[Cryptography] Lastpass hacked.

Jerry Leichter leichter at lrw.com
Tue Jun 16 22:34:03 EDT 2015


On Jun 16, 2015, at 7:19 PM, Randy Bush <randy at psg.com> wrote:
>> Apparently lastpass was hacked.  What else should a password service do
>> day in and day out?  What should a customer do beyond adding something
>> not on line?
> do not store critical secrets on others' systems.  period.  then, learn
> how to secure your own system(s); this is seriously hard.
That's too strong.  Don't store critical secrets *along with access credentials* on others' systems.

I have no problem storing encrypted data even on publicly accessible systems if the key never leaves systems I control.  For example, I use a cloud backup system which can be set so that data is encrypted before being sent and the key is kept on my own system.  (Yes, there is the problem of whether to believe the provider when he says it works this way.  That he's in fact lying is a risk I choose to take.)  In doing this, I give up the possibility of accessing my backed-up files using a Web browser - a service offered if I choose a lower level of security in which the provider has a copy of my key.

I've never used a password manager, but I'm willing to store encrypted passwords out in the cloud.  I have to decrypt them by hand and copy and paste them into place - I've deliberately given up the convenience of having them auto-magically populate the relevant fields.  I've always thought that was a good security tradeoff, and I'm even more sure now.
                                                        -- Jerry