Topic: Good week for Software Security FUD (MSE and LastPass vulnerability found)
Paul Keith
« on: February 27, 2011, 03:10:06 PM »

MSE vulnerability

LastPass Vulnerability

XSS flaw explanation (don't really understand this)

Quote
Yep... I'd have left LastPass immediately if they'd revealed passwords. I'm not that bothered about someone potentially knowing the sites I go to. Most of them are stuff like forums (where you can see my username anyway) and Facebook (which are obvious sites for just about everyone).
What you said about password variations is fine, but it doesn't take into account that this wouldn't work in practice. Most, if not all, sites I go to will lock you out for 10 to 30 minutes after 3 to 5 password fails. The only way any type of brute force (even a variation guessing) attack would work is if they had access to the database itself, which would be extremely rare and, while possible (Gawker!), is very unlikely. Also, my example of adding "123" was just an example, and would probably be very early in any list of variations. You could use something better which would be harder to guess as a variation.
(A) is true, but there are also risks with not using such a service that you have to weigh up. For example, password re-use, tending to use predictable passwords versus random passwords, risk of phishing (LP would only enter the pw on the real site), keyloggers, being watched/recorded typing the pw in, etc.
(B) + (C) are exactly what I do. I can't (I don't think anyway) use LP for my bank as it asks for random characters from two passphrases. I don't use it for Gmail or PayPal (I use 2-factor though for both). I already use Facebook's login-from-new-computer notification. All good advice.

Source

Open source desktop password manager vs. Proprietary Cloud-based password manager food for thought discussion:

Quote
Why would anyone trust a proprietary security tool? Have we learned nothing?

Quote
Essential parts of their code can be reviewed.
Incentives matter. LastPass has every incentive to keep their system secure -- one serious breach and their business is dead.
While open source has advantages, it doesn't help if there are not enough people maintaining it, and if security patches are not pushed to you automatically. Peer review is not the only factor in the game.

Source

<reserve space for the day DC can auto-generate your signature from your personal PopUp Wisdom quotes>
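The lockout behaviour the quoted post leans on (a 10 to 30 minute lock after 3 to 5 failed logins) is easy to model. The following Python sketch is an added example, not code from the thread or from LastPass: it implements such a per-account lockout with an injected clock and computes the ceiling it puts on online guessing, which is the contrast the post draws with an offline attack on a leaked database. Class names, the account name "alice" and the default thresholds are my own constructed choices.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class LockoutPolicy:
    # Constructed thresholds in the range the quoted post describes (3-5 fails, 10-30 min).
    max_failures: int = 5
    lock_seconds: int = 30 * 60

@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or lock
    locked_until: float = 0.0  # clock value at which the current lock expires

class LoginGuard:
    """Per-account lockout; the clock is injected so the policy can be simulated offline."""
    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float]):
        self.policy, self.clock, self.state = policy, clock, {}

    def attempt(self, user: str, password_ok: bool) -> str:
        now = self.clock()
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"            # refused without even evaluating the password
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.failures = 0
            st.locked_until = now + self.policy.lock_seconds
            return "locked"
        return "denied"

def max_online_guesses_per_day(policy: LockoutPolicy) -> int:
    """Ceiling on guesses one account absorbs per day: a burst of max_failures,
    then a forced wait of lock_seconds (no such ceiling exists offline against a leaked hash)."""
    return policy.max_failures * (86_400 // policy.lock_seconds)

def demo() -> list:
    t = [0.0]                                  # fake clock, advanced by hand
    guard = LoginGuard(LockoutPolicy(), clock=lambda: t[0])
    results = []
    for _ in range(5):                         # five wrong guesses trip the lock
        results.append(guard.attempt("alice", False)); t[0] += 1
    results.append(guard.attempt("alice", True))   # correct password, but locked
    t[0] += 30 * 60                                # wait out the lock
    results.append(guard.attempt("alice", True))   # accepted once the lock expires
    return results
```

Calling demo() returns the seven verdicts in order (four "denied", two "locked", then "ok"), and max_online_guesses_per_day(LockoutPolicy()) gives 240, the most guesses one account can absorb per day at the default thresholds.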
Deozaan
« Reply #1 on: February 27, 2011, 05:02:42 PM »

Grr! I just started using LastPass since the whole Gawker fiasco! Now I have to switch?

Perry Mowbray
« Reply #2 on: February 27, 2011, 09:15:11 PM »

Quote
Grr! I just started using LastPass since the whole Gawker fiasco! Now I have to switch?

No... I'd just keep your very sensitive passwords (banks etc) out of the cloud.

PayPal is my main issue I think as all my banks use other measures that are not stored in LP.
« Last Edit: February 27, 2011, 09:32:26 PM by Perry Mowbray »

DonationCoder.com Forum