On 17.01.2012 12:29, Dale wrote:
> Neil Bothwick wrote:
>> On Tue, 17 Jan 2012 04:27:09 -0600, Dale wrote:
>>
>>>>> I use Lastpass which does about the same as other password
>>>>> managers.
>>>> Doesn't LastPass store your passwords on their servers, and weren't
>>>> they compromised last year? I'll stick with KeePassX, the password
>>>> database is stored and encrypted locally. Even if I put it on
>>>> DropBox, hacking that will only give the encrypted database.
>>>>
>>>>
>>> None of the passwords were lost tho.
>> This time.
> 
> And maybe not the next time either, or the next time, or the next time. 
> Point is, can you state for a fact that no site will ever be broken into,
> ever?
> 
>>
>>> They got everyone to change them
>>> just in case but according to what I read, the hackers didn't get
>>> anything.
>> This time.
> 
> See above.
> 
>>
>>> Keep in mind, they are encrypted locally, then sent to
>>> them. They can't see the passwords either.
>> How is it encrypted? If the encryption system is not open source, it is
>> not trustworthy.
> 
> The guy that owns it posted on this list a good while back.  This was
> before the hack job.  According to the things I have read, it has been
> improved even more than it was.  I agree open source can be good but
> that doesn't mean closed can't be since we don't know what it does.  If
> we don't know, neither do the hackers.
> 

That last argument is flawed. What you describe is called security
through obscurity. That violates Kerckhoffs's principle, one of the
foundations of cryptography.

I agree that the crypto system doesn't necessarily need to be
open-source, depending on how much you trust the vendor. However, a good
percentage of all security breaks are inside jobs. This is far harder to
pull off when they publish the source code or have some kind of
certification process.

Heck, even that might not protect you. See for example this thing:
http://arstechnica.com/business/news/2012/01/device-turns-any-laptop-storage-into-a-self-encrypted-drive.ars

It is NIST FIPS 140-2 level 1 certified. However, it used AES-ECB,
something that is known to be far too weak for full disk encryption. It
still got certified since it "works as expected."

In conclusion: There are lots of pitfalls and using "secret" crypto
systems makes it impossible to check for them, even if you know your stuff.

Regards,
Florian Philipp

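Why AES-ECB is the wrong mode for a disk, as an added illustration that is not part of this thread: ECB encrypts every 16-byte block independently, so identical plaintext blocks (unused zeroed sectors, duplicate files) produce identical ciphertext blocks, and the layout of the disk is visible without the key, whereas a chained mode such as CBC hides it. Assumptions: the Python standard library has no AES, so the block function is a stand-in built from HMAC-SHA256 (deterministic per key and block, like AES, which is all the comparison relies on), and the key, IV and "disk image" are constructed sample values.

```python
import hmac
import hashlib

BLOCK = 16  # AES block size; ECB's weakness is a per-block property

# Constructed sample key and IV (not from the thread)
KEY = bytes(range(16))
IV = b"\x01" * BLOCK


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block function (assumption: stdlib has no AES).
    A keyed PRF truncated to 16 bytes is deterministic per (key, block),
    which is the only property the ECB-vs-CBC comparison depends on."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each block encrypted on its own, so equal blocks stay equal."""
    assert len(data) % BLOCK == 0
    return b"".join(block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block first."""
    assert len(data) % BLOCK == 0 and len(iv) == BLOCK
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        chunk = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = block_encrypt(key, chunk)
        out.append(prev)
    return b"".join(out)


def block_pattern(data: bytes) -> list:
    """Structure an observer can see without the key: for every block, the
    index of the first block with identical bytes. Same output for plaintext
    and ECB ciphertext means ECB leaked the layout."""
    first, pattern = {}, []
    for i in range(0, len(data), BLOCK):
        b = data[i:i + BLOCK]
        pattern.append(first.setdefault(b, len(pattern)))
    return pattern


def sample_disk_image() -> bytes:
    """Constructed 8-block 'disk': 5 unused zero sectors, one record that
    is stored twice (file plus backup copy) and one block of other data."""
    zero, record, other = b"\x00" * BLOCK, b"user=alice;pin=1", b"some other data!"
    return zero * 5 + record + other + record


if __name__ == "__main__":
    img = sample_disk_image()
    print("plaintext:", block_pattern(img))
    print("ECB      :", block_pattern(ecb_encrypt(KEY, img)))
    print("CBC      :", block_pattern(cbc_encrypt(KEY, IV, img)))
```

The ECB pattern matches the plaintext pattern exactly, so the position of the duplicated record and the unused space is exposed; under CBC every ciphertext block is distinct.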