Rich Freeman on 7 Jan 2017 14:03:41 -0800 |
Re: [PLUG] Lastpass - friend of foe |
On Sat, Jan 7, 2017 at 3:53 PM, Paul Walker <pjwalker76@gmail.com> wrote:

> It seems intuitive to just memorize extremely difficult to crack passwords.

No argument that this is far more secure, but right now Lastpass is tracking 426 different passwords for me, almost all of which are strong and random and unique to a single site. If you can keep that in your head, this is of course better.

You can always use a tiered approach, like memorize a few strong passwords and use those for your most critical sites (banking/etc), and then let lastpass/etc manage the bazillion web forums you occasionally browse, which probably is more secure than just using one password across all of them.

You could also do things like "salt" your passwords with the site name. If somebody steals the password file from fancyforum.com and sees that your password is "L33tH@x-fancyforum" they would probably guess that your password on dullforum is "L33tH@x-dullforum." However, that assumes that a human bothers to read your individual password. In the more likely case that they're scripting things and trying the 1M passwords they stole against 5k other sites then they probably wouldn't defeat this the way they would if your passwords were identical.

> However, once your requirements are more complex - for instance, you need to
> transfer passwords between trusted users, manage access to different
> passwords for different groups of people, etc, then well-conceived
> third-party solutions like Lastpass begin to make a lot of sense.

Yeah, I wasn't even thinking of this use case but Lastpass does support this. I'm not sure how they do it with local encryption though, since normally all the passwords are encrypted before they're uploaded (so if somebody wants to steal your passwords they can't just steal them server-side, but they'd have to get people to use modified clients that will leak the keys).

You could certainly do it with RSA if each user has a public key, and hopefully this is how they're actually doing it (or similar), vs storing the keys server-side with asymmetric crypto.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
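The per-user public-key sharing scheme Rich sketches, as an added example that is not part of the original post and is not a description of how LastPass actually implements sharing: each shared item is encrypted client-side under its own random AES-256-GCM key, and that item key is wrapped with RSA-OAEP to every recipient's public key, so the server stores only ciphertext and wrapped keys. The type and function names (`Member`, `SharedItem`, `Share`, `Open`) and the `vault-item-key` OAEP label are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds a wrapped key to its purpose; a constructed value for this example.
var oaepLabel = []byte("vault-item-key")

// Member is a vault user. The private key stays on the member's own machine;
// only Priv.PublicKey is ever registered with the server.
type Member struct {
	Name string
	Priv *rsa.PrivateKey
}

// SharedItem is everything the server stores for one shared password: the
// ciphertext and one wrapped copy of the item key per recipient. A server-side
// compromise yields nothing decryptable without some member's private key.
type SharedItem struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey map[string][]byte // member name -> item key encrypted to that member's public key
}

// NewMember generates a fresh RSA key pair for one user.
func NewMember(name string) (*Member, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Member{Name: name, Priv: priv}, nil
}

// Recipients collects the public keys of the members an item is shared with.
func Recipients(members ...*Member) map[string]*rsa.PublicKey {
	out := make(map[string]*rsa.PublicKey, len(members))
	for _, m := range members {
		out[m.Name] = &m.Priv.PublicKey
	}
	return out
}

// Share encrypts secret under a random per-item AES-256-GCM key and wraps that
// key with RSA-OAEP for each recipient. Adding a recipient later only needs one
// more wrap; removing one securely means re-running Share with a fresh item key,
// since the departing member may already hold the old key.
func Share(secret []byte, recipients map[string]*rsa.PublicKey) (*SharedItem, error) {
	itemKey := make([]byte, 32)
	if _, err := rand.Read(itemKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(itemKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	item := &SharedItem{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, secret, nil),
		WrappedKey: make(map[string][]byte, len(recipients)),
	}
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, itemKey, oaepLabel)
		if err != nil {
			return nil, fmt.Errorf("wrapping key for %s: %w", name, err)
		}
		item.WrappedKey[name] = wrapped
	}
	return item, nil
}

// Open unwraps the item key with the member's private key and decrypts the
// secret. A non-recipient, or a tampered ciphertext, gets an error.
func (m *Member) Open(item *SharedItem) ([]byte, error) {
	wrapped, ok := item.WrappedKey[m.Name]
	if !ok {
		return nil, errors.New(m.Name + " is not a recipient of this item")
	}
	itemKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, m.Priv, wrapped, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(itemKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, item.Nonce, item.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := NewMember("alice")
	bob, _ := NewMember("bob")
	// Constructed demo secret; in practice this is the password being shared.
	item, _ := Share([]byte("fancyforum.com: demo-password"), Recipients(alice, bob))
	got, err := alice.Open(item)
	fmt.Printf("alice reads %q (err=%v)\n", got, err)
}
```

The design point is that the server only ever performs storage: it cannot decrypt an item, and a compromised server gains nothing beyond the ability to serve modified clients, which is exactly the remaining risk Rich identifies.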