• Any incident is stressful, and at this time of year is even worse. I feel really really bad for everyone involved.
• Relying on users to pick a strong master password is not realistic. The #1Password approach appears to make more sense - force a secure default in the face of determined attackers who may ultimately succeed.
• I suspect for many users the "notes" fields are more sensitive than their passwords. Passwords can be changed.
• #LastPass will hopefully reflect on what design decisions drove them not to encrypt URLs, and if they have made any similar risk trade-offs elsewhere.
• Attribution (if possible) matters here for all of our threat models.
• I've seen little discussion of how the breach occurred, although the movement from dev environment -> cloud backup is telling. The entire IT industry has walked itself into a cloud security nightmare, with easy-to-make mistakes or compromises having potentially severe consequences for many companies.
• #Bitwarden appears marginally better than LP, but I'm not seeing anything fundamentally better? (see 2). More like out of the frying pan into a small pot.
• I spent some time mucking around with Bitwarden self-hosted. Some of the guides to self-hosting I read were downright dangerous, and certificates were a problem. I'm unconvinced it's a realistic answer for all but a small few.
• #infosec

    @securopean we’ve been recommending Bitwarden for a while, ever since LastPass went to an almost-paid-only model. What would you cite as specific concerns with them, and should we consider recommending something else?
    @computercellar Hey, I haven't really looked into Bitwarden, but I'm wondering what I'm missing when people say they are moving from LP to BW, as the core product looks very similar to LastPass to me - encrypted online vaults, protected by user-chosen master passwords. (Obviously the self-hosted Bitwarden has a different risk model, and might be a good option for someone who really understands what they are doing.) 1Password has made an attempt at finding a solution to the weak master password problem, and some of the other options mentioned here take different approaches (e.g. storing data in a personal vault only).
    @securopean you’re only as secure as your master password, that’s for sure.