Is Security Catching On?

  • If I have a password manager on my local workstation and its files are not stored in the cloud then surely the risk of using a password manager is low?
    Unless someone gains access to my workstation, cracks the encryption of the disk, cracks my login password, cracks my password safe password, and beats MFA; but if they can do all that, then perhaps it was meant to be.

  • There is a risk no matter what you do. Certainly biometrics are potentially a problem, and the inability to change them later can be problematic for most people, but in many instances they are a good second method of verification.

    Are password managers completely safe? No. They are not. However, the incidents of cracking a password file pale in comparison to the password issues we've had with poor memory and writing down passwords. It's not even close. A number of those password manager issues are because a company provides a service and stores the password in a reversible encrypted format. They are also a concentrated source of passwords, just like someone hacking any other company. You're at their mercy.

    I use a password manager, and sync the files in the cloud for convenience, but I also change the file password periodically. I've reset important passwords at times as well. Long passwords to get into the file should provide enough protection for long rotation, and ultimately, someone has to both crack the file sharing site as well as want to run scripts that try to crack the password manager file. Low odds, and certainly better than anything I can memorize.

    Is the "correct horse battery staple" better? I'd argue no. First, I can't memorize or keep a lot of those in my head. That means I've limited my security because I'm sharing passwords in places. Add some characters? Well, if I do something like "correcthorsebatterystaplewellsfargo.com", that's great. If I also do "correcthorsebatterystapledropbox.com", then when they lose my password, script kiddies will try that password on lots of other sites. I'll either need to change my mnemonic, or I'll have the same "shared password" issue.

    We can agree to disagree here, but I think a password manager with 2FA where possible is a better solution than anything else I've seen so far.

  • > Steve Jones - SSC Editor - Thursday, March 8, 2018 8:14 PM
    >
    > Comments posted to this topic are about the item Is Security Catching On?

    Now it's time to understand and accept how much damage malicious activity can do. In my view we have to learn what machines can reveal about individuals from relatively innocuous pieces of data.

  • All this concern with passwords and no one yet has mentioned poor management, poor processes and the house of sand that our hardware, operating systems and applications are built on. Passwords are just part of a large system.

    Doesn't matter how great the passwords are if the head of security or IT has more experience with music and marketing than security. You can block all the ports on a workstation, but a smartphone can record the information on the screen. Intel and its competitors valued speed over security, risking billions? Trillions? And we do know how to make more secure, tested, and validated software, but most programmers are authors and artistes instead of engineers, so we still use languages that have buffer overflows and such.

  • I have a password manager app on my phone, the type which maintains a local encrypted database file along with backups to a 3rd party cloud. Despite the option being free, I opted not to backup my password database to the same company that provides the app, because I figure that such a rich and massive trove of password data in the hands of a medium sized software firm makes them a target for hackers. I trust their app, but I don't trust their ability to hold onto passwords for millions of users.

    Also, the passwords I maintain in the app are truncated (i.e. g*75), where the asterisk is a token representing an additional set of characters (i.e. g* = Gra$$yKnoll). Yes, it means I give up the convenience of logging into websites using a single tap, but it also means that in a worst case scenario where the password database file is compromised, the hacker doesn't have sufficient credentials to log in.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
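    The "partial password in the vault, memorised token outside it" scheme from the post above, worked through as an added example (this is editorial illustration, not code from the poster or from any password manager app). The vault entry, the token map and the site verifier are all constructed sample values; it models the site as storing a salted PBKDF2 hash of the full password and shows that a vault-only attacker cannot pass verification, while the owner who also holds the memorised expansion can:

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

# Constructed sample data (not from the page): what sits in the vault file,
# and what only lives in the owner's head. The vault never sees the expansion.
VAULT_ENTRY = {"site": "example.test", "stored": "g*75"}
MEMORISED_TOKENS = {"g": "Gra$$yKnoll"}

# A token is a single letter followed by '*', e.g. "g*".
TOKEN_RE = re.compile(r"([A-Za-z])\*")


def expand(stored: str, tokens: Dict[str, str]) -> str:
    """Replace every 'x*' marker in a stored partial password with the
    memorised expansion for x. Raises if a token has no expansion, so a
    typo in the vault entry fails loudly instead of producing a wrong password."""
    def sub(m: "re.Match") -> str:
        key = m.group(1)
        if key not in tokens:
            raise KeyError(f"no memorised expansion for token {key!r}")
        return tokens[key]
    return TOKEN_RE.sub(sub, stored)


def make_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Stand-in for what a well-behaved site stores: a random salt and a
    PBKDF2-HMAC-SHA256 digest of the full password (hypothetical site, not a real one)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def check(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def demo() -> Dict[str, object]:
    """Run the threat model end to end:
    - the owner expands the vault entry with the memorised token and logs in;
    - an attacker holding only the vault file tries the literal entry and the
      obvious 'strip the marker' guess, and both fail."""
    full_password = expand(VAULT_ENTRY["stored"], MEMORISED_TOKENS)   # "Gra$$yKnoll75"
    salt, digest = make_verifier(full_password)

    owner_ok = check(full_password, salt, digest)
    vault_literal_ok = check(VAULT_ENTRY["stored"], salt, digest)                  # "g*75"
    vault_stripped_ok = check(VAULT_ENTRY["stored"].replace("*", ""), salt, digest)  # "g75"

    return {
        "full_password": full_password,
        "owner_ok": owner_ok,
        "vault_literal_ok": vault_literal_ok,
        "vault_stripped_ok": vault_stripped_ok,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point, and the caveat a practitioner would want: the vault file alone is no longer a complete credential, which is exactly the posting's goal. The trade-off is that the memorised expansion is a shared secret across every entry that uses the same token, so one site that stores passwords reversibly and gets breached exposes `Gra$$yKnoll` for all of them, which is the same "shared password" problem the earlier post raised about appending a site name to a fixed phrase. Rotating the token (and every entry that uses it) after any suspected exposure is the mitigation.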

  • > Eric M Russell - Monday, March 12, 2018 7:44 AM
    >
    > I have a password manager app on my phone, the type which maintains a local encrypted database file along with backups to a 3rd party cloud. Despite the option being free, I opted not to backup my password database to the same company that provides the app, because I figure that such a rich and massive trove of password data in the hands of a medium sized software firm makes them a target for hackers. I trust their app, but I don't trust their ability to hold onto passwords for millions of users.
    >
    > Also, the passwords I maintain in the app are truncated (i.e. g*75), where the asterisk is a token representing an additional set of characters (i.e. g* = Gra$$yKnoll). Yes, it means I give up the convenience of logging into websites using a single tap, but it also means that in a worst case scenario where the password database file is compromised, the hacker doesn't have sufficient credentials to log in.

    Similar to what I do.
