Rich Freeman wrote:
> On Mon, Feb 4, 2019 at 5:12 PM Dale <rdalek1967@×××××.com> wrote:
>> Neil Bothwick wrote:
>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>>
>>>>> One reason I use LastPass, it is mobile. I can go to someone else's
>>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
>>>>> log off and it is like I was never there.
>>>> As much as I like Lastpass I would never do that. It isn't magic - it
>>>> is javascript. If there is a compromise on your computer, then your
>>>> password database will be compromised. This is true of other
>>>> solutions like KeePassX and so on - if something roots your box then
>>>> it will be compromised.
>>> I don't see what root has to do with it. If someone gains access to your
>>> box, they can copy the database file and then take their time trying to
>>> crack the password, but you don't need to be root to do that.
> Correct, it just needs access to the user's data or browser process,
> which could mean running as root, or that user.
>
>> I might point out, LastPass encrypts the password before sticking it in
>> a file. It isn't visible or plain text. Even getting the file would
>> still require some tools and cracking to get the password itself.
> That assumes you're attacking the password file directly.
>
> If you're using lastpass on a compromised system then there are many
> ways that can be used to bypass the encryption. They could sniff
> your master password when you key it in, or read it directly from the
> browser's memory. These things are protected from sandboxed code in
> your browser, but not from processes running outside the browser
> (unless again you're using a non-conventional privilege system like
> selinux/android/etc).
>


One could argue the same thing with any password tool out there though,
right? After all, at some point, all password tools have to decrypt the
password even if it is only in memory. At that point, it can be
'sniffed' out. Thing is, if my system or any system I use is
compromised, I'll have the same issue no matter what I do or what tool I
use. Even if I use the password tool included in Firefox or any other
browser, wouldn't I run into the same problem? Wouldn't I run into some
other security problem if I used no password tool at all and just typed
in the same password for say 20 or 30 different sites? The solution is,
be reasonably secure. Nothing is 100% secure unless it is turned off
completely, maybe not even then. I'm sure even selinux has its security
issues as well. It is after all an OS that runs a lot of code and only
needs one flaw in it.

As I've pointed out before on different topics, if a person gets
physical access or control of a machine and is able to install things on
it, it doesn't really matter what one does unless they can detect it
somehow before ever using anything. Given I only install things from
trusted sources, the odds of that happening are likely very small. Even
my neighbors don't install much of anything because they mostly use it
to access financial sites and to check their email. They are an older
pair so they don't use it like even someone my age does. Still, if I
did have to use it in a situation, such as ordering computer parts to
rebuild, I'd likely change my more important passwords just to be sure
ASAP. I already do that regularly anyway especially for my financial
sites. That's another thing LastPass tracks, how long a password has
been in use for a site. It reminds me of that sort of thing.

While I'm trying to come up with a good password, I don't expect it to
cover every possible case. While I use LastPass, I don't expect it to
be a perfect solution. I wouldn't expect it of any other tool either.
Thing is, LastPass does what I need and is likely as secure as other
tools that can do the same things. I get that one can be hacked as you
describe but once a person is able to do what you describe, it really
doesn't matter what tool I use. Even a simple keylogger can do the job
if I use no password tool at all. I'm just trying to be reasonably
secure. If everyone or even most everyone would do the same, those
little script kiddies would have to work much harder. That's one thing I
read about while googling for ways to come up with passwords. Over half
the people using passwords use some really awful ones. Some use the
same one for a lot of sites as well. Something we both know is bad. If
everyone would put in even a tenth of the effort I am, the internet
would be a much safer place.

Dale

:-) :-)