On Mon, Feb 4, 2019 at 5:12 PM Dale <rdalek1967@×××××.com> wrote:
>
> Neil Bothwick wrote:
> > On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
> >
> >>> One reason I use LastPass, it is mobile. I can go to someone else's
> >>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> >>> log off and it is like I was never there.
> >> As much as I like Lastpass I would never do that. It isn't magic - it
> >> is javascript. If there is a compromise on your computer, then your
> >> password database will be compromised. This is true of other
> >> solutions like KeePassX and so on - if something roots your box then
> >> it will be compromised.
> > I don't see what root has to do with it. If someone gains access to your
> > box, they can copy the database file and then take their time trying to
> > crack the password, but you don't need to be root to do that.

Correct, it just needs access to the user's data or browser process,
which could mean running as root, or that user.

>
> I might point out, LastPass encrypts the password before sticking it in
> a file. It isn't visible or plain text. Even getting the file would
> still require some tools and cracking to get the password itself.

That assumes you're attacking the password file directly.

If you're using LastPass on a compromised system then there are many
ways that can be used to bypass the encryption. They could sniff
your master password when you key it in, or read it directly from the
browser's memory. These things are protected from sandboxed code in
your browser, but not from processes running outside the browser
(unless again you're using a non-conventional privilege system like
SELinux/Android/etc).

--
Rich