Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Steven Schveighoffer
schveiguy at yahoo.com
Fri Apr 11 17:45:56 PDT 2014
On Fri, 11 Apr 2014 18:05:26 -0400, Nick Sabalausky
<SeeWebsiteToContactMe at semitwist.com> wrote:
> On 4/11/2014 12:55 PM, Steven Schveighoffer wrote:
>> On Fri, 11 Apr 2014 12:42:31 -0400, Walter Bright
>> <newshound2 at digitalmars.com> wrote:
>>
>>> On 4/11/2014 5:18 AM, Steven Schveighoffer wrote:
>>>> If, after the last year of hacking, and the Heartbleed bug, people
>>>> are not using password tracker/generators, you haven't learned anything :)
>>>
>>> But those pw managers are a single point of failure. One mistake and
>>> you've compromised or lost everything.
>>
>> What mistake?
>>
>
> Pretty much anything? Letting the wrong person see you type your pass.
Not likely.
> Using it on a system (even your own) that secretly has a keylogger or is
> compromised in any number of other ways.
This would be a problem with any password scheme.
> Getting bit by an encryption library vulnerability.
No doubt, that would be a temporary issue.
> Using a master pass that turns out not to be quite good enough.
This can be mitigated with multi-factor or hardware authentication. But
I'm not that paranoid. My password is pretty good.
> Relying on NSA-backed "encryption".
It's based on open standards for encryption, not NSA-backed. What
encryption do you trust?
>>> If the machine it is installed on is stolen, you've lost all your
>>> passwords. Etc.
>>
>> Read about LastPass. Your last-pass vault is encrypted and stored in the
>> cloud.
>>
>
> No, it's stored on a server. On the internet. *cough*
Encrypted.
> Due to LastPass's closed-ness, all we can do is blindly trust whatever
> they claim (yea, companies are great at never lying to users), *and*
> blindly trust all of their software to not contain exploitable
> vulnerabilities[*]. Look how great that works out for users of
> Google/Microsoft/etc.
It's based on open standards, and you just have to trust them to have a
rock-solid implementation, sure. It all depends on who you are willing to
trust. I don't have enough time in my life to learn encryption theory and
audit all their code to prove it to myself. I choose to trust experts.
YMMV.
> [*] I guess we could reverse-engineer, but closed-source is a great way
> to ensure most of the people auditing your code are blackhats. Not what
> I want from software I'd use to store all my passwords.
It has been audited, but not by the entire community. Again, it all
depends on who you trust.
-Steve