<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>FWIW, I am a Dashlane user as I have stated before.</p>
<p>The Dashlane architecture (as others might be as well) provided
cloud based storage of password vaults that are <i><u><b>encrypted
locally.</b></u></i> That is, the local device downloads the
current version of the vault and locally decrypts it. The local
program provides security by time stamping the encryption and
forcing a refresh periodically on the local device.</p>
<p>In my opinion, this architecture limits the exposure of hacking
or threat as the unencrypted data exists only for a short time on
any individual device. In the cloud, your personal vault is just a
blob of data that would be subject to decryption with your
personal credentials. Stealing this data seems to me to be
particularly ineffective in that each "blob" would need to be
individually hacked.</p>
<p>So much for my two cents ...</p>
<p>Peter <br>
</p>
<div class="moz-cite-prefix">On 12/30/2022 9:56 AM, Adam Broun
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:C4163B85-84E8-460C-B747-B62CF71D761C@gmail.com">
Here is a different take from Jeremy Gosney <a
href="https://infosec.exchange/@epixoip/109585049354200263"
class="moz-txt-link-freetext" moz-do-not-send="true">https://infosec.exchange/@epixoip/109585049354200263</a>
<div class=""><br class="">
</div>
<div class="">In particular:
<div class=""><br class="">
</div>
<div class="">"Is the cloud the problem? No. The vast majority
of issues LastPass has had have nothing to do with the fact
that it is a cloud-based solution. Further, consider the fact
that the threat model for a cloud-based password management
solution should *start* with the vault being compromised. In
fact, if password management is done correctly, I should be
able to host my vault anywhere, even openly downloadable (open
S3 bucket, unauthenticated HTTPS, etc.) without concern. I
wouldn't do that, of course, but the point is the vault should
be just that -- a vault, not a lockbox."</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Dec 29, 2022, at 20:27, Robert Primak
&lt;<a href="mailto:bobprimak@yahoo.com"
class="moz-txt-link-freetext" moz-do-not-send="true">bobprimak@yahoo.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">
<div class="ydpf0306db7yahoo-style-wrap"
style="font-family:Helvetica Neue, Helvetica,
Arial, sans-serif;font-size:13px;">
<div dir="ltr" data-setdir="false" class="">In
light of all this discussion, I think I see
where the LastPass breach(-es) happened. It's
not front-end account cracking or browser
hacking. It's back-end data theft from servers
owned by a Cloud Service. These servers either
have outside vendors who have way too much
privileged access, or else they have really
wicked-bad security to begin with. </div>
<div dir="ltr" data-setdir="false" class=""><br
class="">
</div>
<div dir="ltr" data-setdir="false" class="">If
this is the case, I would recommend NEVER using
cloud-based password managers. DO NOT allow
anyone to keep your database on THEIR servers.
This is where local database creation where YOU
control where and how the database is stored
(local-only, or on someplace like Google Drive,
knowing it is likely eventually to be stolen)
looks to me like the best solution. KeePass and
the cross-platform KeePassX (no connection
between these two products, BTW) are examples of
this sort of password manager. Your database is
YOUR property, not the property of some vendor. </div>
<div dir="ltr" data-setdir="false" class=""><br
class="">
</div>
<div dir="ltr" data-setdir="false" class="">Where
you store your vault is up to you. But YOU need
to be in control of this choice, NOT your
password manager's vendor.</div>
<div dir="ltr" data-setdir="false" class=""><br
class="">
</div>
<div dir="ltr" data-setdir="false" class="">And
don't keep unprotected password information
anywhere where someone can find it. But then
again, your heirs and sometimes others will need
to be able to get at your passwords to access
your accounts if need be. </div>
<div dir="ltr" data-setdir="false" class=""><br
class="">
</div>
<div dir="ltr" data-setdir="false" class="">In the
near future, here's hoping passwords will be
sunsetted in favor of more secure login methods.
Microsoft and several other vendors are working
on finalizing the protocols for passkeys:</div>
<div dir="ltr" data-setdir="false" class=""><a
href="https://fidoalliance.org/passkeys/"
rel="nofollow" target="_blank"
class="moz-txt-link-freetext"
moz-do-not-send="true">https://fidoalliance.org/passkeys/</a><br
class="">
</div>
<div dir="ltr" data-setdir="false" class=""><br
class="">
</div>
<div dir="ltr" data-setdir="false" class="">This
is where we are headed, and this latest LastPass
breach only highlights the urgency of converting
sooner than later.</div>
<div dir="ltr" data-setdir="false" class=""><br
class="">
</div>
<div dir="ltr" data-setdir="false" class="">-- Bob
Primak</div>
<div dir="ltr" data-setdir="false" class=""><br
class="">
</div>
</div>
<div id="yahoo_quoted_2863282240"
class="yahoo_quoted">
<div style="font-family:'Helvetica Neue',
Helvetica, Arial,
sans-serif;font-size:13px;color:#26282a;"
class="">
<div class=""> On Thursday, December 29, 2022 at
04:14:51 PM EST, Alan Millner &lt;<a
href="mailto:armillner48@gmail.com"
class="moz-txt-link-freetext"
moz-do-not-send="true">armillner48@gmail.com</a>&gt;
wrote: </div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div id="yiv9982887180" class="">
<div class="">I put my passwords on my paper
rolodex.
<div class="">It has never been hacked.</div>
<div class=""><br class="" clear="none">
<div class="">
<div style="font-family: Helvetica;
font-size: 12px; font-style: normal;
font-weight: normal; letter-spacing:
normal; text-indent: 0px;
text-transform: none; white-space:
normal; word-spacing: 0px;
text-decoration: none; word-wrap:
break-word;" class="">
<div style="word-wrap:break-word;"
class="">
<div style="font-family:
Helvetica; font-size: 12px;
font-style: normal; font-weight:
normal; letter-spacing: normal;
text-indent: 0px;
text-transform: none;
white-space: normal;
word-spacing: 0px;
text-decoration: none;" class="">Alan
Millner</div>
<div style="font-family:
Helvetica; font-size: 12px;
font-style: normal; font-weight:
normal; letter-spacing: normal;
text-indent: 0px;
text-transform: none;
white-space: normal;
word-spacing: 0px;
text-decoration: none;" class=""><a
href="mailto:amillner@alum.mit.edu" class="moz-txt-link-freetext"
moz-do-not-send="true">amillner@alum.mit.edu</a></div>
<div style="font-family:
Helvetica; font-size: 12px;
font-style: normal; font-weight:
normal; letter-spacing: normal;
text-indent: 0px;
text-transform: none;
white-space: normal;
word-spacing: 0px;
text-decoration: none;" class="">781-862-7893</div>
<div style="font-family:
Helvetica; font-size: 12px;
font-style: normal; font-weight:
normal; letter-spacing: normal;
text-indent: 0px;
text-transform: none;
white-space: normal;
word-spacing: 0px;
text-decoration: none;" class="">48
North St., Lexington MA 02420</div>
</div>
</div>
<br class="" clear="none">
<br
class="yiv9982887180Apple-interchange-newline"
clear="none">
</div>
<div id="yiv9982887180yqt45327"
class="yiv9982887180yqt2316743458">
<div class=""><br class=""
clear="none">
<div class="">On Dec 29, 2022, at
3:55 PM, Jon Dreyer &lt;<a
href="mailto:jon@jondreyer.org"
class="moz-txt-link-freetext"
moz-do-not-send="true">jon@jondreyer.org</a>&gt;
wrote:</div>
<br
class="yiv9982887180Apple-interchange-newline"
clear="none">
<div class=""> </div>
</div>
</div>
</div>
</div>
<div id="yiv9982887180yqt16151"
class="yiv9982887180yqt2316743458">
<div class="">
<div class="">
<p class="">My approach is a bit more
work, but it makes me feel safe
despite how theoretically easy it
would be to break it.</p>
<p class="">I have a text file in an
unlinked, and trivially password
protected, Web page. That file looks
like a list of my passwords, but it
isn't quite. Each password in the
file is a randomly generated string,
but what the attacker (except for
you all) doesn't know is that the
actual passwords are those random
strings but with my own personal
tweak. When I log in to, say, my
bank account, I copy/paste the
string from the file into the
password field and then tweak it.<br
class="" clear="none">
</p>
<p class="">So the only way I'm
screwed is if they find this file
and figure out my tweak (and
there's no clue that one is needed
except that the passwords don't
work). Cryptographically unsafe, but
it feels pragmatically pretty safe
to me, since you can break into
millions of accounts if you hack
LastPass, but you can only get my
accounts if you hack this.<br
class="" clear="none">
</p>
<p class="">Somebody who doesn't have
their own Web site could do this
with something like a google doc or
google sheet.<br class=""
clear="none">
</p>
<p class="">And I also use 2FA for
important sites as well.<br class=""
clear="none">
</p>
<div
class="yiv9982887180moz-signature">--
<br class="" clear="none">
<p style="font-family:Times, serif;"
class=""> Jon "I Don't Have To
Outrun The Bear; I Just Have To
Outrun You" Dreyer<br class=""
clear="none">
<a rel="nofollow noopener
noreferrer" shape="rect"
target="_blank"
href="http://www.passionatelycurious.com/"
class="" moz-do-not-send="true">Math
Tutor/Computer Science Tutor</a><br
class="" clear="none">
<a rel="nofollow noopener
noreferrer" shape="rect"
target="_blank"
href="http://music.jondreyer.com/"
class="" moz-do-not-send="true">Jon
Dreyer Music</a> </p>
</div>
</div>
===============================================<br class="" clear="none">
::The Lexington Computer and Technology
Group Mailing List::<br class=""
clear="none">
Reply goes to sender only; Reply All to
send to list.<br class="" clear="none">
Send to the list: <a
href="mailto:LCTG@lists.toku.us"
class="moz-txt-link-freetext"
moz-do-not-send="true">LCTG@lists.toku.us</a>
Message archives: <a
href="http://lists.toku.us/pipermail/lctg-toku.us/"
class="moz-txt-link-freetext"
moz-do-not-send="true">http://lists.toku.us/pipermail/lctg-toku.us/</a><br
class="" clear="none">
To subscribe: <a
href="mailto:lctg-subscribe@toku.us"
class="" moz-do-not-send="true">email
lctg-subscribe@toku.us</a> To
unsubscribe: <a
href="mailto:lctg-unsubscribe@toku.us"
class="" moz-do-not-send="true">email
lctg-unsubscribe@toku.us</a><br
class="" clear="none">
Future and Past meeting information: <a
href="http://LCTG.toku.us" class=""
moz-do-not-send="true">http://LCTG.toku.us</a><br
class="" clear="none">
List information: <a
href="http://lists.toku.us/listinfo.cgi/lctg-toku.us"
class="moz-txt-link-freetext"
moz-do-not-send="true">http://lists.toku.us/listinfo.cgi/lctg-toku.us</a><br
class="" clear="none">
This message was sent to <a
href="mailto:armillner48@gmail.com"
class="moz-txt-link-freetext"
moz-do-not-send="true">armillner48@gmail.com</a>.<br
class="" clear="none">
Set your list options: <a
href="http://lists.toku.us/options.cgi/lctg-toku.us/armillner48@gmail.com"
class="moz-txt-link-freetext"
moz-do-not-send="true">http://lists.toku.us/options.cgi/lctg-toku.us/armillner48@gmail.com</a><br
class="" clear="none">
<br class="" clear="none">
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
<br>
</blockquote>
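<p>Added example (not part of the thread and not Dashlane's or any vendor's code): a sketch of the architecture Peter describes and of Gosney's point that a stolen vault should be useless, where the device derives keys from the master password and only an encrypted blob is uploaded. The function names, blob layout and work factor are assumptions, and the HMAC-based keystream stands in for an AEAD cipher such as AES-256-GCM, which the Python standard library lacks.</p>

```python
import hashlib, hmac, json, secrets

KDF_ITERATIONS = 210_000                 # assumed PBKDF2-HMAC-SHA512 work factor
MIN_ITER, MAX_ITER = 100_000, 5_000_000  # bounds enforced on untrusted headers

def derive_keys(master_password: str, salt: bytes, iterations: int):
    # One slow KDF call (a single SHA-512 output block) split into two keys.
    okm = hashlib.pbkdf2_hmac("sha512", master_password.encode(), salt,
                              iterations, dklen=64)
    return okm[:32], okm[32:]            # (encryption key, MAC key)

def keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-GCM or ChaCha20.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(enc_key, nonce + (i // 32).to_bytes(8, "big"),
                       hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal_vault(master_password: str, entries: dict,
               iterations: int = KDF_ITERATIONS) -> bytes:
    """Runs on the device; the returned blob is all the cloud ever stores."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    header = iterations.to_bytes(4, "big") + salt + nonce
    ct = keystream_xor(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag

def open_vault(master_password: str, blob: bytes) -> dict:
    """Runs on the device after downloading the blob."""
    if len(blob) < 68:                   # 36-byte header + 32-byte tag
        raise ValueError("truncated blob")
    iterations = int.from_bytes(blob[:4], "big")
    if not MIN_ITER <= iterations <= MAX_ITER:
        raise ValueError("KDF work factor outside accepted range")
    salt, nonce, ct, tag = blob[4:20], blob[20:36], blob[36:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    expected = hmac.new(mac_key, blob[:-32], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before decrypting
        raise ValueError("wrong master password or modified blob")
    return json.loads(keystream_xor(enc_key, nonce, ct))
```

<p>Because each blob carries its own random salt, the slow key derivation has to be repeated per blob and per guess, so the protection of a stolen blob rests on the strength of the master password and the KDF work factor.</p>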
</body>
</html>