
List:       cryptography
Subject:    Re: [Cryptography] Lastpass hacked.
From:       Tom Mitchell <mitch () niftyegg ! com>
Date:       2015-06-17 5:52:10
Message-ID: CAAMy4UTWwAn2CTsup+iFc5Ey_z7Cyu=UL_fOrksTRa9ZeyHftQ () mail ! gmail ! com

On Tue, Jun 16, 2015 at 8:39 PM, Theodore Ts'o <tytso@mit.edu> wrote:

> On Tue, Jun 16, 2015 at 10:34:03PM -0400, Jerry Leichter wrote:
> >
> > I have no problem storing encrypted data even on publicly accessible
> > systems if the key never leaves systems I control.
>
> At least in theory, LastPass can be configured
>

Since we have different security profiles (needs), data
values and access patterns, the answers will differ.

My first password manager was a 4x6 photo album from
Walmart. Instead of photos I inserted 4x6 note cards with
purpose and passwords.   At a later time the data involved
was not mine, so the password was protected with tricks
less secure than ROT13 at first.

Companies have different issues.   No one individual can
be permitted to keep critical keys in his head.   People do
come and go, on good terms and bad, so policy, recovery and audit
procedures are needed.

The most critical aspect is the need for audit and early discovery
of attack.   Some services are happy to use a web cookie and
an SMS message to the user.

In this case the service seemed to have many of the right tools
and designs in place, but as a user I think I need a local
worksheet checklist of sites to change.

Next, with a password service the quality of the passwords
that a tool suggests can be critical.   Password generators
are notorious for their problems.

Interesting tangle.


-- 
  T o m    M i t c h e l l
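The post above says password generators are notorious for their problems but names no tool and no specific defect. The following is an added example, not code from the post or from any product discussed in the thread: it demonstrates one classic generator defect, modulo bias (mapping a random byte onto the alphabet with `byte % len(alphabet)`), shows how to measure the bias and the entropy the generator actually delivers, and shows the rejection-sampling fix. The 94-character printable-ASCII alphabet, the byte-oriented source and all function names are assumptions made for the illustration.

```python
# Added example (not from the original post): checking a password
# generator for modulo bias and measuring the entropy it delivers.
# Assumptions for illustration: a 94-symbol printable-ASCII alphabet
# and a generator that draws one random byte (0..255) per character.
import math
import secrets
import string
from collections import Counter
from typing import Iterator

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def modulo_weights(alphabet_len: int, byte_range: int = 256) -> list:
    """How many of the byte_range input values land on each alphabet index
    when a generator does alphabet[byte % len(alphabet)].  Unless
    alphabet_len divides byte_range, the low indices get one extra value."""
    counts = Counter(b % alphabet_len for b in range(byte_range))
    return [counts[i] for i in range(alphabet_len)]


def max_bias_ratio(alphabet_len: int, byte_range: int = 256) -> float:
    """Ratio of the most- to least-likely symbol under modulo selection;
    1.0 means the selection is uniform."""
    weights = modulo_weights(alphabet_len, byte_range)
    return max(weights) / min(weights)


def entropy_bits(weights) -> float:
    """Shannon entropy in bits of one symbol drawn with the given weights."""
    total = sum(weights)
    return -sum((w / total) * math.log2(w / total) for w in weights if w)


def min_entropy_bits(weights) -> float:
    """Min-entropy: the figure that matters for guessing, since an attacker
    tries the most likely symbol first."""
    return -math.log2(max(weights) / sum(weights))


def unbiased_index(alphabet_len: int, byte_source: Iterator[int]) -> int:
    """Rejection sampling: discard bytes from the incomplete final block so
    every alphabet index is equally likely.  byte_source yields 0..255."""
    limit = 256 - (256 % alphabet_len)  # largest multiple of alphabet_len <= 256
    while True:
        b = next(byte_source)
        if b < limit:
            return b % alphabet_len


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Uniform generator on the OS CSPRNG.  secrets.choice rejection-samples
    internally via secrets.randbelow, so it has no modulo bias."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length: int, alphabet_len: int) -> float:
    """Entropy in bits of a uniformly generated password of this length."""
    return length * math.log2(alphabet_len)


if __name__ == "__main__":
    n = len(ALPHABET)
    biased = modulo_weights(n)
    print(f"alphabet size {n}, modulo bias ratio {max_bias_ratio(n):.2f}")
    print(f"uniform: {entropy_bits([1] * n):.3f} bits/char, "
          f"modulo-biased: {entropy_bits(biased):.3f} bits/char, "
          f"min-entropy {min_entropy_bits(biased):.3f} bits/char")
    print(f"16-char password: {password_entropy_bits(16, n):.1f} bits: "
          f"{generate_password(16)}")
```

With 94 symbols, 256 % 94 = 68, so the first 68 symbols are each hit by three byte values and the remaining 26 by two: a 1.5x bias between symbols. The Shannon entropy loss per character is small, but the bias is exactly the kind of structure a guessing attack can exploit, and it disappears entirely for power-of-two alphabets or with the rejection-sampling loop shown. A review of any generator should also confirm that its randomness comes from a CSPRNG (here the `secrets` module), not from a time-seeded `random.Random`.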

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
