From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Coming up with a password that is very strong.
Date: Tue, 05 Feb 2019 11:34:30 +0000
Message-ID: <43043109.5qhOC3HQ5m@dell_xps>
In-Reply-To: <221dcef6-c774-7ee1-1846-41819bb8c060@gmail.com>
On Tuesday, 5 February 2019 07:55:41 GMT Dale wrote:
> Mick wrote:
> > https://en.wikipedia.org/wiki/LastPass#Security_issues
> >
> From what I read, no users had their passwords compromised in those.
I read it differently. LastPass didn't know if any passwds were compromised
(or wouldn't tell you). As a precaution they asked users to change their
master passwd, while they changed their server's salt. In addition, there
were XSS vulnerabilities later on, which is probably to be expected with
JavaScript and similar technologies.
> As
> I pointed out earlier, the passwords are already encrypted when they are
> sent to LastPass. If I called LastPass, could prove I am who I claim to
> be and asked them for a password to a site, they couldn't give it to me
> because it is encrypted when it leaves my machine.
I don't know exactly how the LastPass architecture is configured, other than
it relies on device based encryption activated with JavaScript, but anomalies
they observed in incoming and outgoing traffic on the 2011 incident indicate
someone was interfering with their data streams. Given Diffie-Hellman could
be compromised (e.g. as per Logjam) by precomputing some of the most commonly
used primes in factoring large integers, it may be someone was undertaking
comparative analysis to deduce ciphers and what not. If the server salt was
obtained, then one layer of encryption was compromised.
All this is juxtaposition and my hypothesizing does not mean LastPass is not
useful, or not secure. It just means its design is not as secure as locally
run simpler encryption mechanisms, which do not leave your PC and are not
stored somewhere else.
The greater surface area a security system exposes, the higher likelihood
someone will take a punt at cracking it. A browser, sandboxed or not, has far
too many moving parts and exposed flanks to keep crackers and state actors
busy. I expect with advances in AI this effort will accelerate
logarithmically.
> As I pointed out to Rich, I don't expect these tools to be 100%. There
> is no perfect password tool or a perfect way to manage them either. No
> matter what you do, someone can come along and poke a hole in it. If
> you use a tool, the tool is hackable. If you use the same password that
> is 40 characters long for several dozen sites, then the site can be
> hacked and they have the password for those other sites as well. The
> list could go on for ages but it doesn't really change anything. We do
> the best we can and then hope it is enough. Using tools is in my
> opinion better than not using a tool at all. At the least, they will
> have a hard time breaking into a site directly without my password. It
> beats the alternative which is cutting off the computer and unplugging
> it. :-(
Yes, well said. A disconnected and switched off PC is probably quite secure,
but what use is this to anybody? LOL! The effectiveness of PC security is
challenged on a daily basis and you eventually have to arrive at a personal
trade-off between security and usability.
--
Regards,
Mick