I am once again asking you to stop using LastPass. The company has a history of security issues dating back years, and has yet to make holistic security improvements — or heck even investigate incidents properly.

Good alternatives:

- 1Password is my #1 rec, best for most use cases
- Bitwarden if you want open source
- KeePassXC if you want local vaults and open source
- I hear ok things about Dashlane but don’t know a ton

blog.lastpass.com/2022/12/noti

@jacob Do we have any real evidence that #1Password is any better? I do not think that lack of admitted breaches should be taken as evidence that none have occurred.

Any major password manager is going to be targeted by significant adversaries. I would suggest that having the encrypted databases compromised is par for the course and should be assumed into the threat model.

Is 1Password's model technically better than #LastPass, if we assume full DB access by an adversary?

@kadin I am quite confident in 1Password’s case that:

A) they have not suffered a breach of encrypted vaults yet (95% confidence)

B) if they did they would disclose immediately (99.5% confidence)

C) stolen encrypted vaults would be secure enough against adversaries that decrypting them in bulk would take years/cost millions (85% confidence)

I’d place money on any of these bets
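An added illustration of the cost argument behind claim (C), written for this page and not code from any poster, 1Password or LastPass: vault keys are typically derived from the master password with a slow KDF, so the attacker's work against a stolen encrypted database scales linearly with the iteration count, and a design that mixes in a random device-held secret (a hypothetical `derive_vault_key_with_secret` here, not any vendor's documented scheme) removes the "guess the password against the stolen blob" path entirely. All throughput figures and iteration counts below are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # 31_557_600 s


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte vault key with PBKDF2-HMAC-SHA256.

    Every iteration the legitimate client runs once per unlock is work the
    attacker must repeat for every password guess against a stolen vault.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


def derive_vault_key_with_secret(
    password: str, secret_key: bytes, salt: bytes, iterations: int
) -> bytes:
    """Hypothetical two-secret design (an assumption for this example).

    A random 128-bit secret that lives only on the user's devices and is never
    stored server-side is combined with the stretched password.  An attacker
    holding only the server-side vault cannot test password guesses at all,
    because every candidate also needs the 128-bit secret.
    """
    stretched = derive_vault_key(password, salt, iterations)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def bulk_crack_seconds(
    n_vaults: int, guesses_per_vault: int, iterations: int, hmac_per_second: float
) -> float:
    """Lower-bound wall-clock seconds for an attacker with the stated
    HMAC-SHA256 throughput to run guesses_per_vault candidates against each
    of n_vaults stolen vaults.  Salts are assumed unique per vault, so work
    cannot be shared between vaults."""
    return n_vaults * guesses_per_vault * iterations / hmac_per_second


def bulk_crack_years(
    n_vaults: int, guesses_per_vault: int, iterations: int, hmac_per_second: float
) -> float:
    return bulk_crack_seconds(n_vaults, guesses_per_vault, iterations, hmac_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(16)  # constructed device-held secret
    key = derive_vault_key("correct horse battery staple", salt, 100_000)
    key2 = derive_vault_key_with_secret("correct horse battery staple", secret_key, salt, 100_000)
    print("PBKDF2 key:        ", key.hex())
    print("with device secret:", key2.hex())

    # Constructed scenario: 10 million stolen vaults, 1 million guesses each,
    # attacker throughput of 1e10 HMAC-SHA256 operations per second.
    for iterations in (5_000, 100_000, 600_000):
        years = bulk_crack_years(10_000_000, 1_000_000, iterations, 1e10)
        print(f"{iterations:>7} iterations -> {years:10.1f} attacker-years")
```

The point the numbers make is the one in (C): the iteration count is a linear cost multiplier the defender controls, while a second, never-uploaded secret changes the problem from "expensive" to "not guessable from the stolen data", which is why the question of what a vendor's KDF parameters and key-derivation inputs actually are matters more than whether a breach has been admitted.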


@jacob shouldn't your confidence in (B) be smaller than your confidence in (A)? Or do you mean "if they did and knew about it"?

@benwr no - the 5% in (A) allows for the “they have been breached but don’t know about it” scenario.

IOW, I’m incredibly confident (99%+) they’d disclose a breach, so the fact that they haven’t said anything means they’ve either not been breached (95%) or they have but haven’t detected it yet (5%)

@jacob @benwr The only thing that gives me pause here is the lack of open source, which (admittedly marginally) increases the chance that a vulnerability would be hidden from friendly eyes and the company might not know it had been exploited.
