>Steve Gibson uses it, I won't pretend to be as capable of speaking to its benefits so I encourage you to listen to Security Now.
The last person you should take security advice from is Steve Gibson. He's done an amazing job of making himself out to be a "security expert" but his understanding of security is ... exceedingly limited.
I use lastpass sometimes, but it seems very insecure to keep passwords on my machine.
I don't like keeping lastpass with a master password because typing a strong, long master password every single time I want any password is not a use case I enjoy, and I certainly don't want to lock up my passwords with something that is easily defeatable.
And without a strong master password locking every attempt to use lastpass, it becomes far, far less secure than memorizing passwords.
LastPass has a number of features that make it more secure than you think, without having to type in the master password every time. You can tell it to trust specific machines (like your home desktop) that are highly unlikely to be compromised, and you won't need to type in your password except for information you mark as secure (for example, I require my master password to access the credit card data info I keep in lastpass). For slightly less physically secure machines (like a laptop), you can have the local login time out, so you only have to enter your master password once every N minutes/hours.
You can also get 2 factor authentication (free with google authenticator on your smartphone, or slightly less free with yubikey and others). Thus, even if someone did somehow get/break your master password (unlikely), they still wouldn't be able to use it for anything.
If somebody sees your password on a sticky note, they now know your password. If they get access to your computer with LastPass logged in, they can't get your master password.
Small distinction, but there it is.
Also, with LastPass you are just trading risks. You increase the risk of your accounts being compromised by access to your computer, but you decrease your risk of accounts being compromised because the HN password database was cracked. I use LastPass because I think that trade results in less overall risk, especially because it replaced saving my passwords in Chrome's less-secure password manager.
How is Lastpass any less secure? Anyone with access to your computer could put a USB keylogger on it and get all your passwords that way. The only way to prevent that would be to use an on screen keyboard, but then all the attacker would have to do is stand behind you or remote control your computer.
Memorizing a few unique passwords for mission critical services while using generic throwaways for low-priority sites is more secure than LastPass can ever be.
I started this thread asking if there was a better solution than memorizing 5-10 passwords and using some variable of a throwaway for the majority of everything else, and I'm still not convinced that my method isn't the best outside of just hard memorizing a unique password for every site.
Fact is: my memorized passwords can only be compromised where they are stored on servers (or through a keylogger).
LastPass can be compromised every single way that my memorized passwords can, in addition to being compromisable on any computer you use it on, and the LastPass service stores all of your passwords offsite, all of them, adding in another huge vector for attack against your entire catalog--- in a way that my memory can never be attacked (without say, interrogation/force).
I don't know, I don't like the idea of a digital store of all of my most critical information put behind a password that doesn't even pop up on your computer. Might as well just store all your passwords in Chrome. Same amount of security. Actually Chrome probably does better since it won't automatically push your passwords to the cloud unless you sync...
> I started this thread asking if there was a better solution than memorizing 5-10 passwords and using some variable of a throwaway for the majority of everything else, and I'm still not convinced that my method isn't the best outside of just hard memorizing a unique password for every site.
When I was younger, I had only 5-10 important accounts and I memorized unique passwords that I thought were strong. Now I have many more important accounts, including four brokerage accounts, several bank accounts, half a dozen credit card accounts, two domain registrar accounts associated with tens of thousands of dollars worth of domains, etc. I have a separate computer that I only use to access these important accounts, and my passwords for these accounts are stored in KeePass, which allows me to have unique passwords with 200+ bits of entropy.
Someone could get a hold of your wallet and take a pic of your passwords then put them back and you'd never know you'd been compromised. And LastPass uses the trust no one mentality so you don't have to trust them. They never see your password; it's encrypted using your password and yubikey if you have one.
That's also from 2005... Which isn't to say that it isn't still relevant. Most people don't understand that you really do need random passwords, which means that you must figure out how to create them properly.
Sure, write them down if they don't matter, but don't write your bank account password down, or your google account. Especially if you have your ID in your wallet, it'd be pretty easy to find you and get all your passwords if you lost your wallet. If you DO write them down, leave some portion of your password off.
I.e. your password is "password*&^&", only write down "password" and append the rest from memory.
Steve Gibson has some flaws, and you really shouldn't be listening to him for any kind of security advice. If you have obsolete hard drives you might find his SpinRite product useful.
Then they could go to my computer and photograph my LastPass which, as this thread explains, is perfectly 'secure' to leave without a master password on 'trusted' machines.
Literally identical threat, IMO, being personally targeted for password theft.
If they can get my wallet, they can get to my desktop, I imagine.
I think that your gut is right. A problem with storing your passwords electronically (or really anything electronically) is that you don't have any notification of when they are compromised.
Assuming that every place you use a password is both competent and honest (which is a stretch), the only way for someone to get your passwords is to compromise your computer. If they do that, and you use lastpass, then they have all of your passwords.
For this reason I recommend writing your passwords down on a piece of paper you keep in your wallet or purse.
LastPass is a huge net gain in security compared to almost anything else you could reasonably do. Like almost anyone online, I have a lot of different accounts. Aside from my main bank account and my email, I do not know any of them as they are long random single use strings.
LastPass has made certain compromises in security to give you more functionality. For example, you can log into their website and enter your master password, to retrieve any other password. This is bad since the browser can be compromised.
However, I trust the browser and LastPass more than I trust my ability to keep the passwords secure. There is no way that I am going to remember the 300 or so passwords I have stored in LastPass and I will certainly not be able to change them as fast as I sometimes have to.
I am not saying that LastPass is the end-all-be-all of security, but compared to what 99.999% of people are doing, it is a huge win. IMHO, your statements are spreading FUD.
> Assuming that every place you use a password is both competent and honest (which is a stretch), the only way for someone to get your passwords is to compromise your computer. If they do that, and you use lastpass, then they have all of your passwords.
That assumption has been proven time and again to be completely false. As someone who had their BTC stolen while using what would be considered a secure password, I can say that password cracking against a stolen database dump is not a theoretical threat.
> For this reason I recommend writing your passwords down on a piece of paper you keep in your wallet or purse.
This goes directly against your initial point that you don't know when your passwords have been compromised. You have no idea when someone takes a picture of your password sheet :)
Or don't put important passwords in lastpass. I know my bank password is the least secure password I have because it wasn't randomly generated by lastpass and is easy for me to remember. On the other hand it has the lowest risk of theft profile (not in lastpass, not written down, etc.). As a security layperson I am not sure which matters more, secure as in password strength or secure in terms of ease of discovery.
I'm not a security expert, but this seems to be a fair question. I use KeePass (have for years). One of my problems with LastPass is that the whole system is bootstrapped over HTTPS, which has some insecurities. Essentially, LastPass sends your browser JavaScript via HTTPS which is then used to encrypt all your passwords using AES and send them over the net. The problem is that the original JavaScript payload could be compromised by third parties that have access to the root CA. I realize that revelations about HTTPS insecurity are new and limited to nation-state attacks, but we're talking about all your passwords, here.
Putting HTTPS insecurity aside, we really shouldn't be implementing crypto in JavaScript.
KeePass is both native and open-source, so it avoids many of the problems that LastPass presents, IMHO. Simply install the client program and sync via SparkleShare, git, Dropbox, UbuntuOne, Google Drive, etc.
Ehh, going to come out and say Matasano is wrong here. You can do crypto in JS, just don't download it every time (distribute signed packages via browser add-ons). The part of the article that attacks extensions just makes a bunch of assumptions (like, you're going to download scripts and eval them from your extension). It's a leap.
Plus that article attacks JS doing crypto that the server will decrypt (which, yes is useless, use TLS). It doesn't address using browser add-ons to do AES encryption, have your data stored on the server in encrypted form, and only decrypted when you download it again.
Is this method flawed? Only if you do a web-app instead of a browser add-on. Once you package the client code, it can be just as hard to break as something like KeePass (assuming the add-on itself has a decent security policy, ie don't eval() code from random places).
Plus, modern browsers now have "window.crypto" which provides a PRNG. So there goes that argument.
The article is just completely wrong in many ways. The only valid point I see it make is about garbage collection and potential for reading decrypted memory directly (MANY languages have this problem, not just JS).
One of the points you brought up is extremely valid though: LastPass is closed-source, so it's nearly impossible to truly validate the crypto. KeePass (I also use it) is a much better option, and great when paired with some sort of sync utility.
I'm not familiar with KeePass, but I can tell you that LastPass does not know your master password. They just keep an encrypted copy of your password database which gets decrypted locally when you type in the password.
For this reason, if you lose your master password, LastPass can't unlock your passwords for you. You'll have to go to the NSA for that.
You don't need to take the brain-space — use a password manager like 1Password or LastPass, plus a YubiKey for two-factor auth, and you can use unique passwords everywhere.
I used to use a site called bugmenot to get accounts like these but now as the passwords there have stopped working I have started to use throwaways.
Also my throw away password is 123456789 :P.
I was just thinking if my account is not publicly listed then I can just have a really complicated username and use a really simple password.
(Complicated as in a SHA-2 or MD5 hash of your real name.) (Just thinking out loud.)
What throwaway password do you use for sites with password complexity restrictions? (You know, requiring 1 uppercase, 1 lowercase, 1 special character, etc.)
Aye, but people do. Often. I suggest to people that they set up a system that uses some permutation of the domain name or company name to uniqueify their passwords. This way, you only have to remember one password, plus your system, and you have unique passwords everywhere.
On the subject of red flags during signup, a password length restriction is always a red flag to me. If you're hashing my password, you don't care how long it is, right? If you limit length, I assume it's stored in plain text.
Since 3D content is relatively difficult to make, Andrew Plotkin is making a platform called Seltani that lets people write their multiplayer Myst-universe puzzles in text format. http://dev.seltani.net/ Edit: perhaps more informative wiki page http://seltani.shoutwiki.com/wiki/Main_Page
I also thought you were saying that this project was an actual implementation of Myst's fictional art of writing ages (as practiced by Atrus), as in you describe something with text and an interactive 3D world is generated that corresponds to what you wrote.
Given a limited vocabulary to describe terrain and buildings and furniture and their physical relationships, along with a database of tagged 3d object models or procedural methods of generating such, this could be done but I'm not aware of anyone having attempted to create such a thing.
Edit: Actually, I guess Scribblenauts is the closest approximation to this that exists yet.
You should check out Mystcraft (http://ftbwiki.org/Mystcraft). Basically you need to find pages to write your own age, using them you can describe a Minecraft world that would then be generated, complete with linking book that you can give to other player. It's pretty fun and the closest I have ever found to recreate the experience of being Atrus.
I've always found Scribblenauts to be a guessing game, like the text adventure games of old. You have to find the correct word to use that the machine understands. At least in an IRL role playing game you can discuss what you are talking about to get your point across.
The Myst series are probably one of the games that bring back so many memories. When my brother and I heard they were turning URU into an MMO we were pretty excited, but also scared that there wouldn't be a big enough user base. We were right, and the project 'died'. Then I told him they'd probably open-source it, and there we are!
I'm gonna play the MYST series again. Any programmer/hacker will love this series. They're real classic brain crackers, and worth the play. You will get pulled into the Myst worlds as if they were your own. It's so immersive!
Another game that I feel doesn't get nearly enough credit is Douglas Adams' "Starship Titanic", which was built on the backstory of the book and came on a five-CD collection.
Yes! Such a wonderful game - from the dry humour to bots' AI and the gorgeous art deco design of the ship itself. Although it's not exactly solvable without a walkthrough...
Ah, spectacular! A few friends and I had a lot of fun in the GameTap updates, especially solving some of the nonexistent puzzles (I just call missing puzzles Hard Puzzles, like Jalak). This should be a lot of fun!
I was a big Riven fan but I never tried URU so far - this seems like a great chance to do that. Could someone sum up what the multiplayer experience is like? I could never really imagine how this works. Are there puzzles that you solve together, something like in Portal 2?
Most are 'exploratory' (they can be solved by just one person who does a lot of backtracking / note taking, but are easier with two)
A few actually require two people. (I can't remember if they are still in MOULa today, or if their one-player counterparts are live).
A few are "cheat" puzzles -- they rely on the (very bad) physics engine or stupid-long wait times. (some are upwards of 20-30 minutes, some are over 24 hours). They were always bad ideas, but luckily these are few and far between.
While I'm a big fan of what they were trying to accomplish, the experience is significantly less polished when compared to Portal 2.
If you found Riven enjoyable, the puzzles are slightly easier and simpler. You'll probably have fun, either on your own or with a few friends.
Most of the puzzles are solvable by a single player, because the original Uru Live got cancelled before release, and they had to re-work things to create a single-player offline version. The only puzzles that strictly require a second player are in content introduced during the short-lived GameTap revival. However, many of the puzzles that are theoretically solvable by a single player were first solved by a group effort of observing and mapping out the new worlds.
Uru's single player mission has incredibly high-def graphics that still look great today. The geometry is obviously a bit limited, but the textures look great even at 1920x1200.
The only Mac version that ever shipped used a commercial Wine wrapper. None of the open-source client forks have completely removed all the Windows-specific dependencies, so there are not any native ports yet. The biggest sticking points are Direct3D and an older version of PhysX.
So, from what I read, the client uses an open source license, but the server is proprietary? I hope they will eventually go the extra mile and liberate the server too.
Cyan open-sourced it because they no longer had the resources to further develop it. They weren't able to produce new content for the Windows version, let alone fund a port. Open-sourcing it as-is was all they could do.
There are five installments in the original Myst series:
Myst - (Cyan Worlds) and realMyst (same game, re-created in 3D)
Riven - (Cyan Worlds)
Myst III: Exile - (Presto Studios, of Journeyman Project fame)
Myst IV: Revelation - (Ubisoft Montreal)
Myst V: End of Ages - (Cyan Worlds)
realMyst - (Cyan Worlds) the realtime 3D remake of the original Myst game
There's also a 'partial spin-off' series "Uru", created by Cyan Worlds, which exists in the Myst universe, but happens in a different portion of that universe, and in present day (although this is somewhat of a misnomer, as the Myst V game also takes place in the present day, after events in Uru, and references them)
Uru - Ages Beyond Myst
Uru - To D'Ni
Uru - Path of the Shell
Myst Online: Uru Live (MO:UL) is the latest incarnation of the original "Uru Live", and represents the state of the project after its second (GameTap) cancellation, with some additional changes / bugfixes / etc.
Myst V is sort of an odd-ball in the series, as it was originally meant to be content for Uru Live, but Uru was cancelled and Cyan could only get funding for another single player Myst-type game (something considered 'lower risk' than an online game).
So a lot of content was re-purposed from the Uru Live pipeline for Myst 5, and it attempts to closely bridge the two different parts of the universe and wrap them up together.
Uru is a bit uneven in spots, but I would recommend it just for Path of the Shell. It uses the new mechanic to create one of the sneakiest puzzles of the entire series. Unfortunately there are also several puzzles that require waiting around in order to solve, but it's worth it to beat your head against the time-travelling puzzle.
The real issue with Myst V was the awful drawing mechanic that was necessary to solve almost all of the puzzles. I don't have a lot of artistic ability and what I have is made worse after trying to use a mouse rather than a pen to draw with. Worse, the drawing recognition was poor, so even if you did draw what you were supposed to it was a crapshoot whether the game would recognize it as such. For me, that mechanic reduced the game's puzzles to an incredibly boring session of trial and error.
Probably worth being careful with password choice if you're going to sign up to this. Don't use one of your existing ones!
Other than that, I'm so glad to see Myst back!