undefined | Better HN

0 pointslmilcin4y ago0 comments

Autocomplete has one huge, glaring disadvantage: the passwords are stored on your computer, in reversible form.

0 comments

Not really a glaring disadvantage. If someone has physical access to your unlocked computer and wants to do bad stuff to you, you are going to have a very bad day.

lmilcinOP4y ago

Consider Chrome, automatically, by default, replicates all your passwords to all your devices on which you are signed in.

Thankyouverymuch. I am gonna keep using my password book.

There is no sure way, as a private person and not being expert in security, to secure your browser. But there are ways to limit the damage that can be made. Maybe just don't make it too convenient and have a database of all your passwords on all your devices?

kikoreis4y ago

Yes, but let's be fair, it's a galaxy better than writing it on a post-it or password booklet, and still way better than using a memorable passphrase which will get reused and then leaked.

Besides, you can encrypt the local storage with a master password (and if you accept online as a requirement, you could even add 2FA to that).

Mordisquitos4y ago

A (well handled) physical password booklet is much more secure for the average home user, who is unlikely to ever be individually targetted by a third party attacker, let alone to the level of the attacker physically breaking into their home. My parents being victims of a zero-day vulnerability or installing a malicious application by mistake are much more realistic scenarios than their house being broken into and their password booklet being stolen by a thief who is meticulous and observant enough to take it and know how to make use of it.

Not only that, I would argue that a physical booklet is not only more secure but also safer. Nothing short of a house fire will destroy the booklet, and however much I like to rave about old-school ThinkPad durability, I don't think my locally stored encrypted database would survive that either.

ta894895444y ago

A password booklet works well at home, but it's obviously much less secure if you wanted to sign in to a service while in public on your phone for example. One of the major benefits of a password manager is that your passwords are present, encrypted, on all of the device you need them on. Most people don't only need passwords at home, so the odds of theft or loss of the password book are much higher than your example makes it out to be. If we're talking about an average user, the solution of only sign into services at home isn't really an option.

eherot4y ago

You are correct that the access security of a booklet is almost certainly better than that of a password manager. The issue with the booklet is that humans do not like transcribing long strings between computer and paper so (at least in my experience) people who use the booklet method tend to eschew longer passwords, they tend to avoid creating new passwords when they can re-use an old one, and they don’t change the passwords very often (if at all). Also in the event that the booklet is ever lost or stolen (which is made significantly more likely by the fact that you must carry it around with you everywhere in this age of the pocket computer), you are suddenly in a very bad place.

bryanrasmussen4y ago

>Yes, but let's be fair, it's a galaxy better than writing it on a post-it

the modern security hazard is not someone reading your post-it that is sitting on your desk, it is someone remotely getting access to some part of your computer or some service you own that can tell you what the password is.

The post-it note in our world is more secure than lots of things that have replaced it.

on edit: I see Mordisquitos said it better than I.

m-p-34y ago

The password booklet can be secure if you have good physical security, and is immune to a software zero-day and autocomplete exploits.

teknopaul4y ago

this x 10, computer security is usually flawed, personal security is (bar a few war zones) much better.

1 more reply

WindyLakeReturn4y ago

>but let's be fair, it's a galaxy better than writing it on a post-it or password booklet

Is it? If someone is physically in your home you are in greater trouble anyways and even then they likely aren't going to be grabbing a notebook. Just keep it somewhere nearby but hidden (notebook in a drawer on the desk).

jimktrains24y ago

When you connect to a website with ssl, your sensitive data is transmitted in a reversible form as well.

I believe moat browsers will use the system keyring (which is usually encrypted based on your login password or a tpm) if present or use a master password to encrypt them at rest.

teknopaul4y ago

Most websites are data sinks of anything that can be taken. No reason IMHO the login page should not always send a hash over ssl. (which is hashed again to test it)

jimktrains24y ago

I'm not sure what you mean by hash, but i6 think you're trying to describe mutual authentication, where the service also authenticates itself to the user. Look up things like pake, srp, and tls client certificates for more information.

https://en.m.wikipedia.org/wiki/Mutual_authentication

https://en.m.wikipedia.org/wiki/Secure_Remote_Password_proto...

https://en.m.wikipedia.org/wiki/Password-authenticated_key_a...

https://en.m.wikipedia.org/wiki/Client_certificate

j / k navigate · click thread line to collapse

0 comments

airza4y ago

Not really a glaring disadvantage. If someone has physical access to your unlocked computer and wants to do bad stuff to you, you are going to have a very bad day.

lmilcinOP4y ago

Consider Chrome, automatically, by default, replicates all your passwords to all your devices on which you are signed in.

Thankyouverymuch. I am gonna keep using my password book.

kikoreis4y ago

Yes, but let's be fair, it's a galaxy better than writing it on a post-it or password booklet, and still way better than using a memorable passphrase which will get reused and then leaked.

Besides, you can encrypt the local storage with a master password (and if you accept online as a requirement, you could even add 2FA to that).

Mordisquitos4y ago

ta894895444y ago

eherot4y ago

bryanrasmussen4y ago

>Yes, but let's be fair, it's a galaxy better than writing it on a post-it

The post-it note in our world is more secure than lots of things that have replaced it.

on edit: I see Mordisquitos said it better than I.

m-p-34y ago

The password booklet can be secure if you have good physical security, and is immune to a software zero-day and autocomplete exploits.

teknopaul4y ago

this x 10, computer security is usually flawed, personal security is (bar a few war zones) much better.

1 more reply

WindyLakeReturn4y ago

>but let's be fair, it's a galaxy better than writing it on a post-it or password booklet

jimktrains24y ago

When you connect to a website with ssl, your sensitive data is transmitted in a reversible form as well.

I believe moat browsers will use the system keyring (which is usually encrypted based on your login password or a tpm) if present or use a master password to encrypt them at rest.

teknopaul4y ago

Most websites are data sinks of anything that can be taken. No reason IMHO the login page should not always send a hash over ssl. (which is hashed again to test it)

jimktrains24y ago

https://en.m.wikipedia.org/wiki/Mutual_authentication

https://en.m.wikipedia.org/wiki/Secure_Remote_Password_proto...

https://en.m.wikipedia.org/wiki/Password-authenticated_key_a...

https://en.m.wikipedia.org/wiki/Client_certificate

j / k navigate · click thread line to collapse