Lastpass Vulnerability
XSS flaw explanation (don't really understand this)
Quote
Yep... I'd have left LastPass immediately if they'd revealed passwords. I'm not that bothered about someone potentially knowing the sites I go to. Most of them are stuff like forums (where you can see my username anyway) and Facebook (which are obvious sites for just about everyone).
What you said about password variations is fine, but it doesn't take into account this wouldn't work in practice. Most, if not all, sites I go to will lock you out for 10 to 30 minutes after 3 to 5 password fails. The only way any type of brute force (even a variation guessing) attack would work is if they had access to the database itself, which would be extremely rare and while possible (Gawker!) is very unlikely. Also, my example of adding "123" was just an example, and would probably be very early in any list of variations. You could use something better which would be harder to guess as a variation.
(A) is true, but there are also risks with not using such a service that you have to weigh up. For example, password re-use, tending to use predictable passwords versus random passwords, risk of phishing (LP would only enter the pw on the real site), keyloggers, being watched/recorded typing pw in, etc.
(B) + (C) exactly what I do. I can't (I don't think anyway) use LP for my bank as it asks for random characters from two passphrases. I don't use it for Gmail or PayPal (I use 2-factor though for both). I already use Facebook's login-from-new-computer notification. All good advice.
Source
Open-source desktop password manager vs. proprietary cloud-based password manager, food-for-thought discussion:
Quote
Why would anyone trust a proprietary security tool? Have we learned nothing?
Quote
Essential parts of their code can be reviewed.
Incentives matter. LastPass has every incentive to keep their system secure -- one serious breach and their business is dead.
While open source has advantages, it doesn't help if there are not enough people maintaining it, and if security patches are not pushed to you automatically. Peer review is not the only factor in the game.
Source