LastPass security breach(s)

[mushroom_daddy]

LastPass has reported another security breach, and as I understand it, not for the first time.  I do like to think that Enpass is the best of the bunch, with the encrypted database stored in your own vault, but then if you sync that in the cloud (DropBox, Google Drive, etc.) to access anywhere & anytime, are you really any safer?  Just how secure is any password manager?

Discuss!

At the end of day, I guess, if it's in the cloud it could get hacked – but if encrypted what are the real chances of any comprehensive password data being recovered by the hacker?

Edited December 1, 2022 by mushroom_daddy

[Ivarson]

Enpass plays a lot on the card that their infrastructure doesn't hold any vaults, and therefore is more secure and compliant. Might be true. But any modern and proper password manager implements zero knowledge anyway, meaning that even with access to your vaults, they would never gain access to the keys needed to decrypt. 

In both cases (Enpass with local /sync vault) and cloud based managers with vaults on the vendors cloud, it's imperative that the software lifecycle is secured. Enpass being closed sourced and with more and more bells and wizzles that makes outbound calls, it's especially crucial. 

Also known as supply chain vector 

They've partially addressed that by recently getting iso27001 certification. 

Edited December 1, 2022 by Ivarson

[Discordant]

The threat actor got a copy of everyone’s encrypted vaults. Sure, they were encrypted, but you can be sure there are a lot of people who used easy-to-guess master passwords. You know that a lot of people are going to have a lot of very private info go public at some point. People don’t only store login data in their LastPass vault. 
 

I’m glad Enpass supports using offline local vaults. It is safer.

[Discordant]

Discussion of the hack from a security researcher:

https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/