Slashdot Mirror
A Plea For Websites To Stop Blocking Password Managers
An anonymous reader writes: Password managers aren't a security panacea, but experts widely agree that it's better to use one than to have weak (but easy-to-remember) passwords. Just this week, they were listed as a tool non-experts don't use as much as experts do. I use one, and a pet peeve of mine is when a website specifically (or through bad design) interferes with the copying and pasting of a password. Thus, I appreciated this rant about it in Wired: "It's unacceptable that in an age where our lives are increasingly being played out online, and are sometimes only protected by a password, some sites deliberately stop their users from being as secure as possible, for no really justifiable reason."
The alternative being what? Using the same password everywhere and/or spreading your security thin across a thousand different web services you're using all incompetent at protecting your password to varying degrees?
Bitten Apples are still better than dirty Windows...
If your password is "OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73" as it should be,* then yes...
* Yes, please use exactly this password; it's super safe, I promise!
Bitten Apples are still better than dirty Windows...
It's risk analysis. Password managers are essentially making a bet that the risk of your hard drive being compromised is far less likely than a website being compromised. Most people can't remember more than 5 (strong) passwords at best and they get lazy and reuse them everywhere. Password managers let you eliminate password reuse so even if your Amazon account gets hacked, the attackers won't suddenly have the keys to the castle.
It is one place to attack, true, but how likely is it that someone targets your password database? I would argue it's pretty remote, even if your machine was compromised or stolen. Assuming your master password is strong, the attacker either needs to crack it (difficult) or know you well enough to guess it. What's far more likely is that the drive the database is on fails and you lose access to all your randomised passwords. However in that scenario, you might have printed backup keys for your email account (Gmail will let you do this) and no worries.
For the truly paranoid, good old wetware suffices or a pencil and paper; again, you're weighing the risk of your house (or mind) being broken into vs some script kiddies attacking a website.
While it's true the site operators are at fault, I also blame the browser makers.
Many websites don't allow copy or paste, or even selecting/highlighting text.
While I can understand the draw of websites, especially ones with games, being able to grab keyboard input, it's a potential security disaster waiting to happen.
Browser makers should treat these kind of keyboard/mouse hooks the same way they treat websites asking for location data. With a message asking the user if they want to allow the behavior or not. Furthermore, they should do it in such a way that operators can not force users to click allow.
So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
I generally don't trust anything or anyone having the word "manager" in their name.
Except it doesn't stop shit.
Any malware would either intercept the keystrokes, or read the in-memory data directly, or even change the web content to inject whatever scripts it wanted... or even read the password from clipboard, because the fact that you can't paste it into the page, does not stop you from copying if from wherever you had it in the first place.
The frustrating thing is that we have better technology available; but we mostly can't use it because sites don't support it. PKCS#11 is older than God, and ICs to suit are nice and cheap because SIMs also use them; but when was the last time you saw a non-state site supporting that? The RSA style auth fobs are also better, as long as you don't let somebody steal the seed data(looking at you RSA) and they don't even need a card reader on the client device. Whatever the 'FIDO' people are messing around with is immature and barely adopted; but also is better than passwords. Aside from a few token "we'll send you a text message and call it two-factor" options, and amusing little pace-of-adoption quirks that make it easier to get a hardware token to protect your WoW account than your bank account, the sites that control the login options haven't done a damn thing in two decades.
IMHO, this is a browser problem, not a website problem. Browser shouldn't allow scripts to interact with a password field. Period.
[Disclaimer: I'm not the GP AC.]
Isn't this exactly what a password manager does? I thought Lastpass (to name one) uses Javascript to change the form fields, including the password field (which suddenly has a clickable * in it). So if you disable that, you have to paste manually.
Password managers are essentially making a bet that the risk of your hard drive being compromised is far less likely than a website being compromised.
If your hard drive is compromised then your keystrokes are being logged and your cookies are being extracted, and any website you log into will be compromised. The password manager isn't really adding that much more risk here.
horse battery staple
Not any more. Words are now characters. You have a 3 character password right there. Unless you're going to munge up the words with misspellings or nonalphanumerics,
Besides, having to type in your master pass[phrase] that's 30 characters long into something like LastPass from a phone keyboard with ******** as your visual feedback every time you need to re-authorize (which should be frequent if you're being diligent) is a royal pain in the ass. Do that for a couple of days and you'll be back to 12345 out of shear frustration.
Is it just my observation, or are there way too many stupid people in the world?
Managers are like placing all of your eggs in one basket which has been specifically designed for carrying eggs, with proper separation and cushioning against nearly all common shipping contingencies.
Having a couple of really secure passwords and a couple of throwaways is like putting a couple of small eggs in your back pocket and carrying the big ones in your hands. Much more convenient, and only as secure as you are diligent.
Is it just my observation, or are there way too many stupid people in the world?
Since my password manager is a simple piece of software - an encrypted database of my passwords that runs on my computer with the data on my computer, I'd say yes, I have no reason not to trust it. I wouldn't put my bank login details in to it though, because of vulnerabilities + trojans + keystroke-loggers.
Trust an online password manager - hell no.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
True, although most password managers can generate random passwords (of varying strengths, as a recent Oakland paper showed). Using this functionality is generally easier than thinking up a password.
I am TheRaven on Soylent News
LastPass is no more proprietary than KeePass. The JavaScript implementation is visible. And while their server was hacked, the thieves got nothing of value since the contents of your "vault" never leave your computer unencrypted and LastPass doesn't have the key.
I agree with the article - blocking password managers lowers security.