BLU Discuss list archive
[Discuss] Password managers
- Subject: [Discuss] Password managers
- From: richard.pieri at gmail.com (Rich Pieri)
- Date: Thu, 7 May 2020 08:33:49 -0400
- In-reply-to: <a0d11787-6e1d-3f71-05f5-2eac196ced2e@borg.org>
On Wed, 6 May 2020 20:37:13 -0400
Kent Borg <kentborg at borg.org> wrote:

> Choose and deploy password in such a way that you can survive many
> bugs.

I'll counter with: you should stop making assumptions. First of all, this:

> Which is near where we started. By having passwords so cumbersome
> that they require convenience-driven password management you are
> betting that your password manager software is, for some magical
> reason, bug-free.

I don't use a password vault because I use cumbersome passwords. I use a vault because I can't keep track of literally hundreds of unique site passwords regardless of how memorizable each one might be. And this:

> Why do you care about rainbow attacks? Once a site is so badly
> compromised that an attacker the account database...what difference
> does it make if your plaintext password can be acquired? They are so
> owned.

Because I can.

> What if my password encryption has a really bad flaw? No big deal if

If you were following along you'd know that I use GnuPG for the primary encryption. While it's possible that GPG has such a flaw I can be confident that it will be fixed quickly, and reencrypting the vault is not difficult.

> I also go to significant effort to prevent anyone from getting a copy
> of it. By having a limited feature password database it is possible

At rest, my vaults reside on BitLocker encrypted virtual disks which are tied to each machine's TPM on machines I physically control and locked with passwords different from the account logins. In flight, SyncThing uses TLS 1.3 which is as good as we can reasonably get right now.

> to put a layer of security around it. But if it is sitting between
> you and the internet, doing stuff automatically, then it is *on* the
> internet. And you should be scared.

I think you also missed the part where I explained that I don't use Lastpass or 1Password. My passwords aren't "sitting between me and the Internet".

> Most people should keep their password list, somewhat obfuscated,
> hand written, on paper, and then guard that paper carefully, as
> though it were very important.

I'm not "most people", and keeping 250+ passwords and growing handwritten on a piece of paper is entirely unusable.

--
Rich Pieri