Thomas Delrue on 5 Jan 2016 07:58:44 -0800
Re: [PLUG] password safe
You make some good points. I don't agree with everything but that's my problem.
I apologize for my rant... I didn't intend to come off that rude, but I did so I'm sorry. I take OpSec a bit too seriously sometimes... Sorry...

On 01/05/2016 10:27 AM, Rich Freeman wrote:
> On Tue, Jan 5, 2016 at 9:39 AM, Thomas Delrue <delrue.thomas@gmail.com> wrote:
>>
>> I'm always surprised and flabbergasted at anyone (I'm not picking on you
>> specifically, Rich) who uploads their passwords to anything online. Has
>> no-one heard of OpSec and ComSec anymore?
>
> I don't work with any data which is sensitive to national security. I
> don't need the same level of security as somebody whose data is being
> actively pursued by the KGB.
>
>> P.S.: Don't retort with "it's not so bad if someone grabs my login data"
>> unless you are willing to share at least the following with this mailing
>> list over cleartext: your SSN, your birth date, login credentials to all
>> your e-mail accounts, bank accounts, and social media accounts.
>
> Don't post on this thread at all without letting me screen your post
> in advance. Yup, it sounds just as rude when I dictate what you
> are/aren't allowed to say in a discussion.
>
> The reality is that if I didn't use Lastpass I'd probably end up doing
> something far less secure, like using the same password on multiple
> sites. I have no idea what those sites do with my password when I hit
> submit on a form. I have no reason to believe my login credentials
> are any more secure in Facebook's hands than they are in Lastpass's.
>
> I certainly don't consider Lastpass the most secure way to handle
> passwords. I certainly don't consider passwords themselves the most
> secure way to handle authentication.
>
>> But I guess it's /convenient/, right?
>
> That's the thing. ALL security is in conflict with both convenience
> and cost. There is nothing scandalous about trading off security for
> convenience, because that is something we do every day. We should
> certainly make an informed decision about such compromises, but you're
> always making them.
>
> For example, the fact that you're even using a password is a
> compromise. You do realize that you could use RSA or two-factor
> (which is typically just a user-friendly version of RSA/etc)? Just
> exclusively use online service providers that allow this method of
> authentication and you'll be more secure. Of course, that is highly
> inconvenient, so we compromise.
>
> By using Lastpass I can easily use random passwords for all of my
> accounts, and easily change them. I still have some old legacy
> accounts that have less secure passwords, and when I'm feeling bored
> on a weekend I'll take half a dozen of them and change them to random
> passwords, which are my preferred way to handle new accounts. I don't
> care if the mobile app wants to prompt me for my 15-char random
> password every time I use it, because it auto-fills.
>
> So, while I wouldn't say that Lastpass is the most secure solution
> around, I would say that it is probably the most secure solution 99%
> of users would be willing to use. For $12/yr or whatever it is a
> pretty good deal, IMO. They've also been very transparent about past
> breaches. It remains to be seen if the change in ownership changes
> this, and I'll certainly be keeping my eyes open. If there is a
> better FOSS solution that can handle both Android application password
> prompts and chrome browser fields (on a Chromebook) I'm certainly
> interested.
>
> --
> Rich
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug