Slashdot Mirror


A Plea For Websites To Stop Blocking Password Managers

An anonymous reader writes: Password managers aren't a security panacea, but experts widely agree that it's better to use one than to have weak (but easy-to-remember) passwords. Just this week, they were listed as a tool non-experts don't use as much as experts do. I use one, and a pet peeve of mine is when a website specifically (or through bad design) interferes with the copying and pasting of a password. Thus, I appreciated this rant about it in Wired: "It's unacceptable that in an age where our lives are increasingly being played out online, and are sometimes only protected by a password, some sites deliberately stop their users from being as secure as possible, for no really justifiable reason."

13 of 365 comments

  1. Re:Lazy and Stupid by Demonoid-Penguin · · Score: 3, Insightful

    Anyone who uses password managers and believes them to be safe and unable to be broken should not be able to use the Internet. All passwords should be maintained separately and typed in manually.

    Do you have a citation for that, Mr. Scraps of Bad Security on Paper? Or are you just varying your normal MOO trolls?

    I'm sure Bruce Schneier would appreciate your insights into secure code. KeePass has so many flaws.

  2. Re:A plea to fuck off. by Sneeka2 · · Score: 5, Insightful

    The alternative being what? Using the same password everywhere and/or spreading your security thin across a thousand different web services you're using, all incompetent at protecting your password to varying degrees?

    --
    Bitten Apples are still better than dirty Windows...
  3. Re:A plea to fuck off. by darkestsoul · · Score: 3, Insightful

    Except that in the year 2015, attackers have realized that it is far easier to just attack companies directly instead. A password manager, or a manually typed 50-character password that is unique to the site isn't going to change poor security one bit. If you don't trust a recognized password manager, I hope you keep your life savings in your mattress as well.

  4. Re:A plea to fuck off. by Whiternoise · · Score: 5, Insightful

    It's risk analysis. Password managers are essentially making a bet that the risk of your hard drive being compromised is far less likely than a website being compromised. Most people can't remember more than 5 (strong) passwords at best and they get lazy and reuse them everywhere. Password managers let you eliminate password reuse so even if your Amazon account gets hacked, the attackers won't suddenly have the keys to the castle.

    It is one place to attack, true, but how likely is it that someone targets your password database? I would argue it's pretty remote, even if your machine was compromised or stolen. Assuming your master password is strong, the attacker either needs to crack it (difficult) or know you well enough to guess it. What's far more likely is that the drive the database is on fails and you lose access to all your randomised passwords. However, in that scenario, you might have printed backup keys for your email account (Gmail will let you do this) and no worries.

    For the truly paranoid, good old wetware suffices or a pencil and paper; again, you're weighing the risk of your house (or mind) being broken into vs some script kiddies attacking a website.

  5. Why do browsers allow websites to do this? by EmperorArthur · · Score: 4, Insightful

    While it's true the site operators are at fault, I also blame the browser makers.

    Many websites don't allow copy or paste, or even selecting/highlighting text.
    While I can understand the draw of websites, especially ones with games, being able to grab keyboard input, it's a potential security disaster waiting to happen.

    Browser makers should treat these kinds of keyboard/mouse hooks the same way they treat websites asking for location data, with a message asking the user if they want to allow the behavior or not. Furthermore, they should do it in such a way that operators cannot force users to click allow.

    --
    So let's pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
  6. Re:Scripts that interact with passwords fields aws by jarfil · · Score: 5, Insightful

    Except it doesn't stop shit.
    Any malware would either intercept the keystrokes, or read the in-memory data directly, or even change the web content to inject whatever scripts it wanted... or even read the password from the clipboard, because the fact that you can't paste it into the page does not stop you from copying it from wherever you had it in the first place.

  7. Re: A plea to fuck off. by fuzzyfuzzyfungus · · Score: 4, Insightful

    The frustrating thing is that we have better technology available; but we mostly can't use it because sites don't support it. PKCS#11 is older than God, and ICs to suit are nice and cheap because SIMs also use them; but when was the last time you saw a non-state site supporting that? The RSA style auth fobs are also better, as long as you don't let somebody steal the seed data (looking at you, RSA), and they don't even need a card reader on the client device. Whatever the 'FIDO' people are messing around with is immature and barely adopted; but also is better than passwords. Aside from a few token "we'll send you a text message and call it two-factor" options, and amusing little pace-of-adoption quirks that make it easier to get a hardware token to protect your WoW account than your bank account, the sites that control the login options haven't done a damn thing in two decades.

  8. Re:Scripts that interact with passwords fields aws by rvw · · Score: 4, Insightful

    IMHO, this is a browser problem, not a website problem. Browsers shouldn't allow scripts to interact with a password field. Period.

    [Disclaimer: I'm not the GP AC.]

    Isn't this exactly what a password manager does? I thought LastPass (to name one) uses JavaScript to change the form fields, including the password field (which suddenly has a clickable * in it). So if you disable that, you have to paste manually.

  9. Re:A plea to fuck off. by Anonymous Coward · · Score: 3, Insightful

    The problem AC "identified" is that a password manager can be cracked and reveal all your passwords.

    A password BOOK doesn't even need to be cracked, so it's not a solution to that problem - it's got the same problems as before PLUS it's not secured at all.

    Hey, I know, why don't we write all our passwords onto stickers and put them under the keyboard. Nobody ever looks under the keyboard.

  10. Re:A plea to fuck off. by Rich0 · · Score: 4, Insightful

    Password managers are essentially making a bet that the risk of your hard drive being compromised is far less likely than a website being compromised.

    If your hard drive is compromised then your keystrokes are being logged and your cookies are being extracted, and any website you log into will be compromised. The password manager isn't really adding that much more risk here.

  11. A plea for browsers to stop blocking autocomplete by MightyDrunken · · Score: 3, Insightful

    Websites have disabled autocomplete on password fields to prevent browser-based password managers from working. In response to this, many browsers ignore autocomplete=off on password fields. I ran into this behaviour on a user administration screen: the browser was trying to fill in my password into the other user's password field. I could not stop the browser from autofilling the wrong password.
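The two password-manager-hostile patterns this thread keeps circling (inline paste blocking, as in comments 5 and 6, and autocomplete=off on password fields, as in the comment above) are easy to catch in an automated check. The following audit is an added example, not code from the Slashdot discussion or any product mentioned in it; the HTML snippet is constructed, and the regex-based attribute parsing is a deliberately minimal stand-in for a real DOM walk.

```javascript
// Added example: audit <input> tags in an HTML snippet for patterns that
// fight password managers. Constructed input; regexes, not a full HTML parser.

// Parse the attributes of one <input ...> tag into a plain object.
function parseInputAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one finding per problem found on each type="password" input.
function auditPasswordInputs(html) {
  const findings = [];
  const tags = html.match(/<input\b[^>]*>/gi) || [];
  for (const tag of tags) {
    const a = parseInputAttrs(tag);
    if ((a.type || "text").toLowerCase() !== "password") continue;
    const field = a.name || a.id || "(unnamed)";
    // Inline handlers that swallow the paste event block both users and managers.
    const onpaste = (a.onpaste || "").replace(/\s+/g, "");
    if (/returnfalse|preventDefault\(\)/.test(onpaste)) {
      findings.push({ field, issue: "paste-blocked",
        fix: "drop the onpaste handler; users and managers must be able to paste" });
    }
    // autocomplete="off" is ignored by browsers on password fields anyway; the
    // standard tokens tell the browser which credential (if any) belongs here.
    if ((a.autocomplete || "").toLowerCase() === "off") {
      findings.push({ field, issue: "autocomplete-off",
        fix: 'use autocomplete="current-password" on login forms and ' +
             '"new-password" where another user\'s password is being set' });
    }
  }
  return findings;
}

// Constructed sample: a hostile login form and a correctly labelled admin form.
const SAMPLE_HTML = `
  <form id="login">
    <input type="text" name="user" autocomplete="username">
    <input type="password" name="pass" autocomplete="off" onpaste="return false;">
  </form>
  <form id="admin-reset">
    <input type="password" name="other_user_pass" autocomplete="new-password">
  </form>`;

console.log(auditPasswordInputs(SAMPLE_HTML));
```

The admin-form case is the one the comment above describes: with `autocomplete="new-password"` the browser is told not to offer the administrator's own saved credential for that field.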

  12. Re:Scripts that interact with passwords fields aws by TheRaven64 · · Score: 4, Insightful

    True, although most password managers can generate random passwords (of varying strengths, as a recent Oakland paper showed). Using this functionality is generally easier than thinking up a password.

    --
    I am TheRaven on Soylent News
  13. Re:Scripts that interact with passwords fields aws by stevel · · Score: 2, Insightful

    Obviously you have limited experience or familiarity with password managers. LastPass, among others, keeps your encrypted passwords "in the cloud", so that they are accessible even if your local disk "takes a dump". For LastPass, there's also a local copy of the encrypted database, and yes, I do have backups. (If you don't have backups, you have a lot more problems than losing passwords.)

    Image/phrase/password verification is hardly "better" (better than what?). How many of those can you remember? If you can come up with an authentication scheme better than passwords that you can get every online service to use, then please let us know. The reality is that passwords are what we use today and password managers make them easier to use in a more secure fashion, so that one has a different, strong password for every login. Two-factor authentication is also very helpful (and I enable that where supported).

    Currently the biggest weakness of passwords, other than most people using them poorly, is sites that store passwords insecurely. This, combined with the tendency of those NOT using password managers to reuse passwords, is what leads to the majority of account hacking.