
This isn't the first time that LastPass has had security issues and it seems like a fool's game to use a password manager that keeps your data in the cloud.

https://www.blackhat.com/eu-15/briefings.html#even-the-lastp...

https://blog.lastpass.com/2015/06/lastpass-security-notice.h...

I've been very happy with 1password; it runs locally and can be synced directly to other devices. https://agilebits.com/onepassword

Does anyone have experience with 1password security breaches?



I don't think that's a fair criticism of Lastpass for having "security issues" for the following reasons:

1. In the blog post you linked, no user passwords were at risk. They were being abundantly cautious, which makes sense since they hold everyone's passwords.

2. In the talk you linked, this is an inherent problem with storing keys on your local filesystem and not a problem with Lastpass. 1password is also "vulnerable" to this attack.

3. This current phishing attack is not a vulnerability in Lastpass itself, or anything wrong with their cryptography. As the author points out, anyone who falls for this will receive an automatic email notice (if 2FA is not on) from Lastpass and if you have geographic restrictions enabled this attack won't work at all (note 1password does not have these features).

4. Storing encrypted data in the cloud is not inherently a vulnerability, although it increases your attack surface. Many users of 1password also do this with features like Dropbox sync, and Dropbox provides much less rigorous access control compared to Lastpass.

5. 1password has had its own share of security blunders. The most recent being their database format that leaks all of your account names and the URLs they are for, which 1password defended was for "performance reasons". http://myers.io/2015/10/22/1password-leaks-your-data/

EDIT: Updated to mention that alert emails are only sent if 2FA is disabled.


Thanks for the link to the 1password compromise, although, I stand by my point, that compromise is due to extraneous features as opposed to the core functionality. Being conservative myself, that's not a feature I use.

I see 1password's main vulnerability being that someone could gain access to a device and vault passcode, or obtain that passcode through a keylogger.

I'm not sure how difficult it would be to brute force into 1Password locally but either way it's a low benefit game compared to the potential access with a compromise to a cloud based scenario like LastPass.

But I'm always open to security advice...


> I'm not sure how difficult it would be to brute force into 1Password locally but either way it's a low benefit game compared to the potential access with a compromise to a cloud based scenario like LastPass.

I'm not sure if you're familiar with how Lastpass works in general, but all of the data you store with Lastpass is encrypted in almost an identical manner to your 1password vault. They can't read your passwords.

A "compromise" of Lastpass would require brute forcing each user's vault in order to gain any actual passwords, which would require an extraordinarily long time.

I know it sounds concerning saying "put all your passwords in the cloud" but the reality is that it's no different than using 1Password with sync enabled.


>the reality is that it's no different than using 1Password with sync enabled.

Except that a user's LastPass vault lives in the "cloud", so a compromise of that password can likely open the door and makes it a more enticing target to begin with. Compare that to the likelihood of merely getting at the 1password vault (assuming it's not synced to the cloud) being a significant barrier.

Again, for me this discussion is educational, I'm curious how having this data in the cloud could ever be considered more secure than local storage.


> I'm curious how having this data in the cloud could ever be considered more secure than local storage

It's not, I didn't mean to give that impression. It increases your attack surface, which is a tradeoff that 99.99% of users are happy to make for the convenience of having instant and strongly secured access to all of their passwords from anywhere.

I meant to point out that this is no different than how the vast majority of 1Password users configure their database: with Dropbox syncing.

For me, this is a required feature to using a password manager. If you do not need this feature, local storage only is better. However, I'll argue that if you have that level of concern then you should also not be using any closed source password manager in the first place.


Are you sure about the vast majority? Do you have a source for that?

I use 1pass too and would never consider storing passwords in the cloud, let alone on Dropbox.


I think you may be wrong about #3. The author argues that anyone with 2-factor turned on will NOT receive email notification, and I'm not sure what you mean by geographic restriction. You can disallow Tor IPs but that is about it.


Sorry, you're right that 2FA accounts will not receive the email. I've updated my comment.

In addition to the Tor IP block, you can also restrict it to only allow access from select countries. This is what I meant by geographic restriction.



