A Plea For Websites To Stop Blocking Password Managers
An anonymous reader writes: Password managers aren't a security panacea, but experts widely agree that it's better to use one than to have weak (but easy-to-remember) passwords. Just this week, they were listed as a tool non-experts don't use as much as experts do. I use one, and a pet peeve of mine is when a website specifically (or through bad design) interferes with the copying and pasting of a password. Thus, I appreciated this rant about it in Wired: "It's unacceptable that in an age where our lives are increasingly being played out online, and are sometimes only protected by a password, some sites deliberately stop their users from being as secure as possible, for no really justifiable reason."
Anyone who uses password managers and believes them to be safe and unable to be broken should not be able to use the Internet. All passwords should be maintained separately and typed in manually.
Do you have a citation for that, Mr. Scraps of Bad Security on Paper? Or are you just varying your normal MOO trolls?
I'm sure Bruce Schneier would appreciate your insights into secure code. KeePass has so many flaws.
The alternative being what? Using the same password everywhere and/or spreading your security thin across a thousand different web services you're using all incompetent at protecting your password to varying degrees?
Bitten Apples are still better than dirty Windows...
Except that in the year 2015, attackers have realized that it is far easier to just attack companies directly instead. A password manager, or a manually typed 50-character password that is unique to the site isn't going to change poor security one bit. If you don't trust a recognized password manager, I hope you keep your life savings in your mattress as well.
If your password is "OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73" as it should be,* then yes...
* Yes, please use exactly this password; it's super safe, I promise!
It's risk analysis. Password managers are essentially making a bet that the risk of your hard drive being compromised is far less likely than a website being compromised. Most people can't remember more than 5 (strong) passwords at best and they get lazy and reuse them everywhere. Password managers let you eliminate password reuse so even if your Amazon account gets hacked, the attackers won't suddenly have the keys to the castle.
It is one place to attack, true, but how likely is it that someone targets your password database? I would argue it's pretty remote, even if your machine was compromised or stolen. Assuming your master password is strong, the attacker either needs to crack it (difficult) or know you well enough to guess it. What's far more likely is that the drive the database is on fails and you lose access to all your randomised passwords. However in that scenario, you might have printed backup keys for your email account (Gmail will let you do this) and no worries.
For the truly paranoid, good old wetware suffices or a pencil and paper; again, you're weighing the risk of your house (or mind) being broken into vs some script kiddies attacking a website.
While it's true the site operators are at fault, I also blame the browser makers.
Many websites don't allow copy or paste, or even selecting/highlighting text.
While I can understand the draw of websites, especially ones with games, being able to grab keyboard input, it's a potential security disaster waiting to happen.
Browser makers should treat these kinds of keyboard/mouse hooks the same way they treat websites asking for location data, with a message asking the user whether they want to allow the behavior or not. Furthermore, they should do it in such a way that operators cannot force users to click allow.
So let's pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
I generally don't trust anything or anyone having the word "manager" in their name.
Except it doesn't stop shit.
Any malware would either intercept the keystrokes, or read the in-memory data directly, or even change the web content to inject whatever scripts it wanted... or even read the password from the clipboard, because the fact that you can't paste it into the page does not stop you from copying it from wherever you had it in the first place.
The frustrating thing is that we have better technology available; but we mostly can't use it because sites don't support it. PKCS#11 is older than God, and ICs to suit are nice and cheap because SIMs also use them; but when was the last time you saw a non-state site supporting that? The RSA style auth fobs are also better, as long as you don't let somebody steal the seed data (looking at you, RSA) and they don't even need a card reader on the client device. Whatever the 'FIDO' people are messing around with is immature and barely adopted; but also is better than passwords. Aside from a few token "we'll send you a text message and call it two-factor" options, and amusing little pace-of-adoption quirks that make it easier to get a hardware token to protect your WoW account than your bank account, the sites that control the login options haven't done a damn thing in two decades.
Blizzard's Battle.net does this. Or at least it used to; I haven't checked recently. I did contact them about it and they just scoffed it off as a "security measure."
IMHO, this is a browser problem, not a website problem. Browser shouldn't allow scripts to interact with a password field. Period.
[Disclaimer: I'm not the GP AC.]
Isn't this exactly what a password manager does? I thought LastPass (to name one) uses JavaScript to change the form fields, including the password field (which suddenly has a clickable * in it). So if you disable that, you have to paste manually.
The problem AC "identified" is that a password manager can be cracked and reveal all your passwords.
A password BOOK doesn't even need to be cracked, so it's not a solution to that problem - it's got the same problems as before PLUS it's not secured at all.
Hey, I know, why don't we write all our passwords onto stickers and put them under the keyboard. Nobody ever looks under the keyboard.
My server logs disagree with your assumptions. Fail2ban is running constant blocks on botnets trying to guess passwords on SSH, FTP, SASL and websites, and this goes for my day job, my personal server and my evening contracts.
JavaScript can also intercept the contents of the clipboard. If you're blocking password managers, then people are going to do one of two things. Either they'll pick a (weak) easy-to-remember password, or they'll use a password manager and paste the password in. If they opt for the latter, then any malicious ad on the page can grab the password while it's in the clipboard...
I am TheRaven on Soylent News
Password managers are essentially making a bet that the risk of your hard drive being compromised is far less likely than a website being compromised.
If your hard drive is compromised then your keystrokes are being logged and your cookies are being extracted, and any website you log into will be compromised. The password manager isn't really adding that much more risk here.
Websites have disabled autocomplete on password fields to prevent browser-based password managers from working. In response to this, many browsers ignore autocomplete=off on password fields. I ran into this behaviour on a user administration screen; the browser was trying to fill my password into the other user's password field. I could not stop the browser from autofilling the wrong password.
The most dangerous drug
horse battery staple
Not any more. Words are now characters. You have a 3 character password right there. Unless you're going to munge up the words with misspellings or nonalphanumerics,
Besides, having to type in your master pass[phrase] that's 30 characters long into something like LastPass from a phone keyboard with ******** as your visual feedback every time you need to re-authorize (which should be frequent if you're being diligent) is a royal pain in the ass. Do that for a couple of days and you'll be back to 12345 out of sheer frustration.
Is it just my observation, or are there way too many stupid people in the world?
Managers are like placing all of your eggs in one basket which has been specifically designed for carrying eggs, with proper separation and cushioning against nearly all common shipping contingencies.
Having a couple of really secure passwords and a couple of throwaways is like putting a couple of small eggs in your back pocket and carrying the big ones in your hands. Much more convenient, and only as secure as you are diligent.
Since my password manager is a simple piece of software - an encrypted database of my passwords that runs on my computer with the data on my computer - I'd say yes, I have no reason not to trust it. I wouldn't put my bank login details into it though, because of vulnerabilities + trojans + keystroke-loggers.
Trust an online password manager - hell no.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
True, although most password managers can generate random passwords (of varying strengths, as a recent Oakland paper showed). Using this functionality is generally easier than thinking up a password.
Your argument has one flaw - just because someone uses a password manager doesn't mean he will pick strong passwords...
The flaw you see is not where you think it is. The OP never said a password manager requires strong passwords. That would require idiot proofing - that's a whole other subject.
Using a password manager does not necessarily enforce good passwords - or prohibit the reuse of them.
Writing passwords down means you have to read them out, and type them in to use them - a practice that also does not necessarily enforce good passwords - or prohibit the reuse of them.
Writing passwords down means you have to read them out, and type them in to use them - a practice that encourages bad passwords and the reuse of them.
Using a password manager does not encourage bad passwords and the reuse of them.
The reason for the difference is in ease of use and amount of effort involved. People cut corners because they are lazy or in a hurry.
I touch type - most people don't. I make mistakes typing in complex passwords that have been written down. The more I use those passwords, and the more passwords I need to keep, the greater the incentive to practise bad security. Given that most people can't touch type - they have an even stronger incentive than me to practise poor security - the evidence from all the password list dumps and all the security tests on password usage just proves the same thing. People use dumb passwords, people reuse passwords. When they are asked why they do so, they say it's because it's too hard to remember them - or to write them all down, keep control of the pieces of paper, and to type them back in each time.
The other risk with using either method for storing passwords is loss of the passwords. Password managers have to be backed up. Paper records of passwords need to be backed up and secured. Password managers use passphrase protection so they are secured (or should be - see my previous comment about idiot proofing).
If your password is "OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73" as it should be,* then yes...
Parent was modded funny, but this is what your passwords should look like -- long and random, and typing them is a PITA. Any web site that disables pasting or prevents your browser or extensions from auto-filling passwords is broken. The sad thing is that most sites that do this (other than those that do it by accident because the devs are clueless) do it because they think they're increasing the security of their users' accounts. They're not.
Solutions like LastPass et al are the best, but honestly just using your browser's password database is better than reusing passwords everywhere. And Chrome and Firefox (at least, perhaps others) offer the option of keeping your passwords synced to all of the devices you use, optionally protected with a master password. Browsers need to offer password generation as well. I think some are working on it.
Of course, the real solution is to get rid of passwords. Web sites should switch to using OpenID authentication. Yes, this means that most users will use their Facebook or Google logins, which means that, essentially, the site has outsourced its account security to those other entities. So what? If the developers of random web sites think they can do a better job of account security than Google or Facebook -- they're wrong. I work for Google and previously spent a decade as a security consultant in the financial industry, and after seeing how they all work from the inside, I would feel much more secure about my bank account if I could use my Google account (with 2FA, plus all of the analytics and monitoring Google does) to log into it rather than trusting the bank to do a decent job with password-based security. I haven't seen Facebook's infrastructure, but I know people who work there, and they're good. Far better than you'll find at a typical bank, much less J. Random Web Developer.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
LastPass is no more proprietary than KeePass. The JavaScript implementation is visible. And while their server was hacked, the thieves got nothing of value since the contents of your "vault" never leave your computer unencrypted and LastPass doesn't have the key.
I agree with the article - blocking password managers lowers security.
The nicsez check website comes to mind.
You know, the one that's used to run background checks for guns in 36 states or so?
If I recall correctly, it's forbidden in the terms to use a password manager.
And you have to change the password every 90 days.
Minimum threshold fixed. Thanks!
KeePass is also (correct me if I'm wrong: I'd love to hear there is another) the only password manager I know of which is fully cross-platform. Combined with Dropbox or some private file sync tool (I host a Seafile installation), I have a synced password manager that works on Linux/Win/Mac/iOS/Android. And I keep the key separate and move that to devices I use manually, so I'm almost totally unafraid of my vault being intercepted/stolen. Without my master passphrase AND the encrypted key itself, breaking it is.... way harder than my passwords are worth.
Not by default it can't.
True there are potentially bugs in implementation or bad configurations that allow scripts to read the external clipboard, but the same argument could be made against password managers. Poor security / configuration of the browser could allow scripts to read the password provided by the password manager.