<html><head></head><body><div class="ydp59284cd3yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div></div>
<div dir="ltr" data-setdir="false">True, Adam, about a well managed Cloud Service and a well-defended (encrypted, salted) database. Unfortunately, it appears that LastPass has neither of these.</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Also, at least one of the LastPass breaches involved customer account data, which has nothing to do with the LastPass storage system. Different servers. And even more cause for concern about the company's security practices. Financial and personal information has leaked, unencrypted. Probably back-end thefts. Yet another issue with subscription services and apps. And these days, everyone is going over to subscriptions. </div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">I prefer to choose my Cloud Storage providers for this sort of reason. So I start with my own local database, and upload it from there.</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">That's all I was really saying. </div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">-- Bob Primak </div><div dir="ltr" data-setdir="false"><br></div><div><br></div>
</div><div id="yahoo_quoted_2455955976" class="yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Friday, December 30, 2022 at 09:56:30 AM EST, Adam Broun &lt;abroun@gmail.com&gt; wrote:
</div>
<div><br></div>
<div><br></div>
<div><div id="yiv3056660116"><div>Here is a different take from Jeremy Gosney <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://infosec.exchange/@epixoip/109585049354200263" class="yiv3056660116">https://infosec.exchange/@epixoip/109585049354200263</a> <div class="yiv3056660116"><br clear="none" class="yiv3056660116"></div><div class="yiv3056660116">In particular:<div class="yiv3056660116"><br clear="none" class="yiv3056660116"></div><div class="yiv3056660116">"Is the cloud the problem? No. The vast majority of issues LastPass has
had have nothing to do with the fact that it is a cloud-based solution.
Further, consider the fact that the threat model for a cloud-based
password management solution should *start* with the vault being
compromised. In fact, if password management is done correctly, I should
be able to host my vault anywhere, even openly downloadable (open S3
bucket, unauthenticated HTTPS, etc.) without concern. I wouldn't do
that, of course, but the point is the vault should be just that -- a
vault, not a lockbox.”</div><div class="yiv3056660116"><br clear="none" class="yiv3056660116"></div><div class="yiv3056660116"><br clear="none" class="yiv3056660116"><div class="yiv3056660116"><div><br clear="none" class="yiv3056660116"><blockquote type="cite" class="yiv3056660116"><div id="yiv3056660116yqt11480" class="yiv3056660116yqt0527573613"><div class="yiv3056660116">On Dec 29, 2022, at 20:27, Robert Primak <<a rel="nofollow noopener noreferrer" shape="rect" ymailto="mailto:bobprimak@yahoo.com" target="_blank" href="mailto:bobprimak@yahoo.com" class="yiv3056660116">bobprimak@yahoo.com</a>> wrote:</div><br clear="none" class="yiv3056660116Apple-interchange-newline"><div class="yiv3056660116"><div class="yiv3056660116"><div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;" class="yiv3056660116ydpf0306db7yahoo-style-wrap"><div class="yiv3056660116"></div>
<div dir="ltr" class="yiv3056660116">In light of all this discussion, I think I see where the LastPass breach(es) happened. It's not front-end account cracking or browser hacking. It's back-end data theft from servers owned by a Cloud Service. These servers either have outside vendors who have way too much privileged access, or else they have really wicked-bad security to begin with. </div><div dir="ltr" class="yiv3056660116"><br clear="none" class="yiv3056660116"></div><div dir="ltr" class="yiv3056660116">If this is the case, I would recommend NEVER using cloud-based password managers. DO NOT allow anyone to keep your database on THEIR servers. This is where local database creation where YOU control where and how the database is stored (local-only, or on someplace like Google Drive, knowing it is likely eventually to be stolen) looks to me like the best solution. KeePass and the cross-platform KeePassX (no connection between these two products, BTW) are examples of this sort of password manager. Your database is YOUR property, not the property of some vendor. </div><div dir="ltr" class="yiv3056660116"><br clear="none" class="yiv3056660116"></div><div dir="ltr" class="yiv3056660116">Where you store your vault is up to you. But YOU need to be in control of this choice, NOT your password manager's vendor.</div><div dir="ltr" class="yiv3056660116"><br clear="none" class="yiv3056660116"></div><div dir="ltr" class="yiv3056660116">And don't keep unprotected password information anywhere where someone can find it. But then again, your heirs and sometimes others will need to be able to get at your passwords to access your accounts if need be. </div><div dir="ltr" class="yiv3056660116"><br clear="none" class="yiv3056660116"></div><div dir="ltr" class="yiv3056660116">In the near future, here's hoping passwords will be sunsetted in favor of more secure login methods. 
Microsoft and several other vendors are working on finalizing the protocols for passkeys:</div><div dir="ltr" class="yiv3056660116"><a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://fidoalliance.org/passkeys/" class="yiv3056660116">https://fidoalliance.org/passkeys/</a><br clear="none" class="yiv3056660116"></div><div dir="ltr" class="yiv3056660116"><br clear="none" class="yiv3056660116"></div><div dir="ltr" class="yiv3056660116">This is where we are headed, and this latest LastPass breach only highlights the urgency of converting sooner rather than later.</div><div dir="ltr" class="yiv3056660116"><br clear="none" class="yiv3056660116"></div><div dir="ltr" class="yiv3056660116">-- Bob Primak</div><div dir="ltr" class="yiv3056660116"><br clear="none" class="yiv3056660116"></div>
</div><div id="yiv3056660116yahoo_quoted_2863282240" class="yiv3056660116yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;" class="yiv3056660116">
<div class="yiv3056660116">
On Thursday, December 29, 2022 at 04:14:51 PM EST, Alan Millner <<a rel="nofollow noopener noreferrer" shape="rect" ymailto="mailto:armillner48@gmail.com" target="_blank" href="mailto:armillner48@gmail.com" class="yiv3056660116">armillner48@gmail.com</a>> wrote:
</div>
<div class="yiv3056660116"><br clear="none" class="yiv3056660116"></div>
<div class="yiv3056660116"><br clear="none" class="yiv3056660116"></div>
<div class="yiv3056660116"><div id="yiv3056660116" class="yiv3056660116"><div class="yiv3056660116">I put my passwords on my paper rolodex.<div class="yiv3056660116">It has never been hacked.</div><div class="yiv3056660116"><br clear="none" class="yiv3056660116"><div class="yiv3056660116">
<div style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;" class="yiv3056660116"><div style="word-wrap:break-word;" class="yiv3056660116"><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;" class="yiv3056660116">Alan Millner</div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;" class="yiv3056660116"><a rel="nofollow noopener noreferrer" shape="rect" ymailto="mailto:amillner@alum.mit.edu" target="_blank" href="mailto:amillner@alum.mit.edu" class="yiv3056660116">amillner@alum.mit.edu</a></div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;" class="yiv3056660116">781-862-7893</div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;" class="yiv3056660116">48 North St., Lexington MA 02420</div></div></div><br clear="none" class="yiv3056660116"><br clear="none" class="yiv3056660116Apple-interchange-newline">
</div>
<div id="yiv3056660116yqt45327" class="yiv3056660116yqt2316743458"><div class="yiv3056660116"><br clear="none" class="yiv3056660116"><div class="yiv3056660116">On Dec 29, 2022, at 3:55 PM, Jon Dreyer <<a rel="nofollow noopener noreferrer" shape="rect" ymailto="mailto:jon@jondreyer.org" target="_blank" href="mailto:jon@jondreyer.org" class="yiv3056660116">jon@jondreyer.org</a>> wrote:</div><br clear="none" class="yiv3056660116Apple-interchange-newline"><div class="yiv3056660116">
</div></div></div></div></div><div id="yiv3056660116yqt16151" class="yiv3056660116yqt2316743458"><div class="yiv3056660116"><div class="yiv3056660116"><p class="yiv3056660116">My approach is a bit more work, but it makes me feel safe despite
how theoretically easy it would be to break it.</p><p class="yiv3056660116">I have a text file in an unlinked, and trivially password
protected, Web page. That file looks like a list of my passwords,
but it isn't quite. Each password in the file is a randomly
generated string, but what the attacker (except for you all)
doesn't know is that the actual passwords are those random strings
but with my own personal tweak. When I log in to, say, my bank
account, I copy/paste the string from the file into the password
field and then tweak it.<br clear="none" class="yiv3056660116">
</p><p class="yiv3056660116">So the only way I'm screwed is if they find this file and figure
out my tweak (and there's no clue that one is needed except that
the passwords don't work). Cryptographically unsafe, but it feels
pragmatically pretty safe to me, since you can break into millions
of accounts if you hack LastPass, but you can only get my accounts
if you hack this.<br clear="none" class="yiv3056660116">
</p><p class="yiv3056660116">Somebody who doesn't have their own Web site could do this with
something like a google doc or google sheet.<br clear="none" class="yiv3056660116">
</p><p class="yiv3056660116">And I also use 2FA for important sites as well.<br clear="none" class="yiv3056660116">
</p>
<div class="yiv3056660116moz-signature">-- <br clear="none" class="yiv3056660116"><p style="font-family:Times, serif;" class="yiv3056660116">
Jon "I Don't Have To Outrun The Bear; I Just Have To Outrun You"
Dreyer<br clear="none" class="yiv3056660116">
<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="http://www.passionatelycurious.com/" class="yiv3056660116">Math Tutor/Computer
Science Tutor</a><br clear="none" class="yiv3056660116">
<a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="http://music.jondreyer.com/" class="yiv3056660116">Jon Dreyer Music</a>
</p>
</div>
</div>
===============================================<br clear="none" class="yiv3056660116">::The Lexington Computer and Technology Group Mailing List::<br clear="none" class="yiv3056660116">Reply goes to sender only; Reply All to send to list.<br clear="none" class="yiv3056660116">Send to the list: <a rel="nofollow noopener noreferrer" shape="rect" ymailto="mailto:LCTG@lists.toku.us" target="_blank" href="mailto:LCTG@lists.toku.us" class="yiv3056660116">LCTG@lists.toku.us</a> Message archives: <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="http://lists.toku.us/pipermail/lctg-toku.us/" class="yiv3056660116">http://lists.toku.us/pipermail/lctg-toku.us/</a><br clear="none" class="yiv3056660116">To subscribe: <a rel="nofollow noopener noreferrer" shape="rect" ymailto="mailto:lctg-subscribe@toku.us" target="_blank" href="mailto:lctg-subscribe@toku.us" class="yiv3056660116">email lctg-subscribe@toku.us</a> To unsubscribe: <a rel="nofollow noopener noreferrer" shape="rect" ymailto="mailto:lctg-unsubscribe@toku.us" target="_blank" href="mailto:lctg-unsubscribe@toku.us" class="yiv3056660116">email lctg-unsubscribe@toku.us</a><br clear="none" class="yiv3056660116">Future and Past meeting information: <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="http://LCTG.toku.us" class="yiv3056660116">http://LCTG.toku.us</a><br clear="none" class="yiv3056660116">List information: <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="http://lists.toku.us/listinfo.cgi/lctg-toku.us" class="yiv3056660116">http://lists.toku.us/listinfo.cgi/lctg-toku.us</a><br clear="none" class="yiv3056660116">This message was sent to <a rel="nofollow noopener noreferrer" shape="rect" ymailto="mailto:armillner48@gmail.com" target="_blank" href="mailto:armillner48@gmail.com" class="yiv3056660116">armillner48@gmail.com</a>.<br clear="none" class="yiv3056660116">Set your list options: <a rel="nofollow noopener noreferrer" shape="rect" 
target="_blank" href="http://lists.toku.us/options.cgi/lctg-toku.us/armillner48@gmail.com" class="yiv3056660116">http://lists.toku.us/options.cgi/lctg-toku.us/armillner48@gmail.com</a><br clear="none" class="yiv3056660116"><br clear="none" class="yiv3056660116"></div></div></div><div id="yiv3056660116yqt65036" class="yiv3056660116yqt2316743458"></div></div>
</div>
</div></div></div></div></blockquote></div><br clear="none" class="yiv3056660116"></div></div></div></div></div></div>
</div>
</div></body></html>