Geekzone: technology news, blogs, forums
UHD

535 posts

Ultimate Geek
+1 received by user: 222


  Reply # 1438620 1-Dec-2015 14:29

SumnerBoy: +1 for local (I use KeyPass) and then ownCloud for private syncing between devices.


Surely this is just LastPass with a less secure online distribution method (a personal cloud service).

3303 posts

Uber Geek
+1 received by user: 967


  Reply # 1438643 1-Dec-2015 14:51

I use LastPass for my banking passwords. I have 4 bank accounts and use the most complex passwords possible - I think all of my banks use 2-factor authentication too.

If I did not use LastPass, they would be weaker passwords and more easily compromised.

The risk of using LastPass is lower than the risk of using weak passwords. To date, no one has been able to steal AND decrypt user passwords.


I wonder if the banks have official policies on password managers. I reckon they'd probably be against them in theory but for them in practice. Fewer password1234 passwords that way.

1577 posts

Uber Geek
+1 received by user: 176

Subscriber

  Reply # 1438644 1-Dec-2015 14:54

UHD:
SumnerBoy: +1 for local (I use KeyPass) and then ownCloud for private syncing between devices.


Surely this is just LastPass with a less secure online distribution method (a personal cloud service).


All depends on how secure your personal cloud service is I guess. And whether you trust *it* more than you trust someone like LastPass or Dropbox to store your password database.

But yeah - I guess anything that is *online* is vulnerable, to some degree.

2915 posts

Uber Geek
+1 received by user: 414

Trusted
Subscriber

  Reply # 1438840 1-Dec-2015 20:12

UHD:
You are right about the password database being stolen at least once. This was four years ago and to date not a single report (even unverified) of passwords being decrypted exists.

You're missing the point. The point is that this is true now. We cannot guarantee that computational ability in the future will always be insufficiently powerful to decrypt the data.

UHD:
I'm not sure what you mean about storing the passwords on the servers in a reversible manner. If you take a quick look at the LastPass design you will see that even if LastPass wanted to decrypt user passwords they would not be able to do so. All encryption is done locally, meaning LastPass only ever see hashes which are then randomly salted and PBKDF2-SHA256'd.

We don't actually know that the decryption is only local given that it's proprietary. Even if that is the case, the fact that they do not secure their infrastructure and their databases have been compromised no less than once would raise the risk that anyone compromising them would be doing so not to steal information, but to replace it (i.e. compromise the downloaded executables to introduce backdoor code). Given the visibility of LastPass and the value of the data they hold, it's not impossible.

And last but not least, LastPass has recently been acquired by LogMeIn, a company with a bad customer service record and a questionable track record of converting previously free services to subscriptions, and even spitting in the face of customers that paid for their premium app. I wouldn't touch anything from LogMeIn.

UHD

535 posts

Ultimate Geek
+1 received by user: 222


  Reply # 1438962 1-Dec-2015 23:06

Kyanar:
UHD:
You are right about the password database being stolen at least once. This was four years ago and to date not a single report (even unverified) of passwords being decrypted exists.

You're missing the point. The point is that this is true now. We cannot guarantee that computational ability in the future will always be insufficiently powerful to decrypt the data.

UHD:
I'm not sure what you mean about storing the passwords on the servers in a reversible manner. If you take a quick look at the LastPass design you will see that even if LastPass wanted to decrypt user passwords they would not be able to do so. All encryption is done locally, meaning LastPass only ever see hashes which are then randomly salted and PBKDF2-SHA256'd.

We don't actually know that the decryption is only local given that it's proprietary. Even if that is the case, the fact that they do not secure their infrastructure and their databases have been compromised no less than once would raise the risk that anyone compromising them would be doing so not to steal information, but to replace it (i.e. compromise the downloaded executables to introduce backdoor code). Given the visibility of LastPass and the value of the data they hold, it's not impossible.

And last but not least, LastPass has recently been acquired by LogMeIn, a company with a bad customer service record and a questionable track record of converting previously free services to subscriptions, and even spitting in the face of customers that paid for their premium app. I wouldn't touch anything from LogMeIn.


I'm missing no point. Take a look at the computational complexity of the hashing algorithms used by LastPass right now and you will see that even being generous with regard to computing hardware the hashes will take thousands of years to crack. Given that every member is aware that the database has possibly been stolen, all a customer needs to do is to update their passwords and that stolen database is worthless to the hackers. Computational power in the future means nothing at all when the current database has been updated.

We do know that encryption is done locally because it is possible to review the source code of the non-binary browser extension which is Javascript. The LastPass infrastructure is incredibly secure but it also has the world's largest target painted on its back. The fact that only two real intrusions have occurred in all the time the company has been running is, frankly, incredible.

Once again, it would be trivial to review the Javascript on any new browser extensions that are downloaded to ensure a hacker hasn't managed to introduce a backdoor. Not to mention that the LastPass team would probably nuke any affected machines and rebuild from a known good code version in the case of an attack like that.
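The design the two posts above are arguing about (master password turned into a vault key on the device, a further one-way derivation sent to the server for login, and the server salting and PBKDF2-ing that again) is straightforward to show in code. The block below is an added example written for this page, not LastPass's implementation and not a statement of its real parameters: the iteration counts, the choice of the account id as the client-side salt, and the attacker's hash rate are all assumptions for illustration. It also puts numbers on the "thousands of years" claim, which holds for a high-entropy master password and fails badly for a password1234-class one, because PBKDF2 only multiplies the cost of each guess.

```python
"""Client/server split for a password-manager login, as discussed in the thread.

Added illustration for this page, not LastPass's code. Assumed for the example:
the iteration counts, the account id as the client salt, and the attacker's
SHA-256 rate. Standard library only.
"""
import hashlib
import hmac
import math
import os
from typing import NamedTuple

CLIENT_ITERATIONS = 100_000   # assumed; real figures are vendor-specific
SERVER_ITERATIONS = 100_000   # assumed


def derive_vault_key(master_password: str, account_id: str,
                     iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client side only. Salting with the (normalised) account id means two users
    with the same master password still get different keys. 32 bytes suits
    AES-256. This key encrypts the vault locally and is never sent anywhere."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               account_id.lower().encode("utf-8"),
                               iterations, dklen=32)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side. One more PBKDF2 round turns the vault key into the login
    credential. PBKDF2 is one-way, so the server, which only ever sees this
    value, cannot work back to vault_key or to the master password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=32)


class ServerRecord(NamedTuple):
    salt: bytes          # random, per user, stored next to the hash
    iterations: int
    stored: bytes


def server_enrol(auth_hash: bytes, iterations: int = SERVER_ITERATIONS) -> ServerRecord:
    """Server side. Re-hash the received credential with a fresh random salt so
    that a dumped database does not even contain the client's auth hash."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, iterations, dklen=32)
    return ServerRecord(salt, iterations, stored)


def server_verify(record: ServerRecord, auth_hash: bytes) -> bool:
    """Server side. Constant-time compare so a timing leak cannot reveal how
    much of the candidate matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record.salt,
                                    record.iterations, dklen=32)
    return hmac.compare_digest(candidate, record.stored)


def login(master_password: str, account_id: str, record: ServerRecord) -> bool:
    """Whole flow from the client's side: derive locally, send only the auth
    hash, let the server check it. The vault key never leaves this function."""
    key = derive_vault_key(master_password, account_id)
    return server_verify(record, derive_auth_hash(key, master_password))


def years_to_exhaust(entropy_bits: float,
                     client_iterations: int = CLIENT_ITERATIONS,
                     server_iterations: int = SERVER_ITERATIONS,
                     sha256_per_second: float = 1e10) -> float:
    """Brute-force cost for someone holding the dumped server table. Each guess
    of the master password must redo the client PBKDF2 and then the server
    PBKDF2, so work per guess is about (client + server) HMAC iterations.
    sha256_per_second is an assumed figure for a GPU rig; one HMAC-SHA256 is
    counted as a single SHA-256, which favours the attacker."""
    guesses = 2.0 ** entropy_bits
    seconds = guesses * (client_iterations + server_iterations) / sha256_per_second
    return seconds / (365.25 * 24 * 3600)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password. A human-chosen 'password1234'
    is far below what its length and alphabet suggest; treat it as a
    dictionary-word-plus-digits guess of roughly 30 bits instead."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample user, not real data.
    user, pw = "alice@example.org", "correct horse battery staple 9!"
    rec = server_enrol(derive_auth_hash(derive_vault_key(pw, user), pw))
    print("login ok:", login(pw, user, rec))
    print("wrong pw:", login(pw + "x", user, rec))
    print("random 12-char password, years to exhaust:",
          f"{years_to_exhaust(password_entropy_bits(12, 94)):.3g}")
    print("password1234-class guess (~30 bits), years to exhaust:",
          f"{years_to_exhaust(30):.3g}")
```

The last two prints are the crux of the disagreement: the iteration counts multiply the attacker's cost per guess, so a random 12-character master password is out of reach for anyone holding the stolen table, while a dictionary-class master password falls in hours no matter how high the counts are set. Whether "future computational ability" matters therefore depends almost entirely on the master password, not on the scheme.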

28 posts

Geek
+1 received by user: 3


  Reply # 1439231 2-Dec-2015 12:47

I use LastPass, and have the same dilemma when it comes to trusting my bank details with it. Currently I have not stored my bank account login details in there. I have stored my credit card details though so I can auto-fill payment sites.

Absolutely love LastPass though, it makes it so easy to log in to sites, plus I don't have to remember 150 different logins for different sites.

5995 posts

Uber Geek
+1 received by user: 2797

Subscriber

  Reply # 1439261 2-Dec-2015 13:34

I think an important principle is being left out of the discussion here. As soon as you delegate your password protection to any other service, the integrity of your password protection becomes dependent on that service, which may deteriorate over time, be compromised by inferior management, be taken over by another company, be the target of a rogue employee with insider information, be the victim of new decryption techniques, be subject to any number of future vagaries that can undermine it. All of this is an acceptable risk for your social media logins, but I would never entrust it with my money.
1424 posts

Uber Geek
+1 received by user: 307


  Reply # 1439265 2-Dec-2015 13:51

I would happily store my bank password in LastPass if I was happy with my password database being stored on their servers. If I wasn't happy with that situation then I would not use LastPass at all, or I would continue to use LastPass but add another product for my bank password only.

Anyway, my bank password is not a big concern because the financial risk is quite small and there are other security checks. At most the password gets access to thousands and perhaps tens of thousands of dollars. If my bank password could get access to millions of dollars then the risk-benefit goes up a thousand times, which would make me consider my options more carefully. But even then my actual financial risk would still be very small.

My bank's other security which could help if my password is revealed include the following: transaction size limits; warnings for password changes, account changes and transactions over $x; checking of IP addresses; etc.

I consider a bigger risk for banking to be the actions of bank staff members or someone else in a position of responsibility such as my legal firm.


13371 posts

Uber Geek
+1 received by user: 1601


  Reply # 1439268 2-Dec-2015 13:57

Rikkitic: I think an important principle is being left out of the discussion here. As soon as you delegate your password protection to any other service, the integrity of your password protection becomes dependent on that service, which may deteriorate over time, be compromised by inferior management, be taken over by another company, be the target of a rogue employee with insider information, be the victim of new decryption techniques, be subject to any number of future vagaries that can undermine it. All of this is an acceptable risk for your social media logins, but I would never entrust it with my money.

You would expect they would use third-party auditing to check things in real time, which would overcome all this. Also, isn't having online access to banking details already a bigger risk? I mean, how good is banks' online security? The fact that at least one major NZ bank still uses Windows XP and an old version of IE to log in to online banking is, I think, more of a worry. I mean, isn't Windows XP less secure than Windows 10?

UHD

535 posts

Ultimate Geek
+1 received by user: 222


  Reply # 1439450 2-Dec-2015 18:25
One person supports this post

Rikkitic: I think an important principle is being left out of the discussion here. As soon as you delegate your password protection to any other service, the integrity of your password protection becomes dependent on that service, which may deteriorate over time, be compromised by inferior management, be taken over by another company, be the target of a rogue employee with insider information, be the victim of new decryption techniques, be subject to any number of future vagaries that can undermine it. All of this is an acceptable risk for your social media logins, but I would never entrust it with my money.

1) Service deterioration: database is always stored locally and may be exported at any time.
2) Inferior management: see above.
3) Another company takes over: already happened, see above.
4) Rogue employee: LastPass cannot decrypt your data. 2FA, etc...
5) New decryption techniques: mathematically infeasible.
6) Any number of future vagaries: lol.

All things considered, the risks are statistically negligible when compared to the risk of a weak password or the other insecurities already present with banking online.
