WSJ: What Keeps People From Using Password Managers?
No pay wall: https://archive.is/HCtcT
Many of us are vulnerable to hackers and eager to secure our online accounts, but lots of us also refuse to use an obvious solution: password managers.
Why? Our research has found that the typical reassurances and promises about password managers just don’t work. Fortunately, our research also suggests there are strategies that can persuade people to get past the psychological barriers and keep their data safe.
[...] In a study I conducted with my Ph.D. student Norah Alkaldi, we found that the two most common methods of persuasion were ineffective in getting people to adopt password managers. The first is the “push” approach—the idea that by showing people the dangers of using simple passwords, recording passwords on their computer or using the same passwords at different sites, we would push them to adopt a safer approach. Users, we found, don’t respond to the push strategy.
[...] The other, “pull,” approach—focusing on the positives of password managers—didn’t deliver any better results.
[...] We discovered two types of “mooring factors” that keep people from changing their behavior.
[...] First, there was the effort required to enter all your passwords into the password manager.
[...] People also fear they will lose all their passwords if they forget their master password.
(Score: 5, Insightful) by turgid on Friday June 18 2021, @09:18AM (18 children)
If the password manager gets cracked, then presumably so do all of your passwords? Or at least your authentication tokens. Password managers are software. Show me a 100% secure piece of software.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 0) by Anonymous Coward on Friday June 18 2021, @09:30AM (6 children)
main(){}
(Score: 5, Funny) by Anonymous Coward on Friday June 18 2021, @09:57AM (1 child)
Compile it with VC++ and it will have bugs.
(Score: 0) by Anonymous Coward on Saturday June 19 2021, @01:18AM
You mean it might actually do something useful?
(Score: 4, Insightful) by maxwell demon on Friday June 18 2021, @07:35PM (3 children)
This program has undefined behaviour because the main function has no return statement.
The program clearly is C90, as C99 as well as C++ don't allow the return type to be omitted. In C90, the omitted return type is implicitly int. And while both C99 and C++ generate an implicit return 0 statement in main if no explicit return statement is given, C90 does not do so. And a function with non-void return type that reaches the end of the function without an explicit return statement has undefined behaviour.
In practice, this code will “just” give some arbitrary exit code, and therefore will appear to work as long as you don't use it in well-written shell scripts or batch files that check for errors on their called programs (and it is, of course, possible that it just happens to give the exit code 0 by chance).
It is unlikely, but not completely inconceivable that this program is used by a shell script that will break due to the arbitrary exit code, and do so in a way that is exploitable.
So yes, this program might cause a security vulnerability.
The Tao of math: The numbers you can count are not the real numbers.
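The exit-status scenario from the comment above, as an added example that is not part of the thread: a stand-in function plays the role of a called program whose exit status is arbitrary, and two caller patterns show why only a strict "zero means success" check is safe. The function names and the status values passed in are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). arbitrary_program simulates a called
# program whose exit status is arbitrary, like the C90 main(){} discussed
# above; the argument is whatever value that status happens to be this run.
arbitrary_program() {
    return "$1"
}

# Fragile caller: only the specific "failure" status 1 is checked, so any
# other arbitrary value (0, 2, 37, ...) is silently treated as success.
fragile_gate() {
    status=0
    arbitrary_program "$1" || status=$?
    [ "$status" -ne 1 ] && echo allow || echo deny
}

# Robust caller: the program is used directly as the condition, so only
# status 0 counts as success and every other value is a failure. An
# arbitrary status can then never be mistaken for "checked and OK".
robust_gate() {
    if arbitrary_program "$1"; then
        echo allow
    else
        echo deny
    fi
}
```

Running `fragile_gate 37` prints allow while `robust_gate 37` prints deny; both print allow for status 0.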
(Score: 0) by Anonymous Coward on Friday June 18 2021, @11:22PM (1 child)
The main function has special treatment even before C99. Even if shell scripts have bugs in the face of an arbitrary integer being returned to the host environment, that is hardly a bug in the code.
(Score: 0) by Anonymous Coward on Saturday June 19 2021, @01:20AM
Documentation error, not a bug. Do not rely on the return code.
(Score: 0) by Anonymous Coward on Saturday June 19 2021, @01:30AM
Don't invite this guy to your party.
(Score: 5, Insightful) by Anonymous Coward on Friday June 18 2021, @10:14AM (3 children)
Yep. Can't use a password manager from anywhere except where you have it installed. If it breaks, you're hosed. If they're only stored locally, you can lose them all if your computer dies. If they're stored remotely, a data breach will reveal all your passwords. If stored remotely but encrypted with your master password, forgetting the master password locks you out.
Password managers just aren't a solution. They solve some problems and cause others. They are probably better in corporate environments where you can go to IT and have them fix everything when the password manager fails, as opposed to personal use where you have to chase down 1000 different systems yourself.
The psychological resistance comes from "thing under my control" (remember passwords) vs "thing not under my control" (password manager). Even if the thing not under your control is better on average, people don't want it. It is a little like self driving cars, lots of people just don't want them, period.
Everyone requiring stupid passwords that can't be remembered just makes everything worse. xkcd passwords are easier, but still probably would be forgotten if used rarely.
I'm a big fan of "log in with X service" - sure, it sucks to have more things depending on Google or Facebook, but it reduces the number of passwords and for most stuff it's completely adequate security - even the privacy is better than you'd expect.
(Score: 0) by Anonymous Coward on Friday June 18 2021, @10:49AM (1 child)
And if you keep it locally and/or on removable media and/or remotely you have to keep them all synced.
(Score: 4, Insightful) by driverless on Friday June 18 2021, @02:03PM
In fact I think it'd be fair to say that passwords and password managers are pretty much the worst form of user authentication.
Except for all of the others that have been tried [wsj.com].
(Score: 0) by Anonymous Coward on Friday June 18 2021, @05:30PM
You have a lot of good points. I use a password manager, though.
I only use passwords on my computer at home, never on a mobile phone. If my computer breaks, that's why I have daily, monthly, and semi-yearly backups on separate USB hard drives stored in different locations. I store my passwords locally only, so I only have to worry about someone breaking into my computer, not some server somewhere. I've remembered my master password for many years now, and it's really in muscle memory by now.
The point is, for my use case a password manager is a good balance between risk and reward. My email does indeed show up on haveibeenpwned as part of several sites' data breaches, but the only thing I've lost thus far is that site's password... which I just change, because it's not used anywhere else so can't be used anywhere else.
As for "log in with x" services, I will never knowingly use anything from Google or Facebook (I even block google fonts). They are simply evil and anyone who trusts them is mad, IMHO.
(Score: 5, Insightful) by MIRV888 on Friday June 18 2021, @03:41PM (4 children)
All your eggs in one basket. That seems like a bad idea to me.
(Score: 5, Funny) by looorg on Friday June 18 2021, @03:45PM (3 children)
Ah but what if you use two (or more) different password managers. You can even have one manager to manage the other managers. Now we are cookin'
(Score: 5, Funny) by Anonymous Coward on Friday June 18 2021, @07:41PM (1 child)
I use a different password manager for every password.
You can never be too safe
(Score: 0) by Anonymous Coward on Saturday June 19 2021, @01:21AM
I post as AC on every site, I don't have any passwords.
(Score: 2, Funny) by nitehawk214 on Saturday June 19 2021, @03:59PM
And put the passwords for the password managers in the other password manager!
"Don't you ever miss the days when you used to be nostalgic?" -Loiosh
(Score: 1) by nitehawk214 on Saturday June 19 2021, @03:48PM (1 child)
What is more likely, a password manager getting cracked, or someone using the same or similar passwords across 20 sites and one of those 20 getting cracked?
"Don't you ever miss the days when you used to be nostalgic?" -Loiosh
(Score: 0) by Anonymous Coward on Sunday June 20 2021, @03:13PM
That's kind of the issue: with the ridiculous number of accounts and passwords that people get pressured into making, there are only a few strategies possible. Reusing the same password, or storing them either electronically or physically, are the main ones. My password manager has several hundred total entries.
I personally opt to use a locally installed password manager and worry about backup/synchronizing separately, but I couldn't have decent passwords for all those sites without a manager and I couldn't come back years later if I needed to either.