On Mon, Feb 4, 2019 at 5:12 PM Dale <rdalek1...@gmail.com> wrote:
>
> Neil Bothwick wrote:
> > On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
> >
> >>> One reason I use LastPass, it is mobile.  I can go to someone else's
> >>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> >>> logoff and it is like I was never there.
> >> As much as I like Lastpass I would never do that.  It isn't magic - it
> >> is javascript.  If there is a compromise on your computer, then your
> >> password database will be compromised.  This is true of other
> >> solutions like KeePassX and so on - if something roots your box then
> >> it will be compromised.
> > I don't see what root has to do with it. If someone gains access to your
> > box, they can copy the database file and then take their time trying to
> > crack the password, but you don't need to be root to do that.

Correct, it just needs access to the user's data or browser process,
which could mean running as root, or that user.

>
> I might point out, LastPass encrypts the password before sticking it in
> a file.  It isn't visible or plain text.  Even getting the file would
> still require some tools and cracking to get the password itself.

That assumes you're attacking the password file directly.

If you're using LastPass on a compromised system then there are many
ways that can be used to bypass the encryption.  They could sniff
your master password when you key it in, or read it directly from the
browser's memory.  These things are protected from sandboxed code in
your browser, but not from processes running outside the browser
(unless again you're using a non-conventional privilege system like
selinux/android/etc).

-- 
Rich
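The "read it directly from the browser's memory" case above comes down to whether another process running as the same user is allowed to attach to the browser. On Linux that is governed by the Yama LSM's `ptrace_scope` knob (which also gates reads of `/proc/PID/mem`), and the "copy the database file" case comes down to the vault file's permissions. The script below is an added example, not code from this thread or from LastPass; it assumes a Linux box with Yama (the `/proc/sys/kernel/yama/ptrace_scope` path is the kernel's own) and a POSIX `ls`, and it only reports, it does not change anything.

```shell
#!/bin/sh
# Added example (not from the thread): report two things a local attacker
# running as your user would rely on -- being able to ptrace the browser,
# and being able to read the password vault file.

# Kernel's Yama knob (assumption: Linux kernel built with the Yama LSM).
YAMA_PATH=/proc/sys/kernel/yama/ptrace_scope

# Classify a ptrace_scope value using the meanings from the kernel's Yama docs.
ptrace_scope_risk() {
    case "$1" in
        0) echo "open: any process of the same user can ptrace the browser" ;;
        1) echo "restricted: only an ancestor (or CAP_SYS_PTRACE) can attach" ;;
        2) echo "admin-only: attaching requires CAP_SYS_PTRACE" ;;
        3) echo "disabled: no ptrace attach at all" ;;
        *) echo "unknown value '$1'" ;;
    esac
}

# Read the live setting, or say that the knob is absent.
check_ptrace_scope() {
    if [ -r "$YAMA_PATH" ]; then
        ptrace_scope_risk "$(cat "$YAMA_PATH")"
    else
        echo "no Yama ptrace_scope knob found (kernel built without Yama?)"
    fi
}

# Report whether a vault/database file is readable by group or others.
# Uses the 10-character mode string from 'ls -ld' so it stays POSIX:
# position 5 is the group read bit, position 8 the "other" read bit.
vault_perm_status() {
    [ -e "$1" ] || { echo "missing"; return; }
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        ????r*|???????r*) echo "exposed" ;;
        *) echo "ok" ;;
    esac
}

# Stand-alone run: show the ptrace setting, then check any paths given as
# arguments (e.g. a KeePassX .kdbx or a browser profile directory).
echo "ptrace: $(check_ptrace_scope)"
for f in "$@"; do
    echo "$f: $(vault_perm_status "$f")"
done
```

Usage: `sh check_local_threats.sh ~/Passwords.kdbx ~/.mozilla/firefox`. A `0` from the first line means the encryption-at-rest argument buys nothing against a process already running as you, which is the point Rich is making; `1` or higher narrows that to ancestors or to root, though it does nothing about a keylogger that sees the master password typed in.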
