undefined | Better HN

0 pointsmikeash9y ago0 comments

What's the alternative? Using different passwords for every account is not practical without some way to store them, and using the same password makes you even more vulnerable. We could write them all down in a big book or something, but that leaves us vulnerable to physical theft and loss.

0 comments

14 comments · 7 top-level

codazoda9y ago· 5 in thread

Two options come to mind, neither perfect, but options.

1. Use a password pattern. Something like 8 random digits that you memorize and then part of the domain name or business name. Such as "goo" for google. Put them in whatever order you like. Now you've memorized one pattern but use a unique password everywhere.

2. Use a predictable algorithm instead of a password. Their are web based services for this. You enter the domain name and then "encode" it to a password. That is typically not reversible.

These fall down some when you have to change a password or when a system has requirements that don't match your password (like requiring a number or symbol). Other users will mention other limitations as well.

smichel179y ago

I do #2 using master password app. https://ssl.masterpasswordapp.com

ProbabilityMoon9y ago

You made me curious so I tried this app. Unfortunately the UI is horendous. So far I tried the macOS, iOS, .jar and web version. Each version generates different passwords for the same site. This app has the most confusing UI I have seen in a long time, with each version being wildly different from the other. I still have no idea how to have multiple users for the same site, or even if setting the user makes a difference at all (seems not as it does not change the password). But most important: this app generates different passwords for the same input on different platforms. Kind of beats the purpose of having it in the first place.

tambourine_man9y ago

That is an interesting idea. echo URL + password | sha/md5

Should be hard to crack and easy to remember.

Can anyone who actually knows this thing chime in?

microtonal9y ago

That is an interesting idea. echo URL + password | sha/md5

There are 'stateless' password managers that work that way. It does not really protect against malware. If your user account is compromised by malware, what holds them from reading out your password and applying the same procedure to obtain password for interesting sites? You'll still be updating your password everywhere.

What you want is a second factor that uses a challenge-response mechanism with user interaction (e.g. U2F Yubikeys that require a finger press to start the challenge-response).

2 more replies

jhasse9y ago

https://bixense.com/pwcalculator

arjie9y ago· 1 in thread

Theorycrafting without a real idea here but how about a physical device with private keys and challenge-response authentication from a site. To login you have to press a button to sign a specific message as a specific person.

Then they can't silently gain access to your account persistently. They can gain access until you logout but then they have to wait for you to login again. Or they can change the key but then you'd notice that you can't login.

andrewaylett9y ago

That sounds like this: https://en.wikipedia.org/wiki/Universal_2nd_Factor

Navarr9y ago· 1 in thread

Certificates, maybe?

You'd need a way to change your certificate though (and keep it to the same account).

Some system through DNS? I think I'm just slowly reinventing OpenID

rocky11389y ago

Client side certificates are a thing but hardly anyone uses them because they are unwieldy.

rocqua9y ago

To protect against password compromise in general, use 2 factor auth.

For this to really work, you need a way to detect compromise of the password. This way the 2nd factor holds you over until you've managed to rotate all important enough passwords.

Alternatively, separate trusted hardware with an interactive (i.e. challenge-response) protocol. Something like a TPM or yubikey.

xoa9y ago

You now have 3 responses as of my comment and they're all worthless because they completely miss the point of Password Managers. PMs are not elegant, they are not ideal, their limits are very well known. They exist purely as a hack around the objective real world reality that authentication in general in the modern world completely sucks and depends on passwords. And that that reality is something we've got to live with and deal with for the foreseeable future.

Yes, we shouldn't have passwords for authentication at all, ever, period, and shouldn't have had them for at least a decade now. All the tech has long existed to switch to hardware backed public key cryptographic auth, and even to do so in a way that is far more user friendly then endless passwords and more secure at the same time, a sort of win-win that is quite unusual. We should all have HSMs (be it in the form of tokens, cards, compliant hardware in phones, or whatever) holding our private keys, and websites should only have our public certs. Entire classes of issues (like everything associated with password databases) would be perfectly and completely eliminated forever. There would be no dependence on any 3rd party services. Users would only need to remember at most a couple of PINs and that's it.

Back here on Earth though I can count every single site I've used in my life that had certificate based authentication and still have plenty of fingers left. Maybe U2F will make a bit more of a dent, but for a long time to come passwords will be the core of a lot of people's most critical personal security (like most of their money) and online identities. To have any value passwords need to be unique, and need to be fully random, and also have to deal with layers of extra crap that have been piled on top like password policies, arbitrary allowed characters (universal UTF? hahahaha), arbitrary minimum/maximum lengths, "security" questions (which should of course just be random strings lest they undermine the point of having a password but probably have their own special character restrictions), etc. Humans cannot remember all this garbage for more then a handful of sites. Password Managers are a practical solution to this mess of the "worst one except for all the other ones" variety. They effectively replicate (badly, but that's not their fault) some of what an actual decent key system would offer by default. They make attack scaling harder.

In short they're the best match to the most typical threat models most people face. Any good efforts to replace passwords period with keys is to be applauded, and if successful would eventually (years down the line) make password managers obsolete by making passwords themselves obsolete. But in the mean time password managers matter and people talking down at them due to issues that don't actually match general threat models are doing a terrible disservice to the public.

dsego9y ago

A password generator perhaps, the one I use is http://getvau.lt .

deadbunny9y ago

Or just use 2FA on your password db.

j / k navigate · click thread line to collapse