| 1 |
Mick wrote: |
| 2 |
> On Tuesday, 5 February 2019 07:55:41 GMT Dale wrote: |
| 3 |
>> Mick wrote: |
| 4 |
>>> https://en.wikipedia.org/wiki/LastPass#Security_issues |
| 5 |
>>> |
| 6 |
>> From what I read, no users had their passwords compromised in those. |
| 7 |
> I read it differently. LastPass didn't know if any passwds were compromised |
| 8 |
> (or wouldn't tell you). As a precaution they asked users to change their |
| 9 |
> master passwd, while they changed their server's salt. In addition, there |
| 10 |
> were XSS vulnerabilities later on, which is probably to be expected with |
| 11 |
> JavaScript and similar technologies. |
| 12 |
> |
| 13 |
|
| 14 |
I recall the email vaguely. It said there was nothing that showed the |
| 15 |
passwords were compromised. I did change passwords for things like my |
| 16 |
bank etc but left the others alone. Of course, I change those passwords |
| 17 |
on a fairly regular basis anyway. Thing is, when it comes to financial |
| 18 |
stuff, I don't leave as much to chance. I found the email notice. Here |
| 19 |
is a bit of it: |
| 20 |
|
| 21 |
|
| 22 |
"No encrypted user vault data was taken, however other data, including |
| 23 |
email addresses and password reminders, was compromised." |
| 24 |
|
| 25 |
So, the encrypted stuff such as passwords was not compromised. They |
| 26 |
only got email addys and such which isn't a big deal. |
| 27 |
|
| 28 |
|
| 29 |
>> As |
| 30 |
>> I pointed out earlier, the passwords are already encrypted when they are |
| 31 |
>> sent to LastPass. If I called LastPass, could prove I am who I claim to |
| 32 |
>> be and asked them for a password to a site, they couldn't give it to me |
| 33 |
>> because it is encrypted when it leaves my machine. |
| 34 |
> I don't know exactly how the LastPass architecture is configured, other than |
| 35 |
> it relies on device based encryption activated with JavaScript, but anomalies |
| 36 |
> they observed in incoming and outgoing traffic on the 2011 incident indicate |
| 37 |
> someone was interfering with their data streams. Given Diffie-Hellman could |
| 38 |
> be compromised (e.g. as per Logjam) by precomputing some of the most commonly |
| 39 |
> used primes in factoring large integers, it may be someone was undertaking |
| 40 |
> comparative analysis to deduce ciphers and what not. If the server salt was |
| 41 |
> obtained, then one layer of encryption was compromised. |
| 42 |
> |
| 43 |
> All this is juxtaposition and my hypothesizing does not mean LastPass is not |
| 44 |
> useful, or not secure. It just means its design is not as secure as locally |
| 45 |
> run simpler encryption mechanisms, which do not leave your PC and are not |
| 46 |
> stored somewhere else. |
| 47 |
> |
| 48 |
> The greater surface area a security system exposes, the higher likelihood |
| 49 |
> someone will take a punt at cracking it. A browser, sandboxed or not, has far |
| 50 |
> too many moving parts and exposed flanks to keep crackers and state actors |
| 51 |
> busy. I expect with advances in AI this effort will accelerate |
| 52 |
> logarithmically. |
| 53 |
|
| 54 |
This is why I don't use the built in password manager in Firefox. |
| 55 |
Firefox most likely concentrates on the browser since its main job is |
| 56 |
being a browser. A password tool is a little lower on the list I would |
| 57 |
think. However, LastPass and other password tools, it is their main |
| 58 |
function to be password tools that are secure but can still work with |
| 59 |
the browser as well. |
| 60 |
|
| 61 |
|
| 62 |
> |
| 63 |
>> As I pointed out to Rich, I don't expect these tools to be 100%. There |
| 64 |
>> is no perfect password tool or a perfect way to manage them either. No |
| 65 |
>> matter what you do, someone can come along and poke a hole in it. If |
| 66 |
>> you use a tool, the tool is hackable. If you use the same password that |
| 67 |
>> is 40 characters long for several dozen sites, then the site can be |
| 68 |
>> hacked and they have the password for those other sites as well. The |
| 69 |
>> list could go on for ages but it doesn't really change anything. We do |
| 70 |
>> the best we can and then hope it is enough. Using tools is in my |
| 71 |
>> opinion better than not using a tool at all. At the least, they will |
| 72 |
>> have a hard time breaking into a site directly without my password. It |
| 73 |
>> beats the alternative which is cutting off the computer and unplugging |
| 74 |
>> it. :-( |
| 75 |
> Yes, well said. A disconnected and switched off PC is probably quite secure, |
| 76 |
> but what use is this to anybody. LOL! The effectiveness of PC security is |
| 77 |
> challenged on a daily basis and you eventually have to arrive at a personal |
| 78 |
> trade-off between security and usability. |
| 79 |
> |
| 80 |
|
| 81 |
This is what I run into with this new password project. I want one that |
| 82 |
is easy for me to remember, easy to type and such but I also want it to |
| 83 |
where some script kiddy can't crack it in like 10 seconds while laughing |
| 84 |
his/her fool head off at me. The decision to use a tool like LastPass, |
| 85 |
or any other tool for that matter, also means a trade off. Anything we |
| 86 |
use will expose us to something. That said, not using one exposes us to |
| 87 |
something else, even if it is just bad ways to deal with passwords. |
| 88 |
Using one password on several sites is one thing that jumps to my mind. |
| 89 |
We just have to try to be reasonable about it. One thing about this, |
| 90 |
I'm putting more effort into one password than most do for every |
| 91 |
password they have. |
| 92 |
|
| 93 |
Now to play with the strength meters some more. |
| 94 |
|
| 95 |
Dale |
| 96 |
|
| 97 |
:-) :-) |
Archives