I'm seeing a lot of hot takes on #LastPass, from people in #infosec coming to the conclusion that LastPass transparently disclosing breaches, or near breaches, or any incidents, is a sign of something terrible.
I think those people have not been at this long.
All companies eventually get hacked. All companies eventually will be breached, and it's not if; it's when.
And if you are a company storing millions of passwords, you better believe you are being attacked constantly.
Given that world, I want a company that:
If you think a company that never says, "hey, we had an incident," is more secure... oh boy.
It merely means they either a) can't detect incidents or b) are hiding them from you.
If you are using a password manager that is silent about breaches, near misses, incidents, etc., that should be cause for concern.
@zate So this describes my take for anyone (non #infosec) when they ask me about password managers. For the most part, a good thing -- I recommend my parents use one so that they don't just reuse passwords. But the mindset that "all companies will eventually get hacked" is why I can't bring myself to use one. A compromise of a user's account contains the keys to their kingdom. It's a risk tradeoff -- risk of reuse vs. risk of someone else compromising all your accounts. *You* can control the former (if security aware) but not the latter. My view is that #LastPass accepts A LOT of risk on behalf of their users. Thus they have to be extra secure. And compromises are extra damaging.
It's shocking to me the number of #infosec professionals that perpetuate the myth that a company is required in order to use a password manager.
#OpenSource #passwordManager #LastPass
cc @keepassxc
@downey @willparker @keepassxc
I agree.
Now tell me how you scale that to all the users in a really large modern enterprise.
@zate @downey @willparker
> Now tell me how you scale that to all the users in a really large modern enterprise.
I think BitWarden is more suited to business environments, and is also open source.
@roddux @downey @willparker Nice, taking a look at their offering.
That's below my pay grade.
@downey @zate And that's why I use #LastPass because I can't be bothered to figure out how to access all my passwords across devices without it being a massive hassle and probably me fucking it up and being insecure.
I have friends who use #FOSS solutions but their solutions are utterly unfriendly to me, let alone people who don't understand technology.
@downey @willparker @zate @keepassxc It's shocking to me the number of "infosec professionals" or whatever who don't understand actual PEOPLE - the best password manager is one that people will actually use and no solution we could roll out on our own would have that kind of buyin, because functionality is a very small part of it - ease of use and uptake and branding and docs, respectability and name recognition all matter.