by aasasd
2625 days ago
> put it under a note with an unrelated or gibberish title

More like, don't use Lastpass if they can't keep all your password-use data on the client side, which is supposed to be their entire shtick? This detail about the metadata leak should be the main outtake, if not the news of the day.

When I looked into using Lastpass, I asked them on the support forum why their own documentation says they can alert you when emails you use on websites appear in leaks, if the password database is supposed to be inaccessible by the Lastpass backend. They said I'm reading the docs wrong and it's only the Lastpass account email that they alert about. I re-checked the docs: nope, clearly says website accounts that I put into the database. Here's the thread, which has a screenshot of the docs at that time: https://forums.lastpass.com/viewtopic.php?f=12&t=165485

In the end they said the checks are done locally—by downloading dozen-gigabyte leak archives like the exploit.in, I guess? But still I suppose the alert emails are sent server-side. And the support saying I was “misquoting the manual” was enough for me.
I would guess they are doing the checks with a technique called k-anonymity. It doesn't require sending the password, nor does it send too much data to the client. Troy Hunt offers a service using this technique.
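For readers unfamiliar with the k-anonymity range query mentioned above, here is a self-contained illustration (added example, not code from either commenter, LastPass, or Troy Hunt's service). It follows the shape of the Pwned Passwords range API: the client hashes the password locally with SHA-1, sends only the first 5 hex characters of the hash, receives every suffix the server holds under that prefix, and does the final comparison locally. The breach corpus, the `build_index`/`range_query`/`check_password` names and the in-process "server" are constructed for the example; there is no network call.

```python
import hashlib

# Constructed stand-in for a breach corpus (the real dataset has hundreds of millions of entries).
# "password" appears twice so the example also shows the occurrence count the server returns.
LEAKED_PASSWORDS = ["password", "password", "123456", "letmein", "qwerty"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the representation the range scheme uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Server side: map each 5-hex-char prefix to the list of (35-char suffix, count) under it."""
    counts = {}
    for p in passwords:
        h = sha1_hex(p)
        counts[h] = counts.get(h, 0) + 1
    index = {}
    for h, c in counts.items():
        index.setdefault(h[:5], []).append((h[5:], c))
    return index


def range_query(index, prefix: str):
    """Server side: the only thing the server ever sees is the 5-character prefix.

    It returns every suffix in that bucket, so it cannot tell which one (if any)
    the client actually holds; that is where the anonymity comes from."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return list(index.get(prefix, []))


def check_password(password: str, index) -> int:
    """Client side: hash locally, send the prefix, compare suffixes locally.

    Returns the number of times the password was seen in the corpus, 0 if never."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for candidate_suffix, count in range_query(index, prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def what_the_server_learns(password: str) -> str:
    """Helper for the reader: the full SHA-1 never leaves the client, only this prefix does."""
    return sha1_hex(password)[:5]


if __name__ == "__main__":
    idx = build_index(LEAKED_PASSWORDS)
    for pw in ["password", "correct horse battery staple"]:
        print(f"{pw!r}: server sees prefix {what_the_server_learns(pw)}, "
              f"seen {check_password(pw, idx)} time(s) in corpus")
```

With a corpus this small most prefix buckets are empty, which would let a server infer a lot from a hit; in the real service every one of the 16^5 buckets holds hundreds of suffixes, so a returned bucket says nothing about which password was checked. Note that this only protects the password being checked; whether the client or the server decides to send an alert email afterwards, as the first comment worries about, is a separate question that the scheme does not answer.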