Slashdot Mirror
A Plea For Websites To Stop Blocking Password Managers
An anonymous reader writes: Password managers aren't a security panacea, but experts widely agree that it's better to use one than to have weak (but easy-to-remember) passwords. Just this week, they were listed as a tool non-experts don't use as much as experts do. I use one, and a pet peeve of mine is when a website specifically (or through bad design) interferes with the copying and pasting of a password. Thus, I appreciated this rant about it in Wired: "It's unacceptable that in an age where our lives are increasingly being played out online, and are sometimes only protected by a password, some sites deliberately stop their users from being as secure as possible, for no really justifiable reason."
The alternative being what? Using the same password everywhere and/or spreading your security thin across a thousand different web services you're using all incompetent at protecting your password to varying degrees?
Bitten Apples are still better than dirty Windows...
It's risk analysis. Password managers are essentially making a bet that the risk of your hard drive being compromised is far less likely than a website being compromised. Most people can't remember more than 5 (strong) passwords at best and they get lazy and reuse them everywhere. Password managers let you eliminate password reuse so even if your Amazon account gets hacked, the attackers won't suddenly have the keys to the castle.
It is one place to attack, true, but how likely is it that someone targets your password database? I would argue it's pretty remote, even if your machine was compromised or stolen. Assuming your master password is strong, the attacker either needs to crack it (difficult) or know you well enough to guess it. What's far more likely is that the drive the database is on fails and you lose access to all your randomised passwords. However in that scenario, you might have printed backup keys for your email account (Gmail will let you do this) and no worries.
For the truly paranoid, good old wetware suffices or a pencil and paper; again, you're weighing the risk of your house (or mind) being broken into vs some script kiddies attacking a website.
I generally don't trust anything or anyone having the word "manager" in their name.
Except it doesn't stop shit.
Any malware would either intercept the keystrokes, or read the in-memory data directly, or even change the web content to inject whatever scripts it wanted... or even read the password from clipboard, because the fact that you can't paste it into the page, does not stop you from copying if from wherever you had it in the first place.
Managers are like placing all of your eggs in one basket which has been specifically designed for carrying eggs, with proper separation and cushioning against nearly all common shipping contingencies.
Having a couple of really secure passwords and a couple of throwaways is like putting a couple of small eggs in your back pocket and carrying the big ones in your hands. Much more convenient, and only as secure as you are diligent.
Is it just my observation, or are there way too many stupid people in the world?
Since my password manager is a simple piece of software - an encrypted database of my passwords that runs on my computer with the data on my computer, I'd say yes, I have no reason not to trust it. I wouldn't put my bank login details in to it though, because of vulnerabilities + trojans + keystroke-loggers.
Trust an online password manager - hell no.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
LastPass is no more proprietary than KeePass. The JavaScript implementation is visible. And while their server was hacked, the thieves got nothing of value since the contents of your "vault" never leave your computer unencrypted and LastPass doesn't have the key.
I agree with the article - blocking password managers lowers security.