Received: from rlpowell by stodi.digitalkingdom.org with local (Exim 4.92) (envelope-from ) id 1iwqlh-00060L-QC; Wed, 29 Jan 2020 09:04:45 -0800
Date: Wed, 29 Jan 2020 09:04:45 -0800
From: Robin Lee Powell
To: Gleki Arxokuna
Cc: Riley Martinez-Lynch , secretary@lojban.org, president@lojban.org, Robert LeChevalier , djanatyn@gmail.com
Subject: Re: Storing secrets for Lojban resources.
Message-ID: <20200129170445.GI26741@stodi.digitalkingdom.org>
Mail-Followup-To: Gleki Arxokuna , Riley Martinez-Lynch , secretary@lojban.org, president@lojban.org, Robert LeChevalier , djanatyn@gmail.com
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.11.3 (2019-02-01)

Adding djanatyn as he's offered to help with some stuff.

On Wed, Jan 29, 2020 at 04:05:30PM +0300, Gleki Arxokuna wrote:
> On Wed, Jan 29, 2020, 13:33 Riley Martinez-Lynch
> wrote:
>
> > Ha! I can confirm Robin's assumptions about secrets keeping. I want to be
> > clear, though: I remain grateful to Robin for all of the organizational
> > work that he has done and continues to do.

Oh, I wasn't bothered at all, but thanks.

> > I just think that given increasing online security threats, we
> > need to adopt some new secret-keeping and sharing practices.
> >
> > I can't agree with friend Gleki about the use of email for secrets, and
> > would kindly request that we not use email to share or store secrets.
> >
> > I applaud Robin for proposing a solution: I use 1password personally, but
> > have also used LastPass, and I think we should consider using one of these
> > services or something similar to create a vault for LLG secrets. There will
> > be a small monthly charge.
> >
>
> Ok since I don't want to rely on cloud services (LastPass was hacked once
> iirc) I would instead rely on conversations with you.

So first off, "lastpass was hacked once let's use email" is completely absurd.
Secondly, there have never been any breaches of LastPass that have ever resulted in people's passwords being broadly exposed; they've never had a breach that has any effect on anyone who uses a decent master password, let alone anyone who uses 2FA. Well, except the browser plugin clickjacking one, but that was of limited effectiveness and patched basically instantly.

Having said that, I'd be perfectly fine with KeePass + Dropbox. The advantage there is that we can be absolutely sure that no cloud service has the unencrypted data (because KeePass is a local-only password system); the disadvantage is that the onboarding process would require sharing a single master password with everybody.