In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious…
it’s a bad idea to have all your passwords centralized but for me it’s still an upgrade in security compared to remembering a few different passwords. I understand security is very important but I want to be able to appreciate convenience and not have to write all my random passwords on a book that I would have to bring with me all the time and look at every time I want to type a password. there’s no such thing as bulletproof security. I’m quite happy to have reduced my attack vectors to nearly one single point so I can focus on defending that one single point.
Password vaults are great! Giving them to a central authority is… a little risky though. LP has a pretty decent history other than this, so I don’t fault anyone for using them. But after that breach, it’s probably good to consider those creds burned and recycle them.
A good self-hosted alternative might be something like Keepass on Syncthing. Though a downside of that is that you might be even less likely to know of a vault exfil than a service like LP.
Either way you go, it’s good to recognize the limiations and act accordingly.