On Tuesday 21 Jul 2015 18:35:27 Dale wrote:
> Mick wrote:
> > On Tuesday 21 Jul 2015 02:40:54 Dale wrote:
> >> I use the random generator too.  Some older sites, forums or something
> >> that isn't really sensitive, may still have my old passwords but sites
> >> like banking and such each have their own random generated one.  I also
> >> try to generate the longest and most complex password the site will
> >> allow.  Some sites don't allow the characters above the number keys.
> >>
> >> Another thing, I was at my brother's once and needed to login to a site.
> >> I installed lastpass, typed in my email and master password and I could
> >> go anywhere I wanted just as if I was sitting at my own puter.  If it
> >> wasn't for lastpass, I would have had to come home and do what needed
> >> doing.
> >>
> >> So far, this is the best solution I have found and I only use the free
> >> part.  ;-)
> >>
> >> Dale
> >>
> >> :-)  :-)
> >
> > A better, as in more secure, solution should involve local encryption
> > and IMHO local air-gapped storage.  A USB key will do nicely and you can
> > have a second USB key stored in your brother's premises, for disaster
> > recovery scenarios.  This is because cloud storage:
> >
> > a) creates a honey pot which attracts attacks[1] and
> > b) most of cloud storage is in the US.
> >
> > [1] https://en.wikipedia.org/wiki/LastPass#Security_issues
>
> From what I recall about Lastpass, it does encrypt the data locally then
> uploads it.  I recall reading that if you lose your master password,
> they can't get in it either.  All they get is encrypted data.  Of all
> the things I read about when looking for a password manager, Lastpass
> was the only thing that came close to what I wanted.  After using it a
> while, it is all I need.
>
> https://lastpass.com/how-it-works

Right, your data may be encrypted locally, but if you use a browser to decrypt
it (after it is downloaded to your PC) then there are attack vectors (e.g. XSS)
for the decrypted data to be leaked out of your machine.

> I've had USB sticks break before.  They are also easy to lose.  I'd
> prefer not to store something that important on a USB stick.
>
> Dale
>
> :-)  :-)

I didn't clarify that you should use something like gpg to encrypt your file(s)
on the USB stick, as I do this with all sensitive files not just passwords.  I
more or less assumed that it is the done thing.

Broken USB sticks you can drive a drill through, or throw in a fire.  Stolen USB
sticks will at least be encrypted.  If you are really paranoid you could also
use dm-crypt to additionally encrypt the whole USB partition.

-- 
Regards,
Mick
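
The setup described above, as an added example that is not part of Mick's
message: the password file is encrypted with gpg's passphrase mode, the same
ciphertext is written to both USB sticks, and a copy is checked by decrypting
it. The function names, mount points and the PW_GPG_OPTS variable are
assumptions.

```shell
#!/bin/sh
# Constructed example: function names, paths and PW_GPG_OPTS are hypothetical.
# PW_GPG_OPTS passes extra gpg options (e.g. for unattended runs); leave it
# empty and gpg prompts for the passphrase itself.

# encrypt_to_sticks FILE PRIMARY_DIR OFFSITE_DIR
# Passphrase-encrypts FILE and stores the same ciphertext on both sticks.
# Runs in a subshell so umask and variables do not leak into the caller.
encrypt_to_sticks() (
    src=$1 primary=$2 offsite=$3
    name=$(basename "$src").gpg
    umask 077                      # ciphertext readable by the owner only
    # $PW_GPG_OPTS is deliberately unquoted so it splits into options.
    gpg $PW_GPG_OPTS --yes --symmetric --cipher-algo AES256 \
        --output "$primary/$name" "$src" || exit 1
    cp "$primary/$name" "$offsite/$name" || exit 1
    sync                           # flush to the sticks before unplugging
    cmp -s "$primary/$name" "$offsite/$name"
)

# verify_copy ENCRYPTED_FILE ORIGINAL
# Succeeds only if the copy decrypts to exactly the original plaintext,
# so a damaged or truncated stick is noticed before it is needed.
verify_copy() {
    gpg $PW_GPG_OPTS --quiet --decrypt "$1" 2>/dev/null | cmp -s - "$2"
}

# Typical use (mount points are assumptions):
#   encrypt_to_sticks ~/passwords.txt /mnt/usb-home /mnt/usb-offsite &&
#   verify_copy /mnt/usb-offsite/passwords.txt.gpg ~/passwords.txt
```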

