
VellDarksbane t1_j1hphea wrote

Assuming everything is implemented in the way LastPass says it is, only if the attackers were still in the network and had set up a system to scrape passwords. From what they're saying, the attackers grabbed the encrypted vaults, which are useless without the master password, so anyone with a strong master password that hasn't been reused anywhere will be fine.

There are options for password managers if you don't trust LastPass, such as KeePass, which stores the database locally, so no third party has any ability to view it. You then have to worry about backing up the database itself to avoid a hard drive going bad wiping out your password vault, but it is free IIRC.

2

GlitteringAccident31 t1_j1htsf1 wrote

I think serving this locally for 99% of users is much more error prone.

Backing up to the cloud, serving from an instance for availability across devices, backups on a bucket somewhere. So many possible attack vectors.

Bitwarden is free as well.

3

VellDarksbane t1_j1jkgmp wrote

I agree, but being more error prone, and having to reset passwords more often, is better than password reuse for most users too. LastPass, Bitwarden, etc. all require you to trust the team you're purchasing it from to some degree. KeePass is fully offline, with no ability to sync, except what you do to keep the file synced.

For most end users' personal use, which is going to be many people in this thread, their backup is going to be a personal OneDrive/iCloud, a flash drive, or something like Backblaze if they're being fancy. They aren't going to be configuring S3 buckets to keep their 50-100 password database backed up, if they back it up at all.

1