Thomas Delrue on 5 Jan 2016 07:58:44 -0800


Re: [PLUG] password safe

You make some good points. I don't agree with everything but that's my
I apologize for my rant... I didn't intend to come off that rude, but I
did so I'm sorry.

I take OpSec a bit too seriously sometimes...


On 01/05/2016 10:27 AM, Rich Freeman wrote:
> On Tue, Jan 5, 2016 at 9:39 AM, Thomas Delrue <> wrote:
>> I'm always surprised and flabbergasted at anyone (I'm not picking on you
>> specifically, Rich) who uploads their passwords to anything online. Has
>> no-one heard of OpSec and ComSec anymore?
> I don't work with any data which is sensitive to national security.  I
> don't need the same level of security as somebody whose data is being
> actively pursued by the KGB.
>> P.S.: Don't retort with "it's not so bad if someone grabs my login data"
>> unless you are willing to share at least the following with this mailing
>> list over cleartext: your SSN, your birth date, login credentials to all
>> your e-mail accounts, bank accounts, and social media accounts.
> Don't post on this thread at all without letting me screen your post
> in advance.  Yup, it sounds just as rude when I dictate what you
> are/aren't allowed to say in a discussion.
> The reality is that if I didn't use Lastpass I'd probably end up doing
> something far less secure, like using the same password on multiple
> sites.  I have no idea what those sites do with my password when I hit
> submit on a form.  I have no reason to believe my login credentials
> are any more secure in Facebook's hands than they are in Lastpass's.
> I certainly don't consider Lastpass the most secure way to handle
> passwords.  I certainly don't consider passwords themselves the most
> secure way to handle authentication.
>> But I guess it's /convenient/, right?
> That's the thing.  ALL security is in conflict with both convenience
> and cost.  There is nothing scandalous about trading off security for
> convenience, because that is something we do every day.  We should
> certainly make an informed decision about such compromises, but you're
> always making them.
> For example, the fact that you're even using a password is a
> compromise.  You do realize that you could use RSA or two-factor
> (which is typically just a user-friendly version of RSA/etc)?  Just
> exclusively use online service providers that allow this method of
> authentication and you'll be more secure.  Of course, that is highly
> inconvenient, so we compromise.
> By using Lastpass I can easily use random passwords for all of my
> accounts, and easily change them.  I still have some old legacy
> accounts that have less secure passwords, and when I'm feeling bored
> on a weekend I'll take half a dozen of them and change them to random
> passwords, which are my preferred way to handle new accounts.  I don't
> care if the mobile app wants to prompt me for my 15-char random
> password every time I use it, because it auto-fills.
> So, while I wouldn't say that Lastpass is the most secure solution
> around, I would say that it is probably the most secure solution 99%
> of users would be willing to use.  For $12/yr or whatever it is a
> pretty good deal, IMO.  They've also been very transparent about past
> breaches.  It remains to be seen if the change in ownership changes
> this, and I'll certainly be keeping my eyes open.  If there is a
> better FOSS solution that can handle both Android application password
> prompts and Chrome browser fields (on a Chromebook) I'm certainly
> interested.
> --
> Rich
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --
> Announcements -
> General Discussion  --