Feds Link Cyberheist to 2022 LastPass Hacks

Local vs. cloud password storage

  • Many commenters prefer offline tools (KeePass/KeePassXC, GPG‑encrypted files) with keyfiles and redundant encrypted backups. Data integrity is handled via replication, error‑correcting backups, and “worst‑case” manual account recovery.
  • Syncing across devices is the main pain point: Syncthing, shared folders, and USB “sneakernet” are common, but iOS’s hostility to generic file access makes cross‑platform sync hard for families.
  • Some deliberately avoid putting main vaults on phones, accepting occasional inconvenience for a smaller attack surface.

LastPass breach and loss of trust

  • Strong consensus that LastPass’s handling of the 2022 incidents was poor: delayed disclosure (Christmas week), minimal admission of risk, and current statements that there is “no conclusive evidence” of linkage are viewed as evasive.
  • Technically, LastPass relied solely on master‑password‑derived keys with weak PBKDF2 iteration counts (sometimes as low as 1 or 5,000), and left metadata (including URLs, sometimes 2FA seeds) unencrypted, letting attackers prioritize high‑value crypto targets.
  • Several people moved away after earlier breaches and express surprise that any company still standardizes on LastPass. Class‑action litigation is noted.

Comparing password manager designs

  • 1Password is praised for its additional high‑entropy “secret key” combined with the master password, making offline cracking far harder, and for generally strong UX. Concern: if all devices and the printed “emergency kit” are lost, recovery is impossible by design.
  • Bitwarden/Vaultwarden are valued for being fully open source and self‑hostable; some find the UX and filling behavior rougher than 1Password but acceptable, especially given transparency and control.
  • Other tools mentioned: KeePass variants, Password Store (pass), Strongbox (KeePass DBs on Apple platforms), Proton Pass, and new “local‑first” or self‑hosted secret managers. Debate over Bitwarden’s limited offline‑edit support.
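A small model, added here and not code from the article or any of the commenters, of the two design points raised above: why a password‑only derivation with a low PBKDF2 iteration count (as low as 1 or 5,000) leaves a stolen vault open to offline guessing, and how mixing in a high‑entropy secret key changes that. The two‑secret function is a simplified assumption, not 1Password's actual derivation; the 600,000 count, the salt, the secret key and the attacker throughput are constructed sample values.

```python
import hashlib
import hmac


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Password-only derivation (model of the LastPass-style design).

    Everything except the master password (salt, iteration count) ships inside
    the vault blob, so whoever holds the blob can guess passwords offline.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def derive_vault_key_two_secret(master_password: str, secret_key: bytes,
                                salt: bytes, iterations: int) -> bytes:
    """Two-secret derivation (simplified assumption, not 1Password's exact scheme).

    The PBKDF2 output is keyed with a high-entropy secret key that exists only on
    enrolled devices and the printed emergency kit, never on the server, so the
    stolen blob alone leaves nothing feasible to guess against.
    """
    pw_key = derive_vault_key(master_password, salt, iterations)
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def guess_cost_ratio(low_iterations: int, high_iterations: int) -> float:
    """PBKDF2 cost is linear in iterations: relative cost of one guess."""
    return high_iterations / low_iterations


def seconds_to_exhaust(entropy_bits: float, iterations: int,
                       hashes_per_second: float) -> float:
    """Time to try every candidate of the given entropy when each guess costs
    `iterations` HMAC-SHA256 calls at an assumed attacker throughput."""
    return (2 ** entropy_bits) * iterations / hashes_per_second


if __name__ == "__main__":
    salt = b"constructed-salt-value"   # constructed sample, not a real vault salt
    secret = bytes(range(16))          # constructed 128-bit secret key
    weak = derive_vault_key("hunter2", salt, 1)
    better = derive_vault_key("hunter2", salt, 600_000)
    paired = derive_vault_key_two_secret("hunter2", secret, salt, 600_000)
    print("cost ratio 1 -> 5,000 iterations:", guess_cost_ratio(1, 5_000))
    print("cost ratio 5,000 -> 600,000 iterations:", guess_cost_ratio(5_000, 600_000))
    # 40-bit password search at an assumed 1e9 HMAC-SHA256 calls per second
    print("seconds at 1 iteration:", seconds_to_exhaust(40, 1, 1e9))
    print("seconds at 600,000 iterations:", seconds_to_exhaust(40, 600_000, 1e9))
    print("keys differ by iteration count / secret key:", weak != better, paired != better)
```

The iteration count only scales the attacker's cost linearly; the secret key adds its full entropy to the search space, which is why losing every copy of it makes the vault unrecoverable by design.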

Centralization, single points of failure, and usability

  • Many see cloud vaults as an obvious high‑value target and single point of failure; others argue well‑implemented E2EE (e.g., 1Password’s model) makes cloud storage acceptable and far safer than password reuse.
  • Skeptics advocate “secret heuristics” (site‑dependent algorithms) instead of vaults; critics respond that patterns can be inferred from breaches, site rules differ, and manual entry is error‑prone—essentially “rolling your own crypto.”

Crypto, account recovery, and long‑term concerns

  • Discussion stresses that crypto systems aren’t “hacked”; instead, poor key management (like storing seed phrases in LastPass) leads to irreversible loss because transfers can’t be undone.
  • Several note that modern security practices (2FA, unrecoverable accounts) are unforgiving for non‑experts, unlike real‑world institutions that always have some recovery path.
  • There is side debate on digital longevity: some trust open formats (GPG, CSV, PDF/ZIP/JPEG) over proprietary vaults for data that may need to be opened decades later.