undefined | Better HN

0 pointsraverbashing3y ago0 comments

And to be fair he's not that wrong

The real annoyance is that we need a "password manager" in the first place

You wouldn't need to worry (too much - as long it's not a weak password) about password reuse if websites abided by security best-practices and wouldn't leak lists of weakly hashed password. salt + pepper + good amount of rounds proper hashing function: good luck

And to be fair the browser ones work great. Another one that works great is a paper notebook

And again, it all depends on your threat models. Using very complicated passwords and 2FAing your password manager will only ensure that you'll get locked out of your accounts sooner or later (unless you have a target painted on your back for some reason)

0 comments

nicolaslem3y ago

Strong disagree about password reuse, the average person has multiple dozens if not hundreds of accounts on various services. Even if none of them ever get hacked, you are still trusting thousands of engineers having access to production to not record the passwords that are sent to them with each login.

Just use a random password per service and keep it in a password manager.

raverbashingOP3y ago

Again, if companies didn't treat password data carelessly (or, even worse like your example) it would have been a minor issue

Yeah, I'm not advocating for password reuse, I'm saying that a good system would make it a non-issue

RickHull3y ago

> Again, if companies didn't treat password data carelessly

This is not a real solution. The real world is full of unreliable actors and byzantine generals. Any solution that depends on a perfect environment isn’t one.

ncallaway3y ago

The problem is you don’t need to get one company to behave well. You need to get every company to behave well.

It’s almost like saying “we don’t need to spend money on a court system, if we just got everyone in the country to work out their disagreements amicably”. While… true, it doesn’t sound like a plausible solution to my ear.

1 more reply

lazide3y ago

I recently did a migration, and have > 1300 passwords.

vorpalhex3y ago

Remember that when you create an account and log into a service, you don't know if they even hash your password. They could email all the login attempts with your password in plain text.

A good password manager and 2FA, properly setup, should not increase your risk of lock out. It should decrease it - one set of 2FA elements and one password to remember.

ccouzens3y ago

Hashing passwords reduces the threat from database dumps, but it doesn't help against an attacker uploading a compromised version of the app and siphoning off credentials as they're submitted.

j / k navigate · click thread line to collapse