
SoylentNews is people

posted by mrpg on Friday June 18 2021, @09:00AM
from the 00aa23e67f100945c87d19e4012f dept.

WSJ: What Keeps People From Using Password Managers?

No pay wall: https://archive.is/HCtcT

Many of us are vulnerable to hackers and eager to secure our online accounts, but lots of us also refuse to use an obvious solution: password managers.

Why? Our research has found that the typical reassurances and promises about password managers just don’t work. Fortunately, our research also suggests there are strategies that can persuade people to get past the psychological barriers and keep their data safe.

[...] In a study I conducted with my Ph.D. student Norah Alkaldi, we found that the two most common methods of persuasion were ineffective in getting people to adopt password managers. The first is the “push” approach—the idea that by showing people the dangers of using simple passwords, recording passwords on their computer or using the same passwords at different sites, we would push them to adopt a safer approach. Users, we found, don’t respond to the push strategy.

[...] The other, “pull,” approach—focusing on the positives of password managers—didn’t deliver any better results.

[...] We discovered two types of “mooring factors” that keep people from changing their behavior.

[...] First, there was the effort required to enter all your passwords into the password manager.

[...] People also fear they will lose all their passwords if they forget their master password.


  • (Score: 5, Insightful) by turgid on Friday June 18 2021, @09:18AM (18 children)

    by turgid (4318) Subscriber Badge on Friday June 18 2021, @09:18AM (#1146893) Journal

    If the password manager gets cracked, then presumably so do all of your passwords? Or at least your authentication tokens. Password managers are software. Show me a 100% secure piece of software.

    • (Score: 0) by Anonymous Coward on Friday June 18 2021, @09:30AM (6 children)

      by Anonymous Coward on Friday June 18 2021, @09:30AM (#1146896)

      main(){}

      • (Score: 5, Funny) by Anonymous Coward on Friday June 18 2021, @09:57AM (1 child)

        by Anonymous Coward on Friday June 18 2021, @09:57AM (#1146901)

        Compile it with VC++ and it will have bugs.

        • (Score: 0) by Anonymous Coward on Saturday June 19 2021, @01:18AM

          by Anonymous Coward on Saturday June 19 2021, @01:18AM (#1147198)

          You mean it might actually do something useful?

      • (Score: 4, Insightful) by maxwell demon on Friday June 18 2021, @07:35PM (3 children)

        by maxwell demon (1608) Subscriber Badge on Friday June 18 2021, @07:35PM (#1147099) Journal

        This program has undefined behaviour because the main function has no return statement.

        The program clearly is C90, as C99 as well as C++ don't allow to omit the return type. In C90, the omitted return type is implicitly int. And while both C99 and C++ generate an implicit return 0 statement in main if no explicit return statement is given, C90 does not do so. And a function with non-void return type that reaches the end of the function without an explicit return statement has undefined behaviour.

        In practice, this code will “just” give some arbitrary exit code, and therefore will appear to work as long as you don't use it in well-written shell scripts or batch files that check for errors on their called programs (and it is, of course, possible that it just happens to give the exit code 0 by chance).

        It is unlikely, but not completely inconceivable that this program is used by a shell script that will break due to the arbitrary exit code, and do so in a way that is exploitable.

        So yes, this program might cause a security vulnerability.

        --
        The Tao of math: The numbers you can count are not the real numbers.

        • (Score: 0) by Anonymous Coward on Friday June 18 2021, @11:22PM (1 child)

          by Anonymous Coward on Friday June 18 2021, @11:22PM (#1147174)

          The main function has special treatment even before C99. Even if shell scripts have bugs in the face of an arbitrary integer being returned to the host environment, that is hardly a bug in the code.

          • (Score: 0) by Anonymous Coward on Saturday June 19 2021, @01:20AM

            by Anonymous Coward on Saturday June 19 2021, @01:20AM (#1147199)

            Documentation error, not a bug. Do not rely on the return code.

        • (Score: 0) by Anonymous Coward on Saturday June 19 2021, @01:30AM

          by Anonymous Coward on Saturday June 19 2021, @01:30AM (#1147204)

          Don't invite this guy to your party.

    • (Score: 5, Insightful) by Anonymous Coward on Friday June 18 2021, @10:14AM (3 children)

      by Anonymous Coward on Friday June 18 2021, @10:14AM (#1146906)

      Yep. Can't use a password manager from anywhere except where you have it installed. If it breaks, you're hosed. If they're only stored locally, you can lose them all if your computer dies. If they're stored remotely, a data breach will reveal all your passwords. If stored remotely but encrypted with your master password, forgetting the master password locks you out.

      Password managers just aren't a solution. They solve some problems and cause others. They are probably better in corporate environments where you can go to IT and have them fix everything when the password manager fails, as opposed to personal use where you have to chase down 1000 different systems yourself.

      The psychological resistance comes from "thing under my control" (remember passwords) vs "thing not under my control" (password manager). Even if the thing not under your control is better on average, people don't want it. It is a little like self driving cars, lots of people just don't want them, period.

      Everyone requiring stupid passwords that can't be remembered just makes everything worse. xkcd passwords are easier, but still probably would be forgotten if used rarely.

      I'm a big fan of "log in with X service" - sure, it sucks to have more things depending on Google or Facebook, but it reduces the number of passwords and for most stuff it's completely adequate security - even the privacy is better than you'd expect.

      • (Score: 0) by Anonymous Coward on Friday June 18 2021, @10:49AM (1 child)

        by Anonymous Coward on Friday June 18 2021, @10:49AM (#1146909)

        And if you keep it locally and/or on removable media and/or remotely you have to keep them all synced.

      • (Score: 0) by Anonymous Coward on Friday June 18 2021, @05:30PM

        by Anonymous Coward on Friday June 18 2021, @05:30PM (#1147043)

        You have a lot of good points. I use a password manager, though.

        I only use passwords on my computer at home, never on a mobile phone. If my computer breaks, that's why I have daily, monthly, and semi-yearly backups on separate USB hard drives stored in different locations. I store my passwords locally only, so I only have to worry about someone breaking into my computer, not some server somewhere. I've remembered my master password for many years now, and it's really in muscle memory by now.

        The point is, for my use case a password manager is a good balance between risk and reward. My email does indeed show up on haveibeenpwned as part of several sites' data breaches, but the only thing I've lost thus far is that site's password... which I just change, because it's not used anywhere else so can't be used anywhere else.

        As for "log in with x" services, I will never knowingly use anything from Google or Facebook (I even block google fonts). They are simply evil and anyone who trusts them is mad, IMHO.

    • (Score: 5, Insightful) by MIRV888 on Friday June 18 2021, @03:41PM (4 children)

      by MIRV888 (11376) on Friday June 18 2021, @03:41PM (#1146982)

      All your eggs in one basket. That seems like a bad idea to me.

      • (Score: 5, Funny) by looorg on Friday June 18 2021, @03:45PM (3 children)

        by looorg (578) on Friday June 18 2021, @03:45PM (#1146984)

        Ah but what if you use two (or more) different password managers. You can even have one manager to manage the other managers. Now we are cookin'

        • (Score: 5, Funny) by Anonymous Coward on Friday June 18 2021, @07:41PM (1 child)

          by Anonymous Coward on Friday June 18 2021, @07:41PM (#1147103)

          I use a different password manager for every password.

          You can never be too safe

          • (Score: 0) by Anonymous Coward on Saturday June 19 2021, @01:21AM

            by Anonymous Coward on Saturday June 19 2021, @01:21AM (#1147201)

            I post as AC on every site, I don't have any passwords.

        • (Score: 2, Funny) by nitehawk214 on Saturday June 19 2021, @03:59PM

          by nitehawk214 (1304) on Saturday June 19 2021, @03:59PM (#1147298)

          And put the passwords for the password managers in the other password manager!

          --
          "Don't you ever miss the days when you used to be nostalgic?" -Loiosh

    • (Score: 1) by nitehawk214 on Saturday June 19 2021, @03:48PM (1 child)

      by nitehawk214 (1304) on Saturday June 19 2021, @03:48PM (#1147296)

      What is more likely, a password manager getting cracked, or someone using the same or similar passwords across 20 sites and one of those 20 getting cracked?

      --
      "Don't you ever miss the days when you used to be nostalgic?" -Loiosh

      • (Score: 0) by Anonymous Coward on Sunday June 20 2021, @03:13PM

        by Anonymous Coward on Sunday June 20 2021, @03:13PM (#1147501)

        That's kind of the issue, with the ridiculous number of accounts and passwords that people get pressured into making, there's only a few strategies possible. Reuse the same password or store them either electronically or physically being the main ones. My password manager has several hundred total entries.

        I personally opt to use a locally installed password manager and worry about backup/synchronizing separately, but I couldn't have decent passwords for all those sites without a manager and I couldn't come back years later if I needed to either.

  • (Score: 5, Insightful) by Rich on Friday June 18 2021, @09:42AM (6 children)

    by Rich (945) on Friday June 18 2021, @09:42AM (#1146899) Journal

    A simple password manager on a computer can be easily compromised by malware. If there is hardware in the box involved, with buzzwords like "secure enclave", someone else really holds the keys. In both cases whoever provides system updates will be able to fish off the entire set. (They could also install a keylogger, but that has a higher visibility profile and is more effort).

    For casual online security, nothing that's on the box beats a piece of paper next to the box, possibly with slight extra security measures. Breaking into your house to obtain that has a really high threshold.

    I could live with a decent USB keyboard emulation dongle, though. A little display, an encoder for choosing, plus OK/Cancel button. Just had a look around and there is nothing decent on the web. There's an apparently failed product, "Zamek", and another vaporware "Mooltipass" (which comes pretty close, but has extra smartcard/PIN locking). However, for an acceptable level of paranoia, such a thing would have to come as a kit with FLOSS firmware, where you can source your generic microcontroller, and flash it with a self-compiled image. :)

    • (Score: 5, Interesting) by RamiK on Friday June 18 2021, @11:35AM

      by RamiK (1813) on Friday June 18 2021, @11:35AM (#1146914)

    • (Score: 2, Interesting) by Anonymous Coward on Friday June 18 2021, @02:10PM (1 child)

      by Anonymous Coward on Friday June 18 2021, @02:10PM (#1146948)

      I use the “piece of paper next to computer” idea - my very long and ugly passwords all contain a special character which gets replaced by a memorized set of 8 characters when typing in a password to a website so if someone does take or photograph my password sheet, I’ll have some time to change the passwords

      Passwords are typed on an offline computer and I save that encrypted file in safe deposit boxes

      • (Score: 0) by Anonymous Coward on Friday June 18 2021, @02:15PM

        by Anonymous Coward on Friday June 18 2021, @02:15PM (#1146950)

        Replace:
        Passwords are typed on
        With:
        Password sheets are typed and printed with

    • (Score: 5, Informative) by edIII on Friday June 18 2021, @11:47PM (2 children)

      by edIII (791) on Friday June 18 2021, @11:47PM (#1147179)

      I don't think people should be coming up with passwords, other than the master password, and even then, not all of it. My master password is a combination of high-entropy noise plus a couple of phrases. All chained together for 60-90 characters.

      My own "password manager" is a VeraCrypt container in multiple levels with dummy passwords I leave out in the open. I print it and leave it inside my desk, or under the keyboard. Then if somebody finds the VeraCrypt file they will open it up and get a whole bunch of what appears to be security credentials and confidential data.

      The real password to the container is contained elsewhere as a physical backup, but not in an easy or even intuitive place, nor does it readily appear as a contiguous password. It's more or less a hint just for me in multiple parts as a backup for my memory as I get older.

      Inside the container are a bunch of SSH keys, passwords, and scripts. I run the scripts to open shells on remote systems, and display passwords for websites and other systems. I then use copy/paste, which I realize isn't the most secure way to do it. Requires a lot of trust in the machine, which is why I like using virtual throw-away systems. So I'm pushing the security credentials from a higher system into a lower system, so to speak. When I'm done, the lower system is destroyed and doesn't retain anything.

      When I need a new password, or to regenerate one, I use cryptographically secure methods of generating high-entropy passwords.

      openssl rand -base64 12

      I take that and pipe it to a file that records the security credentials. I treat all security questions as just another field needing high-entropy noise.

      Ironically, all of that is heavily compromised by the fact anybody can request a new password with the ubiquitous forgot-my-password process. So in the end my passwords are only as secure as my email systems. The moral of that story is that passwords alone, no matter how they are stored, are crap.

      All websites and systems that use passwords need 2FA or rotating OTP codes similar to the way Google does it. If I want to reset my password, then I need to take one of X number of codes and use it in conjunction with 2FA and email verification (verification I can access X system).

      --
      Technically, lunchtime is at any moment. It's just a wave function.

      • (Score: 1, Funny) by Anonymous Coward on Saturday June 19 2021, @01:23AM

        by Anonymous Coward on Saturday June 19 2021, @01:23AM (#1147202)

        > I treat all security questions as just another field needing high-entropy noise.

        You mean your favorite animal when you were 12 was not a 5aff8f2tthhcFR2f00?

      • (Score: 2) by Rich on Saturday June 19 2021, @02:24AM

        by Rich (945) on Saturday June 19 2021, @02:24AM (#1147218) Journal

        > Then if somebody finds the VeraCrypt file they will open it up and get a whole bunch of what appears to be security credentials and confidential data. The real password to the container is contained elsewhere as a physical backup

        You lost me there. I had to read that twice before (I think) I understood it. Point is, you have an elaborate process for your credentials that is way over the head of common users and even for people with security knowledge is rather inconvenient. But even having to look up a sufficiently safe password from a piece of paper and typing it is inconvenient enough.

        The corporate people work around that with smartcards that have to be put into the keyboard to authorize the user, but again, that relies on the hosting machine being uncompromised - if it is, every kind of nasty shit can be done behind your back, and with your genuine authentication.

        The TFA smartphone banking apps have a somewhat sensible process. Whatever is supposed to be done (e.g. a transfer) shows up on the phone and then has to be unlocked with a simple PIN or password. Still, a dedicated attacker could compromise both devices and send your savings to Fraudistan.

        For a solidly secure process, the device holding the password would need to be so trivial that it is free from attack vectors. That means a microcontroller with limited storage that ideally has shown over years that it resists simple hardware attacks like glitching. It would delete its volatile contents upon tamper attempts, but there would be a printable backup that could be typed in from paper, a bit like the hex dumps of old gaming magazines. Restoring will be inconvenient, but it is a guard against loss or catastrophic digital failures. Another paper will contain a simple 128-bit master key that can NOT be printed and has to be handwritten. Passwords will (usually) be generated by the device.

        The device has to look (somewhat?) like I described in the thread start, but it has to be rugged, so it can be carried on a physical keychain, much like a house or car key. USB might work, but a MagSafe-like attachment to a little cradle would be more convenient. No radio functions, because of paranoia. Key or cradle would annoyingly beep when the computer is shut down and the key is forgotten. So while you are at the machine, all you have to do is acknowledge TFA requests with a button push, or for typed passwords dial to the target and push the button. If a work session is over or times out, or whatever, you have to once enter the pin. (Assuming an encoder wheel, there would be two or three numbers from 00 to 99, which could be quickly hit; this would avoid having a keyboard on the device. The alternative would be a keyboard with such a device built-in (SO close: https://www.youtube.com/watch?v=vOa5-NTIvZ8 [youtube.com] gg. Feasibility could be tested with a RasPi 400 or a USB converter for an old PS/2 model M with a little display hooked up. Nice Arduino project idea...)

        Short of such a device, I don't see a sensibly secure and convenient solution. One might try to simulate the device at kernel level. Re-do the keyboard driver, so no one outside has direct control over NumLock and CapsLock. Detect a key combination that "launches" the device (or maybe respond to TFA). When that happens, NumLock and CapsLock flash alternatingly (like old airport boarding signs, and that is suppressed in a way that other software can't do exactly that). You'd have hardware verification that a request is legit, but then safety gets into the realm of an ordinary well done password manager that runs as root.

  • (Score: 3, Interesting) by looorg on Friday June 18 2021, @09:42AM (2 children)

    by looorg (578) on Friday June 18 2021, @09:42AM (#1146900)

    I am not demented (yet) so I can remember my password(s). There really are not that many of them that I care about. For all the other accounts I mostly just type whatever password, then I forget about it. If I ever have to login again for some reason I just request a password reset from the system. That way the only password I have to keep secure and remember is the one for my email. Remembering one password isn't that hard. Totally within my grasp, for the most part.

    That said I find it somewhat idiotic that corporations and government are pushing password security to the user. They should know by now that users are the weakest link. So for them to rely on passwords alone is bad at best. That they make you follow various patterns or include various characters, numbers, lower case, upper case etc is just padding for an insecure system.

    • (Score: 0) by Anonymous Coward on Friday June 18 2021, @02:26PM

      by Anonymous Coward on Friday June 18 2021, @02:26PM (#1146957)

      > That they make you follow various patterns or include various characters, numbers, lower case, upper case etc is just padding for an insecure system.

      That’s to make the password brute force proof. Which is exactly where a password manager can help out, it generates secure passwords automatically and you don’t even attempt to remember it, the password manager remembers it. As an added benefit, you never have to type a login manually, the password manager types it for you. Password managers are similar to microwave ovens when they first came out; at first you don’t see the point, until you try it and use it, it then becomes essential.

    • (Score: 3, Insightful) by bzipitidoo on Friday June 18 2021, @11:01PM

      by bzipitidoo (4388) Subscriber Badge on Friday June 18 2021, @11:01PM (#1147168) Journal

      So your email account is your password manager?

  • (Score: 0, Disagree) by Anonymous Coward on Friday June 18 2021, @10:07AM (4 children)

    by Anonymous Coward on Friday June 18 2021, @10:07AM (#1146904)

    Password managers are useless. If you don't want to remember passwords, there are many better solutions...

    • (Score: 2, Interesting) by Anonymous Coward on Friday June 18 2021, @01:32PM (1 child)

      by Anonymous Coward on Friday June 18 2021, @01:32PM (#1146936)

      The easiest solution is not to use passwords. Obviously works for me - not logged in, don't need a password.

      Passwords for internet banking? I don't use the internet to bank - problem solved.

      Web mail passwords? I don't use webmail. Problem solved. If you know me, you can text me. If you don't know me, I don't want to hear from you anyway. I already know hundreds of people (maybe 1,000). So why would I need social media and social media passwords?

      My phone? No password. But it's always in my pocket if it's not charging or in my hands. Don't have to futz with finger print readers or facial recognition in rain, snow, or -30° weather.

      Taxes, etc? Snail mail.

      Well, gotta go, I have a life that is too damn busy to waste much time on the shitternet. Try doing a digital detox for a month. You'll probably dump most of your accounts that require passwords.

      • (Score: 0) by Anonymous Coward on Saturday June 19 2021, @01:25AM

        by Anonymous Coward on Saturday June 19 2021, @01:25AM (#1147203)

        See you in a month, I guess. Thank for dropping in.

    • (Score: 2) by MIRV888 on Friday June 18 2021, @03:44PM (1 child)

      by MIRV888 (11376) on Friday June 18 2021, @03:44PM (#1146983)

      A piece of paper kept in a lock box is extremely difficult to hack.

      • (Score: 1, Funny) by Anonymous Coward on Friday June 18 2021, @04:26PM

        by Anonymous Coward on Friday June 18 2021, @04:26PM (#1147007)

        Unless you purchase a $3 hacksaw.

  • (Score: 0) by Anonymous Coward on Friday June 18 2021, @10:58AM

    by Anonymous Coward on Friday June 18 2021, @10:58AM (#1146910)

    First, it is a single point of failure. Password bases are usually stored in some backups - so theoretically there is a reliability protection in a backup and security protection - in manager's encryption.
    However, with current state of PCs and code execution on rings -1 and -2, the encryption is questionable. Simultaneously reliability protection starts working against the security.
    Additionally, using the clipboard to move passwords is at least irresponsible.
    What instead? The solution seems to be simple - just use system-wide driver for input device, this is a bit better in security, but the best would be to just thunk into form processing code. It was certainly possible in earlier Windows, as these all debugging tools could inspect other program's forms, but now it looks like it is forgotten. Even with many browsers being open source.

  • (Score: 3, Flamebait) by dltaylor on Friday June 18 2021, @11:13AM (5 children)

    by dltaylor (4693) on Friday June 18 2021, @11:13AM (#1146912)

    Are we emulating the "other" site now, doing market research for a possible product?

    All of the listed reasons are, by themselves, sufficient; in aggregate, a full-on condemnation.

    The master password is both a single point of failure for security and user access. If cracked, all logins are compromised, if misplaced/forgotten users can't access their data.

    Data entry on the master is a pain, both for the initial set and for updates.

    Maybe, if your persuasion is not working, that is a clue that the idea is not strong enough, so you should just quit and work on a different idea.

    • (Score: 4, Informative) by martyb on Friday June 18 2021, @12:42PM (3 children)

      by martyb (76) Subscriber Badge on Friday June 18 2021, @12:42PM (#1146923) Journal

      > Are we emulating the "other" site now, doing market research for a possible product?

      No!

      We never have. Period. And I cannot imagine a case where that would even be proposed.

      Remember "Buck Feta"?

      Further, at the time SoylentNews got started, there was some discussion among staff of possibly offering something like a single static banner advertisement on the main page as a way of financing the site... that discussion lasted for maybe a week or two and was soundly rejected as a possibility.

      It was decided that, rather than trying to make a profit and pay staff for their efforts, we would remain a purely volunteer organization and rely entirely on voluntary subscriptions to the site. That's been working for us for 7+ years!

      community++ !!!

      --
      Wit is intellect, dancing.

      • (Score: 1, Insightful) by Anonymous Coward on Friday June 18 2021, @01:36PM (2 children)

        by Anonymous Coward on Friday June 18 2021, @01:36PM (#1146937)

        It shouldn't have been a binary choice. A single banner ad, with the option to hide it from view, would have allowed users to choose to support the site by viewing that single ad. Most people are ad-blind anyway.

        • (Score: 5, Informative) by martyb on Friday June 18 2021, @02:11PM (1 child)

          by martyb (76) Subscriber Badge on Friday June 18 2021, @02:11PM (#1146949) Journal

          > It shouldn't have been a binary choice. A single banner ad, with the option to hide it from view, would have allowed users to choose to support the site by viewing that single ad. Most people are ad-blind anyway.

          Excellent point.

          Except then there comes the hassle of contacting companies to sell the ad space to them, or to sign up with an agency and the need for ongoing communications with them to keep it all up and running. These days, with how ad rates have plummeted and given our site activity level, any income we might receive for static ads would be negligible. Then again, that leads to overhead for people's time to actually operate a "sales function" and tracing sales, and profits, and reporting on taxes, and so on. It is a non-trivial and time-taking effort. Again, the potential income would be marginal compared to the work required to set up and operate a system. And that is ignoring how many ads would be blocked by the community! I know I would block them! Ads were deemed "Not. Worth. It."

          Further, by NOT running ads, we retain our actual and perceived independence of the stories we run on the site.

          Remember when slashdot seemed to run a story each week about bitcoin? I have no proof, but I do have strong suspicions, that they were mining bitcoin on their servers using spare computes. Think of how many nerds would follow a link and "slashdot (v.)" a site listed in a story. Slashdot had to survive slashdotting *themselves* with their *own* servers being hammered by nerds with high-speed connections. So they had to handle a high peak load... and had computes to spare during "off hours" (think: nighttime in the US).

          Like I said, I have no proof, but I see too strong a correlation to think otherwise. Thus, their journalistic independence was cast into doubt.

          tl;dr: non-trivial overhead, minimal income, and a hit on our perceived and actual independence... seems to me to be not worth it.

          --
          Wit is intellect, dancing.

          • (Score: 0) by Anonymous Coward on Saturday June 19 2021, @06:39AM

            by Anonymous Coward on Saturday June 19 2021, @06:39AM (#1147251)

            Not to mention, us AC shitheads would rip it mercilessly. Rightly.

    • (Score: 0) by Anonymous Coward on Friday June 18 2021, @12:46PM

      by Anonymous Coward on Friday June 18 2021, @12:46PM (#1146924)

      > Maybe, if your persuasion is not working, that is a clue that the idea is not strong enough, so you should just quit and work on a different idea.

      I have been using PwdHash [github.io] since I first read about it. Judging from the date on the website, that was probably in 2006. It takes the web address and an inputted password and generates a unique hash to use as that site's password. Unfortunately it has not been developed in a number of years, so it is showing its age. In particular, the hashes are intentionally crippled to try and be as universally valid with the terribly restrictive password requirements of the time. I have seen a few other versions of this idea when installing the Android version for use on mobile, but that is a lot of inertia to overcome for me, so I have not checked out if they are any better. I also managed to get locked out of a banking site after their upgrade included a URL migration.
      I always try and hijack Password Manager discussions to include password hashing as I believe it to be a much more sensible solution, especially if asinine password restrictions get sorted out (looking at you Android).
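The per-site hashing idea in the comment above, as an added example written for this page. It is not PwdHash's own code or algorithm (PwdHash's actual scheme is not reproduced here): the derivation uses PBKDF2-HMAC-SHA256 with the site's host name as salt, the iteration count, the 64-symbol output alphabet, the host normalisation rules and the optional alias map are all assumptions made for the example. The alias map is there for the second failure mode the comment mentions, a site whose host name changes: without it the derived password changes too, and the user is locked out.

```python
import hashlib
import string
from typing import Optional
from urllib.parse import urlsplit

# 64-symbol alphabet: each 6-bit value maps to exactly one symbol, so taking
# (byte & 0x3F) introduces no modulo bias. "-" and "_" were picked for this
# example as symbols most password policies accept; that is an assumption.
ALPHABET = string.ascii_letters + string.digits + "-_"
assert len(ALPHABET) == 64
# Character classes a typical "must contain ..." policy asks for.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "-_")
ITERATIONS = 200_000  # PBKDF2 work factor chosen for this example


def site_key(url: str, aliases: Optional[dict] = None) -> str:
    """Reduce a URL to the host name that salts the derivation.

    Policy (an assumption for this example): lower-case the host, drop a
    leading "www.", ignore scheme, port, path and query. `aliases` maps a
    renamed host back to the name it was registered under, so a site's URL
    migration does not silently change the password derived for it.
    """
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    if aliases:
        host = aliases.get(host, host)
    return host


def derive_site_password(master: str, url: str, length: int = 16,
                         aliases: Optional[dict] = None) -> str:
    """Deterministic per-site password from the master secret and site key."""
    if length < len(CLASSES):
        raise ValueError("length must fit one character of every class")
    salt = b"site-password-v1:" + site_key(url, aliases).encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS,
                              dklen=length)
    chars = [ALPHABET[b & 0x3F] for b in raw]
    # Deterministic repair so every policy class is present: pass i writes a
    # character of the first still-missing class at position i. A position,
    # once written, is never touched again, so each pass adds one class for
    # good and at most len(CLASSES) passes are needed.
    for pos in range(len(CLASSES)):
        missing = [c for c in CLASSES if not any(ch in c for ch in chars)]
        if not missing:
            break
        chars[pos] = missing[0][raw[pos] % len(missing[0])]
    return "".join(chars)


def satisfies_policy(password: str) -> bool:
    """True when the password contains at least one character of every class."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


if __name__ == "__main__":
    # Constructed sample input: a master secret and two spellings of one site.
    for u in ("https://www.Example.com/login?next=/", "example.com"):
        print(u, "->", derive_site_password("correct horse battery", u))
```

The repair step is what makes the output "universally valid" without throwing entropy away wholesale: only the positions that had to change lose their random character, and the change is a pure function of the derived bytes, so the same master secret and site always yield the same password.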

  • (Score: 0) by Anonymous Coward on Friday June 18 2021, @11:27AM (2 children)

    by Anonymous Coward on Friday June 18 2021, @11:27AM (#1146913)

    Don't need a graduate student to solve the above equation.

    • (Score: 0) by Anonymous Coward on Friday June 18 2021, @01:40PM (1 child)

      by Anonymous Coward on Friday June 18 2021, @01:40PM (#1146938)

      What's a "poeple"? https://www.urbandictionary.com/define.php?term=poeple [urbandictionary.com]

      typo of the word people made by people who type too fast and don't reread the FREAKIN' WORK!!! (because who cares?)

      Maybe I can get a government research grant to study "poeple?"

      • (Score: 0) by Anonymous Coward on Friday June 18 2021, @03:09PM

        by Anonymous Coward on Friday June 18 2021, @03:09PM (#1146966)

        Maybe OP is dyslexic, you insesnitive clod.

  • (Score: 2, Insightful) by Anonymous Coward on Friday June 18 2021, @01:06PM (1 child)

    by Anonymous Coward on Friday June 18 2021, @01:06PM (#1146928)

    The moment you put your data in the hands of another person, it's no longer your data. If the PWM stores your passwords "in the cloud" then they won't stay only yours for very long. If the PWM keeps them entirely local then *maybe* you can start to trust it, right up until it decides you aren't you & no longer deserve access to your data any longer.
    Create a plain text file of the name of the service to which you are signing up. Like "ExampleSiteDotCom.txt". Inside the file give the full URL to the site main page. Include the UN & PW you used to sign up. Instead of using your real PII, use entirely fake PII specific to that site, so if said PII gets "leaked" you will know *exactly* whom leaked it. Record all those fake PII answers in said file. Real name? Throatwarbler Mangrove. Real DOB? January 1st, 1800. Real mailing address? 2021 Greedy Putz Place, Beverly Hills, California 90210. Real phone number? (202) 911-5150. etc etc etc.
    If the site demands a credit card, go out & grab a PayAsYouGo card from somewhere, give it a balance of a few dollars, & use that card *only* for that specific site. If the management site reports that someone tried to charge a giant bill to it, you know *exactly* whom to blame for the "leak". You are also NOT rendered bankrupt by the site's inability to do actual security. You are out the balance on the card & not a penny more. If and only if the site service is one that you enjoy, keep topping off the card to cover whatever recurring charges the service demands. As long as they keep doing things right, you keep the card going. But if they screw up & try to screw you over, simply stop topping up the card & give them TheFinger. They don't have your real name, they don't have your real financial data, they're up a creek as far as proving the account belongs to you.
    Once you've recorded all the security questions & fake answers, once all the fake PII is in the file, then save the file & stick it in a directory of the name of the site. Every time you have to deal with the site, add a "---" line to the bottom of the text file, drop in the date & time, and write a note to describe said interaction. Emails from them get dumped into the folder as well. This keeps a running record of everything to do with said site. Maintain the folder for as long as you keep records at all. If something happens a decade from now, you can simply check the main folder, find the folder with the site name, & get reminded of everything up to that point.
    Keep that folder (and all other folders with real PII accounts) on a USB key that you encrypt. You need only remember the main encrypt key to access the files stored on the key, at which point everything is in plain text. Make a backup copy to long term archival storage on a local HDD. Store the encryption key in a different file so it's not obvious.
    There. You've just left yourself a reminder about every site you've registered at, the UN & PW needed to log in, all the security questions & fake PII used to register, and a running log of all interactions with said service. Write the name of the service on the PAYG card & leave it in a drawer. You never want to use it for anything else, so no point in leaving it on your person. And it's all stored locally, stays under your control, & remains entirely your own data.
    Now if you'll pardon me, I'll go register for something & claim to be a 500 year old Hungarian ambidextrous, androgynous, hermaphrodite, lesbian, Jewish, techno polka player with neon green hair so as to screw with their heads. =-D

    • (Score: 0) by Anonymous Coward on Saturday June 19 2021, @04:21PM

      by Anonymous Coward on Saturday June 19 2021, @04:21PM (#1147302)

      Create a plain text file of the name of the service to which you are signing up. Like "ExampleSiteDotCom.txt". Inside the file give the full URL to the site main page.

      At about the 200-300th site login, this was the conclusion I came to as well. Aside from a handful of actually important passwords, the majority simply have to be offloaded to a piece of paper, or file, or just constantly re-used.

      Sites and services don't integrate with password managers, and those are specific to machines. Trusting your phone with anything is for fools. Every service and site under the sun now, including an increasing number of sites and apps for utilities and rl services that never needed the internet before, now demand logins and emails and passwords and the whole thing is completely out of control with no end in sight.

      It doesn't have to be like this. .ssh file and scripts work and work well for server administration, with multiple methods of mitigating risk.
      But of course no website or app will ever subscribe to such an open framework, because Big Tech SV is above such things in their common quest to monopolize all the things.

      We could have had a different internet. But we have one that is imploding on itself, because we trusted ad companies and smartphone makers and "professional business" to manage the whole thing. The web will be dead in 10 years no question.

  • (Score: 4, Insightful) by throckmorten on Friday June 18 2021, @01:20PM (9 children)

    by throckmorten (3380) on Friday June 18 2021, @01:20PM (#1146932) Homepage

    Still waiting for someone to explain what's wrong with writing them on a piece of paper.
    It's fundamentally no different than a password manager, suffers from the same downsides (theft, loss, ability to be compromised, etc) and it's a lot easier to use.

    • (Score: 2) by helel on Friday June 18 2021, @02:22PM (1 child)

      by helel (2949) on Friday June 18 2021, @02:22PM (#1146954)

      From a certain point of view the lack of a subscription fee would be a serious flaw...

      I think writing down passwords gets a bad rap because of the post-it note on the monitor at work. Lots of (older) people have used written passwords and then left them visible in public spaces making the entire idea seem bad when in truth it's perfectly secure in your own private space.

      --
      Republican Patriotism [youtube.com]
      • (Score: 0) by Anonymous Coward on Sunday June 20 2021, @03:32PM

        by Anonymous Coward on Sunday June 20 2021, @03:32PM (#1147505)

        It has a bad rap because it's easy to lose the sheet, hard to back up, gives them all of your passwords and limits the length and type of passwords. It fails on just about every level other than being remotely accessible.

        Really, the right thing would be for the people running the sites to be held accountable for not allowing proper 2FA like FIDO or the like along with secure passwords. I've encountered far too many sites that either don't authenticate the passwords as they're being set or just silently truncate to fit the character limit. And don't even get me started on character limits, there should never be a maximum character limit.

    • (Score: 2) by Freeman on Friday June 18 2021, @03:35PM (1 child)

      by Freeman (732) Subscriber Badge on Friday June 18 2021, @03:35PM (#1146978) Journal

      Writing down your passwords is actually more secure in some ways as a random hacker on the internet has no way to see your notes. In the event that someone has physical access to your house / machine, you've already lost anyway. Still, it's pretty stupid to write down your password in a public work space, or even a "private" work space that is shared with your colleagues.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 0) by Anonymous Coward on Sunday June 20 2021, @03:35PM

        by Anonymous Coward on Sunday June 20 2021, @03:35PM (#1147507)

        My password manager isn't accessible via the internet without me personally handing the encrypted database to a 3rd party. A cracker is not going to randomly break into my computer hoping to then break into my password database, that's far more work than compromising the sites I use or phishing for the credentials.

    • (Score: 1, Informative) by Anonymous Coward on Friday June 18 2021, @07:47PM (3 children)

      by Anonymous Coward on Friday June 18 2021, @07:47PM (#1147106)

      The downside to writing passwords on paper is you can't cut and paste them into password prompts. This eliminates the possibility of difficult random string passwords. Nobody has time to squint at paper and flawlessly retype a collection of gibberish.

      • (Score: 0) by Anonymous Coward on Friday June 18 2021, @09:49PM (2 children)

        by Anonymous Coward on Friday June 18 2021, @09:49PM (#1147145)

        Really, I hope you're not putting your passwords into paste buffers.

        • (Score: 0) by Anonymous Coward on Saturday June 19 2021, @06:47AM

          by Anonymous Coward on Saturday June 19 2021, @06:47AM (#1147253)

          Really, you should not even touch the keyboard. I saw on Jason Bourne they got the password from how worn out some of the keys were. Noobs.

        • (Score: 0) by Anonymous Coward on Saturday June 19 2021, @06:55AM

          by Anonymous Coward on Saturday June 19 2021, @06:55AM (#1147255)

          If something is reading your paste buffers, your computer is already hopelessly compromised. You already lost.

    • (Score: 0) by Anonymous Coward on Saturday June 19 2021, @02:55AM

      by Anonymous Coward on Saturday June 19 2021, @02:55AM (#1147222)

      It depends on what your threat model is. I have a number of SSH passwords and TOTP tokens written down because what I am protecting them from either won't have access to where they are written or if they do have access to them then they don't matter anyway. The only real downside of writing them down is that it lowers the entropy people use because we still teach people that "$3cUr3?" is better than "A somewhat long (and convoluted) passphrase for SoylentNews that I can remember and transcribe easily, whenever I need to do so!"

  • (Score: 3, Insightful) by ElizabethGreene on Friday June 18 2021, @01:32PM

    by ElizabethGreene (6748) on Friday June 18 2021, @01:32PM (#1146935)

    Opinion:
    What keeps people from using password managers?
    Security policy at most companies disables the password managers built into browsers.
    Many websites intentionally disable password saving for security. This was so pervasive that Firefox and Safari both have options to ignore autocomplete="off".
    The absolute shit quality and usability of enterprise password managers (I'm looking at you CyberArk) makes people hate them.
    It is annoying to set them up the first time you use them.

    Data Point:
    I've used password safe (open source) with the underlying data file stored on Dropbox for well over a decade. It's very good software.

  • (Score: 0) by Anonymous Coward on Friday June 18 2021, @02:22PM

    by Anonymous Coward on Friday June 18 2021, @02:22PM (#1146955)

    Why would I want to store passwords on the same device that uses the passwords? That's just asking for them to be stolen after an exploit.

    A step further, why store passwords on any network-attached device if they don't absolutely have to be?

    Also, many password managers are garbage [cmpxchg8b.com].

  • (Score: 3, Interesting) by ccgsNorthernLight on Friday June 18 2021, @03:48PM

    by ccgsNorthernLight (5372) on Friday June 18 2021, @03:48PM (#1146988)

    A simple encrypted text file is more flexible and easier to use than a password manager.
    You can also add other information that doesn't nicely fit the fields of a password manager.
    Steganos LockNote keeps the application and the text in a single password protected file.
    https://sourceforge.net/projects/locknote/ [sourceforge.net]

    Have it available wherever you go by putting it on a USB drive on your keychain.
    Backup is simple, just copy the file.

  • (Score: 2) by crafoo on Friday June 18 2021, @04:02PM (1 child)

    by crafoo (6639) on Friday June 18 2021, @04:02PM (#1146998)

    The real world alternative is to write them all down on paper and tape them on the desk under your keyboard. Well, at least that's what many people do in offices I've worked at.

    • (Score: 3, Funny) by Dr Spin on Friday June 18 2021, @09:17PM

      by Dr Spin (5239) on Friday June 18 2021, @09:17PM (#1147135)

      A company has been marketing a solution for exactly this problem for years:

      It's called the "Post-It Note".

      It is equipped with an adhesive stripe to allow it to be temporarily attached to your screen so you can always find it when you most need it.

      I have found it effective and reliable. The only major snag is when you put it in the copier to make backups it tends to stick to the platen cover.

      --
      Warning: Opening your mouth may invalidate your brain!
  • (Score: 2) by jdccdevel on Friday June 18 2021, @04:05PM (1 child)

    by jdccdevel (1329) on Friday June 18 2021, @04:05PM (#1146999) Journal

    The biggest complaint I have about password managers, as someone who almost never uses them, is they're so aggressive in trying to save a password. Basically anything in a hidden text box gets interpreted as a password, and it's annoying as hell:
    - Enter a WiFi Passphrase while configuring a router? Do you want to save that?
    - Some other non-login related thing that has a hidden field? Let me save that for you!
    - Can't detect a possible username? We'll try to save something anyway!

    Also, they're always trying to auto-generate new credentials for me! WTF? I'm setting up a standard login you POS! I don't want your 25 character randomly generated garbage that'll only exist on this particular browser!

    Can we please get a standard metadata tag for login forms? At least then the password manager can stop bugging me every time there's a hidden field in a form FFS!

    Also, I've noticed Firefox's password manager is particularly bad at popping up over-top of the box where I'm actually trying to type. Very Annoying!

    When I spend so much time telling the thing to GO AWAY, it's hard to think of a case when I'd actually want to use it.

    That said, even if it did work perfectly, all the disadvantages mentioned in other comments still apply:
    - It's easy to forget passwords you never use. (I need to log in from a different device, that isn't mine. But I can't because I don't know my password, it's in my password manager on a different PC!)
    - Single point of failure. (My HDD Died! Oh NO! Now I lost all of my randomly generated passwords that I'll never be able to recover! I hope I can reset them!)
    - Also, they're a massively juicy target for malware. (Compromise dozens of logins all at once, just use an exploit to hack the password manager!)

    At least with pen-and-paper, the only exploit available is physical. Keep your passwords on a note in your wallet, and at least you'll be much more likely to know they've been compromised.

    It's not as bad as it could be. Single/common sign-on integration has reduced the number of usernames/passwords required in most work environments. Combined with tech like OAuth for some websites, that has improved the situation on the web too somewhat.

    TL;DR: Annoying when they're not needed. For some situations they are useful, but I'd never use them for anything really important.

    • (Score: 0) by Anonymous Coward on Friday June 18 2021, @05:53PM

      by Anonymous Coward on Friday June 18 2021, @05:53PM (#1147052)

      That's why you use a stand-alone password manager program instead of whatever crap the browser provides. Makes life much simpler.

  • (Score: 0) by Anonymous Coward on Friday June 18 2021, @05:55PM (3 children)

    by Anonymous Coward on Friday June 18 2021, @05:55PM (#1147055)

    Surprised by all the negativity toward password managers here. But, I think some folks are confusing password managers in general with the ones that integrate into your web browser / a cloud service.

    One password to rule them all is actually a strength, not a weakness. I can remember a few really good passwords. One of these really good passwords is used for my password database. And, in using the password database, it allows me to have 1000s of unique good passwords which would have been impossible if I had to commit all of them to memory. If someone uses rubber hose cryptanalysis on me, they're going to get all the passwords they care about either way.

    A decent password manager is KeePassXC. It runs on nearly anything *nix, mac, windows, etc., and where it doesn't run, there is a compatible app that can share the same password database file. It has a virtual keyboard function to "type" your passwords to avoid apps/websites stealing passwords by harvesting your clipboard, and it handles TOTP auth as well. There are quite a few options for password managers out there, e.g., 'pass' looks pretty interesting.

    After I make a change to my password DB, I sync it around to various computers at home and at work, and to my phone via scp and adb. Backing it up is part of my normal backup routine. No clouds.

    • (Score: 2) by hendrikboom on Sunday June 20 2021, @01:10AM (2 children)

      by hendrikboom (1125) on Sunday June 20 2021, @01:10AM (#1147376) Homepage Journal

      Is the KeePassXC password database distributed? Can it reasonably be managed with a distributed revision management system like, for example, monotone?
      (I pick monotone instead of git because I prefer it).

      • (Score: 0) by Anonymous Coward on Sunday June 20 2021, @03:41PM (1 child)

        by Anonymous Coward on Sunday June 20 2021, @03:41PM (#1147510)

        You can distribute it using whatever file sync tools or services you like. One of the strengths of KeePass is that it isn't coupled to an online service, you can use none or whichever you like. Just make sure not to overwrite changes made on one computer with ones from another. If in doubt, you can manually sync databases from time to time. I recommend using a different file for sync than usage if you're going to sync between computers to prevent logins from being lost due to sync mistakes.
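        The "don't overwrite changes made on one computer with ones from another" caveat above, as an added example that is neither part of the thread nor KeePassXC's own tooling: a three-way check that hashes each copy of the database and compares both against the hash the two copies last agreed on, so a copy is only pushed or pulled when the other side has not changed in the meantime. The file names, the `sync_action` function and the demo contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from KeePassXC: decide whether copying
# a .kdbx database between two machines is safe before running scp/adb push.
# The file is opaque ciphertext; only its bytes are hashed, nothing is decrypted.

hash_of() {
    # GNU coreutils has sha256sum; macOS/BSD ship shasum instead
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# sync_action LOCAL_DB REMOTE_DB BASE_HASH_FILE
# BASE_HASH_FILE stores the hash both copies had after the last successful sync.
# Prints exactly one of:
#   in-sync  : copies are identical (the base record is refreshed)
#   push     : only LOCAL changed since the last sync  -> copy LOCAL over REMOTE
#   pull     : only REMOTE changed since the last sync -> copy REMOTE over LOCAL
#   conflict : both changed -> do not copy; merge the two databases by hand
sync_action() {
    local_h=$(hash_of "$1")
    remote_h=$(hash_of "$2")
    base_h=""
    if [ -f "$3" ]; then base_h=$(cat "$3"); fi

    if [ "$local_h" = "$remote_h" ]; then
        printf '%s\n' "$local_h" > "$3"
        echo in-sync
    elif [ "$remote_h" = "$base_h" ]; then
        echo push
    elif [ "$local_h" = "$base_h" ]; then
        echo pull
    else
        echo conflict
    fi
}

# Demo on constructed files (no real database is touched):
demo() {
    d=$(mktemp -d)
    printf 'kdbx-v1' > "$d/local.kdbx"; printf 'kdbx-v1' > "$d/remote.kdbx"
    sync_action "$d/local.kdbx" "$d/remote.kdbx" "$d/base"   # in-sync
    printf 'kdbx-v2' > "$d/local.kdbx"                        # edited at home
    sync_action "$d/local.kdbx" "$d/remote.kdbx" "$d/base"   # push
    printf 'kdbx-v3' > "$d/remote.kdbx"                       # edited at work too
    sync_action "$d/local.kdbx" "$d/remote.kdbx" "$d/base"   # conflict
    rm -rf "$d"
}
demo
```

        Run the check, then do the actual scp or adb copy only on "push" or "pull"; after a successful copy run it once more so the "in-sync" branch records the new base hash.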

        • (Score: 2) by hendrikboom on Monday June 21 2021, @03:14PM

          by hendrikboom (1125) on Monday June 21 2021, @03:14PM (#1147685) Homepage Journal

          If the file consists of lines, and the lines are separately encrypted, and each database entry is a line, any decent distributed revision management tool should be able to handle the situation, requiring manual intervention only when there are conflicting changes.

          So my question becomes: is this so?
