I may have my facts wrong on some of this, so (those who actually know) please feel free to correct me?
2. Keyrings like LastPass are great for fools who refuse to take responsibility for their own data/account security. But for a programmer or system administrator to provide one attack vector (externally sourced, no less!) that gives access to all parts of the system isn't just negligent, it's deliberate and wilful.
LastPass does not contain your passwords. It contains an encrypted version of your passwords - and only you have the encryption key. Storing passwords in LastPass does not make them any more insecure than any other form of password storage you can use - while allowing you to use purely random and very long passwords, no duplicates, for all your other services.
Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity. Security is about risk management. LastPass itself may be secure, but it is completely inappropriate to use as a keyring for all of a production system's components. Putting "all your eggs in one basket" and needlessly creating such high risk is unforgivable.
Interesting to see that Intersango were so keen on finding exploits in other exchanges and then grandstanding about how they were "warning" people and insisting that they are more qualified to look after your money on their exchange, yet when they were clearly aware of exploits in a system they took (or sought to take) ownership of, they deliberately decided not to fix them or warn the masses. Despicable.
BB.