| 1 |
On Mon, Feb 4, 2019 at 5:12 PM Dale <rdalek1967@×××××.com> wrote: |
| 2 |
> |
| 3 |
> Neil Bothwick wrote: |
| 4 |
> > On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote: |
| 5 |
> > |
| 6 |
> >>> One reason I use LastPass, it is mobile. I can go to someone else's |
| 7 |
> >>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc, |
| 8 |
> >>> logoff and it is like I was never there. |
| 9 |
> >> As much as I like Lastpass I would never do that. It isn't magic - it |
| 10 |
> >> is javascript. If there is a compromise on your computer, then your |
| 11 |
> >> password database will be compromised. This is true of other |
| 12 |
> >> solutions like KeePassX and so on - if something roots your box then |
| 13 |
> >> it will be compromised. |
| 14 |
> > I don't see what root has to do with it. If someone gains access to your |
| 15 |
> > box, they can copy the database file and then take their time trying to |
| 16 |
> > crack the password, but you don't need to be root to do that. |
| 17 |
|
| 18 |
Correct, it just needs access to the user's data or browser process, |
| 19 |
which could mean running as root, or that user. |
| 20 |
|
| 21 |
> |
| 22 |
> I might point out, LastPass encrypts the password before sticking it in |
| 23 |
> a file. It isn't visible or plain text. Even getting the file would |
| 24 |
> still require some tools and cracking to get the password itself. |
| 25 |
|
| 26 |
That assumes you're attacking the password file directly. |
| 27 |
|
| 28 |
If you're using lastpass on a compromised system then there are many |
| 29 |
ways that can be used to bypass the encryptions. They could sniff |
| 30 |
your master password when you key it in, or read it directly from the |
| 31 |
browser's memory. These things are protected from sandboxed code in |
| 32 |
your browser, but not from processes running outside the browser |
| 33 |
(unless again you're using a non-conventional privilege system like |
| 34 |
selinux/android/etc). |
| 35 |
|
| 36 |
-- |
| 37 |
Rich |
Archives