From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function
Date: Tue, 21 Jul 2015 21:20:24 +0100
In-Reply-To: <55AE82DF.6070603@gmail.com>
Message-Id: <201507212120.34766.michaelkintzios@gmail.com>

On Tuesday 21 Jul 2015 18:35:27 Dale wrote:
> Mick wrote:
> > On Tuesday 21 Jul 2015 02:40:54 Dale wrote:
> >> I use the random generator too. Some older sites, forums or something
> >> that isn't really sensitive, may still have my old passwords but sites
> >> like banking and such each have their own random generated one. I also
> >> try to generate the longest and most complex password the site will
> >> allow. Some sites don't allow the characters above the number keys.
> >>
> >> Another thing, I was at my brother's once and needed to login to a site.
> >> I installed lastpass, typed in my email and master password and I could
> >> go anywhere I wanted just as if I was sitting at my own puter. If it
> >> wasn't for lastpass, I would have had to come home and do what needed
> >> doing.
> >>
> >> So far, this is the best solution I have found and I only use the free
> >> part. ;-)
> >>
> >> Dale
> >>
> >> :-) :-)
> >
> > A better, as in more secure, solution should involve local encryption
> > and IMHO local air-gapped storage. A USB key will do nicely and you can
> > have a second USB key stored in your brother's premises, for disaster
> > recovery scenarios. This is because cloud storage:
> > a) creates a honey pot which attracts attacks[1] and
> > b) most of cloud storage is in the US.
> >
> > [1] https://en.wikipedia.org/wiki/LastPass#Security_issues
>
> From what I recall about Lastpass, it does encrypt the data locally then
> uploads it. I recall reading that if you lose your master password,
> they can't get in it either. All they get is encrypted data. Of all
> the things I read about when looking for a password manager, Lastpass
> was the only thing that came close to what I wanted. After using it a
> while, it is all I need.
>
> https://lastpass.com/how-it-works

Right, your data may be encrypted locally, but if you use a browser to
decrypt it (after it is downloaded to your PC) then there are attack
vectors (e.g. XSS) for the decrypted data to be leaked out of your machine.

> I've had USB sticks break before. They are also easy to lose. I'd
> prefer not to store something that important on a USB stick.
>
> Dale
>
> :-) :-)

I didn't clarify that you should use something like gpg to encrypt your
file(s) on the USB stick, as I do this with all sensitive files not just
passwords. I more or less assumed that it is the done thing. Broken USB
sticks you can drive a drill through, or throw in a fire. Stolen USB
sticks will at least be encrypted.

If you are really paranoid you could also use dm-crypt to additionally
encrypt the whole USB partition.

-- 
Regards,
Mick
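The setup Mick describes, a gpg-encrypted password file on an offline USB stick with dm-crypt as an optional second layer, as an added shell example that is not part of the thread and not anyone's code from the list. It assumes GnuPG 2.x (for --pinentry-mode loopback) and cryptsetup; the file names, the password line and the passphrase are constructed for the demo, and the LUKS commands are shown in comments only because they need root and a real device (/dev/sdX1 is a placeholder). The round trip also checks that the ciphertext does not leak the plaintext and that a wrong passphrase is rejected.

```shell
#!/bin/sh
# Added example, not from the thread: symmetric (passphrase-only) gpg copy
# of a password file for an offline USB stick, with round-trip and
# wrong-passphrase checks. Names, contents and passphrase are constructed;
# in real use drop --passphrase-fd and let gpg prompt, and copy only the
# .gpg file (never the plaintext) onto the stick.

# Encrypt plaintext $1 to $2 with AES-256; passphrase is read from stdin.
encrypt_file() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --symmetric --cipher-algo AES256 --output "$2" "$1"
}

# Decrypt $1 to $2; passphrase is read from stdin.
decrypt_file() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --output "$2" --decrypt "$1"
}

# Round trip in a temporary directory with a throwaway GNUPGHOME so the
# demo never touches ~/.gnupg. Returns 0 only when every check passes.
roundtrip_check() {
    work="$(mktemp -d)" || return 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # Older 2.1.x agents need this to accept --pinentry-mode loopback.
    echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"

    pass='demo-passphrase-change-me'                         # constructed
    printf 'bank.example  user=dale  pw=Tr0ub4dor&3\n' \
        > "$work/passwords.txt"                              # constructed
    status=1

    if ! printf '%s' "$pass" | encrypt_file "$work/passwords.txt" "$work/passwords.txt.gpg"; then
        echo "FAIL: encryption" >&2
    elif grep -aq 'Tr0ub4dor' "$work/passwords.txt.gpg"; then
        echo "FAIL: plaintext visible in ciphertext" >&2
    elif printf '%s' 'wrong-passphrase' | decrypt_file "$work/passwords.txt.gpg" "$work/bad.txt" 2>/dev/null; then
        echo "FAIL: wrong passphrase accepted" >&2
    elif ! printf '%s' "$pass" | decrypt_file "$work/passwords.txt.gpg" "$work/restored.txt"; then
        echo "FAIL: decryption" >&2
    elif ! cmp -s "$work/passwords.txt" "$work/restored.txt"; then
        echo "FAIL: restored file differs from original" >&2
    else
        echo "ok: ciphertext $(wc -c < "$work/passwords.txt.gpg") bytes, plaintext restored"
        status=0
    fi

    # Stop the throwaway agent so the temp dir (and its socket) go away cleanly.
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return $status
}

# Second layer Mick mentions: dm-crypt/LUKS on the whole stick partition.
# Not run here (needs root and a real device; /dev/sdX1 is a placeholder):
#   cryptsetup luksFormat /dev/sdX1
#   cryptsetup open /dev/sdX1 usbvault
#   mkfs.ext4 /dev/mapper/usbvault && mount /dev/mapper/usbvault /mnt/usb
#   cp passwords.txt.gpg /mnt/usb/ && umount /mnt/usb
#   cryptsetup close usbvault

if command -v gpg >/dev/null 2>&1; then
    roundtrip_check
else
    echo "gpg not installed; nothing to demonstrate" >&2
fi
```

The two layers protect against different things: the gpg file survives being copied to an unencrypted machine or backup stick (only the passphrase unlocks it), while LUKS underneath hides file names and sizes on the stick itself and makes a lost stick uniformly unreadable. Keep the passphrase off disk (the demo feeds it on stdin purely so the check can run unattended) and verify a fresh stick with a decrypt before relying on it as the disaster-recovery copy.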