Message-ID: <55B02295.90101@gmail.com>
Date: Wed, 22 Jul 2015 18:09:09 -0500
From: Dale
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function
References: <20150720161844.1db1d485@a6> <201507221841.27230.michaelkintzios@gmail.com> <55AFE45F.4040108@gmail.com> <201507222318.30379.michaelkintzios@gmail.com>
In-Reply-To: <201507222318.30379.michaelkintzios@gmail.com>

Mick wrote:
> On Wednesday 22 Jul 2015 19:43:43 Dale wrote:
>
>> So, don't use something that is within your browser but then go and type
>> that password . . . in your browser? Yea, that'll work. Heck, if I
>> really wanted something that secure, I'd unplug the ethernet cable and
>> turn off my modem. Then I might be secure.
> LOL! No, I meant that you decrypt your passwd containing text file, sql file,
> localc file, or whatever file you use. Then you use something like cat, or
> less, or localc to view/search it. It can all be scripted so that you run a
> single command alias in a terminal and it asks you for your gpg passphrase,
> before it opens the file for you.
>
> A terminal is unlikely to suffer from XSS, javascript injection, sql
> injection, et al. but a browser could. Then you can copy & paste whichever
> account passwd you needed into a browser, but this will NOT be your master
> passphrase. Even if the passwd you paste into a browser ends up being
> compromised, it will only be one passwd and a single account, rather than your
> master passphrase and all your accounts.
>

You seem to miss my point. I still have to type my passwords into a browser. If, as you say, that is not secure, then what point is there to having a password or accessing my bank or other sites via the internet? I have to put that password in my browser to access my bank, credit card or other websites. The point is, that exact same browser has to have that exact same password typed into it. I might also add, copy & paste would then leave my password in my Klipper program that manages copy & paste unencrypted. Click on the Klipper icon and there sits my password in PLAIN text. How secure is that exactly?

Lastpass already encrypts the password ON MY MACHINE, not on their end. Why would I want to disable and stop using Lastpass just to do the same thing but harder and more time consuming locally, and lose the ability to use Lastpass while I am somewhere else? I would also lose the ability to access that info in the case of, say, a computer meltdown. I might add, if I do it your way and lose that USB stick or whatever, I'm still toast. Heck, I may be in even worse shape than I would be by losing my Lastpass password.

>> Just how many of these sticks do I need? Are we looking at a dozen or
>> more which will have to be all kept up to date as well? Come on, be
>> realistic here. I doubt anyone is going to spend the time to do all that.
> You need more than one, if you want to keep your passwds file stored off your
> machine. I keep mine on a PC which is air-gapped and a second copy on a USB
> stick. You may need a third copy kept at different premises, if you want to
> guard against DR.
>

Sorry, I have had USB sticks go bad too much for me to trust them with this sort of thing, not to mention the ones I have lost. I'm not going out and buying a whole bunch of those things and then depending on them to hold the keys to my financial and every other password. I also don't have time to make sure they are all kept up to date and such either.

>> But with Lastpass, I don't have to worry about that. I can go to my
>> brother's house, put my email and password in Lastpass and carry on with
>> life. No need for a USB stick at all or having to wonder when was the
>> last time I updated the passwords on it either.
>>
>> I'm trying to be realistic here. I try to be as secure as I can but
>> within REASON. As I mentioned above, if I really need and must be that
>> secure, I'd unplug the ethernet cable and turn off my modem. Then I
>> wouldn't have to worry about it unless someone broke into my home. Of
>> course, I wouldn't have the benefit of using the internet either.
> Sure, security and convenience are not always best bedfellows. We are
> discussing hypothetical risks here and different users' risk tolerances.
> If you encrypt the file separately with a strong key before you upload it, and
> this encryption key is different to your authentication key on the Lastpass
> website, then the risk of your encrypted file being cracked is rather low.
> When people discovered that their Lastpass account had been compromised, this
> did not necessarily mean that their encrypted file had been compromised too.
> However, I don't know exactly what the security architecture of Lastpass is to
> comment on the specifics. All I'm saying is that I wouldn't trust storing my
> passwds on the cloud for the sake of convenience.
>
> YMMV. :-)
>

Well again, if I am not going to trust my passwords anywhere, then I need to unplug from the internet altogether and tell my bank, credit card company, social sites and everything else that requires a password to disable it altogether. Then, I would be secure because even I can't access my info, password or not. That would make it so that I am not at risk and am secure. Thing is, that's not a situation that I plan to be in if I can help it.

I actually went through this with my brother many years ago. He didn't trust going online to his bank. Thing is, for ages, he didn't even have it set up. If a person went to the bank's website and knew enough about him to get past the security questions, they could set it up and control his account, and he would never know anything about it until his statement came in. What I told him to do is this. Call the bank and disable internet access to your account, and he did. They then disabled any and all internet access to his account. If he changed his mind, he would have to go in person to get them to enable that access. That made him secure.

Interesting read: https://blog.flameeyes.eu/#gsc.tab=0

Dale

:-) :-)
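Mick's scripted workflow above (decrypt the gpg file, search it, paste one account's password) and Dale's objection that Klipper then keeps that password in plain text can be combined into one script. This is an added example, not code from either poster; it assumes a tab-separated account/username/password file at $PW_FILE, the gpg and xclip tools, and, if Klipper is running, its qdbus interface.

```shell
#!/bin/sh
# Added example (not from the thread): look up ONE account's password in a
# gpg-encrypted file and copy it, without the plaintext touching disk or
# staying in the clipboard manager's history.
#
# Assumed record format (constructed for this example), one per line:
#   account<TAB>username<TAB>password
# Assumed tools: gpg, xclip (X11); qdbus only if Klipper is running.

PW_FILE="${PW_FILE:-$HOME/.passwords.tsv.gpg}"   # assumed location
CLEAR_AFTER="${CLEAR_AFTER:-20}"                  # seconds until wipe

# pw_lookup ACCOUNT: read decrypted records on stdin, print the password of
# the first record whose account field equals ACCOUNT (exact string match,
# so "bank" never matches "bank-old"). Exit status 1 if nothing matches.
pw_lookup() {
    awk -F '\t' -v acct="$1" '
        $1 == acct { print $3; found = 1; exit }
        END        { exit found ? 0 : 1 }
    '
}

# pw_decrypt: gpg asks for the passphrase through its own pinentry; the
# plaintext goes to a pipe, never to a temporary file.
pw_decrypt() {
    gpg --quiet --decrypt "$PW_FILE"
}

# pw_to_clipboard SECRET: put the secret on the clipboard, then after
# CLEAR_AFTER seconds overwrite the clipboard and, if Klipper is present,
# clear its history too (assumed D-Bus method name), so the password is
# not left sitting in plain text under the Klipper icon.
pw_to_clipboard() {
    printf '%s' "$1" | xclip -selection clipboard
    (
        sleep "$CLEAR_AFTER"
        xclip -selection clipboard </dev/null
        if command -v qdbus >/dev/null 2>&1; then
            qdbus org.kde.klipper /klipper clearClipboardHistory >/dev/null 2>&1
        fi
    ) &
}

# Usage: pw.sh ACCOUNT   (with no argument the script only defines functions)
if [ "$#" -gt 0 ]; then
    secret=$(pw_decrypt | pw_lookup "$1") || { echo "no entry for '$1'" >&2; exit 1; }
    pw_to_clipboard "$secret"
    echo "password for '$1' is on the clipboard; wiped in ${CLEAR_AFTER}s"
fi
```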