Christopher Barry on 7 Jan 2017 14:38:54 -0800


Re: [PLUG] Lastpass - friend of foe

On Sat, 7 Jan 2017 17:03:35 -0500
Rich Freeman <> wrote:

>On Sat, Jan 7, 2017 at 3:53 PM, Paul Walker <>
>> It seems intuitive to just memorize extremely difficult to crack
>> passwords.  
>No argument that this is far more secure, but right now Lastpass is
>tracking 426 different passwords for me, almost all of which are
>strong and random and unique to a single site.
>If you can keep that in your head, this is of course better.
>You can always use a tiered approach, like memorize a few strong
>passwords and use those for your most critical sites (banking/etc),
>and then let lastpass/etc manage the bazillion web forums you
>occasionally browse, which probably is more secure than just using one
>password across all of them.
>You could also do things like "salt" your passwords with the site
>name.  If somebody steals the password file from and
>sees that your password is "L33tH@x-fancyforum" they would probably
>guess that your password on dullforum is "L33tH@x-dullforum."
>However, that assumes that a human bothers to read your individual
>password.  In the more likely case that they're scripting things and
>trying the 1M passwords they stole against 5k other sites then they
>probably wouldn't defeat this the way they would if your passwords
>were identical.
>> However, once your requirements are more complex - for instance, you
>> need to transfer passwords between trusted users, manage access to
>> different passwords for different groups of people, etc, then
>> well-conceived third-party solutions like Lastpass begin to make a
>> lot of sense.  
>Yeah, I wasn't even thinking of this use case but Lastpass does
>support this.  I'm not sure how they do it with local encryption
>though, since normally all the passwords are encrypted before they're
>uploaded (so if somebody wants to steal your passwords they can't just
>steal them server-side, but they'd have to get people to use modified
>clients that will leak the keys).  You could certainly do it with RSA
>if each user has a public key, and hopefully this is how they're
>actually doing it (or similar), vs storing the keys server-side with
>asymmetric crypto.

Meh, I just use 'P@ssw0rd123' everywhere.


Philadelphia Linux Users Group         --
Announcements -
General Discussion  --