public inbox for gentoo-user@lists.gentoo.org
From: Dale <rdalek1967@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function
Date: Wed, 22 Jul 2015 18:09:09 -0500
Message-ID: <55B02295.90101@gmail.com>
In-Reply-To: <201507222318.30379.michaelkintzios@gmail.com>

Mick wrote:
> On Wednesday 22 Jul 2015 19:43:43 Dale wrote:
>
>> So, don't use something that is within your browser but then go and type
>> that password . . . in your browser?  Yea, that'll work.  Heck, if I
>> really wanted something that secure, I'd unplug the ethernet cable and
>> turn off my modem.  Then I might be secure.
> LOL!  No, I meant that you decrypt your passwd-containing text file, sql file, 
> localc file, or whatever file you use.  Then you use something like cat, or 
> less, or localc to view/search it.  It can all be scripted so that you run a 
> single command alias in a terminal and it asks you for your gpg passphrase 
> before it opens the file for you.
>
> A terminal is unlikely to suffer from XSS, javascript injection, sql 
> injection, et al. but a browser could.  Then you can copy & paste whichever 
> account passwd you needed into a browser, but this will NOT be your master 
> passphrase.  Even if the passwd you paste into a browser ends up being 
> compromised, it will only be one passwd and a single account, rather than your 
> master passphrase and all your accounts.
>


You seem to miss my point.   I still have to type my passwords into a
browser.  If as you say, that is not secure, then what point is there to
having a password or accessing my bank or other sites via the internet? 
I have to put that password in my browser to access my bank, credit card
or other websites.  The point is, that exact same browser has to have
that exact same password typed into it.   I might also add, copy & paste
would then leave my password in my Klipper program that manages copy &
paste unencrypted.  Click on the Klipper icon and there sits my password
in PLAIN text.  How secure is that exactly? 

Lastpass already encrypts the password ON MY MACHINE not on their end. 
Why would I want to disable and stop using Lastpass just to do the same
thing but harder and more time consuming locally and lose the ability to
use Lastpass while I am somewhere else?  I would also lose the ability
to access that info in the case of say a computer meltdown.  I might
add, if I do it your way and lose that USB stick or whatever, I'm still
toast.  Heck, I may be in even worse shape than I would be by losing my
Lastpass password. 


>> Just how many of these sticks do I need?  Are we looking at a dozen or
>> more which will have to be all kept up to date as well?  Come on, be
>> realistic here.  I doubt anyone is going to spend the time to do all that.
> You need more than one, if you want to keep your passwds file stored off your 
> machine.  I keep mine on a PC which is air-gapped and a second copy on a USB 
> stick.  You may need a third copy kept at different premises, if you want to 
> guard against DR.
>

Sorry, I have had USB sticks go bad too much for me to trust them with this
sort of thing, not to mention the ones I have lost.  I'm not going out
and buying a whole bunch of those things and then depending on them to hold
the keys to my financial and every other password.  I also don't have
time to make sure they are all kept up to date and such either.


>> But with Lastpass, I don't have to worry about that.  I can go to my
>> brothers house, put my email and password in Lastpass and carry on with
>> life.  No need for a USB stick at all or having to wonder when was the
>> last time I updated the passwords on it either.
>>
>> I'm trying to be realistic here.  I try to be as secure as I can but
>> within REASON.  As I mentioned above, if I really need and must be that
>> secure, I'd unplug the ethernet cable and turn off my modem.  Then I
>> wouldn't have to worry about it unless someone broke into my home.  Of
>> course, I wouldn't have the benefit of using the internet either.
> Sure, security and convenience are not always best bedfellows.  We are 
> discussing hypothetical risks here and different users' risk tolerances.  
> If you encrypt the file separately with a strong key before you upload it, and 
> this encryption key is different to your authentication key on the Lastpass 
> website, then the risk of your encrypted file being cracked is rather low.  
> When people discovered that their Lastpass account had been compromised, this 
> did not necessarily mean that their encrypted file had been compromised too.  
> However, I don't know exactly what the security architecture of Lastpass is to 
> comment on the specifics.  All I'm saying is that I wouldn't trust storing my 
> passwds on the cloud for the sake of convenience.
>
> YMMV.  :-)
>


Well again, if I am not going to trust my passwords anywhere then I need
to unplug from the internet altogether and tell my bank, credit card
company, social sites and everything else that requires a password to be
disabled altogether.  Then, I would be secure because even I can't
access my info, password or not.  That would make it so that I am not at
risk and secure.  Thing is, that's not a situation that I plan to be in
if I can help it.

I actually went through this with my brother many years ago.  He didn't
trust going online to his bank.  Thing is, for ages, he didn't even have
it set up.  If a person went to the bank's website and knew enough about
him to get past the security questions, they could set it up and control
his account, and he would never know anything about it until his statement came
in.  What I told him to do is this.  Call the bank and disable internet
access to your account, and he did.  They then disabled any and all
internet access to his account.  If he changed his mind, he would have
to go in person to get them to enable that access.  That made him secure.

Interesting read:

https://blog.flameeyes.eu/#gsc.tab=0 

Dale

:-)  :-) 
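As an added illustration of the decrypt-and-view alias Mick describes above (and of the clipboard residue Dale objects to), here is a small POSIX shell wrapper; this is example code written for this page, not anything posted in the thread. It assumes a gpg-encrypted text file at $PW_FILE (default ~/passwds.txt.gpg) with one constructed-format entry per line, account<TAB>username<TAB>password, and that gpg, less and xclip are installed.

```shell
#!/bin/sh
# Added example, not from the thread. gpg itself prompts for the passphrase
# (via pinentry/agent); the plaintext only ever flows through a pipe.

PW_FILE="${PW_FILE:-$HOME/passwds.txt.gpg}"   # assumed location
CLIP_SECS="${CLIP_SECS:-20}"                   # how long a copied password lives

# Print the password field for an exact account match read from stdin.
# Exit status 1 when the account is absent. Pure text, so testable without gpg.
pw_lookup() {
    awk -F'\t' -v acct="$1" '$1 == acct { print $3; found = 1 } END { exit found ? 0 : 1 }'
}

# Decrypt to stdout only; nothing is written to a temporary file.
pw_decrypt() {
    gpg --quiet --decrypt "$PW_FILE"
}

# View or search the whole file in a pager (the single-alias workflow).
# LESSHISTFILE=- stops less from saving your search terms to ~/.lesshst.
pw_view() {
    pw_decrypt | LESSHISTFILE=- less
}

# Copy one account's password to the clipboard and blank the selection after
# CLIP_SECS seconds. Blanking the selection does not purge a clipboard-history
# manager's record (the Klipper concern raised in the thread), so disable
# history capture in such a tool or avoid the clipboard for secrets entirely.
pw_clip() {
    secret=$(pw_decrypt | pw_lookup "$1") || { echo "no entry for $1" >&2; return 1; }
    printf '%s' "$secret" | xclip -selection clipboard
    ( sleep "$CLIP_SECS"; printf '' | xclip -selection clipboard ) &
    echo "password for '$1' on clipboard for ${CLIP_SECS}s" >&2
}

# Constructed sample data (not a real file) so pw_lookup can be exercised offline.
pw_selftest() {
    printf 'bank\tdale\ts3cret\nmail\tdale\tother\n' | pw_lookup "$1"
}
```

Source the file in your shell and alias `pw_view` or `pw_clip` as you see fit; `pw_selftest` only exercises the lookup on the built-in sample.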



Thread overview: 35+ messages
2015-07-20 23:18 [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function walt
2015-07-20 23:59 ` wabenbau
2015-07-21  0:20 ` Dale
2015-07-21  1:17   ` Rich Freeman
2015-07-21  1:40     ` Dale
2015-07-21  7:53       ` Mick
2015-07-21  9:38         ` Neil Bothwick
2015-07-21 10:27           ` wraeth
2015-07-21 10:41             ` Neil Bothwick
2015-07-21 11:09               ` wraeth
2015-07-21 13:59                 ` Neil Bothwick
2015-07-21 19:35                   ` Chris Spackman
2015-07-21 20:31                     ` covici
2015-07-21 23:51                       ` Neil Bothwick
2015-07-22  2:05                         ` covici
2015-07-22  3:00                           ` wraeth
2015-07-22  9:28                             ` Neil Bothwick
2015-07-22  9:26                           ` Neil Bothwick
2015-07-22 20:15                             ` covici
2015-07-23  0:34                               ` wraeth
2015-07-21 17:35         ` Dale
2015-07-21 20:20           ` Mick
2015-07-22  0:32             ` Dale
2015-07-22 17:41               ` Mick
2015-07-22 18:43                 ` Dale
2015-07-22 22:18                   ` Mick
2015-07-22 23:09                     ` Dale [this message]
2015-07-23 23:24                       ` [gentoo-user] Re: [gone O/T] " Mick
2015-07-24  9:38                         ` Dale
2015-07-21 23:52           ` [gentoo-user] " Neil Bothwick
2015-07-22  0:34             ` Dale
2015-07-21 22:51         ` [gentoo-user] " walt
2015-07-21  1:45 ` [gentoo-user] " Jc García
2015-07-21  4:14 ` [gentoo-user] " »Q«
2015-07-22  0:23 ` [gentoo-user] " Volker Armin Hemmann