Using <news:lQtxN.354397$xHn7....@fx14.iad>, Alan Browne wrote:
>> I would never use any of these apps. Storing passwords online just seems
>> incredibly foolish to me.
>
> As long as one guards the password to that file (and that password is
> not guessable) it is perfectly safe to store it online.

Nobody could deny this app easily slipped through Apple's checks and nobody
could deny it took Apple too long to react (at least if you ask the people
whose rather sensitive credit card & password data was apparently already
stolen in that interim where Apple was moribund, according to LastPass).

But on the topic of whether or not it's a good idea to store your sensitive
passwords on an online database which could ask for your credit card
information, there are always going to be pros and cons to the equation.

Many love online password programs, some of which automatically enter
passwords when you attempt a login to a given company (which is nice).

Online passwords are nice for a few other reasons, one of which is you
can't lose them if you lose your device. Another reason online passwords
are nice is all your devices access them anywhere (as long as you have
Internet access anyways). There's also the advantage of automatic sync with
all your devices if you happen to have added a new password from one.

But for every pro, there's a con that has to be weighed against it.

The main negative that this malware app took advantage of by stealing
people's credit card information and their passwords (most likely) is in
the fact people are paying for the service using their credit cards and
they are using real names & real phone numbers & real addresses.

Instantly, that's crossing the red line when it comes to basic privacy and
security on the Internet.

The other red line is that you're giving one outfit all your passwords, and
that one outfit is definitely going to be targeted by every hacker out
there, including the ones whose funding is many times the net worth of
LastPass (meaning they outfund LastPass by many times over).

If there are never any holes in LastPass security, they wasted their money.
But there are always holes. You know that. So that's the second con.

Granted those two cons won't outweigh the convenience of LastPass for
millions of people who are, let's put it nicely, not technically astute.

One simple test if someone is technically astute is to ask them if they're
using "cloud storage" and if they are, ask them which one and from that
answer, you will know whether they are technically competent or not.

Most are not.

By way of comparison, the technically competent people know how to set up
their own cloud (for example Nextcloud) if a cloud is what they desire.

But better yet, the most technically competent probably shun clouds
altogether by storing the passwords in an encrypted password database (such
as KeePassXC) where syncing is handled on the LAN such that the kdbx
databases are always in sync across all your devices.

If they absolutely must have access from someone else's device (say on a
library computer when they're traveling and their phone battery is dead),
they can always upload that encrypted kdbx file to any cloud server.

This is just a point of view where the pros and cons are weighted differently
for each person, mostly depending on their technical abilities more than
anything else.