[Cryptography] Lastpass hacked.

Tom Mitchell mitch at niftyegg.com
Wed Jun 17 01:52:10 EDT 2015


On Tue, Jun 16, 2015 at 8:39 PM, Theodore Ts'o <tytso at mit.edu> wrote:

> On Tue, Jun 16, 2015 at 10:34:03PM -0400, Jerry Leichter wrote:
> >
> > I have no problem storing encrypted data even on publicly accessible
> > systems if the key never leaves systems I control.
>
> At least in theory, LastPass can be configured
>

Since we have different security profiles (needs), data
values and access patterns, the answers will differ.

My first password manager was a 4x6 photo album from
Walmart. Instead of photos I inserted 4x6 note cards with
purpose and passwords. At a later time the data involved
was not mine, so the password was protected with tricks
less secure than ROT13 at first.

Companies have different issues. No one individual can
be permitted to keep critical keys in his head. People do
come and go on good terms and bad, so policy, recovery and audit
procedures are needed.

The most critical aspect is the need for audit and early discovery
of attack. Some services are happy to use a web cookie and
an SMS message to the user.

In this case the service seemed to have many of the right tools
and designs in place, but as a user I think I need a local
worksheet checklist of sites to change.

Next, with a password service the quality of the passwords
that a tool suggests can be critical. Password generators
are notorious for their problems.

Interesting tangle.


-- 
  T o m    M i t c h e l l