On Wednesday 22 Jul 2015 19:43:43 Dale wrote:

> So, don't use something that is within your browser but then go and type
> that password . . . in your browser? Yea, that'll work. Heck, if I
> really wanted something that secure, I'd unplug the ethernet cable and
> turn off my modem. Then I might be secure.

LOL! No, I meant that you decrypt your passwd containing text file, sql file,
localc file, or whatever file you use. Then you use something like cat, or
less, or localc to view/search it. It can all be scripted so that you run a
single command alias in a terminal and it asks you for your gpg passphrase,
before it opens the file for you.

A terminal is unlikely to suffer from XSS, javascript injection, sql
injection, et al. but a browser could. Then you can copy & paste whichever
account passwd you needed into a browser, but this will NOT be your master
passphrase. Even if the passwd you paste into a browser ends up being
compromised, it will only be one passwd and a single account, rather than your
master passphrase and all your accounts.

> Just how many of these sticks do I need? Are we looking at a dozen or
> more which will have to be all kept up to date as well? Come on, be
> realistic here. I doubt anyone is going to spend the time to do all that.

You need more than one, if you want to keep your passwds file stored off your
machine. I keep mine on a PC which is air-gapped and a second copy on a USB
stick. You may need a third copy kept at different premises, if you want to
guard against DR.

> But with Lastpass, I don't have to worry about that. I can go to my
> brother's house, put my email and password in Lastpass and carry on with
> life. No need for a USB stick at all or having to wonder when was the
> last time I updated the passwords on it either.
>
> I'm trying to be realistic here. I try to be as secure as I can but
> within REASON. As I mentioned above, if I really need and must be that
> secure, I'd unplug the ethernet cable and turn off my modem. Then I
> wouldn't have to worry about it unless someone broke into my home. Of
> course, I wouldn't have the benefit of using the internet either.

Sure, security and convenience are not always best bedfellows. We are
discussing hypothetical risks here and different users' risk tolerances.
If you encrypt the file separately with a strong key before you upload it, and
this encryption key is different to your authentication key on the Lastpass
website, then the risk of your encrypted file being cracked is rather low.
When people discovered that their Lastpass account had been compromised, this
did not necessarily mean that their encrypted file had been compromised too.
However, I don't know exactly what the security architecture of Lastpass is to
comment on the specifics. All I'm saying is that I wouldn't trust storing my
passwds on the cloud for the sake of convenience.

YMMV. :-)

--
Regards,
Mick
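
The scripted lookup described in the message above, as an added example that is not part of the original e-mail: a shell function that has gpg decrypt the file to a pipe and prints only the requested account. The file path, the `account:username:password` line format and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Assumed store (constructed for this example): a gpg-encrypted text file with
# one "account:username:password" entry per line. PWFILE is a hypothetical path.
PWFILE="${PWFILE:-$HOME/.passwds.gpg}"

# Decrypt to stdout only; gpg asks for the passphrase through its agent/pinentry.
pw_decrypt() {
    gpg --quiet --decrypt "$1"
}

# Refuse a store that group or other users can read or write.
pw_check_perms() {
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$perms" in
        [0-7]00) return 0 ;;
        *) echo "refusing: $1 has mode $perms, expected owner-only" >&2; return 1 ;;
    esac
}

# Print only the entry whose account field matches exactly, so one lookup puts
# one account's password on screen instead of the whole file.
pw_lookup() {
    [ $# -eq 1 ] || { echo "usage: pw_lookup ACCOUNT" >&2; return 2; }
    [ -r "$PWFILE" ] || { echo "cannot read $PWFILE" >&2; return 1; }
    pw_check_perms "$PWFILE" || return 1
    # The plaintext exists only in this pipe; nothing is written to disk.
    # A failed decryption yields no input, so the lookup reports "not found" (3).
    pw_decrypt "$PWFILE" | awk -F: -v acct="$1" '
        $1 == acct { print; found = 1 }
        END { exit (found ? 0 : 3) }'
}

# The "single command alias" for interactive use, e.g. in ~/.profile:
#   alias pw=pw_lookup
```

Because the match is on the exact account name, a lookup for one site never scrolls the other accounts' passwords past the screen or into terminal scrollback.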