BLU Discuss list archive
[Discuss] Password managers
- Subject: [Discuss] Password managers
- From: kentborg at borg.org (Kent Borg)
- Date: Wed, 6 May 2020 18:57:09 -0400
- In-reply-to: <CAHjm0ZGA3xca4384MqNqeiur93P4Tb=QccOiyStkr29QR2m=Bw@mail.gmail.com>
On 5/6/20 1:45 PM, Jack Bennett wrote:
> One of the benefits of a password manager is that it automates this process
> so you can easily use passwords that would be impossible to remember and/or
> type in (and lock them behind a suitable and memorable passphrase).

I'm not opposed to software automatically generating passwords. But why make them impossible to remember?

It is easy to remember "tropic-judge-dragon", and it has 32-bits of entropy. Same with "voodoo-apollo-period". Neither would be a good encryption key, but both fine passwords. (Again, the distinction between password and an encryption key is *crucial*.)

Those were both software generated. How many would you like?

  sandra-shelter-avenue
  bicycle-bruce-patrol
  under-survive-pluto
  zodiac-stuart-pattern
  amazon-mouse-museum
  dublin-scoop-optic

I got a million of em'! All fine passwords. (All terrible encryption keys.)

Wanna little extra comfort? "7atropic-judge-dragon" and "04voodoo-apollo-period", still pretty easy to remember, protects against stupid sites that silently truncate after a few characters.

> I don't expect that I would be able to cook up a better DIY solution that
> is anywhere near as convenient.

Convenience is a terrible measure for security. Usability matters, but the day there is a global crack of Lastpass the convenience will turn to regret.

Pick an off-line password manager (one that is even easy to use, usability is good), but one that requires manual action, and there are /many/ fewer places where the software could fail catastrophically.

Insisting that passwords have excessive entropy is a great way to make things unusable.

-kb
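
An added example, not part of the message above and not the tool its author used: a three-word passphrase generator with the entropy arithmetic behind the "32 bits" figure and the password-versus-key distinction. The function names, the sample word list (built from the words quoted in the message) and both guessing rates are assumptions made for illustration.

```python
import math
import secrets

# Sample list built from the words quoted in the post; far too small for real
# use. A real generator needs a list of the size words_needed() reports.
SAMPLE_WORDS = (
    "tropic judge dragon voodoo apollo period sandra shelter avenue bicycle "
    "bruce patrol under survive pluto zodiac stuart pattern amazon mouse "
    "museum dublin scoop optic"
).split()


def generate(words, count=3, sep="-"):
    """Pick `count` words uniformly and independently with a CSPRNG."""
    if len(set(words)) != len(words):
        raise ValueError("duplicate words would lower the real entropy")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count=3):
    """Entropy of `count` uniform, independent picks from `list_size` words."""
    return count * math.log2(list_size)


def words_needed(bits, count=3):
    """Smallest list size giving at least `bits` of entropy with `count` words."""
    return math.ceil(2 ** (bits / count))


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a given guessing rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    size = words_needed(32)
    print(f"list size for 32 bits with 3 words: {size}")
    print(f"entropy with that list: {entropy_bits(size):.2f} bits")
    print(f"sample (toy list, {entropy_bits(len(SAMPLE_WORDS)):.1f} bits): "
          f"{generate(SAMPLE_WORDS)}")
    # Both rates are assumptions: a throttled login form vs. offline guessing
    # against a fast hash or a key derived directly from the passphrase.
    for label, rate in (("online, 10/s", 10), ("offline, 1e10/s", 1e10)):
        print(f"{label}: {seconds_to_exhaust(32, rate):,.1f} s")
```

The same 32 bits that take years to exhaust through a throttled login are gone in under a second at the assumed offline rate, which is the gap between a password and an encryption key.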