| 1 |
Am 17.01.2012 12:29, schrieb Dale: |
| 2 |
> Neil Bothwick wrote: |
| 3 |
>> On Tue, 17 Jan 2012 04:27:09 -0600, Dale wrote: |
| 4 |
>> |
| 5 |
>>>>> I use Lastpass which does about the same as other password |
| 6 |
>>>>> managers. |
| 7 |
>>>> Doesn't LastPass store your passwords on their servers, and weren't |
| 8 |
>>>> they compromised last year? I'll stick with KeePassX, the password |
| 9 |
>>>> database is stored and encrypted locally. Even if I put it on |
| 10 |
>>>> DropBox, hacking that will only give the encrypted database. |
| 11 |
>>>> |
| 12 |
>>>> |
| 13 |
>>> None of the passwords were lost tho. |
| 14 |
>> This time. |
| 15 |
> |
| 16 |
> And maybe not the next time either, or the next time, or the next time. |
| 17 |
> Point is, can you state for a fact that no site will ever be broke into, |
| 18 |
> ever? |
| 19 |
> |
| 20 |
>> |
| 21 |
>>> They got everyone to change them |
| 22 |
>>> just in case but according to what I read, the hackers didn't get |
| 23 |
>>> anything. |
| 24 |
>> This time. |
| 25 |
> |
| 26 |
> See above. |
| 27 |
> |
| 28 |
>> |
| 29 |
>>> Keep in mind, they are encrypted locally, then sent to |
| 30 |
>>> them. They can't see the passwords either. |
| 31 |
>> How is it encrypted? If the encryption system is not open source, it is |
| 32 |
>> not trustworthy. |
| 33 |
> |
| 34 |
> The guy that owns it posted on this list a good while back. This was |
| 35 |
> before the hack job. According to the things I have read, it has been |
| 36 |
> improved even more than it was. I agree open source can be good but |
| 37 |
> that doesn't mean closed can't be since we don't know what it does. If |
| 38 |
> we don't know, neither does the hackers. |
| 39 |
> |
| 40 |
|
| 41 |
That last argument is flawed. What you describe is called security |
| 42 |
through obscurity. That violates Kerckhoffs's principle, one of the |
| 43 |
foundations of cryptography. |
| 44 |
|
| 45 |
I agree that the crypto system doesn't necessarily need to be |
| 46 |
open-source, depending on how much you trust the vendor. However, a good |
| 47 |
percentage of all security breaks are inside-jobs. This is far harder to |
| 48 |
pull off when the publish the source code or have some kind of |
| 49 |
certification process. |
| 50 |
|
| 51 |
Heck, even that might not protect you. See for example this thing: |
| 52 |
http://arstechnica.com/business/news/2012/01/device-turns-any-laptop-storage-into-a-self-encrypted-drive.ars |
| 53 |
|
| 54 |
It is NIST FIPS 140-2 level 1 certified. However, it used AES-ECB, |
| 55 |
something that is known to be far too weak for full disk encryption. It |
| 56 |
still got certified since it "works as expected." |
| 57 |
|
| 58 |
In conclusion: There are lots of pitfalls and using "secret" crypto |
| 59 |
systems makes it impossible to check for them, even if you know your stuff. |
| 60 |
|
| 61 |
Regards, |
| 62 |
Florian Philipp |
Archives