by gxs 1025 days ago
Honestly, if this is truly the case, LastPass is partially to blame here.

Sure, there's nothing in the TOS contractually obligating them to do this - but starting a low level awareness campaign to warn people with passwords that haven't changed in years about this risk seems like an easy thing to do that a (in keeping with the theme) "security minded" company should be enthusiastic about doing.

You can't nanny everyone, but surely if you're paying for a password manager you'd appreciate these kinds of notices.

2 comments

They did have something like that back when I used it. It would tell you repeated passwords, passwords that have appeared in leaks, weak passwords, etc.

> but starting a low level awareness campaign to warn people with passwords that haven't changed in years about this risk seems like an easy thing to do that

Rate of change seems like a very poor signal compared to absolute password strength, which won't change over time. Isn't this already built into LastPass?
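As an added illustration of the vault checks mentioned in the thread (reused, leaked and weak passwords) and of why age is a weak signal next to strength: the script below is not LastPass code or anything from the commenters; it audits a constructed sample vault with a crude character-class entropy estimate, a reuse counter and a lookup against a constructed set of SHA-1 digests standing in for a breach corpus. The vault entries, the 50-bit "weak" threshold and the breached set are all assumptions made for the example.

```python
"""Password-vault audit: flags reused, weak and breached entries.

Added example (not LastPass's implementation). The vault, the breached
digest set and the weak threshold are constructed for illustration.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Entry:
    site: str
    password: str
    created_days_ago: int  # kept only to contrast age with strength


# Constructed sample vault (hypothetical sites and passwords).
VAULT: List[Entry] = [
    Entry("bank.example", "Tr0ub4dor&3", 3000),
    Entry("mail.example", "correcthorsebatterystaple", 2900),
    Entry("shop.example", "password1", 30),
    Entry("forum.example", "password1", 15),
    Entry("work.example", "xK9#mQ2$vL7!pR4w", 5),
]

# Constructed breach corpus, stored as upper-case SHA-1 hex digests the way
# Pwned Passwords publishes them. Assumption: only "password1" is in it.
BREACHED_SHA1: Set[str] = {hashlib.sha1(b"password1").hexdigest().upper()}


def estimate_entropy_bits(pw: str) -> float:
    """Crude strength estimate: length * log2(pool), pool from character classes.

    Real estimators (zxcvbn-style) also penalise dictionary words and patterns;
    this is deliberately simple so the arithmetic is visible.
    """
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33  # printable ASCII punctuation
    return len(pw) * math.log2(pool) if pool else 0.0


def audit(vault: List[Entry], breached: Set[str],
          weak_threshold_bits: float = 50.0) -> Dict[str, List[str]]:
    """Return a per-site list of findings: 'reused', 'weak', 'breached'.

    Note that created_days_ago is never consulted: a 2900-day-old strong
    passphrase passes, while a 15-day-old 'password1' fails on all three counts.
    """
    reuse_counts = Counter(e.password for e in vault)
    findings: Dict[str, List[str]] = {}
    for e in vault:
        flags: List[str] = []
        if reuse_counts[e.password] > 1:
            flags.append("reused")
        if estimate_entropy_bits(e.password) < weak_threshold_bits:
            flags.append("weak")
        digest = hashlib.sha1(e.password.encode("utf-8")).hexdigest().upper()
        if digest in breached:
            flags.append("breached")
        findings[e.site] = flags
    return findings


if __name__ == "__main__":
    for site, flags in audit(VAULT, BREACHED_SHA1).items():
        print(f"{site:15} {', '.join(flags) or 'ok'}")
```

Against a real breach corpus you would not ship the full digest list; the Pwned Passwords range API lets a client send only the first five hex characters of the SHA-1 and match the suffix locally, so the password never leaves the device. The threshold is also a moving target, which is the point made later in the thread: the check that is cheap to re-run is strength, not age.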

Ah, I was talking about OP's comment - it wasn't that passwords weren't changed often - it's that they were created a long time ago when that particular length/complexity was thought to be enough.

I see what you're saying, but 8 characters was also considered not enough 20 years ago. Naturally it takes a long time for good practices to propagate but