Sunday, 1 February 2015

Protecting my high-value passwords against offline attacks



Summary


I'm a lastpass user, but I have concerns about storing high-value passwords, like my bank password, online. I've read some posts on this topic but still have questions.



Threats I'm worried about



  1. The attacker gets my encrypted passwords and has enough resources to break my passphrase. The attacker decrypts my online banking password offline, logs in, and steals all my money.

  2. The attacker tricks me into entering my password on a different site than I intend (phishing). The attacker gets my online banking password, steals all my money.

  3. One of my high-value accounts gets compromised. The attacker uses my password there to guess passwords to my other high-value accounts.


I have 4-5 online accounts that I consider high-value enough to be worried about these threats.


Questions


First, are there any more important threats that I'm overlooking here?


Second, how can I address these concerns? I was thinking of having a password manager store a random salt for each high-value account, hash this salt with a "master" password, and use it as the real account password (a bit like pwdhash). Neither the real account passwords nor the master password would be stored anywhere (encrypted or not). This seems to force the attacker to try their password guesses against the online service, rather than being able to break them offline.


Note that this "master" password, which is used to derive the account passwords, is different from lastpass' "master password/passphrase", which is used to encrypt the stored data.


Does this scheme address the threats above? Any software that implements this for Chrome on Linux? I'm ok with switching from lastpass to something else.
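A concrete implementation of the scheme described above, added here as an illustration; it is not code from the original post, from lastpass or from pwdhash. It assumes PBKDF2-HMAC-SHA256 as the slow hash and a 64-character password alphabet; the vault layout, the function names and the sample master password are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import string

# 64-symbol alphabet: 256 is a multiple of 64, so `byte % 64` is unbiased.
ALPHABET = string.ascii_letters + string.digits + "-_"
assert len(ALPHABET) == 64


def new_account_entry(label, length=20, iterations=600_000):
    """Create the vault record for one high-value account.

    Only the label, a fresh random salt and the derivation parameters are
    stored. Neither the master password nor the derived password ever
    appears in the vault, so a stolen vault gives an offline attacker
    nothing to decrypt and no verifier to test master-password guesses
    against (threat 1).
    """
    return {
        "label": label,
        "salt": secrets.token_hex(32),  # 32 random bytes per account
        "length": length,
        "iterations": iterations,
    }


def derive_password(master, entry):
    """Deterministically derive the real account password.

    PBKDF2-HMAC-SHA256 is deliberately slow: if one derived password leaks
    together with its salt (threat 3), each offline guess at the master
    password still costs `iterations` hash computations.
    """
    salt = bytes.fromhex(entry["salt"])
    key = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), salt, entry["iterations"], dklen=32
    )
    # Expand the derived key with HMAC-SHA256 under a counter until we have
    # enough bytes, then map each byte onto the 64-symbol alphabet.
    out = []
    counter = 0
    while len(out) < entry["length"]:
        block = hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        out.extend(ALPHABET[b % 64] for b in block)
        counter += 1
    return "".join(out[: entry["length"]])


def rotate_salt(entry):
    """Change one account's password without touching the master password
    (for example after that site is breached): a new salt yields a new
    password, and the other accounts are unaffected."""
    return {**entry, "salt": secrets.token_hex(32)}


def vault_to_json(entries):
    """Exactly what gets persisted, i.e. what a thief of the vault would see."""
    return json.dumps(entries, indent=2)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed; never written to disk
    vault = [new_account_entry("bank"), new_account_entry("email")]
    for entry in vault:
        print(entry["label"], derive_password(master, entry))
    print(vault_to_json(vault))
```

Two points the code makes explicit. The vault holds only salts and parameters, so a stolen vault is not an offline target in itself, and every account gets an independent password, so a breach at one site does not hand over the others; but a leaked derived password plus its salt does become a verifier for offline guesses at the master password, which is why the slow KDF and a strong master password still matter. The derivation by itself does nothing against threat 2: the derived password is still typed into whatever site is in front of the user, unless the salt lookup is tied to the site's origin the way pwdhash ties its hash to the domain. Real sites also impose their own length and character-class rules, which is what the per-entry `length` field (and, if needed, a per-entry alphabet) is for.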




