Rich Freeman on 7 Jan 2017 11:57:03 -0800


Re: [PLUG] XKCD: Team Chat

On Sat, Jan 7, 2017 at 2:41 PM, Andrew Libby <> wrote:
> On 1/7/17 1:52 PM, Rich Freeman wrote:
>> On Sat, Jan 7, 2017 at 7:54 AM, Andrew Libby <> wrote:
>>> This is precisely why I don't use any of those fancy password management
>>> services.  To get to my stuff, you need to specifically attack me and break
>>> the method I use to keep my passwords secure (gnupg).  It's less
>>> efficient than just clicking submit in a browser with a plugin that
>>> manages it all.
>>> Only semi-related to the topic here is that I gave up on remembering
>>> passwords, but at least now I use super long (16 - 32 characters) and
>>> every password I use is different and completely random.  My experience
>>> is that banks are the worst and reject much punctuation.  Banks....
>> So, how do you manage logging into sites on your phone this way?
> A good question - I don't.  Frustrates me that I gotta type in my
> password every time I go into my bank app, so I just do it all on
> my PC.  I like going to the bank and seeing the tellers for deposits
> anyway.  I'm old fashioned like that I guess.

Personally I use lastpass.

The various options all have their pros and cons, and I'm not ignorant
of either in the case of lastpass.  However, I find it more secure than
what I'd probably be doing otherwise.  This is why I tend to recommend
it to others.  The average person isn't going to run
keepass+gnupg+cloud-sync and they're definitely not going to keep a
code book on their bookshelf.  They're more likely to follow the
Podesta school of security.  :)

If you can live without access on anything other than
OSX+Linux/X11+Windows then the keepass route is going to be more
secure.  However, don't kid yourself, some of the exploits that would
work on lastpass (like sandbox escapes) would probably work just as
well against keepass the way most people actually use it.

As with any other security-related topic (backups, encryption, etc.) I
think the important thing is to truly understand the risks every
option involves, and to understand the value of their data, and to
understand the priority of each threat-model for them, and to make a
well-informed choice.  It is also fine to have a multi-tiered
strategy, where perhaps you use a tool like lastpass/etc for most
stuff, and then for higher-risk stuff you use a different approach.

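As an added example (not code from the thread or from either poster), here is a small Python generator in the spirit of Andrew's approach: uniformly random passwords drawn only from the characters a given site permits, with the entropy arithmetic that shows how much extra length a no-punctuation bank policy costs. The class names, function names and the 16-character baseline are my own choices.

```python
import math
import secrets
import string

# Character classes; a site policy (e.g. a bank that rejects punctuation)
# is expressed by which of these classes it permits. Assumed names.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "punct": string.punctuation,
}


def alphabet(allowed_classes):
    """Build the alphabet a site permits from the class names it accepts."""
    chars = "".join(CLASSES[c] for c in allowed_classes)
    if not chars:
        raise ValueError("no character classes allowed")
    return chars


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def length_for_entropy(target_bits, alphabet_size):
    """Shortest length that reaches target_bits over the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(length, allowed_classes=("lower", "upper", "digits", "punct")):
    """Uniformly random password over the permitted alphabet, drawn from the
    OS CSPRNG via the secrets module (never random.choice for secrets)."""
    chars = alphabet(allowed_classes)
    return "".join(secrets.choice(chars) for _ in range(length))


if __name__ == "__main__":
    full = alphabet(("lower", "upper", "digits", "punct"))   # 94 symbols
    bank = alphabet(("lower", "upper", "digits"))            # 62 symbols
    print(f"16 chars, full alphabet : {entropy_bits(16, len(full)):.1f} bits")
    print(f"16 chars, no punctuation: {entropy_bits(16, len(bank)):.1f} bits")
    print("length needed without punctuation to match:",
          length_for_entropy(entropy_bits(16, len(full)), len(bank)))
    print("sample bank-safe password:", generate(20, ("lower", "upper", "digits")))
```

The takeaway is that dropping punctuation at a fixed length costs roughly 10 bits at 16 characters, and two extra alphanumeric characters buy it back.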
Philadelphia Linux Users Group