GeekNights Monday - Passwords

Don’t use any of those password managers. Do not use any system which stores your password, even in an encrypted form. Once it is stored, it becomes something you have and not something you know. The only place a password should be stored is in your brain.

If you need help remembering lots of unique passwords, because you don’t want to use the same password in multiple places, there are several systems available to help with that.

PasswordCard

SuperGenPass
https://chriszarate.github.io/supergenpass/

Diceware
http://world.std.com/~reinhold/diceware.html
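Diceware picks each word by rolling five dice and looking the roll (for example 31415) up in a 7776-word list, so every word adds log2(7776), about 12.9 bits. The script below is an added example, not code from this post or from the Diceware site: it does the roll-to-index lookup and the entropy arithmetic, and draws dice from the OS CSPRNG. The 12-word list is constructed so the script runs offline; the number of dice is derived from the list size, so the same code works unchanged with the full list.

```python
"""Diceware-style passphrase selection (added example, not the Diceware project's code).

The real Diceware list has 7776 words (6^5) indexed by five d6 rolls such as
"31415". The 12-word list below is constructed so the script runs offline.
"""
import math
import secrets

# Constructed mini word list (assumption: stands in for the 7776-word Diceware list).
TOY_WORDLIST = [
    "correct", "horse", "battery", "staple", "cloud", "river",
    "marble", "lantern", "copper", "velvet", "orbit", "thistle",
]


def rolls_to_index(rolls, sides=6):
    """Map a dice-roll string such as '31415' to a zero-based index.

    Each face 1..6 is a base-6 digit 0..5, so '11111' -> 0 and '66666' -> 7775,
    which is exactly how the Diceware list is indexed.
    """
    index = 0
    for ch in rolls:
        face = int(ch)
        if not 1 <= face <= sides:
            raise ValueError("bad die face %r" % ch)
        index = index * sides + (face - 1)
    return index


def dice_needed(list_size, sides=6):
    """Smallest number of dice whose outcomes can cover list_size words (5 for 7776)."""
    n = 1
    while sides ** n < list_size:
        n += 1
    return n


def roll_dice(n, sides=6):
    """Roll n dice with the OS CSPRNG and return the faces as a digit string."""
    return "".join(str(secrets.randbelow(sides) + 1) for _ in range(n))


def pick_word(wordlist, sides=6):
    """Pick one word uniformly at random, returning (rolls, word).

    Rolls that land past the end of a list smaller than sides**n are rejected and
    re-rolled instead of wrapped with a modulo, which would bias the selection.
    """
    n = dice_needed(len(wordlist), sides)
    while True:
        rolls = roll_dice(n, sides)
        index = rolls_to_index(rolls, sides)
        if index < len(wordlist):
            return rolls, wordlist[index]


def generate_passphrase(num_words, wordlist=TOY_WORDLIST):
    """Return a list of num_words independently chosen words."""
    return [pick_word(wordlist)[1] for _ in range(num_words)]


def passphrase_entropy_bits(num_words, list_size):
    """Entropy in bits of num_words uniform picks from list_size words: n * log2(size)."""
    return num_words * math.log2(list_size)


if __name__ == "__main__":
    words = generate_passphrase(6)
    print(" ".join(words))
    print("toy list, 6 words:  %.1f bits" % passphrase_entropy_bits(6, len(TOY_WORDLIST)))
    print("real list, 6 words: %.1f bits" % passphrase_entropy_bits(6, 7776))
```

With the full list six words give about 77.5 bits; the 12-word toy list gives only about 3.6 bits per word, which is why the size of the list matters as much as the number of words. The rejection loop in pick_word is the same rule Diceware users apply by hand when a list is shorter than 7776 entries: re-roll rather than wrap around.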

I disagree with the premise that all passwords should be remembered.

A properly encrypted password vault with a sufficiently strong method of decrypting it that contains a bunch of highly unique passwords is better than re-using passwords in multiple places, as I place no trust in the security of the password I enter into any one service / app / website; if they store it in plain text I don’t want to have to change that one password in multiple locations. Plus, if I properly back up said encrypted file in multiple locations, at worst I lose temporary access to my passwords from one device but will not have permanently lost my passwords.

Now, one can argue whether 1Password, LastPass, or any other application is fulfilling all of those security & reliability requirements, but I contend that the approach is not inherently wrong or bad.

Correct, you should not reuse passwords. You should use unique ones on each spot for exactly the reasons you say.

1Password, LastPass, and other such vaults are indeed bad. If the passwords are stored in any form, they can be compromised. You’ve effectively used the same password on every site, just with one level of separation. If someone gets into that vault, then you’re done. These vaults have had security vulnerabilities in the past, including the most popular ones.

The methods I linked above are tools to help manage different passwords on every single site without storing anything anywhere other than your brain. Well, PasswordCard stores things on a piece of paper, but good luck to anyone who finds that piece of paper and tries to use it. The other ones store nothing anywhere ever when used properly.

Even if it’s encrypted, a stored password is now a thing you have and not a thing you know. A thing you have is good, that is why we use 2FA. We want people to have a thing AND know a thing to authenticate their identity. If you turn the known thing into a had thing, then now authentication requires two had things, and that is not secure.

SuperGenPass seems pretty cool. The only issue I have with it is that, other than literally reading their code and finding out exactly how they generate the seed and doing the exact hash that they do, there seems to be no way to get the site to spit out the password for you once.

I’d worry that the site’d change its domain name and ruin my password. Like, I’m envisioning the scenario where the domain’s changed and I just wanna find out what my password would have been with the old domain and get it typed in.

SuperGenPass runs client-side in your browser. If you notice, the domain is github.io. The site itself is statically served directly from the GitHub repository. GPLv2 license.

SGP has the downside of being unable to roll credentials if/when they are compromised.

A local-only password manager like KeePass is also fine. Everything is just stored in an encrypted file on your hard drive. If bad guys have code running on your machine, or physical access, you were already hosed anyway.

What are you talking about? If a credential is compromised, you change it. The same goes no matter what system you are using.

No, it’s not fine. The password is stored, even encrypted, and then becomes a had thing instead of a known thing. If someone takes your computer, now they have the thing. It might be encrypted, but that just takes time.

Someone could steal all my computers and they would get exactly 0 passwords because they are in my brain only.

Say you were using SGP with hunter2 on frontrowcrew.com. Oh no! The site got hacked, and everyone has to change their passwords. Go to… hunter3? Now you’re back to where you started, having to remember different things for every site.

What’s your threat model here? Laptop snatcher is not cracking anything. Script kiddies would just install a keylogger anyway. If it’s a three letter agency or worse, they would have subpoenaed or NSL’d the other party in the first place.

If you have particularly sensitive passwords, go ahead, don’t save them. But now you’re only talking a handful instead of however many things you have ever logged into.

It’s like the xkcd. It doesn’t have to be fantasy scenario perfect, it just has to be harder than any other way of getting the goods.

In an ideal world yes, everyone would perfectly remember all their unique passwords forever. That’s not the world we live in.

There are many strategies. For starters, you could change to using hunter3 everywhere.

Also, even with my bad memory, I seem to have no problem memorizing these things. I even remember which password techniques I used on which sites. For the most important things I use Diceware.

Same. I have algorithmically derivable passwords for everything I log into, all unique and all existing solely in my head. I can, from my head alone, type the correct unique password into dozens of different sites and tools. Dozens.

I do have a handful of shared passwords for garbage things I don’t care about, but there are fewer and fewer of those as time goes on.

I still say I can easily conceive of a scenario where SGP kinda makes your life inconvenient.

Say the domain changes

Or say like with google, you use the same password for many domains.

Just pointing to the fact that you can modify it to do whatever you want isn’t a solution, it requires everyone who uses it to be a developer.

As long as you know what the domain used to be, you are fine. If frontrowcrew.com changes to frc.com just type frontrowcrew.com into SGP. No development necessary.
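The two SGP questions raised above, what happens when a site changes its domain and how you rotate one site's password after a breach, come down to what goes into the hash. The script below is an added example in the style of SuperGenPass; it is not the SuperGenPass code or its algorithm (it uses PBKDF2-HMAC-SHA256 and its own formatting rules, so it will not reproduce real SuperGenPass output). It shows that the same master and the old domain always reproduce the old password, that typing the domain as a URL or in mixed case gives the same result, and that folding a generation counter into the salt lets one site be rotated while the master and every other site stay unchanged. The master password "hunter2" and frontrowcrew.com are the thread's hypothetical; frc.com is invented here.

```python
"""Deterministic per-site password derivation in the style of SuperGenPass.

Added example, not the SuperGenPass code and not its algorithm. Same inputs
always give the same output, and nothing is stored anywhere.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

ITERATIONS = 100_000  # PBKDF2 work factor (assumption; tune for your hardware)


def normalise_domain(site):
    """Reduce a URL or host to a lowercase hostname so typing variants agree.

    The real tool applies its own domain-reduction rules; this one only strips
    scheme, port and path, and does not drop subdomains.
    """
    if "://" not in site:
        site = "//" + site
    host = urlsplit(site).hostname  # already lowercased, port removed
    if not host:
        raise ValueError("no hostname in %r" % site)
    return host


def meets_policy(candidate):
    """Typical site policy: a lowercase letter, an uppercase letter and a digit."""
    return (any(c.islower() for c in candidate)
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate))


def site_password(master, site, generation=1, length=16):
    """Derive the password for `site` from `master`.

    `generation` is folded into the salt, so bumping it for one site after a
    breach changes only that site's password; the master stays the same.
    """
    salt = ("%s:%d" % (normalise_domain(site), generation)).encode("utf-8")
    seed = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                               ITERATIONS, dklen=32)
    # Cheap re-derivation rounds until the candidate satisfies the policy;
    # '+' and '/' are mapped to digits so the result stays alphanumeric.
    for round_no in range(256):
        digest = hmac.new(seed, bytes([round_no]), hashlib.sha256).digest()
        candidate = base64.b64encode(digest).decode("ascii")
        candidate = candidate.replace("+", "9").replace("/", "8")[:length]
        if meets_policy(candidate):
            return candidate
    raise RuntimeError("no policy-compliant candidate in 256 rounds")


if __name__ == "__main__":
    master = "hunter2"
    old = site_password(master, "frontrowcrew.com")
    print("frontrowcrew.com, gen 1:", old)
    print("same via URL form:      ", site_password(master, "https://FrontRowCrew.com/login"))
    print("after a breach, gen 2:  ", site_password(master, "frontrowcrew.com", generation=2))
    print("renamed to frc.com:     ", site_password(master, "frc.com"))
    print("old domain still works: ", site_password(master, "frontrowcrew.com") == old)
```

The trade-off the thread argues about is visible in the signature: with a bare master plus domain there is nothing to bump after a breach except the master itself, whereas any extra input such as the generation counter is one more thing you have to remember per site, or one more thing you have to write down.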

Do not use SMS for two factor authentication.

I just got done resetting and backing up all my 2FA codes.

However, I was surprised at just how many sites suck ass at this.

Some sites only let me see backup codes while enabling the 2FA for the first time. This means I had to disable it and re-enable it to get codes. This isn’t any more secure than just letting a logged-in user see or print some codes, which is what Google does. Just a hassle.

Some sites offer one, and only one, backup code. Booo! What if you use that one code and then get logged out or something before fixing your 2FA situation? You need multiple backup codes to be safe.

Some sites don’t have backup codes. They use SMS or other methods as a backup. This defeats the purpose of using an app! Now an attacker can just use the backup method of SMS. Boooo.

Some sites don’t have any backup mechanism whatsoever. They expect you to call customer service who will disable 2FA for you. Booo! This means social engineering will get into my account making 2FA useless.

My NAS was like “yeah, if you lose your 2FA, just push the reset button on the NAS.” BOOO.

If you have 2FA, then it needs to be the ONLY way to get into the account. However, you also need to allow users to print out onto paper several backup codes so that they can login after their phone explodes. It’s that simple. So many get it wrong!

I would worry this is actually just a second password - you can use it to log in multiple times.

Is this so bad? Physical access and all…

Most people with a NAS care about network security more than they care about the physical security of the device. I am sure they sell ones that have better physical security but those are probably more expensive and have a more limited market. Seems to me if you cared about the physical security you would have bought one with more physical security as a feature.

It effectively is a second password. My understanding is that’s sort of the point. You print them out and put them somewhere safe (Mine is a bookmark in a seemingly random book on my shelf) and only use them in the event that you cannot use 2FA.

If everything else is working properly, not having this system is a one-way ticket to losing your 2FA token being indistinguishable from losing your account.

In practice this isn’t the case because in practice 2FA isn’t that secure most of the time because… well:

The physical security isn’t the concern. The concern is that if my phone fails, it’s a huge hassle to reset the NAS when they could have just done the backup code thing.

No, it should be one-time use. After it’s logged in with once, it’s no longer valid.

If they only give you one code I would be worried they just gave you another password, and not a one-time-use backup code.

Correct. The backup codes should be one-time use, which is another reason you need several of them. Google actually has you print out a sheet that has check boxes next to the codes so you can mark which ones have been used up.
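What the backup-code post above asks for, and what the last few replies settle on, is a small piece of server-side logic: mint several high-entropy codes, show them once, store only hashes, and consume a code on use so a replay fails. The code below is an added example, not code from Google or any site named in the thread; the design choices are assumptions: ten codes of eight characters from a 31-symbol alphabet (about 40 bits each), stored as HMAC-SHA256 under a server-side pepper so a leaked table cannot be used to recover codes offline, and a printable sheet with checkboxes like the one described above.

```python
"""One-time 2FA backup codes: generate, store only hashes, consume on use.

Added example, not any site's code. A code that can be used more than once is
just a second password; the store below makes each code unusable after one
successful redemption.
"""
import hashlib
import hmac
import secrets

# Alphabet without the look-alikes 0/O/1/l/I so a printed sheet types back reliably.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_codes(n=10, groups=2, group_len=4):
    """Return n codes like 'k7mp-2xwz', each an independent CSPRNG draw."""
    return ["-".join("".join(secrets.choice(CODE_ALPHABET) for _ in range(group_len))
                     for _ in range(groups))
            for _ in range(n)]


def canonical(code):
    """Normalise what a user types: drop separators and whitespace, lowercase."""
    return "".join(code.split()).replace("-", "").lower()


def code_hash(code, pepper):
    """Keyed hash of the canonical code; only this is persisted, never the code."""
    return hmac.new(pepper, canonical(code).encode("utf-8"), hashlib.sha256).hexdigest()


class BackupCodeStore:
    """Server-side state for one account: the set of hashes of unused codes."""

    def __init__(self, pepper):
        self._pepper = pepper      # server secret, kept outside the database
        self._unused = set()

    def issue(self, n=10):
        """Mint a fresh set, replacing any older codes, and return the plaintext once."""
        codes = generate_codes(n)
        self._unused = {code_hash(c, self._pepper) for c in codes}
        return codes

    def redeem(self, typed):
        """Consume a code. Returns True once per code; a replay returns False."""
        h = code_hash(typed, self._pepper)
        matched = None
        for stored in self._unused:
            if hmac.compare_digest(stored, h):   # constant-time compare per entry
                matched = stored
        if matched is None:
            return False
        self._unused.discard(matched)            # single use: gone after success
        return True

    def remaining(self):
        """How many codes are left, so the UI can nag the user to reissue."""
        return len(self._unused)


def printable_sheet(codes):
    """Render codes with checkboxes so the user can tick off the ones they have used."""
    return "\n".join("[ ] %s" % c for c in codes)


if __name__ == "__main__":
    store = BackupCodeStore(pepper=secrets.token_bytes(32))
    codes = store.issue()
    print(printable_sheet(codes))
    print("first use:", store.redeem(codes[0]))   # accepted
    print("replay:   ", store.redeem(codes[0]))   # rejected
    print("remaining:", store.remaining())
```

The two failure modes the thread complains about map directly onto this store: a site that hands out a single code that keeps working has skipped the discard in redeem, and a site that only shows codes at enrolment has no way to call issue again for a logged-in user.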