But anybody that somehow feels a burst of anger at the title of this thread should actually read the article (it's very good) and then make their own research about what happened with the August disclosure. There are just too many possible attacks opened by lastpass that I don't think we should clear lastpass of any fault here, this is before we go into the fact that they are downplaying the unencrypted fields portion of it by not listing specifically which fields are unencrypted, something that is important because hackers straight up 100% have that information already, so the users should also have that information to see what steps if any they should take.Īs for lastpass disclosing, once you get to a company of a certain size leakage of information becomes ever more likely, so not disclosing would be a massive risk, for most companies far bigger than disclosing, at least if you are serving the EU because failure to disclosing this type of information in a timely manner can see you get finned with I believe up to 4% global turnover (not just profit), which can be pretty massive.Īnyway yes it is better to create a vault and assume it is going to get leaked at some point, and proceed accordingly, however that does not at all invalidate lastpass from their responsibility here.įirst, trust me, I completely understand where you're coming from.
Bitwarden reset password password#
But that's about it.Įven if you have a secure password, this leak still opens angles of attack that are 100% down to lastpass security practices, it is not unreasonable to have assumed that all information you stored on their servers (password related not payment info related) would be encrypted, and it isn't, having URL information associated with a name no less can lead to not only stronger phishing attempts, but straight up blackmail, like say if you are a priest or a conservative or whatever, and all of a sudden, you have a password for (which btw just so it is clear there is nothing wrong with that, but conservatives and the Catholic Church will be bigoted), that can easily create an attack vector for blackmail, and there are just countless things like this, including may I point out regarding abortions in the US currently, where it is illegal to have them in certain states and people unrelated at all to the abortion can sue people that had them and what not. It's understandable if people are iffy about attackers getting access to a list of what sites you have accounts with. That the website URLs are unencrypted was a bad mistake by LastPass, so if anything should be criticized here, it's that. As long as you're not treating your own security as a joke, LastPass isn't going to make you any less secure.Įdit: I misread part of the official blog post on my first reading. That LastPass actually told you about this attack is a point in their favor when most companies in their position would likely try to shove the whole thing under the rug and hope nobody notices. If you're one of those "I'm deleting my LastPass account" people as a result of this break-in, you're acting irrationally and doing yourself no favors. LastPass has done everything right from what I can see on my end. That's why it's just as important for me to make sure whatever damage can be done once you get past the barriers I have set up is minimal. When I design server security, I start with the assumption that nothing I do can fully protect against a focused attack. They have also communicated clearly with both customers and authorities. In this case, LastPass has made sure that any stolen data is basically worthless except in those cases where the customers themselves have deliberately ignored the LastPass password recommendations and put themselves at needless risk. What matters is how useful any stolen data is to the attackers and how the company that was attacked communicates with its customers and the authorities afterward. It's literally impossible for a company with an online presence to protect itself 100% from data theft. Whoever broke into LastPass has nothing of any real value outside of those accounts whose master passwords are "password1234" and such. The only people who need worry are the people who use crap master passworrds, and if you're one of those people, nothing LastPass could have possibly done would have made your data safe in any way, shape or form, nor will any other password manager save you from your own stupidity. WTF is this stupid-ass title and why is it still unchanged?Īs someone who works with computer security myself, this is a huge nothingburger.
0 kommentar(er)
