by dathery 461 days ago
It would probably be more accurate to say that LastPass has the information to decrypt your vault if they can guess your password. By contrast 1Password would need to both guess your password and guess your personal secret key. The latter is effectively impossible assuming the key generation was well-implemented. The trade-off is that users must keep track of their own secret keys.

How does that work with sharing vaults between devices?
You have to provide the secret key to each device on initial setup. After that, you just need your password.
What if you're in a foreign location and your devices are all stolen or lost?
You'd have to contact someone to get the secret key from your 1Pass emergency kit, wherever you stored it. That is, unless you can memorize long strings of numbers really well.
Then you have a much bigger and immediate problem at hand.
What do you mean?

There's a tourist experiencing this scenario probably every minute.

This is why 1Password provides an emergency kit where you can record your secret key and store it securely.

How you choose to safeguard it depends on your preferences and your "threat level".

For example, you can keep it in a bank vault, print multiple copies to store under your pillow, take a picture, or save it in your email, etc.

Not really. The biggest, most immediate and most threatening problem in this scenario is the inability to access your passwords, and therefore the inability to use banking and means of electronic communication.
What if in LastPass you have 2FA?
2FA has nothing to do with the encryption, if that data is leaked.
My understanding is some of the key strength was too low. If 2FA increases the key strength, that should have an impact, no?
2FA does not increase the key strength. The key is solely derived from the password. 2FA limits access to somebody who already has the password to get in. The LastPass leak was of a backup, though, for which 2FA does nothing.
I see, that's unfortunate.
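
The distinction discussed in this thread, shown as an added Python sketch (not part of any comment, and not LastPass's or 1Password's actual code): a key derived solely from the password opens a leaked backup with the password alone and never takes a 2FA code as input, while a key that also mixes in a user-held secret does not. The iteration count, the XOR-based mixing, the MAC standing in for the encrypted vault and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 10_000      # constructed value, kept low so the example runs fast
CHECK = b"vault-check"   # constructed constant; its MAC stands in for the encrypted vault

def password_key(password: str, salt: bytes) -> bytes:
    """Key derived solely from the password (the password-only case in the thread)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def two_secret_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Key that also mixes in a random user-held secret (simplified illustration)."""
    stretched = password_key(password, salt)
    device_part = hmac.new(salt, secret_key, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stretched, device_part))

def make_backup(key: bytes, salt: bytes) -> dict:
    """What a server-side backup holds: salt plus data bound to the key. No 2FA state."""
    return {"salt": salt, "tag": hmac.new(key, CHECK, hashlib.sha256).digest()}

def opens(backup: dict, key: bytes) -> bool:
    """True if the candidate key matches the backup, i.e. the vault would decrypt."""
    expected = hmac.new(key, CHECK, hashlib.sha256).digest()
    return hmac.compare_digest(expected, backup["tag"])

def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample password
    secret_key = secrets.token_bytes(16)        # 128-bit random secret kept by the user
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)

    pw_backup = make_backup(password_key(password, salt_a), salt_a)
    sk_backup = make_backup(two_secret_key(password, secret_key, salt_b), salt_b)

    wrong_secret = secrets.token_bytes(16)  # whoever holds only the backup lacks the real secret
    return {
        # Right password alone opens the password-only backup; 2FA is never an input.
        "password_only_opens": opens(pw_backup, password_key(password, pw_backup["salt"])),
        # Right password with the wrong secret key does not open the two-secret backup.
        "two_secret_password_alone": opens(
            sk_backup, two_secret_key(password, wrong_secret, sk_backup["salt"])),
        # Right password and right secret key: the owner's own device.
        "two_secret_owner": opens(
            sk_backup, two_secret_key(password, secret_key, sk_backup["salt"])),
    }

if __name__ == "__main__":
    print(demo())
```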