On Fri, 11 Apr 2014 18:05:26 -0400, Nick Sabalausky
<[email protected]> wrote:

> On 4/11/2014 12:55 PM, Steven Schveighoffer wrote:
>> On Fri, 11 Apr 2014 12:42:31 -0400, Walter Bright
>> <[email protected]> wrote:
>>> On 4/11/2014 5:18 AM, Steven Schveighoffer wrote:
>>>> If, after the last year of hacking, and the heartbleed bug, people
>>>> are not using password tracker/generators, you haven't learned
>>>> anything :)
>>>
>>> But those pw managers are a single point of failure. One mistake and
>>> you've compromised or lost everything.
>>
>> What mistake?
>
> Pretty much anything? Letting the wrong person see you type your pass.

Not likely.

> Using it on a system (even your own) that secretly has a keylogger or is
> compromised in any number of other ways.

This would be a problem with any password scheme.

> Getting bit by an encryption library vulnerability.

No doubt, that would be a temporary issue.

> Using a master pass that turns out not to be quite good enough.

This can be mitigated with multi-factor or hardware authentication. But
I'm not that paranoid. My password is pretty good.

> Relying on NSA-backed "encryption".

It's based on open standards for encryption, not NSA-backed. What
encryption do you trust?

>>> If the machine it is installed on is stolen, you've lost all your
>>> passwords. Etc.
>>
>> Read about LastPass. Your last-pass vault is encrypted and stored in the
>> cloud.
>
> No, it's stored on a server. On the internet. *cough*

Encrypted.

> Due to LastPass's closed-ness, all we can do is blindly trust whatever
> they claim (yea, companies are great at never lying to users), *and*
> blindly trust all of their software to not contain exploitable
> vulnerabilities[*]. Look how great that works out for users of
> Google/Microsoft/etc.

It's based on open standards, and you just have to trust them to have a
rock-solid implementation, sure. It all depends on who you are willing to
trust. I don't have enough time in my life to learn encryption theory,
audit all their code, to prove it to myself. I choose to trust experts.
YMMV.

> [*] I guess we could reverse-engineer, but closed-source is a great way
> to ensure most of the people auditing your code are blackhats. Not what
> I want from software I'd use to store all my passwords.

It has been audited, but not by the entire community. Again, it all
depends on who you trust.

-Steve