Mick wrote:
> On Tuesday 21 Jul 2015 18:35:27 Dale wrote:
>> Mick wrote:
>>> On Tuesday 21 Jul 2015 02:40:54 Dale wrote:
>>>> I use the random generator too.  Some older sites, forums or something
>>>> that isn't really sensitive, may still have my old passwords but sites
>>>> like banking and such each have their own random generated one.  I also
>>>> try to generate the longest and most complex password the site will
>>>> allow.  Some sites don't allow the characters above the number keys.
>>>>
>>>> Another thing, I was at my brother's once and needed to log in to a site.
>>>> I installed lastpass, typed in my email and master password and I could
>>>> go anywhere I wanted just as if I was sitting at my own puter.   If it
>>>> wasn't for lastpass, I would have had to come home and do what needed
>>>> doing.
>>>>
>>>> So far, this is the best solution I have found and I only use the free
>>>> part.  ;-)
>>>>
>>>> Dale
>>>>
>>>> :-)  :-)
>>> A better, as in more secure, solution should involve local encryption and IMHO
>>> local air-gapped storage.  A USB key will do nicely and you can have a second
>>> USB key stored in your brother's premises, for disaster recovery scenarios.
>>>
>>> This is because cloud storage:
>>>  a) creates a honey pot which attracts attacks[1] and
>>>  b) most of cloud storage is in the US.
>>>
>>> [1] https://en.wikipedia.org/wiki/LastPass#Security_issues
>> From what I recall about Lastpass, it does encrypt the data locally then
>> uploads it.  I recall reading that if you lose your master password,
>> they can't get in it either.  All they get is encrypted data.  Of all
>> the things I read about when looking for a password manager, Lastpass
>> was the only thing that came close to what I wanted.  After using it a
>> while, it is all I need.
>>
>> https://lastpass.com/how-it-works
> Right, your data may be encrypted locally, but if you use a browser to decrypt
> it (after it is downloaded to your PC) then there are attack vectors (e.g.
> XSS) for the decrypted data to be leaked out of your machine.
>

Well, couldn't the same be said if it is encrypted on a USB stick? 
Anytime you encrypt something, you have to decrypt it to use it and that
has to be done somewhere. 


>> I've had USB sticks break before.  They are also easy to lose.  I'd
>> prefer not to store something that important on a USB stick.
>>
>> Dale
>>
>> :-)  :-)
> I didn't clarify that you should use something like gpg to encrypt your 
> file(s) on the USB stick, as I do this with all sensitive files not just 
> passwords.  I more or less assumed that it is the done thing.  Broken USB 
> sticks you can drive a drill through, or throw in a fire.  Stolen USB sticks 
> will at least be encrypted.
>
> If you are really paranoid you could also use dm-crypt to additionally encrypt
> the whole USB partition.
>

My point is, if you put the info on a USB stick and lose it, you have
now lost all your passwords.  If it fails, same problem.  The way
Lastpass works, even if your computer dies from say a house fire, once
you log in to Lastpass with your new puter, you are back in business.

Dale

:-)  :-) 
