Marinmo
Jan 23, 2005

Prisoner #95H522 Augustus Hill

wyoak posted:

How many people who had a friend recommend KeePass/Dropbox are going to upgrade KeePass if a vuln is discovered?
They won't, so in the end they'll end up less secure than Lastpass users since the latter are always running the latest version. Further, I'm not so sure he read the end of his gospel, the very audit he posted [EDIT: sorry, that wasn't him, to be fair they kinda seem to agree though], the part where it says "To finish, we want to point out that the security team at LastPass responded very quickly to all our reports and lot of the issues were fixed in just a couple days. It was very easy to communicate and work with them.". That's professional - no system is 100 % secure and the response to the flaws discovered in it tells you a lot about how you can expect those and future issues to be addressed. Convenience and security will always be polar opposites, but too much of either will just tip the scale towards less security anyway. Lastpass generally strikes the perfect balance for everyone who doesn't fancy child pornography or work for the NSA.

Marinmo fucked around with this message at 23:37 on Dec 21, 2015

Marinmo
Jan 23, 2005

Prisoner #95H522 Augustus Hill

Wiggly Wayne DDS posted:

If this is going into arguments over auto-updating then:

Otherwise the argument devolves into implementation differences and how similar vulnerabilities on each platform have different impacts.

Convenience and security are not polar opposites. There's a balancing act on the high-end of the spectrum, but you can design a system that is secure by default, and is convenient for the end-user. If they were polar opposites then browsers would be getting far more inconvenient as security's improved, when the opposite has happened. As far as the statement you quoted it's a standard blurb for showing that the company receiving the report didn't immediately bring out the lawyers, and that other researchers don't need to worry when coming forward. It doesn't answer the response where they ignored half the issues.

If you're looking for a password manager there are far better alternatives, but if you're that much of a fan of the product that you ignore security issues in a security thread then we're well past the point of discussion.
You do realize that 99 % of people just click the X on the update-reminders? You are aware that's basically the reason Win10 forces updates and restarts in the middle of the night if the user doesn't manually set a time to restart (not restarting isn't even an option)? So even if it had auto-update enabled, the very same casual users you claim are better off with Keepass would not update it. Most probably ever. So now that we have that out of the way ...

I have no idea what you're saying about browsers. Seriously, it doesn't make any sense at all. They are constantly balancing between security and convenience for crying out loud. Bundling flash isn't really the epitome of security is it? And they are constantly hit with different exploits - all of them (Chrome, Firefox etc). In your rationale then, we'd all be using lynx or some poo poo because god forbid our browser could run JS (which I reckon is where most exploits originate). The post on the lastpass blog is general security hints which the researcher himself points to as good ways to mitigate the exploit he found - what else do you want? Chances are - and no, we don't know this for sure but snooping around in the source of the non-binary extension will give us a good idea - that the other issues were fixed as well. But I'm sure you don't care either way, you just want to rant and rave and ignore the security issues and inconveniences with the solutions you prefer.

Marinmo fucked around with this message at 01:34 on Dec 22, 2015

Marinmo
Jan 23, 2005

Prisoner #95H522 Augustus Hill

Paul MaudDib posted:

On the other hand having security software automatically install itself from across the internet is also a thing that gives people heartburn.

It's one thing in the context of a secure package-management system like APT. That infrastructure doesn't exist on Windows, the infrastructure used by the majority of the KeePass userbase.
Agreed (also on the edit). Honest question: IF one autoupdates Keepass via its autoupdater, is the new installer verified somehow (MD5, GPG sigs or the like)? Otherwise, we're kinda back to square 1 there ...

Marinmo
Jan 23, 2005

Prisoner #95H522 Augustus Hill

PBS posted:

Let me explain a little further.

The goal is to log into X website, the website login page has two fields. One field is UserID, the other is Passcode.

The passcode itself is something you generate. You generate the passcode by entering your PIN into an RSA SecurID token client, either on a phone or computer.

So if your PIN is 123456, you input this into the SecurID token client and it will spit out something like 01923227.

Go back to the webpage, enter userid in userid field, enter 01923227 in the passcode field, hit login.
This (similar but not exactly the same) is a really common authentication method for banks in my country. Basically you have your (equivalent to) SSN, then you have an authenticator which you unlock with a PIN and then enter two 4-digit number sequences the webpage gives you, which will spit out a 6-digit authentication code. Seems secure enough to me (can't use authenticator w/o PIN) but is largely being replaced by electronic mobile IDs (give SSN, open app on cell phone, enter PIN (equal to or more than 6 numbers) -> authenticated).
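The challenge-response flow described in the post above (server hands out two 4-digit challenges, a PIN-unlocked authenticator answers with a 6-digit code, server checks it), as an added worked example in Python; it is a constructed toy scheme for illustration, not RSA SecurID's or any bank's actual algorithm, and the names derive_seed, response_code and Server are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed toy scheme (not RSA SecurID's or any bank's algorithm):
# the authenticator derives its HMAC seed from the user's PIN and a
# per-device salt, so a wrong PIN silently produces a wrong code.
def derive_seed(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000, dklen=32)

def response_code(seed: bytes, c1: str, c2: str) -> str:
    """Client side: two 4-digit challenges in, one 6-digit code out."""
    mac = hmac.new(seed, f"{c1}:{c2}".encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                       # HOTP-style dynamic truncation
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

class Server:
    """Holds each user's enrolled seed and at most one pending challenge per user."""
    def __init__(self, seeds: dict[str, bytes]):
        self.seeds = seeds
        self.pending: dict[str, tuple[str, str]] = {}

    def issue_challenge(self, user: str) -> tuple[str, str]:
        challenge = (f"{secrets.randbelow(10_000):04d}",
                     f"{secrets.randbelow(10_000):04d}")
        self.pending[user] = challenge            # replaces any older challenge
        return challenge

    def verify(self, user: str, code: str) -> bool:
        challenge = self.pending.pop(user, None)  # consumed: one answer per challenge
        if challenge is None or user not in self.seeds:
            return False
        expected = response_code(self.seeds[user], *challenge)
        return hmac.compare_digest(expected, code)  # constant-time comparison

if __name__ == "__main__":
    salt = b"constructed-device-salt"             # constructed sample value
    server = Server({"alice": derive_seed("123456", salt)})  # enrolment step
    c1, c2 = server.issue_challenge("alice")
    code = response_code(derive_seed("123456", salt), c1, c2)  # what the token shows
    print("challenge", c1, c2, "-> code", code, "accepted:", server.verify("alice", code))
```

Because the server pops the pending challenge before checking, a captured code cannot be replayed against a later login, which is the property that makes this stronger than a static passcode.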
