Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Mick <michaelkintzios@gmail.com>]

[-- Attachment #1: Type: Text/Plain, Size: 3027 bytes --]

On Wednesday 22 Jul 2015 19:43:43 Dale wrote:

> So, don't use something that is within your browser but then go and type
> that password . . . in your browser?  Yea, that'll work.  Heck, if I
> really wanted something that secure, I'd unplug the ethernet cable and
> turn off my modem.  Then I might be secure.

LOL!  No, I meant that you decrypt your passwd containing text file, sql file, 
localc file, or whatever file you use.  Then you use something like cat, or 
less, or localc to view/search it.  It can all be scripted so that you run a 
single command alias in a terminal and it asks you for your gpg passphrase, 
before it opens the file for you.

A terminal is unlikely to suffer from XSS, javascript injection, sql 
injection, et al. but a browser could.  Then you can copy & paste whichever 
account passwd you needed into a browser, but this will NOT be your master 
passphrase.  Even if the passwd you paste into a browser ends up being 
compromised, it will only be one passwd and a single account, rather than your 
master passphrase and all your accounts.


> Just how many of these sticks do I need?  Are we looking at a dozen or
> more which will have to be all kept up to date as well?  Come on, be
> realistic here.  I doubt anyone is going to spend the time to do all that.

You need more than one, if you want to keep your passwds file stored off your 
machine.  I keep mine on a PC which is air-gapped and a second copy on a USB 
stick.  You may need a third copy kept at different premises, if you want to 
guard against DR.


> But with Lastpass, I don't have to worry about that.  I can go to my
> brothers house, put my email and password in Lastpass and carry on with
> life.  No need for a USB stick at all or having to wonder when was the
> last time I updated the passwords on it either.
> 
> I'm trying to be realistic here.  I try to be as secure as I can but
> within REASON.  As I mentioned above, if I really need and must be that
> secure, I'd unplug the ethernet cable and turn off my modem.  Then I
> wouldn't have to worry about it unless someone broke into my home.  Of
> course, I wouldn't have the benefit of using the internet either.

Sure, security and convenience are not always best bedfellows.  We are 
discussing about hypothetical risks here and different users' risk tolerances.  
If you encrypt the file separately with a strong key before you upload it, and 
this encryption key is different to your authentication key on the Lastpass 
website, then the risk of your encrypted file being cracked is rather low.  
When people discovered that their Lastpass account had been compromised, this 
did not necessarily mean that their encrypted file had been compromised too.  
However, I don't know exactly what the security architecture of Lastpass is to 
comment on the specifics.  All I'm saying is that I wouldn't trust storing my 
passwds on the cloud for the sake of convenience.

YMMV.  :-)

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 473 bytes --]