Good week for Software Security FUD (MSE and LastPass vulnerability found)

[Paul Keith]

MSE vulnerability

Lastpass Vulnerability

XSS flaw explanation (don't really understand this)

Yep... I'd have left LastPass immediately if they'd revealed passwords. I'm not that bothered about someone potentially knowing the sites I got to. Most of them are stuff like forums (where you can see my username anyway) and Facebook (which are obvious sites for just about everyone).
What you said about password variations is fine, but it doesn't take into account this wouldn't work in practice. Most, if not all, sites I go to will lock you out for 10 to 30 minutes after 3 to 5 password fails. The only way any type of brute force (even a variation guessing) attack would work is if they had access to the database itself, which would be extremely rare and while possible (Gawker!) is very unlikely. Also, my example of adding "123" was just an example, and would probably be very early in any list of variations. You could use something better which would be harder to guess as a variation.
(A) is true, but there are also risks with not using such a service that you have to weigh up. For example, password re-use, tending to use predictable passwords versus random passwords, risk of phishing (LP would only enter the pw on the real site), keyloggers, being watched/recorded typing pw in, etc.
(B) + (C) exactly what I do. I can't (I don't think anyway) use LP for my bank as it asks for random characters from two passphrases. I don't use it for Gmail or PayPal (I use 2-factor though for both). I already use Facebooks login from new computer notification. All good advice.

Source

Open source desktop password manager vs. Proprietary Cloud-based password manager food for thought discussion:

Why would anyone trust a proprietary security tool? Have we learned nothing?

Essential parts of their code can be reviewed.
Incentives matter. LastPass has every incentive to keep their system secure -- one serious breach and their business is dead.
While open source has advantages, it doesn't help if there are not enough people maintaining it, and if security patches are not pushed to you automatically. Peer review is not the only factor in the game.

Source

[Deozaan]

Grr! I just started using LastPass since the whole Gawker fiasco! Now I have to switch?

[Perry Mowbray]

Grr! I just started using LastPass since the whole Gawker fiasco! Now I have to switch?

-Deozaan (February 27, 2011, 05:02 PM)

No... I'd just keep your very sensitive passwords (banks etc) out of the cloud.

PayPal is my main issue I think as all my banks use other measures that are not stored in LP.