On Mon, Feb 4, 2019 at 3:49 PM Dale <rdalek1967@×××××.com> wrote:
>
> One reason I use LastPass, it is mobile. I can go to someone else's
> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> logoff and it is like I was never there.

As much as I like LastPass I would never do that. It isn't magic - it
is JavaScript. If there is a compromise on your computer, then your
password database will be compromised. This is true of other
solutions like KeePassX and so on - if something roots your box then
it will be compromised.

If you were talking about something like a Chromebook that is still
locked down and you're using guest mode or logging in under a separate
user account from anybody else, then you're probably fairly safe
against that. However, if you're just looking into a generic Windows
box or a shared Linux account then there isn't going to be much
protection if something has compromised the system.

At that point you're vulnerable to all kinds of attacks, from theft of
the password manager database, to just skimming the accounts you're
using.

This won't stop sniffing of individual passwords, but you could at
least protect your overall database by looking up the password on a
secure device (your phone or whatever) and rekeying it on the
untrusted device. Then while that password is still vulnerable your
password database never touches that box.

--
Rich