Re: [cryptography] LastPass have been hacked, so it seems.
keeping something safe in the cloud inherently requires trusting a third party. yeah, that says it all. no access safe. access not safe. cloud computing is good for non-critical stuff and stuff you want ppl to see anyway. like your web page. even then, JavaScript injection jacking your page, blah, blah. if the cloud is not good for HIPAA, banks, financial institutions, that should be a clue.

Sent: Monday, June 15, 2015 at 6:46 PM
From: Moti m...@cyberia.org.il
To: cryptography@randombit.net
Subject: [cryptography] LastPass have been hacked, so it seems.

> I always had my doubts about keeping my passwords in the cloud. Let's hope for LastPass users that their data is as secure as LastPass claims it is. No reason to think otherwise of course, but still. If I read correctly between the lines, some people's (sensitive) data may be in the wrong hands. I mean, what if Chinese hackers got it? (Yeah, it feels like I sound a bit paranoid, but in this day and age, Chinese hackers are actually a thing :) Are we sure that the Chinese government doesn't have enough computing power to unhash whatever was taken? Just saying...
>
> https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
>
> Cheers,
> Moti.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] LastPass have been hacked, so it seems.
> Are there any password managers that let the user specify where to store a remote copy of the passwords (FTP server, scp, Dropbox, whatever) while keeping the crypto and the master password on the end devices?

Take a look at http://www.passwordstore.org/

Your GPG key encrypts all of the credentials individually. You can push the keys to a git repo if you like, which could be in the cloud. Don't like git? Well, just back up the .password-store directory some other way, keeping it separate from your .gpg dir.

You don't need to worry about losing your keys due to password database corruption, commercialization of the tool or whatever, since they are all in separate files that you can decrypt with GPG by hand if needed.

tim
Re: [cryptography] LastPass have been hacked, so it seems.
On 6/15/2015 6:46 PM, Moti wrote:
> I always had my doubts about keeping my passwords in the cloud. Let's hope for LastPass users that their data is as secure as LastPass claims it is. No reason to think otherwise of course, but still. If I read correctly between the lines, some people's (sensitive) data may be in the wrong hands. I mean, what if Chinese hackers got it? (Yeah, it feels like I sound a bit paranoid, but in this day and age, Chinese hackers are actually a thing :) Are we sure that the Chinese government doesn't have enough computing power to unhash whatever was taken? Just saying...
>
> https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
>
> Cheers,
> Moti.

Well, if Chinese hackers can listen in on the Tor network they can get at the cloud. We really need to patch everything if we hope to feel somewhat safe.
Re: [cryptography] LastPass have been hacked, so it seems.
Are there any password managers that let the user specify where to store a remote copy of the passwords (FTP server, scp, Dropbox, whatever) while keeping the crypto and the master password on the end devices?

Seems to me that would limit the cloudy trust problem while still addressing the very real problem of a zillion accounts used from multiple devices.

R's,
John
Re: [cryptography] LastPass have been hacked, so it seems.
> Are there any password managers that let the user specify where to store a remote copy of the passwords (FTP server, scp, Dropbox, whatever) while keeping the crypto and the master password on the end devices?
>
> Seems to me that would limit the cloudy trust problem while still addressing the very real problem of a zillion accounts used from multiple devices.

I get by fine with KeePass. It's just a program that keeps your passwords in an encrypted file using your password. You can install it on multiple platforms (I have PC, Mac and Android clients) and I put the file on Google Drive. The UI is fit for purpose.

It might be one better if I could mix in multiple hardware tokens (one per device), so I wasn't just relying on a password. This may be possible. I haven't checked.
Re: [cryptography] LastPass have been hacked, so it seems.
John R. Levine wrote:
> Are there any password managers that let the user specify where to store a remote copy of the passwords (FTP server, scp, Dropbox, whatever) while keeping the crypto and the master password on the end devices?

Nobody has mentioned STRIP yet, but it fits the bill: https://www.zetetic.net/strip/

This and other password managers are analyzed in the 2014 USENIX paper "The Emperor's New Password Manager: Security Analysis of Web-based Password Managers" by Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song. https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/li_zhiwei

– Harald
Re: [cryptography] LastPass have been hacked, so it seems.
From the department of ironic timing comes this recent posting on Hacker News: https://news.ycombinator.com/item?id=9727297

On Jun 16, 2015, at 9:59 AM, d...@deadhat.com wrote:
>> Are there any password managers that let the user specify where to store a remote copy of the passwords (FTP server, scp, Dropbox, whatever) while keeping the crypto and the master password on the end devices?
>>
>> Seems to me that would limit the cloudy trust problem while still addressing the very real problem of a zillion accounts used from multiple devices.
>
> I get by fine with KeePass. It's just a program that keeps your passwords in an encrypted file using your password. You can install it on multiple platforms (I have PC, Mac and Android clients) and I put the file on Google Drive. The UI is fit for purpose.
>
> It might be one better if I could mix in multiple hardware tokens (one per device), so I wasn't just relying on a password. This may be possible. I haven't checked.
Re: [cryptography] LastPass have been hacked, so it seems.
[Disclosure: I work for AgileBits, the makers of 1Password]

On 2015-06-16, at 10:53 AM, John R. Levine jo...@iecc.com wrote:
> Are there any password managers that let the user specify where to store a remote copy of the passwords (FTP server, scp, Dropbox, whatever) while keeping the crypto and the master password on the end devices?

With 1Password the answer is technically "yes", but in practice it is more of "sort of". If you are just using 1Password on desktop machines, then you can sync however you wish using anything that will look like a filesystem. But when you need to sync with 1Password on mobile devices the choices are reduced because 1Password doesn't get to see a normal filesystem. For "cloud" based syncing, there is Dropbox and iCloud on iOS and Dropbox on Android. However, there is a local "wifi sync" mechanism that lets you sync between desktop and mobile over a local wifi network.

> Seems to me that would limit the cloudy trust problem while still addressing the very real problem of a zillion accounts used from multiple devices.

Genuine efficient and reliable sync is hard. We've worked so that as much sync and conflict resolution as possible can happen on fully encrypted data, so that the slow part can be done even when 1Password is locked. But some conflict resolution has to wait until the user unlocks 1Password.

At any rate, we never have any of your data in any form whatsoever. Our goal has been "we can't lose, use, or abuse" data that we don't have. However, to make syncing work smoothly, we do end up strongly encouraging the use of Dropbox, but at the same time we've designed 1Password with the expectation that attacks will capture your encrypted data one way or the other, and that sync services (and your own hard drives) can be compromised.

I should point out that while we get some very nice security properties by not being a service you log into (your master password is only ever used for encryption), it does mean that we can't offer some of the flexibility that something like LastPass can.

Cheers,

-j
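Both Tim's description of pass (each credential encrypted individually, the ciphertext pushed to a git remote) and the 1Password reply above (master password used only for encryption; assume the synced copy will be captured) describe the same model. The following is an added example of that model in stdlib Python; it is not code from pass, KeePass, 1Password or any poster. The cipher (HMAC-SHA256 as a PRF in counter mode with an encrypt-then-MAC tag), the scrypt parameters, the JSON layout and all names are assumptions of the demo; a real tool would use AES-GCM or XChaCha20-Poly1305 for the entries.

```python
"""Added example: client-side encrypted store where the sync service only ever
holds ciphertext. Not pass/KeePass/1Password code; cipher, KDF parameters and
layout are assumptions of this demo (stdlib only, so no AES-GCM)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed scrypt work factor (16 MiB per guess). This is what makes a stolen
# export expensive to "unhash": every candidate master password costs this much.
KDF = {"n": 2 ** 14, "r": 8, "p": 1}


def derive_keys(master: str, salt: bytes, kdf: dict = KDF) -> tuple:
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.scrypt(master.encode(), salt=salt, dklen=64, **kdf)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream: HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _tag(mac_key: bytes, name: str, nonce: bytes, ct: bytes) -> bytes:
    # The entry name is authenticated with the ciphertext, so whoever holds the
    # synced copy cannot move one entry's blob under another entry's name.
    return hmac.new(mac_key, name.encode() + b"\0" + nonce + ct, "sha256").digest()


def encrypt_entry(enc_key: bytes, mac_key: bytes, name: str, secret: str) -> dict:
    nonce = secrets.token_bytes(16)
    pt = secret.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = _tag(mac_key, name, nonce, ct)
    return {k: base64.b64encode(v).decode()
            for k, v in (("nonce", nonce), ("ct", ct), ("tag", tag))}


def decrypt_entry(enc_key: bytes, mac_key: bytes, name: str, blob: dict) -> str:
    nonce, ct, tag = (base64.b64decode(blob[k]) for k in ("nonce", "ct", "tag"))
    # Verify before decrypting. The same error covers a wrong master password,
    # a tampered blob and a blob swapped in from another entry.
    if not hmac.compare_digest(_tag(mac_key, name, nonce, ct), tag):
        raise ValueError(f"cannot open {name!r}: bad master password or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


class Store:
    """In-memory stand-in for a .password-store directory or a .kdbx file."""

    def __init__(self, master, salt=None, entries=None, kdf=KDF):
        self.salt = salt or secrets.token_bytes(16)
        self.kdf = dict(kdf)
        self.enc_key, self.mac_key = derive_keys(master, self.salt, self.kdf)
        self.entries = dict(entries or {})   # name -> encrypted blob, one per entry

    def put(self, name: str, secret: str) -> None:
        self.entries[name] = encrypt_entry(self.enc_key, self.mac_key, name, secret)

    def get(self, name: str) -> str:
        return decrypt_entry(self.enc_key, self.mac_key, name, self.entries[name])

    def export(self) -> str:
        """Exactly what the sync service sees: salt, KDF parameters, ciphertexts."""
        return json.dumps({"kdf": self.kdf, "salt": base64.b64encode(self.salt).decode(),
                           "entries": self.entries})

    @classmethod
    def open(cls, exported: str, master: str) -> "Store":
        """Open a synced export on another device; only the master password travels."""
        doc = json.loads(exported)
        return cls(master, base64.b64decode(doc["salt"]), doc["entries"], doc["kdf"])


def seconds_per_guess(exported: str) -> float:
    """What an attacker holding the export pays per master-password candidate."""
    doc = json.loads(exported)
    start = time.perf_counter()
    derive_keys("not the password", base64.b64decode(doc["salt"]), doc["kdf"])
    return time.perf_counter() - start


if __name__ == "__main__":
    laptop = Store("correct horse battery staple")
    laptop.put("example.com", "hunter2")
    synced = laptop.export()                 # this is all Dropbox/git ever holds
    phone = Store.open(synced, "correct horse battery staple")
    print(phone.get("example.com"), f"{seconds_per_guess(synced):.3f}s per guess")
```

Two properties worth noticing in the export: the entry names are visible in the synced copy (pass has the same property, since they are filenames), and the only thing standing between a captured export and the plaintext is the master password and the KDF cost, which is why `seconds_per_guess` is the number to watch rather than the key length.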
Re: [cryptography] LastPass have been hacked, so it seems.
On Tue, Jun 16, 2015 at 9:24 AM, Givon Zirkind givo...@gmx.com wrote:
> keeping something safe in the cloud inherently requires trusting a third party. yeah, that says it all.

Right. And third parties cannot protect against the threat posed by officers of the court/legal jurisdiction. (Are National Security Letters considered in this threat, or are they a new threat due to operating outside the law in the US?)

> cloud computing is good for non-critical stuff and stuff you want ppl to see anyway. like your web page. even then, javascript injection jacking your page, blah, blah. if the cloud is not good for HIPAA, banks, financial institutions, that should be a clue.

Studies are showing medical data is less safe in the cloud. See, for example, "Study: Healthcare Industry Contains Most Cloud Data Breaches", http://talkincloud.com/cloud-computing-security/06152015/study-healthcare-industry-contains-most-cloud-data-breaches.

And remember, Apple moved user Keychains to its iCloud and they were subsequently breached. Apparently, Apple does not feel it's important enough to ensure it meets its own secure coding standards or properly QA it. Confer CVE-2015-1065.

Jeff

> Sent: Monday, June 15, 2015 at 6:46 PM
> From: Moti m...@cyberia.org.il
> To: cryptography@randombit.net
> Subject: [cryptography] LastPass have been hacked, so it seems.
>
> I always had my doubts about keeping my passwords in the cloud. Let's hope for LastPass users that their data is as secure as LastPass claims it is. No reason to think otherwise of course, but still. If I read correctly between the lines, some people's (sensitive) data may be in the wrong hands. I mean, what if Chinese hackers got it? (Yeah, it feels like I sound a bit paranoid, but in this day and age, Chinese hackers are actually a thing :) Are we sure that the Chinese government doesn't have enough computing power to unhash whatever was taken? Just saying...
>
> https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
Re: [cryptography] LastPass have been hacked, so it seems.
On 06/16/2015 06:20 PM, Tim wrote:
>> Are there any password managers that let the user specify where to store a remote copy of the passwords (FTP server, scp, Dropbox, whatever) while keeping the crypto and the master password on the end devices?
>
> Take a look at http://www.passwordstore.org/

I had a look at it. At first the idea of gpg locally + git sync seems fine and simple. However, I didn't like the pass shell script, so I tried to use QtPass, the Qt wrapper of pass. I couldn't make the Qt app work (gpg complained that the given public key cannot be encrypted to, etc.). Don't know about the usability and quality of the other apps (Android/iOS ones).

The pass script is short, but hard to read (in bash). QtPass just wraps this script along with exec()ing gpg/git binaries and puts it into a not-so-well designed GUI. The plain pass might be for people who like command-line tools. In theory pass allows other transports like (s)ftp, scp for synchronization.

Ondrej