From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 411D313904E
	for ; Wed, 22 Jul 2015 00:32:30 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id C48A7E08D2;
	Wed, 22 Jul 2015 00:32:14 +0000 (UTC)
Received: from mail-yk0-f178.google.com (mail-yk0-f178.google.com [209.85.160.178])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 842BEE08CA
	for ; Wed, 22 Jul 2015 00:32:13 +0000 (UTC)
Received: by ykax123 with SMTP id x123so180573434yka.1
	for ; Tue, 21 Jul 2015 17:32:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=message-id:date:from:user-agent:mime-version:to:subject:references
	:in-reply-to:content-type:content-transfer-encoding;
	bh=4bujnQ6p7RTpGKWttwoFZfN0FLIQKmjobADrzIbAraQ=;
	b=FW/5kpc6uAi6goKsL1bcztz4sTgKQWNAhBvErZb+bXVQAlZW1G9G0+XEAypncNqr/K
	yIx86qyQ+hKtWDoIG5ypBsBVOH1NcpBhtAbguw1Ds6wiFjtMU+Qg51BFkM5JqIO57fbq
	uP8C9j9rRFZ0tXunrvcl8c4esVdBOZswjALFPIbGYFfAAzaKCrPkTU1M81AB8iw+HFVy
	rHZ7hNCHz59H7VMji+5Hw+XmHsXHZh9yBRS0x7h2qfaFK7dHn6ZD5SIsYoZ6H1nLpwKW
	zz2Wcr0aN7+ry1Vcpx/4M2WkIrZct/2bYY/NdVWus/1PwIVn+K1lhwesvgD1hnWcJj7h
	W9qw==
X-Received: by 10.129.77.213 with SMTP id a204mr37451276ywb.40.1437525132755;
	Tue, 21 Jul 2015 17:32:12 -0700 (PDT)
Received: from [192.168.2.5] (adsl-65-0-116-207.jan.bellsouth.net. [65.0.116.207])
	by smtp.gmail.com with ESMTPSA id j127sm24883708ywd.51.2015.07.21.17.32.11
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 21 Jul 2015 17:32:11 -0700 (PDT)
Message-ID: <55AEE48A.8040301@gmail.com>
Date: Tue, 21 Jul 2015 19:32:10 -0500
From: Dale
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function
References: <20150720161844.1db1d485@a6> <201507210853.59492.michaelkintzios@gmail.com> <55AE82DF.6070603@gmail.com> <201507212120.34766.michaelkintzios@gmail.com>
In-Reply-To: <201507212120.34766.michaelkintzios@gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Archives-Salt: ec5b494c-66e7-460f-a1b6-60c5b896b893
X-Archives-Hash: e923d00fc47e6b0ef9bfaa7c0021c0d0

Mick wrote:
> On Tuesday 21 Jul 2015 18:35:27 Dale wrote:
>> Mick wrote:
>>> On Tuesday 21 Jul 2015 02:40:54 Dale wrote:
>>>> I use the random generator too. Some older sites, forums or something
>>>> that isn't really sensitive, may still have my old passwords but sites
>>>> like banking and such each have their own randomly generated one. I also
>>>> try to generate the longest and most complex password the site will
>>>> allow. Some sites don't allow the characters above the number keys.
>>>>
>>>> Another thing, I was at my brother's once and needed to login to a site.
>>>> I installed lastpass, typed in my email and master password and I could
>>>> go anywhere I wanted just as if I was sitting at my own puter. If it
>>>> wasn't for lastpass, I would have had to come home and do what needed
>>>> doing.
>>>>
>>>> So far, this is the best solution I have found and I only use the free
>>>> part. ;-)
>>>>
>>>> Dale
>>>>
>>>> :-) :-)
>>> A better, as in more secure, solution should involve local encryption and IMHO
>>> local air-gapped storage. A USB key will do nicely and you can have a second
>>> USB key stored in your brother's premises, for disaster recovery scenarios.
>>> This is because cloud storage:
>>> a) creates a honey pot which attracts attacks[1] and
>>> b) most of cloud storage is in the US.
>>>
>>> [1] https://en.wikipedia.org/wiki/LastPass#Security_issues
>> From what I recall about Lastpass, it does encrypt the data locally then
>> uploads it. I recall reading that if you lose your master password,
>> they can't get in it either. All they get is encrypted data. Of all
>> the things I read about when looking for a password manager, Lastpass
>> was the only thing that came close to what I wanted. After using it a
>> while, it is all I need.
>>
>> https://lastpass.com/how-it-works
> Right, your data may be encrypted locally, but if you use a browser to decrypt
> it (after it is downloaded to your PC) then there are attack vectors (e.g.
> XSS) for the decrypted data to be leaked out of your machine.
>

Well, couldn't the same be said if it is encrypted on a USB stick? Anytime you
encrypt something, you have to decrypt it to use it and that has to be done
somewhere.

>> I've had USB sticks break before. They are also easy to lose. I'd
>> prefer not to store something that important on a USB stick.
>>
>> Dale
>>
>> :-) :-)
> I didn't clarify that you should use something like gpg to encrypt your
> file(s) on the USB stick, as I do this with all sensitive files not just
> passwords. I more or less assumed that it is the done thing. Broken USB
> sticks you can drive a drill through, or throw in a fire. Stolen USB sticks
> will at least be encrypted.
>
> If you are really paranoid you could also use dm-crypt to additionally encrypt
> the whole USB partition.
>

My point is, if you put the info on a USB stick and lose it, you have now lost
all your passwords. If it fails, same problem. The way Lastpass works, even if
your computer dies from say a house fire, once you login to Lastpass with your
new puter, you are back in business.

Dale

:-) :-)