»Q« wrote:
In <news:[email protected]>,
Rufus <[email protected]> wrote:

Hartmut Figge wrote:
Rufus:
»Q« wrote:
Setting the master password to the empty string is a workaround
for a specific problem the OP has.  The OP doesn't want to use a
master password in the first place, so using the empty string as
the password won't decrease the OP's security.
Maybe, but I'm very surprised a user would be able to do that without
still wiping out his password list - simply changing the Master to
a null string once it has been set is still a change; I question
if that will actually work...and quite hope it doesn't work,
really...for all of the reasons above.
But you need the old master password to accomplish that. ;)

Which can also be easily hacked, if someone is smart enough to accomplish the foregoing.

Not any more easily hacked than other encrypted stuff.  A dictionary
attack or some other brute force method would work if the master
password is weak enough, and I guess most people use pretty weak ones.

But if a malicious hacker has physical access to your computer, you're
in a world of trouble anyway, no matter what choices have been made.  A
master password is more useful against "casual" tampering, in which
some nosey cow orker (for example) sits down at your workstation to see
what he can do just by clicking around.


It's very easy for me to control physical access to my machine, I'm more concerned about an outside attack, from the net. Depending on where you live (like in an IT center, or an area which might be targeted at a higher incidence like a financial or governmental center or such) that seems to be a far greater problem. Economic espionage is on the rise as well, and depending on one's career choice one could be a target above and beyond what one might expect.

I've been warned against using the password managers in browsers by
our IT security folks at work (and I never do, at work)...I think I'm
going to start paying closer attention to them.

That's a valid choice, for sure.  The next thing would be to find a way
to avoid ever typing any passwords, since keyloggers will pick them up
that way.  An on-screen keyboard to click on is one way to do that, but
it's too annoying for most people to put up with.


...even on-screen boards can be key-logged, if an attacker is savvy. We whole disk encrypt our laptops and desktops at work, ever since my company had a HUGE PII spill due to the loss of a laptop about a decade ago.

I may give some thought to doing that at home now...at least on my laptop. Or using the File Vault option built into OS X - that at least gives me a "safe area" without resorting to whole-disk.

--
     - Rufus
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey
