Kilroy
MVM
join:2002-11-21
Saint Paul, MN

1 recommendation

Kilroy to antdude

Re: My first foray into password management

LastPass user here. I have a Yubikey attached to it for two-factor authentication. Steve Gibson covered how it works on Security Now! - Episode 256 - LastPass. One of the main features that sold me is that LastPass can't give up your passwords, because they only store an encrypted version and you hold the key.

Another great feature is one-time-use passwords, which can be revoked at any time. I've printed up 10 to be used in case of my death to access my accounts.

mackey
Premium Member
join:2007-08-20

said by Kilroy:

LastPass can't give up your passwords, because they only store an encrypted version and you hold the key.

(The first part at least) is just not true. Even if they only have an encrypted version, there's no reason to believe they don't have a 2nd key that can also decrypt all the passwords. The fact that you can "share" a site and either person can change the password / site info is proof that there's another way to encrypt/decrypt passwords. Even if both of the above were not true, there's nothing preventing them from adding a "phone home" feature that sends them your "unlock" password. With the way Tor was compromised it wouldn't surprise me to find browser malware that swipes both your pass and your password database as well.

/M

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

The only perfect password solution is one where you have complete control of the total solution. In the real world this doesn't exist for most of us and we have to select a solution that works for us.

Being able to share a site only proves that there is a way to share the ability to connect to a site that you select, with your credentials, with individuals you trust. Here is how it is done.

You're right, they could all have phone home solutions, actually storing your unlock code would be sufficient, and be hosted by the NSA. If that is the case you'd be better off staying off the Internet altogether and investing in tinfoil. LastPass has been very up front in how their product functions.