BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Password managers

Subject: [Discuss] Password managers
From: kentborg at borg.org (Kent Borg)
Date: Wed, 6 May 2020 21:59:15 -0400
In-reply-to: <CANiupv4RjERd1Aontq8HYEVaKv4fBGuVkczLLhb48m0mT+GkPw@mail.gmail.com>
References: <9c4a5c7e-55aa-8ae1-da3b-4512cb2ae85c@gmail.com> <5eb1f81d.1c69fb81.80c8b.07ca@mx.google.com> <CANiupv686GBC5EZVsiEf831-b4i0E3NjZ3fnsDToM02z1zjUNg@mail.gmail.com> <5eb223cd.1c69fb81.6fa04.3ab5@mx.google.com> <0cbc8403-48a5-14bd-524c-a4eded6b64fa@borg.org> <e2be00f8-8de6-4645-e71b-a5d14f78ede7@borg.org> <5eb2d4b7.1c69fb81.c9540.9f0b@mx.google.com> <2fc76d5b-e5bd-2aa4-7002-7e7b65461d76@borg.org> <5eb2f4ba.1c69fb81.676b1.a824@mx.google.com> <bc8f39ad-543c-9be6-169b-b8b2c13261a9@borg.org> <5eb2fac0.1c69fb81.34622.b7dd@mx.google.com> <31156b7d-880c-f77f-0972-f1ebbe4ab837@borg.org> <5eb34f22.1c69fb81.8746.1128@mx.google.com> <bbb581c1-d898-0722-9487-2eef18e29e91@borg.org> <a0d11787-6e1d-3f71-05f5-2eac196ced2e@borg.org> <897a84ca-9d69-6d8b-23fd-46ab65405c78@borg.org> <CANiupv4RjERd1Aontq8HYEVaKv4fBGuVkczLLhb48m0mT+GkPw@mail.gmail.com>

On 5/6/20 9:44 PM, Doug wrote:
> > And even
> > then be really worried that, though your password software and how you
> > use it might be really, really excellent, if someone has spyware on your
> > machine that targets your password software, you are *so* screwed.
> >
> > This stuff is terrifying.
>
> Less so if one uses two-step verification.

Yes. But it is not the magic bullet some wish.

> I could type my username and password for GMail and lastpass right 
> here and you would not be able to get in. The reason: you don't have 
> my Yubikey.

But if I have owned your computer, you have it for me, I don't drain 
your bank account from my computer, I let yours do the work. But you are 
right, if the Yubikey works right, it makes it harder.

> Most banks and credit card companies use people's cell phones as a 
> 2SV. The cell phone is not as good as a Yubikey, but the second step 
> means your money is not immediately gone due to spyware. Spyware folks 
> do not also steal millions?of cell phones.

But many banks use SMS as the two-factor technique, if someone can 
convince T-Mobile to sell "you" a replacement SIM, your money can all go 
poof.

Two-factor isn't a bad thing, but it is complicated, introduces new 
failure points, and doesn't scale well to many, many accounts.

-kb

References:
- [Discuss] Password managers
  - From: j.natowitz at gmail.com (Jerry Natowitz)
- [Discuss] Password managers
  - From: richard.pieri at gmail.com (Rich Pieri)
- [Discuss] Password managers
  - From: sweetser at alum.mit.edu (Doug)
- [Discuss] Password managers
  - From: richard.pieri at gmail.com (Rich Pieri)
- [Discuss] Password managers
  - From: kentborg at borg.org (Kent Borg)
- [Discuss] Password managers
  - From: kentborg at borg.org (Kent Borg)
- [Discuss] Password managers
  - From: richard.pieri at gmail.com (Rich Pieri)
- [Discuss] Password managers
  - From: kentborg at borg.org (Kent Borg)
- [Discuss] Password managers
  - From: richard.pieri at gmail.com (Rich Pieri)
- [Discuss] Password managers
  - From: kentborg at borg.org (Kent Borg)
- [Discuss] Password managers
  - From: richard.pieri at gmail.com (Rich Pieri)
- [Discuss] Password managers
  - From: kentborg at borg.org (Kent Borg)
- [Discuss] Password managers
  - From: richard.pieri at gmail.com (Rich Pieri)
- [Discuss] Password managers
  - From: kentborg at borg.org (Kent Borg)
- [Discuss] Password managers
  - From: kentborg at borg.org (Kent Borg)
- [Discuss] Password managers
  - From: kentborg at borg.org (Kent Borg)
- [Discuss] Password managers
  - From: sweetser at alum.mit.edu (Doug)

Prev by Date: [Discuss] Password managers
Next by Date: [Discuss] Password managers
Previous by thread: [Discuss] Password managers
Next by thread: [Discuss] Password managers
Index(es):
- Date
- Thread