What Happens After Lastpass?

Lastpass being super transparent and putting their reputation on the line with their post about getting hacked is either terribly clever or terribly stupid.

Terribly clever because it churns away all the users storing ultra-sensitive information there, and keeps all the unimportant information used for the everyday activities of the web (Imgur accounts, disposable Reddit accounts, spam Twitter accounts, etc.). If you think about it, this makes sense. Using a hosted service to store mission-critical information is not only stupid, it is dangerous, and it puts the onus on Lastpass to protect it, which, as they have made clear, they are not going to do. But they will keep your lame Imgur account. They will keep your lame Flickr where you store holiday snaps and pictures of flowers. They will keep those Reddit accounts you keep on creating to upvote your stuff.

Bad Move?

On the other hand, Lastpass revealing this information could wipe them out entirely, along with all their data. Imagine, for example, hearing news that 5 years of web logins and surfing was compromised there. The next obvious action taken by such a user is to export all this out of Lastpass, switch over to some other solution, and abandon Lastpass entirely, telling all their friends on social media about their move, and running Lastpass into the ground because of a network effect. This has probably already happened. I imagine Lastpass does have users like that who are not especially savvy and place their trust in a black box like Lastpass without a care for a future breach.

That said, there are viable alternatives like Keepass and 1Password which are not a black box and are ethically designed with the user in mind, and not the bank accounts of the creators. My personal favourite is Keepass because it is FOSS. Second would be 1Password (1Password is closed source and proprietary, but its design and implementation are heavily scrutinized by their community and have more eyeballs on them than other solutions). Also, 1Password responds to changing threat landscapes and is ahead of the curve in terms of infosec. AgileBits, the company that ships 1Password, actually cares about this stuff. Plus they're not a hosted service, so they're not spreading themselves too thinly.