Submitted by glawgii t3_ztx9k5 in technology
maumay t1_j1hpzu3 wrote
Reply to comment by sleepybrett in The Lastpass hack was worse than the company first reported by glawgii
Ultimately there is negligible risk if an attacker gets their hands on your encrypted data if it was encrypted correctly. Using something like Bitwarden, which is open source and regularly audited by external parties, gives you a pretty strong guarantee this is the case. Storing the vault in the cloud is much more convenient when needing to access passwords from multiple devices.
sleepybrett t1_j1i7o37 wrote
'if it was encrypted correctly.'
For me, there are just some things that I will trust a company to do for me by proxy, and some things I don't. Keeping my identity (if someone has all your passwords they can become, effectively, you) secure is one of those things that I'd rather do myself.
Convenience is the enemy of security.
maumay t1_j1n0kv2 wrote
Do you trust the correct implementation of TLS encryption when your credentials are sent over the internet? What difference is there with trusting the correct implementation of password encryption?
sleepybrett t1_j1n61mr wrote
I can verify the TLS implementation in my browser. I do not have access to 1Password's client and server apps' source code.
maumay t1_j1nc0xy wrote
Ok, like I mentioned, there are open source password managers like Bitwarden whose source code is regularly audited and which can be verified by anyone.
sleepybrett t1_j1ndo7s wrote
I currently use Bitwarden because I can host my own backend for it.