
Re: dropbox security situation



On Thu 12 Dec 2019 at 22:39:13 -0500, Celejar wrote:

> On Thu, 12 Dec 2019 23:29:28 +0000
> Brian <ad44@cityscape.co.uk> wrote:
> 
> > On Thu 12 Dec 2019 at 21:13:06 +0100, l0f4r0@tuta.io wrote:
> > 
> > > Hi,
> > > 
> > > 10 Dec. 2019 at 23:11 from ad44@cityscape.co.uk:
> > > 
> > > > On Tue 10 Dec 2019 at 22:34:07 +0100, l0f4r0@tuta.io wrote:
> > > >
> > > >> 9 Dec. 2019 at 19:13 from ad44@cityscape.co.uk:
> > > >>
> > > >> > How about not having to remember (or write down) any passwords for
> > > >> > the places you log in to?
> > > >> >
> > > >> > https://masterpassword.app/
> > > >> >
> > > >> > Not in Debian, unfortunately.
> > > >> >
> > > >> Interesting.
> > > >> However, I presume that a specific password modification should not be very
> > > >> easy because it seems you rely on a rather fixed encryption seed...
> > > >>
> > > >
> > > > Modifying a password with the masterpassword app is simplicity
> > > > itself. There is no fixed encryption seed.
> > > >
> > > I've read the documentation. User needs to remember all of
> > > this:
> 
> ...
> 
> > > site-counter
> > 
> > I'll give you this. But it would be very unusual to want it. The
> > default is generally good enough.
> 
> "Very unusual"? Actually, IIUC, you're almost always going to maintain
> a whole table of these. As per the documentation:
> 
> "The site counter ensures you can easily create new keys for the site
> should a key become compromised."
> 
> IOW, whenever you need to change the password for a given site, e.g.,
> because it has suffered a breach, or because of an expiration policy,
> you have to either change your master password (and then update every
> single password managed by the system), or else increment the site
> counter for that site. You then have to keep track of all non-default
> site counters.
> 
> Of course, these values are not that sensitive, so you can still argue
> that this system is safer than storing actual passwords - but it's
> still not the stateless utopia promised by the developer.

That's a fair analysis, although I am never quite sure what is meant by
"stateless". The only password change I have had to make was forced on
me by MBNA. They required that I reduce my 20 character high-entropy
password to 16 chars and knock off some of the funny symbols. Then they
tell me they are doing lots of things to make me safer. What a strange
world!

> > Your device is stolen or destroyed? You can recover your passwords if
> > you can remember your own name and the master password. How about that?
> 
> And your site counters - although I suppose trial and error would work
> if you haven't changed a password too many times.

I think that that is the recommended technique. Although, in line with
other points raised in this thread, it could be written down.

-- 
Brian.
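The scheme under discussion, as an added illustration that is not the Master Password app's own algorithm (its scrypt parameters, key layout and password templates differ): a master key is derived from name and master password, each site password from that key plus site name and counter, and a lost counter can be recovered by trying small values, which is exactly the state the thread says has to be tracked.

```python
import hashlib
import hmac
import string

# Constructed, simplified stateless password scheme. All parameter choices
# (scrypt cost, alphabet, 16-char output, "site\0counter" input) are
# assumptions for illustration only.
ALPHABET = string.ascii_letters + string.digits + "!@#$%&*"


def master_key(full_name: str, master_password: str) -> bytes:
    """Slow KDF keyed on the master password, salted with the user's name.
    Nothing needs to be stored: name + master password regenerate the key."""
    return hashlib.scrypt(master_password.encode(), salt=full_name.encode(),
                          n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=64)


def site_password(key: bytes, site: str, counter: int = 1, length: int = 16) -> str:
    """Site password from master key, site name and counter. Changing the
    counter yields an unrelated password without touching the master secret."""
    seed = hmac.new(key, f"{site}\0{counter}".encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in seed[:length])


def recover_counter(key: bytes, site: str, known: str, max_counter: int = 20):
    """The 'trial and error' recovery from the thread: walk counters until the
    derived password matches one the user still knows. Returns None if the
    counter was incremented past max_counter (the state that must be tracked)."""
    for counter in range(1, max_counter + 1):
        if site_password(key, site, counter) == known:
            return counter
    return None


if __name__ == "__main__":
    key = master_key("Example User", "correct horse battery staple")
    pw1 = site_password(key, "example.org", counter=1)
    pw3 = site_password(key, "example.org", counter=3)   # after two rotations
    print("counter 1:", pw1)
    print("counter 3:", pw3)
    # After losing the device, only name + master password are remembered;
    # the counter is found by trying values against a remembered password.
    print("recovered counter:", recover_counter(key, "example.org", pw3))
```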