Mick wrote:
> On Tuesday, 5 February 2019 07:55:41 GMT Dale wrote:
>> Mick wrote:
>>> https://en.wikipedia.org/wiki/LastPass#Security_issues
>>>
>> From what I read, no users had their passwords compromised in those.
> I read it differently.  LastPass didn't know if any passwds were compromised 
> (or wouldn't tell you).  As a precaution they asked users to change their 
> master passwd, while they changed their server's salt.  In addition, there 
> were XSS vulnerabilities later on, which is probably to be expected with 
> JavaScript and similar technologies.
>

I recall the email vaguely.  It said there was nothing that showed the
passwords were compromised.  I did change passwords for things like my
bank, etc., but left the others alone.  Of course, I change those passwords
on a fairly regular basis anyway.  Thing is, when it comes to financial
stuff, I don't leave as much to chance.  I found the email notice.  Here
is a bit of it:


"No encrypted user vault data was taken, however other data, including
email addresses and password reminders, was compromised." 

So, the encrypted stuff such as passwords was not compromised.  They
only got email addys and such which isn't a big deal.


>> As
>> I pointed out earlier, the passwords are already encrypted when they are
>> sent to LastPass.  If I called LastPass, could prove I am who I claim to
>> be and asked them for a password to a site, they couldn't give it to me
>> because it is encrypted when it leaves my machine. 
> I don't know exactly how the LastPass architecture is configured, other than 
> it relies on device based encryption activated with JavaScript, but anomalies 
> they observed in incoming and outgoing traffic on the 2011 incident indicate 
> someone was interfering with their data streams.  Given Diffie-Hellman could 
> be compromised (e.g. as per Logjam) by precomputing some of the most commonly 
> used primes in factoring large integers, it may be someone was undertaking 
> comparative analysis to deduce ciphers and what not.  If the server salt was 
> obtained, then one layer of encryption was compromised.
>
> All this is juxtaposition and my hypothesizing does not mean LastPass is not 
> useful, or not secure.  It just means its design is not as secure as locally 
> run simpler encryption mechanisms, which do not leave your PC and are not 
> stored somewhere else.
>
> The greater surface area a security system exposes, the higher the likelihood 
> someone will take a punt at cracking it.  A browser, sandboxed or not, has 
> far too many moving parts and exposed flanks to keep crackers and state actors 
> busy.  I expect with advances in AI this effort will accelerate 
> logarithmically.

This is why I don't use the built-in password manager in Firefox.
Firefox most likely concentrates on the browser, since its main job is
being a browser.  A password tool is a little lower on the list, I would
think.  However, for LastPass and other password tools, their main
function is to be password tools that are secure but can still work with
the browser as well.


>
>> As I pointed out to Rich, I don't expect these tools to be 100%.  There
>> is no perfect password tool or a perfect way to manage them either.  No
>> matter what you do, someone can come along and poke a hole in it.  If
>> you use a tool, the tool is hackable.  If you use the same password that
>> is 40 characters long for several dozen sites, then the site can be
>> hacked and they have the password for those other sites as well.  The
>> list could go on for ages but it doesn't really change anything.  We do
>> the best we can and then hope it is enough.  Using tools is in my
>> opinion better than not using a tool at all.  At the least, they will
>> have a hard time breaking into a site directly without my password.  It
>> beats the alternative which is cutting off the computer and unplugging
>> it.  :-( 
> Yes, well said.  A disconnected and switched off PC is probably quite secure, 
> but what use is this to anybody.  LOL!  The effectiveness of PC security is 
> challenged on a daily basis and you eventually have to arrive at a personal 
> trade-off between security and usability.
>

This is what I run into with this new password project.  I want one that
is easy for me to remember, easy to type and such, but I also want it
such that some script kiddie can't crack it in like 10 seconds while laughing
his/her fool head off at me.  The decision to use a tool like LastPass,
or any other tool for that matter, also means a trade-off.  Anything we
use will expose us to something.  That said, not using one exposes us to
something else, even if it is just bad ways to deal with passwords.
Using one password on several sites is one thing that jumps to my mind.
We just have to try to be reasonable about it.  One thing about this:
I'm putting more effort into one password than most do for every
password they have.

Now to play with the strength meters some more. 

Dale

:-)  :-)
