Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

Nick Sabalausky SeeWebsiteToContactMe at semitwist.com
Sat Apr 12 21:23:26 PDT 2014


On 4/11/2014 8:45 PM, Steven Schveighoffer wrote:
> On Fri, 11 Apr 2014 18:05:26 -0400, Nick Sabalausky
> <SeeWebsiteToContactMe at semitwist.com> wrote:
>
>> On 4/11/2014 12:55 PM, Steven Schveighoffer wrote:
>>> On Fri, 11 Apr 2014 12:42:31 -0400, Walter Bright
>>> <newshound2 at digitalmars.com> wrote:
>>>
>>>> On 4/11/2014 5:18 AM, Steven Schveighoffer wrote:
>>>>> If, after the last year of hacking, and the heartbleed bug, people
>>>>> are not using
>>>>> password tracker/generators, you haven't learned anything :)
>>>>
>>>> But those pw managers are a single point of failure. One mistake and
>>>> you've compromised or lost everything.
>>>
>>> What mistake?
>>>
>>
>> Pretty much anything? Letting the wrong person see you type your pass.
>
> Not likely.
>
>> Using it on a system (even your own) that secretly has a keylogger or
>> is compromised in any number of other ways.
>
> This would be a problem with any password scheme.
>
>> Getting bit by an encryption library vulnerability.
>
> No doubt, that would be a temporary issue.
>
>> Using a master pass that turns out not to be quite good enough.
>
> This can be mitigated with multi-factor or hardware authentication. But
> I'm not that paranoid. My password is pretty good.
>
>> Relying on NSA-backed "encryption".
>
> It's based on open standards for encryption, not NSA-backed. What
> encryption do you trust?
>

You can nitpick arbitrary examples all you want, but it changes nothing: 
We're both fully aware there are plenty of ways password authentication 
can go wrong. Whether or not the password auth is used to protect other 
passwords or something else does nothing to change that. It just means 
when it does go wrong, other accounts are automatically compromised too.

>>> Read about LastPass. Your last-pass vault is encrypted and stored in the
>>> cloud.
>>
>> No, it's stored on a server. On the internet. *cough*
>
> Encrypted.
>

Never mind, I was diverging off to a separate point with that. Not 
relevant to this discussion anyway.

>> Due to LastPass's closed-ness, all we can do is blindly trust whatever
>> they claim (yea, companies are great at never lying to users), *and*
>> blindly trust all of their software to not contain exploitable
>> vulnerabilities[*]. Look how great that works out for users of
>> Google/Microsoft/etc.
>
> It's based on open standards, and you just have to trust them to have a
> rock-solid implementation, sure. It all depends on who you are willing
> to trust. I don't have enough time in my life to learn encryption
> theory, audit all their code, to prove it to myself. I choose to trust
> experts. YMMV.
>
>> [*] I guess we could reverse-engineer, but closed-source is a great
>> way to ensure most of the people auditing your code are blackhats. Not
>> what I want from software I'd use to store all my passwords.
>
> It has been audited, but not by the entire community. Again, it all
> depends on who you trust.
>

It does come down to trust, but open security audits are vastly easier 
to trust than some single cherry-picked behind-closed-doors audit. At 
the very *least* it's more eyes on the code.
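The exchange above turns on two technical points: a cloud-synced vault is an encrypted blob whose only secret is the master password, and once that blob is in an attacker's hands (a breach of the server it is "stored on"), every stored credential stands or falls with the master password's resistance to offline guessing. The following added example, which is not code from the thread or from LastPass, models that situation in a toy vault: a PBKDF2-derived key, an HMAC-based keystream standing in for the real product's AES (a stand-in chosen only because the Python standard library has no AES), an authentication tag, and an offline guessing loop of the kind an attacker would run against the leaked blob. The vault entries, the wordlist and the low iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import struct

# Demo work factor. Real vaults use far higher counts or a memory-hard KDF
# (scrypt/Argon2); lowering it here only speeds up the demonstration.
KDF_ITERATIONS = 20_000


def derive_key(master: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into 64 bytes: 32 for encryption, 32 for the MAC."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 as the PRF (AES stand-in)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master: str, entries: dict, iterations: int = KDF_ITERATIONS) -> bytes:
    """Return header || ciphertext || tag. Only this blob ever leaves the client."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master, salt, iterations)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = struct.pack(">I", iterations) + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decrypt_vault(master: str, blob: bytes):
    """Return the entries, or None if the master password does not verify."""
    iterations = struct.unpack(">I", blob[:4])[0]
    salt, nonce = blob[4:20], blob[20:36]
    ciphertext, tag = blob[36:-32], blob[-32:]
    key = derive_key(master, salt, iterations)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, blob[:36] + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong master password (or tampered blob)
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def offline_guess(blob: bytes, candidates):
    """What an attacker holding the leaked blob does: try masters until the tag verifies.

    Nothing rate-limits this; the cost per guess is exactly the KDF work factor.
    """
    for candidate in candidates:
        if decrypt_vault(candidate, blob) is not None:
            return candidate
    return None


# Constructed sample data: a vault and a small attacker wordlist.
SAMPLE_ENTRIES = {"bank": "Xk9#mq2Lp!", "email": "r7$Vw0zQ", "forum": "hunter2"}
WORDLIST = ["123456", "password", "letmein", "password123", "qwerty"]


def demo(iterations: int = 2_000) -> dict:
    """Weak vs. strong master password against the same leaked-blob attack."""
    weak_blob = encrypt_vault("password123", SAMPLE_ENTRIES, iterations)
    strong_blob = encrypt_vault("correct-horse-battery-staple-7Qz", SAMPLE_ENTRIES, iterations)
    weak_hit = offline_guess(weak_blob, WORDLIST)
    return {
        "weak_master_found": weak_hit,
        # once the master is found, every stored credential is recovered at once
        "weak_vault_contents": decrypt_vault(weak_hit, weak_blob) if weak_hit else None,
        "strong_master_found": offline_guess(strong_blob, WORDLIST),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check a practitioner wants is visible in `decrypt_vault`: the tag must be verified before any plaintext is used, and the attacker's loop costs one KDF evaluation per guess, so the work factor and the master password's entropy are the only two knobs between a leaked blob and every credential in it. Multi-factor login to the sync service, as raised in the thread, gates downloading the blob but does nothing once it has already leaked.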



More information about the Digitalmars-d mailing list