[Discuss] Password managers
Jack Bennett
ajbennett at gmail.com
Thu May 7 08:04:19 EDT 2020
On Wed, May 6, 2020 at 6:59 PM Kent Borg <kentborg at borg.org> wrote:
> On 5/6/20 1:45 PM, Jack Bennett wrote:
> > One of the benefits of a password manager is that it automates this process
> > so you can easily use passwords that would be impossible to remember and/or
> > type in (and lock them behind a suitable and memorable passphrase).
>
> I'm not opposed to software automatically generating passwords. But why
> make them impossible to remember?
>
> It is easy to remember "tropic-judge-dragon", and it has 32 bits of
> entropy. Same with "voodoo-apollo-period". Neither would be a good
> encryption key, but both fine passwords. (Again, the distinction between
> password and an encryption key is *crucial*.) Those were both software
> generated. How many would you like?
>
> sandra-shelter-avenue
> bicycle-bruce-patrol
> under-survive-pluto
> zodiac-stuart-pattern
> amazon-mouse-museum
> dublin-scoop-optic
>
> I got a million of 'em! All fine passwords. (All terrible encryption keys.)
>
I agree 100% that any one of these individually is easy to
memorize/remember (and type in, which is a nice feature as well). The hard
part comes in organizing and remembering N>>1 of these (bank site,
insurance site, email, retail sites, etc, etc), updating them, deprecating
them, and so forth. A password manager does this at a very low financial
cost; whether the risk is acceptable is another question.
I do trust Thomas Ptacek's (@tqbf) assessment of the situation. This was
one of the factors that sold me on 1Password a few years back:
https://twitter.com/tqbf/status/886058611692232704 (herd mentality perhaps,
but at least informed and considered herd mentality ...)
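
An added example, not part of the original message or any poster's own tooling: a word-based passphrase generator with the arithmetic behind the 32-bit figure quoted above, and how many words the same scheme would need to reach key-grade strength. It assumes uniform, independent word choice; the 128-bit key target and all function names are assumptions for illustration, and the embedded word list is constructed from the words quoted in the thread.

```python
import math
import secrets

# Constructed sample list: the 24 words from the passphrases quoted above.
# Far too small for real use; a real generator needs a much larger list.
SAMPLE_WORDS = (
    "tropic judge dragon voodoo apollo period sandra shelter avenue bicycle "
    "bruce patrol under survive pluto zodiac stuart pattern amazon mouse "
    "museum dublin scoop optic"
).split()


def generate(wordlist, n_words=3, sep="-"):
    """Pick n_words uniformly and independently using the OS CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Entropy of n_words uniform, independent picks from list_size words."""
    return n_words * math.log2(list_size)


def min_list_size(n_words, bits):
    """Smallest list size for which n_words picks cover at least 2**bits."""
    size = 2
    while size ** n_words < 2 ** bits:
        size += 1
    return size


def words_needed(list_size, bits):
    """Smallest number of words whose combinations cover at least 2**bits."""
    count = 1
    while list_size ** count < 2 ** bits:
        count += 1
    return count


if __name__ == "__main__":
    size = min_list_size(3, 32)  # list size implied by "3 words = 32 bits"
    print("list size for 32 bits in 3 words:", size)
    print("bits from 3 words:", round(entropy_bits(size, 3), 3))
    # 128 bits is an assumed target for an encryption key, not from the thread.
    print("words for a 128-bit key:", words_needed(size, 128))
    sample_bits = entropy_bits(len(SAMPLE_WORDS), 3)
    print("sample from 24-word list (%.1f bits):" % sample_bits,
          generate(SAMPLE_WORDS))
```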