
Huh? I don't follow this at all. Why should they not recommend password managers? More people should, in fact, be using them.

We'd all like answers to every question we could have about the compromise. As you can see upthread, they've already committed to providing some of those answers. In the meantime, they're probably slammed with other things, and you aren't actually entitled to answers to all of your questions. You are obviously free to take your business elsewhere if their answers aren't satisfactory.



>they're probably slammed with other things

To be fair, GP did say he didn't mind if they delayed answers until they've remediated the issue.

>you aren't actually entitled to answers to all of your questions. You are obviously free to take your business elsewhere if their answers aren't satisfactory.

I would agree, generally. But this is an issue wherein the company has failed the trust that was previously placed in them by the customer. The customer already made the decision to give the company his business and so could incur harm, even if he subsequently chooses to take his future business elsewhere.

So, I believe customers are certainly "entitled to answers". Judging from the way Kickstarter is handling this, it appears that they agree.


"But this is an issue wherein the company has failed the trust that was previously placed in them by the customer. The customer already made the decision to give the company his business and so could incur harm, even if he subsequently chooses to take his future business elsewhere."

Seriously? You think this is going to materially impact Kickstarter? [1] That all of a sudden people will stop having projects and people will stop funding projects? That this is like the Corvair and "Unsafe at Any Speed" or Audi unintended acceleration? To things like this a typical end user will think "happens to everyone, yawn, what's for dinner".

[1] If anything the publicity of the breach will help Kickstarter if it gets any national media attention (I don't think it will, but other security breaches have). Things like this are usually bad for well-known brick-and-mortar companies (say Target) but not the same for a company at the lower level of brand awareness of Kickstarter. Very familiar to all of us on HN, but in terms of the general public in flyover country, not that well known. I remember early stories of nasty stuff on eBay and Craigslist that got mentioned, and that only helped them.


>Seriously? You think this is going to materially impact kickstarter?

No, I don't. That's not what I said.


Sorry, while you are certainly more knowledgeable about security, I have to disagree with you.

We don't yet know what is going on, and recommending a password manager makes no sense until we know the actual problem. And deferring a security breach to an external tool is not a recommendation anyone should make.

So having a password manager would solve a SQLi? It might be the case that this is just some stolen account from a phishing attack. But do we know? We don't. So now using LastPass makes the user more confident about his or her password security inside Kickstarter? How can anyone be happy with that conclusion?

Secondly, password managers don't make your password more secure. Maybe I should rephrase: don't even consider any online password manager. Storing multiple passwords in a single database that someone else owns? I don't see how that's going to make me feel better about password security. If anything, being decentralized means we don't give a single person all of our identity. Now we do. We tell LastPass: here is the list of passwords I use. Great. I probably will be slightly happier with an offline password manager, but in the end, your brain can function and scale better than a service.

Sorry, fundamentally and practically I will have to disagree with you. And I stand by my own view, and there is nothing wrong with my view, and any downvote just seems ridiculous. In fact, I think people should think deeply before utilizing ANY password manager. If you have a security breach, focus on disclosure and tell people what went wrong, because that's the only thing that can tell people how to do better with their account.


Nothing in this comment constitutes an argument for password managers being a bad thing, or even simply not an unalloyed good thing. I am if anything more confused about what your argument is now.


I think you're confused -- 1Password is a local client, with no online component run by 1Password (well, by Agile Bits, the makers of 1Password). They have good clients for OS X and iOS, and kind of shitty clients for Android and Windows (IIRC).

1Password does have some sync functionality between devices, using third-party services (Dropbox, iCloud) and LAN-local sync over Wi-Fi. Or you could otherwise copy your own encrypted password database between machines.


It won't prevent SQL injection, but it makes it trivially easy to use a different password for each site, so that when Kickstarter gets hacked you can just change that password.

People should use different passwords for different sites anyway, but we both know they don't, and most people wouldn't be able to handle that.



