| 1 |
Rich Freeman wrote: |
| 2 |
> On Tue, Feb 5, 2019 at 2:34 AM Dale <rdalek1967@×××××.com> wrote: |
| 3 |
>> Rich Freeman wrote: |
| 4 |
>>> On Mon, Feb 4, 2019 at 5:12 PM Dale <rdalek1967@×××××.com> wrote: |
| 5 |
>>>> Neil Bothwick wrote: |
| 6 |
>>>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote: |
| 7 |
>>>>> |
| 8 |
>>>>>>> One reason I use LastPass, it is mobile. I can go to someone else's |
| 9 |
>>>>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc, |
| 10 |
>>>>>>> logoff and it is like I was never there. |
| 11 |
>>>>>> As much as I like Lastpass I would never do that. It isn't magic - it |
| 12 |
>>>>>> is javascript. If there is a compromise on your computer, then your |
| 13 |
>>>>>> password database will be compromised. This is true of other |
| 14 |
>>>>>> solutions like KeePassX and so on - if something roots your box then |
| 15 |
>>>>>> it will be compromised. |
| 16 |
>>>> I might point out, LastPass encrypts the password before sticking it in |
| 17 |
>>>> a file. It isn't visible or plain text. Even getting the file would |
| 18 |
>>>> still require some tools and cracking to get the password itself. |
| 19 |
>>> That assumes you're attacking the password file directly. |
| 20 |
>>> |
| 21 |
>>> If you're using lastpass on a compromised system then there are many |
| 22 |
>>> ways that can be used to bypass the encryptions. They could sniff |
| 23 |
>>> your master password when you key it in, or read it directly from the |
| 24 |
>>> browser's memory. These things are protected from sandboxed code in |
| 25 |
>>> your browser, but not from processes running outside the browser |
| 26 |
>>> (unless again you're using a non-conventional privilege system like |
| 27 |
>>> selinux/android/etc). |
| 28 |
>> One could argue the same thing with any password tool out there tho, |
| 29 |
>> right? |
| 30 |
> Of course. This is by no means specific to Lastpass. I wasn't |
| 31 |
> reacting to your use of Lastpass (I use it myself). I was reacting to |
| 32 |
> your statement that you can go to someone else's computer and use |
| 33 |
> lastpass on that computer and then log off and it is as if you were |
| 34 |
> never there. |
| 35 |
|
| 36 |
What I meant was, they couldn't use it without knowing my password. |
| 37 |
Sure, I may leave something, like LastPass installed but disabled, on |
| 38 |
their computer but no one can use it without it being logged in. Once I |
| 39 |
logout and close the browser, that pretty much ends the session. Most |
| 40 |
sites I visit are not set to remember me anyway and some don't allow |
| 41 |
it. I also logout before leaving a site especially when I'm on a |
| 42 |
computer other than mine. So, once I logout, they can't login as me |
| 43 |
without my password. We sort of went in different directions. |
| 44 |
|
| 45 |
If I really wanted to, I could use some bootable media like Knoppix. I |
| 46 |
think it comes with Firefox already installed. I could boot that, |
| 47 |
install LastPass, do my thing, reboot into the OS and not have to worry |
| 48 |
about anything they have installed at all. I do keep copies of those |
| 49 |
around and try to update every once in a while. I certainly keep |
| 50 |
sysrescue up to date. I don't think it has a browser tho. It may but |
| 51 |
I'm not sure. |
| 52 |
|
| 53 |
|
| 54 |
>> Given I only install things from |
| 55 |
>> trusted sources, the odds of that happening are likely very small. |
| 56 |
> Not if you go typing your Lastpass master password into computers |
| 57 |
> owned by people who aren't as careful as you are... |
| 58 |
> |
| 59 |
> If you do want the benefits of a password manager on an untrusted |
| 60 |
> computer then you might want to look into the hardware/USB-based |
| 61 |
> solutions, or alternatives like U2F and so on. |
| 62 |
> |
| 63 |
> Now, you're still vulnerable to MITM attacks and so on against the |
| 64 |
> sites you're actually logging into, but your credentials for other |
| 65 |
> sites would not be at risk since they stay on the hardware device, |
| 66 |
> which is going to be hardened against USB attacks (well, at least you |
| 67 |
> hope it would be). If you're using conventional passwords then of |
| 68 |
> course something could still sniff that password since it has to pass |
| 69 |
> through the untrusted computer. If you're using OTPs or U2F/etc then |
| 70 |
> you may still be vulnerable to some cookie-based attacks and MITM and |
| 71 |
> so on, but if you log off at the end of your session that at least |
| 72 |
> limits their duration. |
| 73 |
> |
| 74 |
> Personally I would like to switch to a hardware-based solution, but |
| 75 |
> they have their own set of downsides: |
| 76 |
> |
| 77 |
> 1. Less convenience - you have to physically have the device on you |
| 78 |
> (I don't carry my keys around in the hosue/etc), and plug it in when |
| 79 |
> you want to use it. |
| 80 |
> 2. Recovery options aren't always great. Often these devices don't |
| 81 |
> really have their own recovery solution, and you're stuck following |
| 82 |
> the recovery options on each individual site. Many of these are |
| 83 |
> pretty lousy. |
| 84 |
> 3. Often no support for multiple hardware devices (and keeping them |
| 85 |
> in sync). Again you're stuck with what individual sites allow, and |
| 86 |
> many sites don't let you have multiple hardware tokens registered. |
| 87 |
> 4. Lack of convenience features like auto-changing passwords. Some |
| 88 |
> software-based solutions have this. Though, to be honest, I rarely |
| 89 |
> trust these because if something goes wrong I could lose account |
| 90 |
> access and this can be difficult or impossible to recover from in many |
| 91 |
> situations. |
| 92 |
> |
| 93 |
> A big advantage (and disadvantage) of the software-based solutions is |
| 94 |
> that they're just data files and you can back them up trivially. |
| 95 |
> |
| 96 |
> Really though a lot of this boils down to the fact that PKI is a hard |
| 97 |
> problem without a trusted and convenient mediator, and this largely |
| 98 |
> doesn't exist in the world of free online services. |
| 99 |
> |
| 100 |
|
| 101 |
This is what was mentioned in another post. No matter what we use, it |
| 102 |
is a trade off. While it may be rare that I need it, I like the idea of |
| 103 |
my passwords being stored somewhere that can be available if I'm |
| 104 |
somewhere else or my computer blows a gasket. No matter what is used, |
| 105 |
there is some risk involved unless we don't use a computer at all. |
| 106 |
Heck, even having a computer that is unplugged from the internet can |
| 107 |
still have security issues. At one point, that used to be a option but |
| 108 |
then you have to bring media in for updates or other data to be added. |
| 109 |
If it is compromised, well, there you go. |
| 110 |
|
| 111 |
I saw a link on a link posted here that lists password tools on the wiki |
| 112 |
thing. LastPass and one other that is dead now was the only two that |
| 113 |
seemed to fit what I like having. Given that the other is no longer a |
| 114 |
option, LastPass is the only one that works like I want it too. Now |
| 115 |
later on something better may come along but for the moment, LastPass is |
| 116 |
the set of trade-offs that has to be dealt with. Some of that is |
| 117 |
because I just don't have time to try to figure out how to store things |
| 118 |
encrypted on USB sticks and such as well. I still haven't had time to |
| 119 |
play with the kodi thing for my videos either. |
| 120 |
|
| 121 |
Of course, right now, I'm just trying to generate a good master |
| 122 |
password. I'd like to test the thing a bit but most tools just aren't |
| 123 |
up to the task. Since the NSA saves all our emails, maybe they will |
| 124 |
offer some help. Howdy you nosy things. lol You enjoying our password |
| 125 |
talks? |
| 126 |
|
| 127 |
Dale |
| 128 |
|
| 129 |
:-) :-) |
Archives