Encryption
WorthToLive, 2020-02-23 03:41:02

How to implement a system for storing and using passwords?

System characteristics:
Two methods of authorization in the system:
1) Using a USB token with a built-in keyboard to enter a PIN code to log in to your LastPass account (or a similar password manager).
This method will be the main one. It must be safe to use on public computers. It is desirable that there be no need to install additional programs on the computer being used.
2) Using a master key to log in to LastPass (or a similar password manager).
This method is optional. It is used only on trusted computers or when the USB token is lost.
Tell me how this could be roughly implemented and what the weaknesses of such a system are.


2 answers
Armenian Radio, 2020-02-23
@gbg

A "stranger's computer without drivers" will gladly steal your password from the token on the way to its input field in LastPass.

Alex, 2020-02-23
@asilonos

If this is for yourself, then buy yourself a laptop and set up a virtual machine on it where you will use LastPass in an isolated environment.
There is a lot of malware hunting for LastPass now. Therefore, if you store, for example, logins and passwords for banking (finance), then it is better to hide them in a trusted environment (a virtual machine) where a single browser is installed for accessing sites. In this virtual machine, it is better not to open Word or PDF files.
Well, if you still want a USB flash drive with a password, fine, OK. But the contents of the flash drive should be backed up, right? How and where will you do that? If this issue is not resolved, there is a big risk of losing everything.
In general, this kind of risk model should now be designed taking into account the "Zero Trust" methodology, i.e. we must proceed from the assumption that LastPass will let you down: passwords will "leak" sooner or later (or they will disappear, no matter how, whether you lose a USB flash drive or a master access key). Then it is more important to foresee: how quickly can I block logins, reset them, restore them? What harm can be done to me if the Evil Hacker gets access to my Gmail account? How do I find out about it? How do I minimize this damage?
