From: Gleki Arxokuna
Date: Mon, 10 Feb 2020 07:29:23 +0300
Subject: Re: Storing secrets for Lojban resources.
To: Jonathan Strickland, Gleki Arxokuna, Riley Martinez-Lynch, secretary@lojban.org, president@lojban.org, Robert LeChevalier

Since I'm not authorized to make changes to lojban.org I request removing me from this thread and the list of people with access.

On Mon, Feb 10, 2020, 07:21 Robin Lee Powell <rlpowell@digitalkingdom.org> wrote:
> This is what I'll do unless someone objects soon-ish.
>
> On Sun, Feb 09, 2020 at 03:01:30PM -0500, Jonathan Strickland wrote:
> > Hi all, just chiming in.
> >
> > I don't have the full context here, but I'd strongly advise against the usage of email or shared documents for managing secrets.
> >
> > I'm of the same understanding as Robin here with regards to the security of LastPass. As noted above, the addition of 2FA adds some additional security guarantees.
> >
> > Again, KeePass + dropbox is a fine solution as well that doesn't require sharing any unencrypted passwords with any cloud services. If there's already a shared DropBox account available, I'd recommend that method of sharing secrets: it would likely be less expensive, as most cloud password managers (including LastPass) charge per-user, per-month.
> >
> > On Wed, Jan 29, 2020 at 12:04 PM Robin Lee Powell <rlpowell@digitalkingdom.org> wrote:
> >
> > > Adding djanatyn as he's offered to help with some stuff.
> > >
> > > On Wed, Jan 29, 2020 at 04:05:30PM +0300, Gleki Arxokuna wrote:
> > > > On Wed, Jan 29, 2020, 13:33 Riley Martinez-Lynch <shunpiker@gmail.com> wrote:
> > > >
> > > > > Ha! I can confirm Robin's assumptions about secrets keeping. I want to be clear, though: I remain grateful to Robin for all of the organizational work that he has done and continues to do.
> > >
> > > Oh, I wasn't bothered at all, but thanks.
> > >
> > > > > I just think that given increasing online security threats, we need to adopt some new secret-keeping and sharing practices.
> > > > >
> > > > > I can't agree with friend Gleki about the use of email for secrets, and would kindly request that we not use email to share or store secrets.
> > > > >
> > > > > I applaud Robin for proposing a solution: I use 1password personally, but have also used LastPass, and I think we should consider using one of these services or something similar to create a vault for LLG secrets. There will be a small monthly charge.
> > > > >
> > > >
> > > > Ok since I don't want to rely on cloud services (LastPass was hacked once iirc) I would instead rely on conversations with you.
> > >
> > > So first off, "lastpass was hacked once let's use email" is completely absurd.
> > >
> > > Secondly, there have never been any breaches in lastpass that have ever resulted in people's passwords being broadly exposed; they've never had a breach that has any effect on anyone who uses a decent master password, let alone anyone who uses 2FA. Well, except the browser plugin clickjacking one, but that was of limited effectiveness and patched basically instantly.
> > >
> > > Having said that, I'd be perfectly fine with KeePass + dropbox. The advantage there is that we can be absolutely sure that no cloud service has the unencrypted data (because KeePass is a local-only password system), the disadvantage is that the onboarding process would require sharing a single master password with everybody.