Mr Chips posted:If no-one ITT works for them, can we stop talking about it? Absolutely.
|
# ? Dec 18, 2015 03:37 |
|
|
Nobody should feel good about their posts in this thread, FYI.
|
# ? Dec 18, 2015 04:33 |
|
Mr Chips posted:Can you explain the mathematics for the first bit for everyone else who's interested in understanding why?

Hey man, the mathematical proof for it was written by Euclid (back in 300 BC, believe it or not) and you can read about the formal proof here: https://en.wikipedia.org/wiki/Euclid%27s_theorem

The proof goes like this:

You assume you have a finite set of prime numbers. In this case we'll say we have found every prime in the range of 0-1000, and the primes are denoted as p1, p2, p3, ..., pn, where pn is the last prime in the set.

Then you multiply all of those primes together to get a large composite number, which we'll call x. We know that any prime in the set of 0-1000 can divide this number and give us an integer result, since x = p1 * p2 * p3 * ... * pn (thanks to formal definitions of divisibility).

The contradiction to the original assumption that only a limited number of primes exists happens when we add 1 to the composite number, so y = x + 1. Since we made a composite number of ALL primes, then there must exist some pi (i is the index number) that can divide y, right? (Again due to formal definitions of divisibility.) However this is not the case, since we know y = x + 1 = (p1 * p2 * p3 * ... * pn) + 1, thus there exists no pi in our original set that divides y, so y must be a prime.

You can do this again and again (this is called a proof by induction) for every new prime you find (like c, d, e, ...etc). Therefore there are infinitely many primes.

I know this was posted a while ago, but I hope it helps.

elite_garbage_man fucked around with this message at 07:14 on Dec 18, 2015 |
# ? Dec 18, 2015 04:54 |
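Euclid's argument written out as a short derivation, added here as a worked example that is not part of the thread. The symbols p_1, ..., p_n, N and q are the only assumptions; the last line is a concrete instance showing that the product-plus-one need not itself be prime, it is enough that every prime factor it has is a new one.

```latex
\text{Suppose the primes are exactly } p_1, p_2, \ldots, p_n
\quad\text{and let}\quad N = p_1 p_2 \cdots p_n + 1 .

\text{For each } i:\quad N \equiv 1 \pmod{p_i}, \quad\text{so } p_i \nmid N .

N > 1 \;\Rightarrow\; N \text{ has a prime factor } q \text{ with } q \mid N .

\text{Since no } p_i \text{ divides } N,\quad q \notin \{p_1, \ldots, p_n\},
\quad\text{contradicting the assumption that the list was complete.}

\text{Instance:}\quad 2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 13 + 1 = 30031 = 59 \cdot 509 .
```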
|
elite_garbage_man posted:I know this was posted a while ago, but I hope it helps. cheers, thanks for answering that question (and the others who did)
|
# ? Dec 18, 2015 05:41 |
|
elite_garbage_man posted:I know this was posted a while ago, but I hope it helps. OK, you can be proud of your posting.
|
# ? Dec 18, 2015 05:55 |
|
I'm just gonna note that it's possible to disagree without being dicks to each other, so let's all work on making this thread about security and not nerds arguing.
|
# ? Dec 18, 2015 15:18 |
|
Alereon posted:I'm just gonna note that it's possible to disagree without being dicks to each other, so let's all work on making this thread about security and not nerds arguing. thanks also thanks for the av babyface nerd, whoever it was RISCy Business fucked around with this message at 16:13 on Dec 18, 2015 |
# ? Dec 18, 2015 15:50 |
|
Alereon posted:I'm just gonna note that it's possible to disagree without being dicks to each other, so let's all work on making this thread about security and not nerds arguing.
|
# ? Dec 18, 2015 18:41 |
|
|
# ? Dec 18, 2015 20:46 |
|
Best recommendations for password managers? Surely keeping them all in a Google Spreadsheet isn't considered best practice. I'm not interested in spending money on a service though. How is Safewin Cloud?
|
# ? Dec 20, 2015 22:32 |
|
FunOne posted:Best recommendations for password managers? Surely keeping them all in a Google Spreadsheet isn't considered best practice. I'm not interested in spending money on a service though. How is Safewin Cloud? Local only KeePass/PasswordSafe are decent. Online I'd say lastpass.
|
# ? Dec 20, 2015 22:41 |
|
FunOne posted:Best recommendations for password managers? Surely keeping them all in a Google Spreadsheet isn't considered best practice. I'm not interested in spending money on a service though. How is Safewin Cloud?
|
# ? Dec 20, 2015 22:53 |
|
I like LastPass with two-factor authentication. $12 a year is great, I looked at 1Password but it seemed very expensive for the amount of licenses I'd need to buy.
|
# ? Dec 20, 2015 23:22 |
|
Lastpass 2-factor doesn't actually do anything, so I wouldn't bother turning it on. Last I checked, anyway.
|
# ? Dec 20, 2015 23:32 |
|
bobbilljim posted:Lastpass 2-factor doesn't actually do anything, so I wouldn't bother turning it on. Last I checked, anyway.
|
# ? Dec 20, 2015 23:46 |
|
In all honesty my main use for a password manager is to easily track unique, complex passwords for each online account I use. I'm happy to make the trade off that someone stealing one of my devices and managing to log into it might not get asked for a second factor of authentication.
|
# ? Dec 20, 2015 23:58 |
|
Alereon posted:I guess you're talking about it not actually being required in all scenarios by default, like when offline? If security is more important than usability you can disable trusted devices and caching of credentials/vault contents, but that doesn't seem to be a good trade for most people. Could just be certain client apps, but last I checked if you have it enabled in Firefox you can sign in with the password and it will autofill any open web page you have, then you can tell the second factor popup to piss off and you still have the password filled in on whatever page. So I don't think it's actually enforced, rather it's up to the client app. e: this is when I had it set to not work offline
|
# ? Dec 21, 2015 00:16 |
|
bobbilljim posted:Could just be certain client apps, but last I checked if you have it enabled in Firefox you can sign in with the password and it will autofill any open web page you have, then you can tell the second factor popup to piss off and you still have the password filled in on whatever page. So I don't think it's actually enforced, rather it's up to the client app.
|
# ? Dec 21, 2015 01:13 |
|
Lastpass has had too many dumb security issues. Use 1password or KeePass.
|
# ? Dec 21, 2015 10:25 |
|
Wiggly Wayne DDS posted:Lastpass has had too many dumb security issues. Use 1password or KeePass.
|
# ? Dec 21, 2015 15:58 |
|
I also only know of one "breach" that Lastpass has had, and all it did was release stuff that's already encrypted up the wazoo.
|
# ? Dec 21, 2015 16:00 |
|
Inspector_666 posted:I also only know of one "breach" that Lastpass has had, and all it did was release stuff that's already encrypted up the wazoo. Alereon posted:KeePass requires your own db management solution and 1password requires you to purchase a separate license for every platform, both of which are dealbreakers for most normal people. If you are a nerd and a local db works for you then not trusting anyone else with your data is obviously safest.
|
# ? Dec 21, 2015 16:24 |
|
Wiggly Wayne DDS posted:Here's a rundown of an audit publicised last month: http://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it/
|
# ? Dec 21, 2015 16:43 |
|
Alereon posted:Lastpass isn't insecure, it just makes intelligent default choices to balance security and convenience for its users. Most people want features like trusted devices and offline access to their vault, and if you don't no one makes you keep them enabled.
|
# ? Dec 21, 2015 16:44 |
|
Wiggly Wayne DDS posted:Those are issues for people needing multi-platform solutions, I doubt that is the majority of the userbase and doesn't excuse using an insecure manager. Isn't the entire draw of cloud-based password managers multi-platform support? I've thought about going back to just KeePass from Lastpass, but I figure if the biggest threat to my Lastpass info requires somebody have local control over my computer I'm hosed either way.
|
# ? Dec 21, 2015 16:45 |
|
Inspector_666 posted:Isn't the entire draw of cloud-based password managers multi-platform support?
|
# ? Dec 21, 2015 16:46 |
|
Wiggly Wayne DDS posted:Did you read the audit at all?
|
# ? Dec 21, 2015 16:59 |
|
Alereon posted:Yes, it says that if credentials are saved locally to your machine, then an attacker with access to your machine may be able to gain access to your Lastpass vault data and account. This is not the threat model most people care about, and anyone that does can mitigate it by making changes to their account settings. Honestly dude you are making mountains out of molehills, Lastpass is compellingly better than the alternatives for everyone that isn't an autist and doesn't want to buy an app once for every platform they own.
|
# ? Dec 21, 2015 17:24 |
|
Alereon posted:Lastpass is compellingly better than the alternatives [...] doesn't want to buy an app once for every platform they own. KeePass doesn't cost money and works on virtually every platform out there. It works great with Dropbox and works fine for autists and non-autists alike.
|
# ? Dec 21, 2015 18:00 |
|
Alereon posted:KeePass requires your own db management solution and 1password requires you to purchase a separate license for every platform, both of which are dealbreakers for most normal people. If you are a nerd and a local db works for you then not trusting anyone else with your data is obviously safest. I have no idea what you're talking about with KeePass. I've used KeePass2 for years now, and I've never set up a database. It asks you how many PBKDF2 (I think) rounds you want to use but also provides a helpful "optimize for 1 second" button. I just throw it in a Dropbox after that. Nowadays it can even helpfully merge changes if it's been modified elsewhere since it was opened. I use it on Linux with Wine, there's freeware Android implementations, etc. SeaFile is probably better than Dropbox from a security standpoint. Paul MaudDib fucked around with this message at 20:58 on Dec 21, 2015 |
# ? Dec 21, 2015 20:55 |
|
I feel like if you think LastPass is insecure "just throw your entire password DB into Dropbox!" isn't really much better...
|
# ? Dec 21, 2015 20:59 |
|
Inspector_666 posted:I feel like if you think LastPass is insecure "just throw your entire password DB into Dropbox!" isn't really much better... Please explain how you have come to this conclusion. You're (mostly) in control and provided that you don't set your KeePass file to some dumb password, putting it on Dropbox or some other hosting service is far better than trusting that the algorithm used on LastPass isn't being hobbled by any inadequately written software. Hell, you can combine it with a keyfile if you're even less trusting of this method. You can at least inspect how KeePass is treating your passwords whereas you're trusting a blackbox with LastPass that has had a number of problems in the past five years.
|
# ? Dec 21, 2015 21:04 |
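The two posts above touch on three things a local-vault setup relies on: the PBKDF2 round count and the "optimize for 1 second" button, combining the master password with a keyfile, and parking the resulting encrypted container on a hosting service like Dropbox. The following is an added example, not the thread's or KeePass's own code, using only the Python standard library. It assumes a hypothetical composite-key layout (password hash and keyfile hash concatenated, then hashed again), a hypothetical `calibrate_iterations` timing loop standing in for the optimize button, and an HMAC tag over the container so that a modification of the synced file is detected on open; the symmetric encryption of the container body itself is assumed to be done with an AEAD from a crypto library and is represented by a constructed placeholder blob.

```python
"""Added example (not from the thread, not KeePass's code): a KeePass-style
master key built from a password plus an optional keyfile, a PBKDF2 round
count calibrated to a time budget, and a tamper-evident container that can
sit on an untrusted file host.  Standard library only."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample inputs; none of these are real secrets.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_KEYFILE = bytes(range(32))            # stands in for a random keyfile
SAMPLE_SALT = b"\x10" * 16                   # stored in the clear in the container header
SAMPLE_CONTAINER = b"\x01\x02\x03ciphertext-placeholder"  # constructed opaque blob


def composite_key(master_password: str, keyfile: Optional[bytes] = None) -> bytes:
    """Hash the password and the keyfile separately, then hash the concatenation.
    Same idea as KeePass's composite key (hypothetical layout, not its exact
    format): once a keyfile is in play, the password alone cannot rebuild the key."""
    parts = hashlib.sha256(master_password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(parts).digest()


def derive_vault_key(master_password: str, salt: bytes, iterations: int,
                     keyfile: Optional[bytes] = None) -> bytes:
    """Stretch the composite key with PBKDF2-HMAC-SHA256.  `iterations` is the
    'rounds' setting discussed in the thread: each extra round makes every
    offline guess of the master password cost the attacker more."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(master_password, keyfile),
                               salt, iterations, dklen=32)


def calibrate_iterations(target_seconds: float = 1.0, probe: int = 20_000,
                         minimum: int = 100_000) -> int:
    """Hypothetical equivalent of the 'optimize for 1 second' button: time a
    probe derivation and scale the round count so one unlock takes about
    target_seconds on this machine.  Never drop below `minimum`, so a slow
    laptop does not pick a count that is trivial for an attacker's GPU rig."""
    started = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"calibration-probe", os.urandom(16), probe, dklen=32)
    elapsed = time.perf_counter() - started
    if elapsed <= 0:
        return minimum
    return max(minimum, int(probe * target_seconds / elapsed))


def seal_container(vault_key: bytes, container: bytes) -> bytes:
    """Append an HMAC tag under a key derived from the vault key.  The file that
    lands on the hosting service is then opaque *and* tamper-evident."""
    mac_key = hmac.new(vault_key, b"container-mac", hashlib.sha256).digest()
    return container + hmac.new(mac_key, container, hashlib.sha256).digest()


def open_container(vault_key: bytes, sealed: bytes) -> Optional[bytes]:
    """Return the container body if its tag verifies, None otherwise."""
    if len(sealed) < 32:
        return None
    body, tag = sealed[:-32], sealed[-32:]
    mac_key = hmac.new(vault_key, b"container-mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    # constant-time comparison so a verifier does not leak how many tag bytes matched
    return body if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    rounds = calibrate_iterations(target_seconds=0.2)   # short budget for the demo
    key = derive_vault_key(SAMPLE_PASSWORD, SAMPLE_SALT, rounds, keyfile=SAMPLE_KEYFILE)
    sealed = seal_container(key, SAMPLE_CONTAINER)
    print(f"rounds={rounds} key={key.hex()[:16]}... sealed={len(sealed)} bytes")
    # flipping a single byte of the synced file makes it refuse to open
    tampered = bytes([sealed[0] ^ 0xFF]) + sealed[1:]
    print("tampered container opens:", open_container(key, tampered) is not None)
```

The point of the tag is the one OSI bean dip makes: plaintext-at-rest on the host is tolerable when what is stored is an encrypted, authenticated blob, because the host can neither read it nor silently alter it. The round-count minimum is the one knob worth thinking about: the calibration reflects the speed of the machine doing the unlocking, not the speed of whoever is guessing.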
|
OSI bean dip posted:Please explain how you have come to this conclusion. You're (mostly) in control and provided that you don't set your KeePass file to some dumb password, putting it on Dropbox or some other hosting service is far better than trusting that the algorithm used on LastPass isn't being hobbled by any inadequately written software. Hell, you can combine it with a keyfile if you're even less trusting of this method. Last time there was a discussion about this the overwhelming opinion from goons was that Dropbox was a security joke and your data might as well just be publicly accessible. Then again that conversation was just as dripping with toxic condescension as this thread has been so maybe I missed something.
|
# ? Dec 21, 2015 21:07 |
They're not advocating putting your passwords on dropbox, but to use it to hold the encrypted container that KeePass needs so you can keep it synched between devices. As long as you feel that the container is secure then the risk you're taking hosting it on dropbox is minimized by rotating passwords.
|
|
# ? Dec 21, 2015 21:13 |
|
Inspector_666 posted:Last time there was a discussion about this the overwhelming opinion from goons was that Dropbox was a security joke and your data might as well just be publicly accessible. Dropbox security is a complete joke because the data is stored in plaintext when at rest. There is no argument from me on this at all. However, you're telling me that is worse than trusting LastPass, a service that stores passwords for millions of users? A service that has been in a supposed targeted attack in the past year? A service that has had issues with credentials being stolen from the browser last year? A service that has had its users change their master password in the past? And we're going on about Dropbox being insecure because someone could read the password file on your system? At least if you're saving the KeePass (or 1Password) file via Dropbox you don't have to be as concerned about someone modifying the application to allow others to read the data. The type of attack on Juniper's VPN source code is far more likely with LastPass than with KeePass to say the least. Have you given any consideration to this?
|
# ? Dec 21, 2015 21:17 |
|
Wiggly Wayne DDS posted:If your password manager, by default, has an unencrypted key stored (dOTP) that can be used to authenticate, obtain the encrypted vault key, decrypt the vault key, bypass IP restrictions, bypass 2FA and relies on local storage being impenetrable then you've got a bit of a design flaw. We've seen the damage in the past when Lastpass had an XSS problem that let an attacker grab any plaintext passwords from a vault silently. You're not storing your vault on a single system by virtue of using Lastpass so that is not the only possible angle of attack, and based on prior issues I can't comfortably advise people to use it for secure password storage. Especially given their response to the issues presented. OSI bean dip posted:KeePass doesn't cost money and works on virtually every platform out there. It works great with Dropbox and works fine for autists and non-autists alike. Alereon fucked around with this message at 21:21 on Dec 21, 2015 |
# ? Dec 21, 2015 21:19 |
|
Alereon posted:KeePass is worthless for average users because it requires you to roll your own db storage and synchronization solution. Saying "just use dropbox" is great for autists who want to live independently, but it's absolutely not a solution that Just Works in the way Lastpass does. You're a smart guy, you know all this, so I don't get why you won't accept that LastPass offers the best balance between security and usability for most people. My post above adequately demonstrates why using LastPass is a terrible suggestion and should be avoided at all costs. If you're the kind of person that has come to the conclusion that LastPass is necessary, you're the kind of person that is capable of setting up a cloud-based file distribution service.
|
# ? Dec 21, 2015 21:21 |
|
Alereon posted:You are inventing fake concerns. The default configuration of Lastpass does not protect you from an attacker with access to your machine, because that is not a relevant threat for most users and changing the way the software works to protect against that would require usability compromises that are unacceptable to most users. Users for whom those compromises ARE acceptable can change their account settings, or hell just use KeePass if they care that much. quote:KeePass is worthless for average users because it requires you to roll your own db storage and synchronization solution. Saying "just use dropbox" is great for autists who want to live independently, but it's absolutely not a solution that Just Works in the way Lastpass does. You're a smart guy, you know all this, so I don't get why you won't accept that LastPass offers the best balance between security and usability for most people. Let's be real, features like offline access
|
# ? Dec 21, 2015 21:28 |
|
OSI bean dip posted:My post above adequately demonstrates why using LastPass is a terrible suggestion and should be avoided at all costs. If you're the kind of person that has come to the conclusion that LastPass is necessary, you're the kind of person that is capable of setting up a cloud-based file distribution service. Wiggly Wayne DDS posted:"Just Works" isn't a security concept. You may like those features but that doesn't make them the main reason a user uses software - accessibility and prominence in the landscape are major considerations. Consider how often you've pushed LastPass without finding out if a user needs to have vault access on more than one machine. Is the user making an informed decision across these products, or is their decision making impacted by other peoples' biases? Alereon fucked around with this message at 21:35 on Dec 21, 2015 |
# ? Dec 21, 2015 21:29 |
|
|
Alereon posted:Your post describes some very vague and not-at-all-compelling reasons why people should be cautious about trusting their data to Lastpass. And yes, any security professional (or someone who plays one on the Internet) is perfectly capable of setting up their own cloud-based db synch solution, but those security professionals aren't asking for advice on how to manage their passwords. Someone who asks security professionals what password management solution to use should be directed to Lastpass. quote:Here's the problem. Convenience is so vastly more important than your theoretical security concerns that I am stunned we are still having this discussion. This fact has been a foundational principle of information security practices for quite some time. This is because users will work around inconvenient practices with MUCH less secure practices, such as how users respond to strong password requirements by reusing passwords. This is why the priority when creating a process for users MUST be that the process be so convenient users will never be tempted to work around it.
|
# ? Dec 21, 2015 21:41 |