[Discuss] Password managers

Doug sweetser at alum.mit.edu
Wed May 6 13:58:51 EDT 2020


I am not a security expert. I certainly would not notice the 2FA versus 2SV
although now I see it is a real thing. What really impressed me and got me
to take out the credit card after I read the article was that Google
required all employees to use a Yubikey to do their day-to-day jobs. For
that reason, I don't think it is "cool", but provides a meaningful level of
security.

I don't care if my old Yahoo account is out of date. I only care about
where the money is kept: Northern Bank, Fidelity, E-trade. Do they have
2SV? Yup. With Yubikey? Often no. Gmail and LastPass have it. I recommended
buying 2 keys: one for my key chain, one for a specific place in my house.
For Gmail and LastPass, I register both keys. Then when I lost my keychain
for a week, I just used the other one (it was found in the couch).

There are rescue codes that can be written down on a piece of paper and
stored for the long term.

Doug

On Wed, May 6, 2020 at 1:47 PM Jack Bennett <ajbennett at gmail.com> wrote:

> One of the benefits of a password manager is that it automates this process
> so you can easily use passwords that would be impossible to remember and/or
> type in (and lock them behind a suitable and memorable passphrase).
>
> Of course, this still requires trusting the creators of the manager
> application itself.
>
> 1Password and LastPass have what appear to be good external security audit
> processes, so they've got that going for them.
>
> e.g. https://support.1password.com/security-assessments/
>
> I don't expect that I would be able to cook up a better DIY solution that
> is anywhere near as convenient.
>
>
>
> On Wed, May 6, 2020 at 1:35 PM Rich Pieri <richard.pieri at gmail.com> wrote:
>
> > On Wed, 6 May 2020 13:05:58 -0400
> > Kent Borg <kentborg at borg.org> wrote:
> >
> > > Except 16+ is overkill for a password. (*Password*, not encryption
> > > passphrase--the two are extremely different uses.)
> >
> > Except... they're not. 16 random (I'm assuming) characters is what
> > Google use for application passwords. Which are in fact passwords in
> > their use. That's my base line.
> >
> > --
> > Rich Pieri
> > _______________________________________________
> > Discuss mailing list
> > Discuss at lists.blu.org
> > http://lists.blu.org/mailman/listinfo/discuss
> >
>
>
> --
> Jack Bennett
> ajbennett at gmail.com

