this post was submitted on 06 Sep 2023
115 points (99.1% liked)

Technology

59197 readers
4055 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious…

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 4 points 1 year ago

Yes, definitely. It instigated a lot of turmoil and a gamut of spicy takes regarding the fundamental question of whether password managers as a model "work". On the one hand some people laughed at the idea of putting your password on the cloud and touted post-it notes for being a more secure alternative. On the other hand people extolled the virtues of the cryptographic model at the base of password managers, claiming that even if tomorrow the entire LastPass executive org went rogue, your password would still be safe.

As far as I understand, the truth is more nuanced. Consider that this breach took place 9 months ago, but you're only reading about cracked passwords now. It seems like the model did what it was supposed to do, and people behind the breach had to patiently brute-force victim master passwords. This means they got to the least secure passwords first: If you picked "19 deranged geese obliterating a succulent dutch honey jar at high noon" or whatever, you're probably safe. But it doesn't strike me as too wise to get complacent on account of this, either. Suppose next time the attackers get enough access to "tweak" the LastPass chrome extension to exfiltrate passwords. Now what?

The thing is we're stuck between a rock and a hard place with passwords. We already know it's impractical to ask users to remember 50 different secure passwords. So assuming we solve this using a password vault, there's no optimal place to keep it. On the cloud you get incidents like this. Outside of the cloud one day you're going to lose your thumb drive, your machine, your whatever. "So keep a backup" but who out of your normie relatives is honestly going to do this, and do you really trust a backup you haven't used in 5 years to work in the moment of truth? I don't know if there is any proper solution in the immediately visible solution space, and if there is, I don't know if anyone has the financial incentive to implement it, sell it, buy it. People say the future is in passwordless authentication, FIDO2 etc, but try to google actually using one of these for your 5 most-used accounts, you're not going to come out of the experience very thrilled.