Mick wrote:
> On Wednesday 22 Jul 2015 01:32:10 Dale wrote:
>> Mick wrote:
>>> On Tuesday 21 Jul 2015 18:35:27 Dale wrote:
>>>> From what I recall about Lastpass, it does encrypt the data locally then
>>>> uploads it. I recall reading that if you lose your master password,
>>>> they can't get in it either. All they get is encrypted data. Of all
>>>> the things I read about when looking for a password manager, Lastpass
>>>> was the only thing that came close to what I wanted. After using it a
>>>> while, it is all I need.
>>>>
>>>> https://lastpass.com/how-it-works
>>> Right, your data may be encrypted locally, but if you use a browser to
>>> decrypt it (after it is downloaded to your PC) then there are attack
>>> vectors (e.g. XSS) for the decrypted data to be leaked out of your
>>> machine.
>> Well, couldn't the same be said if it is encrypted on a USB stick?
>> Anytime you encrypt something, you have to decrypt it to use it and that
>> has to be done somewhere.
> Of course, but if it is done using an application which its main purpose is
> not to connect to the Internet (i.e. your browser) the real estate exposed to
> a potential attack reduces significantly.
>

So, don't use something that is within your browser but then go and type
that password . . . in your browser? Yea, that'll work. Heck, if I
really wanted something that secure, I'd unplug the ethernet cable and
turn off my modem. Then I might be secure.

>>>> I've had USB sticks break before. They are also easy to lose. I'd
>>>> prefer not to store something that important on a USB stick.
>>>>
>>>> Dale
>>>>
>>>> :-) :-)
>>> I didn't clarify that you should use something like gpg to encrypt your
>>> file(s) on the USB stick, as I do this with all sensitive files not just
>>> passwords. I more or less assumed that it is the done thing. Broken USB
>>> sticks you can drive a drill through, or throw in a fire. Stolen USB
>>> sticks will at least be encrypted.
>>>
>>> If you are really paranoid you could also use dm-crypt to additionally
>>> encrypt the whole USB partition.
>> My point is, if you put the info on a USB stick and lose it, you have
>> now lost all your passwords. If it fails, same problem.
> In either of these failure modes your solution is to forget about your first
> USB stick and go dig out your second USB stick.

Just how many of these sticks do I need? Are we looking at a dozen or
more which will have to be all kept up to date as well? Come on, be
realistic here. I doubt anyone is going to spend the time to do all that.

>
>> The way
>> Lastpass works, even if your computer dies from say a house fire, once
>> you login to Lastpass with your new puter, you are back in business.
>>
>> Dale
> In the case of a house fire we are in a DR scenario. You head straight to
> your brother's place. You'll need a place to stay anyway, if your house
> burnt down, you might as well check that back up USB you left there. ;-)
>

But with Lastpass, I don't have to worry about that. I can go to my
brother's house, put my email and password in Lastpass and carry on with
life. No need for a USB stick at all or having to wonder when was the
last time I updated the passwords on it either.

I'm trying to be realistic here. I try to be as secure as I can but
within REASON. As I mentioned above, if I really need and must be that
secure, I'd unplug the ethernet cable and turn off my modem. Then I
wouldn't have to worry about it unless someone broke into my home. Of
course, I wouldn't have the benefit of using the internet either.

Dale

:-) :-)

