Author Topic: Cell Phone question  (Read 2047 times)


Online The Latinist

  • Cyber Greasemonkey
  • Technical Administrator
  • Too Much Spare Time
  • *****
  • Posts: 7722
Re: Cell Phone question
« Reply #30 on: April 09, 2019, 09:30:23 PM »
And he would not need physical access to you: He'd just need to know your Lastpass log-in name and password.

No. He would need to obtain a passphrase that exists nowhere in the world except inside my mind.  It has never been written down or spoken and has never been sent in the clear on any network. The only way he could obtain my passphrase would be to extract it from me through physical violence.  And once he had done that, he would have to have physical access to my cell phone as well as either my physical fingerprint or another unique long passphrase and another pin code for my 2-factor authenticator in order to log into LastPass to obtain my password vault, since it requires two-factor authentication. Alternatively, he could turn off two-factor authentication, but he would need access to an E-mail account that is secured by another unique long, strong, random password...one which not even I know.
I would like to propose...that...it is undesirable to believe in a proposition when there is no ground whatever for supposing it true. — Bertrand Russell

Offline daniel1948

  • Isn’t a
  • Reef Tank Owner
  • *********
  • Posts: 8559
  • I'd rather be paddling
Re: Cell Phone question
« Reply #31 on: April 09, 2019, 10:43:10 PM »
My point is that even with a far lesser degree of password security it would still be easier for him to torture you than to break your password. Once finding your password exceeds a certain degree of difficulty, there's no advantage in making it more difficult because the thief who wants it badly enough will already have turned to more drastic methods, or methods that don't involve accessing the phone at all.

It's like putting 25 deadbolts on your door. Once you've gotten to 2 or 3 the thief is just going to break a window instead. I have a little key safe with a spare key to my house in case I lock myself out. A thief could break open the key safe using some heavy blacksmith type equipment. But it would be easier to kick the door down, so the key safe is all the security I need for my spare key.
Daniel
----------------
"Anyone who has ever looked into the glazed eyes of a soldier dying on the battlefield will think long and hard before starting a war."
-- Otto von Bismarck

Offline Belgarath

  • Forum Sugar Daddy
  • Technical Administrator
  • Poster of Extraordinary Magnitude
  • *****
  • Posts: 11855
Re: Cell Phone question
« Reply #32 on: April 10, 2019, 05:44:11 AM »
My point is that even with a far lesser degree of password security it would still be easier for him to torture you than to break your password. Once finding your password exceeds a certain degree of difficulty, there's no advantage in making it more difficult because the thief who wants it badly enough will already have turned to more drastic methods, or methods that don't involve accessing the phone at all.

It's like putting 25 deadbolts on your door. Once you've gotten to 2 or 3 the thief is just going to break a window instead. I have a little key safe with a spare key to my house in case I lock myself out. A thief could break open the key safe using some heavy blacksmith type equipment. But it would be easier to kick the door down, so the key safe is all the security I need for my spare key.


If you read the link I posted, it makes clear that no one at LastPass has your secondary password. It works the same way as your primary password but it’s a random client side generated passphrase that you print out and secure. You can choose not to do that. In which case you must remember the master.

The point of making it as strong as possible is NOT because someone might commit violence against you but rather to prevent dictionary and other brute force attacks against the hashed and salted password blob. This actually happened to LastPass a few years ago where hackers gained access to users' password blobs. This is essentially useless to the hackers for anyone with a strong password. Using whatever scenario you want it’s going to take trillions of years guessing 100 billion passwords per second to guess my master password.

Wastrel’s password, on the other hand, ..........


#non-belief denialist

Offline daniel1948

  • Isn’t a
  • Reef Tank Owner
  • *********
  • Posts: 8559
  • I'd rather be paddling
Re: Cell Phone question
« Reply #33 on: April 10, 2019, 08:11:51 AM »
... The point of making it as strong as possible is NOT because someone might commit violence against you but rather to prevent dictionary and other brute force attacks against the hashed and salted password blob.

You miss my point: If you make it hard enough that the thief cannot get the password by guessing or by brute force, he will turn to other methods. Violence, impersonation, etc. The point of difficulty where the thief turns away from guessing or brute force is the point beyond which making the password more secure no longer has any effect.

Example:

If it would take the thief a decade to brute-force my password and it would take a billion years for him to brute-force yours, our two passwords are effectively of equal security. In either case, he will either look for another target, or turn to other methods. A ten-year password is effectively just as good as a billion-year password.
Daniel
----------------
"Anyone who has ever looked into the glazed eyes of a soldier dying on the battlefield will think long and hard before starting a war."
-- Otto von Bismarck
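
Added example, not part of any post in this thread: a short calculation that puts numbers on the two positions above, using the 100 billion guesses per second quoted in Reply #32 and the ten-year and billion-year figures from Reply #33. It assumes the password is chosen uniformly at random, that an attacker finds it on average after searching half the keyspace, and that the symbol sets are 94 printable ASCII characters or a 7776-word Diceware-style list; all function names are illustrative.

```python
# Added illustration; not code from the thread. Assumes uniformly random secrets.
GUESSES_PER_SECOND = 100_000_000_000   # rate quoted in Reply #32
SECONDS_PER_YEAR = 31_557_600          # 365.25 days (assumption)

def expected_years(symbols, length, rate=GUESSES_PER_SECOND):
    """Average-case offline search time in years (half the keyspace)."""
    keyspace = symbols ** length
    return (keyspace // 2) / (rate * SECONDS_PER_YEAR)

def min_length(symbols, target_years, rate=GUESSES_PER_SECOND):
    """Smallest length whose average-case search time reaches target_years.

    Uses exact integer arithmetic so results near a boundary are not
    distorted by floating-point rounding.
    """
    needed_keyspace = 2 * target_years * rate * SECONDS_PER_YEAR
    length = 1
    while symbols ** length < needed_keyspace:
        length += 1
    return length

def compare(symbols):
    """Return (length for a ten-year password, length for a billion-year one)."""
    return min_length(symbols, 10), min_length(symbols, 1_000_000_000)

# Constructed symbol sets for the comparison (assumptions, see lead-in).
SCHEMES = [
    ("lowercase letters", 26),
    ("printable ASCII", 94),
    ("7776-word list", 7776),
]

if __name__ == "__main__":
    for label, symbols in SCHEMES:
        decade, billion = compare(symbols)
        print(f"{label:18} 10 years: {decade:2} symbols   "
              f"1e9 years: {billion:2} symbols   "
              f"(extra: {billion - decade})")
```

Under these assumptions, the ten-year and billion-year thresholds sit only a few characters or words apart. The figures apply only to randomly generated secrets; human-chosen passwords fall to dictionary attacks far sooner than the keyspace size suggests.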

Offline brilligtove

  • Too Much Spare Time
  • ********
  • Posts: 7380
  • Ignorance can be cured. Stupidity, you deal with.
Re: Cell Phone question
« Reply #34 on: April 10, 2019, 12:00:39 PM »
I think we all get your point, Daniel. I think you're missing our point(s).
evidence trumps experience | performance over perfection | responsibility – authority = scapegoat | emotions motivate; data doesn't

Online Billzbub

  • Stopped Going Outside
  • *******
  • Posts: 4329
  • I know you know I know
Re: Cell Phone question
« Reply #35 on: April 10, 2019, 12:35:45 PM »
So if you are using LastPass, how long does it take you to log into your bank?  Do you have to log into last pass on your phone, select your bank, read the difficult-to-memorize password, and then type it into your bank's web site?
Quote from: Steven Novella
gleefully altering one’s beliefs to accommodate new information should be a badge of honor

Offline wastrel

  • Great poster... or greatest poster?
  • Technical Administrator
  • Poster of Extraordinary Magnitude
  • *****
  • Posts: 13512
  • Science: A cold-hearted bitch with a 14" strap-on
Re: Cell Phone question
« Reply #36 on: April 10, 2019, 01:37:32 PM »
So if you are using LastPass, how long does it take you to log into your bank?  Do you have to log into last pass on your phone, select your bank, read the difficult-to-memorize password, and then type it into your bank's web site?

For my bank I have touch ID, which does add an insecurity.

If I need to enter a password on my phone that I don't have this configured, I go to LastPass (I have LastPass configured for touch-ID; again this adds a layer of insecurity, if someone had access to me and my phone and could compel me to open it, but I acknowledge and accept this risk), search for the site, and tap it. This loads the password to clipboard, and I switch back to app or page and paste.

10 seconds maybe, if I need to enter a password.


Online The Latinist

  • Cyber Greasemonkey
  • Technical Administrator
  • Too Much Spare Time
  • *****
  • Posts: 7722
Re: Cell Phone question
« Reply #37 on: April 10, 2019, 01:53:51 PM »
So if you are using LastPass, how long does it take you to log into your bank?  Do you have to log into last pass on your phone, select your bank, read the difficult-to-memorize password, and then type it into your bank's web site?

I sign into my banking app, tap the password manager icon, authenticate with TouchID, and it inserts my password.  I never see the password.  This also works for any website: I click the username field and I am offered a username above the keyboard; I tap on that, authorize with TouchID, and it logs me in.
I would like to propose...that...it is undesirable to believe in a proposition when there is no ground whatever for supposing it true. — Bertrand Russell

Offline wastrel

  • Great poster... or greatest poster?
  • Technical Administrator
  • Poster of Extraordinary Magnitude
  • *****
  • Posts: 13512
  • Science: A cold-hearted bitch with a 14" strap-on
Re: Cell Phone question
« Reply #38 on: April 10, 2019, 02:05:44 PM »
So if you are using LastPass, how long does it take you to log into your bank?  Do you have to log into last pass on your phone, select your bank, read the difficult-to-memorize password, and then type it into your bank's web site?

I sign into my banking app, tap the password manager icon, authenticate with TouchID, and it inserts my password.  I never see the password.  This also works for any website: I click the username field and I am offered a username above the keyboard; I tap on that, authorize with TouchID, and it logs me in.

My phone doesn't have that in-app LastPass integration.  Is that on the iPhone?  Am I missing some setting?

Online Billzbub

  • Stopped Going Outside
  • *******
  • Posts: 4329
  • I know you know I know
Re: Cell Phone question
« Reply #39 on: April 10, 2019, 03:46:18 PM »
My password vault is encrypted on my computer/phone using 256-bit AES encryption with a key that never leaves my computer.  LastPass never sees the unencrypted vault and does not have access to my key.  They store only the encrypted vault, which they allow me to download if I enter my password.

So even if you lost your computer and phone in a freak meteor impact, you can just log into LastPass with your password and get your vault back?  I may have to look into this.  I have so many accounts in so many places.  I would just have to leave Netflix out of it so my dad can continue to use my account (I pay for extra simultaneous connections).

When choosing your pass phrase for LastPass, does it give you a bunch of crazy restrictions about needed capital letters and special characters?
Quote from: Steven Novella
gleefully altering one’s beliefs to accommodate new information should be a badge of honor

Online Billzbub

  • Stopped Going Outside
  • *******
  • Posts: 4329
  • I know you know I know
Re: Cell Phone question
« Reply #40 on: April 10, 2019, 03:57:33 PM »
Crap, LastPass requires you to install a browser extension.  My work won't allow that, and I'm not allowed to have my phone, either.  So basically, I couldn't manage any finances from work.  Well played, work.  Well played.
Quote from: Steven Novella
gleefully altering one’s beliefs to accommodate new information should be a badge of honor

Online The Latinist

  • Cyber Greasemonkey
  • Technical Administrator
  • Too Much Spare Time
  • *****
  • Posts: 7722
Re: Cell Phone question
« Reply #41 on: April 10, 2019, 05:15:31 PM »
So if you are using LastPass, how long does it take you to log into your bank?  Do you have to log into last pass on your phone, select your bank, read the difficult-to-memorize password, and then type it into your bank's web site?

I sign into my banking app, tap the password manager icon, authenticate with TouchID, and it inserts my password.  I never see the password.  This also works for any website: I click the username field and I am offered a username above the keyboard; I tap on that, authorize with TouchID, and it logs me in.

My phone doesn't have that in-app LastPass integration.  Is that on the iPhone?  Am I missing some setting?

Apps have to be written to integrate password managers, and not all do so.  One of my banks does; the other has built-in TouchID support.

By the way, you can fairly safely copy and paste from the LastPass iPhone app.  Copied passwords stay in the buffer only until they are pasted and time out after two minutes if they aren’t pasted.
I would like to propose...that...it is undesirable to believe in a proposition when there is no ground whatever for supposing it true. — Bertrand Russell

Offline wastrel

  • Great poster... or greatest poster?
  • Technical Administrator
  • Poster of Extraordinary Magnitude
  • *****
  • Posts: 13512
  • Science: A cold-hearted bitch with a 14" strap-on
Re: Cell Phone question
« Reply #42 on: April 10, 2019, 08:03:23 PM »
So if you are using LastPass, how long does it take you to log into your bank?  Do you have to log into last pass on your phone, select your bank, read the difficult-to-memorize password, and then type it into your bank's web site?

I sign into my banking app, tap the password manager icon, authenticate with TouchID, and it inserts my password.  I never see the password.  This also works for any website: I click the username field and I am offered a username above the keyboard; I tap on that, authorize with TouchID, and it logs me in.

My phone doesn't have that in-app LastPass integration.  Is that on the iPhone?  Am I missing some setting?

Apps have to be written to integrate password managers, and not all do so.  One of my banks does; the other has built-in TouchID support.

By the way, you can fairly safely copy and paste from the LastPass iPhone app.  Copied passwords stay in the buffer only until they are pasted and time out after two minutes if they aren’t pasted.

That's how I do it now, was just confused that you had it in-app.

Online arthwollipot

  • Reef Tank Owner
  • *********
  • Posts: 8846
  • Observer of Phenomena
Re: Cell Phone question
« Reply #43 on: April 10, 2019, 09:53:31 PM »
Apps have to be written to integrate password managers, and not all do so.

Really? I'm fairly sure that I've had apps that didn't incorporate password manager support start to support it after an update to LastPass when the app itself didn't update.

Obviously I could be wrong about that.
Self-described nerd. Pronouns: He/Him.

Tarvek: There's more to being an evil despot than getting cake whenever you want it.
Agatha: If that's what you think, then you're DOING IT WRONG!

Offline Captain Video

  • Superhero of the Silver Screen
  • Frequent Poster
  • ******
  • Posts: 3251
Re: Cell Phone question
« Reply #44 on: April 10, 2019, 11:15:44 PM »
Crap, LastPass requires you to install a browser extension.  My work won't allow that, and I'm not allowed to have my phone, either.  So basically, I couldn't manage any finances from work.  Well played, work.  Well played.

I also have a password manager device. It stores all your passwords on a small device a little larger than a thumb drive with a small LED screen. You plug in with USB and it acts like a keyboard. There is a wheel for inputting your pin code which opens it, then you scroll through your passwords and pick the one you want, then it automatically types it into your device (you don't see the password). It works on all Android, Windows, Apple and Linux devices.

I got it from a company in England selling on Etsy. I can't remember the name but when I get home I'll look it up for you.
“Don't explain computers to laymen. Simpler to explain sex to a virgin.”
― Robert A. Heinlein, The Moon is a Harsh Mistress

 
