Hammond
Terracotta Army
Posts: 637
Shrug, all you would need to do is compromise the webpage for a short period. When I was working in the ISP / webhosting world I saw more than a few websites compromised over the years without people noticing. Heck, I have seen servers owned 3 ways to Sunday without people noticing for months. You could make the change in the backend in such a way that antivirus scanners would never be triggered, so it would be up to the hoster / sysadmins to catch it. That being said, you are right, it is probably a small chance of it happening.
Really you have to weigh the risk / rewards to figure out if it is worth it to you. The benefits of a cloud-based password manager are essentially nil to me, so I do not see creating any risk of potentially getting compromised.
On that note, thank god this week is done. I am going to sit down and enjoy a beer and some TSW.
Lantyssa
Terracotta Army
Posts: 20848
I can see how a completely server-side solution (which sounds like Lastpass) would be a little more troubling since in theory somebody could hack Lastpass and replace their server software with something that steals your master password when you enter it. That's a pretty big stretch from any security breach we've seen so far, though (it's one thing to get a copy of a database, entirely another to actually replace the live page that clients use without anyone noticing). While it's possible for something like that to happen, I can't imagine that it'd go for very long before someone pulled the plug, and you as a user would only be compromised if you had the bad luck to access the site and give it your master password during that window. Since, again, assuming they at all know what they're doing, the database is all encrypted.
If they brute-force your master password, then they'll have everything. These programs may not store the password itself, but the hash is reproducible if they get the correct phrase. Maybe some are better than others, but I know with Password Safe if I move the file from machine to machine, I can open it using the individually installed programs.
Hahahaha! I'm really good at this!
bhodi
Moderator
Posts: 6817
No lie.
Shrug all you would need to do is compromise the webpage for a short period.... Lastpass and replace their server software with something that steals your master password when you enter it.
You still aren't understanding the technology or even basic cryptography. No passwords are uploaded or transmitted in raw form. The file is encrypted on the client and then the encrypted file is uploaded. The entire point of modern cryptography is that without the password, the bits are useless. You must have the master password to decrypt, and the ONLY way to get it is through a local keylogger when you type it in, someone looking over your shoulder, or a lead pipe to your knee. It literally does not matter if they man-in-the-middle, hijack your session, redirect through DNS poisoning, or even break into the server room and flat out steal the hard drives containing the file in which your passwords are stored. It doesn't matter if you email the file to yourself at mailinator.com or print it out in hex and put it on craigslist. Without an NSA supercomputer brute forcing it (or an undisclosed flaw in the encryption technology) your shit is safe once it's encrypted and the file is closed and out of memory. Period. Because memory reading and keyloggers are basically the only realistic vector, most of the programs go the extra step to watch for and defeat the common hooks those programs use. Nothing is absolutely safe, but you continue to dwell on a security threat that literally does not exist. You now have THREE people trying to explain this to you.
« Last Edit: August 10, 2012, 06:59:19 PM by bhodi »
Furiously
Terracotta Army
Posts: 7199
Why is this better than me using a different, hard to figure out password, writing them on a piece of paper and putting them all into a Stephen King book on my bookshelf?
Morat20
Terracotta Army
Posts: 18529
Two-factor authentication or some variant of asymmetric keys. And sooner or later, biometrics. I suspect the future of password security is closer to how we handle certificates than passwords.
Wherein basically anyone wanting to know "Is this Morat" goes to the certificate authority and verifies me against that, using the (partial) key I gave it. Which is effectively what those password managers use, but designed correctly each and every password for each and every website would be different (basically public-key encryption, just large scale).
I know my private key, I shake hands with the certificate authority who knows (say) Amazon's public key. Amazon has a public/private key with the certificate authority.
Kinda a monopoly (or very few centers) solution, though. Of course if you steal my private key I'm fucked, but if you add to the private key a token (like an RSA ID or biometric) they'd have to have my private key AND my token -- or fingers or whatnot).
If the Password authority is hacked you're fucked, since a hack there fucks everyone, but at least the response would (theoretically) be swift and encompassing, and a reset would at least resecure everything, including places you haven't used in years.
Hammond
Terracotta Army
Posts: 637
Bhodi, I think there is a misunderstanding somewhere. My last response was to Samwise, which was on the previous page. It was his comments on how to compromise the website itself. As far as the technology behind Lastpass, I understand it just fine, and I understand both the strengths and the weaknesses. What I am talking about in my statement is them capturing your password to the lastpass.com website itself and getting a copy of your encrypted data. This is only a problem if someone is using a weak password, of course, which someone could then brute force. On a side note, why did you merge both Samwise's and my quotes?
Shrug all you would need to do is compromise the webpage for a short period.... Lastpass and replace their server software with something that steals your master password when you enter it.
Edit to add: Apparently Lastpass could have been a victim of hacking last year. No details, but this is an interview with the CEO: http://www.pcworld.com/article/227268/lastpass_ceo_explains_possible_hack.html
Looks like it was just a few people that had potentially been hacked. I cannot for the life of me find a followup article with a better explanation.
« Last Edit: August 10, 2012, 08:20:40 PM by Hammond »
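Lantyssa's, bhodi's and Hammond's points above line up once the vault mechanics are laid out: the client stretches the master password into a key, encrypts locally, and uploads only the result, so whoever steals the uploaded file (or the lastpass.com login) gets nothing unless the master password itself can be guessed offline. The code below is an added example, not code from Lastpass, Password Safe or any of the posters. PBKDF2-HMAC-SHA256 for key stretching, the HMAC-SHA256 counter-mode toy cipher standing in for AES-GCM, the iteration count and the five-entry wordlist are all assumptions chosen so it runs on the Python standard library alone; the toy cipher is for illustration and not for real use.

```python
"""Added example: a client-side encrypted password vault, and what an attacker
holding only the uploaded blob can do with it (guess the master password offline).
Not code from any password manager; cipher construction is a stdlib-only stand-in."""
import hashlib
import hmac
import json
import os
from typing import Dict, Iterable, Optional

KDF_ITERATIONS = 100_000  # assumed work factor; real managers use more, or Argon2

# Constructed wordlist for the demonstration; a real attacker uses millions of entries.
WORDLIST = ["123456", "password", "letmein", "password1", "qwerty"]


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key. The random salt defeats
    precomputed tables; the iteration count makes each guess cost the attacker
    exactly what it costs the legitimate client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def _subkeys(key: bytes):
    """Separate encryption and MAC keys from the derived key (assumed labels)."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256(key, nonce || counter) blocks, XORed with data.
    A stand-in for AES-GCM so this runs without third-party packages."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(master_password: str, vault: Dict[str, str],
                  iterations: int = KDF_ITERATIONS) -> dict:
    """Client side: everything the server ever sees is the returned blob."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, iterations))
    plaintext = json.dumps(vault, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt.hex(), "nonce": nonce.hex(), "iterations": iterations,
            "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master_password: str, blob: dict) -> Optional[Dict[str, str]]:
    """Returns the vault, or None for a wrong password or a tampered blob.
    The MAC is checked before any decryption, so a bad guess learns nothing."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, int(blob["iterations"])))
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def guess_master_password(blob: dict, candidates: Iterable[str]) -> Optional[str]:
    """Attacker side: with only the stolen blob, try candidate master passwords offline.
    Each attempt costs a full PBKDF2 run, which is the only thing slowing this down."""
    for guess in candidates:
        if decrypt_vault(guess, blob) is not None:
            return guess
    return None


if __name__ == "__main__":
    secrets_to_store = {"amazon": "hunter2", "bank": "correct-horse"}  # constructed vault
    weak = encrypt_vault("password1", secrets_to_store)
    strong = encrypt_vault("a long unique passphrase nobody lists", secrets_to_store)
    print("weak master password recovered:", guess_master_password(weak, WORDLIST))
    print("strong master password recovered:", guess_master_password(strong, WORDLIST))
```

Run it and the weak vault falls to a five-word list while the strong one does not; that is the whole of Hammond's "only a problem if someone is using a weak password" and Lantyssa's "if they brute-force your master password, they'll have everything" in one place. Note also what the blob does not contain: no copy or hash of the master password, so the server, a man in the middle, or a stolen disk has nothing to compare guesses against except by doing the same KDF work per guess.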
Hammond
Terracotta Army
Posts: 637
Why is this better than me using a different, hard to figure out password, writing them on a piece of paper and putting them all into a Stephen King book on my bookshelf?
Convenience really. You have one place on your computer to store the passwords so you can paste them directly into website if you want.
Yegolev
Moderator
Posts: 24440
2/10 WOULD NOT INGEST
Maybe KeePass requires a bit of reading to set up, but the convenience of pressing CTRL-V and it logging me into things is pretty nice. I do still put some passwords into text files; it's all relative.
Why am I homeless? Why do all you motherfuckers need homes is the real question. They called it The Prayer, its answer was law Mommy come back 'cause the water's all gone
Ironwood
Terracotta Army
Posts: 28240
I forgot our anniversary.
Shit.
"Mr Soft Owl has Seen Some Shit." - Sun Tzu
Trippy
Administrator
Posts: 23657
Signe
Terracotta Army
Posts: 18942
Muse.
I forgive you. Don't know if your wife will though.
My Sig Image: hath rid itself of this mortal coil.
Ironwood
Terracotta Army
Posts: 28240
Indeed.
I'm in such trouble.
"Mr Soft Owl has Seen Some Shit." - Sun Tzu
Signe
Terracotta Army
Posts: 18942
Muse.
I  my new shoes.  Didn't there used to be a shoe thread around here? There must have been. I never go anywhere without shoes.
My Sig Image: hath rid itself of this mortal coil.
Furiously
Terracotta Army
Posts: 7199
What socks would you wear with those?
IainC
Developers
Posts: 6538
Wargaming.net
Holy shit it's Signe! 
Lantyssa
Terracotta Army
Posts: 20848
Sweet walk.
Hahahaha! I'm really good at this!
MuffinMan
Terracotta Army
Posts: 1789
I don't think I'd wear shoes if I were a zombie. I probably wouldn't even wear clothes, fuck it.
I'm very mysterious when I'm inside you.
Yegolev
Moderator
Posts: 24440
2/10 WOULD NOT INGEST
I forgot our anniversary.
Shit.
I'd love to give advice, but frankly you're inside the event horizon and my voice would seem unintelligible as you are spaghettified in your descent. From my experience, there isn't a card for "Sorry I Forgot Your Birthday" or a "Sorry I Forgot Our Anniversary" or "You Said You Didn't Want A Gift".
Why am I homeless? Why do all you motherfuckers need homes is the real question. They called it The Prayer, its answer was law Mommy come back 'cause the water's all gone
JWIV
Terracotta Army
Posts: 2392
Holy shit it's Signe!  
Signe
Terracotta Army
Posts: 18942
Muse.
What socks would you wear with those?
 ?
My Sig Image: hath rid itself of this mortal coil.
Soln
Terracotta Army
Posts: 4737
the opportunity for evil is just delicious
Holy shit it's Signe!   Wow. Welcome back :)
RhyssaFireheart
Terracotta Army
Posts: 3525
Holy shit it's Signe!  I thought I was seeing things and had to double-check the date.
proudft
Terracotta Army
Posts: 1228
It's not even 2014 anymore.
Nebu
Terracotta Army
Posts: 17613
Holy shit it's Signe!  YAY! Heya Signe! 
"Always do what is right. It will gratify half of mankind and astound the other."
- Mark Twain
cmlancas
Terracotta Army
Posts: 2511
Weird. Signe and I come back in the same week? Granted, I'm nowhere near an f13 superhero like she is. 
f13 Street Cred of the week: I can't promise anything other than trauma and tragedy. -- schild
Signe
Terracotta Army
Posts: 18942
Muse.
 I'm not a superhero, YOU'RE a superhero. 
My Sig Image: hath rid itself of this mortal coil.
Xuri
Terracotta Army
Posts: 1199
How old are you lol, how old, how old, how old are you lol!!!!!1!
Welcome back to the both of you! :) 
-= Ho Eyo He Hum =-
cmlancas
Terracotta Army
Posts: 2511
 I'm not a superhero, YOU'RE a superhero.  Was I inadvertently sexist there? Fine, fine. Superheroine! 
f13 Street Cred of the week: I can't promise anything other than trauma and tragedy. -- schild
Strazos
Greetings from the Slave Coast
Posts: 15542
The World's Worst Game: Curry or Covid
I thought I was seeing things and had to double-check the date.
Heh. +1 
Fear the Backstab! "Plato said the virtuous man is at all times ready for a grammar snake attack." - we are lesion "Hell is other people." -Sartre
proudft
Terracotta Army
Posts: 1228
I thought Nerf's dog was the superhero?
Lantyssa
Terracotta Army
Posts: 20848
Nah, he's Wonder Mutt.
Hahahaha! I'm really good at this!
Yegolev
Moderator
Posts: 24440
2/10 WOULD NOT INGEST
Weird. Signe and I come back in the same week?
Same day.
Why am I homeless? Why do all you motherfuckers need homes is the real question. They called it The Prayer, its answer was law Mommy come back 'cause the water's all gone
Sky
Terracotta Army
Posts: 32117
I love my TV an' hug my TV an' call it 'George'.
Don't forget tonight is peak Perseids, best just before dawn.
murdoc
Terracotta Army
Posts: 3037
Holy shit it's Signe!  
Have you tried the internet? It's made out of millions of people missing the point of everything and then getting angry about it
Xanthippe
Terracotta Army
Posts: 4779
I forgot our anniversary.
Shit.
Both my spouse and I forgot our 20th. We usually forget anniversaries, so we forgive each other. You could try "Every day is an anniversary" and bring her flowers at irregular intervals.