by cissou 4023 days ago
I understand your take on the problem, but one of the features of those services is that they are precisely online: I can get my passwords on my phone, tablet, desktop, laptop, abroad or at work. If my password manager is offline, it's safer, but it's also a poorer experience.

Maybe if there was a way to deploy our own personal password manager server on a dedicated server that would help the "one big target" issue.

4 comments

You could roll out your own. But I personally trust the specialized team at LastPass to monitor and look for these sorts of breaches a lot more than I trust myself.

That coupled with convenience makes it so I'm going to stick with an online password manager.

Even under a worst case scenario, I could change my major passwords fast enough with LastPass that I wouldn't be worried about losing my online presence to anyone. It'd be a pain, but I'm confident that the LastPass team would keep me informed if that was necessary.

But even that won't help much.

If you are using "off the shelf" software, then that means I have something to scan for, and a vulnerability in the software means that I have tons of targets. Most of which won't be as secure as LastPass servers might be, and probably won't update immediately.

Only if the software itself has a vulnerability - and it isn't that hard to secure a website or server that can't be accessed at all without a password, as opposed to one that needs to provide some level of service to anyone. Centralized services are also at risk of generic attacks such as convincing the hosting service/domain registrar/a company employee/etc. that you're authorized to change things, while pulling this off for many independently hosted site instances is considerably more difficult.
I think if LastPass just allowed use of an out-of-channel external file as an additional encryption layer (as KeePass can) then you should be able to worry about keeping that external file secure rather than worry about what's in the cloud.
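One way to picture the external-file layer mentioned in the comment above, as an added example that is not code from the thread or from KeePass/LastPass: it assumes a KeePass-style composite key (SHA-256 of each component, then of their concatenation) stretched with PBKDF2, and shows that a vault header stored in the cloud cannot be opened with the password alone or the key file alone.

```python
import hashlib
import hmac

# Added example (not from the thread): composite key modelled on KeePass's
# password + key-file scheme. Assumed: SHA-256 components, PBKDF2 stretching.

def composite_key(password: str, key_file: bytes, salt: bytes,
                  iterations: int = 100_000) -> bytes:
    """Derive the vault key from BOTH secrets; either one alone is useless."""
    pw_part = hashlib.sha256(password.encode("utf-8")).digest()
    kf_part = hashlib.sha256(key_file).digest()
    composite = hashlib.sha256(pw_part + kf_part).digest()
    # Stretch the composite so a stolen (cloud-hosted) vault resists guessing.
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations, dklen=32)

def seal_vault(password: str, key_file: bytes, salt: bytes) -> dict:
    """Produce the header the cloud side sees: salt plus an unlock tag."""
    key = composite_key(password, key_file, salt)
    tag = hmac.new(key, b"vault-unlock-check", "sha256").digest()
    return {"salt": salt, "unlock_tag": tag}   # no secret material stored

def can_unlock(vault: dict, password: str, key_file: bytes) -> bool:
    """Constant-time check whether this password + key file opens the vault."""
    key = composite_key(password, key_file, vault["salt"])
    expected = hmac.new(key, b"vault-unlock-check", "sha256").digest()
    return hmac.compare_digest(expected, vault["unlock_tag"])

# Constructed sample inputs (not real credentials).
PASSWORD = "correct horse battery staple"
KEY_FILE = bytes(range(32))   # stands in for a random key file kept offline
SALT = b"\x01" * 16           # fixed for reproducibility; random in practice
VAULT = seal_vault(PASSWORD, KEY_FILE, SALT)

def demo() -> dict:
    """Which combinations open the vault: only password AND key file."""
    return {
        "both": can_unlock(VAULT, PASSWORD, KEY_FILE),
        "password_only": can_unlock(VAULT, PASSWORD, b""),
        "keyfile_only": can_unlock(VAULT, "", KEY_FILE),
        "wrong_keyfile": can_unlock(VAULT, PASSWORD, bytes(32)),
    }

if __name__ == "__main__":
    print(demo())
```

The cloud copy holds only the salt and the unlock tag, so a breach of the hosted vault still leaves the attacker needing the offline key file as well as the password.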
I wonder when people will realize "better experience" is not a universally good excuse for chipping away at security (and privacy).