by Inhibit 1278 days ago
How many programmers work on LastPass? From a solo coder with no specific interest in cryptography I wouldn't find this kind of flaw odd.

From a large development team whose sole product centers around encryption? It seems strange to get it this wrong. What leads to that might make a good business case study.


Interesting, my intuition is exactly the opposite of yours: I'd expect a solo coder to get it right more than a large organisation full of people with different incentives and priorities.
Exactly, these flaws feel like the kind of thing that pops up due to a conflict between product UX people and security people. Surely they had at least 1 engineer who was aware that unencrypted website URLs, ECB mode, and not upgrading work factors was a bad idea. They just likely lost out to some product owner who thought displaying favicons, detecting reused passwords on the server, and not bothering the user to upgrade on login were more important than security.

At big companies, too often do the people in charge of the product seem to forget what the core product really is.
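The "not upgrading work factors on login" point above is easy to illustrate. The following is an added example and not code from LastPass or from anyone in this thread; it assumes a hypothetical server-side policy constant (`CURRENT_ITERATIONS`, set to a constructed value) and a simple stored record of salt, iteration count and PBKDF2 digest. Login is the only moment the server holds the plaintext password, so that is the moment a record derived under an older, weaker iteration count can be transparently re-derived at the current one, without ever bothering the user.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical policy: the PBKDF2 iteration count every record should be at.
# 600_000 is a constructed value for this example, not a figure from the thread.
CURRENT_ITERATIONS = 600_000
HASH_NAME = "sha256"


@dataclass
class StoredRecord:
    """What the server persists per user: salt, the work factor used, and the digest."""
    salt: bytes
    iterations: int
    digest: bytes


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC derivation; the iteration count is the tunable work factor."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)


def create_record(password: str, iterations: int = CURRENT_ITERATIONS) -> StoredRecord:
    """Build a fresh record with a random salt at the requested work factor."""
    salt = os.urandom(16)
    return StoredRecord(salt, iterations, derive(password, salt, iterations))


def verify_and_upgrade(password: str, record: StoredRecord) -> Tuple[bool, Optional[StoredRecord]]:
    """Check a login attempt against the stored record.

    Returns (ok, upgraded_record). upgraded_record is a new record the caller
    should persist in place of the old one, or None when no upgrade was needed
    (or when the password was wrong, in which case nothing must change).
    """
    candidate = derive(password, record.salt, record.iterations)
    # Constant-time comparison so a wrong guess does not leak where it diverged.
    if not hmac.compare_digest(candidate, record.digest):
        return False, None
    if record.iterations >= CURRENT_ITERATIONS:
        return True, None
    # Correct password and a stale work factor: re-derive now, while the
    # plaintext is in hand, with a fresh salt and the current iteration count.
    return True, create_record(password)


if __name__ == "__main__":
    # Constructed scenario: a record created years ago with a low iteration count.
    legacy = create_record("correct horse battery staple", iterations=5_000)
    ok, upgraded = verify_and_upgrade("correct horse battery staple", legacy)
    print("login ok:", ok, "| upgraded to", upgraded.iterations if upgraded else "no change")
```

The design point is that the upgrade is keyed off the iteration count stored alongside each record, so a policy bump is a one-line change and every user is silently migrated the next time they authenticate; records that never get a successful login stay weak, which is why a migration dashboard counting records below the current policy is a useful companion check.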

It's not a large development team. I moved away from them years ago because support for FIDO keys for example was always "coming soon" and still isn't there. They've been coasting for years and this breach doesn't surprise me at all.
As a paying user, I totally agree.

They have been coasting for years. There are some serious bugs they never addressed.

I wish I could export my "password history" in some way.

I've used a Yubikey with LastPass for several years.
Yes but they don't support the WebAuthn/FIDO2 standard. The Yubikey option they have is less secure because I think it's OTP under the hood, so it doesn't protect against phishing.
I suspect most of the work of a password manager goes into the other features. At one point (not sure if they still do), LastPass had a feature that could auto-rotate passwords for you for select sites. From watching it attempt it once or twice, it looked like it was done with scripted screen-scraping, which must have been tedious to develop and maintain. Also, providing form-filling functionality seems like it took a lot of work.