Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Nick Sabalausky
SeeWebsiteToContactMe at semitwist.com
Fri Apr 11 15:05:26 PDT 2014
On 4/11/2014 12:55 PM, Steven Schveighoffer wrote:
> On Fri, 11 Apr 2014 12:42:31 -0400, Walter Bright
> <newshound2 at digitalmars.com> wrote:
>
>> On 4/11/2014 5:18 AM, Steven Schveighoffer wrote:
>>> If, after the last year of hacking, and the heartbleed bug, people
>>> are not using
>>> password tracker/generators, you haven't learned anything :)
>>
>> But those pw managers are a single point of failure. One mistake and
>> you've compromised or lost everything.
>
> What mistake?
>
Pretty much anything? Letting the wrong person see you type your pass.
Using it on a system (even your own) that secretly has a keylogger or is
compromised in any number of other ways. Getting bit by an encryption
library vulnerability. Using a master pass that turns out not to be
quite good enough. Relying on NSA-backed "encryption". Just off the top
of my head.

>> If your machine it is installed on is stolen, you've lost all your
>> passwords. Etc.
>
> Read about LastPass. Your last-pass vault is encrypted and stored in the
> cloud.
>
No, it's stored on a server. On the internet. *cough*

Due to LastPass's closed-ness, all we can do is blindly trust whatever
they claim (yea, companies are great at never lying to users), *and*
blindly trust all of their software to not contain exploitable
vulnerabilities[*]. Look how great that works out for users of
Google/Microsoft/etc.

[*] I guess we could reverse-engineer, but closed-source is a great way
to ensure most of the people auditing your code are blackhats. Not what
I want from software I'd use to store all my passwords.