[bko]

I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.

With something like LastPass it's also much easier to create unique strong passwords for other sites.

Also, let's be real:

> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.

I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already. This has nothing to do with the security of your passwords stored in LP. They have some CRM, some person from their 800 employees clicked a sketchy link and it leaked that. It's not good, but its hardly an indictment of their product or usefulness

[thesuitonym]

> I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.

> With something like LastPass it's also much easier to create unique strong passwords for other sites.

Sure, but LastPass, in addition to being the least secure option, doesn't even have a good user interface, and it's expensive. There are dozens of other password managers out there, each one better than LastPass in every way.

[Arainach]

Doing the research takes time and energy.

Switching takes time and energy.

Changing all your passwords after you switch so they aren't potentially exposed in the next LastPass break takes time and energy.

People have a lot of things going on and have to make a decision about whether the risk justifies the effort.

Then there's feature gaps. LastPass is available on all platforms, has convenient sharing, a good story for emergency recovery if I'm incapacitated and want family to get access to things, and support for 2FA options such as Yubikey. Most competitors lack at least some of those, which is an issue if you're relying on them.

Personally, I left Lastpass for 1Password several breaches ago, but it took me a couple weeks of research to decide where to move to, at least a week of changing passwords on sites afterwards, and however much time and energy it took me to help others who I share credentials with switch at the same time.

[fragmede]

Password managers are entirely a UX problem waiting to be solved better. Every time I hit a UX bug with my password manager, I mutter that I could do fix that, and then know that mine would also be worse in so many ways just to reach parity. What I wish is there was a public bug tracker of UX issues/optimizations that I, and the rest of the world, could log ideas to. Password managers are such a good idea but they all need just that much more work to be seamless.

[scottlamb]

Can you give me an example of a UX problem that you attribute to the password manager? That'd help me understand.

I often hit problems with 1Password's autofill on particular websites, but by and large I blame the website. Few examples:

* one website expects me to type the PIN then a Symantec VIP OTP token into a single field called "password". That's a (possibly deliberately) password manager-hostile design. I finally got annoyed with it enough to use an open source project called `python-vipaccess` to create a proper `otpauth://totp/...` URL I could add into 1Password and wrote a TamperMonkey script that added separate autofillable fields that would get concatenated automatically. Now 1Password works fine.

* frequently websites will complain about needing a valid credit card number after autofill. I have to go to the field, delete the last digit, add it back, tab away, then it works. I think they have just used the wrong event handlers and never tested it with autofill.

* they often will skip `autocomplete="new-password"` attributes, so my password manager will look for a (nonexistent) current password rather than prompting me for a new one, and/or they won't have the username and new password fields ever in the DOM at the same time so the password manager doesn't save it properly. (Even if it makes sense in terms of user-visible flow to do these in sequence, they can still leave the username in as a hidden form element for the benefit of the password manager.)

I've also hit UX problems in 1Password itself, for example the "quick access" pop-up doesn't reliably appear on the current Space in macOS. (Confusing and annoying to have to switch to another to see it.) But they seem less common.

[TimTheTinker]

1Password checks all these boxes and hasn't yet had a data breach.

Their biggest security hole is probably somewhere in the operational pipeline between 1P browser client developers and the static file servers hosting them.

[tcfhgj]

1P is open source now?

[trefoiled]

Unfortunately it's one of the most bug-ridden and unreliable pieces of software I've ever used. I encounter issues with it on a daily basis, but the burden of switching and a lack of superior options keeps me locked in.

[TimTheTinker]

Any example bugs that you've encountered in the last week?

[sleepybrett]

I stopped paying them when they killed local valuts, and secondarily when then moved away from native apps. I drifted along on the old 7.x client for awhile with local values.

I've more or less switched to apple keychain/passwords at this point. I need a solution for linux, and have been thinking about some kind of simple 1-way sync issue that dumps stuff from keychain into some other tool for use on linux.

[cm11]

Curious if you have any gripes or concerns about using the Apple keychain/passwords setup. Aside from Apple devices, do you mostly also stick with Safari? Was it hard to transition things like TOTP or passkeys?

[sleepybrett]

i mostly stick to firefox I do some management of moving some passwords back and forth (i'm not yet using the firefox extension for apple passwords because i just learned about it).. but because i use firefox on my phone as well.. nbd.

In terms of TOTP I just use googleauth and oathtool.

[qwertox]

> I'm pretty sure 99% of the people on exposed have already had their

Right, but LastPass is a company that wants to make you believe that you can trust them with some of your most important assets.

--

Probably related to this:

https://www.bleepingcomputer.com/news/security/lastpass-conf...

“On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,” LastPass says.

"We immediately launched an investigation and learned that, as part of this incident, an unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass.”

“The threat actor then used these credentials to access LastPass customer data within our Salesforce environment.”

[cdud3]

That's a npm supply chain attack style but next level for the Enterprise game: hack one and get access to everything of all of them since they are all unrestricted connected and with each other.

And then they force us to install cloudstrike, antiviruses and client side monitoring because "us are the security problem".

[brendoelfrendo]

> I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.

Yeah but wanting a product like LastPass doesn't require that you use LastPass. There are many good alternatives.

[bko]

What's the solution? Don't have a CRM and store stuff about customers under lock and key? Don't give access to the CRM to any employees? More security training about clicking shady links?

I don't get how you think some other competitor would be better suited against this threat. The right solution is to mitigate the damage. CRM has minimum available stuff, like names, addresses, etc. Don't keep stuff like payment information, passwords, etc in that place as that's the vulnerable system. It seems like that's what LP does and probably every other company in this space does.

Again, it's entirely reasonable to have an off the shelf CRM, pretty broad access to it. You try to prevent phishing email or phone scams (assuming this is what it was) but you have 800 employees, its bound to happen.

[iamacyborg]

> What's the solution?

Use any of the other password managers that don't have the poor security history that LP do.

[lazyasciiart]

I think they're asking how LastPass is supposed to prevent this particular breach.

[FooBarWidget]

When their CRM and support systems are improperly secured, it doesn't bode well for the security of their vaults. When attackers infiltrate one system, it's easier to laterally move to other systems.

Also, their marketing systems are also a mess. I've unsubscribed from their marketing emails multiple times, but to date I'm still getting marketing emails from them even though I'm no longer a customer. Even contacting their support about this issue hasn't helped.

[buzer]

Assuming you are in EU you could report them to local DPA. Objection (i.e. unsubscribing. Original automatic subscription may or or may not have been legal) to direct marketing is pretty much absolute due to GDPR Article 21(2), I'm not aware of any "workaround" companies have successfully managed to argue.

In the US you can report it to FTC for CAN-SPAM violations, but don't hold your breath on any enforcement.

[antiframe]

> I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already. This has nothing to do with the security of your passwords stored in LP. They have some CRM, some person from their 800 employees clicked a sketchy link and it leaked that. It's not good, but its hardly an indictment of their product or usefulness

Would you be okay will a public database of all people's names, emails, addresses, phone numbers, and other contact details? After all, most people's data have already been leaked somewhere. Credit reporting agencies have leaked more sensitive data. I, for one, still expect companies to keep my private data private. Especially companies who's started purpose is to keep my secrets secret. It's a bad look for them and if I trusted them this would make me lose my trust in them. But, they already lost my trust two or three (I lost count) breeches ago.

[vitally3643]

Of course it's not okay. But this is pissing in the ocean. This is throwing buckets of water on the Titanic.

The damage is already done. Your private information was already leaked long ago. You can't make a sunk boat more wet.

[antiframe]

I agree the ship has sailed but I have no desire to make it easier for people to spam me or social engineer any of my accounts. If they want to send some crypto to some stangers on the internet to do it, I can't stop that, but I am not going to hand the info to them on a silver platter.

[nekooooo]

my ssn (usa) and my credit info (also usa) was already leaked in a data breach. i don't care about my encrypted blob in lastpass being leaked because it's computationally too expensive to crack it (assuming it's not a targeted attack with hostile nation-state level gpu capacity)

[stingraycharles]

Where I’m from there actually were guides like this of the whole country, published once a year, I think even into the early 2000s. They stopped doing it for cost savings, but this type of information being public is considered fairly normal by many, as long as you have the ability to unsubscribe.

[briffle]

Only if we also add Social Security numbers, since it was supposed to be a unique Identitifier (like an email) and not a secret.

[philote]

Yes, a public database like this would be acceptable. That way the info isn't paywalled behind some white pages site or similar. And then maybe I could even update my own info to be correct. Contact info is pretty much out there for most people already. Hell, I put it on my resume and send that out to many people and put it on public sites.

[antiframe]

I am glad you want the world to know your phone number, but not everyone does.

Since we still use SMS as second factors (or primary, as some in this thread said they don't write down passwords but just use password reset links to login), it's not the best security hygiene

[basilikum]

> I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.

What you are describing is a password manager. No one here is questioning why people would use a password manager. That's like asking why people would use a toothbrush. The question is why anyone would use LastPass as their password manager.

> Also, let's be real:

> > The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.

> I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already.

I'm sorry to put it so bluntly, but this comment strikes me as really baffling.

LastPass has a very long history of breaches, some of them very severe with a big fallout. It's at the point where the yearly LastPass breach has become a meme just like the yearly T-Mobile breach. It makes no sense whatsoever to look at this incidence without that context and to claim "it's not that bad, they only leaked xyz".

On another note, of course does a breach tell something about the security practices of a password manager company. You really want the developer of your password manager to have good security practices and any sign to the contrary is concerning even when it is not directly related to the core product. Of course security is not about absolutes and mistakes and incidents do happen – what counts is how, how is dealt with them and if they repeat. In the case of LastPass history, including this breach, shows that they have atrocious security and you do not want to let your credentials get any millimeter closer to them than you can possibly avoid.

> I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already.

Again, I'm sorry for being so direct, but this argument annoys me greatly: This argument – that others have done similar bad already and similar harm has already been done – is beyond stupid and needs to die. It's why slippery slopes are real. It's the reason why normalization of bad things happen. It's what people with bad intentions continuously use with great success to slowly make their bad deeds socially acceptable.

When my neighbor dumps his trash on the street that does not allow me to do the same and does not make it any better if I do. I will be just as much in the wrong as him. The only difference being – when I use that excuse – that I will also be a coward.

The wrongdoing of others is never an apology to do the same; and just because something bad is normal does not make it any better and it is especially not an argument for making it even worse.