BLU Discuss list archive
[Discuss] Password managers
- Subject: [Discuss] Password managers
- From: kentborg at borg.org (Kent Borg)
- Date: Wed, 6 May 2020 13:15:19 -0400
- In-reply-to: <CANiupv5AJPwvc4-z9Wp3PeK-Py51nRF2p87nHqs9xZERwQiCyg@mail.gmail.com>
- References: <9c4a5c7e-55aa-8ae1-da3b-4512cb2ae85c@gmail.com> <5eb1f81d.1c69fb81.80c8b.07ca@mx.google.com> <CANiupv686GBC5EZVsiEf831-b4i0E3NjZ3fnsDToM02z1zjUNg@mail.gmail.com> <5eb223cd.1c69fb81.6fa04.3ab5@mx.google.com> <0cbc8403-48a5-14bd-524c-a4eded6b64fa@borg.org> <e2be00f8-8de6-4645-e71b-a5d14f78ede7@borg.org> <5eb2d4b7.1c69fb81.c9540.9f0b@mx.google.com> <CANiupv5AJPwvc4-z9Wp3PeK-Py51nRF2p87nHqs9xZERwQiCyg@mail.gmail.com>
On 5/6/20 12:03 PM, Doug wrote:
> Am I wrong to presume everyone here uses 2-factor authentication? Yubikey
> is that, plus it has software that does try to figure out if the servers
> being contacted are the right ones, and not ones that just look right to a
> casual observer.

You are wrong in the case of me.

I am willing to consider trusting something like the old SecurID (was it called?). It has the virtue of being manual, so I know what it is doing and that it isn't automatically doing things without my knowing. The catch is even something that simple couldn't be trusted: RSA was an idiot organization and they had a systemic breach.

Yubikey feels more "Isn't this cool!?" to me than it feels secure. Why should I trust it will only let me in? Why should I trust it *will* let me in? (What the hell do I do if I damage it? Exactly how screwed am I?)

I do understand the value of two-factor stuff to fight against compromised endpoints, but it doesn't solve, just hobbles them a little.

Two-factor can be extremely valuable to protect high value stuff, but it does not scale well, and the other things needed to protect such high value targets are too burdensome for slightly normal people.

-kb