Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

Steven Schveighoffer schveiguy at yahoo.com
Fri Apr 11 17:45:56 PDT 2014


On Fri, 11 Apr 2014 18:05:26 -0400, Nick Sabalausky  
<SeeWebsiteToContactMe at semitwist.com> wrote:

> On 4/11/2014 12:55 PM, Steven Schveighoffer wrote:
>> On Fri, 11 Apr 2014 12:42:31 -0400, Walter Bright
>> <newshound2 at digitalmars.com> wrote:
>>
>>> On 4/11/2014 5:18 AM, Steven Schveighoffer wrote:
>>>> If, after the last year of hacking, and the heartbleed bug, people
>>>> are not using
>>>> password tracker/generators, you haven't learned anything :)
>>>
>>> But those pw managers are a single point of failure. One mistake and
>>> you've compromised or lost everything.
>>
>> What mistake?
>>
>
> Pretty much anything? Letting the wrong person see you type your pass.

Not likely.

> Using it on a system (even your own) that secretly has a keylogger or is  
> compromised in any number of other ways.

This would be a problem with any password scheme.

> Getting bit by an encryption library vulnerability.

No doubt, that would be a temporary issue.

> Using a master pass that turns out not to be quite good enough.

This can be mitigated with multi-factor or hardware authentication. But  
I'm not that paranoid. My password is pretty good.

> Relying on NSA-backed "encryption".

It's based on open standards for encryption, not NSA-backed. What  
encryption do you trust?

>>> If your machine it is installed on is stolen, you've lost all your
>>> passwords. Etc.
>>
>> Read about LastPass. Your last-pass vault is encrypted and stored in the
>> cloud.
>>
>
> No, it's stored on a server. On the internet. *cough*

Encrypted.

> Due to LastPass's closed-ness, all we can do is blindly trust whatever  
> they claim (yea, companies are great at never lying to users), *and*  
> blindly trust all of their software to not contain exploitable  
> vulnerabilities[*]. Look how great that works out for users of  
> Google/Microsoft/etc.

It's based on open standards, and you just have to trust them to have a  
rock-solid implementation, sure. It all depends on who you are willing to  
trust. I don't have enough time in my life to learn encryption theory,  
audit all their code, to prove it to myself. I choose to trust experts.  
YMMV.

> [*] I guess we could reverse-engineer, but closed-source is a great way  
> to ensure most of the people auditing your code are blackhats. Not what  
> I want from software I'd use to store all my passwords.

It has been audited, but not by the entire community. Again, it all  
depends on who you trust.

-Steve