A Plea For Websites To Stop Blocking Password Managers
An anonymous reader writes: Password managers aren't a security panacea, but experts widely agree that it's better to use one than to have weak (but easy-to-remember) passwords. Just this week, they were listed as a tool non-experts don't use as much as experts do. I use one, and a pet peeve of mine is when a website specifically (or through bad design) interferes with the copying and pasting of a password. Thus, I appreciated this rant about it in Wired: "It's unacceptable that in an age where our lives are increasingly being played out online, and are sometimes only protected by a password, some sites deliberately stop their users from being as secure as possible, for no really justifiable reason."
Well, some sites don't want scripts interacting with the password fields. This could be a way to stop some malware from scraping user passwords from input fields.
And that works fine for me (using KeePass).
No chance. Password managers are a fucking stupid idea.
One place to attack and get all your passwords. Fucking brilliant!
One work-around (that doesn't work with OpenERP) is a little JavaScript I use as a bookmarklet.
Anyone who uses password managers and believes them to be safe and unable to be broken should not be able to use the Internet. All passwords should be maintained separately and typed in manually.
Do you have a citation for that, Mr. Scraps of Bad Security on Paper? Or are you just varying your normal MOO trolls?
I'm sure Bruce Schneier would appreciate your insights into secure code. KeePass has so many flaws.
Instead of copy/paste? Oh the horror!!! Never a tale of more woe, truly.
When it's 256 random chars, yes!
If your password is "OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73" as it should be,* then yes...
* Yes, please use exactly this password; it's super safe, I promise!
Bitten Apples are still better than dirty Windows...
Another factor - do you trust the password manager?
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Prioritization of passwords, i.e. choosing complex ones for a few critical accounts/services and "easy to remember" ones for non-critical things, can eliminate the need for managers. As someone pointed out, managers are all eggs in one basket.
Most websites are very poorly designed.
I mean, can I sue a site for forcing me to use an easy password, which then gets hacked?
While it's true the site operators are at fault, I also blame the browser makers.
Many websites don't allow copy or paste, or even selecting/highlighting text.
While I can understand the draw of websites, especially ones with games, being able to grab keyboard input, it's a potential security disaster waiting to happen.
Browser makers should treat these kinds of keyboard/mouse hooks the same way they treat websites asking for location data, with a message asking the user whether they want to allow the behavior or not. Furthermore, they should do it in such a way that operators cannot force users to click allow.
I generally don't trust anything or anyone having the word "manager" in their name.
I think the concern is that if your computer gets taken over, the criminal can just automatically scan the password logs for all your browsers and you're toast.
Definitely less than I would like; but it arguably still stacks up well compared to any alternatives that are compatible with sites that support nothing but username/password. Sure, in an ideal world, we'd be using something that isn't intrinsically doomed (say a CAC/PIV-style system); but both manually entered passwords and password managers are vulnerable to local malware; but the former also encourage weak and re-used passwords, depend on the user to recognize phishing and so on.
IMHO, this is a browser problem, not a website problem. Browser shouldn't allow scripts to interact with a password field. Period.
[Disclaimer: I'm not the GP AC.]
This is only if you allow passwords to be saved in your browser...
I'm sure your password is safe, but it's nowhere near as safe as my password (hunter2) or my luggage combination (12345). :D
Nobody would ever guess that I'd be stupid enough to use those, so they're literally the last things anyone would try!
Seems stupid to me. First, a website cannot know how the password gets entered at all. It just gets something from the browser. So stop blaming websites - blame the browser or the badly implemented password manager.
You can write a browser with a built-in password manager. No need for "paste" then, and the website can never know how the password was entered. If you don't feel like writing a browser from scratch, just grab the Firefox sources, which are available already. All you need is your password manager bits.
Except it doesn't stop shit.
Any malware would either intercept the keystrokes, or read the in-memory data directly, or even change the web content to inject whatever scripts it wanted... or even read the password from the clipboard, because the fact that you can't paste it into the page does not stop you from copying it from wherever you had it in the first place.
Whenever I see some financial or health care site that has a stupid limit like "8-16 characters, letters and numbers only and only one of these three non-alphanumeric characters" I struggle with free market principles and not saying "there ought to be a law..." In fact, it'd be easier on people to just let them use a phrase that has a meaning only to them. You know, a sentence that has numbers in it and goes on to something like over 128 characters easily.
If your machine is compromised then it doesn't really matter how you store your passwords.
Unless you go analog, you're trading 1 form of opaque security for another. You're trusting blindly in both, and assuming you're safe. Human nature then kicks in and you stop being secure in other areas.
If you're going to use software to keep your passwords, you might as well use a PKCS (public key cryptography system) to sign in. That could even protect your key in a hardware module. Everything has Bluetooth and NFC these days. The time is right to do it right.
IMHO, this is a browser problem, not a website problem. Browser shouldn't allow scripts to interact with a password field. Period.
[Disclaimer: I'm not the GP AC.]
Isn't this exactly what a password manager does? I thought LastPass (to name one) uses JavaScript to change the form fields, including the password field (which suddenly has a clickable * in it). So if you disable that, you have to paste manually.
I used to have a "good" combination on my luggage... until the day I forgot it (or set it wrong, who knows). Poking this way and the other, it turned out that it takes about 10-15 seconds to pick my luggage, and about 2 seconds to pry it open with a screwdriver. :D
Since then, I just use 12345, because why bother.
What annoys me more is websites that do not allow sufficient complexity, or enforce things like must start with a character, max 8 in length. My passwords all contain uppercase, lowercase, special chars and numbers, are over 10 characters in length and do not contain dictionary words. Sites need to stop having such incorrect and draconian password policies.
Correct cow battery staple.
Sounds like a troll, but anyway... "password manager" and "online password manager" are two different things.
It's not a difference that I would rely on; but there likely are some differences: it's typically easiest to get some sort of cross-site-scripting malice to work, less easy but far too common to escape from the browser and poke around with the user's permissions, more difficult again to escalate privileges above the user's context; and potentially quite tricky to get a kernel driver in without either compromising some vaguely respectable OEM or mucking with the system's certificate store.
Mechanisms that touch the browser too closely will probably fall to a good XSS exploit, basic browser-stores-passwords arrangements should fall over with nothing more than your security level; actually getting a keylogger, especially a persistent one, in there should be more demanding.
In practice, obviously, hoping that they 'just' penetrated the system part of the way is a sucker's bet; and you should nuke and pave; but if you are so lucky there might be a difference.
IMHO, this is a browser problem, not a website problem. Browser shouldn't allow scripts to interact with a password field. Period.
Period is not an argument.
A compromised site or a browser where a malicious script is running could easily place a fake textbox over any password field and mimic the behavior of the now unused password field.
The browser allowing scripts to interact with a password field is irrelevant, that is not where the security should be.
See, I knew that you were wrong because people who are right never end their statement with "Period."
Many SaaS vendors are moving towards new generation of logins. I see many vendors removing OpenID in general and we're seeing an equally high number of companies embracing SSO.
JavaScript can also intercept the contents of the clipboard. If you're blocking password managers, then people are going to do one of two things. Either they'll pick a (weak) easy-to-remember password, or they'll use a password manager and paste the password in. If they opt for the latter, then any malicious ad on the page can grab the password while it's in the clipboard...
I have some generic passwords that I use for non-critical accounts. For critical accounts, I have some pretty tough password-generated things. I have a list of them encrypted on my hard disk, so that I can throw some away if/when the need arises, and grab another. But - I can't copy paste them everywhere. How the hell am I supposed to EVER memorize those damned passwords? Just let me copy paste them, FFS.
A real "Password Manager" would be even better - if I find one that I trust, and I'm comfortable using. I haven't found it yet . . .
And why not?
Some script/program having access to a password field is totally irrelevant from a security standpoint. Heck, even browsers most of the times can't even tell that some html field is THE password field (because there's no standard...often they just guess).
Anyway, if attackers already have access to your machine, they can just steal your password with a keylogger. That is a lot easier than trying to guess what is a password field or not.
Your argument has one flaw - just because someone uses a password manager doesn't mean he will pick strong passwords...
...and they get lazy and reuse them everywhere.
Yeah. I have weak, strong and you're gonna have to work your ass off to break into my account passwords. I can't remember that many.
And in other cases where I don't have to create some account for some asinine reason (like on Slashdot) I don't.
My wife OTOH, creates a password for every website that demands one. She is constantly resetting them because she forgets. And she gets really pissed at the websites for demanding such shit. Consumer Reports demands a strong password and for what? If someone breaks in and gets her password, what are they gonna do? And when she needs to get back in, she resets it and the hackers are SOL.
And most websites demand accounts for advertising purposes anyway - like Slashdot and to drive traffic. People get off on building karma and whatnot because they have no lives. You see Redditors with tens of thousands of karma points and I gotta wonder if they have any life at all outside of the Web or Reddit.
Anyway, outside of important things, this whole password shit is nonsense.
I think the concern is that if your computer gets taken over, the criminal can just automatically scan the password logs for all your browsers and you're toast.
I agree - that probably is the concern. I don't believe that's a legitimate concern. It definitely is a concern that it's expressed so vehemently with no supporting reasons. It may not be a troll, but it is as ugly as one.
I'm not suggesting you should never write down a password.
I'm certainly not suggesting password control on its own is the basis of BP security - backups, risk management, and OpSec are also critical components. All of which must be employed.
Broad brush approaches to security are doomed to failure. There is no single security practise, e.g. writing passwords on paper in code, or using a password safe, that solves all security problems. Writing all your passwords down is definitely less secure than using a password manager. If what you are trying to secure is important enough not to trust to a password manager, you should entrust it to several password managers and employ OpSec to segregate the risks across several computers - or don't take the risk.
When it comes to a choice between using passwords or cryptographic keys it's far better to use cryptographic keys.
This is only if you allow passwords to be saved in your browser...
Which browsers do not allow passphrase protection of the password manager?
Some sites and wifi hotspots double down on this annoyance by inflicting it on their mobile pages too. So you have to enter an email twice from a handset. And just in case that wasn't enough, they fail to specify the field is for email so the phone browser's autocorrect fucks it up as you type it.
It's not a difference that I would rely on; but there likely are some differences: it's typically easiest to get some sort of cross-site-scripting malice to work,
In which case your passwords are toast no matter whether you typed them in by hand or they were injected by a password manager.
less easy but far too common to escape from the browser and poke around with the user's permissions,
Do you have a citation for this common occurrence?
I can't seem to find one - though I only did a quick google and a search through the last decade of email from the Full Disclosure mailing list.
Also, could you expand on how such an exploit would not be able to result in key logging that also results in a typed password being captured?
more difficult again to escalate privileges above the user's context; and potentially quite tricky to get a kernel driver in without either compromising some vaguely respectable OEM or mucking with the system's certificate store.
I agree with what made sense. You lost me with the "vaguely respectable OEM" bit. Could you expand on that please. I can be a bit thick.
Mechanisms that touch the browser too closely will probably fall to a good XSS exploit, basic browser-stores-passwords arrangements should fall over with nothing more than your security level
Sounds good - a bit theoretical. How does that get past a passphrase and encrypted password storage?
; actually getting a keylogger, especially a persistent one, in there should be more demanding.
I'd disagree there - if I have that much access I can download what I need - if I'm too lazy to use what's already on the system.
Better to use a single password and write it on a couple of post-its. That way you can tape one to every device you own.
Is it just my observation, or are there way too many stupid people in the world?
If your password is "OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73" as it should be,* then yes...
Now my favorite password is in cleartext on the Interweb, and I can't use it any longer... Thanks for nothing. :(
Using the same password everywhere and/or spreading your security thin across a thousand different web services
Let's face it. Those "thousands of different web services" don't amount to shit. There are probably only a handful that contain any *valuable* information about the user: such as your online banking, online tax returns, the very few sites that a person of sound mind would trust with storing their credit card details (e.g, PayPal, Amazon). But apart from that, most web sites, like forums - and even Facebook (you don't really give them actual personal information - do you? ) contain nothing of any value. So why not use the same 6 character password that you've been using for 20 or 30 years? Even if someone does crack it, nobody here is important enough for anything of any consequence to happen.
IMHO, this is a browser problem, not a website problem. Browser shouldn't allow scripts to interact with a password field. Period.
[Disclaimer: I'm not the GP AC.]
Isn't this exactly what a password manager does? I thought LastPass (to name one) uses JavaScript to change the form fields, including the password field (which suddenly has a clickable * in it). So if you disable that, you have to paste manually.
Nope. Lastpass is an extension, not a script. A script is one type of component, and an extension is another. The fact that the extension is implemented in the Javascript language does not make the extension a script except in a semantically-distinct usage of the word "script". Beware the fallacy of equivocation.
Websites have disabled autocomplete on password fields to prevent browser-based password managers from working. In response to this, many browsers ignore autocomplete=off on password fields. I ran into this behaviour on a user administration screen: the browser was trying to fill my password into the other user's password field. I could not stop the browser from autofilling the wrong password.
So many talking about securing passwords and not a single mention of double factor authentication...
IMHO, this is a browser problem, not a website problem. Browser shouldn't allow scripts to interact with a password field. Period.
[Disclaimer: I'm not the GP AC.]
I'd have to disagree with that opinion. I would reconsider if someone showed me good reason. Typing passwords manually leads to password reuse and insufficiently complex passwords.
That assumes that they're not trying to get a specific password from a site where they've already identified the password fields.
Since my password manager is a simple piece of software - an encrypted database of my passwords that runs on my computer with the data on my computer, I'd say yes, I have no reason not to trust it. I wouldn't put my bank login details in to it though, because of vulnerabilities + trojans + keystroke-loggers.
Trust an online password manager - hell no.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
And why not?
Some script/program having access to a password field is totally irrelevant from a security standpoint. Heck, even browsers most of the times can't even tell that some html field is THE password field (because there's no standard...often they just guess).
That's interesting. Which browsers guess which form field takes a password, please? It'd save me some time if you could tell me the function that is used to guess it - but I can just dig through the documentation if you don't remember precisely.
I know how Iceweasel/Firefox finds a password form field - and it's not "guess" work.(it remembers the form field positions from when you hit the Submit button - if you have autologin enabled).
The password manager I use knows nothing of form fields - it handles password request from applications. When I'm not using Iceweasel I just copy and paste from the password manager (which I use to hold additional information relevant to each password).
A stock page login form field:-
Refs: Firefox password debugging, the login manager
Doesn't make sense, if you have malware it could be keystroke logging - which would make a password manager more, not less secure if it auto-fills the user+password fields the user+password might not get sniffed.
Which is one of the many reasons why JavaScript clipboard functions should only be allowed for white-listed sites.
If anyone knows of an extension to fix this I'd like to know.
Found one, apparently no whitelist though.
Disable clipboard manipulations
Lastpass is proprietary, so you don't know what they are doing with your passwords. It was also hacked just recently.
KeePass is much better, open source and no stupid browser integration crap to get in the way. Just run it and manually copy your password to the browser.
Why not NoScript?
You are forgetting that not all sites are created the same. Some even use editable DIV tags instead of forms and use JavaScript submission. Many pass more inputs on their forms than just the user name and password.
I think the OP's point was that password managers often have to take their best guess at what is and isn't a login form, because while most sites use standard forms, that doesn't work for ALL sites.
True, although most password managers can generate random passwords (of varying strengths, as a recent Oakland paper showed). Using this functionality is generally easier than thinking up a password.
The last thing that someone would try as your luggage combination is 9999. I suggest you change your combination for this one, it will take longer to break in.
The Treasury.gov website? I don't believe they let you interact via keyboard---they force you to click buttons with the mouse.
Your argument has one flaw - just because someone uses a password manager doesn't mean he will pick strong passwords...
The flaw you see is not where you think it is. The OP never said a password manager requires strong passwords. That would require idiot proofing - that's a whole other subject.
Using a password manager does not necessarily enforce good passwords - or prohibit the reuse of them.
Writing passwords down means you have to read them out, and type them in to use them - a practise that also does not necessarily enforce good passwords - or prohibit the reuse of them.
Writing passwords down means you have to read them out, and type them in to use them - a practise that encourages bad passwords and the reuse of them.
Using a password manager does not encourage bad passwords and the reuse of them.
The reason for the difference is in ease of use and amount of effort involved. People cut corners because they are lazy or in a hurry.
I touch type - most people don't, I make mistakes typing in complex passwords that have been written down. The more I use those passwords, and the more passwords I need to keep, the greater the incentive to practise bad security. Given that most people can't touch type - they have an even stronger incentive than me to practise poor security - the evidence from all the password list dumps and all the security tests on password usage just proves the same thing. People use dumb passwords, people reuse passwords. When they are asked why they do so they say it's because it's too hard to remember them - or to write them all down, keep control of the pieces of paper, and to type them back in each time.
The other risk with using either method for storing passwords is loss of the passwords. Password managers have to be backed up. Paper records of passwords need to be backed up and secured. Password managers use passphrase protection so they are secured. (Or should be - see my previous comment about idiot proofing.)
If your password is "OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73" as it should be,* then yes...
Parent was modded funny, but this is what your passwords should look like -- long and random, and typing them is a PITA. Any web site that disables pasting or prevents your browser or extensions from auto-filling passwords is broken. The sad thing is that most sites that do this (other than those that do it by accident because the devs are clueless) do it because they think they're increasing the security of their users' accounts. They're not.
Solutions like LastPass et al are the best, but honestly just using your browser's password database is better than reusing passwords everywhere. And Chrome and Firefox (at least, perhaps others) offer the option of keeping your passwords synced to all of the devices you use, optionally protected with a master password. Browsers need to offer password generation as well. I think some are working on it.
Of course, the real solution is to get rid of passwords. Web sites should switch to using OpenID authentication. Yes, this means that most users will use their Facebook or Google logins, which means that, essentially, the site has outsourced its account security to those other entities. So what? If the developers of random web sites think they can do a better job of account security than Google or Facebook -- they're wrong. I work for Google and previously spent a decade as a security consultant in the financial industry, and after seeing how they all work from the inside, I would feel much more secure about my bank account if I could use my Google account (with 2FA, plus all of the analytics and monitoring Google does) to log into it rather than trusting the bank to do a decent job with password-based security. I haven't seen Facebook's infrastructure, but I know people who work there, and they're good. Far better than you'll find at a typical bank, much less J. Random Web Developer.
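As an added example (not code from the thread, nor from any browser or password manager mentioned in it), the following Node script audits login-form markup for the attributes the posts complain about, namely inline paste/copy handlers, autocomplete="off", a short maxlength and a restrictive pattern on a password field, and produces the corrected attribute set using the standard current-password/new-password autocomplete tokens. The sample forms, the 64-character threshold, the 128-character default and all function names are assumptions.

```javascript
// Added example, not from the thread: audit HTML login markup for attributes
// that interfere with password managers, and produce the corrected attributes.
// Runs offline in Node with no DOM; a small regex scanner reads the raw markup.

// Inline event handlers that, on a password field, usually exist only to block
// clipboard or drag-and-drop input (typically "return false").
const CLIPBOARD_BLOCKING_HANDLERS = ['onpaste', 'oncopy', 'oncut', 'ondrop', 'oncontextmenu'];

// Assumption: a maxlength below this rejects typical generated passwords.
const MIN_ACCEPTABLE_MAXLENGTH = 64;

// Parse the attribute text of one start tag into a lower-cased {name: value} map.
// Handles name="v", name='v', name=v and bare boolean attributes.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Every <input ...> start tag in the markup, as an attribute map.
function findInputs(html) {
  const tags = html.match(/<input\b[^>]*>/gi) || [];
  return tags.map(t => parseAttributes(t.replace(/^<input/i, '').replace(/\/?>$/, '')));
}

// Report password fields whose markup hinders a password manager.
// Only inline handlers are visible here; listeners attached from scripts are not.
function auditPasswordFields(html) {
  const findings = [];
  for (const a of findInputs(html)) {
    if ((a.type || 'text').toLowerCase() !== 'password') continue;
    const field = a.id || a.name || '(unnamed)';
    for (const h of CLIPBOARD_BLOCKING_HANDLERS) {
      if (h in a) findings.push({ field, issue: `${h} handler blocks clipboard or drag input` });
    }
    if ((a.autocomplete || '').toLowerCase() === 'off') {
      findings.push({ field, issue: 'autocomplete="off" hides the field from browser password managers' });
    }
    const max = parseInt(a.maxlength, 10);
    if (!Number.isNaN(max) && max < MIN_ACCEPTABLE_MAXLENGTH) {
      findings.push({ field, issue: `maxlength=${max} rejects long generated passwords` });
    }
    if (a.pattern !== undefined) {
      findings.push({ field, issue: `pattern="${a.pattern}" restricts the character set` });
    }
  }
  return findings;
}

// The corrected attribute set: drop the blocking handlers and the pattern,
// lift the length cap, and use the standard autocomplete tokens so browsers
// and extensions can fill (login) or generate (signup) the password.
function hardenPasswordField(attrs, purpose = 'login') {
  const out = {};
  for (const [k, v] of Object.entries(attrs)) {
    if (CLIPBOARD_BLOCKING_HANDLERS.includes(k) || k === 'pattern') continue;
    out[k] = v;
  }
  out.type = 'password';
  out.autocomplete = purpose === 'signup' ? 'new-password' : 'current-password';
  out.maxlength = String(Math.max(parseInt(attrs.maxlength, 10) || 0, 128)); // assumption: 128
  return out;
}

// Serialize an attribute map back into an <input> start tag (values are double-quoted).
function renderInput(attrs) {
  return '<input ' + Object.entries(attrs).map(([k, v]) => `${k}="${v}"`).join(' ') + '>';
}

// Constructed sample markup (not taken from any real site).
const BAD_LOGIN_FORM = `
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="off" maxlength="16"
         pattern="[A-Za-z0-9]+" onpaste="return false" oncontextmenu="return false">
  <input type="submit" value="Log in">
</form>`;

const GOOD_LOGIN_FORM = `
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="current-password" maxlength="128">
  <input type="submit" value="Log in">
</form>`;

const badReport = auditPasswordFields(BAD_LOGIN_FORM);   // five findings on "pass"
const goodReport = auditPasswordFields(GOOD_LOGIN_FORM); // []
console.log(badReport, goodReport);
```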
have a feature that "types" your password in the box instead of having to copy paste it.
Problem -> solved.
So KeePass is a glorified spreadsheet. Nice to know it's useless. Copying and pasting is idiotic for a password manager.
OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73
What a coincidence. That used to be my exact password until I read somewhere you aren't supposed to use your name as a password.
KeePass has an encrypted database. Copying and pasting for passwords is a lot more secure than having automagic fill in crap.
Enjoy your identity theft, credit card fraud and viruses.
Yeah but TFS said "secure as possible", what do you mean it might possibly not be!?!?!?
LastPass is no more proprietary than KeePass. The JavaScript implementation is visible. And while their server was hacked, the thieves got nothing of value since the contents of your "vault" never leave your computer unencrypted and LastPass doesn't have the key.
I agree with the article - blocking password managers lowers security.
The websites that force you to type the password in twice to make sure you got it right. Arggghhh!
PasswordSafe.
Generates random passwords for you, using specifications you provide (generally that means "generate a password consistent with the site requirements") as to length and content.
You never have to even look at your passwords if you don't want to - they're not displayed by default, so someone looking over your shoulder while you use it won't see a password by accident. Right-click, copy password to clipboard, paste to password field for website. Then PasswordSafe overwrites the piece of memory your password used in the clipboard several times with gibberish to make it harder for someone to find it that way.
So, pick one really good password (or passphrase - it doesn't have a limit on password size for itself) for your PasswordSafe, and let it generate all of your other passwords for you, and remember them and secret questions and whatever else you need to remember.
And it's not like the functionality I've described is unique to PasswordSafe. Pretty much every password manager I've looked at has the same basic functionality....
Indeed.
We are, however, talking about webpages, so it is reasonably safe to say that the password manager used is running on a computer that is online.
The nicsez check website comes to mind.
You know, the one that's used to run background checks for guns in 36 states or so?
If I recall correctly, it's forbidden in the terms to use a password manager.
And you have to change the password every 90 days.
Minimum threshold fixed. Thanks!
If your website doesn't import scripts from elsewhere, there's no problem.
It's a website design problem.
Lastpass is proprietary, closed source software that's been hacked and promotes poor security practices. KeePass is fully open source and has never been hacked.
Oh and email addresses, password reminders, server per user salts and authentication hashes are extremely valuable. I'm glad I use KeePass so nothing like that can ever happen to me because *I* control it, not some faceless, soulless, proprietary, anti-open source corporation.
If you use Lastpass, you need to change ALL of your passwords because you can easily be hacked with the information that the hackers got away with.
Visible != Open Source
Keepass is GPL and the full app is open, not just some simple lookup script for a remote API that masks how the important data is stored.
I stopped using traditional "passwords" years ago and switched to a derivation algorithm instead.
I never have to remember a password because I can derive each one easily. Does anyone else use this strategy?
"I agree with the article - blocking password managers lowers security."
Password managers suck. You want to know what works better? Image/phrase/password verification like my bank is using (and I've been using on my anime forum for at least a decade.)
Let's see your password manager work worth a shit when your system hard drive takes a dump and you don't have a backup.
That didn't cheer me up at all!
Actually, I may just use that for a wi-fi key. Spaces included.
Attackers won't guess it, and if they find out what it is, they'll give up before they type it all in.
No good reason in this day and age for sites to disallow ANY character on your keyboard as a valid password symbol. I really hate that. Usually government sites, but a recent loyalty program for a drug store was doing it... suggests to me they are either failing to sanitize input, storing pws in the clear in their DB, or both.
Wrong. Keep trying though.
Obviously you have limited experience or familiarity with password managers. LastPass, among others, keeps your encrypted passwords "in the cloud", so that they are accessible even if your local disk "takes a dump". For LastPass, there's also a local copy of the encrypted database, and yes, I do have backups. (If you don't have backups, you have a lot more problems than losing passwords.)
Image/phrase/password verification is hardly "better" (better than what?). How many of those can you remember? If you can come up with an authentication scheme better than passwords that you can get every online service to use, then please let us know. The reality is that passwords are what we use today and password managers make them easier to use in a more secure fashion, so that one has a different, strong password for every login. Two-factor authentication is also very helpful (and I enable that where supported.)
Currently the biggest weakness of passwords, other than most people using them poorly, is sites that store passwords insecurely. This, combined with the tendency of those NOT using password managers to reuse passwords, is what leads to the majority of account hacking.
I use the rings sold here to generate my passwords; there are cards and keychains too. Simple system and no need to rely on cloud storage or worry about having a wallet hacked.
https://www.tindie.com/search/#q=password generator recall
Why would you not have a backup? You can't fix stupid, no matter what you use.
Keepass is also (correct me if I'm wrong: I'd love to hear there is another) the only password manager I know of which is fully cross platform. Combined with Dropbox or some private file sync tool (I host a seafile installation), I have a synced password manager that works on Linux/Win/Mac/iOS/android. And I keep the key separate and move that to devices I use manually, so I'm almost totally unafraid of my vault being intercepted/stolen. Without my master pass phrase AND the encrypted key itself, breaking it is.... way harder than my passwords are worth.
"Do you have a citation for that Mr. Scraps of Bad Security on Paper?"
Every fucking government agency that uses a fucking AIR GAP like a REAL PROFESSIONAL.
Which you are obviously NOT.
"Do you have a citation for that Mr. Scraps of Bad Security on Paper?"
Every fucking government agency that uses a fucking AIR GAP like a REAL PROFESSIONAL.
That's not a citation - that's just stupid. Hint: you can't use an air gapped machine on the internet you moron.
Heck, even browsers most of the time can't even tell that some HTML field is THE password field (because there's no standard... often they just guess).
You mean the one with the attribute type=password? That is the standard, and it's been used like, forever. AC, please stop talking about silly things you know absolutely nothing about.
It's "cross platform" my foot. It's written in C#... The only reason it runs on other platforms is because someone other than Microsoft made a product compatible with .NET. It's called Mono. Not to put it down, but a compatible product doesn't equal the original product and is only going to add one more attack surface.
It hasn't been this way for a very long time, if ever. There have been a few bugs related to this 'protection' over the years, though. Browsers only allow reading content copied from the current page, only through the oncopy/onpaste/oncut events. That is, when you copy something on a page, the site can know that you did, and what you copied from it. (It can always write to it, though.)
Same with Flash (see http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html#head61 ... they say in Flash 9, in 2007, content couldn't even be read, ever, from the clipboard, and in Flash 10, in 2008, it now could be read, but only when content was copied from an animation, and only for that specific content).
And even these events can be disabled (e.g., "dom.event.clipboardevents.enabled = false" in Firefox). I think I remember disabling them in IE6 too, after each reinstallation, way back in the days.
That being said, it's probably good still to avoid leaving a password in the clipboard after use... I generally copy some random text afterward...
The article makes a good point: preventing paste into a password field just encourages people to use crappy passwords that are easier to type. The same applies to that silly convention of asterisk masking in password fields. The inconvenience massively outweighs that one time in a hundred that masking prevents a shoulder-surf attack.
Can we develop a standard HTML interface for password managers, with built-in safeguards against malware usage? Any compliant PM would connect with any compliant login screen.
some sites deliberately stop their users from being as secure as possible, for no really justifiable reason.
Perhaps the website has had issues with some sort of script, or bad actor, who just pastes password guesses into the field. Then the site admin found that blocking pastes blocked the software which was trying to attack them.
" just because someone uses a password manager doesn't mean he will pick strong passwords"
But because a PM makes it easy to maintain strong passwords, you no longer have inconvenience as an excuse for slacking on password security.
Ugh silly troll is silly.
Yes there are standards... But no requirements to FOLLOW the standards... Yes most sites follow the two input fields and one marked as password. Get off the "sanitized" Internet and things can get sketchy quick. The password field could be a string of dropdown boxes with a single letter each for each or not even an input field at any point in time and instead faked by JS code to look and act like one and....... Need I go on? The proliferation of JavaScript makes our "job" of ensuring the legitimacy of a website before or during our visit even harder.
There was no equivocation here. The original statement was:
I thought Lastpass (to name one) uses Javascript to change the form fields, including the password field
The response never equated Lastpass to a script. It said Lastpass uses Javascript to change the form fields in contradiction to the statement that scripts should never be allowed to interact with a password field.
KeepassX does not use the clipboard but instead simulates actual typing, with a configurable delay.
When you select a password entry and press Ctrl-v in KeepassX, it hides itself, switches the focus to the last active window and types the password.
This also protects you from accidentally leaking a password to remote desktop sessions or virtual machines that synchronize the clipboards.
I have been using RoboForm for many years and have always loved it. It is about as cross-platform as you could want (its Windows Mobile support is a little lackluster, but its iPhone and Android support are the best I have seen).
Before they switched to the cloud sync platform, I had 5 registered copies I was maintaining, it was worth that much to me. Then they switched to the Everywhere product which gives you as many devices as you want for around $25/year.
I have never had a problem with it other than the usual issues one gets when synching from many different devices. The occasional password will slip through the cracks because your device wasn't online to sync properly and then propagate to your other devices. I would guess this is the same issue you would find with LastPass or any other cloud synching PM.
My eyes reflect the stars and a smile lights up my face.
Only users use browsers; hacker/cracker, blackhat low-lifes use Perl's LWP modules.
Apocalypse Cancelled, Sorry, No Ticket Refunds
I'm sorry. Most of the time I use keepassx on Lin/Mac, and some other keepass app on my phones. I guess I should have said the keepass format is cross-platform.
So run it under mono on Windows.
If your definition of cross-platform is so narrow that it means the exact same binaries run under different operating systems, then there is virtually no cross-platform software.
Would you be kind enough to name the browser?
"Obviously you have limited experience or familiarity with password managers. LastPass, among others, keeps your encrypted passwords "in the cloud", so that they are accessible even if your local disk "takes a dump"."
That's EXACTLY WHY I don't use it. Keep my passwords on SOMEONE ELSE'S COMPUTER?!?!?! That's FUCKUP NUMBER ONE of security.
" If you can come up with an authentication scheme better than passwords that you can get every online service to use, then please let us know."
Same fucking one I got my bank to switch to - same one that I've used on my anime forums for over a decade. Picture/your custom caption/password. Same fucking one I've been telling people on /. about for YEARS. Spammers haven't beaten it, hackers haven't beaten it (because it's actually more than two-factor auth) and even in the case of being hacked, you would still need the matching image file (which resides on another server and is accessed by a constantly-changing encrypted variable for filename so you can't just rip it) to make the phrase and password usable.
I've been at this game almost 30 years. When are you n00bs ever going to catch up with the basic security of things like Air Gaps and separated content passwords, which have been around since, well, PROHIBITION?
" You can't fix stupid, no matter what you use."
That's exactly why many don't have a backup.
" Hint: you can't use an air gapped machine on the internet you moron."
Yes, you can. Do you even know what PROTOCOL is? Do you even know about SNEAKERNET, n00b?
This is why my mantra is "laziness always wins".
That is, if I want to change user behavior, I need to make the desired behavior easier than the bad behavior. PW managers do this by generating 'good' passwords with a click of the button.
Some people like phrasal passwords as an alternative to PMs. Random phrases from which you use the first few letters of each word are a lot easier to remember than random strings. But now that passworded sites have taken to using silly password formation rules as a vain attempt to enforce strength, these no longer work. Was this the site that requires one capital and two numbers, or was it the other way around?
Until you go to a random PC which you don't own and try logging in to that whatever website...
What I did (but is difficult to do in general) is learn an algorithm which allows my own brain to generate a password based on the website I'm logging in to.
Give me a website name and I can create a unique password for it, all in my head. And whenever I revisit the website I can re-generate the password for reuse.
The algorithm has evolved during the last few years and sometimes I have to enter 2-3 passwords if I rarely visit a certain website, but overall it works great.
Thinking a password is easy - but only after you spent some time and brain cells learning the algorithm.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
n00bs, eh? I've been in the software business for almost 40 years, you young whippersnapper.
I suggest you study texts on encryption, and maybe read the technical details of how a good cloud-based password manager like LastPass actually works. https://lastpass.com/whylastpa... https://lastpass.com/support.p...
Your super-whiz-bang method still requires a password, it seems. Without a password manager, users will still need to remember their password and many will either reuse passwords from other sites or choose simple ones. The image/caption thing you talk about is often used as an anti-phishing technique, but that's not authentication. If you're requiring the user to choose from among multiple pictures or captions, then that's effectively another one or two passwords. Yes, it will make it harder to attack YOUR site through the web interface, but doesn't itself strengthen protection of the users' passwords.
The goal for password managers is not to protect individual sites, it's to protect the users against their own misuse of passwords and reducing the risk when some site (not yours, hopefully) gets hacked and has their password database stolen. (How do you hash the passwords for your sites? Still using MD5?)
Not by default it can't.
True there are potentially bugs in implementation or bad configurations that allow scripts to read the external clipboard, but the same argument could be made against password managers. Poor security / configuration of the browser could allow scripts to read the password provided by the password manager.
Because turning off JavaScript completely breaks so many sites these days.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
Copy/paste cache scrapers exist, and are common for browsers with bugs. Training people not to copy/paste passwords is a good idea.
Not only password managers but institutions are screwing up online security and it has to be deliberate. Banks have vast restrictions on what one can use for a password. Really only weak passwords are allowed at many banks. Every night on the news we hear whining about lack of security in financial transactions over the net. Yet the banks refuse the use of strong passwords. Other people must be noticing this. Why is there no outcry?
non-repeating characters (in fact it reduces entropy, but some security admins seem to think it is a good idea), numbers and so on.
If there are 64 choices for each character, a requirement for non-repeating characters reduces the number of choices for characters after the first to 63, for a total of -log[2]((63/64)^9) = 0.2 bits of entropy lost in a 10-character password.
I've always wondered why a system similar to ssh keys has never been implemented for website logins and widely used. Even if it were optional, as a lot of people probably wouldn't understand and therefore not use it, a lot of others would probably use it or learn to.
Chewbacon
The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
Yep, that use case is a potential weak spot for password managers. (I say potential because I consider it a plus - makes it less likely I'll enter passwords on a system I shouldn't trust - but ymmv.) When I have to do that I use the "forgot password" process, which is typically multi-factor (they send me an email or text, both of which I'll read on my phone), and make a note to reset the password once I get back to a safe system.
If you are writing software that takes in a password and you are hashing the password to compare it to a stored hash, there is no reason at all to restrict the maximum length of a password or prohibit certain characters from being used in it.
Other than that it's far harder to type a 60-character password on a mobile device whose only text input method is a flat sheet of glass. Allowing users to enter a long password discourages users from even trying the mobile site or mobile app.
If you are writing software that takes in a password and you are NOT hashing the password (but instead storing it in the clear or otherwise doing something with it), you shouldn't be writing software involving passwords in the first place.
Unless you're storing the user's password in order to log on to a service on the user's behalf. A password manager is an example of such an application. With other applications, even if the service supports some form of OAuth, the application still has to somehow store the client ID, client secret, and user token securely.
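As an added illustration of the point made in the last few posts, and not code from any poster: a storage routine that hashes the password, so neither a length cap nor a character restriction has any reason to exist. The record layout, iteration count and salt size are assumptions chosen for the example; PBKDF2-HMAC-SHA256 stands in for the plain MD5 asked about earlier in the thread.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not any poster's code. PBKDF2-HMAC-SHA256 is a salted, slow
# hash; the iteration count, salt size and record layout are assumptions.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "pbkdf2_sha256$iterations$salt$hash" (hex).

    The password is UTF-8 encoded before hashing, so spaces, quotes and
    non-ASCII characters are all acceptable, and there is no reason to cap
    the length: the digest is 32 bytes however long the input is.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    Malformed or unknown records verify as False rather than raising, so a
    corrupted row cannot turn into an authentication bypass.
    """
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or iterations < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # The thread's joke password contains a space and punctuation: no problem.
    record = hash_password("OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73")
    print(record)
    print(verify_password("OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73", record))
```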
All passwords should be maintained separately and typed in manually.
by Anonymous Coward
Coming from someone that doesn't even use usernames or passwords, your advice carries less than zero weight :P
Another commonplace annoyance is sites of no consequence that ask for an email address and for some unknown reason require it to be entered twice.
Some site probably tested it and found that it reduces the number of registrations that fail to complete because the user mistyped his e-mail address and thus failed to receive the registration confirmation e-mail message. Then other sites copied it.
you keep a copy or an excerpt of the password book safe in your wallet
Likewise, most adults in my country keep a plastic card with their credit card number and CVV2 in their wallets.
>because it's actually more than two-factor authentication
Kind of, maybe, but you really have to stretch the definition. Two-factor authentication is typically a combination of two of:
- something you know
- something you have (physical object)
- something that's an inherent characteristic (biometric data)
specifically so that it's extremely unlikely that an unauthorized user can get access to more than one of them.
Meanwhile yours (from what I can guess from your under-specified description) involves:
- Picture (keyfile?) that's stored online where anyone can get it (and how do you access it? a password?)
- passphrase
- password
And yes, that's considerably more challenging to hack than a simple password alone, but it still sounds like it only involves "something you know", and thus offers none of the more concrete protections offered by more traditional two-factor authentication. All it takes is someone filming your keyboard and screen while you log in and your security is completely bypassed. Not appreciably more difficult to hack than a completely random 30-character password that can be conveniently stored in an encrypted password manager on a USB flash drive accessible via passphrase, which provides quasi-two-factor authentication on the front end. You can watch me enter my passphrase, but without also having the file on my USB drive it won't help you log into any of my accounts.
Granted, that's not as convenient on phones/tablets/etc, but given how common spyware of various types is on such devices I'd be *extremely* hesitant to access anything actually important from those unless you completely refused to install any software that has the potential to monitor your activities - a call that's becoming increasingly difficult to make even for the competent.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
I'm not talking about unsafe machines, just other machines which you occasionally are a user on (e.g. meeting room presentation machine or something). Yeah, I know, those are considered unsafe but we have security solutions enabled on all our machines and they do a decent job.
If your password is "OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73" as it should be,* then yes...
Parent was modded funny, but this is what your passwords should look like -- long and random, and typing them is a PITA. Any web site that disables pasting or prevents your browser or extensions from auto-filling passwords is broken. The sad thing is that most sites that do this (other than those that do it by accident because the devs are clueless) do it because they think they're increasing the security of their users' accounts. They're not.
Solutions like LastPass et al are the best, but honestly just using your browser's password database is better than reusing passwords everywhere. And Chrome and Firefox (at least, perhaps others) offer the option of keeping your passwords synced to all of the devices you use, optionally protected with a master password. Browsers need to offer password generation as well. I think some are working on it.
Of course, the real solution is to get rid of passwords. Web sites should switch to using OpenID authentication. Yes this means that most users will use their Facebook or Google logins, which means that, essentially, the site has outsourced its account security to those other entities. So what? If the developers of random web sites think they can do a better job of account security than Google or Facebook -- they're wrong. I work for Google and previously spent a decade as a security consultant in the financial industry and after seeing how they all work from the inside, I would feel much more secure about my bank account if I could use my Google account (with 2FA, plus all of the analytics and monitoring Google does) to log into it rather than trusting the bank to do a decent job with password-based security. I haven't seen Facebook's infrastructure, but I know people who work there, and they're good. Far better than you'll find at a typical bank, much less J. Random Web Developer.
The problem with using Google or Fuck-Book for logins is: "I don't have a God Damn Fuck-Book account--nor will I be getting one, (And the same goes for Twatter), and I'm not going to log into your fucking website with my Google ID." When a site insists I log in with one of those IDs, I go elsewhere--Fuck them.
And No, I don't give a fuck about the security of the OpenID provider, I give a Fuck about keeping my accounts separate.
So why use a password manager that saves your passwords to a server? What's the point of trying to be safe when you have now put your safety in their hands?
Jack of all trades,master of none
As the article points out, malware doesn't steal password by copying them out of password fields, it does it by capturing keystrokes. So this does nothing to prevent malware.
Is that like the login form AT&T used for a while to pretend it was all mobile-6-point-oh-like where the password field was a plain text box with a script that turned the letters you typed into dots after you type the next letter?
There's a reason that all the major browsers don't autofill forms until you tell it to.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Of course, the real solution is to get rid of passwords. Web sites should switch to using OpenID authentication.
One problem is that a lot of identity providers,* such as Google, have switched from classic OpenID to OpenID Connect. Because of the OAuth 2 underlying OpenID Connect, it has become more common for IDPs to require each relying party* to enter into a contractual relationship with the identity provider. With classic OpenID, if you had an identifier URL from a given IDP, you could use it on any RP. But in OpenID Connect, you can't use your identifier unless the RP has a client ID and client secret pair issued by the same IDP that issued your identifier. There is a Dynamic Client Registration protocol for an RP to automatically obtain a client ID and client secret from an IDP, but no major IDPs appear to support DCR. If there are n RPs and m IDPs, a human has to review and accept a contract m*n times, and managing this becomes O(n^2):
* In OpenID, an "identity provider" is the website that issues OpenID identifier URLs and takes your password, such as Google, and a "relying party" is the website that takes your OpenID identifier and redirects you to the identity provider to log in.
By default, everything you save in RF is encrypted into discrete files before being synchronized to the server.
I have encryption turned off for bookmarks so that I can have a roaming set of bookmarks across all my devices without having to enter a password to decrypt them. Same goes for contacts.
Of course, the real solution is to get rid of passwords. Web sites should switch to using OpenID authentication
Or SQRL!
I gave up on trying to remember increasingly complex passwords and just remembered how to make them. Computers are great at doing complex math humans aren't. Humans can remember some things very easily (Correct Horse Battery Staple).
Then I only have to remember or write down 3 things: The 'password', the length and the mapping.
echo -n $password+$user+$website | sha256 | cut -c1-$length | [mapping]
Where mapping maps the hex codes to a-z, a-Z, a-Z0-9, a-Z0-9!-). (You can make up your own charset and just use mod(charset length)).
For example if my password was 'qwerty' I'd salt it such that my actual slashdot password would be:
echo -n qwerty+0100010001010011+slashdot.org | sha256 | cut -c1-20
050e48f9f39d4d481ec3
It's not that much harder to implement in Python for use on Windows. (I just have a simple GUI).
If you want to take it a step further just remember a pattern and then a start letter. qwerty, asdfgh and zxcvbn are the same 'password' in my brain. It's "Password 1, start q, a, or z'.
I have everything written down on how to generate the passwords in a lock box and my wife knows my 'password'. So if I die and everything is locked she could get into any website she wanted just by following the instructions.
All of our joint accounts do actually use our anniversary. Jan 1, 1980. 01Jan1980, etc are all going to generate different end passwords. You have to know both the date and the formatting, which she does.
Stop remembering passwords and start remembering how to get to your password.
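The derivation pipeline described in the post above (echo -n $password+$user+$website | sha256 | cut -c1-$length | mapping), written out in Python as the post says it did for Windows; this is an added example, not the poster's own program. The charset names are the post's, "!-)" is read here as the ASCII range from ! through ) (an assumption), and the byte-mod-charset mapping is one reading of "mod(charset length)".

```python
import hashlib
import string
from typing import Optional

# Added example reimplementing the pipeline from the post; not the poster's code.
# Charset spellings follow the post; "!-)" as the ASCII range !..) is an assumption.
CHARSETS = {
    "a-z": string.ascii_lowercase,
    "a-Z": string.ascii_letters,
    "a-Z0-9": string.ascii_letters + string.digits,
    "a-Z0-9!-)": string.ascii_letters + string.digits + "!\"#$%&'()",
}


def derive_password(master: str, user: str, site: str, length: int,
                    charset: Optional[str] = None) -> str:
    """Deterministically derive a site password from the three remembered parts.

    With charset=None the result is the first `length` hex digits of the
    SHA-256, which is what `sha256 | cut -c1-$length` prints. With a charset,
    each of the first `length` digest bytes is reduced mod len(charset), the
    post's "mod(charset length)"; that is slightly biased whenever 256 is not
    a multiple of the charset size, which is noted here rather than fixed.
    """
    material = f"{master}+{user}+{site}".encode("utf-8")  # echo -n "$password+$user+$website"
    digest = hashlib.sha256(material)
    if charset is None:
        if not 1 <= length <= 64:
            raise ValueError("hex output is at most 64 characters")
        return digest.hexdigest()[:length]
    raw = digest.digest()
    if not 1 <= length <= len(raw):
        raise ValueError("mapped output is at most 32 characters from one digest")
    return "".join(charset[b % len(charset)] for b in raw[:length])


if __name__ == "__main__":
    # The post's own inputs: master 'qwerty', a binary-looking salt as the
    # user part, and the site name; 20 hex digits, then 16 mixed characters.
    print(derive_password("qwerty", "0100010001010011", "slashdot.org", 20))
    print(derive_password("qwerty", "0100010001010011", "slashdot.org", 16,
                          CHARSETS["a-Z0-9!-)"]))
```

Because SHA-256 is fast and the only per-site input is the site name, anyone who learns one derived password and the scheme can guess the master secret offline at hash-cracking speed, and a compromised master cannot be rotated for one site without changing every site. A slow KDF in place of SHA-256 and a per-site counter folded into the material would address those two weaknesses.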
Given that most of these webpages are also the ones where you have to answer some "secret" question to recover your password, it's kinda moot to select a secure password.
What is it you say? "Instead of giving a real answer to the "secret" question, simply use another randomly generated string?"
That's a good idea. Until the admin of the page locks your account because "you obviously are a robot, because humans don't do this".
The problem runs far, far deeper, people...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Oh, I know that; I have had Roboform since it was released. No matter what the file type is, it can be hacked, and storing it on someone else's servers is far less secure. There is no argument anyone can make. The cloud "servers" are as secure as they make them. Taking your security away from you. Look, today even Steam has a huge security hole http://masterherald.com/steam-...
Then I get on my phone and type in those 36 characters by hand.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
Exactly this. A programmer that fights "human nature" is doomed, no matter how good the software is.
Of course it does. I can pick a random 24-character password for every website just by leaving the defaults on LastPass.
You're actually very wrong. Long complicated passwords are horrifically impossible to remember causing people to write them down or store them in managers with simpler passwords to open the manager.
Length is all that matters for passwords. You're better off with "thatswhatshesaid" (26 ^ 16) than "B4c0nL0v3r!" (72 ^ 11). You're 162 times better off, in fact.
26 ^ 16 = 43,608,742,899,428,874,059,776
72 ^ 11 = 269,561,249,468,963,094,528
https://xkcd.com/936/
If the web site requires some sort of login, and denies me the ability to use LastPass to manage that login, I do not use that website. No discussion, no arguments, my mind is entirely made up, closed, and locked on this point. I will find someone else to do business with who doesn't think they know better than I do how to secure my access to their site.
But the poster worked as a security consultant for 10 years! And now works for Google, he can't possibly be wrong!
He's probably even written white papers on the subject!
All it takes is someone filming your keyboard and screen while you log in and your security is completely bypassed.
And how are they supposed to do that? Magic? I only access secure sites from my PC desktop, at home. It doesn't have a web camera attached and doesn't run Windows.
Good, inexpensive web hosting
Some cases where websites work very badly with a password manager (in my case the one built into Safari):
One case where the stupid website didn't accept the password that Safari suggested. Because it had some "special character" in it. What's annoying is that Safari remembers the password and suggests it again, BEFORE the site rejects it. Bummer.
Another case where the password is used in different places, and Safari cannot figure out that the two different places belong to the same site and should use the same password. What happens: On the second site, Safari suggests a different password which obviously doesn't work...
Apart from not working because of some stupid websites, it seems to be safe. The problem mentioned with password use on some public computer doesn't happen, because the passwords can only be used on my Macs, iPads and iPhones (but on all of them), but not on a random third-party device.
Keepass is also (correct me if I'm wrong: I'd love to hear there is another) the only password manager I know of which is fully cross platform.
I like keepass, especially since there are so many ports of it to so many platforms. However, if someone is looking for something more akin to lastpass, here's a few open source ones:
https://clipperz.is/ - clipperz seems most similar IMO. It's open source and all in the browser via javascript, though signup and site design are a little wonky.
http://www.fpx.de/fp/Software/... - Password Gorilla (also on github: https://github.com/zdia/gorill...). It's also open source, but it's a TCL/TK application. I'm not sure what their Android status is (there is some info on their site regarding use of HECL to port the TCL parts to Android, but I don't know the status).
https://www.passpack.com/ - Passpack works on chrome, firefox, ie, and safari. It's similar to lastpass in many ways. It's not fully open source, but they did open source a bunch of the libraries they use/made (aes/rijndael, xxtea, json2, sha-256 in js, etc: https://code.google.com/p/pass... ).
https://www.passlet.com/ - passlet. The SSL cert for that site expired in 2010, so I don't think I'd use this, but it is cross platform and built according to the host-proof-hosting concepts. They open sourced their PBKDF2 methods: http://anandam.name/pbkdf2/
http://aaronboodman.com/halfno... - halfnote is just a notepad, but it's encrypted in browser, and it's open source (https://code.google.com/p/halfnote/)
All that said, I'd probably stick with keepass and/or lastpass.
I had found their accounting methods to be...not necessarily straightforward or well documented...so I decided to log in to their site every single day and download a PDF summary of the loan principal and interest balances. That way, I at least have a record over time of what they've done. Once I've collected enough data, I intend to go back and get a full understanding of how they're accounting for everything. Easy as pie, copy and paste my username/email address and password, click download, save a dated copy of the report and be done for the day.
Anyways, one day I found that I was unable to paste, so I chalked it up to a bug. A few days went by and I finally contacted their support team notifying them of the bug. They responded that their developers said that “By allowing users to paste a password into Manage My Account, the password is not being subjected to the edits in place to ensure that the password meets security requirements. Although it does not rule out all attacks, it does help to prevent automated attacks.” I found this to not be a satisfactory explanation, so I politely informed them in a detailed manner that passwords meeting security requirements had nothing to do whatsoever with the process of logging in and that their change had made for a very unpleasant user experience. I didn't hear anything back for a couple of weeks, but then they responded saying that they would make the change back to the original functionality within a couple of months...and they did!
If it's using editable div tags instead of forms then it isn't a login form.
You're actually very wrong. Long complicated passwords are horrifically impossible to remember causing people to write them down or store them in managers with simpler passwords to open the manager.
Putting them in password managers is the right thing to do.
Length is all that matters for passwords. You're better off with "thatswhatshesaid" (26 ^ 16) than "B4c0nL0v3r!" (72 ^ 11). You're 162 times better off, in fact.
26 ^ 16 = 43,608,742,899,428,874,059,776
72 ^ 11 = 269,561,249,468,963,094,528
https://xkcd.com/936/
You're wrong. Hilariously so.
The entropy of "thatswhatshesaid" is far lower than 43,608,742,899,428,874,059,776. Randall Munroe calculated correctly in the XKCD comic, of course. He didn't assume that each letter was random, he assumed he was choosing four words at random from a dictionary of a specific size (about 2048 entries == ~11 bits of entropy per word). Your password is clearly not a selection of randomly-chosen words, and even if it were, it would likely have been from a much smaller dictionary.
This highlights the danger of asking users to pick passwords... even those who think they know what they're doing are likely to screw it up. Munroe's advice in 936 was good... but I think it has misled more people than it has enlightened.
No, it's much better to use a password manager and let a computer pick large random passwords for you.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
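The entropy argument above, worked through as an added example that is not part of the thread: the 26^16 and 72^11 figures hold only if every character is uniformly random, while the XKCD 936 figure assumes four words drawn at random from a 2048-entry list. The 1000-word list used to model "thatswhatshesaid" as four common words is an assumption for illustration, as is the guess rate.

```python
import math

# Added example, not code from the thread: compares the password models
# argued over above. Character-level figures assume uniform random choice
# per position; word-level figures assume uniform random choice per word.


def search_space(alphabet_size: int, length: int) -> int:
    """Exact number of candidates when each position is uniform over the alphabet."""
    return alphabet_size ** length


def bits_random_chars(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password of uniformly random characters."""
    return length * math.log2(alphabet_size)


def bits_random_words(dictionary_size: int, word_count: int) -> float:
    """Entropy in bits of a passphrase of uniformly random dictionary words."""
    return word_count * math.log2(dictionary_size)


def strength_ratio(bits_a: float, bits_b: float) -> float:
    """How many times larger the first search space is than the second."""
    return 2.0 ** (bits_a - bits_b)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a constant guess rate (assumed rate)."""
    return (2.0 ** bits) / guesses_per_second


def compare() -> dict:
    """Entropy under each model; shows why the 26^16 vs 72^11 comparison misleads."""
    random_lower16 = bits_random_chars(26, 16)    # "thatswhatshesaid" if truly random
    random_mixed11 = bits_random_chars(72, 11)    # "B4c0nL0v3r!" if truly random
    xkcd_four_words = bits_random_words(2048, 4)  # the comic's 44-bit estimate
    # "thats what she said" is four very common words; a 1000-word list is an
    # assumed size for the list an attacker would try first, not a measured value.
    four_common_words = bits_random_words(1000, 4)
    return {
        "random_lower16": random_lower16,
        "random_mixed11": random_mixed11,
        "ratio_random_chars": strength_ratio(random_lower16, random_mixed11),
        "xkcd_four_words": xkcd_four_words,
        "four_common_words": four_common_words,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>20}: {value:10.1f}")
    # Assumed offline rate of 1e10 guesses/s for a fast hash; a slow KDF changes this.
    print("days to exhaust 4 common words:",
          seconds_to_exhaust(bits_random_words(1000, 4), 1e10) / 86400)
```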
Copy/paste cache scrapers exist, and are common for browsers with bugs. Training people not to copy/paste passwords is a good idea.
You're promoting perpetuating a long-standing, widespread and hugely-damaging user security error in order to avoid a relatively obscure problem which can actually be fixed through purely technical means. Not a win.
KeepassX, which is the cross-platform version, is derived from Keepass 1.0 which doesn't use .NET/Mono (it uses the Qt libraries instead). Version 2.0 beta has recently been released for KeepassX.
It's not just copy-paste operations that are affected, though. For example, the developer web portal for a fruity company used to actively interfere with the Auto-Type functionality of KeePass when logging in with Chrome, Safari and Firefox (but interestingly not when using MS-IE) until enough people complained to them to get them to stop it.
So: (1) complain to the web site operator to get them to fix their site, or (2) when they refuse to fix their site just actively boycott them and call them out in public.
Key- and screen-loggers? Pretty standard stuff I believe. All that's required is the wrong virus or trojan sneaking on to your machine somehow.
The main point is only that only one thing is needed to compromise security - knowledge - and thus it is a stretch to call it two-factor under the traditional definition (at least so far as I understand it. I'm a programmer, but no expert on security).
I certainly don't contest the challenge that it's probably significantly more difficult to bypass. At first glance it would seem to have great potential, IF done well. But I don't even know enough details to judge the theory, and as always implementation details will likely expose far more vulnerabilities to hackers. The question is, would it continue to be fundamentally more secure if it became the primary means of security, or is its primary benefit that of being a small enough target that it's not worth the effort?
--- Most topics have many sides worth arguing, allow me to take one opposite you.
A (well implemented) online password manager is just an encrypted database of your passwords using a simple piece of software. It just gets backed up for you for free. And it usually has some clever tools to make it easier to get the data into the password fields. There's already a more detailed explanation in this thread of how they work. Pretty much how your system does, but more convenient.
Key- and screen-loggers? Pretty standard stuff I believe. All that's required is the wrong virus or trojan sneaking on to your machine somehow.
I presume, then, that you're not that familiar with Linux or how people use it. Aside from the fact that almost all of the virus/trojan programs out there won't run directly on a Linux machine, you still need root (Or, in Windows-speak Administrator.) rights to install new software. Not only that, most Linux users get their software from their distro's repositories and nowhere else. I won't say that it's impossible to infect a Linux box if you try hard enough, but I will say that it's exceptionally hard to do without the user assisting you. I know; I've had malicious websites try to slip in a drive-by download and all that happens is I get a dialog box asking me if I want to download the file and if so, where to put it. And, since most main-stream distros use SELinux, it's next to impossible for a program like that to do any damage to the system files.
Good, inexpensive web hosting
Since my password manager is a simple piece of software - an encrypted database of my passwords that runs on my computer with the data on my computer - I'd say yes, I have no reason not to trust it. I wouldn't put my bank login details into it though, because of vulnerabilities + trojans + keystroke-loggers.
Trust an online password manager - hell no.
I have a very strange method of storing my passwords. I keep them in the mk I human brain.
The real security risk is with the online service being compromised and databases or details being downloaded... As what happened to LastPass a few months ago.
Calling someone a "hater" only means you cannot rationally rebut their argument.
war4peace's password list:
fb
username: war4peace
password: facebook1
linkedin
username: war4peace
password: linkedin1
gmail:
username: war4peace
password: gmail1
but now you want us all to have a facebook or g+ account to access our passwords?
what if those services go down? what happens to that OpenID authentication?
You might be able to win $500 in an ADA case. It is even tax-free money I understand. Screen readers have issues with some radio buttons last I knew. Things may have improved I suppose.
"So long and thanks for all the fish."
Setup with a noVNC web interfaces, and sshkey management in the web management panel (so users can employ their personal ssh keys post-deployment
[Unbalanced parentheses.] Which guide to configuring keys in popular SSH clients does your documentation link to?
However I was (redundantly) asking why someone who calls themselves a security professional and system administrator does not follow BP.
Because BP got hacked by Chinese? Naaah.
Setup with a noVNC web interfaces, and sshkey management in the web management panel (so users can employ their personal ssh keys post-deployment)
[Unbalanced parentheses.] Which guide to configuring keys in popular SSH clients does your documentation link to?
We don't provide one. Support refers users to the official security guides for the appropriate distro, general questions are answered using this as the main source. Documentation for users is almost identical to that on Digital Ocean (they target the same market segment). We don't write subject documentation for users. They do, if we approve it we pay them and publish it (it's the low cost end of the market, minimal SLA).
Internally we follow NIST procedures and are audited to meet several ISO 27K standards (mainly for insurance purposes). We don't own any data centres, or control the hardware. That's a very common practice with all but the high-end hosting providers (usually).
Our internal procedures are more stringent with the main (non-hosting) business as most of the clients are Defence related (this is Canberra, the majority of work here is Defence related).
However I was (redundantly) asking why someone who calls themselves a security professional and system administrator does not follow BP.
Because BP got hacked by Chinese? Naaah.
[smile] where following BP means jumping in a tug and telling the captain to "follow that slick".
When the services go down, you can't log in to the relying sites. Luckily, core infrastructure like the account systems is a very high priority for the engineers, and the big providers have plenty of resources to keep them up -- and they do. My bank's site is down far, far more often than Google's auth servers, for example. How much more often? I don't know... I've never seen Google's auth servers down.
And you think a script, which can read the password field, cannot replace all hooks the site adds to password fields?
The difference is the online password manager requires I supply my password to them - weakness/trust issues there. With an online password manager you have to trust that they are hacker-proof (unlikely) and you have to assume that all staff are trustworthy, and you have to assume that security services also are keeping your info safe.
Backing up my passwords is as easy as emailing myself the encrypted passwords to a couple of email addresses - it takes a few seconds. My password database doesn't require that I be online, which is very useful if internet/network info is in the password database.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
My password database says 314 items.
There's no way I would remember all those, especially as they are randomly generated strings.
Darn it!
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
I don't know of any online password managers implemented this way. They keep the backup of your encrypted password file and keep it synchronized. When you need to use a password, you download that file, decrypt it, and then automatically fill in the password field. If implemented the way you describe, I would agree to avoid them. But the ones mentioned in this thread, as far as I know (and other commenters seem to think so as well), don't work that way. They are simply a better version of the process you described and accessible to more people.
Extensions use JavaScript. For all intents and purposes, they are "scripts."
Except where blocked by the website, my passwords are 20-character random strings *which I have never seen*. No two alike, of course. (One bug I found is a site where the mobile site only uses the first 16 characters of the password, while the normal web site uses all 20.)
This is much better than any set of passwords I could remember (I remember a dozen maybe, including things I use away from the computer like my ATM PIN and my security system passcode and my safe combination). The database has *hundreds* of accounts in it.
So yeah, I get *really* angry at sites that work hard to make themselves less secure and/or harder to use.
In the password manager I'm using two-factor authentication before it can unlock the database. Nothing's perfect, of course; but this seems far better than anything else I could possibly use within the current framework.
I don't see how OpenID really helps -- it just comes down to the password I use on the master site then.
Note that KeePass has automagic fill-in crap, too.
This post is about password managers like KeePass, LastPass, etc and not about built-in password managers in browsers (which are also generally encrypted, btw).
The correct approach is to simplify password requirements and use two-factor authentication, not allow manipulation of the password field. If passwords have to get complex enough that you can't keep them in your head, they aren't really knowledge-based authentication anyway.
"as far as I know (and other commenters seem to think so as well), don't work that way"
AFAIK != secure. If you were the only holder of the decryption key for your data, the vendor would make sure you knew that. The fact that people are not sure is not a promising sign. Many of the ones discussed are hosted on hardware which must be leased by the hour, but are offered free of charge to users. There is an inherent conflict of interest for the provider of the service, even if their intentions currently are above board. I'm not saying they're worthless, because every federated identity management system has problems, but users often assume there is less counter-party risk than there really is.
Overreact much?
Been using LastPass for years, I've never been compromised. Don't be so arrogant. Just because something is closed source doesn't mean it's bad, and there have been plenty of security audits of LastPass.
And, seriously, copying passwords to the clipboard... I'm not being patronizing, I'm just saying that doesn't seem safe. The clipboard has no safeguards.
Yeah, now that I think about it, any running process can watch the clipboard -- that's the point of the clipboard. If a malicious process can determine when you are copying from keepass (prob not too hard), you're screwed.
You may think you're too smart for that to happen, but it can.
"I wouldn't put my bank login details in to it though, because of vulnerabilities + trojans + keystroke-loggers."
So how do you input your bank login details? Vulnerabilities, trojans, and especially keystroke-loggers would affect you (if you have a compromised computer) whether or not you have a password manager. Beyond these common security issues, the only flaw of many standalone password managers is using the clipboard as temporary storage. So in theory, malware that targets the clipboard could steal your password. I don't know about Windows, but I recently installed a security app that showed me how this was clearly a problem in Android since all (most?) apps have the "permission" to cut-n-paste the clipboard. A built-in browser-specific password manager won't suffer from this problem.
I completely agree with the basic post - PLEASE - websites - stop blocking password managers!!! For whatever the reason - bad code or a belief that I am more secure if you block my password manager (you know better than I, what is in my best interest?). Yes - I understand that there are a number of downstream issues, but how are they related? For instance, if I have a key logger on my system - then I am in DEEP - DEEP - DUU - DUU!! And there is nothing that "you" blocking my password manager is going to do that will make this better. Of course, if I don't have a key logger, and you block me - then I am not happy. ---- Really - tech community - I think the issue is how we collect, organize, distribute, mobilize and communicate to the password blockers that their web site is not acceptable to us! Kinda what the original post said about "experts" taken to the next logical response.
Length is all that matters for passwords. You're better off with "thatswhatshesaid" (26 ^ 16) than "B4c0nL0v3r!" (72 ^ 11).
Agreed completely. It annoys me when a site or app forces me to have a number, a mixture of case or some other stupid rules that make a password difficult to remember. Passwords like "welcometothehotelcalifornia" or "onawarmsummersevening" are easy to remember, quite secure, and don't need numbers or capitals.
My bank restricts the password to be a maximum of 8 characters long. It's ridiculous.
"I've been in the software business for almost 40 years,"
Software, not security.
"I suggest you study texts on encryption, and maybe read the technical details of how a good cloud-based password manager like LastPass actually works"
https://blog.lastpass.com/2015...
That's all I fucking need to know. A piece of paper holding my passwords is more secure in my wallet than my passwords are with LastPass or KeepPass. I also have the ability to actually defend my stuff if someone tries to take it, whereas someone hacks your shit and it's gone, you're fucked. By the time you realize it, it's too late, they've made off with your stuff.
"Your super-whiz-bang method still requires a password, it seems"
Good authentication requires everything, including a password. We could switch to biometrics, but you're fucked because there are any number of ways to get around that, including taking your head off. With a password added for second verification (or third verification, in this case) taking your head does me no good unless I was able to get the password from you beforehand.
"How do you hash the passwords for your sites? Still using MD5?"
You silly noobs using hashes and salts. Nowadays smart people embed that information in an image file, good old steganography. You think you got a password database? Enjoy the cluster of hentai you just downloaded. Get past the fact that there's information inside the image? Good luck decrypting the white noise format used to encode it. Unless you have used my server software, you aren't going to be able to do much with it.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
My bank doesn't use a simple fixed password system, it uses drop down boxes where it picks some digits from a long pin. It's this pin and the fixed password that I memorise instead of store.
There's also a hardware key system.
many RPs don't trust random providers.
How does Stack Exchange, an RP, get away with trusting random OpenID 2.0 IDPs?
Google, Facebook, Yahoo and AOL
As far as I can tell, signing up for most of these requires a valid subscription to cellular telephone service, as Yahoo's sign-up form states: "Your mobile number is required." I've been told that the same is true of Facebook in some places. In your opinion, is it reasonable to require each server operator to maintain an ongoing subscription to a mobile phone plan with unlimited incoming SMS in addition to the domain, web hosting, wired Internet service, and VoIP that the server operator already has?
no, I can't tell you how to find out who your users are or what they use
That's what I was afraid of.