I'm seeing a lot of hot takes on #LastPass, from people in #infosec coming to the conclusion that LastPass transparently disclosing breaches, or near breaches, or any incidents, is a sign of something terrible.
I think those people have not been at this long.
All companies eventually get hacked. All companies eventually will be breached, and it's not if; it's when.
And if you are a company storing millions of passwords, you better believe you are being attacked constantly.
Given that world, I want a company that:
It merely means they either a) can't detect incidents or b) are hiding them from you
If you are using a password manager that is silent about breaches, near misses, incidents, etc., That should be cause for concern.
I think those people have not been at this long.
All companies eventually get hacked. All companies eventually will be breached, and it's not if; it's when.
And if you are a company storing millions of passwords, you better believe you are being attacked constantly.
Given that world, I want a company that:
- is transparent and lets their users know immediately when something is up and gives as many details as they can.
- can actually detect incidents and has a solid process to follow in dealing with them and communicating about them
It merely means they either a) can't detect incidents or b) are hiding them from you
If you are using a password manager that is silent about breaches, near misses, incidents, etc., That should be cause for concern.
Will Parker
•Michael Downey 🚩
•#OpenSource #passwordManager #LastPass
cc @keepassxc