Pour one out for all of the security practitioners who are going to have to spend the holidays patiently explaining that using a password manager is still good, actually, to people who have glanced at a headline about the latest LastPass breach.
@evacide I have always wondered about this. Given that the password manager has to send all your passwords to the browser in plain text, why not use the built-in password storing function of the browser? This would seem to reduce the attack surface?
@dwasmkuk @evacide But they don't, or am I misunderstanding you? The password manager "sends" the passwords encrypted to your browser and they're then decrypted when you view or fill the forms.
@troed @evacide that begs the question about the key used to encrypt the manager/browser comms. If the browser knows the key and is compromised, an attacker would have that key. Unless modern browsers have a dedicated API that allows pass through of encrypted passwords directly to the remote service?

@dwasmkuk The browser does not know the key - the user has to input it after a reboot, at regular intervals, etc. The strength of that user-known master password is what protects the (now leaked) vaults.

(I'm a LastPass user, with a very strong master password. I haven't done any mitigation, yet)

@troed do you enter the key/master password into the browser or into LastPass?
@dwasmkuk LastPass plugin or LastPass binary installation on the platform. Your question was whether the browser _knows_ the master password (as it does when using a browser keystore) which it doesn't.
@troed how are the individual passwords passed over the plugin/browser interface? In plain text?