Hacker News

I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.

With something like LastPass it's also much easier to create unique strong passwords for other sites.

Also, let's be real:

> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.

I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already. This has nothing to do with the security of your passwords stored in LP. They have some CRM, some person from their 800 employees clicked a sketchy link and it leaked that. It's not good, but its hardly an indictment of their product or usefulness

This.

If you want to be a security vendor reseller, just make sure to sell to orgs that have a compliance requirement, either by law or similar.

Do you sell firewalls? sell them to banks or something. Anti-malware endpoints? Insurances too. SIEMs? payment gateways for their PCI DSS environments.

Price it just below what would be the fine for not complying, that way you maximize the invoice.

I stopped playing the security vendor reseller game because it got too boring this way to make money.

And it will continue until we can sue company being breached for criminal negligence. Should a single company executive be personally liable in these situations, the scale of the problem would be orders of magnitude less severe because they would spend the appropriate amount of effort to cover their damn ass.

Because procurement is hard. Changing vendors is a big undertaking for big companies. They are certainly not going to be switching vendors every time there is an incident

At some companies, "approved security vendor" just means the breach comes with procurement paperwork.

Also use them as a password manager like an advanced version of Excel that fills in the passwords for you. Security isn't part of it. I have the feeling LastPass agrees.

It is inertia. Customers are sticky, they do not switch unless they have to. If you're an enterprise, you have to go through establishing a new vendor relationship, onboarding a new password vault with your IT team, communicate it across the org, migrate data from the old password vault to the new password vault, etc. There is a real cost in time and resources to do this, and so, many avoid it until they have no other choice.

Lastpass is owned by PE. Why? Because Francisco Partners and Elliott Management bought a cashflow that is sticky. Its why most software companies were acquired by PE prior to the Cambrian explosion of generative AI.

Moving to another solution involves some expense and operational risk (changing procedures, increased human error rates, locking yourself out). Even though the risk of staying with the existing solution goes from "unlikely" to "possible" (so maybe from yellow/amber to red), a lot of companies rationalize it as "but now the provider will be extra careful so the likelihood is actually lower".

Crowdstrike had a famous incident and is still probably #2 in the cybersecurity world. Sometimes assessing risk is a funny business.

it's "trivial" in the sense of "I can launch the app in 2 minutes," but "non-trivial" in the sense of "I have a working, synced password manager across my devices with good security practices."

KeePassXC is not for a "normal" user. It really needs to get default entry tempates [1] out the door.

[1] https://github.com/keepassxreboot/keepassxc/issues/8228

I use KeepassXC, but I have no need to share passwords with other people. In a corporate situation that would probably not work as well.

Passbolt and Bitwarden can be self-hosted on top of offering the usuals pros like MFA, an API incl. integrations (e.g. https://external-secrets.io/latest/provider/passbolt/) and a better UX that does not involve syncing files between team members

E2EE done properly is why. See 1Password security whitepaper for how.

This. KeePassXC plus Google Drive client is all you need.

But LastPass has been breached multiple times by now. I don't think they really care

What happened to the old days of only getting one chance to f-up? Once chance and they should be gone permanently.

Funny I used to work in an org with Okta.

Having your own auth workflow was instant fail with the well architected framework committee. Using Okta was instant pass.

I don't necessarily disagree with that policy but given that Okta was breached several times while I was working there, it was interesting the extent to which our CSO had blinders about it.

As someone that is not really in the game, does Okta have such a bad track record, and are there alternatives that are considered solid? From the outside, it seemed like EntraID is a bit of a burning dumpster fire, while Okta seemed expensive, but usable and decent (from comments I read)

Compare https://hn.algolia.com/?q=lastpass to basically any other password manager, like https://hn.algolia.com/?q=1password or https://hn.algolia.com/?q=bitwarden

Those companies do not have the same number and severity of security incidents. lastpass is truly in a category of its own

oh dang that's not good. I've had the same phone number since 2006 so I didn't really think about it

[delayed]

I am a vocal opponent to magic links via email (I am an unhinged person, in case it wasn't obvious before :) ).

I NEVER log into my mail from my laptop/desktop. I access my email via my phone's mail app.

So

1. try logging on via my laptop's browser

2. service sends a magic link to my email

3. click the link on my phone

4. now I'm logged in on my phone! not what I wanted!

The encrypted vaults, yes. Ideally they are worthless when the master password is sufficiently complex

Yes, in a separate breach.

No, Klue is a competitive intelligence tool for sellers. You use it to keep track of "battle cards" (i.e. if they are selling a deal vs. 1Password, sales rep would go into Klue to see what the advantages of LastPass are vs that specific competitor).

It's a purpose specific knowledge base, not a data broker or any sort. But it will surely have information of who you sold to or tried to sell to because of it.

does the UI have a compact mode?

How good is their mobile and sync story?

I was just making the change from LP to BW yesterday, completely by coincidence. My first reaction is that the out-of-box experience is poor.

The first step was easy. The account creation and import of legacy data all went pretty well. But after that it wasn't so pretty.

The first hurdle was trying to understand their model for sharing data (so my wife and I can share important credentials). The model that LastPass uses is pretty intuitive to me: it's just a matter of sharing a folder, so relatively transparent. But Bitwarden has a whole separate concept of "organization", and the items being managed don't go in "folders" here, but in "collections". So there are two separate, and subtly different, models in play, and this is confusing. The good news is that the client aggregates the data so when you're using it day-to-day to fill login forms, you don't have to worry about the differences.

Once I'd gotten the data in place, I had to get the clients set up on the various platforms (browser extensions; desktop native, which is actually required for the browser extension's security to work right; phone). The OoB settings were entirely paranoid, and had me re-entering the complex master password over and over, really annoying me. Figuring out how to get to a reasonable balance required figuring out some settings whose labels are misleading. For example, "Unlock with PIN" sounded to me like it was going to add an extra layer of security, but it turns out that it really means "allow unlock using PIN in lieu of master password".

Also, note that while most of the settings default to paranoia-level (like the "require master password every time I inhale", that I mentioned above), you will probably want to change the default crypto cypher. It defaults to PBKDF2, but a better modern approach is the other choice, Argon2id.

...which also reminds me that there's a distinct lack of parity between client platforms. Although you need the desktop native app to manage browser extension security, there's a bunch it can't do. For example, after importing my legacy data, I needed to select all the contents of my LP shared folders and move them to the BW organization collection, but the native app (which seems to be an Electron app, btw) doesn't have a multi-select feature; you need to do that in the online web app.

The problem is not the secrets vault. It's the casual acceptance of giving peoples data to third party processors. What value do last pass customers get from having their details passed on to a marketing firm? None. For all the talk of privacy and putting customers first they are acting like any other company in any other field.

Gmail is at least as large a target, and they don’t keep having breaches.

When they work… I finally gave up on 1Password as it has been getting worse and worse about actually autofilling for a few years. After all the Avengers turned into investors and the price increase was announced, I jumped ship. It felt like they were more worried about their ROI than the product. After 18 years of use, this was pretty disappointing.

You can and should have the best of both worlds. Using Enpass, the program _is_ local, it just backs up the entire database (encrypted SQLite3) to a cloud.

But if even that is too much then f.ex. `keepass` + a scheduled script to periodically backup to your own servers is also perfectly viable.

>At some point people started making it into a SaaS, because

Wait. That's a thing? Like, there are drooling, mouth-breathing stooges out there that would trust not just one of their passwords to such a thing, but all their passwords to it?

It became SaaS because its more practical when you have many devices or many users.

From a marketing perspective, a data breach of any kind looks horrible for a company whose entire job is keeping secrets safe.

I understand, just making a general comment.

And it's not unheard of that infections metastize, whether into developer accounts, product code... Probabilistically, this was a shot on goal.

I apologize for the mixed metaphors.

“ the priority of sales and profits has resulted in the sacrifice of the main quality measure of their main and only product”

What do you mean exactly here What do you think LastPass could have done to prevent this specific issue?

> the priority of sales and profits has resulted in the sacrifice of the main quality measure of their […] product

To be fair, and I don’t want to, supposedly the only thing that was compromised was contact info. No vaults were exfiltrated or unlocked (as far as the article info goes).

So this is really just another very boring info breach, not a targeted password-stealing hack.

The other breaches they suffered were worse.