From: Jonathan Strickland
Date: Sun, 9 Feb 2020 15:01:30 -0500
Subject: Re: Storing secrets for Lojban resources.
To: Gleki Arxokuna, Riley Martinez-Lynch, secretary@lojban.org, president@lojban.org, Robert LeChevalier, Jonathan Strickland
In-Reply-To: <20200129170445.GI26741@stodi.digitalkingdom.org>

Hi all, just chiming in.

I don't have the full context here, but I'd strongly advise against the usage of email or shared documents for managing secrets.

I'm of the same understanding as Robin here with regards to the security of LastPass. As noted above, the addition of 2FA adds some additional security guarantees.

Again, KeePass + dropbox is a fine solution as well that doesn't require sharing any unencrypted passwords with any cloud services. If there's already a shared DropBox account available, I'd recommend that method of sharing secrets: it would likely be less expensive, as most cloud password managers (including LastPass) charge per-user, per-month.

On Wed, Jan 29, 2020 at 12:04 PM Robin Lee Powell <rlpowell@digitalkingdom.org> wrote:
> Adding djanatyn as he's offered to help with some stuff.
>
> On Wed, Jan 29, 2020 at 04:05:30PM +0300, Gleki Arxokuna wrote:
> > On Wed, Jan 29, 2020, 13:33 Riley Martinez-Lynch <shunpiker@gmail.com>
> > wrote:
> >
> > > Ha! I can confirm Robin's assumptions about secrets keeping. I want to be
> > > clear, though: I remain grateful to Robin for all of the organizational
> > > work that he has done and continues to do.
>
> Oh, I wasn't bothered at all, but thanks.
>
> > > I just think that given increasing online security threats, we
> > > need to adopt some new secret-keeping and sharing practices.
> > >
> > > I can't agree with friend Gleki about the use of email for secrets, and
> > > would kindly request that we not use email to share or store secrets.
> > >
> > > I applaud Robin for proposing a solution: I use 1password personally, but
> > > have also used LastPass, and I think we should consider using one of these
> > > services or something similar to create a vault for LLG secrets. There will
> > > be a small monthly charge.
> > >
> >
> > Ok since I don't want to rely on cloud services (LastPass was hacked once
> > iirc) I would instead rely on conversations with you.
>
> So first off, "lastpass was hacked once let's use email" is
> completely absurd.
>
> Secondly, there have never been any breaches in lastpass that have
> ever resulted in people's passwords being broadly exposed; they've
> never had a breach that has any effect on anyone who uses a decent
> master password, let alone anyone who uses 2FA. Well, except the
> browser plugin clickjacking one, but that was of limited
> effectiveness and patched basically instantly.
>
> Having said that, I'd be perfectly fine with KeePass + dropbox. The
> advantage there is that we can be absolutely sure that no cloud
> service has the unencrypted data (because KeePass is a local-only
> password system), the disadvantage is that the onboarding process
> would require sharing a single master password with everybody.