What alarms me much more than the appearance of bad code quality is the fact that we have no direct way of checking what's actually going on under the hood and what impact it has on security. If there is one axiomatic requirement for the trustworthiness of a password manager, it's that it must be open source. That way people don't have to guess at the code quality from their use of file extensions. Lots of people seem to have a huge phobia of storing their passwords in the cloud and I have the f

I've been working on a reimplementation of the LastPass command line client lately and while I was also a bit surprised when I found out that the login URL was "https://lastpass.com/login.php" I didn't really think much of it. In the end the server side of things is really not critical since it only stores an encrypted version of the blob. Sure, it looks a bit sloppy, but if it works... The real weakness of lastpass is and always will be the clients, in particular those browser

Facebook was doing something similar (.php URL's). Should we avoid Facebook? Maybe. But for this reason? I was a PHP dev for nearly a decade and you can't possibly know the ways I hate it (unless you're a PHP dev too); but this is a very poor form of criticism.