this post was submitted on 08 Jul 2023
-26 points (11.8% liked)

Technology

59358 readers
6724 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
-26
Password Managers. (lock.cmpxchg8b.com)
submitted 1 year ago* (last edited 1 year ago) by lemba@discuss.tchncs.de to c/technology@lemmy.world
 

You don't know Tavis Ormandy? https://en.m.wikipedia.org/wiki/Tavis_Ormandy

tl;dr "If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions."

I can only speak for myself but his article confirmed my suspicion about any Password Manager, even Bitwarden and I never have or will use any online Password Managers. I create all my Passwords individually with my own algorithm in my head and can always recreate them.

top 17 comments
sorted by: hot top controversial new old
[–] eager_eagle@lemmy.world 15 points 1 year ago* (last edited 1 year ago) (1 children)

so your reasoning for not using a password manager is because they may be tricked by defacing or sneaky scripts, and yet you don't consider yourself vulnerable to phishing when entering your password manually?

[–] oatmilkmaid@possumpat.io 13 points 1 year ago (1 children)

I refuse to use my brain to remember things and thus Bitwarden it is

[–] Izzy@lemmy.world -1 points 1 year ago (1 children)

What do you use your brain for instead?

[–] silver@lemmy.brendan.ie 2 points 1 year ago

living life

[–] AlternateRoute@lemmy.ca 11 points 1 year ago* (last edited 1 year ago) (1 children)

~~Would be more relevant if you linked to something relevant to your argument not just the wiki on him.~~

Travis actually recommends several https://lock.cmpxchg8b.com/passmgrs.html

Good examples of simple and safe password managers are keepass and keepassx, or even pass if you’re a nerd.

He doesn't like password managers that are hosted or integrate with apps via plugins.

[–] eager_eagle@lemmy.world 7 points 1 year ago* (last edited 1 year ago) (1 children)

the post title is actually the link you pasted here, which I think it's even worse because it demonstrates a severe lack of interpreting skills from OP.

[–] AlternateRoute@lemmy.ca 4 points 1 year ago* (last edited 1 year ago)

Ya the conclusion is very clear

Conclusion If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.

I use Chrome, but the other major browsers like Edge or Firefox are fine too. They can isolate their trusted UI from websites, they don’t break the sandbox security model, they have world-class security teams, and they couldn’t be easier to use.

Also there are studies showing how bad mental formula passwords are, while computers are not truly random, humans are even worse.

https://lifehacker.com/password-formulas-don-t-fool-hackers-1826238163

[–] redcalcium@c.calciumlabs.com 3 points 1 year ago* (last edited 1 year ago)

Using browser's built-in password manager means you're locking yourself permanently in that browser, or in case of Safari, locking yourself to Apple ecosystem. I refuse to do that. Beside, I'm sure you already heard about horror stories where Google suddenly ban their accounts. Imagine if you store your passwords in chrome and your account somehow mistakenly banned by Google. What a nightmare!

His arguments have merits though. Whenever I install my password manager extension in a new system, the first thing I do is to disable browser autofill in the password manager settings, which reduces possible exploits surface.

[–] Izzy@lemmy.world 2 points 1 year ago (1 children)

Password managers are technically a convenience at the cost of security. At least compared to memorizing dozens of long unique passwords. I'd probably host my own if I were going to use one. For now I just memorize a ton of random characters and then reset my password when I fail to remember. 😅

[–] redcalcium@c.calciumlabs.com 4 points 1 year ago* (last edited 1 year ago) (1 children)

Dozens? Dude, I have over 700 passwords in my password manager ever since I started using them 15 years ago. No way I can remember them all.

[–] Izzy@lemmy.world 1 points 1 year ago

I don't know how many things I've registered for, but I don't regularly use more than 10 passwords. There might be something I need to check every few years so I just reset it then.

[–] atx_aquarian@lemmy.world 2 points 1 year ago* (last edited 1 year ago)

I tried his "try this example if you have NordPass" page, and it didn't do anything in Brave mobile other than load a blank new tab. Maybe they've changed their mechanism, or maybe I should be less lazy and try it in another browser. For me on NordPass and Android, though, the password selection is shown on the keyboard, not within the content area.

I also don't know about his claim about the invalidity of any vendor's "we can't see your passwords" claims. If their software is audited (which is probably easiest with Bitwarden due to its open source--as long as you trust who distributed the built binary) to verify the code is encrypting your key/value store locally with your own passphrase prior to sending, they would have to crack the file to access its contents. But I take his point to be more about trusting their software to do what they claim, which, he points out, may even be out of their control if a malicious actor gets privileged access to modify their software. But, if I've understood that claim, then it is just as applicable for any centralized application; in other words, also don't use web browsers in the first place.

He's got other points about APIs I'm not familiar with, so I have to admit I've only focused on 2 of several points. But, for the 2 I thought I followed, I wasn't seeing those arguments go down the same road he did. This has gotten me thinking though, and I still won't dismiss the thought entirely. Interesting article.

[–] Yeah2206@infosec.pub 0 points 1 year ago (1 children)

He does recommend using the built-in browser's password managers; he just had beefs with how the extensions, which the non-browser password managers have to contend with, are implemented, and with the security of the vendor's network and software. He himself uses Chrome password manager.

[–] lemba@discuss.tchncs.de -2 points 1 year ago

Exactly but that's why I will not use a password manager at all. Better safe than sorry 😜

load more comments
view more: next ›