Password Security Catch-All Thread

Bah, I guess I need to move to Keypass and figure out a way to integrate it into my mobile browser in a secure way.

Edwin wrote:

Bah, I guess I need to move to Keypass and figure out a way to integrate it into my mobile browser in a secure way.

/Popcorn

With regards to LastPass, bear in mind that:

1) The bookmarklet is used by very few LP users, as almost everyone uses browser extensions. This issue does not affect users of the browser extension.

2) The second issue is more serious, but understand what it is. The outcome of exploiting this issue is that an attacker can get a copy of your encrypted vault. This is the same data you send across the wire, with the understanding that it could be sniffed out by anyone listening. Provided the vault is encrypted with a strong password, cracking it would be an ordeal, if it is in fact even realistic at all.

While it is bad for getting a copy of the encrypted blob to be something that is easy to do, at no point should hiding the blob be considered "security". It's the chunk of data you ship out onto the big bad Internet, with the realization that it could at some point end up in the hands of someone besides LastPass. What makes it secure is it being hard to crack. Regularly changing passwords also mitigates the danger of a theoretically captured-and-attacked encrypted blob - if you rotate your passwords more regularly than someone could crack the encryption of a captured blob, the cracked blob would be of little value by the time someone gets inside of it, because all the passwords would be old.
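As an added illustration of the argument above (this is not code from the thread or from any password manager), the snippet below stretches a master password with PBKDF2-HMAC-SHA256, times that work to estimate an offline guess rate against a captured blob, and checks whether a given password rotation period outruns the expected cracking time. The iteration count and salt are constructed assumptions, not the parameters of any real vault format.

```python
import hashlib
import time

# Constructed parameters for illustration; real vault formats and iteration
# counts differ and are not taken from the thread.
ITERATIONS = 100_000
SALT = b"constructed-16-byte-salt"


def derive_key(master_password: str, salt: bytes = SALT,
               iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte vault key (PBKDF2-HMAC-SHA256).
    Whoever holds a captured blob must repeat exactly this work for every guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def measure_guesses_per_second(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Time the KDF on this machine to estimate a single-core offline guess rate."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess-{i}", iterations=iterations)
    return samples / (time.perf_counter() - start)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def blob_useful_to_attacker(entropy_bits: float, guesses_per_second: float,
                            rotation_days: float) -> bool:
    """True if the blob can be expected to fall before its passwords are rotated."""
    return expected_crack_seconds(entropy_bits, guesses_per_second) < rotation_days * 86400


if __name__ == "__main__":
    gps = measure_guesses_per_second()
    print(f"~{gps:.1f} PBKDF2 guesses/s on one core at {ITERATIONS} iterations")
    # Roughly: 6 lowercase letters, 4 words from a 2048-word list, 12 random printable chars.
    for bits in (28, 44, 80):
        attacker_gps = gps * 1_000_000  # assume a million cores of the same speed
        years = expected_crack_seconds(bits, attacker_gps) / (365 * 86400)
        print(f"{bits:>3} bits: ~{years:.3g} years; cracked before a 90-day rotation: "
              f"{blob_useful_to_attacker(bits, attacker_gps, 90)}")
```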

It's even better, of course, to never ship the blob out on the wire. The NSA et al will be highly interested in that data.

Depending on encryption alone is not a good idea; maintaining data hygiene is also important. If you're doing things really well, it should be possible to keep your password file unencrypted. Not that I recommend that, but the encryption should be a safety net, not your main line of defense.

In terms of security, the cloud is your enemy. Drum that into your head. The cloud is the enemy, the cloud is the enemy, the cloud is the enemy. It has been compromised by both corporations and governments. Do not trust it.

Malor wrote:

It's even better, of course, to never ship the blob out on the wire. The NSA et al will be highly interested in that data.

What I don't like about this attitude is that it overinflates one threat at the expense of more common, everyday threats.

For most people, the choice they're making isn't between LastPass and even more secure solutions. It's between LastPass and the absolutely horrible way they do things now.

For almost everyone reading this, your repeated passwords represent a FAR FAR FAR FAR FAR greater threat than the NSA.

For almost everyone reading this, your repeated passwords represent a FAR FAR FAR FAR FAR greater threat than the NSA.

But if you can solve the problem with a local solution, that's better than solving it with one over the wire.

Remember, the NSA saves encrypted data forever, because they think they'll someday be able to break it. Social mores change, and you may not want to be held responsible for actions today, judged by whatever craziness they've come up with to stigmatize or criminalize 20 years from now.

The cloud is better than repeated passwords, but local data, backed up regularly, is MUCH better than the cloud. As far as I know, they still have to have an actual warrant to break into your house.

Plus, depending on the continued goodwill and non-Security Lettered status of an American corporation is probably one of the dumbest things you can do, from a security perspective.

Malor wrote:

But if you can solve the problem with a local solution, that's better than solving it with one over the wire.

There is a significant trade-off when it comes to everyday usability. If the local solution was half as usable, the cloud one would not exist.

You could potentially 'usable' yourself into some very unpleasant circumstances.

If you actually care about security, the cloud is your enemy. Usability does not change that truth by one iota.

But Legion's right. If Keypass was more usable than LastPass, I would've been using that from the beginning and would have been recommending it to everyone versus LastPass.

The cloud is also probably a chem trail.

For anyone looking for alternatives, it's actually called KeePass. When I decided to go with better password security, I chose it over LastPass because it seemed like keeping all of that in a web-based service was defeating the purpose. My philosophy was that I may have been sacrificing a little ease-of-use, but gaining way more by not transmitting anything anywhere it didn't have to go.

Malor wrote:
For almost everyone reading this, your repeated passwords represent a FAR FAR FAR FAR FAR greater threat than the NSA.

But if you can solve the problem with a local solution, that's better than solving it with one over the wire.

Remember, the NSA saves encrypted data forever, because they think they'll someday be able to break it. Social mores change, and you may not want to be held responsible for actions today, judged by whatever craziness they've come up with to stigmatize or criminalize 20 years from now.

The cloud is better than repeated passwords, but local data, backed up regularly, is MUCH better than the cloud. As far as I know, they still have to have an actual warrant to break into your house.

Plus, depending on the continued goodwill and non-Security Lettered status of an American corporation is probably one of the dumbest things you can do, from a security perspective.

And let's not forget the Snowden revelation that the NSA have actively worked to weaken or add backdoors to standard crypto algorithms. And given the whole Lavabit shenanigans, can you really be sure that the LastPass system is fully secure (which is of course the issue with closed source crypto)?

Gravey wrote:

The cloud is also probably a chem trail.

Have you even been paying attention, for the last year?

Sheesh.

What I use is GPG and copy/paste.

Malor wrote:
Gravey wrote:

The cloud is also probably a chem trail.

Have you even been paying attention, for the last year?

Sheesh.

I'm going with Legion on this. I'll stick with LastPass, and yes I even use the bookmarklet sometimes, so nice to know that's been fixed. I'm more concerned about being hacked (which has happened) than about being thrown in the back of a black van (which has yet to happen). Besides, if the CIA really wants to pack me off to the Gulag, I assume they already have full access to my Gmail.

I appreciate your principles, but practicality wins for me, the average schmo. If you want to discuss my paranoia, I combat this problem by just staying out of the States for as long as possible.

I appreciate your principles, but practicality wins for me, the average schmo. If you want to discuss my paranoia, I combat this problem by just staying out of the States for as long as possible.

The comparison to "chem trails" was utter bullsh*t.

Lol, this thread is over

Yeah, I stick with KeePass too. I keep a copy of my password DB on a thumb drive and on my phone, for the KeePass free app.

Edwin wrote:

But Legion's right. If Keypass was more usable than LastPass, I would've been using that from the beginning and would have been recommending it to everyone versus LastPass.

LastPass is certainly a whole lot more convenient but I'm not convinced it is any more useable. That conceptual barrier for entry (getting on board with the whole password safe thing) and setting up the password db is about the same amount of 'work' in either case.

I store my KeePass db on my mobile phone. I have a KeePass client installed on all the machines that I would ever enter passwords into (my work PC, my home PC, my Mac, my iPad, my phone). If I need to open my password safe I connect my phone to one of my machines and open it. As my mobile is almost always already connected to the machine I'm working at, the process is already pretty streamlined.

It is a little annoying having to enter a password on a machine I don't control as I'll have to copy it from my mobile screen. But that happens so incredibly rarely these days that it is little burden, so that is the price I pay for managing my own password safe.

edit: for the record I set up my own KeePass and my partner's LastPass so I've seen both processes. Having seen how she struggled with the whole idea/notion and how she now uses it I remain unconvinced that LastPass is more useable for the actual average schmo (and she's pretty damn smart), unlike the kind of schmo engaged in this thread.

DanB wrote:
Edwin wrote:

But Legion's right. If Keypass was more usable than LastPass, I would've been using that from the beginning and would have been recommending it to everyone versus LastPass.

LastPass is certainly a whole lot more convenient but I'm not convinced it is any more useable. That conceptual barrier for entry (getting on board with the whole password safe thing) and setting up the password db is about the same amount of 'work' in either case.

I store my KeePass db on my mobile phone. I have a KeePass client installed on all the machines that I would ever enter passwords into (my work PC, my home PC, my Mac, my iPad, my phone). If I need to open my password safe I connect my phone to one of my machines and open it. As my mobile is almost always already connected to the machine I'm working at, the process is already pretty streamlined.

It is a little annoying having to enter a password on a machine I don't control as I'll have to copy it from my mobile screen. But that happens so incredibly rarely these days that it is little burden, so that is the price I pay for managing my own password safe.

edit: for the record I set up my own KeePass and my partner's LastPass so I've seen both processes. Having seen how she struggled with the whole idea/notion and how she now uses it I remain unconvinced that LastPass is more useable for the actual average schmo (and she's pretty damn smart), unlike the kind of schmo engaged in this thread.

You have to keep in mind, that I'm trying to get folks who don't even know basic computer/phone functionality to be doing this. LastPass is easier for non-techies than KeePass is.

Malor wrote:
I appreciate your principles, but practicality wins for me, the average schmo. If you want to discuss my paranoia, I combat this problem by just staying out of the States for as long as possible.

The comparison to "chem trails" was utter bullsh*t.

Of course it was. I'm adding a little levity before dejanzie is completely scared off.

Gravey wrote:
Malor wrote:
I appreciate your principles, but practicality wins for me, the average schmo. If you want to discuss my paranoia, I combat this problem by just staying out of the States for as long as possible.

The comparison to "chem trails" was utter bullsh*t.

Of course it was. I'm adding a little levity before dejanzie is completely scared off.


No problemo, I've known Malor for a while now.

Malor, you're not wrong, even though I'm unsure whether NSA reaches across the ocean into tiny Belgistan.

But I'm mostly with Legion and Gravey: LastPass (which I use) is at least a big step forward from manual passwords. And a 30 minute crash course was all it took to get my just-make-it-work wife aboard. My neighbors and a colleague are next.

Judging from the last few years of tech news, the most prominent password security issues are with database thefts. Having a password slightly better than your neighbor grants enough time to change it before it's too late.

Thanks all for the advice.

Malor, you're not wrong, even though I'm unsure whether NSA reaches across the ocean into tiny Belgistan.

We just saw links a day or two ago that they have authority to operate in basically every country on the planet. I think it's unlikely that they aren't.

You may have less to fear from them than we do, but that's not necessarily the case. Particularly if you're politically active, if you're championing causes the US doesn't like, well.....

Half-assed security is worse than no security, because you feel safe when you aren't.

I do not feel safe from the NSA or the Belgian National Security. Shielding myself from their intrusion is beyond my technical skills though, and I am honestly far more concerned with someone hacking into my e-mail to steal my identity/money/...

...waffles/beer

...patates frites/puntzakken...

Quintin_Stone wrote:

Yeah, I stick with KeePass too. I keep a copy of my password DB on a thumb drive and on my phone, for the KeePass free app.

There's a KeePass app? I've been wondering if anything like that existed so I wouldn't have to migrate to a cloud solution if I ever got tired of having to put my .kdb file on a thumb drive.

On iOS I've used MiniKeePass, and KeePassDroid on Android.

shoptroll wrote:
Quintin_Stone wrote:

Yeah, I stick with KeePass too. I keep a copy of my password DB on a thumb drive and on my phone, for the KeePass free app.

There's a KeePass app? I've been wondering if anything like that existed so I wouldn't have to migrate to a cloud solution if I ever got tired of having to put my .kdb file on a thumb drive.

Yeah, I've been using it for at least a year I think.

It'd be easy to sync the DB using Dropbox, though I'm sure some would not consider that ironclad secure.

Quintin_Stone wrote:

...waffles/beer

When you come after my waffles, you best not miss.

NSMike wrote:

On iOS I've used MiniKeePass, and KeePassDroid on Android.

I use KyPass on iOS, it's good.