On Wednesday 22 Jul 2015 19:43:43 Dale wrote: > So, don't use something that is within your browser but then go and type > that password . . . in your browser? Yea, that'll work. Heck, if I > really wanted something that secure, I'd unplug the ethernet cable and > turn off my modem. Then I might be secure.
LOL! No, I meant that you decrypt your passwd containing text file, sql file, localc file, or whatever file you use. Then you use something like cat, or less, or localc to view/search it. It can all be scripted so that you run a single command alias in a terminal and it asks you for your gpg passphrase, before it opens the file for you. A terminal is unlikely to suffer from XSS, javascript injection, sql injection, et al. but a browser could. Then you can copy & paste whichever account passwd you needed into a browser, but this will NOT be your master passphrase. Even if the passwd you paste into a browser ends up being compromised, it will only be one passwd and a single account, rather than your master passphrase and all your accounts. > Just how many of these sticks do I need? Are we looking at a dozen or > more which will have to be all kept up to date as well? Come on, be > realistic here. I doubt anyone is going to spend the time to do all that. You need more than one, if you want to keep your passwds file stored off your machine. I keep mine on a PC which is air-gapped and a second copy on a USB stick. You may need a third copy kept at different premises, if you want to guard against DR. > But with Lastpass, I don't have to worry about that. I can go to my > brothers house, put my email and password in Lastpass and carry on with > life. No need for a USB stick at all or having to wonder when was the > last time I updated the passwords on it either. > > I'm trying to be realistic here. I try to be as secure as I can but > within REASON. As I mentioned above, if I really need and must be that > secure, I'd unplug the ethernet cable and turn off my modem. Then I > wouldn't have to worry about it unless someone broke into my home. Of > course, I wouldn't have the benefit of using the internet either. Sure, security and convenience are not always best bedfellows. We are discussing about hypothetical risks here and different users' risk tolerances. If you encrypt the file separately with a strong key before you upload it, and this encryption key is different to your authentication key on the Lastpass website, then the risk of your encrypted file being cracked is rather low. When people discovered that their Lastpass account had been compromised, this did not necessarily mean that their encrypted file had been compromised too. However, I don't know exactly what the security architecture of Lastpass is to comment on the specifics. All I'm saying is that I wouldn't trust storing my passwds on the cloud for the sake of convenience. YMMV. :-) -- Regards, Mick
signature.asc
Description: This is a digitally signed message part.
