Password Managers.

redcalcium, 10 months ago

Using browser’s built-in password manager means you’re locking yourself permanently in that browser, or in case of Safari, locking yourself to Apple ecosystem. I refuse to do that. Beside, I’m sure you already heard about horror stories where Google suddenly ban their accounts. Imagine if you store your passwords in chrome and your account somehow mistakenly banned by Google. What a nightmare!

His arguments have merits though. Whenever I install my password manager extension in a new system, the first thing I do is to disable browser autofill in the password manager settings, which reduces possible exploits surface.

Yeah2206, 10 months ago

He does recommend using the built-in browser’s password managers; he just had beefs with how the extensions, which the non-browser password managers have to contend with, are implemented, and with the security of the vendor’s network and software. He himself uses Chrome password manager.

lemba, 10 months ago

Exactly but that’s why I will not use a password manager at all. Better safe than sorry 😜

atx_aquarian, 10 months ago

I tried his “try this example if you have NordPass” page, and it didn’t do anything in Brave mobile other than load a blank new tab. Maybe they’ve changed their mechanism, or maybe I should be less lazy and try it in another browser. For me on NordPass and Android, though, the password selection is shown on the keyboard, not within the content area.

I also don’t know about his claim about the invalidity of any vendor’s “we can’t see your passwords” claims. If their software is audited (which is probably easiest with Bitwarden due to its open source–as long as you trust who distributed the built binary) to verify the code is encrypting your key/value store locally with your own passphrase prior to sending, they would have to crack the file to access its contents. But I take his point to be more about trusting their software to do what they claim, which, he points out, may even be out of their control if a malicious actor gets privileged access to modify their software. But, if I’ve understood that claim, then it is just as applicable for any centralized application; in other words, also don’t use web browsers in the first place.

He’s got other points about APIs I’m not familiar with, so I have to admit I’ve only focused on 2 of several points. But, for the 2 I thought I followed, I wasn’t seeing those arguments go down the same road he did. This has gotten me thinking though, and I still won’t dismiss the thought entirely. Interesting article.

AlternateRoute, 10 months ago

Would be more relevant if you linked to something relevant to your argument not just the wiki on him.

Travis actually recommends several lock.cmpxchg8b.com/passmgrs.html

Good examples of simple and safe password managers are keepass and keepassx, or even pass if you’re a nerd.

He doesn’t like password managers that are hosted or integrate with apps via plugins.

eager_eagle, 10 months ago

the post title is actually the link you pasted here, which I think it’s even worse because it demonstrates a severe lack of interpreting skills from OP.

AlternateRoute, 10 months ago (edited 10 months ago)

Ya the conclusion is very clear

Conclusion If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.

I use Chrome, but the other major browsers like Edge or Firefox are fine too. They can isolate their trusted UI from websites, they don’t break the sandbox security model, they have world-class security teams, and they couldn’t be easier to use.

Also there are studies showing how bad mental formula passwords are, while computers are not truly random, humans are even worse.

lifehacker.com/password-formulas-don-t-fool-hacke…

eager_eagle, 10 months ago

deleted_by_author

lemba, 10 months ago

That’s why I wrote “my suspicion”!

eager_eagle, 10 months ago

so your reasoning for not using a password manager is because they may be tricked by defacing or sneaky scripts, and yet you don’t consider yourself vulnerable to phishing when entering your password manually?

lemba, 10 months ago

Yes.

oatmilkmaid, 10 months ago

I refuse to use my brain to remember things and thus Bitwarden it is

Izzy, 10 months ago

What do you use your brain for instead?

Izzy, 10 months ago

Password managers are technically a convenience at the cost of security. At least compared to memorizing dozens of long unique passwords. I’d probably host my own if I were going to use one. For now I just memorize a ton of random characters and then reset my password when I fail to remember. 😅

redcalcium, 10 months ago

Dozens? Dude, I have over 700 passwords in my password manager ever since I started using them 15 years ago. No way I can remember them all.

Izzy, 10 months ago

I don’t know how many things I’ve registered for, but I don’t regularly use more than 10 passwords. There might be something I need to check every few years so I just reset it then.