On Tuesday, 5 February 2019 07:55:41 GMT Dale wrote: > Mick wrote: > > https://en.wikipedia.org/wiki/LastPass#Security_issues > > > From what I read, no users had their passwords compromised in those. I read it differently. LastPass didn't know if any passwds were compromised (or wouldn't tell you). As a precaution they asked users to change their master passwd, while they changed their server's salt. In addition, there were XSS vulnerabilities later on, which is probably to be expected with JavaScript and similar technologies. > As > I pointed out earlier, the passwords are already encrypted when they are > sent to LastPass. If I called LastPass, could prove I am who I claim to > be and asked them for a password to a site, they couldn't give it to me > because it is encrypted when it leaves my machine. I don't know exactly how the LastPass architecture is configured, other than it relies on device based encryption activated with JavaScript, but anomalies they observed in incoming and outgoing traffic on the 2011 incident indicate someone was interfering with their data streams. Given Diffie-Hellman could be compromised (e.g. as per Logjam) by precomputing some of the most commonly used primes in factoring large integers, it may be someone was undertaking comparative analysis to deduce ciphers and what not. If the server salt was obtained, then one layer of encryption was compromised. All this is juxtaposition and my hypothesizing does not mean LastPass is not useful, or not secure. It just means its design is not as secure as locally run simpler encryption mechanisms, which do not leave your PC and are not stored somewhere else. The greater surface area a security system exposes, the higher likelihood someone will take a punt at cracking it. A browser, sandboxed or not, has far too many moving parts and exposed flanks to keep crackers and state actors busy. I expect with advances in AI this effort will accelerate logarithmically. > As I pointed out to Rich, I don't expect these tools to be 100%. There > is no perfect password tool or a perfect way to manage them either. No > matter what you do, someone can come along and poke a hole in it. If > you use a tool, the tool is hackable. If you use the same password that > is 40 characters long for several dozen sites, then the site can be > hacked and they have the password for those other sites as well. The > list could go on for ages but it doesn't really change anything. We do > the best we can and then hope it is enough. Using tools is in my > opinion better than not using a tool at all. At the least, they will > have a hard time breaking into a site directly without my password. It > beats the alternative which is cutting off the computer and unplugging > it. :-( Yes, well said. A disconnected and switched off PC is probably quite secure, but what use is this to anybody. LOL! The effectiveness of PC security is challenged on a daily basis and you eventually have to arrive at a personal trade-off between security and usability. -- Regards, Mick