I’m sure those who use it have heard by now that LastPass lost all our vaults. I was fine with that since my password is pretty good and I assumed everything was encrypted. After doing some research and getting some feedback from some folks in the security world that I follow, I no longer feel that way. Here’s the post that changed my view.
I foolishly thought the entire vault was encrypted; it isn’t… That alone is enough for me to walk away.
If you really care about .NET, then Bitwarden. If you want simplicity, then Dashlane. I use both. I also just happen to be a new contributor to Bitwarden too!
The nice thing about Bitwarden is you can self-host the server too, and it’s open source. Even Hitachi forked them and rebranded it all and is doing their own cloud selling lol. Tesla or SpaceX uses them too; I know because they were building a proprietary Tesla Cipher or something like that.
Are we talking credential managers for the Enterprise or Individual?
One of the nice things about an enterprise version is we can actually know the external systems people log into: customer portals, supplier portals, banks, etc.
I’ve been a LastPass customer since like 2013/2014. This latest breach is pretty bad. I’ve been on the fence about switching but I think I’m going to. I’ve defended and supported LastPass through all their breaches. But, I think this is it. What is everyone else using/switching to?
I think the world is coming full circle. We used to carry pocket phone books with alphabetic index. Now we will have to start carrying pocket password books.
Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.
Secrets used to integrate third-party MFA vendors (e.g., Duo Security, RSA SecurID, SecureAuth) with LastPass.
Seeds used to generate TOTP authentication codes for Google Authenticator, Microsoft Authenticator, LastPass Authenticator, and Grid.
Secrets used to enable LastPass event logs to be sent to a customer’s Splunk instance, providing auditing/monitoring of LastPass events.
Credentials that may have been “pushed” to a LastPass user or group by a LastPass Business Administrator.
I see you never got any real answers to this question and now I am wondering if my gut feeling of not trusting any password manager was the right thing.