Subject: Re: [gentoo-user] Re: Coming up with a password that is very strong.
To: gentoo-user@lists.gentoo.org
References: <8d027455-f210-c399-f5a7-bfb05692cc5f@gmail.com> <20190204210643.59a8636a@digimed.co.uk> <97abe0dc-3fa8-fe52-6b8d-abc0b5c29f96@gmail.com> <3852215.FY7U17W6id@dell_xps>
From: Dale <rdalek1967@gmail.com>
Message-ID: <221dcef6-c774-7ee1-1846-41819bb8c060@gmail.com>
Date: Tue, 5 Feb 2019 01:55:41 -0600
In-Reply-To: <3852215.FY7U17W6id@dell_xps>
List-Id: Gentoo Linux mail

Mick wrote:
> On Monday, 4 February 2019 22:12:16 GMT Dale wrote:
>> Neil Bothwick wrote:
>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>>>> One reason I use LastPass, it is mobile. I can go to someone else's
>>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
>>>>> logoff and it is like I was never there.
>>>> As much as I like Lastpass I would never do that. It isn't magic - it
>>>> is javascript. If there is a compromise on your computer, then your
>>>> password database will be compromised. This is true of other
>>>> solutions like KeePassX and so on - if something roots your box then
>>>> it will be compromised.
>>> I don't see what root has to do with it. If someone gains access to your
>>> box, they can copy the database file and then take their time trying to
>>> crack the password, but you don't need to be root to do that.
>> I might point out, LastPass encrypts the password before sticking it in
>> a file. It isn't visible or plain text. Even getting the file would
>> still require some tools and cracking to get the password itself.
>> Cracking the master password would likely be much easier and doesn't
>> even require access to the box itself, Linux or windoze. Also, LastPass
>> only stores the encrypted password on its servers. Even if LastPass is
>> hacked, the passwords are still encrypted. It's one reason LastPass
>> shouldn't have to worry about getting court orders to turn over
>> passwords. It doesn't really have them. I would suspect that cracking
>> an encrypted password is as difficult as just poking at a password
>> until it is guessed.
>>
>> Even if a person is using a perfect tool, cracking a password is always
>> going to be possible. The tougher the password, the harder it will be
>> and the longer it will take. Still, it can be done. Using these tools
>> just makes it harder. I'm not aware of a perfect password tool. I
>> doubt one exists or ever will either. ;-) It's still good to pick one,
>> use it and try to be as secure as one can.
>>
>> Dale
>>
>> :-) :-)
> A solution like LastPass et al., using a browser's javascript to access it,
> under a single master passwd, theoretically would have so many side-channel
> attacks no one would be wasting time to brute force anything.
>
> https://en.wikipedia.org/wiki/LastPass#Security_issues
>
> You could use gpg/openssl to encrypt a number of files, which would contain
> your different website/application passwds. For paranoid use cases you can
> use asymmetric keys and store your private key out-of-band. Sure, it won't be
> as convenient as LastPass, but I expect it would be more secure and unlikely
> to be compromised by XSS vulnerabilities.
>

From what I read, no users had their passwords compromised in those.  As I
pointed out earlier, the passwords are already encrypted when they are sent
to LastPass.  If I called LastPass, could prove I am who I claim to be and
asked them for a password to a site, they couldn't give it to me because it
is encrypted when it leaves my machine.  The only breach I recall is when
they said that users' email addresses were taken.  There was once when they
asked everyone to change their master password as a precaution several
years ago.  They had no info that showed anything was hacked but they
wanted users to change them anyway.  Since I get emails as a user, I've
never received an email that said their service was hacked and that
passwords were known to be taken decrypted.  I do get emails when something
needs to be changed or I changed something.  As I pointed out to Rich, I
don't expect these tools to be 100%.  There is no perfect password tool or
a perfect way to manage them either.  No matter what you do, someone can
come along and poke a hole in it.  If you use a tool, the tool is hackable.
If you use the same password that is 40 characters long for several dozen
sites, then the site can be hacked and they have the password for those
other sites as well.  The list could go on for ages but it doesn't really
change anything.  We do the best we can and then hope it is enough.  Using
tools is in my opinion better than not using a tool at all.  At the least,
they will have a hard time breaking into a site directly without my
password.  It beats the alternative which is cutting off the computer and
unplugging it.  :-(

Still can't get cracklib to work right.  < scratches head >

Dale

:-)  :-)
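Added example, not part of the thread and not code from LastPass or any other password manager. It models the scenario Neil and Dale are arguing about: the provider (or a thief who copied the database file) holds only a salt, a work factor and a verifier for a key derived from the master password, so the only attack left is to guess master passwords offline. The vault layout, the iteration count, the wordlist and the master password are all constructed for illustration; the derivation uses PBKDF2-HMAC-SHA256 from Python's standard library. Running it shows why Dale's "poking at a password until it is guessed" is the right mental model, and why the per-guess cost set by the work factor and the size of the master-password keyspace are what actually decide whether a stolen vault is worth attacking.

```python
"""Model of an offline attack on a client-side-encrypted password vault.

Added example, not code from the thread or from any password manager. The
vault layout (salt + iteration count + a verifier hash of the derived key),
the iteration count and the wordlist are assumptions made for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import math
import os
import time

# Assumed work factor. A real manager picks its own; larger means every guess
# costs the attacker more, which is what makes "poking at a password" slow.
ITERATIONS = 50_000


def derive_key(master: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)


def make_vault(master: str, salt: bytes | None = None, iterations: int = ITERATIONS) -> dict:
    """What the provider ends up holding: salt, work factor and a verifier.

    The site passwords themselves would be encrypted under the derived key on
    the client, so the server never sees them in the clear (Dale's point).
    """
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(master, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": hashlib.sha256(key).digest()}


def check_master(vault: dict, candidate: str) -> bool:
    """True if `candidate` derives the same key the vault was built with."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), vault["verifier"])


def offline_attack(vault: dict, candidates: list[str]) -> tuple[str | None, int]:
    """Neil's scenario: with a copy of the vault, guess until the verifier matches.

    Returns (recovered password or None, number of guesses spent).
    """
    for n, cand in enumerate(candidates, start=1):
        if check_master(vault, cand):
            return cand, n
    return None, len(candidates)


def measure_guess_rate(vault: dict, sample: int = 20) -> float:
    """Guesses per second this machine manages against this vault's work factor."""
    start = time.perf_counter()
    for i in range(sample):
        check_master(vault, f"wrong-guess-{i}")
    return sample / (time.perf_counter() - start)


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols drawn from `charset_size`."""
    return charset_size ** length


def entropy_bits(space: int) -> float:
    """Password strength of a uniformly chosen member of a keyspace, in bits."""
    return math.log2(space)


def expected_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit the right password: on average, half the keyspace."""
    return space / 2 / guesses_per_second


if __name__ == "__main__":
    # Constructed wordlist and master password for the demo.
    wordlist = ["password", "letmein", "gentoo", "hunter2", "Tr0ub4dor&3"]
    vault = make_vault("hunter2")
    found, guesses = offline_attack(vault, wordlist)
    print(f"weak master recovered: {found!r} after {guesses} guesses")

    # The work factor is what stands between the attacker and a short master
    # password: compare one iteration with ITERATIONS on the same machine.
    fast = measure_guess_rate(make_vault("x", iterations=1))
    slow = measure_guess_rate(vault)
    print(f"{fast:,.0f} guesses/s at 1 iteration vs {slow:,.0f} at {ITERATIONS:,}")

    for label, space in [
        ("8 lowercase letters", keyspace(26, 8)),
        ("12 mixed-case + digits", keyspace(62, 12)),
        ("5 Diceware words", keyspace(7776, 5)),
    ]:
        days = expected_crack_seconds(space, slow) / 86400
        print(f"{label:24s} {entropy_bits(space):5.1f} bits  ~{days:,.0f} days on this box")
```

The single-machine rate this prints is a floor, not an estimate of a real attacker, who would run the same loop on GPUs or rented hardware; the point of the comparison is the ratio, which is why a long master password matters more than any property of the vault file itself.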