Received: from rlpowell by stodi.digitalkingdom.org with local (Exim 4.92) (envelope-from ) id 1j10a1-0004CJ-9G; Sun, 09 Feb 2020 20:21:53 -0800
Date: Sun, 9 Feb 2020 20:21:53 -0800
From: Robin Lee Powell
To: Jonathan Strickland
Cc: Gleki Arxokuna, Riley Martinez-Lynch, secretary@lojban.org, president@lojban.org, Robert LeChevalier
Subject: Re: Storing secrets for Lojban resources.
Message-ID: <20200210042153.GA11033@stodi.digitalkingdom.org>
Mail-Followup-To: Jonathan Strickland, Gleki Arxokuna, Riley Martinez-Lynch, secretary@lojban.org, president@lojban.org, Robert LeChevalier
References: <20200129170445.GI26741@stodi.digitalkingdom.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.11.3 (2019-02-01)

This is what I'll do unless someone objects soon-ish.

On Sun, Feb 09, 2020 at 03:01:30PM -0500, Jonathan Strickland wrote:
> Hi all, just chiming in.
>
> I don't have the full context here, but I'd strongly advise against the
> usage of email or shared documents for managing secrets.
>
> I'm of the same understanding as Robin here with regards to the security of
> LastPass. As noted above, the addition of 2FA adds some additional security
> guarantees.
>
> Again, KeePass + dropbox is a fine solution as well that doesn't require
> sharing any unencrypted passwords with any cloud services. If there's
> already a shared DropBox account available, I'd recommend that method of
> sharing secrets: it would likely be less expensive, as most cloud password
> managers (including LastPass) charge per-user, per-month.
>
> On Wed, Jan 29, 2020 at 12:04 PM Robin Lee Powell <rlpowell@digitalkingdom.org> wrote:
> >
> > Adding djanatyn as he's offered to help with some stuff.
> >
> > On Wed, Jan 29, 2020 at 04:05:30PM +0300, Gleki Arxokuna wrote:
> > > On Wed, Jan 29, 2020, 13:33 Riley Martinez-Lynch wrote:
> > >
> > > > Ha! I can confirm Robin's assumptions about secrets keeping. I want to be
> > > > clear, though: I remain grateful to Robin for all of the organizational
> > > > work that he has done and continues to do.
> >
> > Oh, I wasn't bothered at all, but thanks.
> >
> > > > I just think that given increasing online security threats, we
> > > > need to adopt some new secret-keeping and sharing practices.
> > > >
> > > > I can't agree with friend Gleki about the use of email for secrets, and
> > > > would kindly request that we not use email to share or store secrets.
> > > >
> > > > I applaud Robin for proposing a solution: I use 1password personally, but
> > > > have also used LastPass, and I think we should consider using one of these
> > > > services or something similar to create a vault for LLG secrets. There will
> > > > be a small monthly charge.
> > > >
> > >
> > > Ok since I don't want to rely on cloud services (LastPass was hacked once
> > > iirc) I would instead rely on conversations with you.
> >
> > So first off, "lastpass was hacked once let's use email" is
> > completely absurd.
> >
> > Secondly, there have never been any breaches in lastpass that have
> > ever resulted in people's passwords being broadly exposed; they've
> > never had a breach that has any effect on anyone who uses a decent
> > master password, let alone anyone who uses 2FA. Well, except the
> > browser plugin clickjacking one, but that was of limited
> > effectiveness and patched basically instantly.
> >
> > Having said that, I'd be perfectly fine with KeePass + dropbox. The
> > advantage there is that we can be absolutely sure that no cloud
> > service has the unencrypted data (because KeePass is a local-only
> > password system); the disadvantage is that the onboarding process
> > would require sharing a single master password with everybody.