Lee H. Marzke on 7 Jan 2017 16:24:51 -0800



Re: [PLUG] Lastpass - friend of foe


See below.

----- Original Message -----
> From: "Rich Freeman" <r-plug@thefreemanclan.net>
> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
> Sent: Saturday, January 7, 2017 5:03:35 PM
> Subject: Re: [PLUG] Lastpass - friend of foe

> On Sat, Jan 7, 2017 at 3:53 PM, Paul Walker <pjwalker76@gmail.com> wrote:
>> It seems intuitive to just memorize extremely difficult to crack passwords.
> 
> No argument that this is far more secure, but right now Lastpass is
> tracking 426 different passwords for me, almost all of which are
> strong and random and unique to a single site.


I also use LastPass for hundreds of passwords myself and for Enterprise implementation at some of my clients.

When I found out a manager at a client was putting data center passwords unencrypted on their phone, it
was easy to get them to adopt LastPass to address that huge risk, and we share the passwords between the
few users that need them.

Also, LastPass allows text notes or binary attachments on vault items. This can be useful for storing
important spreadsheets etc., if you don't have a real DR site.


> 
> If you can keep that in your head, this is of course better.
> 
> You can always use a tiered approach, like memorize a few strong
> passwords and use those for your most critical sites (banking/etc),
> and then let lastpass/etc manage the bazillion web forums you
> occasionally browse, which probably is more secure than just using one
> password across all of them.
> 
> You could also do things like "salt" your passwords with the site
> name.  If somebody steals the password file from fancyforum.com and
> sees that your password is "L33tH@x-fancyforum" they would probably
> guess that your password on dullforum is "L33tH@x-dullforum."
> However, that assumes that a human bothers to read your individual
> password.  In the more likely case that they're scripting things and
> trying the 1M passwords they stole against 5k other sites then they
> probably wouldn't defeat this the way they would if your passwords
> were identical.
> 
>> However, once your requirements are more complex - for instance, you need to
>> transfer passwords between trusted users, manage access to different
>> passwords for different groups of people, etc, then well-conceived
>> third-party solutions like Lastpass begin to make a lot of sense.

The sharing is key.... I use a client's Enterprise version linked to my personal version, so both my personal work
keys and the client's shared keys are visible to me with a single login.

The Enterprise version allows me to require two-factor authentication (any of several)
for all Enterprise accounts.

I provide a Yubikey device for new client users as the default 2nd factor,  but they can use Google or Duo or others.
Yubikey rocks for this.  I wish it worked for more services.


> 
> Yeah, I wasn't even thinking of this use case but Lastpass does
> support this.  I'm not sure how they do it with local encryption
> though, since normally all the passwords are encrypted before they're
> uploaded (so if somebody wants to steal your passwords they can't just
> steal them server-side, but they'd have to get people to use modified
> clients that will leak the keys).  You could certainly do it with RSA
> if each user has a public key, and hopefully this is how they're
> actually doing it (or similar), vs storing the keys server-side with
> asymmetric crypto.
> 

LastPass has no keys on their server: 256-bit AES, with RSA public keys to share between users. See:
https://lastpass.com/support.php?cmd=showfaq&id=6926

> 
> --
> Rich

-- 
"Between subtle shading and the absence of light lies the nuance of iqlusion..." - Kryptos 

Lee Marzke, lee@marzke.net http://marzke.net/lee/ 
IT Consultant, VMware, VCenter, SAN storage, infrastructure, SW CM 
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
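Rich's point above about "salting" a password with the site name (a scripted replay of a leaked dump does not defeat it, but a human who reads the password does) can be shown concretely. The following is an added example, not code from this thread or from LastPass: it builds two toy forums, fancyforum and dullforum, with three made-up users, constructs a fancyforum dump that is assumed to be already cracked to plaintext, and runs both attacks against dullforum. SHA-256 over a per-user random salt stands in for a real slow password hash so that the example runs on the Go standard library alone.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
)

// Cred is one (username, plaintext password) pair recovered from a breached site.
type Cred struct{ User, Password string }

// Site is a toy account database: a random per-user salt and SHA-256(salt || password).
// A real site should use a slow password hash (bcrypt, scrypt or Argon2); SHA-256 is used
// here only so the example runs on the Go standard library alone.
type Site struct {
	name string
	salt map[string][]byte
	hash map[string][]byte
}

func NewSite(name string) *Site {
	return &Site{name: name, salt: map[string][]byte{}, hash: map[string][]byte{}}
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// Register stores a fresh salt and the salted hash; the plaintext is never kept.
func (s *Site) Register(user, password string) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	s.salt[user] = salt
	s.hash[user] = hashPassword(salt, password)
}

// Login is the only interface the attacker has: present a guess, learn yes or no.
func (s *Site) Login(user, password string) bool {
	salt, ok := s.salt[user]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(s.hash[user], hashPassword(salt, password)) == 1
}

// Stuff is the scripted attack: replay every leaked pair verbatim against the target.
func Stuff(leak []Cred, target *Site) []string {
	var hits []string
	for _, c := range leak {
		if target.Login(c.User, c.Password) {
			hits = append(hits, c.User)
		}
	}
	return hits
}

// Targeted models a human who read the leaked password, spotted the breached site's
// name in it and swapped it for the target's name before trying.
func Targeted(leak []Cred, target *Site, leakedSite string) []string {
	var hits []string
	for _, c := range leak {
		if target.Login(c.User, strings.ReplaceAll(c.Password, leakedSite, target.name)) {
			hits = append(hits, c.User)
		}
	}
	return hits
}

// BuildScenario constructs the two forums and the (assumed already cracked) dump of
// fancyforum passwords. Users and passwords are made up for this example.
func BuildScenario() (leak []Cred, dullforum *Site) {
	fancy, dull := NewSite("fancyforum"), NewSite("dullforum")
	// alice: one password everywhere.
	fancy.Register("alice", "L33tH@x")
	dull.Register("alice", "L33tH@x")
	// bob: the "salt with the site name" scheme from the thread.
	fancy.Register("bob", "L33tH@x-fancyforum")
	dull.Register("bob", "L33tH@x-dullforum")
	// carol: unique random passwords from a password manager.
	fancy.Register("carol", "k8Qz!v3Lm9#pW2")
	dull.Register("carol", "Tq7$rN2xZc!4Jh")
	leak = []Cred{
		{"alice", "L33tH@x"},
		{"bob", "L33tH@x-fancyforum"},
		{"carol", "k8Qz!v3Lm9#pW2"},
	}
	return leak, dull
}

func main() {
	leak, dull := BuildScenario()
	fmt.Println("scripted stuffing compromised:", Stuff(leak, dull))                // [alice]
	fmt.Println("targeted rewrite compromised: ", Targeted(leak, dull, "fancyforum")) // [alice bob]
}
```

Only the identical-password account falls to the bulk replay; the site-salted one survives that but not the one-line rewrite in Targeted, which an attacker can just as well script once the pattern is noticed in a few dozen leaked entries. The manager-generated password survives both.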
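The sharing design Rich guessed at and Lee's link summarises (AES-256 for the item, RSA public keys to share between users) can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not LastPass's code and says nothing about its internals beyond what the thread states. The specific choices here are my assumptions: each shared item gets its own random AES-256 key, the item is encrypted under it with AES-GCM, and that key is wrapped with RSA-OAEP (SHA-256) once per recipient, so the server stores only ciphertext plus per-recipient wrapped keys and holds nothing that decrypts them. The secret string and user names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped blob to its purpose; wrap and unwrap must agree on it.
var oaepLabel = []byte("shared-vault-item-key")

// SharedItem is everything the server stores for one shared secret: the AES-GCM
// ciphertext and the per-item key wrapped separately for each recipient. Nothing
// here decrypts without a recipient's RSA private key, which stays on their machine.
type SharedItem struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey map[string][]byte // recipient name -> RSA-OAEP(itemKey)
}

// NewUser generates the RSA keypair a vault user would hold locally.
func NewUser() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Share runs on the owner's machine: encrypt the secret under a fresh random AES-256
// key, then wrap that key for every recipient's public key. Only the result is uploaded.
func Share(secret []byte, recipients map[string]*rsa.PublicKey) (*SharedItem, error) {
	itemKey := make([]byte, 32) // AES-256
	if _, err := rand.Read(itemKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(itemKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	item := &SharedItem{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, secret, nil),
		WrappedKey: make(map[string][]byte, len(recipients)),
	}
	for name, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, itemKey, oaepLabel)
		if err != nil {
			return nil, err
		}
		item.WrappedKey[name] = w
	}
	return item, nil
}

// Open runs on the recipient's machine: unwrap the item key with their private key,
// then decrypt. A user the item was never shared with, or the wrong private key, fails.
func Open(item *SharedItem, name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := item.WrappedKey[name]
	if !ok {
		return nil, errors.New("item not shared with " + name)
	}
	itemKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(itemKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, item.Nonce, item.Ciphertext, nil)
}

func main() {
	alice, _ := NewUser()
	bob, _ := NewUser()
	mallory, _ := NewUser()
	item, err := Share([]byte("dc-console: admin / hunter2"), map[string]*rsa.PublicKey{
		"alice": &alice.PublicKey, "bob": &bob.PublicKey,
	})
	if err != nil {
		panic(err)
	}
	pt, err := Open(item, "bob", bob)
	fmt.Printf("bob reads %q (err=%v)\n", pt, err)
	_, err = Open(item, "mallory", mallory)
	fmt.Println("mallory:", err)
	_, err = Open(item, "alice", bob) // bob's key cannot unwrap alice's copy
	fmt.Println("alice's copy with bob's key:", err)
}
```

Two consequences of this layout are worth keeping in mind when administering shares. Removing a user means more than deleting their wrapped key: their client already held the item key, so a real revocation re-encrypts the item under a fresh key and wraps it only for the remaining recipients. And, as Rich noted, the trust moves from the server to the client software that performs the unwrap, so the integrity of that client (browser extension, app, update channel) is what the whole scheme rests on.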