Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
On Mon, Nov 30, 2009 at 09:29:30PM -0600, Penguin Lover Dale squawked:
> > There is a tool I've used in the past called PasswordMaker. It uses a master password and a flexible set of parameters to generate passwords and if necessary, enter them on a site.

snip

> > Once you enter the master password and select the appropriate settings (length, character set, hashing algorithm etc etc), the password will be generated. You can also use the current website as a salt, so using the same settings will yield a different password for different sites.

Isn't this just security by obscurity? You still use the same master password: so finding out the one password is enough to break into ALL your sites. The only additional protection you gain is that the Bad Guys do not know that you are using the tool.

The salt hardly matters: to make sure the plugin will behave the same if you run firefox from different computers, they are still using the same hash function and same salt for the same site. If someone is savvy enough to know the list of websites you access and the usernames you use to access them, then that someone should also be able to find out the tool you are using for the passwords.

In the end, I think it offers only marginally more protection than having the same very strong password on all your sites.

The only case I think encryption/hash approach is useful is when you have a low security account (say an online game, or a MUD that you connect to via telnet) whose password is transmitted in plaintext. If you insist on only using one master password, and don't want to bother memorizing a different one for the low security account, I guess passing your password through a one-way hash makes it harder for your other accounts to be compromised. But that's about it.

Just my two cents

W

--
Where do you get Mercury? H.G. Wells
Sortir en Pantoufles: up 1089 days, 8:58
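The scheme debated in the message above, as an added Python sketch that is not part of the original post and is not PasswordMaker's actual algorithm: each password is derived from the master password with the site name as a public salt, and a helper measures how far one captured password reaches under reuse versus derivation. PBKDF2-HMAC-SHA256, the character set, the iteration count, the `*.example` sites and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import string

# Assumed settings (constructed for this example); a real tool lets the user pick them.
CHARSET = string.ascii_letters + string.digits + "!#$%&*+-=?@"
ITERATIONS = 100_000

# Constructed sample accounts: site -> username.
SITES = {"bank.example": "dale", "forum.example": "dale", "mud.example": "dale"}


def derive_site_password(master, site, username="", length=16,
                         charset=CHARSET, iterations=ITERATIONS):
    """Derive a per-site password from the master password; nothing is stored."""
    if not master:
        raise ValueError("master password must not be empty")
    if not 1 <= length <= 40:
        raise ValueError("length must be between 1 and 40")
    if len(charset) < 2 or len(set(charset)) != len(charset):
        raise ValueError("charset needs at least two distinct characters")
    # The salt is public and fixed per site, so every machine computes the
    # same password. It separates sites from each other; it is not a secret.
    salt = site.strip().lower().encode("utf-8") + b"\x00" + username.encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=64)
    # Read the 512-bit output as an integer and peel off base-len(charset)
    # digits. Only about 260 bits are consumed, so modulo bias is negligible.
    number = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        number, index = divmod(number, len(charset))
        chars.append(charset[index])
    return "".join(chars)


def build_credentials(master, sites=SITES):
    """Regenerate every site password from the master password alone."""
    return {site: derive_site_password(master, site, user)
            for site, user in sites.items()}


def exposed_sites(captured_password, credentials):
    """Sites that a single captured password unlocks directly."""
    return sorted(site for site, password in credentials.items()
                  if password == captured_password)


if __name__ == "__main__":
    master = "correct horse battery staple"        # constructed sample
    derived = build_credentials(master)
    reused = {site: "one-strong-password-everywhere" for site in SITES}

    # The MUD password crosses the network in plaintext (the case in the post).
    print("reuse   :", exposed_sites(reused["mud.example"], reused))
    print("derived :", exposed_sites(derived["mud.example"], derived))

    # The other half of the argument: the master password plus the public
    # settings is enough to regenerate every credential.
    print("master regenerates all:", build_credentials(master) == derived)
```
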
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
Willie Wong wrote:
> On Mon, Nov 30, 2009 at 09:29:30PM -0600, Penguin Lover Dale squawked:
> > > There is a tool I've used in the past called PasswordMaker. It uses a master password and a flexible set of parameters to generate passwords and if necessary, enter them on a site.
>
> snip
>
> > > Once you enter the master password and select the appropriate settings (length, character set, hashing algorithm etc etc), the password will be generated. You can also use the current website as a salt, so using the same settings will yield a different password for different sites.
>
> Isn't this just security by obscurity? You still use the same master password: so finding out the one password is enough to break into ALL your sites. The only additional protection you gain is that the Bad Guys do not know that you are using the tool.
>
> The salt hardly matters: to make sure the plugin will behave the same if you run firefox from different computers, they are still using the same hash function and same salt for the same site. If someone is savvy enough to know the list of websites you access and the usernames you use to access them, then that someone should also be able to find out the tool you are using for the passwords.
>
> In the end, I think it offers only marginally more protection than having the same very strong password on all your sites.
>
> The only case I think encryption/hash approach is useful is when you have a low security account (say an online game, or a MUD that you connect to via telnet) whose password is transmitted in plaintext. If you insist on only using one master password, and don't want to bother memorizing a different one for the low security account, I guess passing your password through a one-way hash makes it harder for your other accounts to be compromised. But that's about it.
>
> Just my two cents
>
> W

Well this is where some things are not real clear.
I'm not sure when the master password would be sent to the website. It may be only when doing the setup but you could be right. Of course, I also read a study done by a group of Universities a few years ago that said a LOT of the security stuff that is done doesn't really work. If a person uses common information for their password, then anything the websites do is pretty much meaningless anyway. I actually sent a link to my bank regarding the specific set up they are using. I think the point is, a good secure password is the best policy. For me tho, having a good tool that is local and secure to type that sucker in for me is really good. I'm not worried about someone stealing my computer and gaining access that way, I'm just worried that someone could keep banging away at my password until it guesses it. As mentioned before, my password is not anything related to information about me but just a random bunch of stuff. Given time tho, a hacker would eventually guess it. Dale :-) :-)
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
On Monday 30 November 2009 02:55:09 daid kahl wrote:
> > [about LastPass]
> > I have an alarm system in my head. It's called the Security by bullshit baffles brains Alert. It's ringing right now ;-)
>
> Hahahaha. Just make your doorknob turn the wrong way and you don't have to lock it. Or you could remap all your system filestructure, remove all PATHS and

That gives me an idea. I'm going to remove the semantic layer from all my filesystems and reference my files directly by inode number. That should confuse the buggers :-)

--
alan dot mckinnon at gmail dot com
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
> On Monday 30 November 2009 02:55:09 daid kahl wrote:
> > > [about LastPass]
> > > I have an alarm system in my head. It's called the Security by bullshit baffles brains Alert. It's ringing right now ;-)
> >
> > Hahahaha. Just make your doorknob turn the wrong way and you don't have to lock it. Or you could remap all your system filestructure, remove all PATHS and
>
> That gives me an idea. I'm going to remove the semantic layer from all my filesystems and reference my files directly by inode number. That should confuse the buggers :-)

Naw, I like this one as far as the house goes. Buy four dead bolts and only lock two of them. You may have to think on that one for a minute. ;-)

Dale :-) :-)
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
> > > [about LastPass]
> > > I have an alarm system in my head. It's called the Security by bullshit baffles brains Alert. It's ringing right now ;-)
> >
> > Hahahaha. Just make your doorknob turn the wrong way and you don't have to lock it. Or you could remap all your system filestructure, remove all PATHS and
>
> That gives me an idea. I'm going to remove the semantic layer from all my filesystems and reference my files directly by inode number. That should confuse the buggers :-)

Linux security: Even in the worst case, it's so broken only you know how to use it.
[gentoo-user] Re: [OT] Seamonkey and LastPass
On Sat, 28 Nov 2009 22:29:32 -0600 Dale rdalek1...@gmail.com wrote:
> After all, how many people see the source code for Seamonkey, thousands, maybe million or more? I don't think that many people can keep a secret like that.

While anyone who wants to *can* look at it, probably only a few dozen actually look at very much of it. But every bit of new code that's checked in is reviewed by someone who's been working with Mozilla stuff for a long while and has earned a reputation as a trusted contributor.

--
»Q«
Kleeneness is next to Gödelness.
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
> Dale wrote:
> > So, another question. Is there a tool that is local and would do something like this? I am using Seamonkey 2.0 nowadays. It seems to have some tools available to it that the old Seamonkey doesn't.
> >
> > Dale :-) :-)
>
> There is a tool I've used in the past called PasswordMaker. It uses a master password and a flexible set of parameters to generate passwords and if necessary, enter them on a site.
>
> It has a plugin for firefox and I believe seamonkey too. I can't check this second because their site appears to be down (bandwidth exceeded). It doesn't store the passwords anywhere and will only store the master password on your machine if you specifically ask for it.
>
> Once you enter the master password and select the appropriate settings (length, character set, hashing algorithm etc etc), the password will be generated. You can also use the current website as a salt, so using the same settings will yield a different password for different sites.
>
> Sounds like I'm advocating this very heavily, in fact I don't have much experience with it. It sounds reasonable to me, but I'll let you guys discuss it :)
>
> Matt

I saw this on the plugin site. I notice it generates passwords but I'm pretty good at that myself. I doubt anyone would guess my password for my bank and credit card. They are not based on anything, not birth dates, Social Security number, account number or anything like that. I used to use a password that had some of the characters above the number keys but I got tired of typing all that mess in. It may be more secure with them but the bank chose to block my password manager from filling them in automatically. I changed it to something easier to type in. Also had a few rounds with the bank too. The changes they made do not make anything more secure than it already was. Several universities did studies and some of them said it made things worse by providing a false sense of security.
I did not notice that it had a fill in feature tho. It may not work with my bank but I may try it since it appears to be a local thing and doesn't transmit anything to a third party. Lastpass seems to do this. Thanks. Dale :-) :-)
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
> On Sat, 28 Nov 2009 22:29:32 -0600 Dale rdalek1...@gmail.com wrote:
> > After all, how many people see the source code for Seamonkey, thousands, maybe million or more? I don't think that many people can keep a secret like that.
>
> While anyone who wants to *can* look at it, probably only a few dozen actually look at very much of it. But every bit of new code that's checked in is reviewed by someone who's been working with Mozilla stuff for a long while and has earned a reputation as a trusted contributor.

Which is why Lastpass needs to let someone outside see their code, sort of earn the people's trust. Even tho Seamonkey 2 has a few issues right now, I still trust it. I am not worried that they are logging my keystrokes or anything like that. Lastpass, as some have pointed out, could be doing just that. We don't *really* know what they are doing other than what they claim.

I like the idea behind it but lack the trust, sort of like Alan I guess. I wanted to use it but was not sure it was safe hence the thread about it.

Dale :-) :-)
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
On Sat, 28 Nov 2009 20:44:48 -0600, Dale wrote:
> Before someone says that someone can steal my puter, well, they are stored here now anyway. Seamonkey does it for me for most sites. I have the others on post it notes stuck to my monitor. I don't type in my login/password every time I go to the forums or some other site. So, if they steal my puter, they can access whatever they want then anyway. They can boot up with /bin/bash, change the passwords and then access whatever they want. We always tell people physical access trumps about anything else.

So put your home directory on an encrypted filesystem, physical access won't help much then.

--
Neil Bothwick

If at first you don't succeed, you must be a programmer.
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
> On Sat, 28 Nov 2009 20:44:48 -0600, Dale wrote:
> > Before someone says that someone can steal my puter, well, they are stored here now anyway. Seamonkey does it for me for most sites. I have the others on post it notes stuck to my monitor. I don't type in my login/password every time I go to the forums or some other site. So, if they steal my puter, they can access whatever they want then anyway. They can boot up with /bin/bash, change the passwords and then access whatever they want. We always tell people physical access trumps about anything else.
>
> So put your home directory on an encrypted filesystem, physical access won't help much then.

True, I just have no idea how to do that. I would have to learn and play with something not so important first. That would take time but is an option.

Dale :-) :-)
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
> [about LastPass]
> I have an alarm system in my head. It's called the Security by bullshit baffles brains Alert. It's ringing right now ;-)

Hahahaha. Just make your doorknob turn the wrong way and you don't have to lock it. Or you could remap all your system filestructure, remove all PATHS and

~daid
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
Dale wrote:
> So, another question. Is there a tool that is local and would do something like this? I am using Seamonkey 2.0 nowadays. It seems to have some tools available to it that the old Seamonkey doesn't.
>
> Dale :-) :-)

There is a tool I've used in the past called PasswordMaker. It uses a master password and a flexible set of parameters to generate passwords and if necessary, enter them on a site.

It has a plugin for firefox and I believe seamonkey too. I can't check this second because their site appears to be down (bandwidth exceeded). It doesn't store the passwords anywhere and will only store the master password on your machine if you specifically ask for it.

Once you enter the master password and select the appropriate settings (length, character set, hashing algorithm etc etc), the password will be generated. You can also use the current website as a salt, so using the same settings will yield a different password for different sites.

Sounds like I'm advocating this very heavily, in fact I don't have much experience with it. It sounds reasonable to me, but I'll let you guys discuss it :)

Matt
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
On Saturday 28 November 2009 05:50:42 »Q« wrote:
> On Sat, 28 Nov 2009 00:57:54 +0200 Alan McKinnon alan.mckin...@gmail.com wrote:
>
> [about LastPass]
>
> > What I find incredible is that people will accept the site's say-so that the site admins can't read the data. They have not proven anything, merely asserted something. The only way to give that guarantee is to encrypt the data. Which then needs a key. Someone must keep the key and it's either you or them. If it's them, they can decrypt the data (same reason as DRM is doomed to failure) and if it's you - well if you lose the key you lose the data. Are you telling me that there are people gullible enough to actually fall for that one?
>
> They claim that the decrypted data never leaves your computer and they don't have a key to it. Many, many things aren't clear, such as what kind of encryption is used (same as the US gov't uses for Top Secret stuff, they say, heh), where and how the key is stored on your machine, on and on. I wouldn't dream of using them, but yeah, they have a substantial number of users.

I have an alarm system in my head. It's called the Security by bullshit baffles brains Alert. It's ringing right now ;-)

Mind you, I have vendors who use exactly the same throw-around-bullshit-statements-and-see-what-sticks approach. It works on the Account Managers all the time, and works on us techies none of the time.

Lucky for us, techies rule around here. We get to tell the Account Managers that the vendor is talking crap, that we don't have to explain why, that we are not buying their crap and we are not using it, so please tell the vendor to leave the building and stop wasting my time :-)

--
alan dot mckinnon at gmail dot com
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
28.11.2009 04:50, »Q«:
> They claim that the decrypted data never leaves your computer and they don't have a key to it. Many, many things aren't clear, such as what kind of encryption is used (same as the US gov't uses for Top Secret stuff, they say, heh),

That reminds me of the famous anti-gravity ball: You throw it up - and it comes down. You throw it down - and it jumps up. And it's made from the same material the US Air Force uses for the tires of their top-notch fighter jets.

--
Regards
mks
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
> On Saturday 28 November 2009 05:50:42 »Q« wrote:
> > On Sat, 28 Nov 2009 00:57:54 +0200 Alan McKinnon alan.mckin...@gmail.com wrote:
> >
> > [about LastPass]
> >
> > > What I find incredible is that people will accept the site's say-so that the site admins can't read the data. They have not proven anything, merely asserted something. The only way to give that guarantee is to encrypt the data. Which then needs a key. Someone must keep the key and it's either you or them. If it's them, they can decrypt the data (same reason as DRM is doomed to failure) and if it's you - well if you lose the key you lose the data. Are you telling me that there are people gullible enough to actually fall for that one?
> >
> > They claim that the decrypted data never leaves your computer and they don't have a key to it. Many, many things aren't clear, such as what kind of encryption is used (same as the US gov't uses for Top Secret stuff, they say, heh), where and how the key is stored on your machine, on and on. I wouldn't dream of using them, but yeah, they have a substantial number of users.
>
> I have an alarm system in my head. It's called the Security by bullshit baffles brains Alert. It's ringing right now ;-)
>
> Mind you, I have vendors who use exactly the same throw-around-bullshit-statements-and-see-what-sticks approach. It works on the Account Managers all the time, and works on us techies none of the time.
>
> Lucky for us, techies rule around here. We get to tell the Account Managers that the vendor is talking crap, that we don't have to explain why, that we are not buying their crap and we are not using it, so please tell the vendor to leave the building and stop wasting my time :-)

And to think I came here to ask others' opinion BEFORE doing this. I was curious as to how this could work myself and if they can be trusted, or SHOULD be trusted. Seems everyone thinks no one should.
That said, because of the way my bank and credit card site accepts the login and password, I bet it wouldn't work for them anyway. If I wanted a really long password that would be hard to guess, those two would be it. Dale :-) :-)
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
On 11/28/2009 5:03 PM, Dale wrote:
> > On Saturday 28 November 2009 05:50:42 »Q« wrote:
> > > On Sat, 28 Nov 2009 00:57:54 +0200 Alan McKinnon alan.mckin...@gmail.com wrote:
> > >
> > > [about LastPass]
> > >
> > > > What I find incredible is that people will accept the site's say-so that the site admins can't read the data. They have not proven anything, merely asserted something. The only way to give that guarantee is to encrypt the data. Which then needs a key. Someone must keep the key and it's either you or them. If it's them, they can decrypt the data (same reason as DRM is doomed to failure) and if it's you - well if you lose the key you lose the data. Are you telling me that there are people gullible enough to actually fall for that one?
> > >
> > > They claim that the decrypted data never leaves your computer and they don't have a key to it. Many, many things aren't clear, such as what kind of encryption is used (same as the US gov't uses for Top Secret stuff, they say, heh), where and how the key is stored on your machine, on and on. I wouldn't dream of using them, but yeah, they have a substantial number of users.
> >
> > I have an alarm system in my head. It's called the Security by bullshit baffles brains Alert. It's ringing right now ;-)
> >
> > Mind you, I have vendors who use exactly the same throw-around-bullshit-statements-and-see-what-sticks approach. It works on the Account Managers all the time, and works on us techies none of the time.
> >
> > Lucky for us, techies rule around here. We get to tell the Account Managers that the vendor is talking crap, that we don't have to explain why, that we are not buying their crap and we are not using it, so please tell the vendor to leave the building and stop wasting my time :-)
>
> And to think I came here to ask others' opinion BEFORE doing this. I was curious as to how this could work myself and if they can be trusted, or SHOULD be trusted. Seems everyone thinks no one should.
>
> That said, because of the way my bank and credit card site accepts the login and password, I bet it wouldn't work for them anyway. If I wanted a really long password that would be hard to guess, those two would be it.
>
> Dale :-) :-)

For my two cents, I would not trust anyone with my passwords, encrypted or otherwise. Anyone who falls for this kind of thing should go learn about security being a mindset, not a software package, and then check out wikipedia's page on email viruses and the like.

Marcus
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
On 28 Nov 2009, at 22:03, Dale wrote:
> ...
> And to think I came here to ask others' opinion BEFORE doing this. I was curious as to how this could work myself and if they can be trusted, or SHOULD be trusted. Seems everyone thinks no one should.

Everyone's yakking it up because it makes them look clever.

There's no reason encrypted data can't be stored on the server, then decrypted client-side in the web-browser or by using Java (or possibly even Javascript). That's not saying it IS secure, just that such an infrastructure should be possible, as much as we consider things like ssh, https &c to be secure.

The Why LastPass is safe page https://lastpass.com/safety.php is indeed bullet-points for idiots, and if that was the only information available on the site then I, too, might be more suspicious. If you look at the Technology summary on the site it looks far more reasonable: https://lastpass.com/technology.php. Perhaps some other commenters should have read this before posting?

Would I trust LastPass with child porn or incriminating information regarding my plans to overthrow the government? No, I really think not.

Would I trust it with my bank details and my Slashdot password? Why not? Those really aren't valuable enough to be worth hacking and SSL, AES & RSA ought to be plenty enough to secure them.

Stroller.
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
> On 28 Nov 2009, at 22:03, Dale wrote:
> > ...
> > And to think I came here to ask others' opinion BEFORE doing this. I was curious as to how this could work myself and if they can be trusted, or SHOULD be trusted. Seems everyone thinks no one should.
>
> Everyone's yakking it up because it makes them look clever.
>
> There's no reason encrypted data can't be stored on the server, then decrypted client-side in the web-browser or by using Java (or possibly even Javascript). That's not saying it IS secure, just that such an infrastructure should be possible, as much as we consider things like ssh, https &c to be secure.
>
> The Why LastPass is safe page https://lastpass.com/safety.php is indeed bullet-points for idiots, and if that was the only information available on the site then I, too, might be more suspicious. If you look at the Technology summary on the site it looks far more reasonable: https://lastpass.com/technology.php. Perhaps some other commenters should have read this before posting?
>
> Would I trust LastPass with child porn or incriminating information regarding my plans to overthrow the government? No, I really think not.
>
> Would I trust it with my bank details and my Slashdot password? Why not? Those really aren't valuable enough to be worth hacking and SSL, AES & RSA ought to be plenty enough to secure them.
>
> Stroller.

This is one reason I thought about using something like this. If I use something that would remember my passwords and type them in for me, then I can use really really strong passwords. You know, passwords like this: !#sd78826=+C0945z$ I'm not saying that is uncrackable but it would take a hacker a while to guess that thing. Me, I go to my bank site a lot so I don't want to have to type something like that in each time I go there. Having something that remembers them and types them in for me would be nice. Tho I would prefer it be local to me and not across the internet.
Before someone says that someone can steal my puter, well, they are stored here now anyway. Seamonkey does it for me for most sites. I have the others on post it notes stuck to my monitor. I don't type in my login/password every time I go to the forums or some other site. So, if they steal my puter, they can access whatever they want then anyway. They can boot up with /bin/bash, change the passwords and then access whatever they want. We always tell people physical access trumps about anything else.

Since my bank changed their website which doesn't let password manager in Seamonkey work like it used to, I shortened my password, a LOT. I made it something I could type in easier and faster, even in the dark. So by them doing that, it actually made mine less secure. Of course, the bank assumes a lot of that responsibility since they have a $0 risk to me. So, if someone guesses the password, they are on the hook for it. I would like to avoid the hassle tho if I could.

Another situation I was thinking about. Let's say it is as secure as they CLAIM it to be. If someone stole my puter, I could go to lostpass and change the master password or just close the account. Then even my computer would be useless to them. From my understanding you have to type in the master password from time to time. If it is changed through the website, I'm sure it would require it to be re-entered.

So, another question. Is there a tool that is local and would do something like this? I am using Seamonkey 2.0 nowadays. It seems to have some tools available to it that the old Seamonkey doesn't.

Dale :-) :-)
[gentoo-user] Re: [OT] Seamonkey and LastPass
On Sun, 29 Nov 2009 01:49:29 + Stroller strol...@stellar.eclipse.co.uk wrote:
> Everyone's yakking it up because it makes them look clever.

Either that, or they're 'yakking it up' in hopes of discouraging a regular user here from taking an amazing risk with his banking access passwords.

> The Why LastPass is safe page https://lastpass.com/safety.php is indeed bullet-points for idiots, and if that was the only information available on the site then I, too, might be more suspicious. If you look at the Technology summary on the site it looks far more reasonable: https://lastpass.com/technology.php. Perhaps some other commenters should have read this before posting?

You've missed the point, which is that users have no way of verifying that the LastPass technology actually behaves the way their web site claims. For example, how would you verify that their software, installed on your own machine, doesn't make a hash of the key to your data and send it to them? Of course their web site says they don't do that, and if that's good enough for you, good luck.

--
»Q«
Kleeneness is next to Gödelness.
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
On Sat, 2009-11-28 at 20:44 -0600, Dale wrote:
> ...
> Another situation I was thinking about. Let's say it is as secure as they CLAIM it to be. If someone stole my puter, I could go to lostpass and change the master password or just close the account. Then even my computer would be useless to them. From my understanding you have to type in the master password from time to time. If it is changed through the website, I'm sure it would require it to be re-entered.
> ...

Give most competent techs your machine and the data is theirs - unless you have taken some extreme precautions. Standard IBM hardware is not designed to be secure, and with the exception of some laptops (which in most cases, things like encryption via the IDE interface available on some Dells and others, isn't even turned on!), most of those are not either.

Lostpass looks ideal for those who lose/forget/do not really understand what passwords are about - it's better than the alternatives such people come up with (a common, easily guessed password, or none if they can get away with it). Got something valuable/want to keep private, don't use them, or some of the google apps and others.

In fact, I know of some who have a separate, locked down a/c on their machines just for banking - no browsing (and no extraneous browser plugins) to other sites etc. - safer! (and relatively simple to do and manage under nix)

BillK

--
William Kenworthy bi...@iinet.net.au
Home in Perth!
[gentoo-user] Re: [OT] Seamonkey and LastPass
On Sat, 28 Nov 2009 20:44:48 -0600 Dale rdalek1...@gmail.com wrote:
> So, another question. Is there a tool that is local and would do something like this? I am using Seamonkey 2.0 nowadays. It seems to have some tools available to it that the old Seamonkey doesn't.

I don't know of a tool with browser integration. For a local password safe, though, there's keepassx, in portage.

--
»Q«
Kleeneness is next to Gödelness.
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
> On Sun, 29 Nov 2009 01:49:29 + Stroller strol...@stellar.eclipse.co.uk wrote:
> > Everyone's yakking it up because it makes them look clever.
>
> Either that, or they're 'yakking it up' in hopes of discouraging a regular user here from taking an amazing risk with his banking access passwords.
>
> > The Why LastPass is safe page https://lastpass.com/safety.php is indeed bullet-points for idiots, and if that was the only information available on the site then I, too, might be more suspicious. If you look at the Technology summary on the site it looks far more reasonable: https://lastpass.com/technology.php. Perhaps some other commenters should have read this before posting?
>
> You've missed the point, which is that users have no way of verifying that the LastPass technology actually behaves the way their web site claims. For example, how would you verify that their software, installed on your own machine, doesn't make a hash of the key to your data and send it to them? Of course their web site says they don't do that, and if that's good enough for you, good luck.

And that is why they need to let someone independently review their code to see exactly what it does and in some cases, can do. I trust Seamonkey for example for the reason that anyone can see their code. If there was something in the code that allowed Seamonkey to grab passwords or other information they shouldn't, then I'm sure someone would speak up and say so. After all, how many people see the source code for Seamonkey, thousands, maybe million or more? I don't think that many people can keep a secret like that.

I think lostpass should open up the books so that people can see the code. Then people may trust what they claim and could even make it better at that. There is always someone out there with a better mouse trap. I did read on there somewhere that Mozilla has some of their code but it is not all of it. Not sure if it is the good stuff or what tho.
Dale :-) :-)
Re: [gentoo-user] Re: [OT] Seamonkey and LastPass
> On Sat, 2009-11-28 at 20:44 -0600, Dale wrote:
> > ...
> > Another situation I was thinking about. Let's say it is as secure as they CLAIM it to be. If someone stole my puter, I could go to lostpass and change the master password or just close the account. Then even my computer would be useless to them. From my understanding you have to type in the master password from time to time. If it is changed through the website, I'm sure it would require it to be re-entered.
> > ...
>
> Give most competent techs your machine and the data is theirs - unless you have taken some extreme precautions. Standard IBM hardware is not designed to be secure, and with the exception of some laptops (which in most cases, things like encryption via the IDE interface available on some Dells and others, isn't even turned on!), most of those are not either.
>
> Lostpass looks ideal for those who lose/forget/do not really understand what passwords are about - it's better than the alternatives such people come up with (a common, easily guessed password, or none if they can get away with it). Got something valuable/want to keep private, don't use them, or some of the google apps and others.
>
> In fact, I know of some who have a separate, locked down a/c on their machines just for banking - no browsing (and no extraneous browser plugins) to other sites etc. - safer! (and relatively simple to do and manage under nix)
>
> BillK

It is true that if a person breaks in and takes your puter, they can do anything they want. I'm sure there are some that can set up their system so that grub can't be edited without a password and the file system is encrypted but then again, they may take the time to actually type in a really long secure password for each site too. Lastpass is a good start but having something on the net having access is what made me post here to begin with.
I would like to have something that is close to what lastpass does but just locally or something that is confirmed by independent review. If the code was reviewed by someone we all know can be trusted, like the Seamonkey folks, or it was open source for all to see, then that would help. People that know programming can put their approval stamp on it that it works and does what it says it does and nothing else.

For me, I wouldn't usually forget a password but if a person got the password for my checking account, then they would have the password for the rest. I sort of have passwords based on the strength I need. My longest and hardest to guess is my checking and credit card. Things like my email, forums, b.g.o and others could be guessed if someone wanted to try it. I would like to be able to have really long and secure for them all but I would get bored of all the typing and having to keep up with different ones for each site. It's funny, the one thing that helps us keep our stuff safe is the most difficult to manage.

Dale :-) :-)
[gentoo-user] Re: [OT] Seamonkey and LastPass
On Sat, 28 Nov 2009 00:57:54 +0200 Alan McKinnon alan.mckin...@gmail.com wrote:

[about LastPass]

> What I find incredible is that people will accept the site's say-so that the site admins can't read the data. They have not proven anything, merely asserted something. The only way to give that guarantee is to encrypt the data. Which then needs a key. Someone must keep the key and it's either you or them. If it's them, they can decrypt the data (same reason as DRM is doomed to failure) and if it's you - well if you lose the key you lose the data. Are you telling me that there are people gullible enough to actually fall for that one?

They claim that the decrypted data never leaves your computer and they don't have a key to it. Many, many things aren't clear, such as what kind of encryption is used (same as the US gov't uses for Top Secret stuff, they say, heh), where and how the key is stored on your machine, on and on. I wouldn't dream of using them, but yeah, they have a substantial number of users.

--
»Q«
Kleeneness is next to Gödelness.