Christopher Barry on 7 Jan 2017 14:38:54 -0800
Re: [PLUG] Lastpass - friend of foe
On Sat, 7 Jan 2017 17:03:35 -0500
Rich Freeman <r-plug@thefreemanclan.net> wrote:

>On Sat, Jan 7, 2017 at 3:53 PM, Paul Walker <pjwalker76@gmail.com>
>wrote:
>> It seems intuitive to just memorize extremely difficult to crack
>> passwords.
>
>No argument that this is far more secure, but right now Lastpass is
>tracking 426 different passwords for me, almost all of which are
>strong and random and unique to a single site.
>
>If you can keep that in your head, this is of course better.
>
>You can always use a tiered approach, like memorize a few strong
>passwords and use those for your most critical sites (banking/etc),
>and then let lastpass/etc manage the bazillion web forums you
>occasionally browse, which probably is more secure than just using one
>password across all of them.
>
>You could also do things like "salt" your passwords with the site
>name. If somebody steals the password file from fancyforum.com and
>sees that your password is "L33tH@x-fancyforum" they would probably
>guess that your password on dullforum is "L33tH@x-dullforum."
>However, that assumes that a human bothers to read your individual
>password. In the more likely case that they're scripting things and
>trying the 1M passwords they stole against 5k other sites then they
>probably wouldn't defeat this the way they would if your passwords
>were identical.
>
>> However, once your requirements are more complex - for instance, you
>> need to transfer passwords between trusted users, manage access to
>> different passwords for different groups of people, etc, then
>> well-conceived third-party solutions like Lastpass begin to make a
>> lot of sense.
>
>Yeah, I wasn't even thinking of this use case but Lastpass does
>support this. I'm not sure how they do it with local encryption
>though, since normally all the passwords are encrypted before they're
>uploaded (so if somebody wants to steal your passwords they can't just
>steal them server-side, but they'd have to get people to use modified
>clients that will leak the keys). You could certainly do it with RSA
>if each user has a public key, and hopefully this is how they're
>actually doing it (or similar), vs storing the keys server-side with
>asymmetric crypto.
>

Meh, I just use 'P@ssw0rd123' everywhere.

...oops.

--
Regards,
Christopher
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
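The site-name "salting" trade-off Rich describes in the quoted message, as an added example that is not part of the original thread and not anything LastPass does: the naive scheme builds each password from a visible base plus the site name, so one leaked value exposes the pattern, whereas a keyed derivation (HMAC-SHA256 over the site name under a master secret that never leaves the device) gives every site an unrelated value that a leak of a sibling site does not reveal. The master secret, the site names and the function names are constructed for this illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample secret for this illustration; not a real credential.
MASTER_SECRET = b"example master secret - never stored server-side"


def naive_site_password(base: str, site: str) -> str:
    """The "salt with the site name" scheme from the thread: a fixed base
    string with the site name appended in the clear. A single leaked value
    shows a reader both the base and the rule used to build it."""
    return f"{base}-{site}"


def derived_site_password(master_secret: bytes, site: str, length: int = 20) -> str:
    """Hypothetical keyed derivation: HMAC-SHA256 over the normalised site
    name, keyed with a master secret held only on the user's device.
    The site name still goes in, so each site gets a unique password, but
    without the secret a leaked value for one site says nothing about any
    other site's value."""
    digest = hmac.new(master_secret, site.strip().lower().encode(), hashlib.sha256).digest()
    # base64 yields letters, digits, '+' and '/'; trim to the requested length.
    return base64.b64encode(digest).decode("ascii")[:length]


def guess_from_leak(leaked_pw: str, leaked_site: str, target_site: str) -> str:
    """The pattern-based guess the thread describes a human making after
    reading one leaked password: swap the leaked site's name for the target's.
    Used here only to show which scheme that guess works against."""
    return leaked_pw.replace(leaked_site, target_site)


def naive_scheme_is_guessable(base: str, leaked_site: str, target_site: str) -> bool:
    """True when the swap-the-site-name guess recovers the naive scheme's
    password for the target site (it always does)."""
    leaked = naive_site_password(base, leaked_site)
    return guess_from_leak(leaked, leaked_site, target_site) == naive_site_password(base, target_site)


def keyed_scheme_is_guessable(master_secret: bytes, leaked_site: str, target_site: str) -> bool:
    """True when the same guess recovers the keyed scheme's password for the
    target site from a leak of the other site (it does not: the leaked value
    does not even contain the site name, let alone the secret)."""
    leaked = derived_site_password(master_secret, leaked_site)
    return guess_from_leak(leaked, leaked_site, target_site) == derived_site_password(master_secret, target_site)


if __name__ == "__main__":
    print("naive fancyforum:", naive_site_password("L33tH@x", "fancyforum"))
    print("naive dullforum :", naive_site_password("L33tH@x", "dullforum"))
    print("naive guessable :", naive_scheme_is_guessable("L33tH@x", "fancyforum", "dullforum"))
    print("keyed fancyforum:", derived_site_password(MASTER_SECRET, "fancyforum.com"))
    print("keyed dullforum :", derived_site_password(MASTER_SECRET, "dullforum.com"))
    print("keyed guessable :", keyed_scheme_is_guessable(MASTER_SECRET, "fancyforum.com", "dullforum.com"))
```

This only demonstrates the per-site uniqueness point. A real manager would stretch the master secret with a password-based KDF (PBKDF2 or Argon2) before using it as the HMAC key, would fold a per-site counter into the input so a single site's password can be rotated, and would still have to satisfy each site's composition rules; none of that changes the comparison above, where the site name feeds a keyed function instead of being appended where anyone can read it.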