From: Dale <rdalek1967@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Coming up with a password that is very strong.
Date: Tue, 5 Feb 2019 10:00:05 -0600 [thread overview]
Message-ID: <39bc981b-36fd-592d-b11c-fd1af8ae0e6e@gmail.com> (raw)
In-Reply-To: <CAGfcS_=3XgjJHHO+gScpwvH6gad3SV+r0oYi8c7S-StnvA6B3A@mail.gmail.com>

Rich Freeman wrote:
> On Tue, Feb 5, 2019 at 2:34 AM Dale <rdalek1967@gmail.com> wrote:
>> Rich Freeman wrote:
>>> On Mon, Feb 4, 2019 at 5:12 PM Dale <rdalek1967@gmail.com> wrote:
>>>> Neil Bothwick wrote:
>>>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>>>>
>>>>>>> One reason I use LastPass, it is mobile. I can go to someone else's
>>>>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
>>>>>>> logoff and it is like I was never there.
>>>>>> As much as I like Lastpass I would never do that. It isn't magic - it
>>>>>> is javascript. If there is a compromise on your computer, then your
>>>>>> password database will be compromised. This is true of other
>>>>>> solutions like KeePassX and so on - if something roots your box then
>>>>>> it will be compromised.
>>>> I might point out, LastPass encrypts the password before sticking it in
>>>> a file. It isn't visible or plain text. Even getting the file would
>>>> still require some tools and cracking to get the password itself.
>>> That assumes you're attacking the password file directly.
>>>
>>> If you're using lastpass on a compromised system then there are many
>>> ways that can be used to bypass the encryption. They could sniff
>>> your master password when you key it in, or read it directly from the
>>> browser's memory. These things are protected from sandboxed code in
>>> your browser, but not from processes running outside the browser
>>> (unless again you're using a non-conventional privilege system like
>>> selinux/android/etc).
>> One could argue the same thing with any password tool out there tho,
>> right?
> Of course. This is by no means specific to Lastpass. I wasn't
> reacting to your use of Lastpass (I use it myself). I was reacting to
> your statement that you can go to someone else's computer and use
> lastpass on that computer and then log off and it is as if you were
> never there.
What I meant was, they couldn't use it without knowing my password.
Sure, I may leave something, like LastPass installed but disabled, on
their computer but no one can use it without it being logged in. Once I
logout and close the browser, that pretty much ends the session. Most
sites I visit are not set to remember me anyway and some don't allow
it. I also logout before leaving a site especially when I'm on a
computer other than mine. So, once I logout, they can't login as me
without my password. We sort of went in different directions.

If I really wanted to, I could use some bootable media like Knoppix. I
think it comes with Firefox already installed. I could boot that,
install LastPass, do my thing, reboot into the OS and not have to worry
about anything they have installed at all. I do keep copies of those
around and try to update every once in a while. I certainly keep
sysrescue up to date. I don't think it has a browser tho. It may but
I'm not sure.
>> Given I only install things from
>> trusted sources, the odds of that happening are likely very small.
> Not if you go typing your Lastpass master password into computers
> owned by people who aren't as careful as you are...
>
> If you do want the benefits of a password manager on an untrusted
> computer then you might want to look into the hardware/USB-based
> solutions, or alternatives like U2F and so on.
>
> Now, you're still vulnerable to MITM attacks and so on against the
> sites you're actually logging into, but your credentials for other
> sites would not be at risk since they stay on the hardware device,
> which is going to be hardened against USB attacks (well, at least you
> hope it would be). If you're using conventional passwords then of
> course something could still sniff that password since it has to pass
> through the untrusted computer. If you're using OTPs or U2F/etc then
> you may still be vulnerable to some cookie-based attacks and MITM and
> so on, but if you log off at the end of your session that at least
> limits their duration.
>
> Personally I would like to switch to a hardware-based solution, but
> they have their own set of downsides:
>
> 1. Less convenience - you have to physically have the device on you
> (I don't carry my keys around in the house/etc), and plug it in when
> you want to use it.
> 2. Recovery options aren't always great. Often these devices don't
> really have their own recovery solution, and you're stuck following
> the recovery options on each individual site. Many of these are
> pretty lousy.
> 3. Often no support for multiple hardware devices (and keeping them
> in sync). Again you're stuck with what individual sites allow, and
> many sites don't let you have multiple hardware tokens registered.
> 4. Lack of convenience features like auto-changing passwords. Some
> software-based solutions have this. Though, to be honest, I rarely
> trust these because if something goes wrong I could lose account
> access and this can be difficult or impossible to recover from in many
> situations.
>
> A big advantage (and disadvantage) of the software-based solutions is
> that they're just data files and you can back them up trivially.
>
> Really though a lot of this boils down to the fact that PKI is a hard
> problem without a trusted and convenient mediator, and this largely
> doesn't exist in the world of free online services.
>
This is what was mentioned in another post. No matter what we use, it
is a trade off. While it may be rare that I need it, I like the idea of
my passwords being stored somewhere that can be available if I'm
somewhere else or my computer blows a gasket. No matter what is used,
there is some risk involved unless we don't use a computer at all.
Heck, even having a computer that is unplugged from the internet can
still have security issues. At one point, that used to be an option but
then you have to bring media in for updates or other data to be added.
If it is compromised, well, there you go.

I saw a link on a link posted here that lists password tools on the wiki
thing. LastPass and one other that is dead now were the only two that
seemed to fit what I like having. Given that the other is no longer an
option, LastPass is the only one that works like I want it to. Now
later on something better may come along but for the moment, LastPass is
the set of trade-offs that has to be dealt with. Some of that is
because I just don't have time to try to figure out how to store things
encrypted on USB sticks and such as well. I still haven't had time to
play with the kodi thing for my videos either.

Of course, right now, I'm just trying to generate a good master
password. I'd like to test the thing a bit but most tools just aren't
up to the task. Since the NSA saves all our emails, maybe they will
offer some help. Howdy you nosy things. lol You enjoying our password
talks?
Dale
:-) :-)
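On the master-password point raised at the end of the message: the strength of a generated master password is the entropy of the process that produced it, not something a checker can measure by looking at the result, which is why "testing" tools tend to disappoint. The following added example (not code from the thread or from any password manager) generates a passphrase and a character password from the OS CSPRNG, computes the entropy of each construction, and converts that to an expected brute-force time for an assumed guess rate. The word list is a constructed sample; a real Diceware-style list has 7776 words, and the entropy figures below assume that size.

```python
import math
import secrets
import string

# Constructed sample word list so the example runs offline. A real
# Diceware-style list has 7776 entries; use one of those in practice.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garnet",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pebble", "quiver", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]
DICEWARE_LIST_SIZE = 7776  # 6**5 words, one per five dice rolls

# Printable ASCII without space: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a secret made of `length` independent, uniformly
    random picks from `alphabet_size` symbols (words or characters).
    This is the only honest strength figure: it describes the generator,
    not the particular string it happened to emit."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one pick")
    return length * math.log2(alphabet_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words, n_words: int, sep: str = "-") -> str:
    """Pick n_words uniformly at random, with replacement, using the OS
    CSPRNG (secrets, never random). Duplicates in the list would make the
    entropy estimate optimistic, so refuse them."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Uniform random character password from the given alphabet."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet contains duplicates")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time for an attacker who knows the generation scheme to
    find the secret: on average half the space is searched first."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    target = 80.0
    n = words_needed(DICEWARE_LIST_SIZE, target)
    print(f"{n} Diceware words give {entropy_bits(DICEWARE_LIST_SIZE, n):.1f} bits")
    print("sample passphrase (short constructed list):",
          generate_passphrase(SAMPLE_WORDS, n))
    print("16-char password:", generate_password(16),
          f"({entropy_bits(len(ALPHABET), 16):.1f} bits)")
    # Assumed offline guess rate of 1e12/s against a fast hash; a slow KDF
    # such as the one a password manager uses lowers this by orders of magnitude.
    print(f"expected years at 1e12 guesses/s: "
          f"{expected_crack_years(target, 1e12):.1f}")
```

The guess rate passed to `expected_crack_years` is an assumption about the attacker's hardware and the target's hashing; the point of the function is to show how each added word or character doubles the cost several times over, not to predict a precise date.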