On Tue, Feb 5, 2019 at 2:34 AM Dale <rdalek1967@×××××.com> wrote:
>
> Rich Freeman wrote:
> > On Mon, Feb 4, 2019 at 5:12 PM Dale <rdalek1967@×××××.com> wrote:
> >> Neil Bothwick wrote:
> >>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
> >>>
> >>>>> One reason I use LastPass, it is mobile. I can go to someone else's
> >>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> >>>>> logoff and it is like I was never there.
> >>>> As much as I like Lastpass I would never do that. It isn't magic - it
> >>>> is javascript. If there is a compromise on your computer, then your
> >>>> password database will be compromised. This is true of other
> >>>> solutions like KeePassX and so on - if something roots your box then
> >>>> it will be compromised.
> >
> >> I might point out, LastPass encrypts the password before sticking it in
> >> a file. It isn't visible or plain text. Even getting the file would
> >> still require some tools and cracking to get the password itself.
> > That assumes you're attacking the password file directly.
> >
> > If you're using lastpass on a compromised system then there are many
> > ways that can be used to bypass the encryption. They could sniff
> > your master password when you key it in, or read it directly from the
> > browser's memory. These things are protected from sandboxed code in
> > your browser, but not from processes running outside the browser
> > (unless again you're using a non-conventional privilege system like
> > selinux/android/etc).
>
> One could argue the same thing with any password tool out there though,
> right?

Of course. This is by no means specific to Lastpass. I wasn't
reacting to your use of Lastpass (I use it myself). I was reacting to
your statement that you can go to someone else's computer and use
lastpass on that computer and then log off and it is as if you were
never there.

> Given I only install things from
> trusted sources, the odds of that happening are likely very small.

Not if you go typing your Lastpass master password into computers
owned by people who aren't as careful as you are...

If you do want the benefits of a password manager on an untrusted
computer then you might want to look into the hardware/USB-based
solutions, or alternatives like U2F and so on.

Now, you're still vulnerable to MITM attacks and so on against the
sites you're actually logging into, but your credentials for other
sites would not be at risk since they stay on the hardware device,
which is going to be hardened against USB attacks (well, at least you
hope it would be). If you're using conventional passwords then of
course something could still sniff that password since it has to pass
through the untrusted computer. If you're using OTPs or U2F/etc then
you may still be vulnerable to some cookie-based attacks and MITM and
so on, but if you log off at the end of your session that at least
limits their duration.

Personally I would like to switch to a hardware-based solution, but
they have their own set of downsides:

1. Less convenience - you have to physically have the device on you
(I don't carry my keys around in the house/etc), and plug it in when
you want to use it.
2. Recovery options aren't always great. Often these devices don't
really have their own recovery solution, and you're stuck following
the recovery options on each individual site. Many of these are
pretty lousy.
3. Often no support for multiple hardware devices (and keeping them
in sync). Again you're stuck with what individual sites allow, and
many sites don't let you have multiple hardware tokens registered.
4. Lack of convenience features like auto-changing passwords. Some
software-based solutions have this. Though, to be honest, I rarely
trust these because if something goes wrong I could lose account
access and this can be difficult or impossible to recover from in many
situations.

A big advantage (and disadvantage) of the software-based solutions is
that they're just data files and you can back them up trivially.

Really though a lot of this boils down to the fact that PKI is a hard
problem without a trusted and convenient mediator, and this largely
doesn't exist in the world of free online services.

-- 
Rich