Rich Freeman wrote:
> On Wed, Feb 17, 2021 at 3:01 AM Dale <rdalek1...@gmail.com> wrote:
>> I suspect a lot of users are going to be moving from Lastpass because of
>> this change.  If their service was far better then people may pay it.
>> Thing is, it isn't.  As was pointed out in a couple things I read, they
>> have been hacked in the past.  What was taken was encrypted but still,
>> they got hacked.
> So, while I echo most of the sentiments in this thread already so I
> won't repeat them, I do try to be careful about how I look at past
> reports of hacks.
>
> Important considerations are:
> 1. Why were they hacked?
> 2. What did they do when they were hacked?
> 3. What were the consequences?
> 4. What is likely to happen in the future?
>
> When it comes to security the future is much more important than the
> past.  We look at the past as a predictor of the future.  However, you
> have to always keep this in mind.
>
> One thing I admire about Lastpass is that when they were hacked, they
> immediately went public with it, disclosing at all times what was
> known and explaining the impact to customers as best as they
> understood it.  They took steps to get users to change passwords/etc
> which would protect them if the encrypted data was cracked in the
> future.  The way they handled the incident definitely made their
> customers safer.
>
> Likewise as best as anybody can tell the consequences of the breach
> were very limited.  They ensured that customer vaults had solid
> encryption, which gave them defense in depth - the breach of the
> encrypted data wasn't able to be leveraged into a breach of the
> unencrypted password data inside.
>
> These should both be seen as factors in their favor, and it is the
> sort of thing that you can't really see until somebody is actually
> hacked.
>
> I think one of the more concerning issues for their future was the
> change in management when logmein bought them.  I think people had
> concerns about the new management.
>
> I definitely like that bitwarden is FOSS.  One concern with ANY of
> these web-based tools is that while they may very well be securely
> implemented, the fact is that the actual code is remotely managed.  At
> any time somebody who obtains control over their infra could push out
> updates that cause your client to compromise your data in a number of
> ways.  This requires more sustained control than just a quick snatch
> of the encrypted cloud password store, but it is definitely a risk,
> whether the code is FOSS or not.  After all, Gentoo is FOSS, but if
> somebody was able to gain control over the repositories/keys/etc they
> could push literally anything in an update to your system, and unless
> you're looking very carefully at your ebuilds you could have arbitrary
> code running as root in no time.  Obviously that is something infra
> and the portage design tries to make unlikely, but it is definitely a
> threat model really for any software distribution of any kind.  The
> automated nature of updates to these cloud-based password managers
> makes these sorts of attacks potentially easier to pull off (though
> I'd they would have resources dedicated to detecting a compromise like
> this and mitigating it).
>


I was actually using Lastpass when the hack happened.  I even mentioned
earlier that while they were hacked, the hackers didn't gain anything
because what they got was encrypted.  Still, they are closed source.  If
their code was open source then it could be that the hack would not have
happened since someone would have spotted the hole the hackers used.
Who knows if there is another hole that hasn't been discovered yet.  I
didn't know about Lastpass being bought so this explains why the change
is likely happening.  After all, the new owners had to spend money to
buy Lastpass and one way to get it back is to make more people pay or
raise prices on the ones that already pay, or both.

I've already switched.  The export and import was easy enough.  While
the GUI looks different, it seems to do the same things.  It's early yet
but so far, it works well enough.  I suspect we are not alone in this
switch.  Others may switch to something besides Bitwarden but I bet
Lastpass is losing a lot of users. 

Dale

:-)  :-) 
