For me it comes down to a basic risk decision, once you can get your brain past the psychology of risk (our brains are fundamentally flawed when it comes to calculating risk).

Online password manager like LastPass, which on the surface sounds like a really bad idea:
Impact is high for compromise since they have all my credentials, mitigated somewhat by their use of encryption. I also use robust two-factor auth with the service, so credential harvesting attacks against my LastPass account would be somewhat ineffective.
Likelihood is fairly low given their effective security posture and excellent incident response.

Password reuse for all sites:
Impact is very high since a single compromise means all my sites are compromised.
Likelihood is very high since any one of the sites I frequent can lead to compromise.

Use a different password for each site and manage them myself in a TrueCrypt-protected data file:
Definitely the most secure option, but yeah, that's too much work, especially given the wide variety of platforms I utilize. LastPass works on every platform I commonly use. After all, I'm a user too. Guess which option I choose? Is it perfect? No, but I think it's the best combination of security + usability.

I think we could probably diverge the discussion onto how usable security solutions that are technically less secure are in actuality more secure than their more rigorous and less usable counterparts, because users will comply and not seek to subvert the controls due to complexity or inconvenience. Generally speaking, of course; Swiss cheese is still Swiss cheese.

BTW, I'm not advocating this for enterprise usage. I still think an internally managed product like Cyber-Ark or something similar is a good fit, but that's out of my personal budget. For $12/year, LastPass Premium service fits the bill nicely for my personal stuff.
Last edited by tturner on Wed Feb 08, 2012 8:57 am, edited 1 time in total.
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP
WIP: Vendor WAF stuff
http://sentinel24.com/blog