Rich Freeman on 7 Jan 2017 14:03:41 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Lastpass - friend of foe

On Sat, Jan 7, 2017 at 3:53 PM, Paul Walker <> wrote:
> It seems intuitive to just memorize extremely difficult to crack passwords.

No argument that this is far more secure, but right now Lastpass is
tracking 426 different passwords for me, almost all of which are
strong and random and unique to a single site.

If you can keep that in your head, this is of course better.

You can always use a tiered approach, like memorize a few strong
passwords and use those for your most critical sites (banking/etc),
and then let lastpass/etc manage the bazillion web forums you
occasionally browse, which probably is more secure than just using one
password across all of them.

You could also do things like "salt" your passwords with the site
name.  If somebody steals the password file from and
sees that your password is "L33tH@x-fancyforum" they would probably
guess that your password on dullforum is "L33tH@x-dullforum."
However, that assumes that a human bothers to read your individual
password.  In the more likely case that they're scripting things and
trying the 1M passwords they stole against 5k other sites then they
probably wouldn't defeat this the way they would if your passwords
were identical.

> However, once your requirements are more complex - for instance, you need to
> transfer passwords between trusted users, manage access to different
> passwords for different groups of people, etc, then well-conceived
> third-party solutions like Lastpass begin to make a lot of sense.

Yeah, I wasn't even thinking of this use case but Lastpass does
support this.  I'm not sure how they do it with local encryption
though, since normally all the passwords are encrypted before they're
uploaded (so if somebody wants to steal your passwords they can't just
steal them server-side, but they'd have to get people to use modified
clients that will leak the keys).  You could certainly do it with RSA
if each user has a public key, and hopefully this is how they're
actually doing it (or similar), vs storing the keys server-side with
asymmetric crypto.

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --