Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Steven Schveighoffer
schveiguy at yahoo.com
Mon Apr 14 06:24:06 PDT 2014
On Sat, 12 Apr 2014 02:02:18 -0400, Walter Bright
<newshound2 at digitalmars.com> wrote:
> On 4/11/2014 8:30 PM, Steven Schveighoffer wrote:
>> Of course, it means you have to accept their word, and trust their
>> competency. I tend to doubt that somehow this is all a ruse and they
>> are in cahoots with the NSA.
>
> I agree that it is pretty unlikely they are in league with the devil.
> But what would happen to you if all your passwords got lost or
> compromised? How much trouble would it be? All your bank accounts? All
> your email accounts? All your professional accounts? All your accounting
> stuff? Suddenly you're cut off from all of it? The risk may be small,
> but the potential damage could be very high.
I agree, it would be bad if all of these accounts were compromised. Funny
though, that I trust LastPass's system way more than I trust any of the
accounts that are stored in it. In LastPass, their server does not do any
authentication, just the application on your system. Your passwords are
never decrypted on their server, only on your computer. I probably am not
as protected against a local attack as I would like, but I am protected
against a wide-spread attack such as the ones that happen all the time.
But in order for a local attack to work, the villains must target me
specifically. I really don't know why they would.
Probably the most secure way to store the passwords is with a secondary
hardware-based authentication, which LastPass does support, but you have
to (a) buy a hardware device that you can use to unlock your vault, and
(b) it's not as convenient.
But this discussion has changed what I will store in my vault, I will
likely remove some things from it that are more a convenience than
anything (I know the information, it's just convenient to have my browser
auto-fill that).
> The company itself may not be malicious. But they may be incompetent.
> And they may have a rogue employee. And they may succumb to pressure
> from the government. And they may get hacked. And they may change
> managers. And they may get acquired by Evil Corp X.
If they are incompetent, I would be in trouble. I have to trust that they
are competent. I have to trust they will not succumb to government
pressure (they have been pretty clear on that one). I have to trust that
they review changes to their code so a malicious employee could not alter
the browser software. I have to have trust in the company. What I don't
have to do is worry about anyone cracking my vault without my password.
And that is what I think makes LastPass attractive.
It all depends on the level of trust you have, and I think that's a
personal choice. There is the 2-factor hardware authentication option if
you have less trust.
> What is your recourse if it all goes bad? What is your Plan B?
What is anyone's recourse? You work as hard as you can to get your
accounts under your control. Banks are typically not tied only to your
online presence, your credit card numbers can be changed, new cards
issued. Other accounts like email, you have less control over. Perhaps its
best to remember 2 passwords -- one for your lastpass vault which protects
your not-as-critical online accounts (like, say, your d forum password),
and one for your critical accounts that you don't want stored anywhere,
like your email password. The risk is still that an online account's
password is compromised, an easier-to-remember password is
easier-to-crack. The passwords LastPass generates are probably safer than
any ones I could come up with.
> When I went skydiving, I had a backup chute. There are two independent
> braking systems on my car. I don't invest everything in one company
> stock. I store backups off site.
I'm not concerned about "losing" my online passwords. The data is stored
locally on my PC backed up, on my phone, on my other computers I use. I
can get the old data back.
> > you typically get what you pay for.
>
> Typically, yes. What do you really expect to get for $12/year? That buys
> about 5 minutes of some entry level person's time. There's just no way
> I'm going to put all my hundreds of accounts into that one box.
I expect it, along with the hundreds of thousands of other customers, to
pay for the 40 person company that is LastPass. It's a reasonable fee for
the service IMO. Software is strange in that an app developer can charge
only $1, yet make millions, because production is nearly free.
> I strongly suggest, at a bare minimum, that you have LastPass print out
> all the passwords it holds on a sheet of paper, and put that paper in
> your safety deposit box.
If I were to do this, I'd store the encrypted vault on a key inside the
SDB. The app can be configured to run in "offline" mode, which means it
will not contact the server to get any updates to your vault. Any changes
a malicious user has made to my online vault would be ignored.
I'd rather just keep the backup somewhere close by than have to go into a
bank to get it.
-Steve
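Added illustration, not LastPass's code and not part of this thread, of the split Steve describes: the client derives both a vault key and a separate login verifier from the master password, the server stores only the verifier and ciphertext, and decryption can only happen on the client. The PBKDF2 cost, the HMAC-based stream cipher standing in for AES, and the VaultServer class are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed model (not LastPass's real code): the server holds only a login verifier plus ciphertext.
ITERATIONS = 100_000  # assumed PBKDF2 cost

def derive_keys(master_password: str, salt: bytes):
    """Return (vault_key, login_hash); only login_hash is ever sent to the server."""
    pw = master_password.encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1)  # one-way, so not reversible to vault_key
    return vault_key, login_hash

def _keystream(vault_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES-CTR; enc and mac use separate subkeys.
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _tag(vault_key: bytes, data: bytes) -> bytes:
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return hmac.new(mac_key, data, hashlib.sha256).digest()

def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the client; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    return nonce + ct + _tag(vault_key, nonce + ct)

def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Client-only step; a tampered blob or a wrong key is rejected before any plaintext is returned."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(_tag(vault_key, nonce + ct), tag):
        raise ValueError("vault blob tampered or wrong master password")
    return bytes(c ^ k for c, k in zip(ct, _keystream(vault_key, nonce, len(ct))))

class VaultServer:
    def __init__(self):
        self.users = {}  # user -> (salt, login verifier, ciphertext); nothing else is held

    def store(self, user: str, salt: bytes, login_hash: bytes, blob: bytes) -> None:
        self.users[user] = (salt, login_hash, blob)

    def fetch(self, user: str, login_hash: bytes) -> bytes:
        salt, stored_hash, blob = self.users[user]
        if not hmac.compare_digest(stored_hash, login_hash):
            raise PermissionError("login rejected")
        return blob  # still ciphertext: the server never had the vault key
```

A full dump of `server.users` therefore yields only salts, verifiers and ciphertext, which is why a server-side breach alone does not open the vault, while anyone holding the master password locally still can.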