GeekNights Monday - Passwords

Tonight on GeekNights, in light of updated NIST guidelines for password best practices, we talk about the current state of passwords in 2017. Sure, 2-factor is important and so forth, but what about the passwords themselves? Are you using passphrases instead?

In the news, big names are backing the royalty-free AV1 codec, Pokemon GO Fest was a technological disaster (just as much as it was an event planning disaster), MS Paint is dead, Snopes might be in trouble, but it's not clear what that trouble is, an evil VC-funded firm is undermining open source projects, and the next GeekNights Book Club book after Dune is The Fifth Season!


Microsoft already backtracked and un-killed Paint.

They claim it was never going to go away in the first place: it was just moving to the Windows App Store as a free app.

https://www.youtube.com/watch?v=22GexQMeSs0

Interlaced passphrase

CHOCOLATE THREE CRYSTAL

Type the first word, return to the start, type the second word skipping each character, and repeat for the third word.

CTHHORCEOELATE

CTCHHRORYCESOETLAATEL

Sucks to do on a phone or tablet. Chocolate three crystal is already a pretty good password.

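The scheme from the post above as an added Python example (not code from the post or the podcast): word n is inserted with stride n, which reproduces both strings in the post, and the inverse shows the transform is reversible, so it adds no entropy beyond the word choice. The 7776-entry wordlist size used for the entropy figure is an assumption.

```python
from math import log2

# Constructed sample: the three words from the post above.
WORDS = ["CHOCOLATE", "THREE", "CRYSTAL"]


def interlace(words):
    """Word 1 is typed as-is; each later word (number n, from 1) is typed
    from the start again, one letter after every n characters on screen.
    Assumption not in the post: a word with more letters than slots is
    rejected rather than silently truncated."""
    result = list(words[0])
    for n, word in enumerate(words[1:], start=1):
        if len(word) > len(result) // n:
            raise ValueError(f"{word!r} does not fit with stride {n}")
        merged = []
        for i, ch in enumerate(result):
            merged.append(ch)
            if (i + 1) % n == 0 and (i + 1) // n <= len(word):
                merged.append(word[(i + 1) // n - 1])
        result = merged
    return "".join(result)


def deinterlace(text, lengths):
    """Invert interlace() given only the word lengths: letter k of word n
    sits at index k*(n+1)-1 of the string as it stood after that word was
    typed, so peel the words off from last to first."""
    chars = list(text)
    words = []
    for n in range(len(lengths) - 1, 0, -1):
        idx = {k * (n + 1) - 1 for k in range(1, lengths[n] + 1)}
        words.append("".join(chars[i] for i in sorted(idx)))
        chars = [c for i, c in enumerate(chars) if i not in idx]
    words.append("".join(chars))
    return words[::-1]


def guessing_bits(num_words, wordlist_size):
    """Entropy of the word choice. interlace() is a bijection (deinterlace
    recovers the words), so against an attacker who knows the scheme the
    interlaced string is exactly as guessable as the plain passphrase."""
    return num_words * log2(wordlist_size)


if __name__ == "__main__":
    pw = interlace(WORDS)
    print(pw, deinterlace(pw, [len(w) for w in WORDS]))
    print(f"{guessing_bits(len(WORDS), 7776):.1f} bits")  # 7776 = assumed Diceware-sized list
```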

http://www.classicshell.net/

You’re welcome.

https://pwsafe.org/

It’s not LastPass, but it was originally written and designed by Bruce Schneier and is maintained by someone he trusts (I know trust isn’t transitive, but still). I use it because when I’m not just using SSO, I use 18-digit completely random passwords that no person needs to remember, and maintain the safe.

Is it a single point of failure? Yes. But unlike LastPass or KeePass there’s no online component. It’s just an encrypted volume that I control. It’s what I use anyway.

https://www.youtube.com/watch?v=A_UbQa8Z_ec

A thing that comes up in my work pretty regularly is people dying with their passwords and it becoming a giant complicated mess to try to recover data. Sometimes this is for court, sometimes it’s just trying to give as much data as possible to the family.

As a result I do generally suggest people either don’t use full disk encryption or have one time passwords / password stores in a safe deposit box or something if they ever want their family to have access to anything. Things are starting to get better, but most tech is still designed with some expectation that the user will survive the life of the service / device.

It’s really frustrating when we can’t get into an encrypted device, particularly in these kinds of cases. On a slightly related note, when you’re dead, you don’t have any expectation of privacy. So if you die in an accident or at a crime scene, going through your phone is not unlike performing an autopsy.

On the other hand, default heavy encryption protects your privacy forever, and nuts to anyone who’s still alive. :wink:


RE: passwords turn to stars. Yeah you can get a surprising amount of suckers doing that. Not that I would ever have done such a thing.

When people walk away from their workstations without locking them, and you can’t goatse them for harassment reasons, there is another solution.

GIS a picture of the most disgusting poop-filled overflowing nasty toilet bowl you can find, and set THAT as their desktop image. Juvenile, yes, but it gets the point across while being reasonably HR-friendly.

My work place still has that stupid periodic password change policy.

Tried to convince them using the NIST guidelines, head of IT got super pissed and reported me to the CTO and manager. I was apparently correct but they’re not changing because of reasons not provided.

Lastpass might be having financial trouble.

Even if their tech is legit, you can’t necessarily trust a company to exist forever.

Oh damn, they doubled the price? My subscription’s about to expire.

Yeah… Use two factor, and don’t use bad passwords.

https://twitter.com/Swaps4/status/894894834598674432

https://haveibeenpwned.com/

Sites like this have been around forever, and that’s awesome but this one is different in a way I’ve not seen before. It’ll happily let you download some millions of real compromised password hashes. Hashes out of respect for people still using those passwords. Still profoundly useful for personal opsec.

What is the current recommendation of password manager across multiple devices (desktop & mobile)?

I have been using 1Password for years and it has worked quite well but largely because I have refused to go in with their ongoing subscription service and thus have run an increasingly outdated version of their app which allows me to store my password vault in Dropbox which I backup to my home NAS regularly. It looks like LastPass also wants to charge an ongoing fee to store your vault for you so switching there doesn’t seem to change much.

I’d rather not rely on my password manager for my vault storage but I also want integration with browsers and desktop & mobile OS’s.