| 1 |
On Monday, 4 February 2019 22:12:16 GMT Dale wrote: |
| 2 |
> Neil Bothwick wrote: |
| 3 |
> > On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote: |
| 4 |
> >>> One reason I use LastPass, it is mobile. I can go to someone else's |
| 5 |
> >>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc, |
| 6 |
> >>> logoff and it is like I was never there. |
| 7 |
> >> |
| 8 |
> >> As much as I like Lastpass I would never do that. It isn't magic - it |
| 9 |
> >> is javascript. If there is a compromise on your computer, then your |
| 10 |
> >> password database will be compromised. This is true of other |
| 11 |
> >> solutions like KeePassX and so on - if something roots your box then |
| 12 |
> >> it will be compromised. |
| 13 |
> > |
| 14 |
> > I don't see what root has to do with it. If someone gains access to your |
| 15 |
> > box, they can copy the database file and then take their time trying to |
| 16 |
> > crack the password, but you don't need to be root to do that. |
| 17 |
> |
| 18 |
> I might point out, LastPass encrypts the password before sticking it in |
| 19 |
> a file. It isn't visible or plain text. Even getting the file would |
| 20 |
> still require some tools and cracking to get the password itself. |
| 21 |
> Cracking the master password would likely be much easier and doesn't |
| 22 |
> even require access to the box itself, Linux or windoze. Also, LastPass |
| 23 |
> only stores the encrypted password on its servers. Even if LastPass is |
| 24 |
> hacked, the passwords are still encrypted. It's one reason LastPass |
| 25 |
> shouldn't have to worry about getting court orders to turn over |
| 26 |
> passwords. It doesn't really have them. I would suspect that cracking |
| 27 |
> a encrypted password is as difficult as is just poking at a password |
| 28 |
> until it is guessed. |
| 29 |
> |
| 30 |
> Even if a person is using a perfect tool, cracking a password is always |
| 31 |
> going to be possible. The tougher the password, the harder it will be |
| 32 |
> and the longer it will take. Still, it can be done. Using these tools |
| 33 |
> just makes it harder. I'm not aware of a perfect password tool. I |
| 34 |
> doubt one exists or ever will either. ;-) It's still good to pick one, |
| 35 |
> use it and try to be as secure as one can. |
| 36 |
> |
| 37 |
> Dale |
| 38 |
> |
| 39 |
> :-) :-) |
| 40 |
|
| 41 |
A solution like LastPass et al., using a browser's javascript to access it, |
| 42 |
under a single master passwd, theoretically would have so many side-channel |
| 43 |
attacks no one would be wasting time to brute force anything. |
| 44 |
|
| 45 |
https://en.wikipedia.org/wiki/LastPass#Security_issues |
| 46 |
|
| 47 |
You could use gpg/openssl to encrypt a number of files, which would contain |
| 48 |
your different website/application passwds. For paranoid use cases you can |
| 49 |
use asymmetric keys and store your private key out-of-band. Sure, it won't be |
| 50 |
as convenient as LastPass, but I expect it would be more secure and unlikely |
| 51 |
to be compromised by XSS vulnerabilities. |
| 52 |
|
| 53 |
-- |
| 54 |
Regards, |
| 55 |
Mick |
Archives