- #Play myst online uru live password
- #Play myst online uru live plus
- #Play myst online uru live download
One of the points you brought up is extremely valid though: LastPass is closed-source, so it's nearly impossible to truly validate the crypto.
The only valid point I see it make is about garbage collection and potential for reading decrypted memory directly (MANY languages have this problem, not just JS). The article is just completely wrong in many ways.
Plus, modern browsers now have "window.crypto" which provides a PRNG. Once you package the client code, it can be just as hard to break as something like KeePass (assuming the add-on itself has a decent security policy, ie don't eval()code from random places). Is this method flawed? Only if you do a web-app instead of a browser add-on.
#Play myst online uru live download
It doesn't address using browser add-ons to do AES encryption, have your data stored on the server in encrypted form, and only decrypted when you download it again.
#Play myst online uru live plus
Plus that article attacks JS doing crypto that the server will decrypt (which, yes is useless, use TLS). The part of the article that attacks extensions just makes a bunch of assumptions (like, you're going to download scripts and eval them from your extension). You can do crypto in JS, just don't download it every time (distribute signed packages via browser add-ons).
#Play myst online uru live password
You have no idea when someone takes a picture of your password sheet :)Įhh, going to come out and say Matasano is wrong here. This goes directly against your initial point that you don't know when your passwords have been compromised. > for this reason I recommend writing your passwords down on a piece of paper you keep in your wallet or purse. As someone who had their BTC stolen while using what would be considered a secure password, I can say that password cracking against a stolen database dump is not a theoretical threat. That assumption has been proven time and again to be completely false. if they do that, and you use lastpass, then they have all of your passwords. > assuming that every place you use a password is both competent and honest (which is a stretch), the only way for someone to get your passwords is to compromise your computer. I am not saying that LastPass is the end-all-be-all of security, but compared to what 99.999% of people are doing, it is a huge win. There is no way that I am going to remember the 300 or so passwords I have stored in LastPass and I will certainly not be able to change them as fast as I sometimes have to. However, I trust the browser and LastPass more than I trust my ability to keep the passwords secure. This is bad since the browser can be compromised. For example, you can log into their website and enter your master password, to retrieve any other password. LastPass has made certain compromises in security to give you more functionality. Aside from my main bank account and my email, I do not know any of them as they are long random single use strings.
As almost anyone online, I have a lot of different accounts. LastPass is a huge net gain in security compared to almost anything else you could reasonably do. Actually Chrome probably does better since it won't automatically push your passwords to the cloud unless you sync. Mine as well just store all your passwords in Chrome. I don't know, I don't like the idea of a digital store of all of my most critical information put behind a password that doesn't even pop-up on your computer. LastPass can be compromised every single way that my memorized passwords can, in addition to being compromisable on any computer you use it on, and the LastPass services stores all of your passwords offsite, all of them, adding in another huge vector for attack against your entire catalog- in a way that my memory can never be attacked (without say, interrogation/force). I started this thread asking if there was a better solution that memorizing 5-10 passwords and using some variable of a throwaway for the majority of everything else, and I'm still not convinced that my method isn't the best outside of just hard memorizing a unique password for every site.įact is: my memorized passwords can only be compromised where they are stored on servers (or through a keylogger). Memorizing a few unique passwords for mission critical services while using generic throwaways for low-priority sites is more secure than LastPass can ever be.
0 kommentar(er)
