Charles U. Farley (freakazoid@retro.social)'s status on Friday, 13-Jan-2023 04:46:14 JST

I wonder how many companies that use LastPass are telling their employees that they have to rotate any critical secrets stored in LastPass but not actually doing anything to follow up or enforce that, and so nobody is going to do it because it's such a gigantic pain in the ass?
Charles U. Farley (freakazoid@retro.social)'s status on Friday, 13-Jan-2023 05:00:48 JST

"We got pwned because of the LastPass breach, but it's not our fault because we told everyone to rotate any critical secrets they had stored in LastPass."

Adrian Cochrane repeated this.
Charles U. Farley (freakazoid@retro.social)'s status on Friday, 13-Jan-2023 05:00:48 JST

Which raises an interesting question: how do you actually ensure people DO rotate critical secrets after a compromise of the company's official password manager?
The answer is: the company needs to have emergency access to everyone's vaults, and to keep regular snapshots to know what secrets were there at a given time. Then you can just scan for any critical secrets in the vault, same as scanning for them in your VCS repos.
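The scan-the-vault-snapshots idea from the post above, as an added example that is not code from anyone in this thread. It assumes a CSV vault export with the columns url,username,password,extra,name,grouping,fav (a LastPass-like layout, assumed here), flags entries as critical by folder name or by well-known token formats (constructed list), and keeps only SHA-256 fingerprints of the secrets in each snapshot so the compliance store never becomes a second plaintext vault. Comparing the pre-incident snapshot with a current export lists every critical entry whose secret has not changed, which is exactly the "did they actually rotate it" check the post asks for.

```python
"""Verify rotation of critical secrets between two vault snapshots.

Added example (not from the thread). Assumed export columns:
url,username,password,extra,name,grouping,fav
Snapshots retain only SHA-256 fingerprints, never the secrets themselves.
"""
import csv
import hashlib
import io
import re

# Token formats that mark an entry as a critical secret.
# Constructed for this example; extend with your organisation's own formats.
CRITICAL_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Vault folders whose every entry counts as critical (assumed names).
CRITICAL_FOLDERS = {"Production", "Infrastructure"}


def fingerprint(secret: str) -> str:
    """One-way fingerprint so snapshots never store the secret itself."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def classify(row: dict) -> list:
    """Return the reasons an export row is considered critical (empty if none)."""
    reasons = []
    folder = row.get("grouping", "")
    if folder in CRITICAL_FOLDERS:
        reasons.append("folder:" + folder)
    for name, pattern in CRITICAL_PATTERNS.items():
        # Tokens may sit in the password field or in the free-text notes.
        for field in ("password", "extra"):
            if pattern.search(row.get(field, "") or ""):
                reasons.append(name)
    return sorted(set(reasons))


def snapshot(export_csv: str) -> dict:
    """Map (entry name, username) -> {reasons, fp} for every critical entry.

    Only the fingerprint of password+notes is kept, so the returned dict is
    safe to persist as the periodic snapshot the post describes.
    """
    result = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        reasons = classify(row)
        if not reasons:
            continue
        key = (row["name"], row["username"])
        secret_material = row.get("password", "") + "\x00" + (row.get("extra", "") or "")
        result[key] = {"reasons": reasons, "fp": fingerprint(secret_material)}
    return result


def unrotated(baseline: dict, current: dict) -> list:
    """Critical entries present in both snapshots whose secret is unchanged.

    Entries removed from the vault drop out (deletion counts as handled);
    entries renamed or re-keyed appear as new and are not reported here.
    """
    return sorted(
        key for key, entry in current.items()
        if key in baseline and baseline[key]["fp"] == entry["fp"]
    )


# Constructed sample exports: the pre-incident snapshot and a later export.
# The AWS values are the documented AWS example credentials, not real ones.
BEFORE_CSV = """url,username,password,extra,name,grouping,fav
https://db.internal.example,dbadmin,Hunter2-before,,prod-db,Production,0
https://console.aws.amazon.com,deploy,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY,Access key id: AKIAIOSFODNN7EXAMPLE,aws-deploy,Infrastructure,0
https://www.netflix.com,alice@example.com,popcorn123,,netflix,Personal,1
"""
AFTER_CSV = """url,username,password,extra,name,grouping,fav
https://db.internal.example,dbadmin,Rotated-after-incident,,prod-db,Production,0
https://console.aws.amazon.com,deploy,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY,Access key id: AKIAIOSFODNN7EXAMPLE,aws-deploy,Infrastructure,0
https://www.netflix.com,alice@example.com,popcorn123,,netflix,Personal,1
"""


if __name__ == "__main__":
    before = snapshot(BEFORE_CSV)
    after = snapshot(AFTER_CSV)
    for name, user in unrotated(before, after):
        print(f"NOT ROTATED: {name} ({user}) - {', '.join(after[(name, user)]['reasons'])}")
```

Run against real exports, the baseline would come from the last snapshot taken before the compromise window and the current dict from a fresh export obtained through the emergency-access path; anything the script prints is a secret the incident team can chase by name rather than by asking everyone to self-report.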