I'm seeing a lot of hot takes on #LastPass, from people in #infosec coming to the conclusion that LastPass transparently disclosing breaches, or near breaches, or any incidents, is a sign of something terrible.

I think those people have not been at this long.

All companies eventually get hacked. All companies eventually will be breached, and it's not if; it's when.

And if you are a company storing millions of passwords, you better believe you are being attacked constantly.

Given that world, I want a company that:
  • is transparent and lets their users know immediately when something is up and gives as many details as they can.
  • can actually detect incidents and has a solid process to follow in dealing with them and communicating about them.
If you think a company that never says, "hey, we had an incident," is more secure... oh boy.

It merely means they either a) can't detect incidents or b) are hiding them from you.

If you are using a password manager that is silent about breaches, near misses, incidents, etc., that should be cause for concern.

So this describes my take for anyone (non #infosec) when they ask me about password managers. For the most part, a good thing -- I recommend my parents use one so that they don't just reuse passwords. But the mindset that "all companies will eventually get hacked" is why I can't bring myself to use one. A compromise of a user's account contains the keys to their kingdom. It's a risk tradeoff -- risk of reuse vs risk of someone else compromising all your accounts. *You* can control the former (if security aware) but not the latter. My view is that #LastPass accepts A LOT of risk on behalf of their users. Thus they have to be extra secure. And compromises are extra damaging.

🤔 It's shocking to me the number of #infosec professionals that perpetuate the myth that a company is required in order to use a password manager.

#OpenSource #passwordManager #LastPass

cc @keepassxc