| 1 |
Rich Freeman wrote: |
| 2 |
> On Mon, Feb 4, 2019 at 5:12 PM Dale <rdalek1967@×××××.com> wrote: |
| 3 |
>> Neil Bothwick wrote: |
| 4 |
>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote: |
| 5 |
>>> |
| 6 |
>>>>> One reason I use LastPass, it is mobile. I can go to someone else's |
| 7 |
>>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc, |
| 8 |
>>>>> logoff and it is like I was never there. |
| 9 |
>>>> As much as I like Lastpass I would never do that. It isn't magic - it |
| 10 |
>>>> is javascript. If there is a compromise on your computer, then your |
| 11 |
>>>> password database will be compromised. This is true of other |
| 12 |
>>>> solutions like KeePassX and so on - if something roots your box then |
| 13 |
>>>> it will be compromised. |
| 14 |
>>> I don't see what root has to do with it. If someone gains access to your |
| 15 |
>>> box, they can copy the database file and then take their time trying to |
| 16 |
>>> crack the password, but you don't need to be root to do that. |
| 17 |
> Correct, it just needs access to the user's data or browser process, |
| 18 |
> which could mean running as root, or that user. |
| 19 |
> |
| 20 |
>> I might point out, LastPass encrypts the password before sticking it in |
| 21 |
>> a file. It isn't visible or plain text. Even getting the file would |
| 22 |
>> still require some tools and cracking to get the password itself. |
| 23 |
> That assumes you're attacking the password file directly. |
| 24 |
> |
| 25 |
> If you're using lastpass on a compromised system then there are many |
| 26 |
> ways that can be used to bypass the encryptions. They could sniff |
| 27 |
> your master password when you key it in, or read it directly from the |
| 28 |
> browser's memory. These things are protected from sandboxed code in |
| 29 |
> your browser, but not from processes running outside the browser |
| 30 |
> (unless again you're using a non-conventional privilege system like |
| 31 |
> selinux/android/etc). |
| 32 |
> |
| 33 |
|
| 34 |
|
| 35 |
One could argue the same thing with any password tool out there tho, |
| 36 |
right? After all, at some point, all password tools have to decrypt the |
| 37 |
password even if it is only in memory. At that point, it can be |
| 38 |
'sniffed' out. Thing is, if my system or any system I use is |
| 39 |
compromised, I'll have the same issue no matter what I do or what tool I |
| 40 |
use. Even if I use the password tool included in Firefox or any other |
| 41 |
browser, wouldn't I run into the same problem? Wouldn't I run into some |
| 42 |
other security problem if I used no password tool at all and just typed |
| 43 |
in the same password for say 20 or 30 different sites? The solution is, |
| 44 |
be reasonably secure. Nothing is 100% secure unless it is turned off |
| 45 |
completely, maybe not even then. I'm sure even selinux has its security |
| 46 |
issues as well. It is after all a OS that runs a lot of code and only |
| 47 |
needs one flaw in it. |
| 48 |
|
| 49 |
As I've pointed out before on different topics, if a person gets |
| 50 |
physical access or control of a machine and is able to install things on |
| 51 |
it, it doesn't really matter what one does unless they can detect it |
| 52 |
somehow before ever using anything. Given I only install things from |
| 53 |
trusted sources, the odds of that happening are likely very small. Even |
| 54 |
my neighbors don't install much of anything because they mostly use it |
| 55 |
to access financial sites and to check their email. They are a older |
| 56 |
pair so they don't use it like even someone my age does. Still, if I |
| 57 |
did have to use it in a situation, such as ordering computer parts to |
| 58 |
rebuild, I'd likely change my more important passwords just to be sure |
| 59 |
ASAP. I already do that regularly anyway especially for my financial |
| 60 |
sites. That's another thing LastPass tracks, how long a password has |
| 61 |
been in use for a site. It reminds me of that sort of thing. |
| 62 |
|
| 63 |
While I'm trying to come up with a good password, I don't expect it to |
| 64 |
cover every possible case. While I use LastPass, I don't expect it to |
| 65 |
be a perfect solution. I wouldn't expect it of any other tool either. |
| 66 |
Thing is, LastPass does what I need and is likely as secure as other |
| 67 |
tools that can do the same things. I get that one can be hacked as you |
| 68 |
describe but once a person is able to do what you describe, it really |
| 69 |
doesn't matter what tool I use. Even a simple keylogger can do the job |
| 70 |
if I use no password tool at all. I'm just trying to be reasonably |
| 71 |
secure. If everyone or even most everyone would do the same, those |
| 72 |
little script kiddys would have to work much harder. That's one thing I |
| 73 |
read about while googling for ways to come up with passwords. Over half |
| 74 |
the people using passwords use some really awful ones. Some use the |
| 75 |
same one for a lot of sites as well. Something we both know is bad. If |
| 76 |
everyone would put in even a tenth of the effort I am, the internet |
| 77 |
would be a much safer place. |
| 78 |
|
| 79 |
Dale |
| 80 |
|
| 81 |
:-) :-) |
Archives