I wrote this letter as a Q&A submission for the Security Now! podcast. It didn't make it into the show, but I thought about sharing it here. I think there's a valid point to my argument, but who knows? Am I right? Overly exaggerating? You tell us!
Dear Steve,
I'm currently moving away from an algorithm-based password system. I have been testing out LastPass with some sites and have been more or less liking it. I'm already convinced that its technology can keep me safe from threats from without. However, I still have a cause for concern. As I see it, and as it currently stands, the greatest threat to a LastPass-based security scheme is: *myself*.
Although I use good habits and have not had a problem for the last decade, I cannot completely trust myself not to bring malware to my system: I can be served a malicious banner on a trusted site, open a file from a contact that has been previously compromised, or click a link in an e-mail message while distracted ("so-and-so sent you a message!").
So, if I happen to get malware in my system, what is there to stop it from taking advantage of my LastPass sessions? As I see it, there are at least two ways in which it could harm me. The first one: taking advantage of an open LastPass session to look into my vault and grab whatever it can in one fell swoop. Secondly: passively detecting the presence of LastPass and recording the unencrypted passwords on their way from LastPass to each webpage; key logging is surely not the only tool available for hackers. And, still a third one, if one wants to go over the top: what's to stop the malware from interacting concurrently with me on an open webpage? No doubt it can beat me on speed ("look! A banking site! Let's attempt a quick transaction").
The PPP option doesn't look as if it could help me here, because it would only protect the LastPass data when closed or from without, not when open and in use.
By the looks of it, LastPass is great at holding my passwords and populating fields quickly, but not much else. I still need some sort of second-factor authentication for each site, preferably a global one.
Are these causes for concern, or have the LastPass people come up with a solution for this too?