t42 wrote: Thu Jul 29, 2021 2:02 am
newlyminted7 wrote: Thu Jul 29, 2021 1:35 am
Bear in mind the risks of entrusting your passwords to a supposedly "trustworthy company" online.
How do you suppose to crack a LastPass encrypted vault, a 5,000-round PBKDF2-SHA256 key with a salt of 100,000 rounds?
It isn't all about encryption. There are many weak points within any system, and hackers aren't going after the strongest point of defense. Weak points exist, whether it is a human, unscrupulous business practices, or data in transit. Do they decrypt for any reason? How do you know they don't? What about for legal reasons? What exactly happens in such a case? Just because a system or service utilizes encryption doesn't mean it is 100% secure. Nothing is. It is a matter of whom you trust. Do they have regular third-party audits? Open-source code? Why not? Those should be your first red flags right there. Anyone can put anything up online talking about how secure they are. Are they owned by crooks? A shady country? How would you know? Because they have a nice website talking about how great and secure they are? Security doesn't work that way.
Not many people thought gmail would datamine everyone's emails for ads when they launched, either. Why not? Because people thought they could trust them.
I'm pointing out that it is worth reconsidering where we store valuable information, especially if people are willing to store such valuable information with an online service. Maybe LastPass is fine. Maybe it's not. It's those red flags that should really raise eyebrows, though. And how comfortable are you being their beta tester with your data? Again, the best hacks go undetected, which means you'll never know if your data has been stolen (or shared by crooked businesses; remember the FB / Cambridge Analytica scandal? Does an apology get your data back?).
And, as SimonPeter pointed out, we just don't know what their code contains, nor what other online services it interacts with, or who their "partners" might be. And those third-party trackers in their Android app prove they are willing to engage in unethical and unscrupulous behaviour. Red flag number three. They are a business, not a well-respected, audited, and open-source organization with a track record. They are in business to make money, as their adoption of third-party trackers proves. This makes their motivation suspect, at least in my opinion.
t42 wrote: Thu Jul 29, 2021 2:02 am
Please remember, LastPass never has access to your master password.
LastPass has access to whatever it wants access to, and they don't have to tell you. Companies have been known to do unscrupulous things before. If you type text into the password field and they record it, then they have that text. They don't have to tell you, and they can do whatever they want. Can they be trusted? Perhaps. Forever? Who knows. Just like people used to trust Google, and many other companies. What if the company gets bought? The bottom line is there are many, many situations that can expose data to third parties. My point is you greatly reduce the chances of your data being stolen, shared, or otherwise obtained if it's not there in the first place. In general, people are just too trusting of online services, in my opinion. Especially free ones.