That sounds like a study that proves IF is better than Keto, not IF is better than CICO alone.

I agree, but being more error prone, and having to reset passwords more often, is better than password reuse for most users too. Lastpass, bitwarden, etc, all require you to trust the team you’re purchasing it from to some degree. Keepass is fully offline, with no ability to sync, except what you do to keep the file synced.

For most end users personal use, which is going to be many people in this thread, their backup is going to be a personal onedrive/icloud, a flash drive, or something like backblaze if they’re being fancy. They aren’t going to be configuring S3 buckets to keep their 50-100 password database backed up, if they back it up at all.

Assuming everything is implemented in the way Lastpass says it is, only if the attackers were still in the network, and had setup a system to scrape passwords. From what they’re saying, the attackers grabbed the encrypted vaults, which are useless without the master password, so anyone with a strong master password that hadn’t been reused anywhere will be fine.

There are options for password managers if you don’t trust lastpass, such as keepass, which stores the database locally, so no third party has any ability to view them. You then have to worry about backing up the database itself to avoid a hard drive going bad wiping out your password vault, but it is free iirc.