
LastPass’ Vault Format has been “decoded” for a while now. This four-year-old GitHub repo has parsed out almost every field and was recently updated. Unfortunately, it looks trivial to have encrypted most of it as Bitwarden & 1Password both encrypt far more. As Leo & Steve noted, LastPass has stopped caring.

What LastPass stores and is not encrypted (mostly other bits look internal):
- Item’s login URL (LastPass’ weak reasoning why they refuse to encrypt URLs)
- Item’s attachment presence (actual attachment is encrypted)
- Item’s shared to an individual (yes / no)
- Item’s pw data: LastPass-generated or user-generated (yikes)
- Item’s type (login, secure note, bank account, etc.)

That is quite unfortunate because there’s nothing that can be done now on this plaintext data being exposed. This information, available immediately to the “threat actor”, allows them to make staggeringly simple sorts & priority lists of users.

Even though I deleted my LastPass account when the news broke, and have been moving to Bitwarden, I’m prepared to give LastPass the benefit of the doubt. I have come to this conclusion, even while listening to Steve’s take on things, because what guarantee do we have that the alternative is any better - I mean, really, unless you are going to self host Bitwarden and, possibly, not even then. That’s assuming the self hosted version is the same as the hosted one.

It’s all very well telling me Bitwarden is open source but, to me, that doesn’t matter if you aren’t looking at the code or don’t understand it. Just because Bitwarden is open source now doesn’t mean it’ll be so forever and, on that note, how are they making money if they give so much away for free. It also occurs to me that LastPass seemed to be doing everything right in the beginning, and people were singing its praises until they weren’t. The $10 plan, which provides the ability to generate 2FA codes, is probably not as useful as you think since I have to have a separate authenticator for the Bitwarden vault itself.

“If someone tells you who they are, believe them the first time.”
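The plaintext fields listed in the thread (URL, item type, user- vs. generator-chosen password, sharing, attachment presence) are what let anyone holding a stolen blob sort victims, so they are also what a victim can use to decide which of their own credentials to rotate first. The script below is an added example, not code from this thread or from the linked GitHub repo; the record layout is a constructed stand-in for parsed vault metadata and the weights and URL keywords are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class VaultItemMeta:
    """Only the fields the thread says LastPass stores unencrypted (constructed stand-in)."""
    name: str                 # our own label for the entry; not a vault field
    item_type: str            # login, secure note, bank account, ...
    url: str                  # login URL, stored in plaintext
    user_generated_pw: bool   # True if the user typed the password (likely reused elsewhere)
    shared: bool              # shared to another individual
    has_attachment: bool      # an attachment exists (its contents are encrypted)

# Assumed weights: every exposed field tells an attacker something, so each raises priority.
TYPE_WEIGHT = {"bank account": 5, "login": 3, "secure note": 2}
URL_KEYWORDS = ("bank", "crypto", "mail")   # findable by keyword because URLs are plaintext

def rotation_score(item: VaultItemMeta) -> int:
    """Higher score = rotate sooner. Purely a function of the plaintext metadata."""
    score = TYPE_WEIGHT.get(item.item_type, 1)
    if item.user_generated_pw:
        score += 4   # user-chosen passwords are the ones most likely reused across sites
    if item.shared:
        score += 1   # two people's access depends on the same secret
    if item.has_attachment:
        score += 1   # presence of a document hints at a higher-value record
    if any(k in item.url.lower() for k in URL_KEYWORDS):
        score += 3
    return score

def rotation_plan(items: List[VaultItemMeta]) -> List[Tuple[str, int]]:
    """Return (name, score) pairs, highest priority first; ties keep input order."""
    return sorted(((i.name, rotation_score(i)) for i in items), key=lambda t: -t[1])

# Constructed sample vault; none of these are real accounts.
SAMPLE = [
    VaultItemMeta("forum", "login", "https://forum.example.net/login", True, False, False),
    VaultItemMeta("bank", "bank account", "https://online.examplebank.com", True, False, True),
    VaultItemMeta("webmail", "login", "https://mail.example.org", False, True, False),
    VaultItemMeta("wifi note", "secure note", "", False, False, False),
]

if __name__ == "__main__":
    for name, score in rotation_plan(SAMPLE):
        print(f"{score:2d}  {name}")
```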
