Rich Freeman wrote:
> On Tue, Feb 5, 2019 at 2:34 AM Dale <rdalek1967@×××××.com> wrote:
>> Rich Freeman wrote:
>>> On Mon, Feb 4, 2019 at 5:12 PM Dale <rdalek1967@×××××.com> wrote:
>>>> Neil Bothwick wrote:
>>>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>>>>
>>>>>>> One reason I use LastPass, it is mobile. I can go to someone else's
>>>>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
>>>>>>> logoff and it is like I was never there.
>>>>>> As much as I like Lastpass I would never do that. It isn't magic - it
>>>>>> is javascript. If there is a compromise on your computer, then your
>>>>>> password database will be compromised. This is true of other
>>>>>> solutions like KeePassX and so on - if something roots your box then
>>>>>> it will be compromised.
>>>> I might point out, LastPass encrypts the password before sticking it in
>>>> a file. It isn't visible or plain text. Even getting the file would
>>>> still require some tools and cracking to get the password itself.
>>> That assumes you're attacking the password file directly.
>>>
>>> If you're using lastpass on a compromised system then there are many
>>> ways that can be used to bypass the encryption. They could sniff
>>> your master password when you key it in, or read it directly from the
>>> browser's memory. These things are protected from sandboxed code in
>>> your browser, but not from processes running outside the browser
>>> (unless again you're using a non-conventional privilege system like
>>> selinux/android/etc).
>> One could argue the same thing with any password tool out there tho,
>> right?
> Of course. This is by no means specific to Lastpass. I wasn't
> reacting to your use of Lastpass (I use it myself). I was reacting to
> your statement that you can go to someone else's computer and use
> lastpass on that computer and then log off and it is as if you were
> never there.

What I meant was, they couldn't use it without knowing my password.
Sure, I may leave something, like LastPass installed but disabled, on
their computer but no one can use it without it being logged in. Once I
logout and close the browser, that pretty much ends the session. Most
sites I visit are not set to remember me anyway and some don't allow
it. I also logout before leaving a site especially when I'm on a
computer other than mine. So, once I logout, they can't login as me
without my password. We sort of went in different directions.

If I really wanted to, I could use some bootable media like Knoppix. I
think it comes with Firefox already installed. I could boot that,
install LastPass, do my thing, reboot into the OS and not have to worry
about anything they have installed at all. I do keep copies of those
around and try to update every once in a while. I certainly keep
sysrescue up to date. I don't think it has a browser tho. It may but
I'm not sure.


>> Given I only install things from
>> trusted sources, the odds of that happening are likely very small.
> Not if you go typing your Lastpass master password into computers
> owned by people who aren't as careful as you are...
>
> If you do want the benefits of a password manager on an untrusted
> computer then you might want to look into the hardware/USB-based
> solutions, or alternatives like U2F and so on.
>
> Now, you're still vulnerable to MITM attacks and so on against the
> sites you're actually logging into, but your credentials for other
> sites would not be at risk since they stay on the hardware device,
> which is going to be hardened against USB attacks (well, at least you
> hope it would be). If you're using conventional passwords then of
> course something could still sniff that password since it has to pass
> through the untrusted computer. If you're using OTPs or U2F/etc then
> you may still be vulnerable to some cookie-based attacks and MITM and
> so on, but if you log off at the end of your session that at least
> limits their duration.
>
> Personally I would like to switch to a hardware-based solution, but
> they have their own set of downsides:
>
> 1. Less convenience - you have to physically have the device on you
> (I don't carry my keys around in the house/etc), and plug it in when
> you want to use it.
> 2. Recovery options aren't always great. Often these devices don't
> really have their own recovery solution, and you're stuck following
> the recovery options on each individual site. Many of these are
> pretty lousy.
> 3. Often no support for multiple hardware devices (and keeping them
> in sync). Again you're stuck with what individual sites allow, and
> many sites don't let you have multiple hardware tokens registered.
> 4. Lack of convenience features like auto-changing passwords. Some
> software-based solutions have this. Though, to be honest, I rarely
> trust these because if something goes wrong I could lose account
> access and this can be difficult or impossible to recover from in many
> situations.
>
> A big advantage (and disadvantage) of the software-based solutions is
> that they're just data files and you can back them up trivially.
>
> Really though a lot of this boils down to the fact that PKI is a hard
> problem without a trusted and convenient mediator, and this largely
> doesn't exist in the world of free online services.
>

This is what was mentioned in another post. No matter what we use, it
is a trade-off. While it may be rare that I need it, I like the idea of
my passwords being stored somewhere that can be available if I'm
somewhere else or my computer blows a gasket. No matter what is used,
there is some risk involved unless we don't use a computer at all.
Heck, even having a computer that is unplugged from the internet can
still have security issues. At one point, that used to be an option but
then you have to bring media in for updates or other data to be added.
If it is compromised, well, there you go.

I saw a link on a link posted here that lists password tools on the wiki
thing. LastPass and one other that is dead now were the only two that
seemed to fit what I like having. Given that the other is no longer an
option, LastPass is the only one that works like I want it to. Now
later on something better may come along but for the moment, LastPass is
the set of trade-offs that has to be dealt with. Some of that is
because I just don't have time to try to figure out how to store things
encrypted on USB sticks and such as well. I still haven't had time to
play with the kodi thing for my videos either.

Of course, right now, I'm just trying to generate a good master
password. I'd like to test the thing a bit but most tools just aren't
up to the task. Since the NSA saves all our emails, maybe they will
offer some help. Howdy you nosy things. lol You enjoying our password
talks?

Dale

:-) :-)