![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Bad news about the LastPass password manager: https://blog.lastpass.com/2022/11/notice-of-recent-security-incident/
We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.My friend Jacob writes:
This is your regular reminder that if you're still using LastPass you should, uh, stop that.He and others recommend 1Password (paid, USD $34/yr) -- there are also other recommended alternatives in that thread.
It's not just this one incident; they've had a series of terrible incidents & appear to learn nothing. Eg: E2E encryption is littered with bugs and has been broken/bypassed repeatedly. The master key is accessible by the sever. Malicious plugins can exfil your master password. The support forum (phpbb) somehow knows your master password. And more.
This isn't about scorning; LastPass is actively unsafe and people need to not use it.
