Posted by mooreds 8 hours ago
1- Tradeoff individual account risk, for systemic risk. You may argue password managers are safe, but few would argue that the risk model reduces the risk of individual password leaks more than the risk of all your passwords leaking. It's a tradeoff.
2- Cat and mouse security: There's a class of security decisions that work because they are new and different. First the weakness was that passwords were short, then you make passwords long but unmemorable, so people rely on some other mechanisms to authenticate, like a file on their computer, a drive, a fingerprint, facial recog, which may in turn be protected by a second factor password.
At first the new security model will not be stressed, but as more users migrate from one security model to the next one, that's when you are able to compare the security of both technologies, it starts being a juicy enough target that it becomes attacked.
So we are at the point where password managers are used enough that they start becoming worthwhile targets of attack (to overcome the difficulty of vulnerating them).
Also worth noting that these attacks are more winner-takes-all. In the sense that rather than seeing one account hacked every couple of hours, you will see them all hacked at once, because you introduced a vendor in the password supply chain AND because the vendor centralizes all of the passwords. So target that one vendor and from a single attack you get all the spoils. So when comparing the security of the olden method and the new, just 1 incident is enough to undo all of the reputational gains it has made over the years.
I don't think password managers which store encrypted vaults are less safe than trying to have and juggle strong unique-per-domain passwords, even if you think that the password manager is becoming a target.
I do think there are some cases where an online password manager makes sense, e.g. for businesses, but for individuals it's better to just stick with an offline password manager, at least for the high value accounts.
But if even that is too much then f.ex. `keepass` + a scheduled script to periodically backup to your own servers is also perfectly viable.
Wait. That's a thing? Like, there are drooling, mouth-breathing stooges out there that would trust not just one of their passwords to such a thing, but all their passwords to it?
And it's not unheard of that infections metastize, whether into developer accounts, product code... Probabilistically, this was a shot on goal.
I apologize for the mixed metaphors.
For backup, the hardware security key let's you download a file from it with all of your passwords encrypted, and the decryption password it's shown on it's screen (something like 12 random words)
https://news.ycombinator.com/item?id=48647272
Third time's the charm
The specific dependency that gets companies infected, and the optics that result, are so important. There have been sillier examples, but you can see how in this case, the priority of sales and profits has resulted in the sacrifice of the main quality measure of their main and only product.
What do you mean exactly here What do you think LastPass could have done to prevent this specific issue?
customer names, phone numbers, email addresses, physical addresses, support case data, sales-related data.
But LastPass does (Salesforce CNAME):
https://support.lastpass.com/s/?language=en_US
So this couldn't have happened to bitwarden, you own the reputation loss if any of your suppliers get owned. Though it really doesn't matter anymore for LastPass they leaked their customers vaults before, I have no idea how they can still be in business.
It's worth noting that this is not 'their marketing provider' what they do is load 30 different providers for some reason, to maximize the reach of their data sharing and advertising network. Well, their network reached too far and touched an infected node.
To be fair, and I don’t want to, supposedly the only thing that was compromised was contact info. No vaults were exfiltrated or unlocked (as far as the article info goes).
So this is really just another very boring info breach, not a targeted password-stealing hack.
The other breaches they suffered were worse.
Private company third party password managers are bad. Across the board. They're a bad idea.
Deeply localized actual best practices can help solve this. Private companies can also help, but only if it isn't in the form of "you can't have this unless you pay for it." The point is, it's like fighting fires, you can't isolate it.
It's a complete dead-end and the sooner the industry realizes this the better.