| 1 |
On Wednesday 22 Jul 2015 19:43:43 Dale wrote: |
| 2 |
|
| 3 |
> So, don't use something that is within your browser but then go and type |
| 4 |
> that password . . . in your browser? Yea, that'll work. Heck, if I |
| 5 |
> really wanted something that secure, I'd unplug the ethernet cable and |
| 6 |
> turn off my modem. Then I might be secure. |
| 7 |
|
| 8 |
LOL! No, I meant that you decrypt your passwd containing text file, sql file, |
| 9 |
localc file, or whatever file you use. Then you use something like cat, or |
| 10 |
less, or localc to view/search it. It can all be scripted so that you run a |
| 11 |
single command alias in a terminal and it asks you for your gpg passphrase, |
| 12 |
before it opens the file for you. |
| 13 |
|
| 14 |
A terminal is unlikely to suffer from XSS, javascript injection, sql |
| 15 |
injection, et al. but a browser could. Then you can copy & paste whichever |
| 16 |
account passwd you needed into a browser, but this will NOT be your master |
| 17 |
passphrase. Even if the passwd you paste into a browser ends up being |
| 18 |
compromised, it will only be one passwd and a single account, rather than your |
| 19 |
master passphrase and all your accounts. |
| 20 |
|
| 21 |
|
| 22 |
> Just how many of these sticks do I need? Are we looking at a dozen or |
| 23 |
> more which will have to be all kept up to date as well? Come on, be |
| 24 |
> realistic here. I doubt anyone is going to spend the time to do all that. |
| 25 |
|
| 26 |
You need more than one, if you want to keep your passwds file stored off your |
| 27 |
machine. I keep mine on a PC which is air-gapped and a second copy on a USB |
| 28 |
stick. You may need a third copy kept at different premises, if you want to |
| 29 |
guard against DR. |
| 30 |
|
| 31 |
|
| 32 |
> But with Lastpass, I don't have to worry about that. I can go to my |
| 33 |
> brothers house, put my email and password in Lastpass and carry on with |
| 34 |
> life. No need for a USB stick at all or having to wonder when was the |
| 35 |
> last time I updated the passwords on it either. |
| 36 |
> |
| 37 |
> I'm trying to be realistic here. I try to be as secure as I can but |
| 38 |
> within REASON. As I mentioned above, if I really need and must be that |
| 39 |
> secure, I'd unplug the ethernet cable and turn off my modem. Then I |
| 40 |
> wouldn't have to worry about it unless someone broke into my home. Of |
| 41 |
> course, I wouldn't have the benefit of using the internet either. |
| 42 |
|
| 43 |
Sure, security and convenience are not always best bedfellows. We are |
| 44 |
discussing about hypothetical risks here and different users' risk tolerances. |
| 45 |
If you encrypt the file separately with a strong key before you upload it, and |
| 46 |
this encryption key is different to your authentication key on the Lastpass |
| 47 |
website, then the risk of your encrypted file being cracked is rather low. |
| 48 |
When people discovered that their Lastpass account had been compromised, this |
| 49 |
did not necessarily mean that their encrypted file had been compromised too. |
| 50 |
However, I don't know exactly what the security architecture of Lastpass is to |
| 51 |
comment on the specifics. All I'm saying is that I wouldn't trust storing my |
| 52 |
passwds on the cloud for the sake of convenience. |
| 53 |
|
| 54 |
YMMV. :-) |
| 55 |
|
| 56 |
-- |
| 57 |
Regards, |
| 58 |
Mick |
Archives