this post was submitted on 27 Dec 2022
Security
[–] [email protected] 2 points 2 years ago (1 children)

Due to their frontend architecture and how it interacts with their backend, you have no idea if they store your master password or associated encryption keys on their servers or not. They say they don't, but they totally could and it's impossible to prove or disprove.

What? That sounds really really bad. If that is true LastPass was an absolute security nightmare all along.

[–] [email protected] 2 points 2 years ago

Unless they (or someone compromising their servers) decide to store it. Because they absolutely could, and you wouldn’t even notice. E.g. when you enter your master password into the login form on their web page.

But it’s not just that. Even if you use their browser extension consistently, it will fall back to their website for a number of actions. And when it does so, it will give the website your encryption key. For you, it’s impossible to tell whether this encryption key is subsequently stored somewhere.

None of this is news to LastPass. It’s a risk they repeatedly chose to ignore. And that they keep negating in their official communication.

Yeah...