BLU Discuss list archive
[Discuss] Yesterday's Cloudflare News and Online Password Managers...
- Subject: [Discuss] Yesterday's Cloudflare News and Online Password Managers...
- From: john at johnbyrnes.info (John Byrnes)
- Date: Sun, 5 Mar 2017 10:54:52 -0500
- In-reply-to: <73316d0c-cea8-c571-2fcf-e2286da39f03@borg.org>
- References: <73316d0c-cea8-c571-2fcf-e2286da39f03@borg.org>
On 02.24.17, Kent Borg wrote:
> Did you know that some software has bugs? It's true!

I'm shocked -- shocked! that you would make such an insinuation! ;-)

> Yesterday's Cloudflare bug ("cloudbleed") leaked lots of kinds of data.
> Including data from an unnamed password manager. No! (Yes.)
>
> https://www.theregister.co.uk/2017/02/24/cloudbleed_buffer_overflow_bug_spaffs_personal_data/
>
> Again: When choosing a password manager (when putting all your eggs in one
> basket), look for the one that is the most manual, with the fewest
> convenience features (such as auto-fill or being on online service, say).
>
> Your password manager *will* have bugs.

As I mentioned before, I've found PasswordStore to be a good compromise between the online commercial products and offline-only offerings. You can host your git repo on a Raspberry Pi in a kitchen cabinet.

> Choose one that is most conservative, most isolated from the outside world,
> one that requires you be in the middle of every dispensing of a password.
> Then that inevitable bug (only one?) won't matter so much.

Adding the hardware token as we discussed earlier takes this a step further.

> Or, you don't have to do this. You could go with one that just takes care of
> everything for you, sit back, relax...and wait for the bad news that you need
> to rebuild your life. Maybe that news never comes, but yesterday's news
> suggests otherwise.

I would say that the password manager you describe is still better than using the same lousy password for all of the online cat video enthusiast forums, newspaper commenting systems and other non-critical accounts.

> There will be bugs.

#jobsecurity.

Cheers,
John