undefined | Better HN

0 pointsj-bos2y ago0 comments

I personally feel password managers are convenience that bundles separate risks into a single point of failure.

0 comments

10 comments · 4 top-level

fragmede2y ago· 5 in thread

It might have been a convenience thing back when there were only a few sites on the Internet but it's unreasonable, and just not practical to expect users to memorize several hundred, good, unique passwords for all the websites and apps they'll use in their modern digital life. Login with Google/Facebook/Apple/auth0 help mitigate the number of passwords to remember, but then you are beholden to that company.

Not all single points of failure are made equal, and password reuse is a much bigger problem than the possibility of your password manager getting hacked, assuming you choose a good one.

xg152y ago

My bigger worry is less getting hacked and more losing access to the password manager: If I use an online one, I'm once again dependant on a third party that can change their terms (or have an outage or get hacked) tomorrow; if I use an offline one, I have to manage a password database which has to be backed up, synchronized across devices, etc. If I use a new device, I cannot log into any account if I don't have an old device at hand from which to copy the password file.

All that seems a lot more risk and hassle than choosing 2 or 3 good passwords (correct horse etc), then making variants that you can remember for each site.

michaelmrose2y ago

If I were nefarious I would attempt to login to websites with variations of pwned passwords and you would be one pwned trivial bullshit site away from having your entire digital life pwned. This form of security is worse than nothing because it gives a false assurance of security AND a false concept of ergonomics in one go.

99.9% of people are going to be unable to remember a reasonable number of variants that aren't trivially deterministic and once things are very similar to another its increasingly easy to confuse them.

You can sync your encrypted password vault between local devices and a remote resource which has access to the vault but not the key for same. At that point is very very hard to get pwned or lose access to anything. This was a solved problem 20 years ago.

fragmede2y ago

Offline password managers offer sync features that make that issue more tractable. Better than having using the password variant scheme, anyway.

j-bosOP2y ago

For silly websites I agree, a password manager makes sense. For banking, identity, and work, I prefer to keep those keys on my person, in my head.

michaelmrose2y ago

For practical purposes if you tell people to forgo password managers you are just implicitly suggesting they pick bad passwords or write them down or constantly harass support when they forget for the 10th time. Don't let perfect be the enemy of good.

joe__f2y ago· 1 in thread

I also feel like this about them, but I don't really have much knowledge on the subject. Do you have any experience or references that this might be the case?

j-bosOP2y ago

For passwords nothing personal, only the eggs 1 basket heuristic. But stories like this don't inspire my confidence: https://news.ycombinator.com/item?id=34516275

bmitc2y ago

The points of failure are either a single person manually remembering unsecure passwords or a password manager storing highly secure passwords in encrypted storage with multiple factors of authentication. There is no increase or decrease in points of failure, and in both cases, the password reset mechanism still exists.

firebat452y ago

It's really no different than using a single email account as the recovery address for all your other accounts.

j / k navigate · click thread line to collapse

0 comments

10 comments · 4 top-level

fragmede2y ago· 5 in thread

Not all single points of failure are made equal, and password reuse is a much bigger problem than the possibility of your password manager getting hacked, assuming you choose a good one.

xg152y ago

All that seems a lot more risk and hassle than choosing 2 or 3 good passwords (correct horse etc), then making variants that you can remember for each site.

michaelmrose2y ago

fragmede2y ago

Offline password managers offer sync features that make that issue more tractable. Better than having using the password variant scheme, anyway.

j-bosOP2y ago

For silly websites I agree, a password manager makes sense. For banking, identity, and work, I prefer to keep those keys on my person, in my head.

michaelmrose2y ago

joe__f2y ago· 1 in thread

I also feel like this about them, but I don't really have much knowledge on the subject. Do you have any experience or references that this might be the case?

j-bosOP2y ago

For passwords nothing personal, only the eggs 1 basket heuristic. But stories like this don't inspire my confidence: https://news.ycombinator.com/item?id=34516275

bmitc2y ago

firebat452y ago

It's really no different than using a single email account as the recovery address for all your other accounts.

j / k navigate · click thread line to collapse