When I worked at LogMeIn (previous owners of LastPass), I relocated to Budapest and worked in the same building as LastPass' engineering (I was in another division though). Getting a sneak peek of how the sausage is made gave me the heebie-jeebies and I switched to 1Password there and then. It appears I dodged a bullet.
They haven’t had the history of security problems that LastPass has had, and they’ve taken steps to handle this kind of situation by including an extra per-user key to stymie password guessing if someone does get the vaults:
I stopped using them when they switched to subscription-only but I think it’s in their favor that they have planned for a nightmare scenario rather than assuming it won’t happen.
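An added illustration of the "extra per-user key" idea mentioned above (example code written for this page, not from the thread or from either product): a toy key derivation where a stolen vault can be attacked with a wordlist when the key depends on the master password alone, but not when a device-held secret key is mixed in. The derivation, iteration count, verifier construction and wordlist are all constructed for the demonstration and are not 1Password's actual scheme.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameter; a real product uses far more iterations and its
# own documented derivation. This models the concept, not any vendor's design.
ITERATIONS = 10_000
VERIFIER_LABEL = b"vault-check"


def derive_key(master_password: str, salt: bytes, secret_key: bytes = b"") -> bytes:
    """Derive a vault key from the master password, optionally mixed with a
    per-user secret key that never leaves the user's devices."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    if not secret_key:
        return pw_key
    # Mixing in a high-entropy secret key means anyone holding only the vault
    # must guess both the password and this key.
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def new_secret_key() -> bytes:
    """128 random bits, generated on the user's device at account creation."""
    return secrets.token_bytes(16)


def make_vault(master_password: str, secret_key: bytes = b"") -> dict:
    """Stand-in for a stored vault: the salt plus a key verifier. A real vault
    would hold ciphertext; the verifier is enough to show guessing cost."""
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt, secret_key)
    verifier = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}


def dictionary_recovers_password(vault: dict, candidates, secret_key: bytes = b""):
    """Simulate offline guessing by someone who holds the vault and a wordlist.
    Returns the recovered password, or None if no candidate verifies."""
    for cand in candidates:
        key = derive_key(cand, vault["salt"], secret_key)
        probe = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
        if hmac.compare_digest(probe, vault["verifier"]):
            return cand
    return None


def extra_guess_factor(secret_key: bytes) -> int:
    """How many times larger the guess space becomes when the secret key is
    unknown: 2^(bits in the key), assuming it is uniformly random."""
    return 2 ** (8 * len(secret_key))


if __name__ == "__main__":
    wordlist = ["password", "letmein", "hunter2", "correct horse"]  # constructed
    weak_pw = "hunter2"

    vault_pw_only = make_vault(weak_pw)
    print("password-only vault, wordlist hit:",
          dictionary_recovers_password(vault_pw_only, wordlist))

    sk = new_secret_key()
    vault_with_sk = make_vault(weak_pw, sk)
    print("secret-key vault, wordlist hit without the key:",
          dictionary_recovers_password(vault_with_sk, wordlist))
    print("same vault, legitimate device holding the key:",
          dictionary_recovers_password(vault_with_sk, wordlist, sk))
    print("guess space multiplied by 2^%d" % (8 * len(sk)))
```

The point the toy makes: the secret key does nothing to protect against a compromised device (which already has it), but it turns a weak master password in a leaked vault from a wordlist problem into a 128-bit search, which is exactly the "vaults get stolen" scenario the comment above is describing.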
Yeah I thought the same. I don't think 1Password is immune to security issues. However, after seeing several things I did not like in LastPass development, I decided 1Password was the safer bet. Knock on wood, they claim they've never been hacked and I hope it stays that way.
Moving from one cloud-based password manager to another is hardly a solution. Use password managers which locally store the file and then sync them with gdrive/Dropbox. You can also add another layer of encryption to the file to be extra safe.
I cannot talk about specifics obviously since I was an employee. I can only say I did not see the sw engineering and infrastructure rigour I'd expect from a service that is managing very sensitive information.
Sounds about right. A while back I noticed the LastPass password generator was not in fact outputting a random password but that at least a few characters of the password followed a predictable pattern.
I reported it and it was fixed, but it's beyond me how a supposedly security focused company can let such a severe bug in such an important yet simple feature get to production.
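The kind of defect described in the comment above, a generator whose output follows a positional pattern, is easy to catch with a sampling test. The following is an added example (not code from the thread or from LastPass): two constructed generators, one uniform and one with a deliberate pattern at the first and last positions, and a per-position character-class check that flags positions whose distribution departs from what the advertised alphabet would produce. The alphabet, sample size and z-score threshold are assumptions chosen for the demonstration.

```python
import math
import secrets
import string
from collections import Counter

# Constructed alphabet the generators advertise: 26 lower, 26 upper, 10 digits.
ALPHABET = string.ascii_letters + string.digits


def uniform_generator(length: int = 12) -> str:
    """Reference generator: every position drawn uniformly from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def biased_generator(length: int = 12) -> str:
    """Constructed defect for the demo: first character is always a letter,
    last character is always a digit, the middle is uniform."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(length - 2))
    return secrets.choice(string.ascii_letters) + body + secrets.choice(string.digits)


def char_class(c: str) -> str:
    if c.isdigit():
        return "digit"
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    return "other"


def expected_class_probs(alphabet: str = ALPHABET) -> dict:
    """Class frequencies a uniform draw from the alphabet should produce."""
    counts = Counter(char_class(c) for c in alphabet)
    return {cls: n / len(alphabet) for cls, n in counts.items()}


def positional_bias(generator, samples: int = 2000, length: int = 12,
                    alphabet: str = ALPHABET, z_threshold: float = 6.0) -> list:
    """Return the positions whose character-class counts deviate from the
    uniform expectation by more than z_threshold standard deviations.
    An unbiased generator returns []; a patterned one names the positions."""
    probs = expected_class_probs(alphabet)
    pws = [generator(length) for _ in range(samples)]
    flagged = []
    for pos in range(length):
        observed = Counter(char_class(pw[pos]) for pw in pws)
        for cls, p in probs.items():
            expected = samples * p
            sd = math.sqrt(samples * p * (1 - p))  # binomial standard deviation
            if sd and abs(observed.get(cls, 0) - expected) / sd > z_threshold:
                flagged.append(pos)
                break
    return flagged


if __name__ == "__main__":
    print("uniform generator, biased positions:", positional_bias(uniform_generator))
    print("patterned generator, biased positions:", positional_bias(biased_generator))
```

With 2000 samples the expected digit count per position is about 322 with a standard deviation of about 16, so a position that is never (or always) a digit sits dozens of standard deviations out, while random fluctuation beyond six standard deviations is essentially impossible. The check is coarse on purpose: it works from the published alphabet rather than the generator's internals, which is what a tester outside the vendor can do.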