Hacker News new | past | comments | ask | show | jobs | submit login

You trusted an online service to look after your passwords. Use something local, like 1password. I have no idea why anyone would use a hosted solution like LastPass. Of course something will happen?



> I have no idea why anyone would use a hosted solution like LastPass.

Convenience. I use Bitwarden. I get a lot of value from having my passwords synced across multiple PCs and my phone.


1Password allows you to use a local vault, encrypted with a master password, that can be synced across devices in multiple ways, for instance using Dropbox. There are no web logins going on, no 'someone else's database' accessed over the web. I have used this solution for a number of years, and would _never_ go for a cloud option like LastPass for important personal data.


Just a sidenote to clarify that the last version of 1Password to allow local vaults is 1Password 7. They are not supported in any 1Password versions going forward. Although from what I understand the company was gauging interest and open to eventually reintroducing this if enough people wanted it, based on this explanation: https://1password.community/discussion/comment/602340/#Comme...


I see no big diff actually. It offers you no more security if you're directly compromised. It also doesn't help much in reducing the risk of the 3rd party services being hacked, as your data still travels through someone else's cloud. The one attack you avoid by it is LastPass being hacked and your encrypted vault stolen - but then you also open yourself up to the attack of Dropbox being hacked and your data stolen (which also makes for a pretty big attack surface with its automatic sync on all machines). In both cases the attacker gets the encrypted vault, so having a good master password is a smart move.

One should really stay away from storing the vault on any permanent online storage, and do the one-time sync using temporary file-transfer services or, even better, some private peer-to-peer transfer method - but then you lose a lot of the convenience of tools like LastPass or 1Password over Dropbox. And in security everything is in picking the right balance between safety and convenience for you personally.


There is a fairly big difference: you are decrypting a local file using a master password NOT stored on the internet. No data is going over the wire, no 'other people's computers'.

Even if someone got your vault file, with a _very strong_ master password it's just not going to get brute forced any time soon. [1]

With an online-only solution you have no idea how they are storing your data. I think 1p local vault (only) with db sync with an extremely strong master pw is adequate, but indeed for most use cases, it could be better to simply one-way sync from your main computer to your mobile device with something like Resilio Sync and avoid Dropbox entirely.

I cannot bring myself to trust any online service with this kind of data. Nobody is getting my master password without hacking my machine, brain, or government backdoor. There is a lot of peace of mind to be had with a local system IMO.

[1] https://support.1password.com/pbkdf2/
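As an added illustration (not code from the thread, 1Password or LastPass), this models the vault design both sides are arguing about: the device derives the vault key from the master password with PBKDF2-HMAC-SHA256, whatever syncs the vault only ever holds salt plus ciphertext, and the defender's lever against a stolen vault is password entropy times KDF work factor. The iteration count and the attacker guess rate are assumptions, not vendor or benchmark figures.

```python
"""Toy model of a 'decrypt locally, sync ciphertext' password vault.
ITERATIONS and the attacker rate are assumptions for illustration only."""
import hashlib
import math
import secrets
import time

ITERATIONS = 100_000  # assumed work factor; the vendor's own KDF page has the real one
KEY_LEN = 32          # 256-bit vault key


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Device-side derivation: neither the password nor the key is sent anywhere."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, KEY_LEN)


def measure_kdf_seconds(iterations: int = ITERATIONS) -> float:
    """Cost of one guess on this machine; a GPU rig is orders of magnitude faster."""
    salt = secrets.token_bytes(16)
    start = time.perf_counter()
    derive_vault_key("timing-probe", salt, iterations)
    return time.perf_counter() - start


def passphrase_entropy_bits(words: int, dictionary_size: int) -> float:
    """Entropy of a randomly chosen passphrase, e.g. 4 words from a 7776-word list."""
    return words * math.log2(dictionary_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected offline time: on average half the keyspace is searched before a hit."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # stored next to the ciphertext; not secret
    key = derive_vault_key("correct horse battery staple", salt)
    assert key == derive_vault_key("correct horse battery staple", salt)  # same salt, same key
    assert key != derive_vault_key("correct horse battery stable", salt)  # one wrong char, unrelated key
    print(f"one guess here costs {measure_kdf_seconds() * 1000:.1f} ms")
    assumed_gpu_rate = 10_000.0  # assumed guesses/s at ITERATIONS; substitute a current benchmark
    for words in (2, 4, 6):
        bits = passphrase_entropy_bits(words, 7776)
        years = expected_crack_seconds(bits, assumed_gpu_rate) / 31_557_600
        print(f"{words} diceware words = {bits:.1f} bits -> ~{years:.3g} years at the assumed rate")
```

The same stolen salt-plus-ciphertext is all either a breached hosted service or a breached sync folder yields, so the numbers apply to both setups the thread compares.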


I would disagree with your premise. If LastPass gets hacked, you hear all about it (this thread being a perfect example). You also then get group minds chasing solutions and spotting issues.

If you get hacked, you won't even know, and when you try to figure out how your genius security solution was foiled, you are on your own there too.

The only way your data is safer is in your mind, which is the first mistake of security; you don't get hacked because you knew about the weakness, you get hacked because you didn't.

PMs are, in most cases, a lot more advantageous for many reasons. But you can't really compare the solo solution at all, imo.


> There is a fairly big difference, you are decrypting a local file using a master password NOT stored on the internet.

That's the same thing that LastPass does AFAIK. According to their site: "Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass."

So they pull down the encrypted vault to the local machine before decrypting it; it's never on the wire in an unencrypted form, nor do keys leave your local machine... which is essentially exactly the same thing that you do with 1Password + Dropbox for sync, just in one service. (At least that's my understanding, I might be interpreting the LastPass statements wrong, in which case please do correct me.)



