On Tue, Feb 5, 2019 at 2:34 AM Dale <rdalek1...@gmail.com> wrote:
>
> Rich Freeman wrote:
> > On Mon, Feb 4, 2019 at 5:12 PM Dale <rdalek1...@gmail.com> wrote:
> >> Neil Bothwick wrote:
> >>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
> >>>
> >>>>> One reason I use LastPass, it is mobile.  I can go to someone else's
> >>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> >>>>> logoff and it is like I was never there.
> >>>> As much as I like Lastpass I would never do that.  It isn't magic - it
> >>>> is javascript.  If there is a compromise on your computer, then your
> >>>> password database will be compromised.  This is true of other
> >>>> solutions like KeePassX and so on - if something roots your box then
> >>>> it will be compromised.
> >
> >> I might point out, LastPass encrypts the password before sticking it in
> >> a file.  It isn't visible or plain text.  Even getting the file would
> >> still require some tools and cracking to get the password itself.
> > That assumes you're attacking the password file directly.
> >
> > If you're using lastpass on a compromised system then there are many
> > ways that can be used to bypass the encryptions.  They could sniff
> > your master password when you key it in, or read it directly from the
> > browser's memory.  These things are protected from sandboxed code in
> > your browser, but not from processes running outside the browser
> > (unless again you're using a non-conventional privilege system like
> > selinux/android/etc).
>
> One could argue the same thing with any password tool out there tho,
> right?

Of course.  This is by no means specific to Lastpass.  I wasn't
reacting to your use of Lastpass (I use it myself).  I was reacting to
your statement that you can go to someone else's computer and use
lastpass on that computer and then log off and it is as if you were
never there.

> Given I only install things from
> trusted sources, the odds of that happening are likely very small.

Not if you go typing your Lastpass master password into computers
owned by people who aren't as careful as you are...

If you do want the benefits of a password manager on an untrusted
computer then you might want to look into the hardware/USB-based
solutions, or alternatives like U2F and so on.

Now, you're still vulnerable to MITM attacks and so on against the
sites you're actually logging into, but your credentials for other
sites would not be at risk since they stay on the hardware device,
which is going to be hardened against USB attacks (well, at least you
hope it would be).  If you're using conventional passwords then of
course something could still sniff that password since it has to pass
through the untrusted computer.  If you're using OTPs or U2F/etc then
you may still be vulnerable to some cookie-based attacks and MITM and
so on, but if you log off at the end of your session that at least
limits their duration.

Personally I would like to switch to a hardware-based solution, but
they have their own set of downsides:

1.  Less convenience - you have to physically have the device on you
(I don't carry my keys around in the house/etc), and plug it in when
you want to use it.
2.  Recovery options aren't always great.  Often these devices don't
really have their own recovery solution, and you're stuck following
the recovery options on each individual site.  Many of these are
pretty lousy.
3.  Often no support for multiple hardware devices (and keeping them
in sync).  Again you're stuck with what individual sites allow, and
many sites don't let you have multiple hardware tokens registered.
4.  Lack of convenience features like auto-changing passwords.  Some
software-based solutions have this.  Though, to be honest, I rarely
trust these because if something goes wrong I could lose account
access and this can be difficult or impossible to recover from in many
situations.

A big advantage (and disadvantage) of the software-based solutions is
that they're just data files and you can back them up trivially.

Really though a lot of this boils down to the fact that PKI is a hard
problem without a trusted and convenient mediator, and this largely
doesn't exist in the world of free online services.

-- 
Rich