public inbox for gentoo-user@lists.gentoo.org
From: Dale <rdalek1967@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function
Date: Tue, 21 Jul 2015 19:32:10 -0500
Message-ID: <55AEE48A.8040301@gmail.com>
In-Reply-To: <201507212120.34766.michaelkintzios@gmail.com>

Mick wrote:
> On Tuesday 21 Jul 2015 18:35:27 Dale wrote:
>> Mick wrote:
>>> On Tuesday 21 Jul 2015 02:40:54 Dale wrote:
>>>> I use the random generator too.  Some older sites, forums or something
>>>> that isn't really sensitive, may still have my old passwords but sites
>>>> like banking and such each have their own random generated one.  I also
>>>> try to generate the longest and most complex password the site will
>>>> allow.  Some sites don't allow the characters above the number keys.
>>>>
>>>> Another thing, I was at my brother's once and needed to log in to a site.
>>>> I installed lastpass, typed in my email and master password and I could
>>>> go anywhere I wanted just as if I was sitting at my own puter.   If it
>>>> wasn't for lastpass, I would have had to come home and do what needed
>>>> doing.
>>>>
>>>> So far, this is the best solution I have found and I only use the free
>>>> part.  ;-)
>>>>
>>>> Dale
>>>>
>>>> :-)  :-)
>>> A better, as in more secure, solution should involve local encryption and
>>> IMHO local air-gapped storage.  A USB key will do nicely and you can have a
>>> second USB key stored in your brother's premises, for disaster recovery
>>> scenarios.
>>>
>>> This is because cloud storage:
>>>  a) creates a honey pot which attracts attacks[1] and
>>>  b) most of cloud storage is in the US.
>>>
>>> [1] https://en.wikipedia.org/wiki/LastPass#Security_issues
>> From what I recall about Lastpass, it does encrypt the data locally then
>> uploads it.  I recall reading that if you lose your master password,
>> they can't get in it either.  All they get is encrypted data.  Of all
>> the things I read about when looking for a password manager, Lastpass
>> was the only thing that came close to what I wanted.  After using it a
>> while, it is all I need.
>>
>> https://lastpass.com/how-it-works
> Right, your data may be encrypted locally, but if you use a browser to decrypt 
> it (after it is downloaded to your PC) then there are attack vectors (e.g. 
> XSS) for the decrypted data to be leaked out of your machine.
>

Well, couldn't the same be said if it is encrypted on a USB stick? 
Anytime you encrypt something, you have to decrypt it to use it and that
has to be done somewhere. 


>> I've had USB sticks break before.  They are also easy to lose.  I'd
>> prefer not to store something that important on a USB stick.
>>
>> Dale
>>
>> :-)  :-)
> I didn't clarify that you should use something like gpg to encrypt your 
> file(s) on the USB stick, as I do this with all sensitive files not just 
> passwords.  I more or less assumed that it is the done thing.  Broken USB 
> sticks you can drive a drill through, or throw in a fire.  Stolen USB sticks 
> will at least be encrypted.
>
> If you are really paranoid you could also use dm-crypt to additionally encrypt 
> the whole USB partition.
>

My point is, if you put the info on a USB stick and lose it, you have
now lost all your passwords.  If it fails, same problem.  The way
Lastpass works, even if your computer dies from say a house fire, once
you log in to Lastpass with your new puter, you are back in business.

Dale

:-)  :-) 

