HP3000-L Archives

April 2014, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Mark Wonsil <[log in to unmask]>
Reply To: Mark Wonsil <[log in to unmask]>
Date: Mon, 14 Apr 2014 21:41:32 -0400
I understand the concerns about password vaults. I've never used them for
the very concerns you all have, but I find LastPass different from all the
others. LastPass CANNOT see your passwords. They use a combination of your
username and passphrase to encrypt your passwords locally before sending
the blob to them. They NEVER see your key. If you change your userid or
password, it gets encrypted locally again. You can also use second
authentication services like a YubiKey.

https://lastpass.com/how-it-works/

Again, I submit that as soon as you've connected a machine to the Internet you
have already lost control. The OpenSSL bug has been around for two years.
Apple had a bug that wasn't checking certificates for a while. RSA was
bought off by the NSA. You're just one buffer overflow away from being pwned.

So unless you move to something like this, the only way to be safe on the
Internet is to disconnect.

http://www.owlcti.com/contact/faqs.html

Mark W.
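The mechanism Mark describes above (a key derived locally from username and passphrase, only the encrypted blob and a separately derived login hash ever leaving the client, and a local re-encryption when the passphrase changes) as an added worked example in Python. This is not LastPass's code and is not part of the original post. The PBKDF2 iteration count, the "enc"/"mac" label strings, the login-hash construction and the HMAC-SHA256 counter-mode cipher (a stand-in for AES, which the Python standard library does not ship) are assumptions of this example; the vault contents are constructed sample data.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example, not a real vendor's settings.
KDF_ITERATIONS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(username: str, passphrase: str,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Runs only on the client. The username is the PBKDF2 salt, so the same
    passphrase gives a different key for every account."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               username.lower().encode("utf-8"),
                               iterations, dklen=32)


def derive_login_hash(vault_key: bytes, passphrase: str) -> bytes:
    """What the client sends to log in: one further one-way step over the
    vault key. The server can verify it but cannot recover the key from it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               passphrase.encode("utf-8"), 1, dklen=32)


def _subkeys(vault_key: bytes):
    """Separate encryption and MAC keys derived from the vault key by label."""
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF stream (AES stand-in)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_blob(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_blob(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject any tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob failed integrity check")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def client_sync(username: str, passphrase: str, vault_plaintext: bytes) -> dict:
    """Everything the server receives. Neither the passphrase nor the vault
    key is in the returned dict; the key never leaves this function."""
    key = derive_vault_key(username, passphrase)
    return {"username": username,
            "login_hash": derive_login_hash(key, passphrase),
            "blob": encrypt_blob(key, vault_plaintext)}


def client_rekey(username: str, old_passphrase: str, new_passphrase: str,
                 stored_blob: bytes) -> dict:
    """Passphrase change: decrypt locally with the old key, re-encrypt under
    the new key, and upload a fresh blob and login hash."""
    plaintext = decrypt_blob(derive_vault_key(username, old_passphrase), stored_blob)
    return client_sync(username, new_passphrase, plaintext)


def server_holds_secret(upload: dict, username: str, passphrase: str) -> bool:
    """Demo check: does any byte string the server stores contain the
    passphrase or the vault key?"""
    key = derive_vault_key(username, passphrase)
    held = upload["username"].encode("utf-8") + upload["login_hash"] + upload["blob"]
    return key in held or passphrase.encode("utf-8") in held


if __name__ == "__main__":
    # Constructed sample vault; any resemblance to a real account is accidental.
    vault = b'{"site":"example.org","user":"mark","pw":"correct horse battery"}'
    upload = client_sync("mark@example.org", "a long passphrase", vault)
    print("server holds key or passphrase:",
          server_holds_secret(upload, "mark@example.org", "a long passphrase"))
    rekeyed = client_rekey("mark@example.org", "a long passphrase",
                           "a different passphrase", upload["blob"])
    print("round trip after rekey:",
          decrypt_blob(derive_vault_key("mark@example.org", "a different passphrase"),
                       rekeyed["blob"]) == vault)
```

The point the example makes concrete is Mark's "they never see your key": the server's view is the username, a one-way login hash and an authenticated ciphertext, so a compromise of the server yields only material that still has to be brute-forced through the PBKDF2 step. The MAC check in `decrypt_blob` also means a blob altered in transit or at rest is rejected rather than silently decrypted to garbage.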
On Apr 14, 2014 11:43 AM, "Bahrs, Art" <[log in to unmask]> wrote:

> Hi Stan and All :)
>     Stan is ABSOLUTELY correct on this one!
>
>    Pick your "password vault" program/app of choice... but NEVER EVER NOT
> EVEN ONCE (did I mention never?) use a service that stores your password
> for you!!!
>
>    These are services ... and they are run by humans... the same species
> as the ones who are stealing identities.... So, they may or may not be
> honest... they may or may not decide to take a look at what you store with
> them.... Google is under lawsuit for "data mining" student emails in an
> educational environment they were hosting... (see URL below)  Also,
> remember .... Security types like me at a lot of companies block password
> services from working!  LastPass is deliberately blocked at our sites.
>
>    Some things to look for in selecting how to secure your passwords and
> such:
>       - Solid encryption (at least AES-256)
>       - Allows you to use a passphrase with special characters to secure
> the data (i.e. the password you enter to open the app)
>       - Does NOT autocorrect your spelling on the password fields (some do
> :( )
>       - Allows for some method of securely backing up your data (i.e.
> passwords)
>
>    Some things that are niceties:
>       - Allows for a hard-copy printout
>          - You need to have a copy of all passwords in your safety deposit
> box for your estate to make use of after your end...
>       - Allows for migration/porting to a new device
>       - Multi-platform support
>          - So when you switch from iPhone to Android to Windows to ?? you
> don't have to re-enter things...
>
>    Also, remember to come up with a way to remember the password you set
> up for this password vault app!!! (forgetting it is a real bummer, hehehe)
>
>    The only control of your data is when it is physically under your
> physical control.
>
>    Please note that even paper in your home is not totally secure... Some
> identity thieves do burglary as well...
>
>
> http://www.theguardian.com/technology/2014/mar/19/google-lawsuit-email-scanning-student-data-apps-education
>
> Art "maybe quill and ink wasn't so bad after all?" Bahrs
>
> Art Bahrs, CISSP
> Security Engineer (Oregon Region)
> (971) 282-0927
>
> -----Original Message-----
> From: HP-3000 Systems Discussion [mailto:[log in to unmask]] On
> Behalf Of Stan Sieler
> Sent: Sunday, April 13, 2014 12:40 PM
> To: [log in to unmask]
> Subject: Re: OT OpenSSL-1.0.1 Heartbeat exploit named heartbleed
>
> Re:
> > Lastpass.com
> >
> > You have one master password and it will generate high entropy passwords.
> > They are encrypted locally and stored at lastpass.com.
>
> I don't want *any* computer outside my control to have my
> passwords, encrypted or not!
>
> That's why I was a happy SplashID user for years (Palm, iOS, Mac, Windows,
> Android, and others) ...
> I could share my password locker (database) between my devices, and there
> was absolutely *NO* moving of my data to a server in the cloud (or anywhere
> else outside my control).
>
> Then they went and screwed it up with their version 7, which
> unconditionally loads stuff to the cloud.  I'm on version 6.2, and have to
> constantly tell my iPhone and iPad "no, don't do an 'update all'", and
> manually update my other iOS apps.  At least on Android, I can install what
> I want *and* I can turn off auto-update for selected apps.
>
> Other options:
>
>    1password
>
>       Although it allows for syncing via the cloud, it also supports
> local-only sync,
>       so you can keep your data private.
>
>    keepass
>
>       No cloud, no worry.
>       And, it's open source!
>
> Both support iOS, Mac, Windows, and Android.  (keepass supports a few more)
>
> Stan
>
> * To join/leave the list, search archives, change list settings, *
> * etc., please visit http://raven.utc.edu/archives/hp3000-l.html *