Gentoo Archives: gentoo-user

From: Rich Freeman <rich0@g.o>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: Coming up with a password that is very strong.
Date: Tue, 05 Feb 2019 14:13:43
Message-Id: CAGfcS_=3XgjJHHO+gScpwvH6gad3SV+r0oYi8c7S-StnvA6B3A@mail.gmail.com
In Reply to: Re: [gentoo-user] Re: Coming up with a password that is very strong. by Dale
On Tue, Feb 5, 2019 at 2:34 AM Dale <rdalek1967@×××××.com> wrote:
>
> Rich Freeman wrote:
> > On Mon, Feb 4, 2019 at 5:12 PM Dale <rdalek1967@×××××.com> wrote:
> >> Neil Bothwick wrote:
> >>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
> >>>
> >>>>> One reason I use LastPass, it is mobile. I can go to someone else's
> >>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> >>>>> logoff and it is like I was never there.
> >>>> As much as I like Lastpass I would never do that. It isn't magic - it
> >>>> is javascript. If there is a compromise on your computer, then your
> >>>> password database will be compromised. This is true of other
> >>>> solutions like KeePassX and so on - if something roots your box then
> >>>> it will be compromised.
> >
> >> I might point out, LastPass encrypts the password before sticking it in
> >> a file. It isn't visible or plain text. Even getting the file would
> >> still require some tools and cracking to get the password itself.
> > That assumes you're attacking the password file directly.
> >
> > If you're using lastpass on a compromised system then there are many
> > ways that can be used to bypass the encryptions. They could sniff
> > your master password when you key it in, or read it directly from the
> > browser's memory. These things are protected from sandboxed code in
> > your browser, but not from processes running outside the browser
> > (unless again you're using a non-conventional privilege system like
> > selinux/android/etc).
>
> One could argue the same thing with any password tool out there tho,
> right?

Of course. This is by no means specific to Lastpass. I wasn't
reacting to your use of Lastpass (I use it myself). I was reacting to
your statement that you can go to someone else's computer and use
lastpass on that computer and then log off and it is as if you were
never there.

> Given I only install things from
> trusted sources, the odds of that happening are likely very small.

Not if you go typing your Lastpass master password into computers
owned by people who aren't as careful as you are...

If you do want the benefits of a password manager on an untrusted
computer then you might want to look into the hardware/USB-based
solutions, or alternatives like U2F and so on.

Now, you're still vulnerable to MITM attacks and so on against the
sites you're actually logging into, but your credentials for other
sites would not be at risk since they stay on the hardware device,
which is going to be hardened against USB attacks (well, at least you
hope it would be). If you're using conventional passwords then of
course something could still sniff that password since it has to pass
through the untrusted computer. If you're using OTPs or U2F/etc then
you may still be vulnerable to some cookie-based attacks and MITM and
so on, but if you log off at the end of your session that at least
limits their duration.

Personally I would like to switch to a hardware-based solution, but
they have their own set of downsides:

1. Less convenience - you have to physically have the device on you
(I don't carry my keys around in the house/etc), and plug it in when
you want to use it.
2. Recovery options aren't always great. Often these devices don't
really have their own recovery solution, and you're stuck following
the recovery options on each individual site. Many of these are
pretty lousy.
3. Often no support for multiple hardware devices (and keeping them
in sync). Again you're stuck with what individual sites allow, and
many sites don't let you have multiple hardware tokens registered.
4. Lack of convenience features like auto-changing passwords. Some
software-based solutions have this. Though, to be honest, I rarely
trust these because if something goes wrong I could lose account
access and this can be difficult or impossible to recover from in many
situations.

A big advantage (and disadvantage) of the software-based solutions is
that they're just data files and you can back them up trivially.

Really though a lot of this boils down to the fact that PKI is a hard
problem without a trusted and convenient mediator, and this largely
doesn't exist in the world of free online services.

--
Rich
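The contrast Rich draws above, between a password that has to pass through the untrusted computer and a hardware token whose keys stay on the device, as an added Python model that is not code from the email or from any product it mentions. All site names and credentials are constructed, and an HMAC over origin and challenge stands in for the ECDSA signature a real U2F token produces.

```python
import hashlib
import hmac
import secrets

PASSWORD = "correct horse battery staple"  # constructed sample password

def relay(host_log, msg):
    """The untrusted computer forwards the message but keeps its own copy."""
    host_log.append(dict(msg))
    return msg

def mac_over(key, origin, challenge):
    return hmac.new(key, (origin + challenge).encode(), hashlib.sha256).hexdigest()

class TokenSite:
    """Challenge-response login: one fresh challenge per attempt, bound to this origin."""
    def __init__(self, origin):
        self.origin, self.key, self.seen = origin, None, set()
    def challenge(self):
        return {"origin": self.origin, "challenge": secrets.token_hex(16)}
    def login(self, msg):
        if msg["origin"] != self.origin or msg["challenge"] in self.seen:
            return False  # wrong site, or a challenge already consumed (replay)
        self.seen.add(msg["challenge"])  # each challenge is good for exactly one attempt
        return hmac.compare_digest(mac_over(self.key, self.origin, msg["challenge"]), msg.get("response", ""))

class HardwareToken:
    """Per-site keys never leave the device; it emits only a MAC over (origin, challenge)."""
    def __init__(self):
        self.keys = {}
    def register(self, site):
        # Simplification: a shared HMAC key stands in for U2F's per-site key pair.
        self.keys[site.origin] = site.key = secrets.token_bytes(32)
    def respond(self, req):
        return {**req, "response": mac_over(self.keys[req["origin"]], req["origin"], req["challenge"])}

def password_session():
    """Returns (login worked, host can log in again later with the captured message)."""
    seen_by_host = []
    check = lambda msg: hmac.compare_digest(msg.get("password", ""), PASSWORD)
    return check(relay(seen_by_host, {"password": PASSWORD})), check(seen_by_host[0])

def token_session():
    """Returns (login worked, host replay worked, captured response works at another site)."""
    seen_by_host, token = [], HardwareToken()
    bank, shop = TokenSite("bank.example"), TokenSite("shop.example")
    for site in (bank, shop):
        token.register(site)
    legit = bank.login(relay(seen_by_host, token.respond(relay(seen_by_host, bank.challenge()))))
    return legit, bank.login(seen_by_host[1]), shop.login(seen_by_host[1])
```

The host's log ends up holding a reusable password in the first flow but only a one-shot, site-bound response in the second; what the model leaves out is the session cookie the host still sees once login succeeds, which is why logging off at the end matters.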
