this post was submitted on 27 Oct 2023
1302 points (98.0% liked)

Memes

45719 readers
855 users here now

Rules:

  1. Be civil and nice.
  2. Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] Kedly@lemm.ee 36 points 1 year ago* (last edited 1 year ago) (3 children)

Counterpoint: Password Manager = One point of failure

Multiple Strong Passwords that have to be changed every 3 months even to sign on to your cornerstore rewards program without a password manager? Guess you're never accessing any account older than 3 months because you've forgotten th3 b1lli0n$ oF s+r0ng p4s5w0rds Y0u h4Ve cr3atEd!

[–] Catsrules@lemmy.ml 25 points 1 year ago (1 children)

Actually you are the single point of failure

https://xkcd.com/538/

[–] Kedly@lemm.ee 7 points 1 year ago

I mean yeah, the security benefit from being un-notable isnt negligible

[–] FakinUpCountryDegen@lemmy.world 14 points 1 year ago (3 children)

That's...not a counterpoint.

You can have strong authentication on your central password manager, and have an encrypted container protecting it.

There is no logical argument against password vaults as a concept. There are bad implementations of specific password vaults, but a password vault is the answer for the highest possible password based security available in 2023.

[–] Kedly@lemm.ee 2 points 1 year ago

And figuring out which password managers to use is not a task which a lot of people know where to start, and it is STILL a single point of failure

[–] RedditRefugee69@lemmy.world 1 points 1 year ago

What makes it completely unusable for me is that I don’t have a single work computer I use. I have to bounce around computers at work, my personal phone, computer, work iPad, etc.

[–] Comment105@lemm.ee -1 points 1 year ago* (last edited 1 year ago)

I have no idea about how to protect a password manager with an encrypted container.

And to be honest with you, it's not something I'm likely to do even if you do attempt to explain the 60 minute long $10 18-step process to me. Or however long it takes and whatever it costs.

And really, for all my ignorant ass knows you could've just as well been encouraging me to get malware and I'd be none the wiser.

[–] 0xD@infosec.pub 9 points 1 year ago* (last edited 1 year ago) (1 children)

Okay and now let's get into threat modelling and risk management.

What is the purpose of a password manager? What are the possible threats against them, and what are those against singular passwords for services? What is the risk of each of those?

[–] Kedly@lemm.ee 7 points 1 year ago (2 children)

Guys, before you argue with me, password security is something that EVERYONE in the 1st world has to deal with, not just tech nerds. If you need to grow up around computers or take a class for it to be a good form of security, its a shit form of security for the general public

[–] 0xD@infosec.pub 2 points 1 year ago (1 children)

But you don't?

Password managers really are not hard to use. Also there's stuff like the password manager built into iOS, for example, which you don't even have to think about.

My comment about threat modelling was that you do not seem to understand the purpose of password managers. A way bigger problem for the average person online is password reuse, not targeted attacks against password vaults. That is the problem they solve.

[–] wewbull@iusearchlinux.fyi 2 points 1 year ago (1 children)

The weird trope I've seen now is "don't use the password manager in your browser". For the life of me, I can't think why some think a browser plugin to a commercial password manager is safer than the built in version.

[–] Gestrid@lemmy.ca 1 points 1 year ago

They probably think it's safer somehow. But I don't really get how.

Most built-in password managers allow for you to setup a master password of sorts if you try to sync everything to a new device, and most also require you to use your computer's native verification to view a single password in plaintext or export all of them as plaintext. (For browsers on Windows, they use Windows Hello; for browsers on Android, they use the fingerprint scanner or the lock screen pin.)

[–] Comment105@lemm.ee -1 points 1 year ago

I've had security fatigue for years now. I'm sure most of you have. I've written down so many usernames and passwords and it's still not half of what I have, and to top it off, several of the written passwords are now wrong after obligatory password changes and I don't remember the new ones.