Mick wrote:
> On Thursday 23 Jul 2015 00:09:09 Dale wrote:
>
>> You seem to miss my point. I still have to type my passwords into a
>> browser. If as you say, that is not secure, then what point is there to
>> having a password or accessing my bank or other sites via the internet?
>
> I don't know if I am missing your point, or you mine. :-)
>
> Your browser's risk exposure to vulnerabilities and attacks is not constant,
> but it changes. If it has not been patched, or an unpublished vulnerability
> is lurking around for a month or two then you are more exposed. If you have
> another web page open at the same time you are visiting your bank and the
> other web page is running some suspicious script, you are again temporarily
> exposed. I can't give you a statistical chance of the risk you might be
> exposed to on an average day, but although I expect it to be very low, it is
> still greater than zero.
>

But I suspect it is closer to zero than some other high number that I'm
not worried about.

>> I have to put that password in my browser to access my bank, credit card
>> or other websites. The point is, that exact same browser has to have
>> that exact same password typed into it.
>
> That's one passwd at a time, rather than all of them EACH time. I appreciate
> that in the minimal hypothetical case of possessing only a single account
> passwd, then there is no discernible difference in risk exposure. In this
> case, if your master passwd is compromised you would only lose one passwd.
>

Well, as I have said, if I can't trust my browser even that much, I need
to unplug.

>> I might also add, copy & paste
>> would then leave my password in my Klipper program that manages copy &
>> paste unencrypted. Click on the Klipper icon and there sits my password
>> in PLAIN text. How secure is that exactly?
>
> I understand that klipper saves entries on disk and therefore it is less
> secure than the *nix clipboard, which you should clear once you middle clicked
> to paste its sensitive content.
>

Thing is, I never clear that history because I use that history for
other things. I even have it set to remember the last 30 or 40 entries.
Again, that would be inconvenient for me.

>> Lastpass already encrypts the password ON MY MACHINE not on their end.
>> Why would I want to disable and stop using Lastpass just to do the same
>> thing but harder and more time consuming locally and lose the ability to
>> use Lastpass while I am somewhere else?
>
> Because you are reducing the risk by keeping your whole keyring off line,
> although I acknowledged that in this way you are also reducing your
> convenience.
>

For me, it is about convenience as much as it is about security. Before
Lastpass, I had three passwords. One for financial stuff, one for
important but not crucial stuff and one for stuff I could care less
about like social sites or something. Now, I have a unique password for
each site. I'm already more secure than I once was.

>> I would also lose the ability
>> to access that info in the case of say a computer meltdown. I might
>> add, if I do it your way and lose that USB stick or whatever, I'm still
>> toast. Heck, I may be in even worse shape than I would be by losing my
>> Lastpass password.
>
> Meltdown and the like brings us to the Disaster Recovery scenario, which I
> have covered.
>

And as I said, I don't have time to be running around updating USB
sticks that I don't trust anyway. For me, that is NOT an option.

>> Sorry, I have had USB sticks go bad too much for me to trust with this
>> sort of thing, not to mention the ones I have lost. I'm not going out
>> and buy a whole bunch of those things and then depending on them to hold
>> the keys to my financial and every other password. I also don't have
>> time to make sure they are all kept up to date and such either.
>
> You need more than one USB stick/off line storage to reduce the chance of your
> regular USB stick going bad, or being lost.
>
> Look I am not trying to convince you to change your habits. I am just stating
> that I would not store all *my* sensitive data online and in a single place.
> If you think that the risk is low enough for you and the convenience of
> Lastpass quite high, then carrying on with your approach clearly makes sense.
>
> I didn't mean to hijack the OP's thread and I think we've covered this topic
> to death, so I'll shut up now. :-)
>

Again, I don't trust them or myself that much with a USB stick. Heck,
I've lost a couple and have no clue where they are. Plus, it takes time
and energy to keep all that up to date. Lastpass does what I need and
then some plus it is very convenient as well. I might add, all the
people got from what I read is the encrypted password. Basically, once
people change their master password, what they have is useless. I don't
know how long it would take to crack those passwords but I suspect that
by the time they do, they won't have anything of use.

Dale

:-) :-)

