Hacker News
by namaria 475 days ago
Truly the chain of decisions that got us here is baffling.

"Use random high entropy passwords for each account"

good

"Store them encrypted"

great

"In a computer publicly available on the internet"

wat

"Under an account that also handles your 2fa tokens"

c'mon now!


If you do E2EE correctly this is a non-issue. See 1Password for one way to do it right.
How is any of this a threat to 1Password E2EE?

The point is that even if they have access to my encrypted data, they wouldn't be able to access the plaintext without the key (and yes, the passphrase is not sufficient).

This is just lazy scaremongering.

The point you're trying to make is a trivial one: in the absence of errors, there are no problems.

LastPass e2ee was never the problem in the original story either.

You are wrong: the article posted said the heists happened because of both a breach and the cracking of master passwords. LastPass E2EE relied on keys derived from the master password using a password hash with a low iteration count. Therefore low-entropy passphrases could easily be cracked. Furthermore, not all data was encrypted. This is all a weakness of their E2EE. 1Password uses both a PAKE for remote authentication and a high-entropy (128-bit) key, and therefore doesn't rely solely on a master password. There is an actual difference.

Of the links you posted, two could equally have affected a password manager that used local storage. All password managers can be subverted by external threats, whether they use cloud storage or not.

My point is that properly implemented E2EE (hopefully vetted by cryptographers) is only marginally different from a password manager using local storage. Sure, having it cloud-hosted can affect more than one user, but attacking the ciphertext would be infeasible.
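As an added illustration of the key-derivation argument in the comment above (this is not part of the thread, and not LastPass's or 1Password's code), the Python below builds a PBKDF2 vault key from a weak master password, runs an offline dictionary attack against a stolen blob, and then repeats it with a hypothetical two-secret derivation in the spirit of 1Password's Secret Key. The salt, wordlist, iteration counts, key-check value and HMAC mixing step are all constructed for the example; the PAKE used for remote authentication is out of scope here.

```python
"""Why a password-only KDF with a low iteration count loses, and a second secret wins.

Constructed demo: PBKDF2 vault keys, an offline dictionary attack against a
stolen blob, and a hypothetical two-secret derivation modelled on the idea of
1Password's Secret Key. Not any vendor's real code or parameters.
"""
import hashlib
import hmac
import math
import secrets

# --- Constructed sample data (not real vault data) -------------------------
SALT = b"constructed-per-user-salt"      # stored next to the ciphertext; the attacker has it
WEAK_MASTER_PASSWORD = "Summer2023!"     # low entropy: it sits in a small wordlist
WORDLIST = ["123456", "password", "letmein", "Summer2023!",
            "Winter2023!", "correcthorsebatterystaple"]
LOW_ITERATIONS = 1_000       # illustrative "low" PBKDF2 count, not a specific vendor's setting
HIGH_ITERATIONS = 100_000    # illustrative "high" count (OWASP currently recommends 600,000)
SECRET_KEY_BITS = 128        # size of the device-held secret in the two-secret model
KCV_LABEL = b"key-check"     # fixed label MACed under the vault key to verify a key guess


def password_only_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Vault key derived from the master password alone (the model the thread criticises)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def two_secret_key(master_password: str, secret_key: bytes, salt: bytes, iterations: int) -> bytes:
    """Hypothetical two-secret derivation: mix the password-derived key with a 128-bit
    secret that lives only on the user's devices and is never sent to the server.
    Simplified HMAC mixing for illustration; not 1Password's actual construction."""
    pw_key = password_only_key(master_password, salt, iterations)
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def key_check_value(vault_key: bytes) -> bytes:
    """What a stolen blob gives the attacker: a value recomputable from a key guess.
    In real formats an AEAD tag or a stored verifier plays this role."""
    return hmac.new(vault_key, KCV_LABEL, hashlib.sha256).digest()


def crack(kcv: bytes, derive, wordlist):
    """Offline dictionary attack: derive a key per guess and compare check values.
    `derive(password) -> key` is whatever the attacker can compute from the stolen blob.
    Returns (recovered_password_or_None, guesses_spent)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(key_check_value(derive(candidate)), kcv):
            return candidate, guesses
    return None, len(wordlist)


def attack_work_log2(wordlist_size: int, unknown_secret_bits: int = 0) -> float:
    """log2 of the guess space: iterations only multiply per-guess cost, while an
    unknown secret adds its full bit length to the exponent."""
    return math.log2(wordlist_size) + unknown_secret_bits


def demo() -> dict:
    # 1. Password-only, low iteration count: the weak password falls in a few guesses.
    kcv_low = key_check_value(password_only_key(WEAK_MASTER_PASSWORD, SALT, LOW_ITERATIONS))
    found_low, n_low = crack(kcv_low,
                             lambda pw: password_only_key(pw, SALT, LOW_ITERATIONS), WORDLIST)

    # 2. Raising the iteration count makes each guess 100x slower, but the same
    #    wordlist still recovers the same password: iterations do not add entropy.
    kcv_high = key_check_value(password_only_key(WEAK_MASTER_PASSWORD, SALT, HIGH_ITERATIONS))
    found_high, n_high = crack(kcv_high,
                               lambda pw: password_only_key(pw, SALT, HIGH_ITERATIONS), WORDLIST)

    # 3. Two-secret model: the stolen blob plus the wordlist is not enough, because the
    #    attacker never saw the 128-bit secret and must guess it along with the password.
    user_secret = secrets.token_bytes(SECRET_KEY_BITS // 8)            # held on the user's devices
    kcv_two = key_check_value(two_secret_key(WEAK_MASTER_PASSWORD, user_secret, SALT, LOW_ITERATIONS))
    attacker_secret_guess = secrets.token_bytes(SECRET_KEY_BITS // 8)  # one of 2^128 possibilities
    found_two, _ = crack(kcv_two,
                         lambda pw: two_secret_key(pw, attacker_secret_guess, SALT, LOW_ITERATIONS),
                         WORDLIST)
    # The legitimate user, holding both secrets, still opens the vault.
    user_opens = hmac.compare_digest(
        key_check_value(two_secret_key(WEAK_MASTER_PASSWORD, user_secret, SALT, LOW_ITERATIONS)),
        kcv_two)

    return {
        "password_only_low": (found_low, n_low),
        "password_only_high": (found_high, n_high),
        "two_secret_without_key": found_two,
        "two_secret_user_opens": user_opens,
        "work_log2_password_only": attack_work_log2(len(WORDLIST)),
        "work_log2_two_secret": attack_work_log2(len(WORDLIST), SECRET_KEY_BITS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the two halves of the argument: the iteration count only changes how long each guess takes, so a password that is in the attacker's wordlist is recovered either way, whereas a 128-bit secret the server never holds turns the same stolen blob into a 2^128-times larger search, which is what makes attacking the ciphertext infeasible regardless of master-password strength.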

> attacking the ciphertext data would be infeasible

If insufficiently protected, any attack surface may be compromised. It’s just a matter of time, resources, and will.

“The only winning move is not to play.”