Re: [PLUG] password safe

["Keith C. Perry" <kperry@daotechnologies.com>]

That's why I everyone is different on this  :D.  I take OpSec and CommSec very seriously too which is why security that is convenient tends to not interest me (though convenient is subjective, convenient for me could mean convenient for another human).  I use "good" passwords for the things that require passwords and things that require encryption I use strong passphrases and own security approaches that are appropriate for the task.

>From what I saw on lastpass's website their encrypted value mechanisms would be acceptable to me but it's still not something I would use.


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
Keith C. Perry, MS E.E. 
Owner, DAO Technologies LLC 
(O) +1.215.525.4165 x2033 
(M) +1.215.432.5167 
www.daotechnologies.com

----- Original Message -----
From: "Thomas Delrue" <delrue.thomas@gmail.com>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Tuesday, January 5, 2016 10:58:37 AM
Subject: Re: [PLUG] password safe

You make some good points. I don't agree with everything but that's my
problem.
I apologize for my rant... I didn't intend to come of that rude, but I
did so I'm sorry.

I take OpSec a bit to seriously sometimes...

Sorry...

On 01/05/2016 10:27 AM, Rich Freeman wrote:
> On Tue, Jan 5, 2016 at 9:39 AM, Thomas Delrue <delrue.thomas@gmail.com> wrote:
>>
>> I'm always surprised and flabbergasted at anyone (I'm not picking on you
>> specifically, Rich) who uploads their passwords to anything online. Has
>> no-one heard of OpSec and ComSec anymore?
> 
> I don't work with any data which is sensitive to national security.  I
> don't need the same level of security as somebody whose data is being
> actively pursued by the KGB.
> 
>> P.S.: Don't retort with "it's not so bad if someone grabs my login data"
>> unless you are willing to share at least the following with this mailing
>> list over cleartext: you SSN, your birth date, login credentials to all
>> your e-mail accounts, bank accounts, and social media accounts.
> 
> Don't post on this thread at all without letting me screen your post
> in advance.  Yup, it sounds just as rude when I dictate what you
> are/aren't allowed to say in a discussion.
> 
> The reality is that if I didn't use Lastpass I'd probably end up doing
> something far less secure, like using the same password on multiple
> sites.  I have no idea what those sites do with my password when I hit
> submit on a form.  I have no reason to believe my login credentials
> are any more secure in Facebook's hands than they are in Lastpass's.
> 
> I certainly don't consider Lastpass the most secure way to handle
> passwords.  I certainly don't consider passwords themselves the most
> secure way to handle authentication.
> 
>> But I guess it's /convenient/, right?
> 
> That's the thing.  ALL security is in conflict with both convenience
> and cost.  There is nothing scandalous about trading off security for
> convenience, because that is something we do every day.  We should
> certainly make an informed decision about such compromises, but you're
> always making them.
> 
> For example, the fact that you're even using a password is a
> compromise.  You do realize that you could use RSA or two-factor
> (which is typically just a user-friendly version of RSA/etc)?  Just
> exclusively online service providers that allow this method of
> authentication and you'll be more secure.  Of course, that is highly
> inconvenient, so we compromise.
> 
> By using Lastpass I can easily use random passwords for all of my
> accounts, and easily change them.  I still have some old legacy
> accounts that have less secure passwords, and when I'm feeling bored
> on a weekend I'll take half a dozen of them and change them to random
> passwords, which are my preferred way to handle new accounts.  I don't
> care if the mobile app wants to prompt me for my 15-char random
> password every time I use it, because it auto-fills.
> 
> So, while I wouldn't say that Lastpass is the most secure solution
> around, I would say that it is probably the most secure solution 99%
> of users would be willing to use.  For $12/yr or whatever it is a
> pretty good deal, IMO.  They've also been very transparent about past
> breaches.  It remains to be seen if the change in ownership changes
> this, and I'll certainly be keeping my else open.  If there is a
> better FOSS solution that can handle both Android application password
> prompts and chrome browser fields (on a Chromebook) I'm certainly
> interested.
> 
> --
> Rich
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
> 
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug