Ronald P Guilmet on 9 Jan 2017 09:56:37 -0800


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Lastpass - friend of foe

I use to find MFA or 2 step sign in as a pain. Do you think other web interfaces should implement MFA or 2 step? I think I use it for two sites now, only because it's available for those sites.


On Mon, Jan 9, 2017, 12:31 PM Rich Freeman <r-plug@thefreemanclan.net> wrote:
On Mon, Jan 9, 2017 at 12:08 PM, Thomas Delrue <delrue.thomas@gmail.com> wrote:
>
> Partial security will still let you be fully compromised.
>

You're treating security as if it were binary, you're either secure or
you're not.

In reality you have different use cases, and different threat models,
and relative amounts of risk for each of these.

I gave you a list of use cases.  Sure, if I didn't have all of them I
get that it might be easier to achieve a higher level of security,
though I'd go further and say that if I never logged into anything,
anywhere, then I'd probably be even more secure.  I'd be even safer if
I never left my house.  :)

Any proposed process is going to have vulnerabilities.  Where those
vulnerabilities are and the risk of each is going to vary.  Writing
your passwords in a book will be more safe against some attacks and
more at risk for others, compared to something like Lastpass.

In the end it is important to understand the strengths and weaknesses
of whatever tools you use, and understand the risks and tradeoffs
you're implicitly accepting by using them.

Whether process A is vulnerable to threat model B is a fairly
objective determination, and we could probably agree on these
determinations.  The final decision as to the importance of a
particular threat model or the amount of risk we're willing to accept
is a value judgement, and I suspect it will be harder for individuals
to agree on them.  Hence my emphasis on education.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug