Rich Freeman on 17 Jan 2017 06:24:18 -0800


Re: [PLUG] Lastpass - friend of foe

On Tue, Jan 17, 2017 at 9:03 AM, Rich Kulawiec <> wrote:
> RSA painted a bullseye on themselves large enough to be seen from space
> because they accrued information deemed sufficiently valuable by (at
> least) one adversary who had the resources to acquire it.  And then
> they started making mistakes (see above) which, in combination,
> made them sufficiently vulnerable that (at least) one adversary
> was successful.

I'd go a step further and argue that the design was flawed simply due
to the fact that RSA was ever in a position to have the credentials on
the tokens.

It would have worked far better if the TOTPs were initialized by the
customer, not by the vendor.  This is how most modern devices work,
and it avoids this issue entirely.

> I think LastPass is doing exactly the same thing.

So, this is a fair argument to make.  The problem is that there aren't
exactly a lot of alternatives right now.  CKP on Chrome seems to be
the closest option, but from what I see on it online it is read-only
(that is, you can't generate new passwords using it, which is a bit of
a non-starter for me since I can't promise I'm at a Windows/X11
desktop when generating a new password.)
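Added example, not code from the thread or from any vendor mentioned in it: the provisioning model argued for above, where the TOTP seed is generated on the customer's side with the OS CSPRNG and shared only with the one service that verifies it, so no vendor ever holds a master copy of every customer's seeds. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238 (HMAC-SHA1, 30-second step); the function names are my own.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # RFC 6238 default code length


def generate_seed(num_bytes: int = 20) -> bytes:
    """Generate the TOTP seed locally from the OS CSPRNG (160 bits by default)."""
    return secrets.token_bytes(num_bytes)


def seed_to_base32(seed: bytes) -> str:
    """Base32 form of the seed, the encoding carried in otpauth:// enrollment URIs."""
    return base64.b32encode(seed).decode("ascii").rstrip("=")


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps elapsed since the Unix epoch."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Verifier-side check: accept +/- `window` steps of clock skew, compare in constant time."""
    for drift in range(-window, window + 1):
        candidate = totp(seed, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False
```

Enrollment is `seed_to_base32(generate_seed())` handed to the verifier once; afterwards both sides compute `totp(seed, now)` independently and nobody else needs the seed.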
