On 4/11/2014 8:45 PM, Steven Schveighoffer wrote:
On Fri, 11 Apr 2014 18:05:26 -0400, Nick Sabalausky
<[email protected]> wrote:

On 4/11/2014 12:55 PM, Steven Schveighoffer wrote:
On Fri, 11 Apr 2014 12:42:31 -0400, Walter Bright
<[email protected]> wrote:

On 4/11/2014 5:18 AM, Steven Schveighoffer wrote:
If, after the last year of hacking, and the heartbleed bug, people
are not using
password tracker/generators, you haven't learned anything :)

But those pw managers are a single point of failure. One mistake and
you've compromised or lost everything.

What mistake?


Pretty much anything? Letting the wrong person see you type your pass.

Not likely.

Using it on a system (even your own) that secretly has a keylogger or
is compromised in any number of other ways.

This would be a problem with any password scheme.

Getting bit by an encryption library vulnerability.

No doubt, that would be a temporary issue.

Using a master pass that turns out not to be quite good enough.

This can be mitigated with multi-factor or hardware authentication. But
I'm not that paranoid. My password is pretty good.

Relying on NSA-backed "encryption".

It's based on open standards for encryption, not NSA-backed. What
encryption do you trust?


You can nitpick arbitrary examples all you want, but it changes nothing: We're both fully aware there are plenty of ways password authentication can go wrong. Whether or not the password auth is used to protect other passwords or something else does nothing to change that. It just means when it does go wrong, other accounts are automatically compromised too.

Read about LastPass. Your last-pass vault is encrypted and stored in the
cloud.

No, it's stored on a server. On the internet. *cough*

Encrypted.


Never mind, I was diverging off to a separate point with that. Not relevant to this discussion anyway.

Due to LastPass's closed-ness, all we can do is blindly trust whatever
they claim (yea, companies are great at never lying to users), *and*
blindly trust all of their software to not contain exploitable
vulnerabilities[*]. Look how great that works out for users of
Google/Microsoft/etc.

It's based on open standards, and you just have to trust them to have a
rock-solid implementation, sure. It all depends on who you are willing
to trust. I don't have enough time in my life to learn encryption
theory, audit all their code, to prove it to myself. I choose to trust
experts. YMMV.

[*] I guess we could reverse-engineer, but closed-source is a great
way to ensure most of the people auditing your code are blackhats. Not
what I want from software I'd use to store all my passwords.

It has been audited, but not by the entire community. Again, it all
depends on who you trust.


It does come down to trust, but open security audits are vastly easier to trust than some single cherry-picked behind-closed-doors audit. At the very *least* it's more eyes on the code.
