Rich Freeman wrote:
> On Mon, Feb 4, 2019 at 5:12 PM Dale <rdalek1...@gmail.com> wrote:
>> Neil Bothwick wrote:
>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>>
>>>>> One reason I use LastPass, it is mobile. I can go to someone else's
>>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
>>>>> logoff and it is like I was never there.
>>>> As much as I like Lastpass I would never do that. It isn't magic - it
>>>> is javascript. If there is a compromise on your computer, then your
>>>> password database will be compromised. This is true of other
>>>> solutions like KeePassX and so on - if something roots your box then
>>>> it will be compromised.
>>> I don't see what root has to do with it. If someone gains access to your
>>> box, they can copy the database file and then take their time trying to
>>> crack the password, but you don't need to be root to do that.
> Correct, it just needs access to the user's data or browser process,
> which could mean running as root, or that user.
>
>> I might point out, LastPass encrypts the password before sticking it in
>> a file. It isn't visible or plain text. Even getting the file would
>> still require some tools and cracking to get the password itself.
> That assumes you're attacking the password file directly.
>
> If you're using lastpass on a compromised system then there are many
> ways that can be used to bypass the encryptions. They could sniff
> your master password when you key it in, or read it directly from the
> browser's memory. These things are protected from sandboxed code in
> your browser, but not from processes running outside the browser
> (unless again you're using a non-conventional privilege system like
> selinux/android/etc).
>
One could argue the same thing about any password tool out there though, right? After all, at some point, all password tools have to decrypt the password even if it is only in memory. At that point, it can be 'sniffed' out. Thing is, if my system or any system I use is compromised, I'll have the same issue no matter what I do or what tool I use. Even if I use the password tool included in Firefox or any other browser, wouldn't I run into the same problem? Wouldn't I run into some other security problem if I used no password tool at all and just typed in the same password for say 20 or 30 different sites?

The solution is to be reasonably secure. Nothing is 100% secure unless it is turned off completely, maybe not even then. I'm sure even selinux has its security issues as well. It is after all an OS that runs a lot of code and only needs one flaw in it. As I've pointed out before on different topics, if a person gets physical access or control of a machine and is able to install things on it, it doesn't really matter what one does unless they can detect it somehow before ever using anything.

Given I only install things from trusted sources, the odds of that happening are likely very small. Even my neighbors don't install much of anything because they mostly use it to access financial sites and to check their email. They are an older pair so they don't use it like even someone my age does. Still, if I did have to use it in a situation, such as ordering computer parts to rebuild, I'd likely change my more important passwords ASAP just to be sure. I already do that regularly anyway, especially for my financial sites. That's another thing LastPass tracks: how long a password has been in use for a site. It reminds me of that sort of thing.

While I'm trying to come up with a good password, I don't expect it to cover every possible case. While I use LastPass, I don't expect it to be a perfect solution. I wouldn't expect it of any other tool either.
Thing is, LastPass does what I need and is likely as secure as other tools that can do the same things. I get that one can be hacked as you describe, but once a person is able to do what you describe, it really doesn't matter what tool I use. Even a simple keylogger can do the job if I use no password tool at all. I'm just trying to be reasonably secure. If everyone or even most everyone would do the same, those little script kiddies would have to work much harder.

That's one thing I read about while googling for ways to come up with passwords. Over half the people using passwords use some really awful ones. Some use the same one for a lot of sites as well, something we both know is bad. If everyone would put in even a tenth of the effort I am, the internet would be a much safer place.

Dale

:-)  :-)