Submitted by BasedSweet t3_10z1kx5 in technology
FatedMoody t1_j85zcsf wrote
Reply to comment by spsteve in Millions of passwords stolen from LastPass earlier than company disclosed: Report by BasedSweet
Hey already replied first time without attitude even though you called my arguments bad without even understanding how LastPass works. Do you now see how LastPass going bankrupt or offline isn’t that big a deal as opposed to losing a piece of paper with all your passwords and no backup?
Now as for your follow up question. Yes if you updated a bunch of passwords at your office and LastPass goes down other devices won’t get the updates. However this shouldn’t be that big an issue since the work computer should have those changes you made locally
spsteve t1_j869c9r wrote
Next question; what happens if someone breaches last pass and destroys the vaults and nukes the backups (and given they've been so heavily breached, and I have 0 confidence in them corporately to store safe backups) then what.
My initial point was, there are lots of good reasons to argue against paper vs password manager, but loss isn't one of them. Anything can be lost, and with these companies getting breached at this level (including some having backups deleted) I don't think THAT is the argument to use.
Finally, I am genuinely curious; when have you used lastpass in an offline state? Like why??? LOL If your network is down, what are you signing into you don't have memorized?
FatedMoody t1_j877bdj wrote
> what happens if someone breaches last pass and destroys the vaults and nukes the backups (and given they've been so heavily breached, and I have 0 confidence in them corporately to store safe backups) then what.
I don't see this any different than your previous scenario. All your devices should have local copies. Sure, they may be a bit out of date but for the most part you should have most of your credentials
>My initial point was, there are lots of good reasons to argue against paper vs password manager, but loss isn't one of them
Well then we disagree. In my mind of the major features for LastPass is redundancy and they are more likely to be much better at it than I am and worse case I have copies on my devices. Truly losing a password can be extremely devastating, case in point (though an extreme example):
https://www.bbc.com/news/technology-55645408
>LOL If your network is down, what are you signing into you don't have memorized?
Imagine laptop you don't use often being locked and you're on a plane with your phone in airplane mode...
spsteve t1_j878g8s wrote
What I meant by destroy the vaults is corrupt them. Then your devices syncs the corrupted one. Done.
As for the use case, fair enough. I don't know I've ever had that issue as my physical devices all have passwords I remember and their passwords never leave my brain. If my physicals get compromised it is game over for everything else as far as I am concerned.
FatedMoody t1_j879aee wrote
Sure ok if there is a massive breach and that corrupts all your passwords and destroys backups but still allows to sync with every device you have destroying those copies and those devices also don’t have backups then yes you might be in trouble. No solution is absolutely foolproof. However what’s more likely, the scenario described here or someone accidentally throwing away their password list or it being lost in some home accident? That’s literally single point of failure
spsteve t1_j87aknf wrote
Normally I would agree with you, but given the level of breach suffered here AND the ABSOLUTE lack of transparency by the company, I wouldn't rule it out as an unreasonable concern.
With all the government supported bad actors in the world today the threat landscape has changed. State sponsored hacks designed to cause economic damage are becoming more and more common place. Sites like this are huge targets.
For the home user this is a difficult game but for the enterprise a well designed self-hosted solution (bitwarden for example) is the way to go right now IMHO.
Any of the big "public" cloud options are just too juicy a target. It is fairly trivial to set up your own reasonably redundant manager now if you're a company. The real issue is for the home user going forward. (But most home users have such horrible security posture i suppose it doesn't matter either).
Viewing a single comment thread. View all comments