Board: Bitcoin Discussion
Re: Bitcoinica MtGox account compromised
by Vladimir on 25/07/2012, 14:20:58 UTC
Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity.
No. The easiest way to understand why that is so is to explore the alternatives. It's a lot easier to keep one password (which might include two factor auth) provably secure than several. I don't have to plan for my LastPass password getting broken since it's heat-death-of-the-universe-unfeasible for someone to break it. Thus the risk management is at an optimum.

You don't gain security if you split it up - only obscurity. Increasing the number of different passwords someone needs to remember also increases the risk for people to invent "password schemes", which all lessen security due to lowering entropy.

Bitcoinica using LastPass wasn't a problem. Using a known string as master password was.

I understand what you are getting at and in the technical sense only I agree. But having access to each system component distributed between different username and password combinations, even if they tend to follow a scheme or formula, still requires more effort to break into each one than to compromise one account that gives access (information) for all of the components. An attack on that one account may for now be technically unfeasible, but combined with a leak and/or stupidity as in this case, the results were far more catastrophic than they might have been had passwords not been centrally stored.
...

I think that LastPass is a very excellent system and it is capable of greatly improving information security of a typical company that is using it instead of almost any one other typical method in common use for such purposes. However, LastPass must be used correctly.

This means:
1. Using second factor auth for LastPass (except maybe when the team using it is very small and has no really valuable assets at risk, or during a transitional period)
2. Not using LastPass for the most valuable passwords such as those which give access to bank accounts, money, bitcoin wallets, and most of all "other people's money".

For 2. probably using KeePass with a second factor key is a good idea.