Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
«159 »
  • Post
  • Reply
Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender

Mr Chips posted:

If no-one ITT works for them, can we stop talking about it?

Absolutely.

Adbot
ADBOT LOVES YOU

Subjunctive
Sep 12, 2006

careful now


Cybernetic Crumb

Nobody should feel good about their posts in this thread, FYI.

elite_garbage_man
Apr 3, 2010


ELITE PENS FOR AN ELITE GARBAGE MAN

SKILCRAFT
QUALITY BLIND MADE PRODUCTS

Mr Chips posted:

Can you explain the mathematics for the first bit for everyone else who's interested in understanding why?

Hey man, the mathematical proof for it was written by Euclid (back in 300bc believe it or not) and you can read about the formal proof here: https://en.wikipedia.org/wiki/Euclid%27s_theorem

The proof goes like this:

You assume you have a finite set of prime numbers, in this case we'll say we have found every prime in the range of 0-1000, and the primes are denoted as p1, p2, p3,...,pn where pn is the last prime in the set
Then you multiply all of those primes together to get a large composite number, we'll call x
We know that any prime in the set of 0-1000 can divide this number and give us an integer result since x = p1 * p2 * p3 *...* pn (Thanks to formal definitions of divisibility)
The contradiction to the original assumption that only a limited number of primes exists happens when we add 1 to the composite number. so y = x + 1
Since we made a composite number of ALL primes, then there must exist some pi (i is the index number) that can divide y, right? (again due to formal definitions of divisibility)
However this is not the case since we know y = x + 1 = (p1 * p2 * p3 *...* pn) + 1, thus there exists no pi in our original set that divides y, so y must be a prime.

You can do this again, and again (this is called a proof by induction) for every new prime you find (like c, d, e,...etc),
Therefore there are infinitely many primes.

I know this was posted a while ago, but I hope it helps.

elite_garbage_man fucked around with this message at Dec 18, 2015 around 06:14

Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?


elite_garbage_man posted:

I know this was posted a while ago, but I hope it helps.

cheers, thanks for answering that question (and the others who did)

Subjunctive
Sep 12, 2006

careful now


Cybernetic Crumb

elite_garbage_man posted:

I know this was posted a while ago, but I hope it helps.

OK, you can be proud of your posting.

Alereon
Feb 6, 2004

Dehumanize yourself and face to Trumpshed

College Slice

I'm just gonna note that it's possible to disagree without being dicks to eachother, so let's all work on making this thread about security and not nerds arguing.

RISCy Business
Jun 17, 2015

bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork


Fun Shoe

Alereon posted:

I'm just gonna note that it's possible to disagree without being dicks to eachother, so let's all work on making this thread about security and not nerds arguing.

thanks

also thanks for the av babyface nerd, whoever it was

RISCy Business fucked around with this message at Dec 18, 2015 around 15:13

wyoak
Feb 14, 2005

a glass case of emotion


Fallen Rib

Alereon posted:

I'm just gonna note that it's possible to disagree without being dicks to eachother, so let's all work on making this thread about security and not nerds arguing.
The only real victories in infosec are for the blackhats, so everyone else is left to argue with each other over definitions of words

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?



FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity



Fun Shoe

Best recommendations for password managers? Surely keeping them all in a Google Spreadsheet isn't considered best practice. I'm not interested in spending money on a service though. How is Safewin Cloud?

PBS
Sep 21, 2015


FunOne posted:

Best recommendations for password managers? Surely keeping them all in a Google Spreadsheet isn't considered best practice. I'm not interested in spending money on a service though. How is Safewin Cloud?

Local only KeePass/PasswordSafe are decent.

Online I'd say lastpass.

Alereon
Feb 6, 2004

Dehumanize yourself and face to Trumpshed

College Slice

FunOne posted:

Best recommendations for password managers? Surely keeping them all in a Google Spreadsheet isn't considered best practice. I'm not interested in spending money on a service though. How is Safewin Cloud?
I think LastPass is the best choice for personal use. Make sure to enable 2 Factor Authentication via Google Authenticator or something.

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

I like LastPass with two-factor authentication. $12 a year is great, I looked at 1Password but it seemed very expensive for the amount of licenses I'd need to buy.

bobbilljim
May 29, 2013

this christmas feels like the very first christmas to me


Lastpass 2-factor doesn't actually do anything, so I wouldn't bother turning it on. Last I checked, anyway.

Alereon
Feb 6, 2004

Dehumanize yourself and face to Trumpshed

College Slice

bobbilljim posted:

Lastpass 2-factor doesn't actually do anything, so I wouldn't bother turning it on. Last I checked, anyway.
I guess you're talking about it not actually being required in all scenarios by default, like when offline? If security is more important than usability you can disable trusted devices and caching of credentials/vault contents, but that doesn't seem to be a good trade for most people.

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

In all honesty my main use for a password manager is to easily track unique, complex passwords for each online account I use. I'm happy to make the trade off that someone stealing one of my devices and managing to log into it might not get asked for a second factor of authentication.

bobbilljim
May 29, 2013

this christmas feels like the very first christmas to me


Alereon posted:

I guess you're talking about it not actually being required in all scenarios by default, like when offline? If security is more important than usability you can disable trusted devices and caching of credentials/vault contents, but that doesn't seem to be a good trade for most people.

Could just be certain client apps, but last I checked if you have it enabled in Firefox you can sign in with the password and it will autofill any open web page you have, then you can tell the second factor popup to piss off and you still have the password filled in on whatever page. So I don't think its actually enforced, rather its up to the client app.

e: this is when I had it set to not work offline

Alereon
Feb 6, 2004

Dehumanize yourself and face to Trumpshed

College Slice

bobbilljim posted:

Could just be certain client apps, but last I checked if you have it enabled in Firefox you can sign in with the password and it will autofill any open web page you have, then you can tell the second factor popup to piss off and you still have the password filled in on whatever page. So I don't think its actually enforced, rather its up to the client app.

e: this is when I had it set to not work offline
That's the "locally cached credentials" case. If it is important to you that data not be accessible without authenticating, don't cache it locally.

Wiggly Wayne DDS
Sep 11, 2010





Nap Ghost

Lastpass has had too many dumb security issues. Use 1password or KeePass.

Alereon
Feb 6, 2004

Dehumanize yourself and face to Trumpshed

College Slice

Wiggly Wayne DDS posted:

Lastpass has had too many dumb security issues. Use 1password or KeePass.
KeePass requires your own db management solution and 1password requires you to purchase a separate license for every platform, both of which are dealbreakers for most normal people. If you are a nerd and a local db works for you then not trusting anyone else with your data is obviously safest.

Inspector_666
Oct 7, 2003

benny with the good hair


I also only know of one "breach" that Lastpass has had, and all it did was release stuff that's already encrypted up the wazoo.

Wiggly Wayne DDS
Sep 11, 2010





Nap Ghost

Inspector_666 posted:

I also only know of one "breach" that Lastpass has had, and all it did was release stuff that's already encrypted up the wazoo.
Here's a rundown of an audit publicised last month: http://www.martinvigo.com/even-the-...n-deal-with-it/

Alereon posted:

KeePass requires your own db management solution and 1password requires you to purchase a separate license for every platform, both of which are dealbreakers for most normal people. If you are a nerd and a local db works for you then not trusting anyone else with your data is obviously safest.
Those are issues for people needing multi-platform solutions, I doubt that is the majority of the userbase and doesn't excuse using an insecure manager.

Alereon
Feb 6, 2004

Dehumanize yourself and face to Trumpshed

College Slice

Wiggly Wayne DDS posted:

Here's a rundown of an audit publicised last month: http://www.martinvigo.com/even-the-...n-deal-with-it/

Those are issues for people needing multi-platform solutions, I doubt that is the majority of the userbase and doesn't excuse using an insecure manager.
Lastpass isn't insecure, it just makes intelligent default choices to balance security and convenience for its users. Most people want features like trusted devices and offline access to their vault., and if you don't no one makes you keep them enabled.

Wiggly Wayne DDS
Sep 11, 2010





Nap Ghost

Alereon posted:

Lastpass isn't insecure, it just makes intelligent default choices to balance security and convenience for its users. Most people want features like trusted devices and offline access to their vault., and if you don't no one makes you keep them enabled.
Did you read the audit at all?

Inspector_666
Oct 7, 2003

benny with the good hair


Wiggly Wayne DDS posted:

Those are issues for people needing multi-platform solutions, I doubt that is the majority of the userbase and doesn't excuse using an insecure manager.

Isn't the entire draw of cloud-based password managers multi-platform support? I've thought about going back to just KeePass from Lastpass, but I figure if the biggest threat to my Lastpass info requires somebody have local control over my computer I'm hosed either way.

Wiggly Wayne DDS
Sep 11, 2010





Nap Ghost

Inspector_666 posted:

Isn't the entire draw of cloud-based password managers multi-platform support?
We were talking about password managers in general, not specifically narrow cases where your software options are limited.

Alereon
Feb 6, 2004

Dehumanize yourself and face to Trumpshed

College Slice

Wiggly Wayne DDS posted:

Did you read the audit at all?
Yes, it says that if credentials are saved locally to your machine, then an attacker with access to your machine may be able to gain access to your Lastpass vault data and account. This is not the threat model most people care about, and anyone that does can mitigate it by making changes to their account settings. Honestly dude you are making mountains out of molehills, Lastpass is compellingly better than the alternatives for everyone that isn't an autist and doesn't want to buy an app once for every platform they own.

Wiggly Wayne DDS
Sep 11, 2010





Nap Ghost

Alereon posted:

Yes, it says that if credentials are saved locally to your machine, then an attacker with access to your machine may be able to gain access to your Lastpass vault data and account. This is not the threat model most people care about, and anyone that does can mitigate it by making changes to their account settings. Honestly dude you are making mountains out of molehills, Lastpass is compellingly better than the alternatives for everyone that isn't an autist and doesn't want to buy an app once for every platform they own.
If your password manager, by default, has an unencrypted key stored (dOTP) that can be used to authenticate, obtain the encrypted vault key, decrypt the vault key, bypass IP restrictions, bypass 2FA and relies on local storage being impenetrable then you've got a bit of a design flaw. We've seen the damage in the past when Lastpass had an XSS problem that let an attacker grab any plaintext passwords from a vault silently. You're not storing your vault on a single system by virtue of using Lastpass so that is not the only possible angle of attack, and based on prior issues I can't comfortably advise people to use it for secure password storage. Especially given their response to the issues presented.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender

Alereon posted:

Lastpass is compellingly better than the alternatives [...] doesn't want to buy an app once for every platform they own.

KeePass doesn't cost money and works on virtually every platform out there. It works great with Dropbox and works fine for autists and non-autists alike.

Paul MaudDib
May 2, 2006

"Tell me of your home world, Usul"


Alereon posted:

KeePass requires your own db management solution and 1password requires you to purchase a separate license for every platform, both of which are dealbreakers for most normal people. If you are a nerd and a local db works for you then not trusting anyone else with your data is obviously safest.

I have no idea what you're talking about with KeePass. I've used KeePass2 for years now, and I've never set up a database. It asks you how many PBKDF2 (I think) rounds you want to use but also provides a helpful "optimize for 1 second" button.

I just throw it in a Dropbox after that. Nowadays it can even helpfully merge changes if its been modified elsewhere since it was opened. I use it on Linux with Wine, there's freeware Android implementations, etc.

SeaFile is probably better than Dropbox from a security standpoint.

Paul MaudDib fucked around with this message at Dec 21, 2015 around 19:58

Inspector_666
Oct 7, 2003

benny with the good hair


I feel like if you think LastPass is insecure "just throw your entire password DB into Dropbox!" isn't really much better...

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender

Inspector_666 posted:

I feel like if you think LastPass is insecure "just throw your entire password DB into Dropbox!" isn't really much better...

Please explain how you have come to this conclusion. You're (mostly) in control and provided that you don't set your KeePass file to some dumb password, putting it on Dropbox or some other hosting service is far better than trusting that the algorithm used on LastPass isn't being hobbled by any inadequately written software. Hell, you can combine it with a keyfile if you're even less trusting of this method.

You can at least inspect how KeePass is treating your passwords whereas you're trusting a blackbox with LastPass that has had a number of problems in the past five years.

Inspector_666
Oct 7, 2003

benny with the good hair


OSI bean dip posted:

Please explain how you have come to this conclusion. You're (mostly) in control and provided that you don't set your KeePass file to some dumb password, putting it on Dropbox or some other hosting service is far better than trusting that the algorithm used on LastPass isn't being hobbled by any inadequately written software. Hell, you can combine it with a keyfile if you're even less trusting of this method.

You can at least inspect how KeePass is treating your passwords whereas you're trusting a blackbox with LastPass that has had a number of problems in the past five years.

Last time there was a discussion about this the overwhelming opinion from goons was that Dropbox was a security joke and your data might as well just be publically accessible.

Then again that conversation was just as dripping with toxic condescension as this thread has been so maybe I missed something.

M_Gargantua
Oct 16, 2006

STOMPIN' ON INTO THE POWER LINES

Toilet Rascal

They're not advocating putting your passwords on dropbox, but to use it to hold the encrypted container that KeePass needs so you can keep it synched between devices. As long as you feel that the container is secure then the risk you're taking hosting it on dropbox is minimized by rotating passwords.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender

Inspector_666 posted:

Last time there was a discussion about this the overwhelming opinion from goons was that Dropbox was a security joke and your data might as well just be publically accessible.

Then again that conversation was just as dripping with toxic condescension as this thread has been so maybe I missed something.

Dropbox security is a complete joke because as the data is stored in plaintext when at rest. There is no argument from me on this at all.

However, you're telling me that is worse than trusting that LastPass, a service that stores passwords for millions of users? A service that has been in a supposed targeted attack in the past year? A service that has had issues with credentials being stolen from the browser last year? A service that has had its users change their master password in the past?

And we're going on about Dropbox being insecure because someone could read the password file on your system? At least if you're saving the KeePass (or 1Password) file via Dropbox that you don't have to be as concerned about someone modifying the application to allow others to read the data. The type of attack on Juniper's VPN source-code is far more likely with LastPass than with KeePass to say the least.

Have you given any consideration to this?

Alereon
Feb 6, 2004

Dehumanize yourself and face to Trumpshed

College Slice

Wiggly Wayne DDS posted:

If your password manager, by default, has an unencrypted key stored (dOTP) that can be used to authenticate, obtain the encrypted vault key, decrypt the vault key, bypass IP restrictions, bypass 2FA and relies on local storage being impenetrable then you've got a bit of a design flaw. We've seen the damage in the past when Lastpass had an XSS problem that let an attacker grab any plaintext passwords from a vault silently. You're not storing your vault on a single system by virtue of using Lastpass so that is not the only possible angle of attack, and based on prior issues I can't comfortably advise people to use it for secure password storage. Especially given their response to the issues presented.
You are inventing fake concerns. The default configuration of Lastpass does not protect you from an attacker with access to your machine, because that is not a relevant threat for most users and changing the way the software works to protect against that would require usability compromises that are unacceptable to most users. Users for whom those compromises ARE acceptable can change their account settings, or hell just use KeePass if they care that much.

OSI bean dip posted:

KeePass doesn't cost money and works on virtually every platform out there. It works great with Dropbox and works fine for autists and non-autists alike.
KeePass is worthless for average users because it requires you to roll your own db storage and synchronization solution. Saying "just use dropbox" is great for autists who want to live independently, but it's absolutely not a solution that Just Works in the way Lastpass does. You're a smart guy, you know all this, so I don't get why you won't accept that LastPass offers the best balance between security and usability for most people. Let's be real, features like trusted devices and offline access to a cached db that seem like anathema to you and Wiggly Wayne are incredibly valuable to users.

Alereon fucked around with this message at Dec 21, 2015 around 20:21

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender

Alereon posted:

KeePass is worthless for average users because it requires you to roll your own db storage and synchronization solution. Saying "just use dropbox" is great for autists who want to live independently, but it's absolutely not a solution that Just Works in the way Lastpass does. You're a smart guy, you know all this, so I don't get why you won't accept that LastPass offers the best balance between security and usability for most people.

My post above adequately demonstrates why using LastPass is a terrible suggestion and should be avoided at all costs. If you're the kind of person that has come to the conclusion that LastPass is necessary, you're the kind of person that is capable of setting up a cloud-based file distribution service.

Wiggly Wayne DDS
Sep 11, 2010





Nap Ghost

Alereon posted:

You are inventing fake concerns. The default configuration of Lastpass does not protect you from an attacker with access to your machine, because that is not a relevant threat for most users and changing the way the software works to protect against that would require usability compromises that are unacceptable to most users. Users for whom those compromises ARE acceptable can change their account settings, or hell just use KeePass if they care that much.
Lastpass is explicitly made to have your vault stored on more than one device, with them having a copy. There is more than a single machine at risk, and users are not the ones who should be trusted to set security policies. This is why secure defaults are increasingly becoming the norm as it turns out no one reads the manual or understands the risks involved. If you're going to say I'm "inventing fake concerns", then back up your "most users" statements over the last page as I think one of us has a stronger basis for reality than the other.

quote:

KeePass is worthless for average users because it requires you to roll your own db storage and synchronization solution. Saying "just use dropbox" is great for autists who want to live independently, but it's absolutely not a solution that Just Works in the way Lastpass does. You're a smart guy, you know all this, so I don't get why you won't accept that LastPass offers the best balance between security and usability for most people. Let's be real, features like offline access
"Just Works" isn't a security concept. You may like those features but that doesn't make them the main reason a user uses software - accessibility and prominence in the landscape are major considerations. Consider how often you've pushed LastPass without finding out if a user needs to have vault access on more than one machine. Is the user making an informed decision across these products, or is their decision making impacted by other peoples' biases?

Alereon
Feb 6, 2004

Dehumanize yourself and face to Trumpshed

College Slice

OSI bean dip posted:

My post above adequately demonstrates why using LastPass is a terrible suggestion and should be avoided at all costs. If you're the kind of person that has come to the conclusion that LastPass is necessary, you're the kind of person that is capable of setting up a cloud-based file distribution service.
Your post describes some very vague and not-at-all-compelling reasons why people should be cautious about trusting their data to Lastpass. And yes, any security professional (or someone who plays one on the Internet) is perfectly capable of setting up their own cloud-based db synch solution, but those security professionals aren't asking for advice on how to manage their passwords. Someone who asks security professionals what password management solution to use should be directed to Lastpass.

Wiggly Wayne DDS posted:

"Just Works" isn't a security concept. You may like those features but that doesn't make them the main reason a user uses software - accessibility and prominence in the landscape are major considerations. Consider how often you've pushed LastPass without finding out if a user needs to have vault access on more than one machine. Is the user making an informed decision across these products, or is their decision making impacted by other peoples' biases?
Here's the problem. Convenience is so vastly more important than your theoretical security concerns that I am stunned we are still having this discussion. This fact has been a foundational principle of information security practices for quite some time. This is because users will work around inconvenient practices with MUCH less secure practices, such as how users respond to strong password requirements by reusing passwords. This is why the priority when creating a process for users MUST be that the process be so convenient users will never be tempted to work around it.

Alereon fucked around with this message at Dec 21, 2015 around 20:35

Adbot
ADBOT LOVES YOU

Wiggly Wayne DDS
Sep 11, 2010





Nap Ghost

Alereon posted:

Your post describes some very vague and not-at-all-compelling reasons why people should be cautious about trusting their data to Lastpass. And yes, any security professional (or someone who plays one on the Internet) is perfectly capable of setting up their own cloud-based db synch solution, but those security professionals aren't asking for advice on how to manage their passwords. Someone who asks security professionals what password management solution to use should be directed to Lastpass.
They absolutely should not and security professionals do talk to each other about security products - they're users too.

quote:

Here's the problem. Convenience is so vastly more important than your theoretical security concerns that I am stunned we are still having this discussion. This fact has been a foundational principle of information security practices for quite some time. This is because users will work around inconvenient practices with MUCH less secure practices, such as how users respond to strong password requirements by reusing passwords. This is why the priority when creating a process for users MUST be that the process be so convenient users will never be tempted to work around it.
Well no poo poo, the problem is at no point have you backed up that the average user needs this particular feature set - or that leaving a file in a dropbox folder is requiring technical proficiency of an autist. For all my fake concerns, you aren't showing any of yours to be real.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
«159 »