On Thursday 23 Jul 2015 00:09:09 Dale wrote:

> You seem to miss my point.   I still have to type my passwords into a
> browser.  If as you say, that is not secure, then what point is there to
> having a password or accessing my bank or other sites via the internet?

I don't know if I am missing your point, or you mine.  :-)

Your browser's risk exposure to vulnerabilities and attacks is not constant, 
but it changes.  If it has not been patched, or an unpublished vulnerability 
is lurking around for a month or two then you are more exposed.  If you have 
another web page open at the same time you are visiting your bank and the 
other web page is running some suspicious script, you are again temporarily 
exposed.  I can't give you a statistical chance of the risk you might be 
exposed to on an average day, but although I expect it to be very low, it is 
still greater than zero.


> I have to put that password in my browser to access my bank, credit card
> or other websites.  The point is, that exact same browser has to have
> that exact same password typed into it.

That's one passwd at a time, rather than all of them EACH time.  I appreciate 
that in the minimal hypothetical case of possessing only a single account 
passwd, then there is no discernible difference in risk exposure.  In this 
case, if your master passwd is compromised you would only lose one passwd.


> I might also add, copy & paste
> would then leave my password in my Klipper program that manages copy &
> paste unencrypted.  Click on the Klipper icon and there sits my password
> in PLAIN text.  How secure is that exactly?

I understand that klipper saves entries on disk and therefore it is less 
secure than the *nix clipboard, which you should clear once you have 
middle-clicked to paste its sensitive content.


> Lastpass already encrypts the password ON MY MACHINE not on their end.
> Why would I want to disable and stop using Lastpass just to do the same
> thing but harder and more time consuming locally and lose the ability to
> use Lastpass while I am somewhere else?  

Because you are reducing the risk by keeping your whole keyring off line, 
although I acknowledged that in this way you are also reducing your 
convenience.


> I would also lose the ability
> to access that info in the case of say a computer meltdown.  I might
> add, if I do it your way and lose that USB stick or whatever, I'm still
> toast.  Heck, I may be in even worse shape than I would be by losing my
> Lastpass password.

Meltdown and the like brings us to the Disaster Recovery scenario, which I 
have covered.


> Sorry, I have had USB sticks go bad too much for me to trust with this
> sort of thing, not to mention the ones I have lost.  I'm not going out
> and buy a whole bunch of those things and then depending on them to hold
> the keys to my financial and every other password.  I also don't have
> time to make sure they are all kept up to date and such either.

You need more than one USB stick/off line storage to reduce the chance of your 
regular USB stick going bad, or being lost.

Look, I am not trying to convince you to change your habits.  I am just stating 
that I would not store all *my* sensitive data online and in a single place.  
If you think that the risk is low enough for you and the convenience of 
Lastpass quite high, then carrying on with your approach clearly makes sense.

I didn't mean to hijack the OP's thread and I think we've covered this topic 
to death, so I'll shut up now.  :-)

-- 
Regards,
Mick
