Yellow Flag /
npub190z…5wdd
2023-09-05 15:08:20


I published a lengthy write-up on #LastPass again, but the essence is quite short: they’ve had a year, they don’t seem to have done anything. If somebody wants real mitigation advice for the LastPass breach, the LastPass website is still the wrong place to look. It only downplays the impact.

Long-standing technical issues that security researchers have been warning about for years? Still ignored. When the next breach comes, users will be just as ill-protected as they were last year. People have to update the iterations count manually, even though LastPass could have fixed it for everyone automatically. Weak master passwords are still permitted as long as people don’t change them. And much of the data is still not being encrypted (URLs, modification times, etc.).

Supposedly, they improved the security of their infrastructure. Conveniently for them, nobody can verify this claim. But they are clearly calling it a day; we shouldn’t expect any further improvements.

https://palant.info/2023/09/05/a-year-after-the-disastrous-breach-lastpass-has-not-improved/
Author Public Key
npub190z95jsfjmjuzvdrq2t27ucldpvvsvh46tcxl9elexhy9mp2qeps6f5wdd