Submitted by glawgii t3_ztx9k5 in technology
OppositeCode t1_j1g29qx wrote
Reply to comment by colonel_beeeees in The Lastpass hack was worse than the company first reported by glawgii
Well, I personally trust my current password manager (Bitwarden). When you save your account to that password manager, it is supposed to be fully encrypted and uploaded to the cloud. This is so that if there is a breach, the hackers only have your encrypted information (essentially useless).
In the case of this LastPass hack, the URLs of accounts weren't encrypted while the rest of the usernames and passwords were. This can lead to phishing attacks attempting to gain access to that website's account.
There are also local password managers; however, I decided against them, as it is not convenient for my personal situation. I started with LastPass but switched to Bitwarden after they implemented their single device policy. As of now Bitwarden has not been breached. With the code being open source, the ability to self host, and the developers being responsive and open to suggestions, it has earned my trust.
scruffles360 t1_j1gs5fw wrote
I presume bitwarden doesn’t have any browser integration until the user logs in and asks for credentials?
I ask because that’s likely why LastPass doesn’t encrypt urls. When you go to a site, it knows it has a password and can prompt you to fill it. It’s a compromise in security for the convenience of browser integration. Whether or not it’s a good compromise is debatable but a lot of people are making it sound like laziness or a flaw. It’s most likely a usability choice.
OppositeCode t1_j1gxe32 wrote
Yes, unless you are logged in your vault won't be decrypted. I assume you mean something similar to this? https://bitwarden.com/help/uri-match-detection/ https://bitwarden.com/help/website-icons/
Correct me if I'm wrong, but I assume the website match should be done locally, otherwise it would be encrypted. https://bitwarden.com/help/what-encryption-is-used/
Browser extensions are a weak point, but it also prevents everyday people from getting phished, as if the domain is not matching, you won't be able to fill in your information (since it won't show).
As always, if you don't trust cloud you can either self host or use a local password manager.
scruffles360 t1_j1gymq9 wrote
That may be similar. When you go to a login page and LastPass tells you you have 4 accounts on that site, it gets that information using the unencrypted URLs. It doesn't log you into your vault unless you try to use one of them. (There are settings to leave you logged in, but they discourage that.)
I’m going to have to do some research and see what’s out there.
OppositeCode t1_j1gz5yx wrote
I'm not a developer so it would be your best bet to ask in different subreddits such as: r/privacy r/PrivacyGuides r/Bitwarden
coolfarmer t1_j1i9egc wrote
I LOVE Bitwarden! I switched from LastPass 6 months ago, best move ever :)