Micro.blog

nielsk

I wonder why LastPass gets pried open regularly but 1Password doesn’t.

Is 1Password really safer? Is it a less interesting target? Or didn’t they notice breaches? After all, you can only tell that you were hacked when you know it.

muhh

@nielsk these are quite unfair questions since even 1PW can't refute them. Maybe LastPass is just that bad.

nielsk

@nielsk why are these unfair? Are they doing things better? Or are they worse?

I know that 1P can’t really answer them. Those are questions worth asking, though. Maybe LastPass does a better job in monitoring and discovery. Maybe 1P just got lucky so far.

muhh

@nielsk "Argumentum ex silentio".

Of course it's important to know how and why 1pw has this clean track record in regard to security. But you can't get there by asking questions that imply ignorance and missing due diligence.

nielsk

@muhh how do I imply ignorance? You are reading things into this that I didn’t write.

I wrote: how come these things happen to LP but not to 1P? And the answers could be:

  • nobody comes that far
  • nobody finds them interesting enough (why?)
  • it happened and they don’t know

muhh

@nielsk Ok, sorry, ignorance might be a bit strong. But again, you write "it happened and they don't know".

I think you weaken your argument and very important intention (as I understood it in the first place: "how can it be that 1PW doesn't have any issues?"), when you leave out the possibility that 1PW might be successful in not making these severe mistakes.

It's not that I'm convinced that 1PW has the holy grail of security management and does everything right and will never have any problems. But they have a long history (longer than LastPass), one without incidents, and a huge user base in the Apple ecosystem, which has, or at least has had, a lot of developers and security-related folks actively working there.

pimoore

@muhh @nielsk Turns out LastPass really is that bad, and that you likely don’t hear about others like 1PW and Apple because they’re doing things right. LastPass was using legacy PBKDF version 1 instead of 2, which only incorporates 5,000 iterations:

chaos.social/@jonty/10...

This is an inexcusable and lax security practice for such an important service.
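To make the iteration-count point above concrete, here is an added example (written for this page; it is not code from the thread, from LastPass, or from 1Password) that derives a vault key with PBKDF2-HMAC-SHA256 at 5,000 iterations, the count the post above attributes to LastPass, and at 600,000 iterations, which I assume as the current OWASP recommendation for this KDF. It then runs the offline dictionary attack an attacker holding a stolen vault blob would run, counting the HMAC work spent. The salt, the toy wordlist and the victim's master password are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed reference points for this example (not taken from the thread):
LEGACY_ITERATIONS = 5_000      # the count the thread says LastPass was still using
MODERN_ITERATIONS = 600_000    # assumption: OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def derive_key(password: str, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256; `iterations` is the work factor under discussion."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def work_ratio(low: int, high: int) -> float:
    """How many times more HMAC work an attacker pays per guess at `high` than at `low`."""
    return high / low


def time_per_guess(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock seconds for one derivation (what the legitimate user pays at unlock)."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        derive_key("benchmark-password", salt, iterations)
        best = min(best, time.perf_counter() - t0)
    return best


def crack_from_wordlist(target_key: bytes, salt: bytes, iterations: int, wordlist):
    """Offline dictionary attack against a stolen (salt, derived key) pair.

    This is what an attacker holding an exfiltrated vault blob runs; no server
    rate-limits them, so the iteration count is the only brake. Returns the
    recovered password (or None) and the number of HMAC invocations spent,
    which is iterations x candidates tried (one PBKDF2 block for dklen <= 32).
    """
    spent = 0
    for candidate in wordlist:
        spent += iterations
        if hmac.compare_digest(derive_key(candidate, salt, iterations), target_key):
            return candidate, spent
    return None, spent


def main():
    salt = os.urandom(16)
    # Constructed toy wordlist; the victim's weak master password is the third entry.
    wordlist = ["letmein", "password", "qwerty", "correct horse battery staple"]
    for iters in (LEGACY_ITERATIONS, MODERN_ITERATIONS):
        stolen = derive_key("qwerty", salt, iters)
        found, spent = crack_from_wordlist(stolen, salt, iters, wordlist)
        print(f"{iters:>7} iterations: recovered {found!r} after {spent:,} HMAC calls, "
              f"{time_per_guess(iters, samples=1):.4f}s per guess")
    print(f"attacker pays {work_ratio(LEGACY_ITERATIONS, MODERN_ITERATIONS):.0f}x more "
          f"per guess at the modern count")


if __name__ == "__main__":
    main()
```

The design point the numbers illustrate: the iteration count travels with the encrypted vault, so once the blobs are stolen it is a fixed multiplier on the attacker's guessing cost and nothing else. Raising it from 5,000 to 600,000 makes every guess 120 times more expensive for the attacker at the price of a fraction of a second for the user at unlock; a weak master password still falls, just 120 times more slowly, which is why the work factor and the master-password policy have to be set together.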

ecschwarz

@pimoore Just got your email about the details - gonna add that in since that’s some great information!

pimoore

@ecschwarz I was trying to find your profile here to reply instead, helps if I spell it correctly. 😆

ecschwarz

@pimoore Haha - I’ve also been a little more quiet here. Mostly giving Mastodon an honest try and then forgetting this side of things.