[Discuss] Password managers
Kent Borg
kentborg at borg.org
Wed May 6 21:59:15 EDT 2020
On 5/6/20 9:44 PM, Doug wrote:

> > And even
> > then be really worried that, though your password software and how you
> > use it might be really, really excellent, if someone has spyware on your
> > machine that targets your password software, you are *so* screwed.
> >
> > This stuff is terrifying.
>
> Less so if one uses two-step verification.

Yes. But it is not the magic bullet some wish.

> I could type my username and password for GMail and lastpass right
> here and you would not be able to get in. The reason: you don't have
> my Yubikey.

But if I have owned your computer, you have it for me, I don't drain
your bank account from my computer, I let yours do the work. But you are
right, if the Yubikey works right, it makes it harder.

> Most banks and credit card companies use people's cell phones as a
> 2SV. The cell phone is not as good as a Yubikey, but the second step
> means your money is not immediately gone due to spyware. Spyware folks
> do not also steal millions of cell phones.

But many banks use SMS as the two-factor technique, if someone can
convince T-Mobile to sell "you" a replacement SIM, your money can all go
poof.

Two-factor isn't a bad thing, but it is complicated, introduces new
failure points, and doesn't scale well to many, many accounts.

-kb