1Password and LastPass are probably the two best known names in the password storage business, both having been around from 20, respectively. Both of these password managers are heavily vetted and constantly under scrutiny from security researchers, crackers, state security agencies, white hat hackers and more, with open bug bounty programs (though some considerably more generous than others), and are probably "safe" choices for the average computer user.

We've been using LastPass to manage our credentials since it first came out in 2008, and have been paying customers from just about when that option was first made available. Back in 2008, the internet was a very different place than it is today, especially when it comes to security. Since then, a lot has changed and the world has (hopefully) become a more security-conscious place, and security experts have come to a consensus on a lot of practices and approaches when it comes to encryption and the proper handling of sensitive data.

The idea here is not to bash LastPass in any way; the team behind LP has certainly done more in the name of computer security and making the web a more secure place than most other entities, save a select few. That said, and while we're hardly security researchers of the likes of Tavis Ormandy and others, recent issues with LastPass' approach to security have left us seriously questioning the value the LastPass team places on the security of user data compared to some of the other offerings currently available, and we've decided to make the switch to 1Password, which has a slightly better reputation among security experts due to its more thoughtfully designed security model and its approach to handling sensitive data (in both offline and cloud modes).

Assuming you have a sufficiently strong master password, the risk of bad actors getting your passwords from the breach is only minusculely higher now than it was before the breach. So the bad guys have to pick your vault out of 30 million to work on. Then they have to leverage multiple CPUs or GPUs to attack the vault. Your key is also salted (LP hasn't said if salts were taken) and hopefully has 100,100 rounds of encryption applied to it. Under those circumstances a well-selected password is unlikely to EVER be cracked. As LP didn't qualify password levels, there are lots of 8-character password vaults with only 5,000 iterations applied to them. So bad guys are going to grab a vault, spend a few hours trying to get the easy targets and then move on, because there are gonna be some easy targets to crack. Unless your master password was badly chosen or you never changed your iteration rate to 100,100 or better, you are almost certainly safe.

Should you change passwords in your vault? Even if cracked, you have time, probably years, decades or centuries, to change passwords. If you truly believe that bad guys getting your vault is such a risk that they can crack the encryption in any form of reasonable time frame, why are you putting your passwords on any online service, or even perhaps on any computer or device that connects to the Internet? Look, this shouldn't have happened, and LP's response leaves a lot to be desired, but the entire design of LastPass (and Bitwarden or any other online password manager) is that bad actors can get everything LP has and they still won't be able to access your vault before the end of the universe (at least using classical computing methods; quantum computing, of course, throws that out the window, but probably isn't something to worry about any time soon, if at all in our lifetimes). In fact, I would say that design is to prepare for something that was inevitable and will happen again somewhere. Either you believe in the encryption or you don't. If you don't, then I suggest migrating to KeePass on a secured thumb drive, which exposes you to a number of more-probable-to-happen risks but at least maybe minimizes the risk of your vault being stolen (actually I'm not even sure how much it does that). Look, change your passwords if it helps you sleep at night, but let us not panic and blow things out of proportion.
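The cracking economics described above (a per-user salt, a per-guess cost that grows linearly with the iteration count, and attackers skimming the 5,000-iteration vaults with weak passwords before moving on) can be made concrete. The following is an added example, not code from this page or from LastPass. It assumes a LastPass-like derivation (PBKDF2-HMAC-SHA256 with the lowercased account e-mail as salt and a 32-byte key), a constructed attacker wordlist, a constructed sample account, and an assumed, purely illustrative reference cracking rate of one million guesses per second at 5,000 iterations.

```python
import hashlib
import hmac
import time

# Assumed LastPass-like key derivation (not taken from the page): PBKDF2-HMAC-SHA256,
# the lowercased account e-mail as the per-user salt, a user-settable iteration
# count and a 32-byte output used as the vault key.
def derive_key(master_password: str, email: str, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def crack(target_key: bytes, email: str, iterations: int, candidates) -> tuple:
    """Offline dictionary attack against one stolen (salt, iteration count, key)
    triple. Returns (password, attempts) on success or (None, attempts)."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if hmac.compare_digest(derive_key(cand, email, iterations), target_key):
            return cand, attempts
    return None, attempts


def seconds_to_exhaust(keyspace: int, iterations: int,
                       ref_rate: float, ref_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count: a rig doing ref_rate
    guesses/s at ref_iterations does ref_rate * ref_iterations / iterations
    guesses/s at `iterations`. Returns seconds to try every key in keyspace."""
    rate = ref_rate * ref_iterations / iterations
    return keyspace / rate


def measure_guess_cost(email: str, iterations: int, samples: int = 5) -> float:
    """Seconds per guess on this machine, single-threaded (rough, for illustration)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"probe-{i}", email, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    email = "alice@example.com"  # constructed sample account
    # Constructed attacker wordlist: the kind of "easy target" described above.
    wordlist = ["password", "123456", "Summer2022", "letmein", "Password1!"]

    # Weak password on a vault left at the old 5,000-iteration default.
    weak_key = derive_key("Summer2022", email, 5_000)
    print("5,000 iterations, weak password:", crack(weak_key, email, 5_000, wordlist))

    # Strong password at 100,100 iterations: it appears in no wordlist.
    strong_key = derive_key("correct horse battery staple 9!", email, 100_100)
    print("100,100 iterations, strong password:", crack(strong_key, email, 100_100, wordlist))

    # Per-user salt: same password, different account -> different key, so one
    # precomputed table cannot be reused across the 30 million stolen vaults.
    print("same password, other account differs:",
          derive_key("Summer2022", "bob@example.com", 5_000) != weak_key)

    # Cost scaling. ref_rate is an assumed, illustrative GPU rate at 5,000 iterations.
    per_guess = measure_guess_cost(email, 100_100)
    print(f"this CPU: {per_guess * 1000:.1f} ms per guess at 100,100 iterations")
    for iters in (5_000, 100_100):
        secs = seconds_to_exhaust(95 ** 8, iters, ref_rate=1_000_000, ref_iterations=5_000)
        print(f"{iters:>7} iterations: {secs / 3.15e7:,.0f} years to exhaust 95^8")
```

The two attack runs show the asymmetry the comment relies on: a wordlist password falls on the third guess regardless of the iteration count, while a password outside the wordlist costs a full keyspace search whose duration scales 20.02x going from 5,000 to 100,100 iterations. Raising the iteration count buys a constant factor; choosing a password that no wordlist or mask will reach is what buys the "end of the universe".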