In general, password databases are something very useful. How else would we be able to remember all the passwords we have chosen over the years? And how on earth would we remember that one password we only use every other year?
But where to put them? As we all know, Excel sheets (even password-protected ones) are a no-go. There are a bunch of really good applications out there, KeePass being one of them. And nobody would even think of writing passwords down on paper. At least, we hope this is the case.
Where to actually store the database file is a different matter. Yes, we could put our password database on a cloud share. Your mileage concerning mobile availability may vary, but for KeePass in particular this generally works pretty well according to our own experience.
I have always been a bit skeptical about “online” password safes. There are very few people (if any) I would trust enough to give them access to my personal password database. And, most of the time, I have known them for ages and, yes, for sure, I ultimately trust them. And even then: they have access to the file, but the key for the file is not in their hands until something really bad happens to me.
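The point above, that a cloud share may hold the file but never the key, is worth seeing in code. The following is an added illustration, not code from this post and not KeePass's own KDBX format: a password database is encrypted on the client with keys stretched from a master password (PBKDF2-HMAC-SHA256 from the Python standard library, with an assumed iteration count), authenticated with an HMAC so a wrong master password or a tampered file is rejected, and only then uploaded. The stream cipher here is HMAC-SHA256 in counter mode, chosen so the example runs without third-party libraries; a real database format would use AES or ChaCha20. The sample entries are constructed, not real credentials.

```python
# Added illustration (not KeePass's KDBX format, not the post author's code):
# a password database that is encrypted on the client before it ever reaches
# the cloud share, so the storage provider holds the file but never the key.
import hashlib
import hmac
import json
import os

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
KDF_ITERATIONS = 600_000  # assumed value; deliberately slow to resist guessing


def derive_keys(master_password: str, salt: bytes):
    """Stretch the master password into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stdlib-only stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_database(master_password: str, entries: dict) -> bytes:
    """Serialise, encrypt and authenticate the database (encrypt-then-MAC)."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    stream = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_database(master_password: str, blob: bytes) -> dict:
    """Reject a wrong master password or a tampered file before decrypting."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or file tampered with")
    stream = keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


def provider_can_read(blob: bytes, entries: dict) -> bool:
    """What the cloud share sees: does any stored secret appear in the file?"""
    return any(secret.encode("utf-8") in blob for secret in entries.values())


# Constructed sample entries (not real credentials).
SAMPLE_ENTRIES = {
    "mail.example.net": "correct horse battery staple",
    "bank": "a-long-and-unique-passphrase",
}

if __name__ == "__main__":
    blob = encrypt_database("my master passphrase", SAMPLE_ENTRIES)
    print("provider can read secrets:", provider_can_read(blob, SAMPLE_ENTRIES))
    print("decrypted:", decrypt_database("my master passphrase", blob))
    try:
        decrypt_database("wrong passphrase", blob)
    except ValueError as err:
        print("rejected:", err)
```

The part that matters for the argument in this post is where the key lives: the salt, nonce and ciphertext go to the share, the master password never does, and whoever copies the file has to brute-force the slow KDF per guess. That is also why the strength of the master password, not the provider, decides how long such a file stays opaque once it leaks.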
The question here is: can you really trust your “Password Safe Provider” enough to give them all your credentials?
And if you can answer this question with a “YES”, the next question is:
Do you really trust the technology and methodology they use to protect your data? Until now, the answer could have been “don’t know” or “maybe, but nothing has ever happened”.
Well, in that case I can assure you: those are no longer valid answers: https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
You are asking yourself now: how on earth could that happen?
Let me put it this way: John Glenn, the former Mercury astronaut, was once asked before lift-off how he felt, sitting on top of that huge rocket.
His answer was:
Well, the answer to that one is easy. I felt exactly how you would feel if you were getting ready to launch and knew you were sitting on top of two million parts — all built by the lowest bidder [on a government contract].
It is the same thing with LastPass, and the same with any other online password safe in existence: they need to earn money, and to do so they have to watch their spending.
So, basically, you hand all your credentials to a provider whose primary interest (and that has to be the case, otherwise the company will struggle and eventually fail) is its own survival.
And since competition in that market is quite stiff, every action the provider takes has to be weighed against its cost.
Apart from that: absolute security is a myth. But it is a good selling point, and many customers fall for it, which again raises the question: do you trust your vendor? And if yes: why?
As an additional remark: even if they now tell you that “no customer data” has been captured, can you really trust this claim? Note that the linked notice itself states that account e-mail addresses, password reminders, per-user salts and authentication hashes were compromised, which is precisely the material needed for offline guessing attacks against weak master passwords.
For now one thing is clear: the passwords you stored there may now be out there forever. Someone might have them, and you do not have the slightest clue who it is or what they will use them for.
The name “LastPass” was clearly meant in a different way, and it is somewhat cynical that the name now lends itself to a completely different interpretation.
And to make it perfectly clear: what I described here is not restricted to LastPass. It is a general problem of the whole industry and can (and, with a very high probability, will at some point) happen to any other company trying to live from cloud-based services.
Anyway: I would suggest that you change all your passwords. NOW.