Viewing a single comment thread. View all comments

spsteve t1_j869c9r wrote

Next question; what happens if someone breaches last pass and destroys the vaults and nukes the backups (and given they've been so heavily breached, and I have 0 confidence in them corporately to store safe backups) then what.

My initial point was, there are lots of good reasons to argue against paper vs password manager, but loss isn't one of them. Anything can be lost, and with these companies getting breached at this level (including some having backups deleted) I don't think THAT is the argument to use.

Finally, I am genuinely curious; when have you used lastpass in an offline state? Like why??? LOL If your network is down, what are you signing into you don't have memorized?

1

FatedMoody t1_j877bdj wrote

> what happens if someone breaches last pass and destroys the vaults and nukes the backups (and given they've been so heavily breached, and I have 0 confidence in them corporately to store safe backups) then what.

I don't see this any different than your previous scenario. All your devices should have local copies. Sure, they may be a bit out of date but for the most part you should have most of your credentials

>My initial point was, there are lots of good reasons to argue against paper vs password manager, but loss isn't one of them

Well then we disagree. In my mind of the major features for LastPass is redundancy and they are more likely to be much better at it than I am and worse case I have copies on my devices. Truly losing a password can be extremely devastating, case in point (though an extreme example):

https://www.bbc.com/news/technology-55645408

>LOL If your network is down, what are you signing into you don't have memorized?

Imagine laptop you don't use often being locked and you're on a plane with your phone in airplane mode...

1

spsteve t1_j878g8s wrote

What I meant by destroy the vaults is corrupt them. Then your devices syncs the corrupted one. Done.

As for the use case, fair enough. I don't know I've ever had that issue as my physical devices all have passwords I remember and their passwords never leave my brain. If my physicals get compromised it is game over for everything else as far as I am concerned.

1

FatedMoody t1_j879aee wrote

Sure ok if there is a massive breach and that corrupts all your passwords and destroys backups but still allows to sync with every device you have destroying those copies and those devices also don’t have backups then yes you might be in trouble. No solution is absolutely foolproof. However what’s more likely, the scenario described here or someone accidentally throwing away their password list or it being lost in some home accident? That’s literally single point of failure

1

spsteve t1_j87aknf wrote

Normally I would agree with you, but given the level of breach suffered here AND the ABSOLUTE lack of transparency by the company, I wouldn't rule it out as an unreasonable concern.

With all the government supported bad actors in the world today the threat landscape has changed. State sponsored hacks designed to cause economic damage are becoming more and more common place. Sites like this are huge targets.

For the home user this is a difficult game but for the enterprise a well designed self-hosted solution (bitwarden for example) is the way to go right now IMHO.

Any of the big "public" cloud options are just too juicy a target. It is fairly trivial to set up your own reasonably redundant manager now if you're a company. The real issue is for the home user going forward. (But most home users have such horrible security posture i suppose it doesn't matter either).

1