Just to clarify the title. It was not a deliberate backdoor on the part of Passwordstate. It was a supply chain attack. There is some history to their security holes (most of the known ones being patched).

https://twitter.com/juanandres_gs/status/1385689464329187329

https://github.com/NorthwaveSecurity/passwordstate-decryptor/blob/master/MORE_INFO.md

A potential issue in the password management space is that Francisco Partners (owner of NSO Group) owns Lastpass (and LogMeIn).

https://en.wikipedia.org/wiki/NSO_Group

https://www.globenewswire.com/news-release/2020/08/31/2086214/0/en/Francisco-Partners-and-Evergreen-Coast-Capital-Complete-Acquisition-of-LogMeIn.html

Note: I work in the IAM and PAM space and designed dashboards for saas pass.
Passwordstate doesn't seem to have automatic updates, and the update process is mildly annoying, so I can't imagine very many people were unlucky enough to update during the couple of days they were compromised.

Not saying this isn't very concerning from Click Studios, just that the number is going to be a lot smaller than 29,000.
I run Keepassxc in a VM with no networking enabled, and no networking stack enabled in the VM. The clipboard is shared 2-way with the host. I keep the DB on a shared volume so it can be backed up by the host machine.
Nothing is ever perfect. Password managers are a good thing and vastly more pragmatic than the folksy homemade "nuclear-launch-code" alternatives some HN'ers describe here.

Sticking with my password manager.
These days I generally don't trust any security product. They are as much malware themselves as the malware which they claim to protect you from.

- Many security software providers are hackers or ex-hackers... So you're basically paying hackers to protect you from themselves. Why should I trust software which is almost 100% guaranteed to have been written by hackers more than any other random software I might download from the internet which has maybe a less than 1% chance of having been written by a hacker?

- The software security industry is more about selling security products than actually helping to keep people and companies secure. The incentives are to sell peace of mind while keeping systems vulnerable (don't kill the goose that lays the golden eggs).

- Most security products capitalize on fear rather than genuine threats (security tools tend to show lots of false positives to draw attention to themselves or to upsell additional software).
My password manager: a mental hash of some site attributes, my username, and a security level that results in a valid password.

A particularly-motivated attacker could easily reverse engineer my hash algorithm, given enough samples. But, good enough for me.
That's why I never used and will never use a password manager... You can't get more security by trusting more intermediaries with your passwords. When it comes to anything that matters, you want to trust as few intermediaries as possible.

The more entities have access to your passwords, the less secure you are. I can't believe I even have to say it, it seems so obvious.

Why not just remember your passwords? There is an infinite number of strategies and secret rules which you can use to easily remember your passwords.

Or for low-importance services, why not just use your browser's built-in password manager? You have to trust the browser maker anyway.