Mick wrote:
> On Tuesday, 5 February 2019 07:55:41 GMT Dale wrote:
>> Mick wrote:
>>> https://en.wikipedia.org/wiki/LastPass#Security_issues
>>>
>> From what I read, no users had their passwords compromised in those.
> I read it differently. LastPass didn't know if any passwds were compromised
> (or wouldn't tell you). As a precaution they asked users to change their
> master passwd, while they changed their server's salt. In addition, there
> were XSS vulnerabilities later on, which is probably to be expected with
> JavaScript and similar technologies.
>

I recall the email vaguely. It said there was nothing that showed the
passwords were compromised. I did change passwords for things like my
bank etc but left the others alone. Of course, I change those passwords
on a fairly regular basis anyway. Thing is, when it comes to financial
stuff, I don't leave as much to chance. I found the email notice. Here
is a bit of it:

"No encrypted user vault data was taken, however other data, including
email addresses and password reminders, was compromised."

So, the encrypted stuff such as passwords was not compromised. They
only got email addys and such which isn't a big deal.

>> As
>> I pointed out earlier, the passwords are already encrypted when they are
>> sent to LastPass. If I called LastPass, could prove I am who I claim to
>> be and asked them for a password to a site, they couldn't give it to me
>> because it is encrypted when it leaves my machine.
> I don't know exactly how the LastPass architecture is configured, other than
> it relies on device based encryption activated with JavaScript, but anomalies
> they observed in incoming and outgoing traffic on the 2011 incident indicate
> someone was interfering with their data streams. Given Diffie-Hellman could
> be compromised (e.g. as per Logjam) by precomputing some of the most commonly
> used primes in factoring large integers, it may be someone was undertaking
> comparative analysis to deduce ciphers and what not. If the server salt was
> obtained, then one layer of encryption was compromised.
>
> All this is juxtaposition and my hypothesizing does not mean LastPass is not
> useful, or not secure. It just means its design is not as secure as locally
> run simpler encryption mechanisms, which do not leave your PC and are not
> stored somewhere else.
>
> The greater surface area a security system exposes, the higher likelihood
> someone will take a punt at cracking it. A browser, sandboxed or not, has far
> too many moving parts and exposed flanks to keep crackers and state actors
> busy. I expect with advances in AI this effort will accelerate
> logarithmically.

This is why I don't use the built-in password manager in Firefox.
Firefox most likely concentrates on the browser since its main job is
being a browser. A password tool is a little lower on the list I would
think. However, LastPass and other password tools, it is their main
function to be password tools that are secure but can still work with
the browser as well.

>
>> As I pointed out to Rich, I don't expect these tools to be 100%. There
>> is no perfect password tool or a perfect way to manage them either. No
>> matter what you do, someone can come along and poke a hole in it. If
>> you use a tool, the tool is hackable. If you use the same password that
>> is 40 characters long for several dozen sites, then the site can be
>> hacked and they have the password for those other sites as well. The
>> list could go on for ages but it doesn't really change anything. We do
>> the best we can and then hope it is enough. Using tools is in my
>> opinion better than not using a tool at all. At the least, they will
>> have a hard time breaking into a site directly without my password. It
>> beats the alternative which is cutting off the computer and unplugging
>> it. :-(
> Yes, well said. A disconnected and switched off PC is probably quite secure,
> but what use is this to anybody. LOL! The effectiveness of PC security is
> challenged on a daily basis and you eventually have to arrive at a personal
> trade-off between security and usability.
>

This is what I run into with this new password project. I want one that
is easy for me to remember, easy to type and such but I also want it to
where some script kiddy can't crack it in like 10 seconds while laughing
his/her fool head off at me. The decision to use a tool like LastPass,
or any other tool for that matter, also means a trade-off. Anything we
use will expose us to something. That said, not using one exposes us to
something else, even if it is just bad ways to deal with passwords.
Using one password on several sites is one thing that jumps to my mind.
We just have to try to be reasonable about it. One thing about this,
I'm putting more effort into one password than most do for every
password they have.

Now to play with the strength meters some more.

Dale

:-) :-)
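As an added illustration, not code from this thread and not LastPass's own design, here is a toy model of the client-side encrypted vault Dale describes: the vault is encrypted on the user's machine before upload, the service stores only an opaque blob plus a login check value, and so it cannot hand back a site password even to a verified user. It also shows why a wrong master password (or a tampered blob) is rejected outright rather than producing garbage, and why rotating a server-side salt changes the login check value without touching the vault key or the ciphertext. The PBKDF2 work factor, the use of the account email as client salt, the separate server salt, the `ToyVaultServer` class and the HMAC-based encrypt-then-MAC cipher are all assumptions of this model; a real client would use an AEAD such as AES-GCM instead of the toy cipher.

```python
import hashlib
import hmac
import json
import os

# Constructed model of a client-side encrypted vault (illustration only; not LastPass's design).
# The client derives a vault key from the master password and never sends it anywhere.
# The server receives only an auth hash (for login checks) and the encrypted vault blob.

PBKDF2_ROUNDS = 100_000  # assumed work factor for the toy model
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: the account email serves as the client salt (assumption of this model)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), PBKDF2_ROUNDS)


def derive_auth_hash(vault_key: bytes, server_salt: bytes) -> bytes:
    """Client side: one extra hash with the server-held salt gives the server a login check value
    that does not reveal the vault key. Rotating the server salt changes only this value."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, server_salt, 1)


def _subkey(vault_key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the vault key.
    return hmac.new(vault_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy PRF (a real client would use an AEAD such as AES-GCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, entries: dict) -> bytes:
    """Encrypt-then-MAC on the client. Output layout: nonce || ciphertext || tag."""
    plaintext = json.dumps(entries, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> dict:
    """Verify the tag first: a wrong master password or a modified blob is rejected, not garbled."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault tag mismatch: wrong key or tampered data")
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


class ToyVaultServer:
    """What the service stores per account: only the auth hash and the opaque blob."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.accounts = {}  # email -> {"auth": bytes, "blob": bytes}

    def register(self, email: str, auth_hash: bytes, blob: bytes) -> None:
        self.accounts[email] = {"auth": auth_hash, "blob": blob}

    def login(self, email: str, auth_hash: bytes):
        """Returns the blob on success; the server never sees a vault key or any plaintext."""
        acct = self.accounts.get(email)
        if acct and hmac.compare_digest(acct["auth"], auth_hash):
            return acct["blob"]
        return None


def client_round_trip(master_password: str, email: str, entries: dict, login_password: str):
    """Register, then log in from a fresh session with `login_password` and try to open the vault.
    Returns (login_ok, recovered_entries_or_None)."""
    server = ToyVaultServer()
    vault_key = derive_vault_key(master_password, email)
    server.register(email, derive_auth_hash(vault_key, server.salt), encrypt_vault(vault_key, entries))

    # Second session: only the typed password and the server salt are available to the client.
    attempt_key = derive_vault_key(login_password, email)
    blob = server.login(email, derive_auth_hash(attempt_key, server.salt))
    if blob is None:
        return False, None
    try:
        return True, decrypt_vault(attempt_key, blob)
    except ValueError:
        return True, None


if __name__ == "__main__":
    sample = {"bank.example": "correct horse battery staple"}  # constructed sample entry
    print(client_round_trip("my master pw", "dale@example.invalid", sample, "my master pw"))
    print(client_round_trip("my master pw", "dale@example.invalid", sample, "wrong guess"))
```

The point of the split between `derive_vault_key` and `derive_auth_hash` is that the server salt only feeds the login check: if that salt leaks, an attacker still has to brute-force the master password through the full PBKDF2 cost to reach the vault key, and the service itself never has the material needed to decrypt the blob.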