Ubuntu Forums - FYI

Patrick Asselman iceblink at seti.nl
Wed Jul 24 09:42:14 UTC 2013


On 2013-07-24 10:31, Sajan Parikh wrote:
> On 07/24/2013 03:00 AM, pete smout wrote:
>> You are right, until last year I still held by what I was taught 15-20
>> years ago, not to write psswd's down! I learnt the hard way!!! Now I
>> never use the same password twice and have a note book (paper one, very
>> 19th century) sat next to my PC with ALL psswd's noted in it, and all
>> the important ones in my head (which of course you can never remember at
>> the correct time, but that is my faulty software, and I am still trying
>> to debug).
>>
>> Please I urge anyone on this list to change their passwords to something
>> unique, it is *FAR LESS HASSLE THAN HAVING EVERYTHING HACKED* by some
>> individual / company :)
>>
>> Pete
>
> Why not use a service like LastPass?  Everything is
> encrypted/decrypted client-side using your own, strong master
> password.  This makes it ridiculously easy to have strong, 18
> character, Alpha-numeric + symbols passwords unique to each service
> and site.
>
> We use LastPass enterprise and the secure notes feature to easily,
> and securely share credentials.
>
> I'm fairly sure we pay less than $30/yr or something as well.
>
> **Before anyone replies to this with the inevitable, "why would you
> give all your passwords to one company" response, please alleviate
> yourself of ignorance and learn how LastPass actually works, and if
> you're not too familiar with software and/or cryptography, please
> don't hate on LastPass with some tinfoil hat theory.

I've done a little bit of reading on this LastPass, and it all sounds 
very nice, but in the end you still need to trust them.

For those who haven't read up on it: Basically you use their(!) 
software (either a javascript or a browser plugin) to first encrypt and 
then send your password their way. So the claim is that the password 
never leaves your computer unencrypted and they themselves cannot even 
see your password because all they do is store the encrypted version of 
it.

The problem remains that they are an American company, bound by 
American law. The infamous Patriot Act can force companies to deliver 
data to the government unencrypted (this may be accompanied by a "gag 
order", preventing them from saying anything about this).

This *may* mean that they have a backdoor in their software (javascript 
or plugin) so that they can comply with this law. If that is the case, 
the security is only as good as the security of that back door. (Even if 
they were not American, you would have to trust that there is no 
backdoor or flaw in their software.)

An offline password storage program (for example KeePass) is safer in 
the sense that no data is ever sent to the company. But it is also less 
user friendly because you will need to carry the software around with 
you (or synchronise the data somehow, with all due risks). And of course 
this software may also contain a back door.

So in the end, writing a password on a piece of paper is not such a bad 
idea at all. As long as the paper is not compromised, everything is okay. 
And a compromise of the paper is probably easier to check for than a 
compromise of a locally stored keychain, let alone of data stored in "the 
cloud". It is not the most user friendly, and not 100% safe, but 
security and user friendliness usually seem to be in contradiction with 
each other. You just need to decide how much of one you want, and how 
much of the other you are willing to sacrifice ;-)

Best regards,
Patrick Asselman
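
The client-side scheme Patrick sketches above (derive a key from the master password locally, encrypt the vault, send only the ciphertext so the provider stores a blob it cannot read), as an added Python example. This is not LastPass's code and not anything posted in the thread; it is written here to make the trust boundary concrete. Everything in it is an assumption for illustration: the PBKDF2 iteration count, the blob layout, the StorageServer class, the constructed sample vault, and the use of HMAC-SHA256 in counter mode as a standard-library stand-in for the AES-GCM a real client would use.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed parameters for this example (assumed, not any vendor's real ones).
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys.

    PBKDF2-HMAC-SHA256 makes offline guessing of the master password slow.
    Only the salt travels to the server, never the password or the keys.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stream cipher.

    Assumed stand-in so the example runs without third-party packages;
    a real client would use an AEAD such as AES-GCM or ChaCha20-Poly1305.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, vault: dict) -> bytes:
    """Client side: serialise, encrypt and authenticate the vault.

    Returns salt || nonce || ciphertext || tag. This blob is all the
    server ever receives; the master password and derived keys stay local.
    """
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(vault, sort_keys=True).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(master_password: str, blob: bytes) -> dict:
    """Client side: verify the tag first, then decrypt.

    A wrong master password or any modification of the stored blob fails
    the HMAC check before a single byte is decrypted.
    """
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered blob")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


class StorageServer:
    """What the provider holds: opaque blobs keyed by account name (assumed model)."""

    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}

    def upload(self, account: str, blob: bytes) -> None:
        self.blobs[account] = blob

    def download(self, account: str) -> bytes:
        return self.blobs[account]

    def contains_plaintext(self, account: str, needle: str) -> bool:
        """The server can grep its own bytes, but not for secrets it never saw."""
        return needle.encode("utf-8") in self.blobs[account]


if __name__ == "__main__":
    # Constructed sample vault; the credentials are not real.
    vault = {"forums.example.org": "correct horse battery staple", "mail": "Tr0ub4dor&3"}
    server = StorageServer()
    server.upload("pete", encrypt_vault("my master passphrase", vault))
    print("server sees plaintext:", server.contains_plaintext("pete", "Tr0ub4dor&3"))
    print("client recovers:", decrypt_vault("my master passphrase", server.download("pete")))
```

The cryptography here only moves the trust, it does not remove it: the server really cannot read the blob, but the code doing the encryption is still the thing you have to trust, which is Patrick's point. A client delivered as JavaScript from the provider's own server can be swapped for one that also uploads the master password, and nothing in the blob format would reveal that. Pinning a hash of the client you run, or using an offline tool you installed yourself, is how you narrow that remaining trust.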
