[Discuss] Password managers

[kentborg at borg.org (Kent Borg)]

On 5/6/20 1:58 PM, Doug wrote:
> I am not a security expert. I certainly would not notice the 2FA versus 2SV
> although now I see it is a real thing. What really impressed me and got me
> to take out the credit card after I read the article was that Google
> required all employees to use a Yubikey to do their day-to-day jobs.

Google is an extremely high value target. Google needs (and apparently 
has) better security than do most countries.

If I were running Google security I would put a *lot* of effort into 
securing end points. That is, I would put effort into making sure no 
malware got onto employee computers. I would not let employees install 
whatever Chinese or Russian or American software they wanted, I would 
tell them to use their own computers for their own purposes.

I would demand employees to treat their work security as if it were one 
of the most important things in their lives. I would do stuff (e.g., 
dedicated computer) that does not scale across the rest of employees' 
lives' security needs.

Assembling that security would be a lot of work, I don't know the 
details, but it might well involve Yubikeys. But if it did, I doubt I 
would allow employees to commingle their Google Yubikey with personal use.

It would easy to cargo-cult copy a few things visible from the outside, 
but very hard for others to duplicate in a real way.

-kb