When it comes to important stuff I think it’s important to trust no one.
I’m sure LastPass tried really hard to protect data. But everything fails eventually. If there’s things that are life threatening or financially devastating then I don’t think I can afford to audit people sufficiently to trust them with the info.
This is also why I can’t imagine ever using Plaid/Mint/etc that require my bank credentials just to do minor stuff like make payments or read transactions.
These password managers are in a tough spot market wise as they aren’t smart enough to secure super important stuff and for unimportant things, iOS/chrome password management is pretty good. I don’t mind if my audible account gets rooted, but it would be very bad if my bank or brokerage gets rooted.
> This is also why I can’t imagine ever using Plaid/Mint/etc that require my bank credentials just to do minor stuff like make payments or read transactions.
That's the fault of banks. We need open banking, with APIs using OAuth or similar with scopes or some way for per-action/item access.
They could have started simpler with app passwords that provide read only access. They purposefully dragged their feet under the false principle that they own their clients' data.
What if the bank were collectively owned and operated, and used a clever cryptographic scheme to simultaneously allow full transparency and full monetary autonomy?
Then I guess that multiple bad actors would jump at the chance to irreparably scam thousands of accounts out of millions of dollars. Or something like that.
Things are improving bit by bit. BofA and Chase both have OAuth and pretty granular permissions now. Citi and Wells Fargo have OAuth APIs too, though I haven't worked with them personally. That's the top 4 consumer banks, but many credit unions are stuck in the past. Credit unions in general need to wake up about how far behind they are in IT investment, and use a common IT vendor to modernize.
Exactly. I should be able to create read only tokens. I think banks don’t really want us getting our own data without going through their marketing interface.
Unfortunately, individuals are not allowed to make use of it for private purposes. You must be a registered business and then be entered in a register before you get any keys.
> I’m sure LastPass tried really hard to protect data. But everything fails eventually.
Sure, but password managers available over the internet are especially vulnerable. They're major centralized honeypots given the data they handle, and leaks are probably worth millions on the black market. To think that any company could handle this responsibility is naive at best.
Password managers are an entire section of software that shouldn't exist. They're too confusing and a chore to use for the general public, even if users are educated about their importance, and would like to secure their accounts. Many non-technical people don't bother or care at all.
The way forward is to get rid of passwords altogether and make passwordless authentication the norm. There have been some usability improvements in recent years in this area, to the point where it could reach mass adoption, but the change needs to start with developers.
I was a LastPass user for many years, many years ago, and trusted them, but have since moved all my passwords offline. And I would very much like not to worry about maintaining accounts, updating passwords, etc. Ugh, what a chore.
> [Password managers are] major centralized honeypots given the data they handle, and leaks are probably worth millions on the black market.
My knowledge in this area is admittedly limited, but shouldn't password managers be fully encrypting your data with a key only you have (like 1Password)? The way I understood it was that these leaks shouldn't be a problem because the data is worthless without the master key. Although I guess LastPass wasn't doing it that way.
I was specifically talking about _online_ password managers in that quote. Even in the best case scenario that they do follow all best modern security practices for storing the data at rest, there are countless exploit opportunities while the data is in transit, especially considering the clients are web browsers, with their own security issues. Not to mention the vulnerability from rogue employees, social engineering, etc.
Entrusting _any_ company with the secrets to your digital life is a bad idea in general. I know that 1Password is the darling in this space, but breaches are a matter of time. They only need to mess up once. Their entire business reputation relies on being 100% secure, which is impossible. I'm not surprised LastPass is reluctant to share more information; they want this to go away as soon as possible so that business can continue as usual. It also wouldn't surprise me if there were other breaches that were never made public, at LastPass, 1Password, or any of these companies.
> I was specifically talking about _online_ password managers [...] considering the clients are web browsers
Is that an actual thing?! I'm only familiar with password managers that use the Internet to synchronize, i.e. it's still 100% possible to apply the cryptography such that the service vendor or anyone else cannot read your passwords stored or in transit.
I can maaaybe imagine password managers with a web interface that however still decrypts locally, client-side.
TLS does a good job at this, and I'm not assuming it's compromised. But it's complex to set up correctly, and I'd rather avoid the need to transmit sensitive data every time I access my credentials, and entrust my most critical information with a 3rd party, all to support a service that shouldn't exist to begin with.
Password managers are currently a necessary evil, so if you must use them, use an offline one, and sync across devices via any other secure mechanism.