Using a password manager has 2 main tradeoffs and mistakes:
1- Tradeoff individual account risk, for systemic risk. You may argue password managers are safe, but few would argue that the risk model reduces the risk of individual password leaks more than the risk of all your passwords leaking. It's a tradeoff.
2- Cat and mouse security: There's a class of security decisions that work because they are new and different. First the weakness was that passwords were short, then you make passwords long but unmemorable, so people rely on some other mechanisms to authenticate, like a file on their computer, a drive, a fingerprint, facial recog, which may in turn be protected by a second factor password.
At first the new security model will not be stressed, but as more users migrate from one security model to the next one, that's when you are able to compare the security of both technologies, it starts being a juicy enough target that it becomes attacked.
So we are at the point where password managers are used enough that they start becoming worthwhile targets of attack (to overcome the difficulty of vulnerating them).
Also worth noting that these attacks are more winner-takes-all. In the sense that rather than seeing one account hacked every couple of hours, you will see them all hacked at once, because you introduced a vendor in the password supply chain AND because the vendor centralizes all of the passwords. So target that one vendor and from a single attack you get all the spoils. So when comparing the security of the olden method and the new, just 1 incident is enough to undo all of the reputational gains it has made over the years.
How does anyone seriously trust LastPass anymore? Years ago, I was working for a company handling bank data. They were using LP immediately following a previous LP security incident and had no plans to migrate away.
I'm sure this is worse than using lastpass in some way
but for the past couple years I've just generated and forgotten 90% of my passwords. the final 10% I keep in a password manager. But if the service isn't really that important I just use the 'forgot my password' to change and generate a new password every time I need to login
> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
Lots more companies affected. Some more listed below:
>"Klue has not said how many of its hundreds of customers are affected. Several companies have come forward to confirm they had data stolen during the attack, including Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium."
>Cybercrime group Icarus took credit for the breach, saying on its leak site that it will publish the stolen data on Monday if the company does not pay the hackers’ ransom."
This isn't great but it's not that big of a deal either. A lot of companies got bit by the Klue breach but it's not like your vaults are being accessed.
any company that stuck around (or began using) lastpass after vaults were leaked probably does not care about this one at all, considering its just CRM data.
i can sympathize a little bit with companies that stick with lastpass. when i had to switch an org from lastpass to 1password, it was a massive undertaking and incredibly annoying. however, i have no sympathy for anyone who has chosen lastpass after 2022.
Private company third party password managers are bad. Across the board. They're a bad idea.
Deeply localized actual best practices can help solve this. Private companies can also help, but only if it isn't in the form of "you can't have this unless you pay for it." The point is, it's like fighting fires, you can't isolate it.
It's a complete dead-end and the sooner the industry realizes this the better.
This is why I use Microsoft Teams and Outlook as my password manager. I just save my passwords to draft or email them to my coworkers so they never lose track /s
I've been an Enpass user for years because I got a lifetime purchase for a good deal. They don't host the cloud services for syncing passwords. Instead you just auth your cloud storage (I use Google Drive) and it syncs to that.
This approach seems better to me. For one thing, I'd already be screwed if someone malicious got into my Google account, probably worse than if they got into my password manager. And additionally, this means they're not creating an absolute jackpot of data to breach in a centralized place. No one's gonna hack Enpass of all their passwords because that would require hacking all of Google Drive, Dropbox, iCloud, etc. and looking for the files manually.
> No one's gonna hack Enpass of all their passwords because that would require hacking all of Google Drive, Dropbox, iCloud, etc. and looking for the files manually.
Or they compromise their self-update system if that exists.
50 comments
[ 0.23 ms ] story [ 57.7 ms ] threadhttps://news.ycombinator.com/item?id=48647272
Third time's the charm
1- Tradeoff individual account risk, for systemic risk. You may argue password managers are safe, but few would argue that the risk model reduces the risk of individual password leaks more than the risk of all your passwords leaking. It's a tradeoff.
2- Cat and mouse security: There's a class of security decisions that work because they are new and different. First the weakness was that passwords were short, then you make passwords long but unmemorable, so people rely on some other mechanisms to authenticate, like a file on their computer, a drive, a fingerprint, facial recog, which may in turn be protected by a second factor password.
At first the new security model will not be stressed, but as more users migrate from one security model to the next one, that's when you are able to compare the security of both technologies, it starts being a juicy enough target that it becomes attacked.
So we are at the point where password managers are used enough that they start becoming worthwhile targets of attack (to overcome the difficulty of vulnerating them).
Also worth noting that these attacks are more winner-takes-all. In the sense that rather than seeing one account hacked every couple of hours, you will see them all hacked at once, because you introduced a vendor in the password supply chain AND because the vendor centralizes all of the passwords. So target that one vendor and from a single attack you get all the spoils. So when comparing the security of the olden method and the new, just 1 incident is enough to undo all of the reputational gains it has made over the years.
but for the past couple years I've just generated and forgotten 90% of my passwords. the final 10% I keep in a password manager. But if the service isn't really that important I just use the 'forgot my password' to change and generate a new password every time I need to login
> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
Well, I hope Klue got them more customers than they are losing due to this.
>"Klue has not said how many of its hundreds of customers are affected. Several companies have come forward to confirm they had data stolen during the attack, including Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium."
>Cybercrime group Icarus took credit for the breach, saying on its leak site that it will publish the stolen data on Monday if the company does not pay the hackers’ ransom."
https://techcrunch.com/2026/06/22/klue-hack-results-in-data-...
i can sympathize a little bit with companies that stick with lastpass. when i had to switch an org from lastpass to 1password, it was a massive undertaking and incredibly annoying. however, i have no sympathy for anyone who has chosen lastpass after 2022.
Private company third party password managers are bad. Across the board. They're a bad idea.
Deeply localized actual best practices can help solve this. Private companies can also help, but only if it isn't in the form of "you can't have this unless you pay for it." The point is, it's like fighting fires, you can't isolate it.
It's a complete dead-end and the sooner the industry realizes this the better.
This approach seems better to me. For one thing, I'd already be screwed if someone malicious got into my Google account, probably worse than if they got into my password manager. And additionally, this means they're not creating an absolute jackpot of data to breach in a centralized place. No one's gonna hack Enpass of all their passwords because that would require hacking all of Google Drive, Dropbox, iCloud, etc. and looking for the files manually.
Or they compromise their self-update system if that exists.