Rich Freeman on 5 Jan 2016 07:27:15 -0800 |
Re: [PLUG] password safe |
On Tue, Jan 5, 2016 at 9:39 AM, Thomas Delrue <delrue.thomas@gmail.com> wrote:
>
> I'm always surprised and flabbergasted at anyone (I'm not picking on you
> specifically, Rich) who uploads their passwords to anything online. Has
> no-one heard of OpSec and ComSec anymore?

I don't work with any data which is sensitive to national security. I don't need the same level of security as somebody whose data is being actively pursued by the KGB.

> P.S.: Don't retort with "it's not so bad if someone grabs my login data"
> unless you are willing to share at least the following with this mailing
> list over cleartext: your SSN, your birth date, login credentials to all
> your e-mail accounts, bank accounts, and social media accounts.

Don't post on this thread at all without letting me screen your post in advance.

Yup, it sounds just as rude when I dictate what you are/aren't allowed to say in a discussion.

The reality is that if I didn't use Lastpass I'd probably end up doing something far less secure, like using the same password on multiple sites. I have no idea what those sites do with my password when I hit submit on a form. I have no reason to believe my login credentials are any more secure in Facebook's hands than they are in Lastpass's.

I certainly don't consider Lastpass the most secure way to handle passwords. I certainly don't consider passwords themselves the most secure way to handle authentication.

> But I guess it's /convenient/, right?

That's the thing. ALL security is in conflict with both convenience and cost. There is nothing scandalous about trading off security for convenience, because that is something we do every day. We should certainly make an informed decision about such compromises, but you're always making them.

For example, the fact that you're even using a password is a compromise. You do realize that you could use RSA or two-factor (which is typically just a user-friendly version of RSA/etc)? Just use exclusively online service providers that allow this method of authentication and you'll be more secure. Of course, that is highly inconvenient, so we compromise.

By using Lastpass I can easily use random passwords for all of my accounts, and easily change them. I still have some old legacy accounts that have less secure passwords, and when I'm feeling bored on a weekend I'll take half a dozen of them and change them to random passwords, which are my preferred way to handle new accounts. I don't care if the mobile app wants to prompt me for my 15-char random password every time I use it, because it auto-fills.

So, while I wouldn't say that Lastpass is the most secure solution around, I would say that it is probably the most secure solution 99% of users would be willing to use. For $12/yr or whatever it is a pretty good deal, IMO. They've also been very transparent about past breaches. It remains to be seen if the change in ownership changes this, and I'll certainly be keeping my eyes open.

If there is a better FOSS solution that can handle both Android application password prompts and Chrome browser fields (on a Chromebook) I'm certainly interested.

--
Rich

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug