April 14, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Adam D. Ruppe
On 13 April 2014 12:02, Adam D. Ruppe <destructionator@gmail.com> wrote:
> On Saturday, 12 April 2014 at 21:18:26 UTC, Nick Sabalausky wrote:
>
>> Never storing or transmitting password in plain text is not only basic, obvious and to be expected, but it is THE most basic, obvious and to-be-expected principle that exists in computer security.
>>
>
> ... and it is also the most common way passwords are sent in internet protocols.
>
> * SMTP and HTTP will base64 encode it with their basic auth but that's it
>
> * web sites typically transmit it completely open
>
>
> There's SSL now that gets more traction, but if you expect a password NOT to be sent in something trivially converted to plain text, wake up and smell the RFC.
>
There's been a migration of responsible services to https, but even without
that, I consider that a different level of negligence.
The difference is, someone has to be actively monitoring me to capture my
password in flight; if I'm a deliberate target, they'll get me somehow
anyway.
This is passive, it's _storing_ a large number of users' passwords all
together in one big plain-text blob. It's basically asking to be collected.
There's no transience, I'm compromised even if I'm not a target, and even
if I don't log on. My involvement is not required.

April 14, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Walter Bright
On Saturday, 12 April 2014 at 16:41:09 UTC, Walter Bright wrote:
>> And a company whose only business goal is to keep passwords secure is probably harder
>> to hack into that companies which have a different focus and might not invest as
>> much into security.
>
> "probably" doesn't work for me when the consequences of being wrong are so awful.
True, and by being a password business which people use for important passwords it becomes a primary target. So if there are weaknesses they are more likely to be found and exploitation skillfully hidden from detection...
Besides, the weakest link is your keyboard. You could be snooped by a radiation based scanner when you are outside your Faraday cage. Master passwords for anything more important than Facebook are irresponsible IMHO.
But yeah, storing passwords in the clear is no good, because MOST people reuse passwords for services that are unimportant with the assumption that they are hashed before they are compared. This is a calculated risk. Man-in-the-middle attacks are a bit less likely than site hacking (try a traceroute), and https can also suffer from those, so I think Manu is right about being upset. Storing passwords in the clear is a lot worse than clear transmission.

April 14, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Ola Fosheim Grøstad
On 4/13/2014 9:05 PM, "Ola Fosheim Grøstad" <ola.fosheim.grostad+dlang@gmail.com> wrote:
> so I think Manu is right about being upset.
I agree. If a product has a password system in it, it is reasonable to expect it to have some basic level of security, despite what the disclaimer says.
I also think that it is reasonable to expect a knowledgeable user to use a different password for every account. After all, password security is only as good as the weakest system it is used on.

April 14, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Walter Bright
On Monday, 14 April 2014 at 04:35:34 UTC, Walter Bright wrote:
> I also think that it is reasonable to expect a knowledgeable user to use a different password for every account.
I don't think it is reasonable to assume that all users of D have to be that knowledgeable, or to make it a prerequisite for participation.
> After all, password security is only as good as the weakest system it is used on.
Yes, and under that assumption all passwords should be created by drawing letters from a box and memorized and NEVER be written down in any shape or form. And using a paper shredder is also quite insufficient for maculating; you should shred, burn and then stir the ashes. I know, I learned this in the army as a teletypist. I don't practice it everywhere though...
I think Manu's expectations were reasonable. I think it is reasonable to take some risk for hobby stuff, and unreasonable to unnecessarily increase the risk by storing in the clear for no good reason.

April 14, 2014 Re: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Nick Sabalausky
On 12 April 2014 22:28, Nick Sabalausky <SeeWebsiteToContactMe@semitwist.com> wrote:
> On 4/12/2014 7:41 AM, Iain Buclaw wrote:
>>
>> http://privatekeycheck.com/
>>
>> :o)
>
> LOL! An interesting way to check the security of a sysadmin, really. :)
> Or to see if your sysadmin is a smart-ass...
In the 2 minutes I spent looking, I don't think there are any other easter eggs apart from 'yes', 'nope' and 'maybe' ;-)

April 14, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Ola Fosheim Grøstad
On 4/13/2014 10:11 PM, "Ola Fosheim Grøstad" <ola.fosheim.grostad+dlang@gmail.com> wrote:
> Yes, and under that assumption all passwords should be created by drawing
> letters from a box and memorized and NEVER be written down in any shape or form.
Writing it on paper is not subject to hacking. Having your house burgled or black bagged is an entirely different problem. Hackers from a foreign country aren't going to do that, and the government is incapable of dragnet black bagging of residences.
I suspect that using the same password for multiple accounts is far more risky than using paper.

April 14, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Manu
On Sat, 12 Apr 2014 12:38:15 +0300, Manu <turkeyman@gmail.com> wrote:
> On 12 April 2014 19:31, John Colvin <john.loughran.colvin@gmail.com> wrote:
>> On Saturday, 12 April 2014 at 09:06:48 UTC, Manu wrote:
>>> On 12 April 2014 17:56, Marco Nembrini <marco.nembrini.co@gmail.com> wrote:
>>>> On 12.04.2014 03:16, Manu wrote:
>>>>> On 12 April 2014 11:11, Brad Anderson <eco@gnuk.net <mailto:eco@gnuk.net>> wrote:
>>>>>> On Saturday, 12 April 2014 at 01:09:45 UTC, Manu wrote:
>>>>>>> This. Also, I have more than 1 computer (including a phone)... what's the solution there?
>>>>>>
>>>>>> LastPass is cloud synced (including with phones).
>>>>>
>>>>> ... how does that work?
>>>>
>>>> Encryption and decryption is only client-side so they only store an encrypted database of your passwords.
>>>
>>> I mean, how does it run on all of your devices, and integrate with all of your software?
>>
>> A variety of apps and plugins.
>
> And for any software/services that don't support plugins?
Copy and paste.

April 14, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Walter Bright
On Monday, 14 April 2014 at 06:32:35 UTC, Walter Bright wrote:
> Writing it on paper is not subject to hacking. Having your house burgled or black bagged is an entirely different problem. Hackers from a foreign country aren't going to do that, and the government is incapable of dragnet black bagging of residences.
Well, some people leave their houses when doing their computer stuff, so they need to bring their passwords with them. I frequently carry passwords in my wallet, but only the few ones I need. And only until I manage to memorize. :)
> I suspect that using the same password for multiple accounts is far more risky than using paper.
Yes, but if you use a combination of phrases so that hackers need more than one instance of your password then I think it is more safe than a single master password if most sites are reasonable. (I use randomized passwords where it matters)
Seriously, storing and comparing hashed passwords rather than clear ones takes about 15 minutes to implement correctly if the hash function is available as a library.
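The post above says that storing and comparing hashed passwords is a quarter-hour job once a hash function is available as a library. As an added example (not code from this thread or from any of the posters), here is what "correctly" looks like with only Python's standard library, assuming PBKDF2-HMAC-SHA256 with a per-user random salt and a constant-time comparison; the iteration count, the record format and the `login` helper are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the thread). Parameters are illustrative, chosen so
# the example runs quickly; a production deployment would tune them.
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algo$iterations$salt_hex$digest_hex'.

    A fresh random salt per user means two users with the same password get
    different records, and precomputed tables are useless against the store.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest does not stop at the first differing byte, so a wrong
    # guess takes the same time no matter how many leading bytes it gets right.
    return hmac.compare_digest(candidate, expected)


# Constructed "user table": the server keeps only these records, never the
# password itself, so a leaked table does not hand out reusable passwords.
USERS = {"manu": hash_password("correct horse battery staple")}
# Record used for unknown usernames so a lookup costs the same either way.
DUMMY_RECORD = hash_password("not-a-real-user")


def login(username: str, password: str) -> bool:
    """Authenticate; always runs the hash so timing does not leak which names exist."""
    record = USERS.get(username, DUMMY_RECORD)
    ok = verify_password(password, record)
    return ok and username in USERS
```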

April 14, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Walter Bright
On Sat, 12 Apr 2014 02:02:18 -0400, Walter Bright <newshound2@digitalmars.com> wrote:
> On 4/11/2014 8:30 PM, Steven Schveighoffer wrote:
>> Of course, it means you have to accept their word, and trust their competency. I
>> tend to doubt that somehow this is all a ruse and they are in cahoots with the NSA.
>
> I agree that it is pretty unlikely they are in league with the devil. But what would happen to you if all your passwords got lost or compromised? How much trouble would it be? All your bank accounts? All your email accounts? All your professional accounts? All your accounting stuff? Suddenly you're cut off from all of it? The risk may be small, but the potential damage could be very high.
I agree, it would be bad if all of these accounts were compromised. Funny though, that I trust LastPass's system way more than I trust any of the accounts that are stored in it. In LastPass, their server does not do any authentication, just the application on your system. Your passwords are never decrypted on their server, only on your computer.
I probably am not as protected against a local attack as I would like, but I am protected against a wide-spread attack such as the ones that happen all the time. But in order for a local attack to work, the villains must target me specifically. I really don't know why they would.
Probably the most secure way to store the passwords is with a secondary hardware-based authentication, which LastPass does support, but you have to (a) buy a hardware device that you can use to unlock your vault, and (b) it's not as convenient.
But this discussion has changed what I will store in my vault, I will likely remove some things from it that are more a convenience than anything (I know the information, it's just convenient to have my browser auto-fill that).
> The company itself may not be malicious. But they may be incompetent. And they may have a rogue employee. And they may succumb to pressure from the government. And they may get hacked. And they may change managers. And they may get acquired by Evil Corp X.
If they are incompetent, I would be in trouble. I have to trust that they are competent. I have to trust they will not succumb to government pressure (they have been pretty clear on that one). I have to trust that they review changes to their code so a malicious employee could not alter the browser software. I have to have trust in the company. What I don't have to do is worry about anyone cracking my vault without my password. And that is what I think makes LastPass attractive.
It all depends on the level of trust you have, and I think that's a personal choice. There is the 2-factor hardware authentication option if you have less trust.
> What is your recourse if it all goes bad? What is your Plan B?
What is anyone's recourse? You work as hard as you can to get your accounts under your control. Banks are typically not tied only to your online presence, your credit card numbers can be changed, new cards issued. Other accounts like email, you have less control over.
Perhaps it's best to remember 2 passwords -- one for your LastPass vault which protects your not-as-critical online accounts (like, say, your D forum password), and one for your critical accounts that you don't want stored anywhere, like your email password. The risk is still that an online account's password is compromised, an easier-to-remember password is easier to crack. The passwords LastPass generates are probably safer than any ones I could come up with.
> When I went skydiving, I had a backup chute. There are two independent braking systems on my car. I don't invest everything in one company stock. I store backups off site.
I'm not concerned about "losing" my online passwords. The data is stored locally on my PC backed up, on my phone, on my other computers I use. I can get the old data back.
>> you typically get what you pay for.
>
> Typically, yes. What do you really expect to get for $12/year? That buys about 5 minutes of some entry level person's time. There's just no way I'm going to put all my hundreds of accounts into that one box.
I expect it, along with the hundreds of thousands of other customers, to pay for the 40 person company that is LastPass. It's a reasonable fee for the service IMO. Software is strange in that an app developer can charge only $1, yet make millions, because production is nearly free.
> I strongly suggest, at a bare minimum, that you have LastPass print out all the passwords it holds on a sheet of paper, and put that paper in your safety deposit box.
If I was to do this, I'd store the encrypted vault on a key inside the SDB. The app can be configured to run in "offline" mode, which means it will not contact the server to get any updates to your vault. Any changes a malicious user has made to my online vault would be ignored. I'd rather just keep the backup somewhere close by than have to go into a bank to get it.
-Steve

April 14, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Kapps
On Sat, 12 Apr 2014 20:26:14 -0400, Kapps <opantm2+spam@gmail.com> wrote:
> On Saturday, 12 April 2014 at 09:06:48 UTC, Manu wrote:
>>> Encryption and decryption is only client-side so they only store an
>>> encrypted database of your passwords.
>>>
>>
>> I mean, how does it run on all of your devices, and integrate with all of
>> your software?
>
> It only really works well for desktop browsers in my experience. I haven't tried the Android app, but from what I understand it's basically an app that acts as a browser since it can't integrate within the system browser, which is quite a lousy solution.
I use it with copy/paste. Yes, it is slightly annoying, but actually not that bad (I use iOS). Essentially, instead of typing in the password into the app that I want to use, which I may have to struggle to remember, or copy from a paper, I just go to LastPass app, type in my master password, and then I can copy/paste the password to the other app. I rarely use the browser part of it.
In the last year, the app has been so much improved, it's actually not a chore to use.
Integrating it with the phone's default browser may help a bit, but typically, online accounts have their own app for their site. The only way to integrate it that would be useful is to integrate it with the OS itself.
-Steve
Copyright © 1999-2021 by the D Language Foundation