On Monday, 4 February 2019 22:12:16 GMT Dale wrote:
> Neil Bothwick wrote:
> > On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
> >>> One reason I use LastPass, it is mobile. I can go to someone else's
> >>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> >>> logoff and it is like I was never there.
> >>
> >> As much as I like Lastpass I would never do that. It isn't magic - it
> >> is javascript. If there is a compromise on your computer, then your
> >> password database will be compromised. This is true of other
> >> solutions like KeePassX and so on - if something roots your box then
> >> it will be compromised.
> >
> > I don't see what root has to do with it. If someone gains access to your
> > box, they can copy the database file and then take their time trying to
> > crack the password, but you don't need to be root to do that.
>
> I might point out, LastPass encrypts the password before sticking it in
> a file. It isn't visible or plain text. Even getting the file would
> still require some tools and cracking to get the password itself.
> Cracking the master password would likely be much easier and doesn't
> even require access to the box itself, Linux or windoze. Also, LastPass
> only stores the encrypted password on its servers. Even if LastPass is
> hacked, the passwords are still encrypted. It's one reason LastPass
> shouldn't have to worry about getting court orders to turn over
> passwords. It doesn't really have them. I would suspect that cracking
> an encrypted password is as difficult as is just poking at a password
> until it is guessed.
>
> Even if a person is using a perfect tool, cracking a password is always
> going to be possible. The tougher the password, the harder it will be
> and the longer it will take. Still, it can be done. Using these tools
> just makes it harder. I'm not aware of a perfect password tool. I
> doubt one exists or ever will either. ;-) It's still good to pick one,
> use it and try to be as secure as one can.
>
> Dale
>
> :-) :-)
A solution like LastPass et al., using a browser's javascript to access it, under a single master passwd, theoretically would have so many side-channel attacks no one would be wasting time to brute force anything.

https://en.wikipedia.org/wiki/LastPass#Security_issues

You could use gpg/openssl to encrypt a number of files, which would contain your different website/application passwds. For paranoid use cases you can use asymmetric keys and store your private key out-of-band. Sure, it won't be as convenient as LastPass, but I expect it would be more secure and unlikely to be compromised by XSS vulnerabilities.

--
Regards,
Mick
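The "one encrypted file per site" scheme Mick suggests, as an added example that is not code from anyone in the thread. It uses the symmetric mode of the `openssl enc` CLI (AES-256-CBC with a PBKDF2-derived key) rather than gpg, assumes an `openssl` binary of version 1.1.1 or newer is on PATH, and takes the passphrase from a mode-0600 file so it never appears on a command line or in `ps` output. The vault directory, site name and secret value are constructed for the demo. Only the one file that is needed is ever decrypted, so the rest of the passwords stay encrypted at rest while you use one of them.

```shell
#!/bin/sh
# Added example, not from the original thread. One encrypted file per site,
# produced with the openssl CLI. Assumes `openssl` (>= 1.1.1, for -pbkdf2)
# is installed.
set -eu
umask 077   # every file created below is readable only by the owner

# vault_store VAULT_DIR SITE SECRET PASSFILE
# Writes SECRET to VAULT_DIR/SITE.enc, encrypted under the passphrase held
# in PASSFILE, and makes sure the plaintext copy does not stay on disk.
vault_store() {
    vault=$1; site=$2; secret=$3; passfile=$4
    tmp="$vault/$site.plain"
    printf '%s\n' "$secret" > "$tmp"
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$tmp" -out "$vault/$site.enc" -pass "file:$passfile"
    rm -f "$tmp"   # plaintext existed only for the length of the enc call
}

# vault_fetch VAULT_DIR SITE PASSFILE
# Decrypts just VAULT_DIR/SITE.enc to stdout; every other site stays encrypted.
vault_fetch() {
    vault=$1; site=$2; passfile=$3
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$vault/$site.enc" -pass "file:$passfile"
}

# vault_demo: round-trips a constructed secret and checks that a wrong
# passphrase does not yield it. Prints "ok" on success.
vault_demo() {
    dir=$(mktemp -d)
    secret='s3cr3t-example-value'            # constructed demo value
    printf 'correct horse battery staple\n' > "$dir/.pass"   # constructed
    vault_store "$dir" example.org "$secret" "$dir/.pass"

    # The plaintext scratch file must be gone and the ciphertext present.
    [ ! -e "$dir/example.org.plain" ] && [ -s "$dir/example.org.enc" ]

    out=$(vault_fetch "$dir" example.org "$dir/.pass")

    # A wrong passphrase either fails (bad decrypt) or produces garbage;
    # in neither case may it reproduce the secret.
    printf 'wrong passphrase\n' > "$dir/.wrong"
    wrong_out=$(vault_fetch "$dir" example.org "$dir/.wrong" 2>/dev/null || true)

    rm -rf "$dir"
    [ "$out" = "$secret" ] && [ "$wrong_out" != "$secret" ] && echo ok
}

# Run the demo when the script is executed directly.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    vault_demo
fi
```

For the asymmetric variant Mick mentions, `openssl enc` is replaced by `gpg --encrypt --recipient <your-key-id>` and `gpg --decrypt`, with the private key kept off the machine (hardware token or offline medium); the file-per-site layout and the "decrypt only what you need" habit stay the same. The `umask 077` line and the passphrase-from-file choice are the two details most often skipped when people roll this by hand, and both matter more than the cipher choice: world-readable ciphertext plus a passphrase visible in `ps` undoes the whole exercise.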