> **OSI bean dip posted:** How can we have this discussion about "people who play as security professionals on the Internet" yet then turn around and go on about "convenience [trumping] security"? Hold on, in the other thread you personally vouch for 1Password, which as far as I can tell is also closed-source and also not routinely audited by 3rd parties. And Lastpass seems to subscribe to a paranoid, transparent philosophy in their blog posts about data breaches, where they disclose and advise password changes even for suspicious activity where they have no reason to think user vaults were exposed. If you use a 3rd party host like Dropbox, are you really expecting to get full disclosure of potential breaches? By these arguments, shouldn't you be against everything except Keepass vaults, only stored locally? If you want to argue against any kind of cloud vault storage then do it, and acknowledge that you're leaving out a lot of users who just won't use a password manager that can't easily sync between multiple devices, including phones. But it sounds very disingenuous to ding one company for server security that is equally problematic for your preferred solutions (that is: not very problematic, as long as you use a strong password, right?)

> **Wiggly Wayne DDS posted:** If your password manager, by default, has an unencrypted key stored (dOTP) that can be used to authenticate, obtain the encrypted vault key, decrypt the vault key, bypass IP restrictions, bypass 2FA, and relies on local storage being impenetrable, then you've got a bit of a design flaw. We've seen the damage in the past when Lastpass had an XSS problem that let an attacker grab any plaintext passwords from a vault silently. You're not storing your vault on a single system by virtue of using Lastpass, so that is not the only possible angle of attack, and based on prior issues I can't comfortably advise people to use it for secure password storage. Especially given their response to the issues presented.

This, on the other hand, is a reasonable argument that they have exhibited some questionable security judgement w/r/t local attacks, and given their past transparency about possible server-side breaches, I was very disappointed in the detail of that response and exactly what mitigation strategies were put into place since being notified of the issues.

Only tangentially related, but I've also always been uncomfortable with Lastpass' suggestion that they can keep your vault and passwords safe on questionable computers, like those at an internet cafe, using OTPs. I don't know if anyone's directly tested how much of your info some malware could grab in this scenario, but the assertion seems wildly naive and liable to give users a false sense of security.

I've been using Lastpass for a few years and I'm not imminently terrified, but between this and the uncertainty surrounding the LogMeIn acquisition, I am looking at alternatives. I just tried installing 1Password for OS X and it errors out immediately upon opening it. Not exactly inspiring confidence here.
# Dec 29, 2015 21:49

# May 4, 2024 22:11
Guys my motorcycle has lovely brakes so what's the use in wearing a helmet?
# Dec 6, 2016 16:26