Frankly, it leaves me exhausted in the same way the regular stream of sensational ignorant responses to violent video games, boobs in video games, or explicit lyrics in music leave me exhausted. It's extremely difficult to fight an ignorant public being exploited by a willfully ignorant and sensationalistic media.
The likes of Tech Crunch et al who should be in a position to counter such mainstream media reactions and behavior are all too often, unfortunately, jumping right into the fray and showing that they can be just as counter-productive as any big old-media outlets.
I just feel like it will get lost in the noise though
That was always one of the things that drove me batshit crazy about slashdot -- nominally it has editors, but they let straight up flame-bait submissions go through.
The solution as shown by delta1 is to escape it.
Aren't the ones writing "headlines". They are the ones reading and believing "headlines" without understanding.
They deserve better, especially seeing as how transparent they were about the whole situation and how they handled it.
I'd tend to look at these types of services as a convenience, nothing more. If you allow yourself to become reliant on them for access to your personal data, like banking, etc., then I'd say that you put too much faith/trust in them. Shit happens, all the time, despite the best intentions of people working hard to make sure it doesn't.
How do you go about keeping all of your usernames and passwords secure, then?
The encrypted database is local and synced everywhere. If DropBox goes down I have to fall back to another transport, but I am never "locked out".
It's a hell of a lot easier to do if you don't make it about straight random memorization though.
I have a little memory association I do with every site I need an account/pass for, based on various characters out of books I've read.
Every site has a character I've associated with it, to make it easier to remember, and I have a simple (to me) algorithm I use to generate the password that includes various capitalization and special characters.
Sure, it might take a bit of work early on to remember stuff, but if you learn how to memorize things effectively, it makes it much easier.
Mind you, I also know all my CC numbers, passport number, drivers license, etc., as well, so maybe I'm just weird.
The mnemonic is a good idea. I've thought about doing that - but then I fear that I'd forget the mnemonic :)
Most banks have phone numbers that you can call if you don't know your password. Some banks even let you reset your password if you know your account number and SSN.
EDIT: d'oh. It's maiden name, obviously.
With banks this secure, I really don't worry about keeping the login information in something like lastpass.
Anyway, I also live in China, and have had problems with banks being so secure that it becomes inconvenient. A few months ago I tried to get into my ING account, for which I'd lost the password. Although I managed to authenticate my identity over the phone, they could only send me a new password to my address in the UK. However, this is a house my family no longer lives in... so the whole affair involved contacting the new occupants to forward the new password letter on to someone I knew. I've also had problems with Natwest's online payment system giving me an "unknown failure" message. After calling up, I found that the system had flagged my transaction as suspicious due to my location as revealed by my IP address. When dealing with such issues, I often feel like I'm trying to steal my own identity.
Anyway, after looking at the options I decided to use PasswordCard to manage my passwords, which is a physical solution (www.passwordcard.org). It's a card of random numbers, symbols and letters that you can print out. You then take a sequence of such symbols to form each new password that you need. I decided not to use a standard password manager since it's not very portable between machines (I travel quite a bit, and also with the current rate of technology change it's likely that in a few years I'll be using a device and OS that doesn't exist yet).
It's true that sometimes having very secure banks can be a pain... But, I would much rather have a bank that is very secure and a bit of a pain to sometimes access compared to a bank like mine where it's trivially easy to get access to someone's bank account...
I currently use 1password because it's not hosted, it's portable and I find it quite convenient...
BTW: You got my name but haven't got my correct birth date. I've avoided having it in the clear on the internet because of identity theft :-)
If you ever drop by Shanghai, feel free to hit me up for a drink
Why should I be worried about this? I'm not trolling... I just don't understand what we are all supposed to be afraid of.
I wish there was a way of securing all of them with the same secondary authentication token.
It looks like pwdhash works around this by functioning as a browser plugin (making your master password inaccessible from the DOM), but I'd still be slightly worried about browser exploits allowing malicious sites to get at your master password.
pwdhash still leaks the length of the password since it aims to give users visual feedback of characters being typed.
Then you've also got the issue of automatic update of plugins being compromised. The question is really: is it more secure than the alternatives?
Financial institutions you type in: 'myfinancialpassword'
Other sites you type: 'myrelativelysecurepassword'
"Sorry, boss, can't work on that bug because I don't have my Redmine password. I also don't have the password for our build machine, so I can't sudo anything."
We also have a client who gave us remote access via a Java applet to SSH in with - can't use keys on those.
You have to be careful though because sometimes a mistake like that is not an honest mistake, but carelessness. To bring it back to the topic at hand, LastPass (possibly) made an honest mistake somewhere. Sony is careless. Fire Sony, run to LastPass because now they will be even more paranoid.
And this is a serious question, as I'm no expert in the field, but it seemed strange to me that they couldn't explain what actually happened with any certainty.
When was the last time that you "could have sworn" that you left your keys on the desk, but they're on the counter instead? Suppose that happened; it almost certainly means you just misremembered where you left your keys, but there is a TINY chance that someone might have stolen the keys, copied them, and put them back in the wrong place.
Just to be 100% certain, you immediately call a locksmith, and get your locks changed. And all the neighbors start talking about how poor you are at security for having allowed a burglar into your house.
THAT would be a reasonable analogy for what LastPass did.
The fact that LastPass has methods to notice small anomalies like this is reassuring.
I hope they explain how they are going to resolve this for the future.
I thought that my passwords are encrypted on my computer with a master password known only to me, but the same master password leaves my computer every time I log in to the LastPass site via their website.
Could someone point me to where it is detailed how they manage without knowing my password or where it is explained why they need to know it?
Unfortunately you are right for the overwhelming majority of users who will see "LastPass Hacked!" then note "Don't use LastPass".
Unless they have a really awkward reason, not having a proper idea about a possible hack is not a good sign.
Besides, it's a password manager. Of course it's going to be held to a higher standard of security. It failed at the one and only thing it is supposed to do.