[Discuss] Password managers
Rich Pieri
richard.pieri at gmail.com
Thu May 7 08:33:49 EDT 2020
On Wed, 6 May 2020 20:37:13 -0400
Kent Borg <kentborg at borg.org> wrote:
> Choose and deploy password in such a way that you can survive many
> bugs.
I'll counter with: you should stop making assumptions.
First of all, this:
> Which is near where we started. By having passwords so cumbersome
> that they require convenience-driven password management you are
> betting that your password manager software is, for some magical
> reason, bug-free.
I don't use a password vault because I use cumbersome passwords. I use
a vault because I can't keep track of literally hundreds of unique site
passwords regardless of how memorizable each one might be.
And this:
> Why do you care about rainbow attacks? Once a site is so badly
> compromised that an attacker the account database...what difference
> does it make if your plaintext password can be acquired? They are so
> owned.
Because I can.
> What if my password encryption has a really bad flaw? No big deal if
If you were following along you'd know that I use GnuPG for the primary
encryption. While it's possible that GPG has such a flaw I can be
confident that it will be fixed quickly, and reencrypting the vault is
not difficult.
> I also go to significant effort to prevent anyone from getting a copy
> of it. By having a limited feature password database it is possible
At rest, my vaults reside on BitLocker encrypted virtual disks which
are tied to each machine's TPM on machines I physically control and
locked with passwords different from the account logins. In flight,
SyncThing uses TLS 1.3 which is as good as we can reasonably get right
now.
> to put a layer of security around it. But if it is sitting between
> you and the internet, doing stuff automatically, then it is *on* the
> internet. And you should be scared.
I think you also missed the part where I explained that I don't use
Lastpass or 1Password. My passwords aren't "sitting between me and the
Internet".
> Most people should keep their password list, somewhat obfuscated,
> hand written, on paper, and then guard that paper carefully, as
> though it were very important.
I'm not "most people", and keeping 250+ passwords and growing
handwritten on a piece of paper is entirely unusable.
--
Rich Pieri