[Lex Computer & Tech Group/LCTG] LastPass confirms users' password vaults were stolen by hackers

[Jon Dreyer]

My approach is a bit more work, but it makes me feel safe despite how 
theoretically easy it would be to break it.

I have a text file in an unlinked, and trivially password protected, Web 
page. That file looks like a list of my passwords, but it isn't quite. 
Each password in the file is a randomly generated string, but what the 
attacker (except for you all) doesn't know is that the actual passwords 
are those random strings but with my own personal tweak. When I log in 
to, say, my bank account, I copy/paste the string from the file into the 
password field and then tweak it.

So the only way I'm screwed is if they find this file and figure out my 
ttweak (and there's no clue that one is needed except that the passwords 
don't work). Cryptographically unsafe, but it feels pragmatically pretty 
safe to me, since you can break into millions of accounts if you hack 
lastpass, but you can only get my accounts if you hack this.

Somebody who doesn't have their own Web site could do this with 
something like a google doc or google sheet.

And I also use 2FA for important sites as well.

-- 

Jon "I Don't Have To Outrun The Bear; I Just Have To Outrun You" Dreyer
Math Tutor/Computer Science Tutor <http://www.passionatelycurious.com>
Jon Dreyer Music <http://music.jondreyer.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.toku.us/pipermail/lctg-toku.us/attachments/20221229/e062c889/attachment.htm>