PSA: Stop using Lastpass for anything valuable.

Malware is a thing.

lpass ls \
| grep -oP '(?<=id: )([0-9]+)' \
| xargs -n1 bash -c 'lpass ls | grep "id: $1]"; lpass show $1' --

Before anyone asks, no, 1Password is not any better, nor is any other pure software password manager.

op list items \
| jq -r '.[].uuid' \
| xargs -n1 bash -c 'op get item "$1"' --

If you are protecting food delivery passwords or a reddit account, Lastpass and similar are good enough.

They are -not- good enough for production cloud API tokens, financial credentials, 2FA backups, crypto-asset keys, etc.

For high value secrets, assume the system in front of you is compromised.

Decrypt one secret at a time in external touch-activated hardware like a Yubikey, Mooltipass, or Trezor.

Then malware can't take your whole secret database at once.
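The defender-side counterpart to the one-liners above, added here as an example and not code from the original posts: each of those pipelines makes one parent spawn one `lpass show` or `op get item` per vault entry, so on a host with process-execution logging the dump shows up as a burst of vault reads from one user in a few seconds, usually right after a `lpass ls` / `op list items`. The detector below flags that burst. The event format and every sample line are constructed for this example; wiring it to a real collector (auditd EXECVE, Sysmon event 1, an EDR feed) means adapting `parse_event()` to that source.

```python
"""Flag bulk reads of a password-manager vault through its CLI.

Added example for this thread, not code from the original posts. The log
format and all sample events below are constructed; parse_event() is the
only function that needs changing for a real process-execution source.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import shlex

# Command prefixes that read a single vault entry, per CLI.
VAULT_READ = [
    ("lpass", "show"),
    ("op", "get", "item"),   # 1Password CLI v1 (the syntax used in the thread)
    ("op", "item", "get"),   # 1Password CLI v2
]
# Command prefixes that enumerate the vault. A listing immediately before a
# burst of reads points at scripted dumping rather than a busy human.
VAULT_LIST = [
    ("lpass", "ls"),
    ("op", "list", "items"),
    ("op", "item", "list"),
]

# Constructed events: "<ISO time> uid=<n> cmd=<argv>". Two dumps (uid 1000
# via lpass, uid 1001 via op) plus two ordinary single lookups by uid 1000.
SAMPLE_EVENTS = """\
2024-05-01T09:00:00 uid=1000 cmd=lpass show --password github.com
2024-05-01T09:10:02 uid=1000 cmd=lpass ls
2024-05-01T09:10:03 uid=1000 cmd=lpass show 1001
2024-05-01T09:10:04 uid=1000 cmd=lpass show 1002
2024-05-01T09:10:05 uid=1000 cmd=lpass show 1003
2024-05-01T09:10:06 uid=1000 cmd=lpass show 1004
2024-05-01T09:10:07 uid=1000 cmd=lpass show 1005
2024-05-01T09:10:08 uid=1000 cmd=lpass show 1006
2024-05-01T09:10:09 uid=1000 cmd=lpass show 1007
2024-05-01T09:20:00 uid=1001 cmd=op list items
2024-05-01T09:20:01 uid=1001 cmd=op get item aaaa0001
2024-05-01T09:20:01 uid=1001 cmd=op get item aaaa0002
2024-05-01T09:20:02 uid=1001 cmd=op get item aaaa0003
2024-05-01T09:20:02 uid=1001 cmd=op get item aaaa0004
2024-05-01T09:20:03 uid=1001 cmd=op get item aaaa0005
2024-05-01T09:20:03 uid=1001 cmd=op item get aaaa0006
2024-05-01T09:45:00 uid=1000 cmd=lpass show --password aws-console
"""


def classify(argv):
    """Return ("read", item), ("list", None) or (None, None) for one argv."""
    words = [a for a in argv if not a.startswith("-")]  # drop flags such as --password
    for prefix in VAULT_READ:
        if tuple(words[:len(prefix)]) == prefix and len(words) > len(prefix):
            return "read", words[len(prefix)]
    for prefix in VAULT_LIST:
        if tuple(words[:len(prefix)]) == prefix:
            return "list", None
    return None, None


def parse_event(line):
    """Parse one constructed event line into a dict (adapt for real sources)."""
    ts, uid_field, cmd_field = line.split(" ", 2)
    kind, item = classify(shlex.split(cmd_field[len("cmd="):]))
    return {"ts": datetime.fromisoformat(ts),
            "uid": int(uid_field[len("uid="):]),
            "kind": kind, "item": item}


def detect_bulk_reads(log_text, window_s=10, threshold=5):
    """One alert per burst of >= threshold distinct entries read by the same
    uid within window_s seconds. listed_first records whether a vault listing
    ran in the window before the burst started."""
    window = timedelta(seconds=window_s)
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_uid = defaultdict(list)
    for e in events:
        if e["kind"]:
            by_uid[e["uid"]].append(e)

    alerts = []
    for uid, evs in by_uid.items():
        reads = [e for e in evs if e["kind"] == "read"]
        listings = [e["ts"] for e in evs if e["kind"] == "list"]
        current, i = None, 0
        for j, e in enumerate(reads):
            while reads[i]["ts"] < e["ts"] - window:   # slide the window start
                i += 1
            items = {r["item"] for r in reads[i:j + 1]}
            if len(items) < threshold:
                continue
            if current and e["ts"] - current["end"] <= window:
                current["end"] = e["ts"]                # same burst: extend it
                current["items"] |= items
            else:
                current = {"uid": uid, "start": reads[i]["ts"],
                           "end": e["ts"], "items": set(items)}
                current["listed_first"] = any(
                    current["start"] - window <= t <= current["start"] for t in listings)
                alerts.append(current)
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_reads(SAMPLE_EVENTS):
        print(f"uid={a['uid']} read {len(a['items'])} entries in "
              f"{(a['end'] - a['start']).seconds}s, listing first: {a['listed_first']}")
```

The threshold and window are tuning knobs: a person copying a few passwords by hand stays well under five distinct entries in ten seconds, while a per-entry loop over even a small vault crosses it in the first few seconds. The `listed_first` flag is what separates the two alert classes in practice, since the scripted dump has to enumerate the vault before it can iterate over it.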


"Tell me what password manager to use."

Not sponsored, but the only hardware secret manager I tested that you don't need to be an engineer to use.

I recommend engineers try Password Store encrypted to a Yubikey.


Ignore suggestions that a valid defense is to just not have the CLI tools installed and/or never leave things unlocked.

1. Malware can bring any tools it needs with it.
2. Malware can be automatically triggered when you unlock your password manager.

@lrvick Bookmarking it, might get one to write software against!

Really interesting.
It's not cheap, but interesting.

@lordmax For someone protecting things valued at thousands of $ or more, spending a small % for security is well worth it.

If you are not protecting any significant value, then any password manager you find easy to use is fine.

@lrvick Worth mentioning, it was out of stock for almost the whole 2020-2022 period (I tried to buy multiple times). Now they are in stock 😁


The original server operated by the Mastodon gGmbH non-profit