Friday, December 23, 2022

The last straw for LastPass


How does a password management company make such a grave error as not protecting URLs? Knowing that someone has an account on a questionable website is sensitive in and of itself, even without the username or password, and by sensitive I mean it can get folks killed in some places.
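As an added illustration (not code from this post or from LastPass), here is a Go sketch of the difference between a vault format that encrypts only the credential fields and one that encrypts the whole record, together with the check a vault owner can run on a stored or exported blob to see whether site URLs are readable without the key. The record layout, the fixed key and the sample entry are constructed assumptions, not any real vault's format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
)

// VaultEntry is a constructed, simplified record; real vault formats differ.
type VaultEntry struct{ URL, Username, Password string }

// seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext.
func seal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error in this demo
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// SerializeFieldLevel encrypts only the credential fields; the URL sits beside them in cleartext.
func SerializeFieldLevel(key []byte, e VaultEntry) []byte {
	blob, _ := json.Marshal(map[string]interface{}{ // []byte values become base64 strings
		"url":      e.URL, // readable by anyone holding the stored blob
		"username": seal(key, []byte(e.Username)),
		"password": seal(key, []byte(e.Password)),
	})
	return blob
}

// SerializeWholeRecord encrypts the entire record, URL included.
func SerializeWholeRecord(key []byte, e VaultEntry) []byte {
	plain, _ := json.Marshal(e)
	return seal(key, plain)
}

// LeaksURL is the check to run on a stored or exported blob: is the site URL readable without the key?
func LeaksURL(blob []byte, url string) bool {
	return bytes.Contains(blob, []byte(url))
}
```

The same check applies to any field you consider sensitive; here only the URL and the encrypted credentials differ between the two layouts.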

Such metadata is also useful for targeted phishing, so if you're a LastPass user you may see an increase in phishing emails. Since the breach itself was months ago, though, that increase may already have happened.

Password managers are still good, of course, but maybe not this particular one, and maybe not online ones. Online password managers are incredibly valuable targets, while each of us individually is generally not. An offline password manager would require an attacker to get through your own defenses to compromise you, instead of compromising millions of users at once.