#35
Posted to uk.d-i-y,uk.comp.homebuilt
Theo[_3_]

Storing passwords and associated security questions - X-post

In uk.comp.homebuilt David wrote:
> Something like LastPass is found to have a vulnerability and exploits will
> be all over the place on the web.
>
> If you have an encrypted USB stick (with your own choice of encryption
> software) then you are mainly vulnerable to someone finding/stealing it
> and deciding to brute-force it.
>
> Security by obscurity isn't the greatest approach but it does have some
> advantages.


The thing is, it doesn't gain you very much.

Suppose you put your passwords in a password-protected Excel sheet.
Excel has to decrypt it to show it to you.
That means all your passwords are now in memory, in the clear.

All malware has to do is search through memory for strings like 'password',
'username', 'bank', 'NatWest', etc., and then exfiltrate any text nearby.
It doesn't matter what format they're in; the malware doesn't care.

If you think this is implausible, this is exactly how disc forensics work -
they don't care that the disc claims to be NTFS or FAT or whatever, they
just search the raw bits. Memory forensics is similar.

Basically there is a high risk unless you keep up with the current threat
models, and so it is better to pick an approach which has been carefully
designed and scrutinised.

Theo
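The keyword-anchored memory search Theo describes, as an added example that is not part of the original post: the scanner carves printable runs out of a raw byte image (ASCII and UTF-16LE, since Windows applications frequently hold text in the latter) and reports every run that contains one of the watch-words, regardless of what application produced it. The memory image, the keyword list and the credential values in it are all constructed for this example; nothing here is taken from a real dump.

```python
"""Keyword-anchored string carving over a raw memory image.

Added example, not from the original post. The image below is constructed:
it imitates a password spreadsheet that has been decrypted into a process's
memory, surrounded by unrelated binary noise.
"""
import re
from typing import Iterator, List, NamedTuple, Tuple

# Watch-words an attacker (or a forensic analyst) might anchor on. Constructed.
KEYWORDS = ("password", "username", "bank", "natwest")

# Constructed memory image. Mixed encodings on purpose: the decrypted sheet
# is plain ASCII, a second fragment is UTF-16LE, and neither carries any
# file-format framing. All credential values are made up.
SAMPLE_MEMORY = (
    b"\x00" * 64
    + b"\x7fELF\x02\x01\x01" + b"\x00" * 9                      # binary noise
    + b"Site,Username,Password\nNatWest,jsmith,Tr0ub4dor&3\n"   # decrypted sheet
    + b"\x90\x90\xcc\xcc" * 8                                   # more noise
    + "bank login: hunter2".encode("utf-16-le")                 # UTF-16LE text
    + b"\xff\xfe\x00\x00"
    + b"nothing to see here\n"                                  # harmless text
)


class Hit(NamedTuple):
    offset: int                 # byte offset of the run inside the image
    encoding: str               # "ascii" or "utf-16-le"
    keywords: Tuple[str, ...]   # every watch-word found in the run
    text: str                   # the decoded printable run (the "nearby text")


# A printable run is 4+ consecutive printable bytes (tabs/newlines allowed so a
# multi-line table stays in one run), or 4+ printable chars each followed by a
# NUL byte, which is what ASCII text looks like when stored as UTF-16LE.
_ASCII_RUN = re.compile(rb"[\x20-\x7e\t\n\r]{4,}")
_UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def printable_runs(image: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable run in the image."""
    for m in _ASCII_RUN.finditer(image):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in _UTF16LE_RUN.finditer(image):
        yield m.start(), "utf-16-le", m.group().decode("utf-16-le")


def carve(image: bytes, keywords: Tuple[str, ...] = KEYWORDS) -> List[Hit]:
    """Return every printable run that mentions at least one watch-word.

    Matching is case-insensitive and format-agnostic: the scanner never
    parses a spreadsheet, a database or anything else, it just reads bytes.
    """
    hits: List[Hit] = []
    for offset, encoding, text in printable_runs(image):
        lowered = text.lower()
        found = tuple(kw for kw in keywords if kw in lowered)
        if found:
            hits.append(Hit(offset, encoding, found, text))
    return sorted(hits)


if __name__ == "__main__":
    for hit in carve(SAMPLE_MEMORY):
        print(f"0x{hit.offset:06x} [{hit.encoding}] {hit.keywords}")
        print("    " + hit.text.replace("\n", "\\n"))
```

Run it against a real process dump (for instance the output of a `/proc/<pid>/mem` read or a minidump) by replacing SAMPLE_MEMORY with the file's bytes; the hit list is the same kind of "text near a keyword" that the post says malware would exfiltrate, and the same thing a memory-forensics string search turns up.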