April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

Posted in reply to Walter Bright

On Fri, 11 Apr 2014 17:40:36 -0400, Walter Bright <newshound2@digitalmars.com> wrote:
> On 4/11/2014 9:55 AM, Steven Schveighoffer wrote:
>> On Fri, 11 Apr 2014 12:42:31 -0400, Walter Bright <newshound2@digitalmars.com> wrote:
>>
>>> On 4/11/2014 5:18 AM, Steven Schveighoffer wrote:
>>>> If, after the last year of hacking, and the heartbleed bug, people are not using password tracker/generators, you haven't learned anything :)
>>>
>>> But those pw managers are a single point of failure. One mistake and you've compromised or lost everything.
>>
>> What mistake?
>
> Having a single password for everything. Heck, you could simply forget that password.

There are dual-factor authentication options, including hardware-based ones. Forgetting the password is unlikely. I only have to remember one.

>>> If your machine it is installed on is stolen, you've lost all your passwords. Etc.
>>
>> Read about LastPass. Your last-pass vault is encrypted and stored in the cloud.
>
> Or there could be a bug in LastPass that makes it crackable. Not like something like that has never happened before (cough, cough), again, a single point of failure and everything is lost.

Again, read up.

> I remember a while back about someone with a Mac password vault lost his whole online life when the vault got compromised.

I'm sure there are a couple anecdotes about people who aren't very careful with their master password. I'm also quite sure the number of people who use the same password everywhere that have been compromised is far greater.

I'm not one who has the memory for remembering lots of passwords, so this is a much better solution for me. I used to be one of those who uses the same password everywhere. Not any more. I still think the password manager's drawbacks are not as bad as the alternative's.

-Steve
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

Posted in reply to Nick Sabalausky

On Fri, 11 Apr 2014 18:05:26 -0400, Nick Sabalausky <SeeWebsiteToContactMe@semitwist.com> wrote:
> On 4/11/2014 12:55 PM, Steven Schveighoffer wrote:
>> On Fri, 11 Apr 2014 12:42:31 -0400, Walter Bright <newshound2@digitalmars.com> wrote:
>>
>>> On 4/11/2014 5:18 AM, Steven Schveighoffer wrote:
>>>> If, after the last year of hacking, and the heartbleed bug, people are not using password tracker/generators, you haven't learned anything :)
>>>
>>> But those pw managers are a single point of failure. One mistake and you've compromised or lost everything.
>>
>> What mistake?
>
> Pretty much anything? Letting the wrong person see you type your pass.

Not likely.

> Using it on a system (even your own) that secretly has a keylogger or is compromised in any number of other ways.

This would be a problem with any password scheme.

> Getting bit by an encryption library vulnerability.

No doubt, that would be a temporary issue.

> Using a master pass that turns out not to be quite good enough.

This can be mitigated with multi-factor or hardware authentication. But I'm not that paranoid. My password is pretty good.

> Relying on NSA-backed "encryption".

It's based on open standards for encryption, not NSA-backed. What encryption do you trust?

>>> If your machine it is installed on is stolen, you've lost all your passwords. Etc.
>>
>> Read about LastPass. Your last-pass vault is encrypted and stored in the cloud.
>
> No, it's stored on a server. On the internet. *cough*

Encrypted.

> Due to LastPass's closed-ness, all we can do is blindly trust whatever they claim (yea, companies are great at never lying to users), *and* blindly trust all of their software to not contain exploitable vulnerabilities[*]. Look how great that works out for users of Google/Microsoft/etc.

It's based on open standards, and you just have to trust them to have a rock-solid implementation, sure. It all depends on who you are willing to trust.

I don't have enough time in my life to learn encryption theory, audit all their code, to prove it to myself. I choose to trust experts. YMMV.

> [*] I guess we could reverse-engineer, but closed-source is a great way to ensure most of the people auditing your code are blackhats. Not what I want from software I'd use to store all my passwords.

It has been audited, but not by the entire community. Again, it all depends on who you trust.

-Steve
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

Posted in reply to Steven Schveighoffer

On 4/11/2014 5:24 PM, Steven Schveighoffer wrote:
> [...]
All I can say is, relying on LastPass for everything and assuming it'll all be fine sounds like famous last words. I have an ingrained distrust of anything with a single point of failure, and the consequences of LastPass failing are pretty severe.
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

Posted in reply to Dicebot

On 12 April 2014 01:39, Dicebot <public@dicebot.lv> wrote:
> On Friday, 11 April 2014 at 12:18:38 UTC, Steven Schveighoffer wrote:
>
>> If, after the last year of hacking, and the heartbleed bug, people are not using password tracker/generators, you haven't learned anything :)
>>
>
> Remembering 15-20 different passwords is less of a burden to me than regularly verifying the code of password tracker browser extensions and infrastructure involved. And blindly using a 3rd-party tool for something that critical just does not make sense.
>
This. Also, I have more than 1 computer (including a phone)... what's the
solution there?
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

Posted in reply to Manu

On Saturday, 12 April 2014 at 01:09:45 UTC, Manu wrote:
> This. Also, I have more than 1 computer (including a phone)... what's the
> solution there?
LastPass is cloud synced (including with phones).
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

Posted in reply to Brad Anderson

On 12 April 2014 11:11, Brad Anderson <eco@gnuk.net> wrote:
> On Saturday, 12 April 2014 at 01:09:45 UTC, Manu wrote:
>
>> This. Also, I have more than 1 computer (including a phone)... what's the
>> solution there?
>>
>
> LastPass is cloud synced (including with phones).
>
... how does that work?
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

On 12 April 2014 11:16, Manu <turkeyman@gmail.com> wrote:
> On 12 April 2014 11:11, Brad Anderson <eco@gnuk.net> wrote:
>
>> On Saturday, 12 April 2014 at 01:09:45 UTC, Manu wrote:
>>
>>> This. Also, I have more than 1 computer (including a phone)... what's the
>>> solution there?
>>>
>>
>> LastPass is cloud synced (including with phones).
>>
>
> ... how does that work?
>
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

On 12 April 2014 11:16, Manu <turkeyman@gmail.com> wrote:
> On 12 April 2014 11:11, Brad Anderson <eco@gnuk.net> wrote:
>
>> On Saturday, 12 April 2014 at 01:09:45 UTC, Manu wrote:
>>
>>> This. Also, I have more than 1 computer (including a phone)... what's the
>>> solution there?
>>>
>>
>> LastPass is cloud synced (including with phones).
>>
>
> ... how does that work?
>
Ummm, yeah no, I'm soooo not enthusiastic about *paying* some closed-source
company to hold every password I have for everything I am.
Re: Walter's single point of failure comment. And once money's on the
table, all bets are off wrt ethical behaviour.
Are they an American, Canadian, Australian, NZ, UK company? The NSA probably insists on a backdoor. If not, I bet the NSA already has known exploits in their infrastructure... they'd be one of the hottest targets out there!
Anyway, this is all beside the point, the issue is _I got an email that TOLD ME MY PASSWORD_. Which is completely inexcusable, amateur, and offensive. When will it be fixed?
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

On 4/11/14, 6:32 PM, Manu wrote:
> Anyway, this is all beside the point, the issue is _I got an email that TOLD ME MY PASSWORD_. Which
> is completely inexcusable, amateur, and offensive. When will it be fixed?
In mailman 3 from what I've read, but it's been years in the coming. As host of the mail/news gateway, I plan on taking no particular actions here, other than to agree that it's a rather unfortunately bad security stance. If someone finds a better mail/news gateway and list manager that solves more problems than it causes and can spend some time testing it to make sure it's actually better rather than just claims to be, then I'll consider switching to it.
With a little luck the recent flurry of activity surrounding the yahoo kerfuffle will kick the right people into gear and some real progress will be made. But I won't be holding my breath.
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

Posted in reply to Manu

On Fri, 11 Apr 2014 21:32:57 -0400, Manu <turkeyman@gmail.com> wrote:
> On 12 April 2014 11:16, Manu <turkeyman@gmail.com> wrote:
>
>> On 12 April 2014 11:11, Brad Anderson <eco@gnuk.net> wrote:
>>
>>> On Saturday, 12 April 2014 at 01:09:45 UTC, Manu wrote:
>>>
>>>> This. Also, I have more than 1 computer (including a phone)... what's the solution there?
>>>
>>> LastPass is cloud synced (including with phones).
>>
>> ... how does that work?
>
> Ummm, yeah no, I'm soooo not enthusiastic about *paying* some closed-source company to hold every password I have for everything I am.
> Re: Walter's single point of failure comment. And once money's on the table, all bets are off wrt ethical behaviour.

I know this topic is going into the weeds, but I have to say, there is quite the aversion to money on this thread, even for those of us who get paid to write code. I find it interesting that I have the exact OPPOSITE view. Paying for something gives a company incentive NOT to f*** their customers over. People who *require* money for service are not automatically corrupt, and IMO are less likely to be corrupt. The software industry is an oddball, where people are willing in droves to do free work, but people are still people, and you typically get what you pay for.

> Are they an American, Canadian, Australian, NZ, UK company? The NSA probably insists on a backdoor. If not, I bet the NSA already has known exploits in their infrastructure... they'd be one of the hottest targets out there!

They have a statement on that, I'll post it again: http://blog.lastpass.com/2013/09/lastpass-and-nsa-controversy.html

Of course, it means you have to accept their word, and trust their competency. I tend to doubt that somehow this is all a ruse and they are in cahoots with the NSA.

And the final irony of course, is that I have heard several people tout their aversion to anything they are not able to scrutinize the source code to the encryption, to see if any NSA back doors exist, etc. And some of these same people did not scrutinize the disclosure statement before signing up for a service that emails them their password in clear-text. Keep in mind that even if the system is 'fixed' not to email you your clear-text password, where do you think it got that password from?

-Steve
Copyright © 1999-2021 by the D Language Foundation