SaaS June 25, 2026 bearish ⇧ 100 pts across 1 thread

Password Manager Trust Is Structurally Broken

LastPass disclosed yet another data breach, and the HN comments were not sympathetic. The core critique was sharp: the business model of a password manager requires users to trade individual account risk for systemic risk, and LastPass has now demonstrated repeatedly that it cannot manage the systemic risk side of that deal.

The comments articulated a clean version of the trust problem: storing all your secrets in one place with a third party only works if that third party is actually more secure than you would be on your own. LastPass has invalidated that premise multiple times now.

This is a product and trust failure, not just a security incident. The category of password management itself is not being questioned, but the centralized SaaS model for it is.


So what?

For founders building any product that holds sensitive user data, LastPass is the cautionary case study to cite in your own internal security reviews. The specific failure mode to avoid is underinvesting in security while over-relying on encryption-at-rest as a defense. The LastPass breaches happened partly because of how key material was stored, not just because someone got in.
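The failure mode described above, as an added example that is not code from LastPass or the HN thread: two ways of storing an encrypted vault record, one where the service keeps the vault key in the same record as the ciphertext (encryption-at-rest in name only), and one where the key is derived from the user's master password with a slow KDF so the stored record alone is useless. The cipher is a toy encrypt-then-MAC built from HMAC-SHA256 so it runs on the standard library; it stands in for a real AEAD such as AES-GCM. The 600,000-iteration floor in `kdf_meets_policy` is an assumed review policy, taken from the OWASP 2023 recommendation for PBKDF2-HMAC-SHA256. Everything else (record layout, function names, the sample secret) is constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Toy encrypt-then-MAC built from HMAC-SHA256 so the example runs on the
# standard library alone. It stands in for a real AEAD (e.g. AES-GCM); the
# point of the example is where the key lives, not the cipher itself.
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes) -> tuple:
    # Separate encryption and MAC keys derived from the vault key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Design 1: "encryption at rest" where the service generates the vault key and
# stores it in the same record as the ciphertext. Anyone who copies the record
# (e.g. from a backup snapshot) has everything needed to decrypt it.
def store_with_static_key(secrets: bytes) -> dict:
    key = os.urandom(32)
    return {"key": key.hex(), "vault": encrypt(key, secrets).hex()}


# Design 2: the vault key is derived from the user's master password with a
# slow KDF. Only the salt and the work factor are stored; the key itself never
# touches the service's storage.
def store_with_derived_key(secrets: bytes, master_password: str, iterations: int) -> dict:
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, 32)
    return {"salt": salt.hex(), "iterations": iterations, "vault": encrypt(key, secrets).hex()}


def reopen(record: dict, master_password: str) -> bytes:
    """Legitimate user path for design 2: re-derive the key and decrypt."""
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                              bytes.fromhex(record["salt"]), record["iterations"], 32)
    return decrypt(key, bytes.fromhex(record["vault"]))


def plaintext_from_record_alone(record: dict) -> Optional[bytes]:
    """What a stolen copy of the record yields by itself, with no password.
    Design 1 decrypts outright; design 2 yields nothing."""
    if "key" in record:
        return decrypt(bytes.fromhex(record["key"]), bytes.fromhex(record["vault"]))
    return None


def kdf_meets_policy(record: dict, min_iterations: int = 600_000) -> bool:
    """Review check: a derived-key record is only as good as its work factor.
    600,000 is the OWASP (2023) floor for PBKDF2-HMAC-SHA256 (assumed policy)."""
    return "key" not in record and record.get("iterations", 0) >= min_iterations


if __name__ == "__main__":
    secrets = b"example.com: hunter2"  # constructed sample vault content
    weak = store_with_static_key(secrets)
    strong = store_with_derived_key(secrets, "correct horse battery staple", 600_000)
    print("static-key record leaks plaintext:", plaintext_from_record_alone(weak) == secrets)
    print("derived-key record leaks plaintext:", plaintext_from_record_alone(strong) is not None)
    print("derived-key record meets KDF policy:", kdf_meets_policy(strong))
```

The point the example makes for an internal review is the question to ask of any "encrypted at rest" claim: if an attacker walks off with a copy of the stored record (and, in a real incident, the backup store is often exactly what is copied), does that record decrypt itself? Design 1 answers yes no matter how strong the cipher is. Design 2 answers no, but only as long as the stored work factor is actually high, which is why `kdf_meets_policy` belongs in the same review as the cipher choice.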
