April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Walter Bright
On Fri, 11 Apr 2014 21:00:39 -0400, Walter Bright <newshound2@digitalmars.com> wrote:
> On 4/11/2014 5:24 PM, Steven Schveighoffer wrote:
>> [...]
>
> All I can say is, relying on LastPass for everything and assuming it'll all be fine sounds like famous last words. I have an ingrained distrust of anything with a single point of failure, and the consequences of LastPass failing are pretty severe.
I can't argue with that, to each his own. I actually have more trust in LastPass than my own brain, which can't remember sometimes what I was supposed to do from 2 minutes ago. The convenience also is quite a perk.
-Steve
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Steven Schveighoffer
On 4/11/2014 8:30 PM, Steven Schveighoffer wrote:
> Of course, it means you have to accept their word, and trust their competency. I
> tend to doubt that somehow this is all a ruse and they are in cahoots with the NSA.
I agree that it is pretty unlikely they are in league with the devil. But what would happen to you if all your passwords got lost or compromised? How much trouble would it be? All your bank accounts? All your email accounts? All your professional accounts? All your accounting stuff? Suddenly you're cut off from all of it? The risk may be small, but the potential damage could be very high.
The company itself may not be malicious. But they may be incompetent. And they may have a rogue employee. And they may succumb to pressure from the government. And they may get hacked. And they may change managers. And they may get acquired by Evil Corp X.
What is your recourse if it all goes bad? What is your Plan B?
When I went skydiving, I had a backup chute. There are two independent braking systems on my car. I don't invest everything in one company stock. I store backups off site.
> you typically get what you pay for.
Typically, yes. What do you really expect to get for $12/year? That buys about 5 minutes of some entry level person's time. There's just no way I'm going to put all my hundreds of accounts into that one box.
I strongly suggest, at a bare minimum, that you have LastPass print out all the passwords it holds on a sheet a paper, and put that paper in your safety deposit box.
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Nick Sabalausky
On Friday, 11 April 2014 at 22:19:32 UTC, Nick Sabalausky wrote:
> On 4/11/2014 3:37 PM, Brad Roberts wrote:
>>
>> Yup, mailman sucks. But so do all the other list managers out there.
>> :) With all the accurate and well placed righteous indignation on this
>> thread.. surely someone has the drive to actually fix the problem.
>
> I'm actually [indirectly] working on that sort of thing by developing libs intended to make using proper security best-practices far too convenient for anyone to NOT use them. The first part of that:
>
> http://forum.dlang.org/thread/lhr7kb$17f2$1@digitalmars.com
That reminds me I need to investigate integrating external
providers like Dauth into Cmsed. It already will "upgrade" a
hashed password for a user if a newer algorithm is provided.
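One way to implement the "upgrade a hashed password when a newer algorithm is provided" behaviour described above, as an added Python illustration that is not Cmsed or Dauth code. The record format, the algorithm names, the legacy salted-SHA-256 scheme and the PBKDF2 iteration count are constructed assumptions; the point is that the plaintext is only available at login, so that is the one moment a record can be re-hashed.

```python
import hashlib
import hmac
import os

# Constructed registry, oldest first. A record looks like
# "<algorithm>$<iterations>$<salt hex>$<digest hex>" (assumed format).
ALGORITHMS = ["sha256", "pbkdf2_sha256"]
CURRENT_ALGORITHM = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 200_000


def _digest(password: str, algorithm: str, salt: bytes, iterations: int) -> bytes:
    if algorithm == "sha256":
        # Legacy scheme: one salted SHA-256. Kept only so old records verify.
        return hashlib.sha256(salt + password.encode()).digest()
    if algorithm == "pbkdf2_sha256":
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    raise ValueError(f"unknown algorithm {algorithm!r}")


def hash_password(password: str, algorithm: str = CURRENT_ALGORITHM,
                  iterations: int = PBKDF2_ITERATIONS, salt: bytes = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    if algorithm == "sha256":
        iterations = 0  # no work factor in the legacy scheme
    digest = _digest(password, algorithm, salt, iterations)
    return f"{algorithm}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    expected = _digest(password, algorithm, bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, bytes.fromhex(digest_hex))


def needs_upgrade(stored: str) -> bool:
    """True if the record uses an older algorithm or a weaker work factor."""
    algorithm, iterations, _, _ = stored.split("$")
    if ALGORITHMS.index(algorithm) < ALGORITHMS.index(CURRENT_ALGORITHM):
        return True
    return algorithm == CURRENT_ALGORITHM and int(iterations) < PBKDF2_ITERATIONS


def login(users: dict, username: str, password: str) -> bool:
    """Verify against the stored record; on success, transparently re-hash
    outdated records with the current algorithm and replace them."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if needs_upgrade(stored):
        users[username] = hash_password(password)
    return True
```

A failed login never touches the record, so an attacker guessing passwords cannot trigger a rewrite; only a correct password proves the plaintext and earns the upgrade.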
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Walter Bright
> On 4/11/2014 8:30 PM, Steven Schveighoffer wrote:
> Of course, it means you have to accept their word, and trust their
> competency. I
> tend to doubt that somehow this is all a ruse and they are in cahoots with
> the NSA.
I remember reading about companies not being allowed to even disclose that they had to turn over data to the authorities. It's a scary world for sure.
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Manu
On Saturday, 12 April 2014 at 01:33:10 UTC, Manu wrote:
> On 12 April 2014 11:16, Manu <turkeyman@gmail.com> wrote:
>
> Anyway, this is all beside the point, the issue is _I got an email that
> TOLD ME MY PASSWORD_. Which is completely inexcusable, amateur, and
> offensive. When will it be fixed?
Barry Warsaw is a kind person, and has spent a lot of effort in offering the community something like mailman: what's the problem with people reading the instructions for what they are doing, before doing it? Isn't that the first rule for being conscious about security?
/Paolo
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Manu
On 12.04.2014 03:16, Manu wrote:
> On 12 April 2014 11:11, Brad Anderson <eco@gnuk.net
> <mailto:eco@gnuk.net>> wrote:
>
> On Saturday, 12 April 2014 at 01:09:45 UTC, Manu wrote:
>
> This. Also, I have more than 1 computer (including a phone)...
> what's the
> solution there?
>
>
> LastPass is cloud synced (including with phones).
>
>
> ... how does that work?
Encryption and decryption are only client-side, so they only store an encrypted database of your passwords.
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Walter Bright
On 12.04.2014 08:02, Walter Bright wrote:
> On 4/11/2014 8:30 PM, Steven Schveighoffer wrote:
>> Of course, it means you have to accept their word, and trust their
>> competency. I
>> tend to doubt that somehow this is all a ruse and they are in cahoots
>> with the NSA.
>
> I agree that it is pretty unlikely they are in league with the devil.
> But what would happen to you if all your passwords got lost or
> compromised? How much trouble would it be? All your bank accounts? All
> your email accounts? All your professional accounts? All your accounting
> stuff? Suddenly you're cut off from all of it? The risk may be small,
> but the potential damage could be very high.
True. But that could happen with any of those sites individually too. And a company whose only business goal is to keep passwords secure is probably harder to hack into than companies which have a different focus and might not invest as much into security.
Most accounts you could get back through password recovery, so the only important ones are your email and bank accounts, where imo you should really have two-factor authentication.
Security is always a tradeoff between convenience and protection. I find LastPass is a good one, being super convenient and with good enough protection, but I think it's good to think about all the possible scenarios and decide if you are willing to take the corresponding risks.
Ultimately there's no right answer, everybody has to decide on the tradeoff on his own.
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Brad Roberts
On 12.04.2014 04:22, Brad Roberts wrote:
> On 4/11/14, 6:32 PM, Manu wrote:
>> Anyway, this is all beside the point, the issue is _I got an email
>> that TOLD ME MY PASSWORD_. Which
>> is completely inexcusable, amateur, and offensive. When will it be
>> fixed?
>
> In mailman 3 from what I've read, but it's been years in the coming. As
> host of the mail/news gateway, I plan on taking no particular actions
> here, other than to agree that it's a rather unfortunately bad security
> stance. If someone finds a better mail/news gateway and list manager
> that solves more problems than it causes and can spend some time testing
> it to make sure it's actually better rather than just claims to be, then
> I'll consider switching to it.
>
Could you then change the text that appears at signup and make the disclaimer about the plain text password more visible?
I seem to remember that it was towards the end of the page; maybe moving it to the beginning and making it bold would be a good enough stopgap measure?
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Marco Nembrini
On Saturday, 12 April 2014 at 08:17:28 UTC, Marco Nembrini wrote:
>
> Could you then change the text that appears at signup and make the disclaimer about the plain text password more visible?
> I seem to remember that it was towards the end of the page; maybe moving it to the beginning and making it bold would be a good enough stopgap measure?
It's in the middle of the page, just above the point where you type the password... and 'Do not use a valuable password' is bolded...
/Paolo
April 12, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Paolo Invernizzi
On 4/12/2014 3:47 AM, Paolo Invernizzi wrote:
> On Saturday, 12 April 2014 at 01:33:10 UTC, Manu wrote:
>> On 12 April 2014 11:16, Manu <turkeyman@gmail.com> wrote:
>>
>> Anyway, this is all beside the point, the issue is _I got an email that
>> TOLD ME MY PASSWORD_. Which is completely inexcusable, amateur, and
>> offensive. When will it be fixed?
>
> Barry Warsaw is a kind person, and has spent a lot of effort in offering
> the community something like mailman: what's the problem with people
> reading the instructions for what they are doing, before doing it? Isn't
> that the first rule for being conscious about security?
>
> /Paolo
I shouldn't have to read a label just to know whether or not my food contains dog shit. Some things are basic and obvious enough to just be *expected*.
Copyright © 1999-2021 by the D Language Foundation