Educause Security Discussion mailing list archives
Re: SECURITY Digest - 15 Oct 2009 to 16 Oct 2009 (#2009-236)
From: Gary Dobbins <dobbins () ND EDU>
Date: Sun, 18 Oct 2009 13:43:12 -0400
On their site is a Q&A forum where someone posed just that question. Their answer implies a proper use of crypto, along with the [proper] philosophy that they do not consider their mechanisms and algorithms a secret; only your crypto key is a secret known only to you. According to that thread: All the server stores, and thus has access to, is the fully-encrypted blob of ciphertext. Their crypto happens in the JavaScript that runs in your browser, not on the server.
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
Sent: Sunday, October 18, 2009 11:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SECURITY Digest - 15 Oct 2009 to 16 Oct 2009 (#2009-236)

That sounds really handy, but I'd be afraid that the system administrator at that web site would have back-door access to all your passwords.

At 06:15 PM 10/17/2009, Gary Dobbins wrote:

Has anyone else tried lastpass (.com)? I've found it to be an option for handling these problems. It will randomly generate passwords, remember them all, one for each place you visit, and (presuming their answers to how they handle the data are true) the storehouse of your passwords never leaves your computer unencrypted by a master password only you know. I'd be interested to hear if others find this valid, or if the service has a serious Achilles heel.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Geoff Nathan
Sent: Saturday, October 17, 2009 6:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SECURITY Digest - 15 Oct 2009 to 16 Oct 2009 (#2009-236)

Matt said:

I tend to use truly random passwords from a generator or those similar in style to what Don mentioned.

It's of course ideal to use long, random, meaningless strings as passwords. It's also ideal to have a different password for each application (server, e-mail, banking site, etc. etc.) that we log into. But I have two e-mail accounts (three if we include the one that AT&T gives me as part of my home setup), a Wayne State single sign-on password, my bank, my credit card, my retirement accounts, and then the less risky ones like Amazon, Zagat, Cooks Illustrated, Tripit, and I could go on (as in fact I have...)

It's simply impossible to remember all these, unless I repeat the passwords, or use a password wallet (which itself is clumsy, and requires its own password). As others have said, the password paradigm is broken, and, as long as two-factor is too expensive we're going to continue to have trouble, and it's not the users' fault. We can't ask them to do twelve impossible things before breakfast and slap their wrists when they don't. Eventually they will slap back, and they will be right.

Geoffrey S. Nathan
Faculty Liaison, C&IT