Rich Freeman wrote:
> On Wed, Feb 17, 2021 at 3:01 AM Dale <rdalek1967@×××××.com> wrote:
>> I suspect a lot of users are going to be moving from Lastpass because of
>> this change. If their service was far better then people may pay it.
>> Thing is, it isn't. As was pointed out in a couple things I read, they
>> have been hacked in the past. What was taken was encrypted but still,
>> they got hacked.
> So, while I echo most of the sentiments in this thread already so I
> won't repeat them, I do try to be careful about how I look at past
> reports of hacks.
>
> Important considerations are:
> 1. Why were they hacked?
> 2. What did they do when they were hacked?
> 3. What were the consequences?
> 4. What is likely to happen in the future?
>
> When it comes to security the future is much more important than the
> past. We look at the past as a predictor of the future. However, you
> have to always keep this in mind.
>
> One thing I admire about Lastpass is that when they were hacked, they
> immediately went public with it, disclosing at all times what was
> known and explaining the impact to customers as best as they
> understood it. They took steps to get users to change passwords/etc
> which would protect them if the encrypted data was cracked in the
> future. The way they handled the incident definitely made their
> customers safer.
>
> Likewise as best as anybody can tell the consequences of the breach
> were very limited. They ensured that customer vaults had solid
> encryption, which gave them defense in depth - the breach of the
> encrypted data wasn't able to be leveraged into a breach of the
> unencrypted password data inside.
>
> These should both be seen as factors in their favor, and it is the
> sort of thing that you can't really see until somebody is actually
> hacked.
>
> I think one of the more concerning issues for their future was the
> change in management when logmein bought them. I think people had
> concerns about the new management.
>
> I definitely like that bitwarden is FOSS. One concern with ANY of
> these web-based tools is that while they may very well be securely
> implemented, the fact is that the actual code is remotely managed. At
> any time somebody who obtains control over their infra could push out
> updates that cause your client to compromise your data in a number of
> ways. This requires more sustained control than just a quick snatch
> of the encrypted cloud password store, but it is definitely a risk,
> whether the code is FOSS or not. After all, Gentoo is FOSS, but if
> somebody was able to gain control over the repositories/keys/etc they
> could push literally anything in an update to your system, and unless
> you're looking very carefully at your ebuilds you could have arbitrary
> code running as root in no time. Obviously that is something infra
> and the portage design tries to make unlikely, but it is definitely a
> threat model really for any software distribution of any kind. The
> automated nature of updates to these cloud-based password managers
> makes these sorts of attacks potentially easier to pull off (though
> I'd think they would have resources dedicated to detecting a compromise like
> this and mitigating it).
>


I was actually using Lastpass when the hack happened. I even mentioned
earlier that while they were hacked, the hackers didn't gain anything
because what they got was encrypted. Still, they are closed source. If
their code was open source then it could be that the hack would not have
happened since someone would have spotted the hole the hackers used.
Who knows if there is another hole that hasn't been discovered yet. I
didn't know about Lastpass being bought so this explains why the change
is likely happening. After all, the new owners had to spend money to
buy Lastpass and one way to get it back is to make more people pay or
raise prices on the ones that already pay, or both.

I've already switched. The export and import was easy enough. While
the GUI looks different, it seems to do the same things. It's early yet
but so far, it works well enough. I suspect we are not alone in this
switch. Others may switch to something besides Bitwarden but I bet
Lastpass is losing a lot of users.

Dale

:-) :-)