Firefox saved passwords?
Just wondering, how is that better than Firefox's saved passwords and Master password, especially if you're using the Firefox sync extension to sync your passwords on several machines?
Password management site LastPass has plugged a security hole in its website that created a means to extract the email addresses - though not the passwords - of enrolled users. The cross-site scripting bug meant that logged-in users induced to visit a malicious site would disclose their email addresses and sites associated …
Presumably you're one of the people who would also call people out for the use and reuse of simple passwords.
I'm going to go out on a limb and assume that I am not the only one who uses a variety of machines, operating systems and browsers.
This requires some form of central management for passwords, given that they are long and randomly generated and I lack the ability to remember them. The alternative is for me to not have access to sites/services.
Off the top of my head, I think there are only two ways for this to be achieved. One is the 'local' option - carry a USB stick with you everywhere you go, with a password manager on or a portable browser with the passwords stored in it.
As everyone well knows, it's easy to forget to bring your USB stick with you, or even lose it.
The former is an inconvenience. The latter is a disaster.
The other is the 'cloud' option. This has the same pitfall as the first option - all eggs in one basket. However, I'd hazard a guess at saying the chance of losing a USB stick is greater than the loss of cloud data.
With this option, it doesn't matter if your machine dies or is stolen as your passwords are all online, readily accessible for you on another machine.
If you look at how Lastpass actually works it only stores the encrypted data in the cloud. All encryption and decryption of your passwords happens on the local client.
Lastpass also take this kind of stuff seriously, you can use multifactor authentication to access your account (Yuibikey or they have even developed a "one time" password grid system). I use a hybrid system of lastpass and keepass. The advantage of having everything sync nicely arround my pc's is great (I use mesh to sync my keepass database).
It's all a matter of assessing risk isn't it..
I cycle to work rather than getting public transport because I feel that the time saved and benefit to my health outweighs the greater risk of my being involved in an accident while commuting.
As has been said, only a USB stick style system (or an incredible memory) is really more secure when you need to have unique non dictionary based passwords made up of upper/lower case, numbers and symbols and that has weaknesses of being, lost / stolen / put through washing machine.
On top of that since the (de/en)cryption happens locally its only ever encrypted data that goes into the cloud. And the exploit discovered was not even able to get hold of that, just email addresses.
finally, I know that all really critical sites I use ie, banking, have more secure login systems that require me to enter additional information from dropdown boxes or use a card reader, this isn't in my lastpass info so even if someone did get hold of my password they'd still need physical access to my card / my brain..
Biting the hand that feeds IT © 1998–2019