
posted by mrpg on Friday June 18 2021, @09:00AM
from the 00aa23e67f100945c87d19e4012f dept.

WSJ: What Keeps People From Using Password Managers?

No pay wall: https://archive.is/HCtcT

Many of us are vulnerable to hackers and eager to secure our online accounts, but lots of us also refuse to use an obvious solution: password managers.

Why? Our research has found that the typical reassurances and promises about password managers just don’t work. Fortunately, our research also suggests there are strategies that can persuade people to get past the psychological barriers and keep their data safe.

[...] In a study I conducted with my Ph.D. student Norah Alkaldi, we found that the two most common methods of persuasion were ineffective in getting people to adopt password managers. The first is the “push” approach—the idea that by showing people the dangers of using simple passwords, recording passwords on their computer or using the same passwords at different sites, we would push them to adopt a safer approach. Users, we found, don’t respond to the push strategy.

[...] The other, “pull,” approach—focusing on the positives of password managers—didn’t deliver any better results.

[...] We discovered two types of “mooring factors” that keep people from changing their behavior.

[...] First, there was the effort required to enter all your passwords into the password manager.

[...] People also fear they will lose all their passwords if they forget their master password.


  • by Anonymous Coward on Friday June 18 2021, @01:06PM (#1146928)


    The moment you put your data in the hands of another person, it's no longer your data. If the PWM stores your passwords "in the cloud" then they won't stay only yours for very long. If the PWM keeps them entirely local then *maybe* you can start to trust it, right up until it decides you aren't you & no longer deserve access to your data any longer.
    Create a plain text file of the name of the service to which you are signing up. Like "ExampleSiteDotCom.txt". Inside the file give the full URL to the site main page. Include the UN & PW you used to sign up. Instead of using your real PII, use entirely fake PII specific to that site, so if said PII gets "leaked" you will know *exactly* who leaked it. Record all those fake PII answers in said file. Real name? Throatwarbler Mangrove. Real DOB? January 1st, 1800. Real mailing address? 2021 Greedy Putz Place, Beverly Hills, California 90210. Real phone number? (202) 911-5150. etc etc etc.
    If the site demands a credit card, go out & grab a PayAsYouGo card from somewhere, give it a balance of a few dollars, & use that card *only* for that specific site. If the management site reports that someone tried to charge a giant bill to it, you know *exactly* whom to blame for the "leak". You are also NOT rendered bankrupt by the site's inability to do actual security. You are out the balance on the card & not a penny more. If and only if the site service is one that you enjoy, keep topping off the card to cover whatever recurring charges the service demands. As long as they keep doing things right, you keep the card going. But if they screw up & try to screw you over, simply stop topping up the card & give them TheFinger. They don't have your real name, they don't have your real financial data, they're up a creek as far as proving the account belongs to you.
    Once you've recorded all the security questions & fake answers, once all the fake PII is in the file, then save the file & stick it in a directory of the name of the site. Every time you have to deal with the site, add a "---" line to the bottom of the text file, drop in the date & time, and write a note to describe said interaction. Emails from them get dumped into the folder as well. This keeps a running record of everything to do with said site. Maintain the folder for as long as you keep records at all. If something happens a decade from now, you can simply check the main folder, find the folder with the site name, & get reminded of everything up to that point.
    Keep that folder (and all other folders with real PII accounts) on a USB key that you encrypt. You need only remember the main encrypt key to access the files stored on the key, at which point everything is in plain text. Make a backup copy to long term archival storage on a local HDD. Store the encryption key in a different file so it's not obvious.
    There. You've just left yourself a reminder about every site you've registered at, the UN & PW needed to log in, all the security questions & fake PII used to register, and a running log of all interactions with said service. Write the name of the service on the PAYG card & leave it in a drawer. You never want to use it for anything else, so no point in leaving it on your person. And it's all stored locally, stays under your control, & remains entirely your own data.
    Now if you pardon me, I'll go register for something & claim to be a 500 year old Hungarian ambidextrous, androgynous, hermaphrodite, lesbian, Jewish, techno polka player with neon green hair so as to screw with their heads. =-D

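As an added example (not the commenter's code and not from the article), here is a small Python implementation of the per-site record described in the comment above: one plain-text file per site holding the URL, the login and that site's fake PII, a "---" separated dated log of interactions, and a lookup that maps a value seen in a leak back to the single site it was given to. The file layout, the field names and the two sample sites are assumptions; the leak lookup is the comment's "you will know exactly who leaked it" idea made concrete.

```python
import tempfile
from datetime import datetime
from pathlib import Path
SEP = "---"  # the comment's separator line written before each dated log entry

def write_record(root, site, url, login, fake_pii):
    """Create <root>/<site>/<site>.txt with URL, login and site-specific fake PII."""
    path = root / site / f"{site}.txt"
    path.parent.mkdir(parents=True, exist_ok=True)
    lines = [f"url: {url}"] + [f"{k}: {v}" for k, v in login.items()]
    lines += [f"pii.{k}: {v}" for k, v in fake_pii.items()]
    path.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return path

def append_interaction(path, note, when=None):
    """Append a '---' block carrying the date/time and a note about the interaction."""
    stamp = (when or datetime.now()).isoformat(timespec="minutes")
    with path.open("a", encoding="utf-8") as fh:
        fh.write(f"{SEP}\n{stamp}\n{note}\n")

def parse_record(path):
    """Parse a record back into (header dict, [(timestamp, note), ...])."""
    chunks = path.read_text(encoding="utf-8").split(f"{SEP}\n")
    header = dict(line.partition(": ")[::2] for line in chunks[0].splitlines())
    log = [tuple(c.strip().partition("\n")[::2]) for c in chunks[1:]]
    return header, log

def find_site_by_leaked_value(root, value):
    """Sites that were given this fake PII value; a single hit names who leaked it."""
    hits = []
    for record in root.glob("*/*.txt"):
        header, _ = parse_record(record)
        if any(k.startswith("pii.") and v == value for k, v in header.items()):
            hits.append(record.parent.name)
    return sorted(hits)

def demo():
    """Constructed scenario (assumed sites, not real accounts): two sites, two fake identities."""
    root = Path(tempfile.mkdtemp())
    a = write_record(root, "ExampleSiteDotCom", "https://example.com/",
                     {"user": "tw_mangrove", "pass": "demo-only"},
                     {"name": "Throatwarbler Mangrove", "phone": "(202) 911-5150"})
    write_record(root, "OtherShopDotNet", "https://other.example.net/",
                 {"user": "j_doe1800", "pass": "demo-only"},
                 {"name": "Jane Doe", "phone": "(202) 555-0100"})
    append_interaction(a, "Signed up; site demanded a card", datetime(2021, 6, 18, 9, 0))
    append_interaction(a, "Marketing mail arrived at the site-specific address")
    header, log = parse_record(a)
    return {"url": header["url"], "entries": len(log), "first": log[0],
            "leaker": find_site_by_leaked_value(root, "Throatwarbler Mangrove")}
```

The records are written to a temporary directory; the comment's encrypted USB key and offline backup are outside what this sketch covers.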
  • by Anonymous Coward on Saturday June 19 2021, @04:21PM (#1147302)


    Create a plain text file of the name of the service to which you are signing up. Like "ExampleSiteDotCom.txt". Inside the file give the full URL to the site main page.

    At about the 200-300th site login, this was the conclusion I came to as well. Aside from a handful of actually important passwords, the majority simply have to be offloaded to a piece of paper, or file, or just constantly re-used.

    Sites and services don't integrate with password managers, and those are specific to machines. Trusting your phone with anything is for fools. Every service and site under the sun now, including an increasing number of sites and apps for utilities and real-life services that never needed the internet before, now demand logins and emails and passwords and the whole thing is completely out of control with no end in sight.

    It doesn't have to be like this. .ssh files and scripts work and work well for server administration, with multiple methods of mitigating risk.
    But of course no website or app will ever subscribe to such an open framework, because Big Tech SV is above such things in their common quest to monopolize all the things.

    We could have had a different internet. But we have one that is imploding on itself, because we trusted ad companies and smartphone makers and "professional business" to manage the whole thing. The web will be dead in 10 years no question.