| 1 |
Rich Freeman wrote: |
| 2 |
> On Wed, Feb 17, 2021 at 3:01 AM Dale <rdalek1967@×××××.com> wrote: |
| 3 |
>> I suspect a lot of users are going to be moving from Lastpass because of |
| 4 |
>> this change. If their service was far better then people may pay it. |
| 5 |
>> Thing is, it isn't. As was pointed out in a couple things I read, they |
| 6 |
>> have been hacked in the past. What was taken was encrypted but still, |
| 7 |
>> they got hacked. |
| 8 |
> So, while I echo most of the sentiments in this thread already so I |
| 9 |
> won't repeat them, I do try to be careful about how I look at past |
| 10 |
> reports of hacks. |
| 11 |
> |
| 12 |
> Important considerations are: |
| 13 |
> 1. Why were they hacked? |
| 14 |
> 2. What did they do when they were hacked? |
| 15 |
> 3. What were the consequences? |
| 16 |
> 4. What is likely to happen in the future? |
| 17 |
> |
| 18 |
> When it comes to security the future is much more important than the |
| 19 |
> past. We look at the past as a predictor of the future. However, you |
| 20 |
> have to always keep this in mind. |
| 21 |
> |
| 22 |
> One thing I admire about Lastpass is that when they were hacked, they |
| 23 |
> immediately went public with it, disclosing at all times what was |
| 24 |
> known and explaining the impact to customers as best as they |
| 25 |
> understood it. They took steps to get users to change passwords/etc |
| 26 |
> which would protect them if the encrypted data was cracked in the |
| 27 |
> future. The way they handled the incident definitely made their |
| 28 |
> customers safer. |
| 29 |
> |
| 30 |
> Likewise as best as anybody can tell the consequences of the breach |
| 31 |
> were very limited. They ensured that customer vaults had solid |
| 32 |
> encryption, which gave them defense in depth - the breach of the |
| 33 |
> encrypted data wasn't able to be leveraged into a breach of the |
| 34 |
> unencrypted password data inside. |
| 35 |
> |
| 36 |
> These should both be seen as factors in their favor, and it is the |
| 37 |
> sort of thing that you can't really see until somebody is actually |
| 38 |
> hacked. |
| 39 |
> |
| 40 |
> I think one of the more concerning issues for their future was the |
| 41 |
> change in management when logmein bought them. I think people had |
| 42 |
> concerns about the new management. |
| 43 |
> |
| 44 |
> I definitely like that bitwarden is FOSS. One concern with ANY of |
| 45 |
> these web-based tools is that while they may very well be securely |
| 46 |
> implemented, the fact is that the actual code is remotely managed. At |
| 47 |
> any time somebody who obtains control over their infra could push out |
| 48 |
> updates that cause your client to compromise your data in a number of |
| 49 |
> ways. This requires more sustained control than just a quick snatch |
| 50 |
> of the encrypted cloud password store, but it is definitely a risk, |
| 51 |
> whether the code is FOSS or not. After all, Gentoo is FOSS, but if |
| 52 |
> somebody was able to gain control over the repositories/keys/etc they |
| 53 |
> could push literally anything in an update to your system, and unless |
| 54 |
> you're looking very carefully at your ebuilds you could have arbitrary |
| 55 |
> code running as root in no time. Obviously that is something infra |
| 56 |
> and the portage design tries to make unlikely, but it is definitely a |
| 57 |
> threat model really for any software distribution of any kind. The |
| 58 |
> automated nature of updates to these cloud-based password managers |
| 59 |
> makes these sorts of attacks potentially easier to pull off (though |
| 60 |
> I'd they would have resources dedicated to detecting a compromise like |
| 61 |
> this and mitigating it). |
| 62 |
> |
| 63 |
|
| 64 |
|
| 65 |
I was actually using Lastpass when the hack happen. I even mentioned |
| 66 |
earlier that while they were hacked, the hackers didn't gain anything |
| 67 |
because what they got was encrypted. Still, they are closed source. If |
| 68 |
their code was open source then it could be that the hack would not have |
| 69 |
happened since someone would have spotted the hole the hackers used. |
| 70 |
Who knows if there is another hole that hasn't been discovered yet. I |
| 71 |
didn't know about Lastpass being bought so this explains why the change |
| 72 |
is likely happening. After all, the new owners had to spend money to |
| 73 |
buy Lastpass and one way to get it back is to make more people pay or |
| 74 |
raise prices on the ones that already pay, or both. |
| 75 |
|
| 76 |
I've already switched. The export and import was easy enough. While |
| 77 |
the GUI looks different, it seems to do the same things. It's early yet |
| 78 |
but so far, it works well enough. I suspect we are not alone in this |
| 79 |
switch. Others may switch to something besides Bitwarden but I bet |
| 80 |
Lastpass is losing a lot of users. |
| 81 |
|
| 82 |
Dale |
| 83 |
|
| 84 |
:-) :-) |
Archives