Re: SECURITY Digest - 15 Oct 2009 to 16 Oct 2009 (#2009-236)

[Gary Dobbins <dobbins () ND EDU>]

On their site is a Q&A forum where someone posed just that question.  Their answer implies a proper use of crypto, 
along with the [proper] philosophy that they do not consider their mechanisms and algorithms a secret; only your crypto 
key is a secret known only to you.

According to that thread:  All the server stores, and thus has access to, is the fully-encrypted blob of ciphertext.  
Their crypto happens in the JavaScript that runs in your browser, not on the server.



> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
> Sent: Sunday, October 18, 2009 11:56 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] SECURITY Digest - 15 Oct 2009 to 16 Oct 2009 (#2009-
> 236)
>
> That sounds really handy, but  I'd be afraid that the system
> administrator at that web site would have back-door access to all
> your passwords.
>
> At 06:15 PM 10/17/2009, Gary Dobbins wrote:
> > Has anyone else tried lastpass (.com)?  I've found it to be an
> > option for handling these problems.  It will randomly generate
> > passwords, remember them all, one for each place you visit, and
> > (presuming their answers to how they handle the data are true) the
> > storehouse of your passwords never leaves your computer unencrypted
> > by a master password only you know.
> >
> > I'd be interested to hear if others find this valid, or if the
> > service has a serious Achilles Heel.
> >
> >
> >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Geoff Nathan
> > > Sent: Saturday, October 17, 2009 6:37 PM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: Re: [SECURITY] SECURITY Digest - 15 Oct 2009 to 16 Oct
> > 2009 (#2009-
> > > 236)
> > >
> > > Matt said:
> > >
> > > > I tend use truly random passwords from a
> > > > generator or those similar in style to what Don
> > > > mentioned.
> > >
> > > It's of course ideal to use long, random, meaningless strings as
> > passwords. It's
> > > also ideal to have a different password for each application
> > (server, e-mail,
> > > banking site, etc. etc.) that we log into. But I have two e-mail
> > accounts (three if
> > > we include the one that AT&T gives me as part of my home setup), a Wayne
> > > State single sign-on password, my bank, my credit card, my
> > retirement accounts,
> > > and then the less risky ones like Amazon, Zagat, Cooks
> > Illustrated, Tripit, and I
> > > could go on (as in fact I have...)
> > > It's simply impossible to remember all these, unless I repeat the
> > passwords, or
> > > use a password wallet (which itself is clumsy, and requires its
> > own password). As
> > > others have said, the password paradigm is broken, and, as long
> > as two-factor is
> > > too expensive we're going to continue to have trouble, and it's
> > not the users'
> > > fault. We can't ask them to do twelve impossible things before
> > breakfast and slap
> > > their wrists when they don't. Eventually they will slap back, and
> > they will be
> > > right.
> > >
> > > Geoffrey S. Nathan
> > > Faculty Liaison, C&IT