On Monday, 4 February 2019 22:12:16 GMT Dale wrote:
> Neil Bothwick wrote:
> > On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
> >>> One reason I use LastPass, it is mobile. I can go to someone else's
> >>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> >>> logoff and it is like I was never there.
> >>
> >> As much as I like Lastpass I would never do that. It isn't magic - it
> >> is javascript. If there is a compromise on your computer, then your
> >> password database will be compromised. This is true of other
> >> solutions like KeePassX and so on - if something roots your box then
> >> it will be compromised.
> >
> > I don't see what root has to do with it. If someone gains access to your
> > box, they can copy the database file and then take their time trying to
> > crack the password, but you don't need to be root to do that.
>
> I might point out, LastPass encrypts the password before sticking it in
> a file. It isn't visible or plain text. Even getting the file would
> still require some tools and cracking to get the password itself.
> Cracking the master password would likely be much easier and doesn't
> even require access to the box itself, Linux or windoze. Also, LastPass
> only stores the encrypted password on its servers. Even if LastPass is
> hacked, the passwords are still encrypted. It's one reason LastPass
> shouldn't have to worry about getting court orders to turn over
> passwords. It doesn't really have them. I would suspect that cracking
> an encrypted password is as difficult as is just poking at a password
> until it is guessed.
>
> Even if a person is using a perfect tool, cracking a password is always
> going to be possible. The tougher the password, the harder it will be
> and the longer it will take. Still, it can be done. Using these tools
> just makes it harder. I'm not aware of a perfect password tool. I
> doubt one exists or ever will either. ;-) It's still good to pick one,
> use it and try to be as secure as one can.
>
> Dale
>
> :-) :-)

A solution like LastPass et al., using a browser's javascript to access it,
under a single master passwd, theoretically would have so many side-channel
attacks no one would be wasting time to brute force anything.

https://en.wikipedia.org/wiki/LastPass#Security_issues

You could use gpg/openssl to encrypt a number of files, which would contain
your different website/application passwds. For paranoid use cases you can
use asymmetric keys and store your private key out-of-band. Sure, it won't be
as convenient as LastPass, but I expect it would be more secure and unlikely
to be compromised by XSS vulnerabilities.

-- 
Regards,
Mick
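As an added example that is not part of Mick's message or the thread, a small POSIX shell sketch of the scheme in the last paragraph: one encrypted file per site, encrypted to an RSA public key with the openssl CLI, so the private key can be kept out-of-band. The openssl CLI, the STORE directory, the function names and the sample site/password are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: one encrypted file per site, encrypted
# to an RSA public key with the openssl CLI (assumed installed, 1.1.1 or 3.x).
# Only the public key needs to live on the machine that adds entries; the
# private key can stay out-of-band and be brought in just to read an entry.
set -eu

# STORE is a constructed location for this demo; override it if you like.
STORE="${STORE:-$(mktemp -d)}"

# One-time key generation. private.pem is the out-of-band secret.
gen_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$STORE/private.pem" 2>/dev/null
    openssl pkey -in "$STORE/private.pem" -pubout -out "$STORE/public.pem"
}

# add_entry <site> <password>: encrypt with the public key only, using
# OAEP padding rather than the legacy PKCS#1 v1.5 default. A single RSA
# block holds a password comfortably (well under ~214 bytes for 2048-bit).
add_entry() {
    printf '%s' "$2" | openssl pkeyutl -encrypt -pubin \
        -inkey "$STORE/public.pem" -pkeyopt rsa_padding_mode:oaep \
        -out "$STORE/$1.enc"
}

# get_entry <site>: decrypt; works only while private.pem is present.
get_entry() {
    openssl pkeyutl -decrypt -inkey "$STORE/private.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$STORE/$1.enc"
}

# readable_with_public_key_only <site>: returns non-zero, showing that a
# copied .enc file plus the public key yields nothing without private.pem.
readable_with_public_key_only() {
    openssl pkeyutl -decrypt -pubin -inkey "$STORE/public.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$STORE/$1.enc" >/dev/null 2>&1
}

# Demo round trip with a constructed site name and password.
if [ "${1:-}" = "demo" ]; then
    gen_keys
    add_entry example.org 'correct horse battery staple'
    printf 'stored in %s, decrypts to: %s\n' "$STORE" "$(get_entry example.org)"
fi
```

Run it as `sh store.sh demo` to see the round trip; in real use private.pem would sit on removable media or an offline machine rather than beside the encrypted files.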