[Discuss] Password managers

Rich Pieri richard.pieri at gmail.com
Tue May 5 22:41:16 EDT 2020


On Tue, 5 May 2020 20:27:03 -0400
Doug <sweetser at alum.mit.edu> wrote:

> One nice perk of LastPass: it will give you an overall security score
> for every password you have. It took quite a bit of dull work over a
> few weeks, but my security score is at 95%. The reason it is not
> higher: shared passwords with the missus.

I really don't like these "score" things. At best they're a placebo. At
worst they are constraints that might make individual passwords strong
but make the corpus weak, since the constraints are known plain text.

A site password is simple:

* Run: "pwgen -nsB ##" (where ## is typically 16 or more)
* Pick one.
* Store it in my password-store.
* Use pass from the command line or browserpass in browsers.
* Never reuse a password.

> What if someone gets your Gmail account password? They see you have
> LastPass. They get the reset sent to the Gmail account. LastPass has
> Fidelity credentials. All the savings get stolen using a laptop.

Doubtful. And I don't use LastPass or 1Password, so even if they figured
out the string-of-random-characters password, and got my phone, and could
get into that to verify the access, they still don't have access to my
password vault.

-- 
Rich Pieri
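
Added example, not part of the original message: a Python sketch of what the "pwgen -nsB 16" step produces and how many bits the composition constraints cost, counted by inclusion-exclusion. The ambiguous-character set and the "at least one capital and one digit" requirement are assumptions made for this example; pwgen's own list and defaults may differ.

```python
import math
import secrets
import string

# Assumption: characters treated as ambiguous; pwgen's own list may differ.
AMBIGUOUS = set("B8G6I1l0OQDS5Z2")

def classes(exclude=AMBIGUOUS):
    """Lower, upper and digit classes with the excluded characters removed."""
    groups = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    return [[c for c in g if c not in exclude] for g in groups]

def generate(length=16, required=(1, 2)):
    """Draw uniformly from the alphabet and reject until every required class
    (index into classes(): 0 lower, 1 upper, 2 digit) appears at least once."""
    groups = classes()
    alphabet = [c for g in groups for c in g]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in groups[i] for c in pw) for i in required):
            return pw

def entropy_bits(length=16, required=(1, 2)):
    """log2 of the number of passwords that satisfy the constraints.
    Rejection sampling is uniform over that set, so this is the entropy."""
    groups = classes()
    total = sum(len(g) for g in groups)
    count = 0
    for mask in range(1 << len(required)):
        # Each mask selects a subset of required classes assumed to be absent.
        missing = [required[i] for i in range(len(required)) if (mask >> i) & 1]
        remaining = total - sum(len(groups[i]) for i in missing)
        count += (-1) ** len(missing) * remaining ** length
    return math.log2(count)

if __name__ == "__main__":
    print(generate())
    print(f"unconstrained: {entropy_bits(16, required=()):.2f} bits")
    print(f"constrained:   {entropy_bits(16):.2f} bits")
```

With these assumptions the alphabet has 47 characters, and the constraints remove less than half a bit at length 16; the same function shows the loss growing as the length shrinks.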

