Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

Steven Schveighoffer schveiguy at yahoo.com
Mon Apr 14 06:24:06 PDT 2014


On Sat, 12 Apr 2014 02:02:18 -0400, Walter Bright  
<newshound2 at digitalmars.com> wrote:

> On 4/11/2014 8:30 PM, Steven Schveighoffer wrote:
>> Of course, it means you have to accept their word, and trust their  
>> competency. I
>> tend to doubt that somehow this is all a ruse and they are in cahoots  
>> with the NSA.
>
> I agree that it is pretty unlikely they are in league with the devil.  
> But what would happen to you if all your passwords got lost or  
> compromised? How much trouble would it be? All your bank accounts? All  
> your email accounts? All your professional accounts? All your accounting  
> stuff? Suddenly you're cut off from all of it? The risk may be small,  
> but the potential damage could be very high.

I agree, it would be bad if all of these accounts were compromised. Funny  
though, that I trust LastPass's system way more than I trust any of the  
accounts that are stored in it. In LastPass, their server does not do any  
authentication, just the application on your system. Your passwords are  
never decrypted on their server, only on your computer. I probably am not  
as protected against a local attack as I would like, but I am protected  
against a wide-spread attack such as the ones that happen all the time.  
But in order for a local attack to work, the villains must target me  
specifically. I really don't know why they would.

Probably the most secure way to store the passwords is with a secondary  
hardware-based authentication, which LastPass does support, but you have  
to (a) buy a hardware device that you can use to unlock your vault, and  
(b) it's not as convenient.

But this discussion has changed what I will store in my vault, I will  
likely remove some things from it that are more a convenience than  
anything (I know the information, it's just convenient to have my browser  
auto-fill that).

> The company itself may not be malicious. But they may be incompetent.  
> And they may have a rogue employee. And they may succumb to pressure  
> from the government. And they may get hacked. And they may change  
> managers. And they may get acquired by Evil Corp X.

If they are incompetent, I would be in trouble. I have to trust that they  
are competent. I have to trust they will not succumb to government  
pressure (they have been pretty clear on that one). I have to trust that  
they review changes to their code so a malicious employee could not alter  
the browser software. I have to have trust in the company. What I don't  
have to do is worry about anyone cracking my vault without my password.  
And that is what I think makes LastPass attractive.

It all depends on the level of trust you have, and I think that's a  
personal choice. There is the 2-factor hardware authentication option if  
you have less trust.

> What is your recourse if it all goes bad? What is your Plan B?

What is anyone's recourse? You work as hard as you can to get your  
accounts under your control. Banks are typically not tied only to your  
online presence, your credit card numbers can be changed, new cards  
issued. Other accounts like email, you have less control over. Perhaps it's  
best to remember 2 passwords -- one for your lastpass vault which protects  
your not-as-critical online accounts (like, say, your d forum password),  
and one for your critical accounts that you don't want stored anywhere,  
like your email password. The risk is still that an online account's  
password is compromised; an easier-to-remember password is  
easier to crack. The passwords LastPass generates are probably safer than  
any ones I could come up with.

> When I went skydiving, I had a backup chute. There are two independent  
> braking systems on my car. I don't invest everything in one company  
> stock. I store backups off site.

I'm not concerned about "losing" my online passwords. The data is stored  
locally on my PC backed up, on my phone, on my other computers I use. I  
can get the old data back.

>  > you typically get what you pay for.
>
> Typically, yes. What do you really expect to get for $12/year? That buys  
> about 5 minutes of some entry level person's time. There's just no way  
> I'm going to put all my hundreds of accounts into that one box.

I expect it, along with the hundreds of thousands of other customers, to  
pay for the 40 person company that is LastPass. It's a reasonable fee for  
the service IMO. Software is strange in that an app developer can charge  
only $1, yet make millions, because production is nearly free.

> I strongly suggest, at a bare minimum, that you have LastPass print out  
> all the passwords it holds on a sheet of paper, and put that paper in  
> your safety deposit box.

If I were to do this, I'd store the encrypted vault on a key inside the  
SDB. The app can be configured to run in "offline" mode, which means it  
will not contact the server to get any updates to your vault. Any changes  
a malicious user has made to my online vault would be ignored.

I'd rather just keep the backup somewhere close by than have to go into a  
bank to get it.

-Steve
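The property Steve relies on above (the vault is encrypted and decrypted only on the client, so the server holds an opaque blob and cannot read it, and any change made to the online copy without the master password is rejected) is easy to show in a few dozen lines. The following is an added illustration written for this post, not LastPass's code or its actual file format; the key-derivation parameters, the HMAC-SHA256 counter-mode keystream used as a standard-library-only stand-in for an AEAD cipher such as AES-GCM, and the sample vault entries are all constructed for the example.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed parameters for this example (not LastPass's real settings).
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password, salt):
    """Stretch the master password into separate encryption and MAC keys.

    Only the client ever runs this: the server never sees the master
    password, so it can never derive either key."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)
    enc_key = hmac.new(root, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"vault-integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    # HMAC in counter mode as a PRF keystream; a stand-in for a real AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password, entries):
    """Encrypt-then-MAC the vault locally; the result is what gets uploaded."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    header = salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_vault(master_password, blob):
    """Verify the tag first, then decrypt. Raises ValueError if the blob was
    modified (e.g. on the server) or the master password is wrong."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault rejected: wrong master password or tampered data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


def run_demo():
    """Exercise the three properties the thread cares about."""
    # Constructed sample vault entry.
    entries = {"d forum": {"user": "steve", "password": "correct horse battery"}}
    blob = seal_vault("my master passphrase", entries)   # this is all the server stores

    round_trip = open_vault("my master passphrase", blob) == entries

    # A modification to the hosted copy (one ciphertext byte flipped) is caught.
    tampered = bytearray(blob)
    tampered[SALT_LEN + NONCE_LEN] ^= 0x01
    try:
        open_vault("my master passphrase", bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    # Whoever holds only the blob (the server, a thief) gets nothing without the password.
    try:
        open_vault("guess", blob)
        wrong_password_rejected = False
    except ValueError:
        wrong_password_rejected = True

    return {"round_trip": round_trip,
            "tamper_detected": tamper_detected,
            "wrong_password_rejected": wrong_password_rejected}


if __name__ == "__main__":
    print(run_demo())
```

The split into an encryption key and a MAC key, with the tag checked before any decryption, is what makes "offline mode" meaningful: a locally cached blob that verifies under your master password is known to be the one you wrote, whatever happened to the hosted copy. What this model does not protect against is exactly what Steve concedes: an attacker on the client machine who can read the master password or the decrypted vault in memory.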

