disagree that attribution matters, and especially that it matters to our threat models.

    What we know is one attacker was caught. We can't know their motives or what they'll do over time. We can make assumptions about those which (generally) lead to us convincing ourselves that all the very hard work of changing lots of passwords doesn't matter.

@adamshostack @securopean To put it another way, if Putin dies tomorrow, and Russia suddenly becomes a utopian state based on peace, love and universal harmony, and all those Russian hackers disappear, the threat model hasn't changed.
    Maybe the likelihood of a regionally-exposed threat being exploited decreases, but that's a bit of a stretch, given how many other threat actors there are, and assuming that the knowledge escapes and is spread to parts of the world that still want into your data.