Wladimir Palant

Google sent me a mail to tell me how my website was doing. Took me a moment to realize that this wasn’t a glitch in their data.

Note how LastPass PR offloaded a ton of buzzwords here that don’t actually mean anything. They turned this kind of responses into an art. https://arstechnica.com/security/2026/02/password-managers-promise-that-they-cant-see-your-vaults-isnt-always-true/

Bitwarden at least admits that a fully compromised server isn’t part of their threat model. It’s the same for LastPass, and in the past they’ve rejected vulnerability submissions based on that – there are a number of very simple ways in which a compromised server is able to access your “secure” vault. But they won’t admit it, hoping instead that the message will drown in the noise they produce.

For the sake of completeness: Dashlane’s response is merely generic. 1Password’s response is correct from what I can tell: the “compromised server” scenario has been considered and the risks arising from it are documented, nothing new here.

#LastPass #infosec

RE: @soatok@furry.engineer

This is old news for some but way too many people didn’t get the memo: do not trust Matrix crypto. It’s not that they have issues (who doesn’t), it’s their approach which is the opposite of taking security seriously.

#Matrix #MatrixMessenger #infosec