Re: [PLUG] password safe

[JP Vossen <jp@jpsdomain.org>]

I agree with Keith, I don't trust a browser with anything important. 
That's one reason I like Password Safe.  It is less convenient; I have 
to open it, possibly enter the master password if that has timed-out, 
and find the right record.  Then I can hit CTRL-T to auto-type it into 
the browser, or I can manually copy&paste a few ways or I could re-type 
it, but since they are all 15 random characters that's painful.

But *I* trigger it and manual steps are involved so the browser can't do 
anything.  (OK, a really hacked browser/OS could re-transmit data 
elsewhere.)

I see the point of the more integrated tools, but I'm personally willing 
to put up with the few extra steps.  There's that trade-off thing...  I 
also use No-Script, which breaks a LOT of stuff, but my wife will not. 
Same thing.


On 01/05/2016 12:59 PM, Keith C. Perry wrote:
> Ok, thanks for re-explaining.  For me, browsers are too powerful today to be involved in doing security related things automagically but I can see the attraction to the system for many people.  On Linux we're able to be more deliberative in implemented real multiple layers of security so the risk level isn't going to be as high as it might be elsewhere :D
>
>
> ----- Original Message -----
> From: "Rich Freeman" <r-plug@thefreemanclan.net>
> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
> Sent: Tuesday, January 5, 2016 12:35:48 PM
> Subject: Re: [PLUG] password safe
>
> On Tue, Jan 5, 2016 at 11:56 AM, Keith C. Perry
> <kperry@daotechnologies.com> wrote:
> > Wait... if passwords can be "skimmed" then are you saying that the communication between the the lastpass client and their servers is NOT encrypted?
>
> No.  The server stores an encrypted password database.  The client
> authenticates to the server (I'm not sure what the details of this are
> - it is based on your master password but I'm pretty sure the master
> password itself isn't sent).  The server sends the client the
> encrypted password database over SSL or such (so, double-encrypted at
> that point).  Then the client uses your password to decrypt the
> database and use it.  Their server never sees the plaintext passwords.
>
> However, this all depends on the client behaving as advertised.  The
> client is just a browser extension.  I'm not sure what if any code is
> loaded from the server at runtime.  Presumably if the servers are
> compromises they could just update your client to not behave in a
> secure fashion, such as having it transmit your master password to the
> server, allowing the server to decrypt your local password database.
>
> It is no different than sticking a cracked package on Debian's servers
> that transmits your Keepass database in plaintext to some random
> server when you use it.  If you compromise the client and the client
> has access to the plaintext, then you can get the plaintext.
>
> However, if the chrome extension doesn't download any code at runtime
> but instead relies on the Chrome Store for updates then it would be
> harder to crack, since the company could keep their credentials for
> the chrome store offline so that the clients are not easy to
> compromise.  I don't know exactly how they do things.
>
> For the most part my sense is that Lastpass is doing things the right
> way, but as with any service outside your control there is really no
> way to be certain.  The fact is that when they have had compromises in
> the past they've been limited in scope which suggests that they
> compartmentalize their systems, which is a good way to protect against
> attacks.
>
> As long as the client isn't tampered with somebody can in theory have
> full access to all of Lastpass's servers and not be able to get your
> passwords, short of brute forcing your master password.  I don't know
> how many rounds they use either, and how easy it would be to brute
> force as a result.  But, they'd have to brute force everybody's keys
> independently most likely.  On this front the biggest question I'd
> have is how they authenticate since the client only prompts for a
> single password which is used both to authenticate to their servers
> and encrypt local keys.  Depending on how this is implemented it might
> make it easier to brute-force the password if you had all the
> server-side data.  With proper salting/etc it might not be any easier.
>
> And on a side note as you might guess from my email address on my
> posts, I also use distinct email addresses for every service.  Useful
> for filtering, and also to see who is selling addresses to who.


Later,
JP
--  -------------------------------------------------------------------
JP Vossen, CISSP | http://www.jpsdomain.org/ | http://bashcookbook.com/
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug